Today’s correspondent works as a paramedic in WA.  They say:

Regularly paramedics receive requests from WAPF [Western Australia Police Force] for statements relating to jobs that may involve police attendance i.e. SDFV [Sexual, Domestic, and Family Violence], assaults, sudden deaths, etc.

The official process is the police officer submits a written request (email) to our compliance department who then gather the details of the crew and forward the request along with the submitted case sheet to the paramedics advising they need to contact the police officer to submit a statement.

My concern (and question for your blog) is two points.

1. When the paramedic is notified by the compliance department, they also cc our line manager (which, depending on where we are currently working, can be 2 or 3 people), this means non-clinical managers who have nothing to do with the case are given full access to the patient case sheet.

When I have previously raised if this is a breach of privacy. The response has been “As we own the case sheet, we can pick and choice who is allowed to view it”.

Is this correct?

2. The notification from the compliance dept also states, “A copy of this statement should then be provided to the Compliance Department”

Again, is this not a breach of privacy? And what I wrote for a statement should have nothing to do with my employer?

The national privacy principles will be adopted in Western Australia with the Privacy and Responsible Information Sharing Act 2024 (WA) intended to come into effect on 1 July 2026.  Until then it appears there is no statutory protection of privacy.

The Privacy Act 1988 (Cth) will apply to an organisation that is not a state or territory authority.  Given the state government does not operate ambulance services in WA this is likely to apply to any paramedic provider in WA and my answer will, therefore, apply the Commonwealth Act.

I’m going to assume, without discussion, that the process described above involves the disclosure of personal information.  The relevant principle here is principle 6 regarding the use or disclosure of personal information.  It says that where an organisation has personal information

6.1 … that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:…

6.2 …

(a)  the individual would reasonably expect the [organisation] … to use or disclose the information for the secondary purpose … or

(b)  the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or…

(e) the [organisation] … reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

Let us assume that the health information is collected for the primary purpose of providing health care to the person and for ensuring continuity of care if and when the patient is transferred into the care of another health practitioner (though that position is debatable, it can be argued that quality assurance is equally a primary purpose of collecting information but I won’t enter that debate here, but see First aid patient records – who and what are they for? (January 31, 2015)).

If the records are released to the paramedics ‘line manager’ the question has be is that for a legitimate secondary purpose?  I would imagine that any person would realise staff beyond the direct clinician can access the organisations records for its own internal purposes including quality assurance and for accounting purposes (both for accounting for where stores etc have gone, but also for accounting to render invoices to anyone liable to pay for services provided).  There could be a legitimate reason for the line managers to review the case sheets to identify if there are any issues that need to be addressed, whether its quality assurance or support to paramedics who may have been involved in matters that the manager was not aware of.

In any event where the person accessing the information works for the organisation, the organisation is not ‘disclosing it’ where it remains in house and the employees have the duty to maintain the confidence.  The organisation does not physically exist, so it only ‘knows’ what its staff know. The privacy principles apply to the organisation and prohibit the organisation disclosing the information. Sharing the information internally to people who need to know it to allow the organisation to function is not disclosing the information, rather it is like letting one part of your brain know what another part already knows.

Whilst it may be going too far to say ‘As we own the case sheet, we can pick and choice who is allowed to view it’, because access should be limited to a ‘needs to know’ basis, it is the case that allowing staff who have a need for the internal management of the organisation to access the documents is not a breach of privacy.

Making a statement to police is neither required nor authorised by law.  But producing case sheets would be required if for example the police had a relevant search warrant.  Having said that the release of the information may be necessary for ‘for one or more enforcement related activities conducted by, or on behalf of, an enforcement body’ in this case WAPF.  Again that would authorise the release of the case sheet, but would not compel a paramedic to produce a statement.

The questions

In my opinion the scenario described in question 1 would not be a breach of privacy. The statement ‘we own the case sheet, we can pick and choice who is allowed to view it’ may go too far but is basically correct.  The case sheet belongs to the organisation and the organisation therefore knows what is in it. The organisation has that information and if someone within that organisation has access to it as part of their role, that is no breach of privacy. Access should be limited on a needs to know basis (eg it would be a breach of privacy if case sheets were shared around so people could laugh at the patients, or because they wanted to know what happened to their neighbour).   Assuming the line mangers have a legitimate need to know (and that would largely be up to the organisation to decide) there would be no breach.

As for the second question that is much the same. The statement repeats what’s in the case sheet and the paramedic’s observations as an employee.  What is written is relevant to an employer because what the paramedic did, or did not do, they did in the name of the employer.  The employer has quality assurance issues as well (one hopes) as a desire to support their employee. 

Conclusion

I cannot see that the situations described area a breach of the privacy principles. It does mean sensitive information about the patient is shared within the organisation, but the organisation already knows that information. What is prohibited is disclosing that information out of the organisation.  If that’s wrong (and one would argue that uncontrolled sharing could be a breach) then the use of the information in ways described would meet the test of using the information for a legitimate secondary purpose.

Paramedics however need to recall that even if asked, they are not obliged to answer police questions or provide a statement if they don’t want to.  There is no legal obligation to answer police questions – see Paramedic providing a statement to Queensland police (June 16, 2017) and Paramedics giving statements to police (August 24, 2024).

This blog is a general discussion of legal principles only.  It is not legal advice. Do not rely on the information here to make decisions regarding your legal position or to make decisions that affect your legal rights or responsibilities. For advice on your particular circumstances always consult an admitted legal practitioner in your state or territory.