LHD gained unauthorised access to the applicants’ health information

In this case the applicants alleged that the Local Health District (LHD) had breached their privacy when an employee of the LHD gained unauthorised access to the applicants’ health information.

The employee was a nurse at the LHD and the applicants were the nurse’s former wife, her mother and one of her brothers.

The applicants’ health information was recorded in the LHD’s electronic data base which was only accessible by means of a username and password. NSW Health policy requires that employees keep their passwords confidential and never leave their workstation unattended while logged in.

The nurse did not have a username or password but whilst on night duty in the early morning of 14 August 2015, found a computer that had been left logged on and used it to access the applicants’ health information.

At the time, the nurse and his former wife had a matter before the Child Support Agency and another matter before the Family Court. In connection with both those matters, the nurse provided an affidavit which the applicants alleged contained health information about them from the hospital database. The nurse maintained that the information was known to him because of his relationship with the applicants.

The applicant’s applied for an internal review of the LHD’s conduct. The internal review concluded that HPP 5 (Retention and security) had been breached because the staff member who failed to log out when she left her workstation failed to comply with the LHD’s policy. The internal review concluded that there had been no breach of the use and disclosure principles (HPPs 10 and 11).

The applicants then sought a review of the LHD’s conduct by NCAT.

The first question for NCAT was whether there had been any use or disclosure of the applicants’ health information by the LHD. NCAT concluded that the health information accessed by the nurse in breach of LHD policy was for his private purposes. The provision of the information to the Family Court and Child Support Agency was for “purposes extraneous to” the LHD. For those reasons the authority of Director General, Department of Education and Training v MT applied and there had been no use or disclosure of the applicants’ health information by the LHD.

Although the LHD had conceded that it had breached HPP5, NCAT were not bound by that concession. NCAT noted that the requirement in HPP 5.1(c) was for the LHD to take “such security safeguards as are reasonable in the circumstances” to protect health information. It did not necessarily follow that because there had been unauthorised access the LHD’s security safeguards were not reasonable in the circumstances. NCAT concluded that a further planning meeting was required to consider these issues.

Post by John Kell 

Most Popular Articles


When can the unqualified be qualified? Non-lawyers engaging in legal practice - when is it OK and when is the law broken

Only lawyers can provide legal advice, but anyone can provide legal information. When thinking of the difference, you might ask your friend or colleague to provide information about a serious illness; however you would seek out a qualified medical professional in relation to its treatment.

Service of Notices by Registered Post

Where service of a notice is authorised or required by post, unless the contrary intention appears, service will be deemed to be effected at the time when the notice would be delivered in the ordinary course of post: see the various Acts Interpretation acts of the States and Commonwealth.

Thanks, but no thanks – I don’t want to inherit

It seems odd that anybody would reject an inheritance, but for some beneficiaries, there are valid reasons they do not wish to receive their inheritance.

Subscribe to Our Blog

Keeping you connected, Hicksons regularly publishes articles to keep you up to date on the latest developments. To receive these updates via email, please subscribe below and indicate which areas of law you would like to receive information on.