This Case Study Guide is an addendum to our article dated XX 2024 entitled: Mishandling patient information is risky business: Proposed new changes to the Privacy Act to ensure effective information governance and privacy training. It contains hypothetical scenarios based on published cases about privacy breaches from Australia and Canada.
Scenario 1 - Intentional or Reckless Privacy Breach
Day Hospital DH is a private hospital and day surgery clinic. A group of employed hospital staff who have access to the records of patients who gave birth at the hospital disclose those patients' personal and health information, without their authorisation or consent, to employees of private health and life insurers who are looking to boost their sales. The same staff also disclose the personal and health information of patients being treated for work-related injuries (under workers' compensation legislation) to local personal injury law firms. The affected patients are then contacted by the insurers and law firms soliciting their products and services.
Breach of current APPs: The impacted patients could make a complaint against Day Hospital DH to the Australian Information Commissioner for breach of APP 6 (use or disclosure of personal information) and APP 11 (security of personal information). As the conduct could be considered a serious or repeated interference with privacy by a body corporate, Day Hospital DH could be liable to pay a significant amount of compensation to the impacted patients, plus civil penalties payable to the Commonwealth (potentially $50M or more). The impacted patients could also apply to the Civil and Administrative Tribunal of their State or Territory against Day Hospital DH for mishandling of personal, health and/or sensitive information under the applicable State or Territory privacy laws.

Proposed statutory tort for serious invasion of privacy: The impacted patients could bring an action against Day Hospital DH for serious invasion of privacy, relying on vicarious liability for the acts of the hospital employees. They would need to establish that the hospital staff acted intentionally or recklessly, that the staff knew or ought to have known that the unauthorised disclosure would be likely to offend, distress or harm them, and that the staff were acting within the scope of their employment when accessing and disclosing the plaintiffs' personal and health information. The plaintiffs would also need to establish that a person of ordinary sensibilities in their position would have had a reasonable expectation of privacy. The impacted patients could also bring individual actions against the individual hospital employees for serious invasion of privacy.
Scenario 2 - Inadvertent Disclosure or Disclosure Made in Good Faith
Doctor Z is a busy General Practitioner operating a sole trader medical practice. The practice has a privacy policy, but Doctor Z is not very familiar with it. Patient K has been a regular patient of Doctor Z for nearly 3 years, including under a care plan with a psychologist for treatment of Patient K's chronic mental health conditions, which include Post Traumatic Stress Disorder and Anxiety Disorder. Patient K's employer was aware, from medical certificates supplied by Patient K, that Patient K had a chronic health condition and was receiving treatment from Doctor Z. However, the employer was not aware of the exact diagnosed conditions or the complete treatment history. Patient K became involved in a minor and brief verbal altercation with a work colleague. The employer's People and Culture (P&C) Team were notified and organised a meeting with Patient K the same day to discuss the incident. During the meeting the P&C Team became concerned about Patient K's wellbeing, on the basis that Patient K appeared to be overreacting to the situation and was behaving in a threatening manner towards them. After the meeting, Patient K went home for the rest of the day and was to report back the following day. There was no indication at the time Patient K left work that they were going to self-harm or harm any other individual. The P&C Team telephoned Doctor Z to enquire about Patient K's wellbeing and mentioned the workplace incident. Doctor Z informed the employer of Patient K's mental health conditions.
Breach of current APPs: Patient K could make a complaint against Doctor Z to the Australian Information Commissioner for breach of APP 6 (use or disclosure of personal information) and APP 11 (security of personal information). Patient K could also apply to the Civil and Administrative Tribunal of their State or Territory against Doctor Z for mishandling of personal, health and/or sensitive information under the applicable State or Territory privacy laws. Doctor Z could argue in defence that the disclosure was permitted under the "permitted general situation" exception in APP 6, on the basis that it was necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety.

Proposed statutory tort for serious invasion of privacy: Patient K could seek to bring an action against Doctor Z for serious invasion of privacy by unauthorised disclosure of private health information. The key issue would be whether Doctor Z's disclosure was intentional or reckless, made with a purpose of intruding upon or misusing Patient K's private information, and made knowing that Patient K was likely to be offended or to suffer harm and distress. Doctor Z could argue in defence that the disclosure was merely negligent, rather than intentional or reckless, on the basis that Doctor Z incorrectly presumed the disclosure was necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety; negligence alone would not satisfy the fault element of the proposed tort.
Footnotes
1 2018 ONSC 6315
2 [2019] NSWSC 1781
3 [2015] AICmr 23
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.