Fact Sheet - Privacy-related complaints under the HRIP Act

Read this Fact Sheet below or download a copy here Privacy-related complaints under the HRIP Act November 2022

If an individual believes that an organisation has breached the privacy of their health information (including where the organisation refuses to provide access to health information), they may make a complaint to the NSW Privacy Commissioner under the Health Records and Information Privacy Act 2002 (HRIP Act). 

In response to a complaint under the HRIP Act, the NSW Privacy Commissioner may undertake an assessment of the circumstances in order to decide whether to deal with the complaint. This fact sheet is designed to assist individuals and organisations to understand how a privacy complaint relating to private sector organisations or persons will be managed.

Who does the HRIP Act apply to?

The HRIP Act applies to every organisation operating within NSW that:

  • is a health service provider, or
  • collects, holds, or uses health information.

NSW public sector agencies and private sector organisations that fall within either of these categories are required to comply with the Health Privacy Principles (HPPs), any health privacy code of practice, and provisions in Part 4 of the HRIP Act that might apply.

In addition to the HRIP Act, private sector health service providers in their handling of health information also come under the Commonwealth Privacy Act 1988 (Cth) and must comply with the requirements of that Act.

Who can make a privacy-related complaint under the HRIP Act?

Any individual (the Complainant) may make a complaint to the NSW Privacy Commissioner about an alleged contravention by a health service provider or an organisation of:

  • an HPP
  • a provision of Part 4 of the HRIP Act relating to retention, access and/or amendment to health information, or
  • a health privacy code of practice.

Where the alleged contravention relates to a NSW public sector agency, it may be more appropriate for the Complainant to ask the agency to undertake an internal review of the conduct under the Privacy and Personal Information Protection Act 1998 (PPIP Act) rather than make a complaint to the NSW Privacy Commissioner under the HRIP Act.

When a complaint should be made to the NSW Privacy Commissioner

A complaint under the HRIP Act must be made within 6 months after the time the Complainant first became aware of the alleged conduct.

If the complaint is received after this time period, the NSW Privacy Commissioner may decide not to deal with the complaint.

The NSW Privacy Commissioner’s role in dealing with HRIP complaints

Where the NSW Privacy Commissioner receives a complaint under the HRIP Act, the IPC will assess the complaint and determine whether there is a prima facie case that the Health Service Provider (the Respondent) had breached the Complainant’s privacy.

The NSW Privacy Commissioner’s powers include to:

  • endeavour to resolve the complaint by conciliation, or
  • further investigate the complaint and make a report, or
  • determine that the complaint has been resolved to their satisfaction.

The NSW Privacy Commissioner can also decline to deal with a complaint in some circumstances, including if the complaint is lacking in substance or there is a satisfactory and alternative means of redress.

Information that we need in order to consider the complaint

In order to progress a complaint, we may request certain information from the parties. The information that might be required will depend on the circumstances and nature of the complaint.

For example, if the complaint is about access to health information, Complainants should provide a copy of the written request for access to health information that was made under section 26 of the HRIP Act.

Respondents should provide a copy of any response they provided to the request under section 27 of the HRIP Act.

Process involved in dealing with a complaint under the HRIP Act

The IPC will register and acknowledge the complaint, then:

  1. The case will be assessed, and the IPC will send a letter to the Complainant with information about their options. The Complainant will be asked whether they would like the IPC to investigate the complaint, or whether they would prefer to make a complaint to the Commonwealth Privacy Commissioner under the Commonwealth Privacy Act.
  2. If the Complainant decides that they would like the IPC to handle the complaint, the matter will be allocated to a case officer, who will complete a preliminary assessment.
  3. During the initial stages, the IPC will seek to clarify the issues with the Complainant and request any further information that might be required. Depending on the issues raised in the complaint, this may include:
  • a copy of the written request for access made by the Complainant and any response received from the Respondent
  • correspondence between the parties
  • any evidence that may prove that the Complainant’s privacy has been breached
  • the outcome(s) that the Complainant is seeking in relation to the complaint
  • if the Complainant is acting on behalf of another person or seeking the health information of another person, a copy of the written authority, and
  • any further information that is relevant.
  1. The IPC will notify the Respondent of the complaint and seek the Respondent’s response to the complaint and any steps they have taken or are willing to take to resolve the complaint.
  2. After all relevant information is received, the IPC will then consider whether the complaint has been resolved, and if not, whether the complaint may be resolved  through conciliation or proceed to a report.

For complaints regarding access to health information (HPP 7), the case officer will consider whether the Respondent has met the requirements of HPP 7 and other provisions of the HRIP Act, including:

  • whether a response to the request was provided within 45 days after receiving the request
  • whether the Respondent provided access to the information or refused access to the information
  • if the Respondent had refused access to the information, whether they provided the Complainant with written reasons for refusing access
  • whether the reason(s) for refusal fall within a situation where access need not be granted.

For other types of issues such as the disclosure of health information (HPP 11), the IPC will look at whether the Respondent had disclosed the Complainant’s health information for a purpose other than the purpose for which the information was collected. If so, the IPC will also consider whether the disclosure falls within one of the exceptions set out in HPP 11.

For complaints about a request for amendment to health information (HPP 8), the IPC may consider whether the health information is incomplete, incorrect, irrelevant, out of date or misleading, together with any written reasons for Respondent’s refusal to make the amendment.

Possible outcomes if the NSW Privacy Commissioner decides to deal with the complaint

Resolution

The complaint may be resolved to the satisfaction of the NSW Privacy Commissioner through the IPC’s informal processes. For example:

  • during a complaint regarding access to health information, the complaint could be resolved by the Respondent providing access to the Complainant as part of their response to the complaint, or
  • the Respondent providing an apology or changing their processes and practices which is considered to have resolved the complaint. 

The IPC may also provide information to the parties to clarify the specific requirements under the relevant HPP.

Conciliation

The IPC may attempt further conciliation to resolve the complaint. In practice this can mean further corresponding with the parties to achieve a resolution and outcome that is satisfactory to both parties.

Report

If the complaint is unable to be resolved through conciliation, the IPC may decide to write a report. In that report, the IPC will consider whether there has been a breach of an HPP by the Respondent.

Once the report has been issued, the Complainant may apply to the NSW Civil and Administrative Tribunal (NCAT) for an inquiry into the complaint within 28 days. NCAT may order the agency to change its practices, apologise or take steps to remedy any damage. NCAT’s decision is enforceable, and they can award compensation.

Limits on outcomes

Please note that unlike the Commonwealth Privacy Commissioner and NCAT, the NSW Privacy Commissioner does not have the power to award financial compensation.

Other useful resources

Other resources that may be useful on this topic include:

For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall:           1800 472 679
Email:              ipcinfo@ipc.nsw.gov.au
Website:           www.ipc.nsw.gov.au

Document review date: November 2024

NOTE: The information in this Fact Sheet is to be used as a guide only.
Legal advice should be sought in relation to individual circumstances.