Medical practices collect and store an array of personal and sensitive information about their patients. As the collection, use, disclosure and security of personal information is regulated by Commonwealth legislation, medical practitioners require an understanding of the regulatory framework and their legal obligations. The matter of ‘SD’ and ‘SE’ and Northside Clinic (Vic) Pty Ltd  AICmr 21 stands as a cautionary tale to medical practitioners and practices alike, who must remain vigilant to uphold patient privacy when relying on electronic communications.
Background to the case
On 12 June 2020, the Australian Information Commissioner and Privacy Commissioner (OAIC) ordered a medical practice to pay $16,400 to two complainants for breach of privacy arising out of sending an email with personal and sensitive information to an incorrect email address.
The first complainant was a patient of the practice with HIV positive status. He and his husband, the second complainant, had taken part in a global study into HIV transmission facilitated by the practice, and were considering participating in a further study. The complainants had previously provided their email addresses to the practice. Relevantly, the first complainant provided his work email address, which included a reference to his place of employment, and the second complainant provided a personal email address consisting of his first and last name together with his middle initial.
On 22 December 2017, the practice sent an email requesting consent for an additional HIV study to the first complainant and to an email address containing the second complainant’s first and last name but omitting his middle initial. The emails identified the complainants’ names, HIV positive status and same-sex relationship status, the clinic they attended for medical treatment, details of their previous involvement in an HIV study and, in the case of the first complainant, his place of employment (identifiable from his email address).
Australian Privacy Law
The Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Cth) regulate the collection, use, disclosure and security of personal information held by certain private sector organisations (APP entities). An APP entity includes any agency, individual, sole trader, body corporate, partnership, trust or any other incorporated association. [1]
Medical practices are bound by the APPs. This includes the duty of non-disclosure (APP 6) and the duty to take reasonable steps to protect personal information from unauthorised disclosure (APP 11).
It is an offence for an APP entity to contravene any of the APPs. [2] The maximum penalty for a serious or repeated contravention is the greater of $10m, three times the value of any benefit obtained through the breach, or 10% of the entity’s annual domestic turnover. [3]
The Privacy Commissioner found the practice to be liable for breach of APP 6 (disclosure) and APP 11 (security) by making the information accessible or visible to others outside the entity and releasing the subsequent handling of the personal information from its effective control. Although no evidence was led that the email had been read by the third party recipient, the focus of the Commissioner’s enquiries was on the act of disclosure itself, and not on the actions or knowledge of the recipient. In finding breach of APP 11, the practice was criticised for the lack of policy and procedure in place to protect from inadvertent disclosure.
The tightening of Australian privacy law, combined with regular media coverage of privacy breaches, has caused many businesses to reconsider their approach to complying with privacy legislation. Medical practitioners ought to be aware of their legal obligations when collecting, using, storing and disclosing personal information in the course of their practice. In the current digital environment, there is a real risk of inadvertent disclosure of personal information, as this case shows.
Medical practitioners and practice staff would benefit from policy and procedure to protect against inadvertent disclosure, such as two-step authentication processes when corresponding electronically, and mandatory privacy training for staff.
This article was written by Katharine Philp, Partner and Nadia El Moslemani, Law Graduate.
1. Privacy Act 1988 (Cth) s 6 (definition of ‘APP entity’ and ‘entity’).
2. Ibid s 15.
3. See Treasury Laws Amendment (Consumer Data Right) Act 2019 s 56CC.