Privacy determination –Sensitive Information held in garden shed

The Privacy Commissioner, Timothy Pilgrim, has found that a Melbourne medical centre has breached the Privacy Act 1988 (Cth) (Privacy Act) in failing to provide adequate security to protect Sensitive Information contained in medical information. The breach occurred before the Australian Privacy Principles (APPs) took effect and therefore the medical centre was found to have breached the National Privacy Principles (NPPs).

The medical centre stored the files of around 960 patients in a locked garden shed. The security of the files was compromised when the shed was broken into. The files contained detailed personal information including individuals’ full name, address, date of birth, Medicare number, treatment details as well as patient’s discharge summaries.

Under section 6(1)(b) of the Privacy Act Sensitive Information includes Health information which under section 6(1)(a) includes, but it not limited to, information or an opinion about: the health or a disability (at any time) of an individual that is also personal information; or other personal information collected to provide, or in providing, a health service.

The Privacy Commissioner highlighted the insecure, temporary nature of a garden shed and its inadequacy to protect sensitive information from unauthorised access and misuse. The files belonged to many patients that existed prior to 2004. In these circumstances many of the patient files should have been destroyed or de-identified as they were no longer necessary for the purpose in which they were collected. The files could have been shredded or disposed of using another secure method. In failing to take these steps, the medical centre placed its patients at risk of identity fraud.

The Commissioner advised the medical center to undergo a privacy risk assessment, train staff and develop a privacy breach response plan.

The amendments

The Privacy Act now contains thirteen (13) new Australian Privacy Principles aimed at protecting Personal Information.   The APPs apply to business with an annual turnover of more than $3 million, as well as some small businesses including Health Service providers. The actions of the medical center breached the new APP 11 which requires businesses to take reasonable steps to secure Personal Information. The finding suggests that keeping Sensitive Information in a locked garden shed does not constitute “reasonable steps”.

Civil Penalty Provisions

Recent amendments to the Privacy Act have provided the privacy commissioner with the new powers. The Commissioner may apply to the Federal Court for civil penalties orders. The civil penalty provisions currently allow for penalties of up to:

• $A340,000 for an individual; and
• $A1.7 million for a company.

While the substance of the principles under the Privacy Act have not changed. The penalties and prescriptive requirements have become more onerous. Health Services providers and other small business should consider this finding when assessing the adequacy of their current security procedures.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Privacy Amendment (Enhancing Privacy Protection) Act 2012

Other references

Office of the Australian Information Commissioner, APP Guidelines

Office of the Australian Information Commissioner, Australian Privacy Principles

Further information

If you need further information about complying with the Privacy Act 1988 (Cth), contact us for a confidential and obligation-free discussion:

Disclaimer

This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

---

Related insights about privacy compliance