A correspondent writes:

My question to you today related to volunteer work as well as paid work I currently do in New South Wales. Every organisation has its own casualty record on either paper or electronic that is to be filled out for every treatment we do.

Mostly we are being told that these records are confidential and cannot be given to anyone except the casualty, a doctor or the ambulance crew attending. On some duties we are being strictly forbidden from disclosing any information to the event organiser while at some select duties and venues we are being told that it is ok to hand these to organisers and even for them to take photocopies of our sheets.

The arguments seem to contradict themselves as on one hand we’re being told that “it is against the law for us to disclose any information on the record” and on the other hand that “the organiser or venue has hired us to provide event health services at their venue so they are legally entitled to a record”.

My question to would be about which of these “it is the law” arguments is the correct one in this case?

The privacy laws represent cooperative federalism where there is cooperative legislation at both state and federal level; in this case the Privacy And Personal Information Protection Act 1998 (NSW) and the Privacy Act 1998 (Cth).   The legislation is designed to give effect to the Australian Privacy Principles (Privacy Act 1998 (Cth) s 14 and Schedule 1) and Information Protection Principles (Privacy And Personal Information Protection Act 1998 (NSW), Part 2).

Assuming that the services involved are not a government entity (ie not the Ambulance Service of NSW) then the service will be provided by an ‘APP entity and is bound by the Commonwealth Act (Privacy Act 1988 (Cth) s 6, definition of ‘APP entity’ and ‘organisation’).  The APP entity must not not collect sensitive or personal information about an individual ‘unless the individual consents to the collection of the information and he information is reasonably necessary for one or more of the entity’s functions or activities’ (Australian Privacy Principles 3.1 and 3.3). ‘Sensitive information’ includes health information. So far, so good, a first aid organisation needs to collect both personal and sensitive information in order to perform their fundamental task of providing care to the person involved and presumably the person consents when they answer questions about their name, address and what happened to them.

An entity that collects information ‘for a particular purpose … must not use or disclose the information for another purpose’ (Australian Privacy Principle 6.1).   On the face of it that would not allow disclosure to event organisers, but that warrants further consideration. First one has to consider what is the purpose for which the information is obtained, and then consider if there are any exceptions to the relevant rule.

Why is patient information obtained?

It is too simple to say that the information is obtained for the care of the patient. In many case care can be provided to a patient in a first aid situation without recording any of the details. If a person needs a bandaid, a pain killer, an ice pack and bandage, even CPR you don’t really need to record the details of who they are. The care can be provided without keeping any records. Continuity of care is also not a major issue.   A first aid organisation is not like a medical practice where records have to be kept so when the patient comes back the doctor can see what has been done before; most first aid organisations won’t see their patient a second time or provide follow up care. Nor are first aid organisations like a hospital where there will be care provided by many people within the institution who need to see what others have done.

There is an issue of continuity of care if the person is being referred to further care, eg if an ambulance has been called and the paramedics will take over the care and will, in turn, deliver the patient to hospital and there is value in giving a complete record to the treating hospital staff, but that is not most cases that first aiders deal with. There is also an issue of continuity of care if the person needs to follow up on their care with a medical practitioner or other health service and wants to give their copy of the patient record to their treating doctor, but that assumes that they are given a copy on leaving the first aid post.   Many people will not seek or require follow up care but even so patient details are recorded.

It follows that patient care may not be the only purpose of collecting information and it may not even be the primary purpose. There are other reasons to record patient information, both personal information (ie identifying details of name, address, date of birth) and sensitive information (details of their illness or injury, treatment given etc).   I suggest that the following are relevant:

  1. Quality assurance – an organisation needs to keep records so they can review the treatment given to ensure that members are treating their patient’s appropriately.
  2. Statistical analysis – an organisation needs to know how much work its members are doing. If you assume that the organisation provides first aid at many public events it has an interest in knowing how many patients were treated, the nature of their injuries and the level of care required. This allows them to plan for the next event. If they don’t keep the records and have to attend a similar event, or the same event if it’s a recurring event (eg an annual show) they need to know what happened last time in order to plan for the next.
  3. Legal evidence – the record serves as evidence as to what happened, and what did not. This can be vital for subsequent legal investigation and many entities may want to investigate matters. Apart from the obvious ‘self protection’ that is the value of the records should their be complaint about the first aid provided, the records will be of use to others. If people are injured at a public event there may be an investigation by police, the work health and safety inspectorate in the relevant jurisdiction, the department of health and others depending on the nature of the event and the illness or injuries.

All of those issues are relevant to the first aid organisation and the event organisers. They too need to know how many people needed care and why in order to plan for the next event and to consider how to manage the risk should they host another event. That will have more, or less, significance depending on who they are and the nature of the event. A one off event may not need that but an entity that manages a large public venue or regularly arranges events needs to know. That information may be met by de-identified data, ie the number of people, the nature of the injuries, and if there is a common case – eg 5 people treated for food poisoning, 3 for injuries from falling off the ride.

An organisation also has an interest in knowing who was injured – they may want to follow up with a letter or phone call to try to make amends. They may need the information so that if there is a claim they can identify if the person was in fact injured at their event and whether the event as recorded by the first aid staff matches what they are now claiming.

Disclosing the information

Let us assume, for the sake of the argument that the primary purpose of the record is for the benefit of the organisation so disclosing the information outside the organisation is a ‘secondary purpose’.   Information can be collected and disclosed for the ‘secondary purpose’ if:

  1. the individual has consented; or
  2. the individual would reasonably expect that the information would be used for the secondary purpose
  3. a ‘permitted general situation’ allows the disclosure of the information; or
  4. a ‘permitted health situation’

I will deal with those in turn.

1. If the person is told that information will be disclosed to the event organisers and they still give that information, consent can be inferred.

2. An individual might ‘reasonably expect’ that the information will be disclosed. Note that the use of the language ‘reasonably expect’ implies an objective test rather than proof of the expectation of the actual person concerned. Real people would probably never think about it and if they did some would think it obvious, and some would think it outrageous, that the information would be shared. It not the actual expectation of the actual patient that’s the test.

Here it is useful to ask ‘for whose benefit is the organisation on duty for?’ The answer you may want to give is ‘for the benefit of those that might be injured’ but I don’t actually think that’s correct. Imagine (as is the case) I’m the father of teenager daughters who are going to attend an open-air music festival. I might consider that there is a risk to their health and well being and I think there should be first aid services.   A volunteer or for-fee first aid service won’t go simply because I ask them to go, nor will they go and set up a first aid post simply because they too see the potential risk and think people would benefit from their attendance. They go if they are asked to by the event organiser. Why does the event organiser ask them to go? Because they appreciate the risk to patrons and they have done their risk assessment. Apart from their obligation to ensure that people are not exposed to a risk from their event, they have to manage the risk of how to deal with people who are injured. If they don’t take appropriate care they may be subject to prosecution under work health and safety law, they may be sued for failure to take ‘reasonable care’ and patrons who feel they are not being cared for won’t come next year.   The reason the first aid service is there is to manage the event organisers’ risk, not ‘my’ risk (as the concerned father) or even the patient’s risk.

Compare this to the state ambulance service. If one of my daughters is injured at the festival and her sister rings triple zero, the state ambulance service will respond to that request, they are coming for the benefit of the patient, not for the duty organiser.   A first aid organisation has no right to go the concert venue and set up a first aid post without the event organisers’ permission but the state ambulance service will go in whether the event organiser wants them to or not. In some states they have specific authority to do so (Ambulance Service Act 1991 (Qld) s 38) but even where they don’t have a statutory right of entry, the police do (see Law Enforcement Powers and Responsibilities) Act 2002 (NSW) s 9) and would be quite willing to exercise that power if the ambulance service said they were being ‘locked out’ of a venue from where someone had rung triple zero.

Whilst an average person would not think about whether their personal and sensitive information would be given to an event organiser, if they had all of that information a hypothetical person might reasonably expect such information would be shared.

In some cases it may be that the first aiders are in fact collecting information for the event organisers and this would be the case if the organisers had their own form they asked the first aiders to complete or perhaps a co-badged form, ie with the logo of both organisations on it. Then it is the event organisers that are collecting the information.

3. There is a ‘permitted general situation’ that would apply but this relates to given information to paramedics rather than the event organiser. Information may be shared where it is impracticable to obtain the person’s consent and ‘the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety’ (Australian Privacy Principles 3.4 and Privacy Act 1988 (Cth) s 16A). This would apply where for example, the person is unconscious and the first aiders hand their record to the paramedics to report what has happened and what has been done and this is necessary to ensure continuity of care.

4. Despite the fact that first aid services are a health service there is no relevant ‘permitted health situation’ as these relate to clinical research or the release of information ‘in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation’. That could be relevant if the people providing first aid are registered health professionals (eg doctors and nurses) but even so that won’t be relevant to sharing information with event organisers.

So what’s to be done?

This discussion has been complex and too complex to resolve on a case by case basis.

The ultimate step is that the first aid service ‘must have a clearly expressed and up-to-date policy (the APP privacy policy) about the management of personal information’ including ‘the purposes for which the entity collects, holds, uses and discloses personal information’ (Australian Privacy Principle 1.4).   The organisation should have thought about this issue and have it in its general policy.

In developing that policy an organisation should consider the needs of event organisers and it may be prudent to have a policy to provide to event organisers a report, after the duty, setting out the number of casualties and the types of injuries. Once that had been determined it could be explained in the generic privacy policy that would apply for most events.

Even so the issue should be discussed with event organisers particularly if the duty is a regular event or if first aid is being provided at a venue that hosts many events. If the organisers want more than a de-identified report that should be discussed and a specific policy for that event or venue could be developed.

Conclusion

My correspondent said ‘… we’re being told that “it is against the law for us to disclose any information on the record” and on the other hand that “the organiser or venue has hired us to provide event health services at their venue so they are legally entitled to a record”. She asks ‘which of these “it is the law” arguments is the correct one in this case?’

The answer is that neither are correct. It is not an offence to disclose information on the record and I would suggest that a person might ‘reasonably expect’ the information to be shared. It may even the be the case that the information is being collected on behalf of the organiser.

Equally, assuming that the information is not being collected ‘on behalf’ of the event organisers, then it may not be an offence to share the information but it does not mean they are legally entitled to the record. It may mean the service may share it, not must.

The solution is to think about it in advance, discuss the needs with the event organisers. The organisation needs to develop a policy, or policies that reflect the privacy principles which fundamentally requires being able to tell people what is going to happen with the information that they provide and which is held about them.