Today’s question comes from a paramedic who works
… for a state ambulance service that provides free services to Centrelink recipients. The area I work in has a multitude of people who are on Centrelink benefits who do not seem eligible (eg. single parent pension when they live with their husband/wife/partner, disability pension when they have no medical conditions, job seeker even though they’re self-employed, on a pension but live in a brand new 5-bedroom house with a Mercedes in the driveway).
It is obviously for the purpose of providing health services that we obtain their name, date of birth, address, and customer reference number. But is it in breach of confidentiality to use this information to report to Centrelink suspected fraud?
I make the warning that it is important not to judge a book by its cover so issues of eligibility are different to issues of appearance; but I’ll answer the question accepting that there is sufficient evidence to at least raise a suspicion of fraud.
I have made a relevant, earlier post – see Paramedics and Patient Confidentiality number 2 (July 23, 2015); see also Discovering crime during an emergency response (July 19, 2016).
I don’t know what ‘state ambulance service’ my correspondent works for so I’ll refer to the Privacy Act 1988 (Cth) as the privacy principles contained there will also be reproduced in a relevant state Act to apply to a state government authority such as the ambulance service. The privacy laws relate to relevant entities rather than individuals but a paramedic who attends a scene and records information does so as part of the ambulance service response so the information they record and the opinions they form are held by the ambulance service.
The Privacy Act 1988 (Cth) defines ‘personal information’ (in s 6) as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’. Information about the person’s circumstances, and an opinion that they are in receipt of a social security benefit when not entitled would both appear to fit that definition. Health information (s 6FA) includes ‘information or an opinion about: (i) the health, including an illness, disability or injury, (at any time) of an individual…’. An opinion that a person in receipt of a disability or sickness benefit is not in fact suffering from that disability or sickness would appear to fall within that definition. Health information also includes ‘other personal information collected … in providing, a health service to an individual’ so the fact that a paramedic obtains personal information, or forms a relevant opinion in the course of providing a health service, would make both the information and the opinion ‘health information’.
Critically Australian Privacy Principle Six says ‘personal information about an individual that was collected for a particular purpose (the primary purpose ) … must not [be used or disclosed] … for another purpose (the secondary purpose ) unless’ one of the exceptions set out in the Principle apply. In context the information about the person was collected for the purpose of providing a health service. That information must not be disclosed for the secondary purpose – reporting an alleged breach of the Social Security Act 1991 (Cth) – unless permitted by the Privacy Principles.
Personal information may be disclosed by the relevant entity (ie the ambulance service not the individual paramedic) where ‘the entity ‘reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body’. The Australian Federal Police is an enforcement body, as is the Department of Social Security (see s 6, definition of ‘enforcement body’ paragraphs (a), (f) and (g)).
A paramedic could therefore raise their concerns with their employer and if the ambulance service took the view that the disclosure was necessary then it could release the information to the AFP or department; but I would imagine that the average ambulance service would take the view that the information obtained and the opinion formed is not sufficiently probative of a fraud and that the damage to the service’s trust would exceed any benefit. In short that it is ‘not our job’ to report such matters.
Individual paramedics are bound by the Paramedicine Board’s Code of Conduct which says:
You have ethical and legal obligations to protect the privacy of patients. Patients have a right to expect that you will hold information about them in confidence, unless the release of information is required or authorised by law …
I cannot see anything in either the Social Security Act 1991 (Cth) or the Social Security (Administration) Act 1991 (Cth) that would either require or authorise the release of the information. The Social Security (Administration) Act 1991 (Cth) allows for the release of ‘protected information’ for the purposes of the social security law (s 202(2)) but what is ‘protected information’ is defined (s 201A) by the Taxation Administration Act 1953 (Cth) and is not relevant in this context.
The Department does encourage people to report suspected fraud and will accept anonymous information (see https://www.servicesaustralia.gov.au/reporting-fraud?context=64107#centrelinkfraud). Their privacy notice says:
Centrelink is not able to trace the source of the report. You do not have to provide us with your name and contact details, however if you do, your name and contact details will only be used to enable an investigator from Centrelink the ability to contact you later if further information is required for their investigation. It is possible that information provided may be released to the person concerned, either as part of the appeals process, or under the Freedom of Information Act 1982. However, it is Centrelink’s policy to keep the identity of the person providing information confidential.
There is nothing in the process (at least as far as I was prepared to go into it) to say that a disclosure made in good faith is legally protected; nor can I find a legislative provision that suggests this is the case.
Conclusion
Obtaining information about a person’s circumstances and forming an opinion that they may be engaged in Centrelink fraud whilst providing a health service is to collect health information about that person. Disclosing that information and opinion to Centrelink is prima facie a breach of the relevant Australian Privacy Principles.
A paramedic’s employer may disclose that information if satisfied that the disclosure is reasonably necessary for an enforcement activity by the AFP or the Department but that would be a high bar in the circumstances.
It would appear to be a breach of the Code to release the information as the disclosure by an individual is neither required nor authorised by law. A paramedic could report their suspicions – even anonymously – but would have to consider the possible consequences if they were identified and the nature of their information may lead to a conclusion that they had to be the person supplying the information obtained whilst providing a health service.
This blog is a general discussion of legal principles only. It is not legal advice. Do not rely on the information here to make decisions regarding your legal position or to make decisions that affect your legal rights or responsibilities. For advice on your particular circumstances always consult an admitted legal practitioner in your state or territory.
Australian Emergency Law 
Re disability pensioners.
They aren’t disclosing their disability to you. If this a frequent occurrence, it might pay to consider “why don’t people trust me with their personal / health information?”
Sometimes people don’t want to disclose because of past experiences. Sometimes they don’t want to disclose to the person asking in the moment.