Is your patients’ privacy adequately protected?
In a decision published on 1 July 2020,1 the Australian Information Commissioner and Privacy Commissioner ordered a medical practice to pay compensation totalling $16,400 to two complainants arising out of a breach of privacy resulting from the use of an incorrect email address.
This update considers how the Australian Privacy Principles apply to personal information held by medical practices and considers the protective measures which can and should be in place to safeguard that information.
Background
The complaint involved two complainants. The first complainant was a patient of the practice who had been diagnosed as HIV positive. The second complainant was his husband who was also HIV positive.
Both complainants had previously provided their email addresses to the medical practice in connection with a global study into particular aspects of HIV transmission facilitated by the medical practice.
On 22 December 2017 the medical practice sent email communications to the complainants regarding an opportunity to participate in a further study. The emails contained personal information pertaining to the complainants including:
- Their names;
- Their HIV positive status;
- Their same-sex relationship status;
- The clinic which they attended for medical treatment;
- Details of their involvement in a medical study; and
- In the case of the first complainant, his place of employment (which was identified in his email address).
(‘the personal information’)
The emails to the second complainant were sent to an incorrect email address (‘the error’).
The first complainant (who had been copied into the communications to his husband) realised and alerted the medical practice to the error promptly by reply email on 22 December 2017.
The medical practice failed to acknowledge the error or take any steps at all to rectify it at any time until 29 January 2018 and, indeed, after the first complainant had followed up to enquire what was being done.
The incorrect email address belonged to an unknown recipient. It was established that it was a valid email address, but it was not established whether the email had been opened or read, or that any other use had been made of the personal information by the owner of the incorrect email address. The medical practice sent a follow up email to the incorrect email address requesting the original emails be destroyed but did not receive any response.
Relevant Australian Privacy Principles
The Australia Privacy Principles (APPs), which are set out in Schedule 1 to the Privacy Act 1988 (Cth) regulate the collection, use, disclosure and security of personal information held by Australian Government agencies and certain private sector organisations (APP entities).
Medical and allied health practices and hospitals are all captured by and bound to comply with the APPs.
In this case, the Commissioner was satisfied that the personal information held by the medical practice was not only ‘personal information’ but ‘sensitive information’ as defined by the Privacy Act. Use and disclosure of ‘sensitive information’ attracts higher scrutiny under the APPs.
The principles of particular relevance to this complaint were APP 6 and APP 11.
APP 6 requires that where an entity holds sensitive information that was collected for a particular purpose, it must not use or disclose the information for a secondary purpose.
APP 11 requires an entity to takes such steps as are reasonable in the circumstances to protect personal information that it holds from, among other things, unauthorised disclosure.
The Decision of the Information Commissioner
Breach of APPs
The Commissioner was satisfied that the medical practice had disclosed sensitive information pertaining to both the first and second complainant to the unknown owner of the incorrect email address. This disclosure was in breach of APP 6.
The Commissioner was also satisfied, in the absence of any evidence from the medical practice as to what measures had been taken prior to the error to protect the personal information that it holds from unauthorised disclosure, that APP 11 had been breached.
Compensation Awarded
The complainants sought $250,000 in compensation. Reports from treating psychologists were provided to the Commissioner in support of the claims.
In coming to a decision on the compensation to be awarded the Commissioner considered:
‘the nature of the information, being sensitive medical information, the fact that the disclosure was to a single third party who does not appear to have used the information in any way, the impact of the disclosures on each of the complainants, and the relevant case law.’
The present case was said to involve a ‘one-off occasion of disclosure to a single private email address’. On that basis it was distinguished from previous cases that have seen a high award of damages which involved ‘disclosure to the public at large over a sustained period of time’
The first complainant was awarded $10,000 for distress and psychological damage caused by the error. This distress was compounded by the fact the error resulted in a breakdown of the doctor patient relationship with his treating practitioner from the medical practice resulting in him being forced to find a new doctor. In addition, he was awarded $3,500 for the costs he had incurred and would incur in receiving treatment for this psychological damage.
The second complainant was awarded $3,000 for his distress and psychological damage. The medical practice had already funded his psychological treatment and no further award for psychological treatment was made.
Take Home Message
As this decision demonstrates, a simple error of mis-typing an email address can be enough give rise to a breach of the APPs and an award of compensation against a medical practice.
You could help to protect your organisation from complaints and awards of compensation under the APP by taking reasonable steps to ensure that your patients’ personal information is protected from unauthorised disclosure. These might include:
- Enforcing strict guidelines for the use of email communication with patients which dictate avoidance of email communication where possible.
- Privacy training for practice staff (both clinical and administrative).
- A compulsory two-step authentication process for the email of personal or sensitive information.
If you become aware that a breach has occurred, act promptly to address the breach and reassure the patient that you are taking steps to do so. Not only could prompt redress limit the scope of unintended disclosure and use of the patients personal information, it could also minimise the distress suffered by the patient and be taken into account as a mitigating factor when compensation is being assessed.
1‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21
