A recent privacy case highlights the importance of obtaining consent before releasing personal information, and shows that the Privacy Policy is a significant document - not just words on paper.
Background
In the recent case of ‘IV’ v ‘IW’ [2016], the Australian Information Commissioner found that a general practitioner had breached privacy laws (APP 6.1 and 10.2 of the Privacy Act) because he disclosed personal information about a patient to third parties in a group email.
The doctor and the patient had been acquainted for many years.
Although they had a professional relationship, they also shared personal correspondence through email. The doctor also maintained email correspondence with a separate group of people.
In this case, the doctor referred to the patient’s mental illness in a group email, without the express permission of the patient.
The doctor argued that he believed that the patient had been consenting to the disclosures because it was the patient himself who had included the third parties into their email discussions.
Despite this, the doctor was found to be in breach and ordered to pay the patient $10,000 compensation for the interference to his privacy, including the harm to reputation suffered by the patient.
What’s the Law?
The Australian Privacy Principles (APPs) outline how ‘APP entities’ must handle, use and manage personal information. Not all businesses are classed as APP entities, but generally businesses that provide health services, trade in personal information (such as recruitment agencies), or have turnovers in excess of $3m per year are considered APP entities.
Use or disclosure of personal information (APP 6)
APP 6 outlines that where an APP entity holds information that was collected for a specific purpose (‘the primary purpose’), they cannot use or disclose it for any other purpose (‘the secondary purpose’).
The GP in this case argued that he thought that he had the patient’s implied consent, and that he acted out of concern for the patient’s health and safety.
However, the Commissioner found that despite the doctor being genuinely concerned for the patient, it was still inappropriate to manage the concern through the group email.
The Commissioner also held that the information the doctor disclosed was not relevant – the email discussions were about theological matters, not primarily about the patient’s condition (APP 10 – Quality of Personal Information).
It did not matter that the GP’s opinion about the patient’s health was valid – this did not give him the right to disclose that opinion in an irrelevant context.
Privacy Policy disclosure of personal information (APP 1.3)
In the Commissioner’s investigation, reference was made to the Privacy Policy of the GP. The privacy policy required express consent to be provided in writing in order to disclose information.
The Commissioner found that the disclosure was in clear breach of the GP’s own practice’s privacy policy.
Take Home Messages
1. Be careful with disclosures
The critical point is that disclosures of personal information must be clearly defined regarding what personal information is disclosed, and who it is disclosed to. If the information is of a sensitive nature, then consent must be obtained from the individual.
Consent regarding sensitive information may be express or implied, but must be clearly demonstrated. Information on disclosures more generally should be outlined in the Privacy Policy.
2. Check you comply with your own Privacy Policy
At some point, perhaps we have all been guilty of thinking that a policy is just a set of meaningless words on paper. But your Privacy Policy is an important document: it should be appropriate to your organisation; it should outline how you will meet the requirements of the APPs; it should inform individuals of how you will manage their personal information; and you should check you are complying with it.
Ask yourself the following questions…
- Are you aware of what your privacy policy commits you to?
- Do your practices and procedures actually comply with it?
- How often, and how, do you check compliance?
- Have you fully informed individuals on how you will manage their personal information?
- Do you confirm that you have a client’s consent before disclosing information?
- Even if you have consent, how do you ensure you only disclose information where it is relevant to do so?
Where Do You Go Next?
Dianne Gibert is the MD and founder of Service Excellence Consulting (SEC). She has over 20 years’ experience in business consulting, and a particular interest in privacy management. SEC offers workshops, webinars, privacy assessments and other support services. If you have any questions or would like to learn more about privacy requirements, contact Dianne on 03 9555 3877 or email to info@seconsulting.com.au.