Privacy Case Note -The Tribunal's powers to make orders concerning the systemic nature of an information practice/system [BKMv Sydney Local Health District  NSWCATAD 87]
View the full decision here BKMv Sydney Local Health District  NSWCATAD 87
Applicant claimed breach of HPP5 (security); HPP 10 (use) HPP11 (disclosure)
The applicant sought a review of the conduct of the agency in relation to a breach of the Information Protection Principles under the PPIP Act and the Health Privacy Principles under the HRIP Act. The applicant did not identify any IPP breaches and the review considered the HPP breaches only.
As the review related to a breach of the privacy provisions in respect of health information, the review conducted under section 21 of the HRIP Act is dealt with under the PPIP Act.
Respondent agency conceded breach of HPP5 (security) at internal review
The issues between the parties was not agreed. The agency conceded a breach of HPP 5 concerning the retention and security of health information. The applicant contended his privacy was breached as there was unlawful access, use and disclosure of his health information. Further the applicant submitted that the matters in relation to HPP 5 related to the practices in the workplace such as lack of security and systems.
The agency sought to have the matter dismissed by the Tribunal as the agency submitted that the Tribunal did not have the power to order the imposition of changes to the agency’s systems as desired by the applicant.
Tribunal made no findings but considered jurisdiction on review
The Tribunal did not agree with the agency in respect of changes to agency systems. The legislation and legal precedents make it clear that the Tribunal’s powers and functions under section 55 of the PPIP Act are broad enough to order the imposition of systemic changes, upon any finding of a breach.
While the Tribunal did not make findings in this matter, it did identify the three preconditions where the Tribunal has jurisdiction to consider a request for a review.
- Firstly the applicant must have applied for an internal review under section 53 of the PPIP Act.
- Secondly the applicant must be dissatisfied with the findings and recommendations of the review and this includes the actions taken if any arising from that review.
- Thirdly the applicant is requesting the Tribunal review the conduct that was the subject of the internal review.