In the recent case of ‘IV’ v ‘IW’, the Australian Information Commissioner found that a general practitioner had breached privacy laws (APP 6.1 and 10.2 of the Privacy Act) because he disclosed personal information about a patient to third parties in a group email.
The doctor and the patient had been acquainted for many years.
Although they had a professional relationship, they also shared personal correspondence through email. The doctor also maintained email correspondence with a separate group of people.
In this case, the doctor referred to the patient’s mental illness in a group email, without the express permission of the patient.
The doctor argued that he believed the patient had been consenting to the disclosures because it was the patient himself who had included the third parties in their email discussions.
Despite this, the doctor was found to be in breach and ordered to pay the patient $10,000 compensation for the interference with his privacy, including the harm to reputation suffered by the patient.
What’s the Law?
The Australian Privacy Principles (APPs) outline how ‘APP entities’ must handle, use and manage personal information. Not all businesses are classed as APP entities, but generally businesses that provide health services, trade in personal information (such as recruitment agencies), or have turnovers in excess of $3m per year are considered APP entities.
Use or disclosure of personal information (APP 6)
APP 6 outlines that where an APP entity holds information that was collected for a specific purpose (‘the primary purpose’), they cannot use or disclose it for any other purpose (‘the secondary purpose’).
The GP in this case argued that he thought that he had the patient’s implied consent, and that he acted out of concern for the patient’s health and safety.
However, the Commissioner found that despite the doctor being genuinely concerned for the patient, it was still inappropriate to manage the concern through the group email.
The Commissioner also held that the information the doctor disclosed was not relevant – the email discussions were about theological matters, not primarily about the patient’s condition (APP 10 – Quality of Personal Information).
It did not matter that the GP’s opinion about the patient’s health was valid – this did not give him the right to disclose that opinion in an irrelevant context.
Take Home Messages
1. Be careful with disclosures
The critical point is that disclosures of personal information must be clearly defined regarding what personal information is disclosed, and who it is disclosed to. If the information is of a sensitive nature, then consent must be obtained from the individual.
Ask yourself the following questions…
- Do your practices and procedures actually comply with the Privacy Act?
- How often, and how, do you check compliance?
- Have you fully informed individuals on how you will manage their personal information?
- Do you confirm that you have a client’s consent before disclosing information?
- Even if you have consent, how do you ensure you only disclose information where it is relevant to do so?
Where Do You Go Next?
Dianne Gibert is the MD and founder of Service Excellence Consulting (SEC). She has over 20 years’ experience in business consulting, and a particular interest in privacy management. SEC offers workshops, webinars, privacy assessments and other support services. If you have any questions or would like to learn more about privacy requirements, contact Dianne on 03 9555 3877 or email to firstname.lastname@example.org.