THE OFFICE OF THE PRIVACY COMMISSIONER

2008 - Complaint Case Note 4

Case Citation: 

D v Health Service Provider [2008] PrivCmrA 4

Subject Heading:

Unauthorised access to and security of personal information

Law:

National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant provided their personal information to a health service provider, a private clinic, during a consultation prior to undergoing a surgical procedure.  The complainant subsequently received a telephone call from the clinic asking the complainant to return for another pre-surgical consultation.  The clinic advised the complainant that it again needed to prepare pre-surgical notes as those prepared earlier could not be located.  The clinic advised the complainant that the notes were most likely in the complainant's possession, or the clinic's cleaning staff may have misplaced them.

The complainant felt that the clinic had not taken adequate steps to protect their personal information from unauthorised access or loss, and made a complaint to the Privacy Commissioner.

Issues:

Section 6 of the Act defines personal information as information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

In deciding what are ‘reasonable steps’ to ensure data security an organisation must consider a number of factors. For instance, what is reasonable depends on the circumstances in which personal information is held. The sensitivity of personal information stored is also an important factor and higher levels of security could be expected for sensitive information, such as health information.

Outcome:

The Privacy Commissioner opened an investigation into the matter under section 40(1) of the Privacy Act. 

The clinic advised the Commissioner that during the initial consultation with the complainant, the consulting doctor recorded some notes on an A4 sheet of paper.  However, the clinic asserted that the doctor did not record any information on the sheet of paper that would identify the complainant, such as their name, address or date of birth.  Immediately following the consultation the doctor realised that this A4 sheet of paper was missing.  The clinic assumed the complainant had taken the sheet of paper and contacted them to organise another consultation.

The clinic also advised the Commissioner that clinic staff did the day-to-day cleaning and that it did not have any contracted cleaners or other such persons who could have accessed the clinic's records. 

With reference to the clinic's security practices, the clinic advised the Commissioner that all patient files are kept in a lockable cabinet and only the doctor and clinic staff have access to this cabinet.  The clinic advised that it had told the complainant that cleaning staff may have lost the sheet of paper to spare embarrassment to the complainant.   

The complainant was unable to recall what specific information was recorded by the doctor on the A4 sheet of paper. In the absence of any evidence to the contrary, the Commissioner could not be satisfied that the missing A4 sheet of paper contained any ‘personal information’ about the complainant in that the content of that page did not identify them, having been separated from the rest of the complainant's medical file.

The Commissioner reached the view that the missing information consisted of one A4 sheet of paper separate from the rest of the complainant's medical file and did not meet the definition of personal information provided in the Act. 

Therefore, the Commissioner decided not to investigate the matter further under section 41(1)(a) of the Privacy Act as she was satisfied that there was no interference with the privacy of the individual.

OFFICE OF THE PRIVACY COMMISSIONER
May 2008


