Privacy Case Note 04/2014 (NPP 4)

Case note number: 04/2014

Privacy principles: NPP 4 – Data security

The complaint

The complainant initially wrote to the health agency to query whether a specific employee had accessed the complainant’s medical record. The health agency investigated the matter and confirmed that the complainant’s medical record had been subjected to unauthorised access and that this conduct had been dealt with under a disciplinary process. The agency declined to identify the employee who accessed the medical record.

The complainant subsequently made a privacy complaint under the Information Privacy Act 2009 (Qld) to the health agency. The outcomes sought by the complainant to resolve the matter included confirmation as to what personal information was accessed and a written apology from the agency. The complainant also sought confirmation of the identity of the employee who obtained unauthorised access to the medical record, together with a written apology and written undertaking from the employee.

The health agency responded by providing an outline of what personal information was accessed and advised that the request for a written apology from the agency had been referred to senior management. The complainant was also advised that the agency could not disclose the name of the employee and that it could not direct an employee to provide a written apology or written undertaking.

The complainant was dissatisfied with this response and brought their complaint to the Office of the Information Commissioner (OIC).

The alleged breach of the privacy principles

National Privacy Principle 4 (NPP 4) requires a health agency to take reasonable steps to protect the personal information it holds from misuse, loss and unauthorised access, modification or disclosure. As it was not in dispute that unauthorised access had occurred, the complaint was accepted as concerning a breach of NPP 4.

The mediation process

In the course of mediation discussions with OIC, the complainant withdrew their request for a written apology and written undertaking from the health agency employee.

The health agency informed OIC that a letter of apology had been sent to the mailing address it held for the complainant. Discussions with the complainant revealed that this letter had not been received. The health agency promptly provided a copy of the letter to OIC, which forwarded it to the complainant.

It was also discussed in the course of the mediation that, if the health agency were to reveal the employee’s identity to the complainant, this could breach the employee’s privacy and leave the health agency open to a new privacy complaint.

The health agency agreed to provide the complainant with more detailed information on what personal information the employee could potentially have accessed. Screen captures of the relevant tabs within the information system were generated to show the record as at the time the unauthorised access occurred, together with explanatory notes clarifying which tabs were not accessed and confirming that linked documents had not been opened.

The screenshots were subsequently provided to the complainant who obtained a measure of assurance that no sensitive health information had been accessed.