New Zealand Privacy Commissioner case notes
September 23, 2013 |
The amendments to the Privacy Act 1988 (Cth) take effect on 12 March 2014. The Privacy Commissioner will then have significant powers to conduct own motion investigations and institute civil penalty proceedings in the Federal Court. The Guidelines being developed by the Privacy Commissioner’s office will no doubt be persuasive. Guidelines are not binding rules (with a few notable exceptions, see section 16B). That has been made clear with the amendments (see section 6(3)). The Privacy Commissioner will develop guidelines which will establish the criteria on which a decision to pursue a civil penalty will be made. But it will be the Federal Court which will be considering the meaning of words, the scope and operation of privacy policies and codes and the operation of the APPs. The jurisprudence in Australia in the privacy law area is quite sparse, which is not surprising given the relative ineffectiveness of the legislation to date. That may change with the new powers available to the Privacy Commissioner. It will be prudent to consider how other jurisdictions have approached privacy issues and have developed their jurisprudence. Obviously they may be of use and even persuasive, but they are definitely not binding.
In that vein it is relevant to have regard to the case notes recently published by the New Zealand Privacy Commissioner. They are found here.
Case Note 235239 [2013] NZ PrivCmr 1 : Dealing with child’s health information when parents are separated
FACTS
A mother requested her child’s health information from a medical clinic. The clinic declined to provide it because the child’s father did not want the information to be released.
Section 22F of the Health Act states that parents and guardians are permitted to request their child’s health information, if the child is under 16 years old. Where an agency receives a request under section 22F it is required to treat that request as if the person had requested their own information under the Code. It must release the information unless a withholding ground applies. Information may be withheld where:
– the child does not want the information to be disclosed;
– it would not be in the child’s best interests to disclose the information; or
– one of the withholding grounds in sections 27-29 of the Privacy Act applies.
The clinic advised that the child’s mother and father had separated, and the father had custody of the child. The clinic was willing to provide the mother with information that was only about the child, but it did not want to disclose any information in the file relating to the father, out of concern for his privacy.
DECISION
On review of the file the Commissioner found that most of the information was about the child and the mother was entitled to it.
There was a small amount of mixed information about the child and the child’s father. Under section 29(1)(a) of the Privacy Act an agency can withhold information if releasing it would involve the unwarranted disclosure of someone else’s information. Given the nature of the information and the difficult relationship between the mother and the father it was unwarranted to provide this to the mother.
Case Note 226245 [2013] NZ PrivCmr 2 : Over-collection of medical notes by insurance company
FACTS
A man applied for trauma insurance with an insurance company. In the application he provided extensive medical information and authorised the company to collect health information relating to the application and any previous insurance claims. The company contacted the man’s doctor and obtained his full medical history for the preceding five years.
The complaint was that the company had collected more information than was necessary to process the application.
DECISION
Under rule 1 of the Health Information Privacy Code (HIPC) agencies must not collect health information unless the information is necessary for a lawful purpose connected with a function of the agency.
The insurance company advised that, in assessing the application, it identified three issues about which it wanted more information. The company’s policy was to request a medical report containing five years of medical notes in any case where more than two issues were identified.
The Commissioner found that the company should only have requested information relating to the three issues it had identified and that, as a result, it had breached rule 1 of the HIPC by obtaining the man’s full medical history for the previous five years.
The company accepted this view and amended its process so that it only asked for information relating to specific conditions identified in applications. It also reached a confidential settlement with the man.
Case Note 243548 [2013] NZ PrivCmr 3 : Recruitment agency fails to remove all personal information from an old online profile
FACTS
The complainant was previously a client of a recruitment agency. One of the agency’s services was to provide an online profile for the man which included extensive information about him, including his name, photo, physical description, qualifications and personal interests. He advised the agency he no longer wanted to use its services, and asked to have his profile removed. The agency removed his name and photo from the online profile and removed the link to the profile from its website. However, the rest of the profile was left online.
He later found that the edited profile still appeared in Google results when he searched his own name.
DECISION
Principle 9 states that an agency must not keep information for longer than is required for the purposes for which the information may lawfully be used. Although the man’s name had been removed from the profile, the remaining content could still be considered personal information that identified him: the profile retained detailed information about him and Google’s search engine was still linking it to his name.
The agency completely removed the profile from its website.
Case Note 248601 [2013] NZ PrivCmr 4 : Medical practice mitigates future harm after data breach
FACTS
A doctor working in a suburban medical practice had his car broken into and his bag stolen. The bag contained a USB stick holding the personal information of a number of patients, including the complainant. The data recorded the complainant’s first and last names together with details of the prescribed drugs and medical diagnosis.
DECISION
The medical practice acted quickly and fulfilled all four key steps an agency should follow in response to a privacy breach, being:
Breach containment and preliminary assessment
Following a data breach, an agency must take immediate steps to contain or limit it. This includes designating an appropriate individual to lead the initial investigation and determine who needs to be notified.
The medical practice received news of the theft the following day and the manager immediately made plans to contact the affected individuals. Our complainant was informed of the breach by his general practitioner and offered a meeting with the manager to discuss the situation.
Evaluation of the risks associated with the breach
An appropriate evaluation includes considering what personal information was involved, establishing the cause and extent of the breach, considering who was affected by the breach and whether those affected might be harmed.
The manager noted that the only identifying details in this case were the complainant’s first and last name. The complainant had frequently changed address in recent years and did not have a listed telephone number, so the manager considered that the stolen data would not readily allow him to be located. The manager believed the main harm was that the complainant might lose trust in the medical practice. However, the complainant had continued to use the practice’s services since the breach.
Notification
The patients were notified as soon as reasonably possible. The manager of the medical practice met the complainant to discuss the theft and apologised for the loss of his personal information.
Prevention
As a result of the breach, the medical practice took steps to increase the security of any data that was to leave the premises. A review was conducted of its patient information security policy, and immediate changes were drafted for sign-off by the practice’s Board.
The medical practice purchased new encrypted USB sticks immediately after the data breach, to be used wherever data is to leave the premises. An active register listing the staff who are permitted to use these keys was implemented, and an agreement drawn up for staff to sign acknowledging that they are responsible for the safety of the information.
Staff were advised both verbally and electronically of the new process and the medical practice ensured there was a transparent communication process with the staff about this incident.
The Commissioner was not satisfied that the patient had suffered harm that warranted damages, and was satisfied that the medical practice had taken appropriate steps in the circumstances.
Case Note 244873 [2013] NZ PrivCmr 5 : Man objects to CCTV camera in the men’s public toilets of a pub
FACTS
A man was concerned that he had been filmed in the men’s toilets of a pub by a fixed CCTV camera. He was initially unaware of the camera’s presence, but had later seen copies of the pictures taken while he was using the bathroom.
He complained that the use of a camera in toilet areas was an interference with his privacy. The pub manager said that several CCTV cameras were in place on the premises for safety and security reasons. Signs had been positioned around the pub to advise people that they may be filmed.
DECISION
The complaint raised issues under principle 4 of the Privacy Act. Principle 4, dealing with the means by which personal information is collected, requires that personal information must not be collected by unlawful means, by means that are unfair in the circumstances or by means that unreasonably intrude into an individual’s personal affairs.
The Commissioner considered the circumstances, including the purpose of the collection, whether the collection was effective to fulfil that purpose, the sensitivity of the information collected, whether realistic alternatives were available that would result in less intrusion into privacy, and whether the collection was overt or covert.
The Commissioner agreed that it was reasonable for CCTV cameras to be mounted in most public and staff areas for safety and security reasons, since there was a genuine need for them. There was adequate signage, the footage was only used for safety and security reasons, and there was adequate protection for the information, with only staff members able to access it. The general use of CCTV in most areas of the pub complied with the Act. The purpose for having a camera in the men’s toilet, however, was not clear. It was a permanent fixture and it overlooked the urinals. It captured highly sensitive information in an unreasonably intrusive manner and therefore breached principle 4. Even if the signage had indicated that there was a camera in the toilet area, that would not have made the camera justifiable given the other circumstances of the filming.
The pub manager agreed to remove the camera in the toilet area.
ISSUES
With the exception of Case Note 248601 [2013] NZ PrivCmr 4, dealing with a data breach of medical information, each decision is a careful and useful analysis of a distinct privacy-invasive fact situation. The medical breach decision is useful in setting out the mitigation steps and what should be best practice. The failure to award any damages is quite disappointing and an anaemic response to a very serious breach of basic privacy protocols. It is appalling, but all too common, practice for individuals to place sensitive personal information on a USB stick and then leave it vulnerable to theft. Patient data is generally regarded as the most sensitive of personal information, and rightly so.
While the mitigation practices adopted by the medical practice were good, even excellent, the breach was very serious and brought about by carelessness, if not negligence, on the part of the medical practitioner. That in and of itself would justify an award, even if not a significant one, being made. It is hard to contemplate how a patient would not be distressed by exposure of his or her medical data. Why shouldn’t that distress be a measure of damages (as was the case in Giller v Procopets)? That is an error of policy and, probably, at law. It is certainly a poor exercise of discretion by the Privacy Commissioner and inconsistent with what would have happened in the UK. It is also curious to see that the medical practice will still wish to use USB sticks, now encrypted, for data leaving the premises. Encryption limits the damage if a stick is lost, but a doctor taking patient data off the premises on a USB stick, encrypted or not, remains very poor practice: the data is still copied outside the practice’s control, and the protection depends on the strength of the passphrase and on the device actually being locked when it is lost. As the intention is to use the data on a computer elsewhere, the better practice is to use a remote access arrangement such as a VPN, so that the data is viewed from the practice’s own storage and never needs to leave the premises at all.