A Tasmanian Ambulance Officer was contacted by his Regional Manager (a qualified, but not current or active Paramedic), he said he’d seen a case report where the officer was a patient and as a result he wanted a medical certificate before that officer can work again. Is this a breach of patient confidentiality or possibly in breach of the Privacy Act?  He must have been alerted to it by another paramedic, so if he’s in breach are others too?

This question was outside my normal field so I thank my ANU colleague, Daniel Stewart for his input into this answer.

Personal Information Protection Act 2004 (Tas)

The privacy law in Tasmania is found in the Personal Information Protection Act 2004 (Tas).  In that Act (s 3) ‘basic personal information means the name, residential address, postal address, date of birth and gender of an individual’.   Health information means –

(a) personal information or opinion about –

(i) the physical, mental or psychological health at any time of an individual; or

(ii) a disability at any time of an individual; or

(iii) an individual’s expressed wishes about the future provision of health services to him or her; or

(iv) a health service provided, or to be provided, to an individual; or

(b) other personal information collected to provide, or in providing, a health service; or

(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or

(d) genetic information about an individual that is or may be predictive of the health at any time of the individual or any of his or her descendants –

other than prescribed information, a prescribed class of information or information contained in a prescribed class of documents.

We can infer that Ambulance Tasmania is a ‘personal information custodian’ being the custodian of the information collected by its paramedics in the course of their duties (s 3, definition of ‘personal information custodian’).

Where a paramedic completes a patient record, they collect and record ‘basic personal information’ and to the extent they record observations about the patient’s condition, form an opinion as to the person’s medical condition and makes a record of the treatment provided then the paramedic is creating and recording health information.

Schedule 1, cl 2(1) that says:

A personal information custodian must not use … personal information about an individual for a purpose other than the purpose for which it was collected …

It is permissible to release medical information obtained by paramedics to treating hospital staff as the purpose of collecting that information is to provide continuity of care and the patient would reasonably expect treating paramedics to communicate their observations and treatment to the hospital staff (Schedule 1, cl 2(1)(a)).

It is also permissible to release or use information for other purposes if that is authorised by the exceptions set out in Schedule 2.  That Schedule says it is not a breach of the privacy principles to ‘use or disclose personal information’ if that is necessary to “lessen or prevent – (i) a serious threat to an individual’s life, health, safety or welfare; or (ii) a serious threat to public health or public safety” (cl 2(1)(d)).

Finally, it is permissible to disclose personal information if:

(i) the personal information is to be used as employee information in relation to –

(i) the suitability of the individual for appointment; or

(ii) the suitability of the individual for employment held by the individual; or

(j) the personal information is employee information which is being transferred from one personal information custodian to another personal information custodian for use as employee information relating to the individual;

Employee information means, inter alia, “… personal information about an individual who is … an employee relating to – … (e) the suitability of the individual … for employment held by the individual…’ (s 3).

Discussion

The problem here is distinguishing between Ambulance Tasmania as service provider and Ambulance Tasmania as employer and asking whether there should be, or can be, an artificial wall between its two roles.

As a general rule we can say that a paramedic, and Ambulance Tasmania should not tell an employer when an employee has been treated by the Ambulance Service.  The information is not obtained for that purposes.  In some circumstances, the account for ambulance services may be sent to the employer which will, necessarily, identify that the employee was treated but that would be the extent of the information that can be disclosed.  But in this case the ambulance service is the patient’s employer and once the ambulance service has information relevant to their employee’s health and fitness can it ignore that?  Can it pretend it doesn’t know what it does in fact know?

My correspondent refers to ‘a case report where the officer was a patient’.  We are not told what sort of condition warranted the ambulance care.  It may have been a traumatic injury caused in a motor vehicle accident, at home or during a sporting match or it may have been a suicide attempt or treating the paramedic for drug overdose at the ambulance station.  Clearly the implications will be different.

The first step is Schedule 1, cl 2(1) that says the ‘personal information custodian must not use … personal information about an individual for a purpose other than the purpose for which it was collected …’   This implies the artificial wall.  Information collected by Ambulance Tasmania as service provider is collected for specific purposes. I suggest that the Ambulance Service collects information about its patients to provide a history and to record the care given to ensure continuity of care when the patient is delivered to further medical care, to ensure quality control and to allow for appropriate billing.   It does not collect information to report to a patient’s employer, even if that employer is Ambulance Tasmania.  Prima facie then, to ‘use’ the information obtained from the paramedic as patient when dealing with the paramedic as employee would appear to be a breach of privacy.

But there are exceptions.  If the information revealed that the paramedic was significantly impaired and posed a risk to the health and safety of others, then it can’t be a breach of privacy for the paramedic to inform his or her supervisors or for Ambulance Tasmania to use the information obtained as service provider in its capacity as employer.  Even if passing the information across the fictional barrier would in other circumstances be a breach of privacy, it is no breach if it is necessary to “lessen or prevent – (i) a serious threat to an individual’s life, health, safety or welfare; or (ii) a serious threat to public health or public safety” (Schedule 1, cl 2(1)(d)).   If the paramedic is for example regularly overdosing on scheduled drugs then he or she may pose a threat to patient’s and therefore disclosing that information across the service provider/employer barrier would be justified.

With respect to employee information Daniel says:

Employee information is treated differently in different jurisdictions. At the Commonwealth level public sector bodies, including the ANU, generally protect against collection and disclosure of employee information, especially relating to health information. Tasmania seems to have taken the approach of exempting employee information (which includes information on the ‘suitability of the individual for appointment or for employment held by the individual’ (s3 employee information) from certain privacy principles, so that it is not a breach to collect employee information from a third party, and there are no special restrictions on collection of employee information that includes sensitive (including health) information (see s 10). Disclosure or use of employee information is also an exception to the general principle that sensitive personal information can only be used for the purpose it was collected or a directly related secondary purpose (sch 1, 2(1)(i)).

I would infer that the reference to employee information is to say there is no breach of privacy if for example a potential employer seeks a reference from a former employer and the former employer reveals that the candidate was dismissed or the like.  But as Daniel says there doesn’t seem to be any restrictions in the Personal Information Protection Act 2004 (Tas).

Ambulance Tasmania owes its employees duties under both common law and under the Work Health and Safety Act 2012 (Tas) to provide a safe system of work and not aggravate injuries, whether they are originally caused at work or not.   Given that once Ambulance Tasmania knows of their employee’s injury or illness it may be incumbent upon them to ensure that the employee is certified fit to return to work or that appropriate adjustments are made.   Accordingly if Ambulance Tasmania becomes aware of a health issue that affects the employee’s ability to perform his or her tasks, then again passing that information from Ambulance Tasmania as service provider to Ambulance Tasmania as employer would not appear to breach the Act because it is employee information that relates to the ‘the suitability of the individual for employment held by the individual’.

How the regional manager received the information

This is, I think, largely irrelevant.  If the regional manager was required, as part of his or her duties, to review case sheets for quality assurance or other purposes, then reading the case sheet and seeing that the patient was also an employed paramedic would not be a breach of privacy as the case sheet was being read for one of the purposes that the information is recorded.

Whether the treating paramedic alerted the manager is also not an issue because once the information was obtained by the treating paramedic then it was information ‘known’ by Ambulance Tasmania.  If the paramedic telling the manager was an example of passing the information from service provider to employer then it is justified for the reasons discussed above.

Conclusion

This is a very tentative answer and it’s clearly a very complex issue.  A definitive answer could only be had from a court or perhaps the Ombudsman as the agency responsible for receiving complaints under the Act (s 18).

My tentative view, however, is that the circumstances described would not constitute a breach of the Personal Information Protection Act 2004 (Tas).