Health Privacy Principles: What is “health information”?
A recent decision of the NSW Civil and Administrative Tribunal (Tribunal) has provided further clarification on when ‘information’ is ‘health information’, rather than ‘personal information’, for the purpose of NSW privacy law.
In EIG v North Sydney Council [2022] NSWCATAD 127, the Tribunal found that North Sydney Council had contravened two Health Privacy Principles (HPPs) in relation to the manner in which it collected and disclosed information regarding an individual’s absence from meetings which was ‘health information’ and not merely ‘personal information’.
Background
Prior to the outbreak of the COVID-19 pandemic, Councillors of NSW Councils, including, North Sydney Council (the Council), were not permitted to participate in Council meetings remotely due to the operation of various Acts, Regulations and Codes.
In response to the outbreak of the pandemic, the Local Government Act 1993 (NSW) (LGA) was amended to allow Councils to meet remotely to assist them to manage the risk of transmission of COVID-19 at their meetings and to ensure compliance with relevant Public Health Orders. However, those amendments operated only until 26 March 2021.
In April 2021, following the ease of the COVID-19 pandemic, the Office of Local Government (OLG) informed Councils that due to an amendment to the Local Government (General) Regulation 2005 (LG Regulation) “councils have the option to permit councillors to attend and participate in meetings remotely by audio-visual link should councils choose to do so”. The OLG’s guidance included proposed procedures for managing requests for councillors to attend meetings remotely including that:
- Requests by councillors to attend meetings remotely by audio-visual link must be made in writing to the General Manager and must provide information about the meetings the councillor will be prevented from attending in person and the reason why the councillor will be prevented from attending in person; and
- A resolution by the council or a committee of the council permitting a councillor to attend one or more meetings by audio-visual link must provide the grounds on which the councillor is being permitted to attend meetings remotely by audio-visual link, but not where those grounds relate to illness, disability or caring responsibilities.
On 14 May 2021, the Applicant, a Councillor of the Council, made the following request (which was granted):
I request to attend all meetings of Council, including Council meetings, briefings, reference groups etc remotely for the next 5 months in accordance with medical advice. Please find attached a Medical Certificate.
I ask that my reasoning and this information remain confidential and that my privacy is maintained.
The Council subsequently published a report for the May meeting of Council on its website that included a report titled “3.01 Remote Attendance by Councillors at Council Meetings” which noted the reason for the Applicant’s request to attend meetings for the next 5 months remotely as “Medical (see separate confidential memo).”
Issues of disclosure
The Applicant subsequently requested that the Council conduct an internal review of the disclosure of their “Medical” reason. They alleged that the Council had breached the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) by including the word ‘Medical’ in the published report regarding the Applicant’s remote attendance at Council meetings. They said that the disclosure of the information caused them significant distress as they had kept the fact of their medical condition private to themselves and their spouse only.
The Council concluded that the relevant information was not ‘health information’, but ‘personal information’ for the purposes of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act). A third party engaged to assist the Council in the internal review concluded that the Council had breached Information Privacy Principles (IPPs) in the PPIP Act.
However, the Council concluded that any non-compliance with the IPPs was permitted by section 25 of the PPIP Act, which provides that an agency is not required to comply with the IPPs if non-compliance is permitted under another Act and, here, the internal review concluded that non-compliance was permitted under the LGA.
The Applicant subsequently sought an administrative review by the Tribunal, arguing that there was a disclosure of ‘health information’ in breach of, among others, the following HPPs:
- (4): which requires an organisation collecting health information from an individual to take reasonable steps to ensure that the individual is made aware of the purposes for which the information is being collected and the persons to whom the organisation usually discloses information of that kind.
- (11): which requires that an organisation that holds health information for a purpose (secondary purpose) other than the purpose for which it was collected (primary purpose) not disclose that information unless, relevantly, with the individual’s consent or where the secondary purpose is related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose.
The Decision
The Tribunal agreed with the Applicant that the use of the term ‘Medical’ in the context in which it was used meant that there was a disclosure of ‘health information’ for the purpose of the HRIP Act.
The Tribunal reiterated that information may be either ‘personal information’ or ‘health information’, but cannot be both. The Tribunal said that the information was ‘health information’ because the information, in context, made it clear that the Applicant’s in-person attendance was prevented for a medical reason or reasons and was therefore about the physical and mental health or a disability of an individual within the meaning of s 6(a)(i) of the HRIP Act.
Ultimately, the Tribunal found in favour of the Applicant, concluding that the Council had breached HPPs 4 and 11. In making that conclusion, the Tribunal accepted that the OLG’s circular and suggested procedures would have given rise to a reasonable expectation that the Applicant’s information would not be disclosed.
The Applicant did not seek an order for damages by way of compensation, but the Council was ordered to provide an unreserved apology to the Applicant.
The Council was also ordered to publish an anonymous notice on their website titled “Council found to have committed privacy breaches” and leave the notice up for a period of three months.
Key Takeaways
Organisations and agencies including Councils must be cautious about collecting, disclosing and publishing any health or health-related information about individuals as it may be regulated by the HPPs and HRIP Act which can impose a higher standard of regulation than the IPPs and PPIP Act.
To discuss this matter, or any other matters relating to NSW local government, contact a member of our team here.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.