Today’s correspondent is seeking advice on privacy laws. They say:

I am a WHS HSR [Work Health and Safety, Health and Safety Representative] and was wanting to get photos made of people who assault paramedics in our area displayed on the ambulance station as a precaution for paramedics to be cautious around these known offenders. This would be in a similar way police have wanted criminals on their notice boards and shops such as Bunnings have for people who shoplift.

When I raised it to my managers our legal team told them that it would breach patient confidentiality. I am of the opinion that is not the case. I contacted the federal privacy commission and they tend to agree stating exceptions to the privacy rule – one of which is assault but said it’s a state matter and to speak with the state privacy commission. When I contacted them they were not helpful stating it’s an organisation policy that needs to change but wouldn’t elaborate further (assuming 2 state government entities).

Currently we have addresses of these offenders flagged as caution notes on our MDT [Mobile Data Terminal] but a lot of the time these people call from another address – thus a photo when we approach would be useful.

I am not recommending not treating these people but moreover taking care when doing so and / or call for police to back us up.

I would love to hear your thoughts on the matter if you have time.

I can understand why none of the regulators are going to give an answer. It’s not their job to give legal advice and they cannot get a full picture of what is intended.  And as the regulators they may have to investigate and possibly take action to enforce the Act and don’t want to get into a situation where they have given pre-emptive advice. 

It has to be understood that if the information is obtained and used in the way suggested, the information is not being held by my correspondent or the paramedics at a particular station, rather it is being held by the organisation. It is the organisation that must comply with the law and the organisation that will be held to account if the law is not applied.

The law

Privacy laws are complex. There is the Privacy Act 1988 (Cth) which sets out the National Privacy Principles. There are however constitutional limitations on who the Commonwealth can regulate and, in particular, it cannot direct state government public sector employees (see the discussion of the ‘Melbourne Principle’ in the posts Industrial Relations and asking the CFA to stick to its bargain (January 26, 2015) and The Commonwealth setting terms and conditions of employment for Victorian fire fighters (May 20, 2015)). To cover the field, that is to catch those individuals and organisations that fall outside the Commonwealth law, each state and territory has passed complementary privacy legislation to apply the privacy principles to entities within their areas of responsibility. For example, in NSW there is the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW).

I don’t know what jurisdiction my correspondent is from, but I infer that it’s not Victoria (as they have the Occupational Health and Safety Act, not the Work Health and Safety Act). I also infer that they work for a jurisdictional ambulance service. With the exception of Western Australia and the Northern Territory, the jurisdictional ambulance services are state entities so it is most likely that it will be a state law, rather than the Commonwealth law, that applies. I will therefore use the NSW legislation as my model when answering the question.

For the purposes of the Privacy and Personal Information Protection Act, ‘personal information’ means (s 4)

… information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

It does not include ‘health information’ (s 4A). 

Personal information is held by a public sector agency (which would include NSW Ambulance (s 3, definition of ‘public sector agency’)) if ‘the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement’ (s 4(4); see also Health Records and Information Privacy Act s 9).

‘Health information’ is (Health Records and Information Privacy Act, s 6):

(a) personal information that is information or an opinion about–

(i) the physical or mental health or a disability (at any time) of an individual, or

(ii) an individual’s express wishes about the future provision of health services to him or her, or

(iii) a health service provided, or to be provided, to an individual, or

(b) other personal information collected to provide, or in providing, a health service, or

(c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or

(d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or

(e) healthcare identifiers,

but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.

It is not explained how my correspondent is going to obtain the photos in question but let us assume they are taken by paramedics while providing a health service to the person. 

An assault, in the strict sense, is an act putting someone in fear of actual physical violence. A battery is the infliction of actual violence but in modern times, at least in the criminal law, the term assault covers both assault and battery (an assault occasioning grievous bodily harm does not imply that the harm was caused by fear alone). Critically, to be an assault there has to be an intentional act. A person who strikes a paramedic whilst under the effect of an illness or injury such as hypoxic brain injury, hypo- or hyperglycemia, epilepsy, or a mental illness or the effect of drugs may not be guilty of an assault even if they strike the paramedics. But paramedics may still want to be forewarned that such an outcome is likely regardless of whether or not it constitutes the offence of ‘assault’.

If, therefore, paramedics are going to take photos of a person whilst providing a health service and record that along with an opinion that the person ‘assaulted’ a paramedic (when at law they may not have) then that is clearly recording an opinion about an individual who can be identified (identifying them being the point of the exercise) and it may be an opinion about their physical or mental health and it is information obtained whilst providing a health service. That is clearly ‘health information’ as defined. Further, if my correspondent works for the jurisdictional ambulance service (and here I’m assuming NSW Ambulance) then that information is held by that public sector agency. The information must be managed in accordance with the Health Records and Information Privacy Act. That does not mean the information cannot be recorded and used in the way intended, only that it has to be used in accordance with that Act and the Health Privacy Principles (s 19 and schedule 1).

The Health Privacy Principles (HPPs) are set out in schedule 1. HPP 1 says: 

An organisation must not collect health information unless–

(a) the information is collected for a lawful purpose that is directly related to a function or activity of the organisation, and

(b) the collection of the information is reasonably necessary for that purpose.

Collecting this information may be reasonably necessary for the purpose of the ambulance service protecting its staff.  It may also assist in the care of the patient in future if paramedics are aware that the patient may become aggressive as a result of their physical or mental illness. It may facilitate a more appropriate first response.

HPP 2 says:

An organisation that collects health information from an individual must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that–

(a) the information collected is relevant to that purpose, is not excessive and is accurate, up to date and complete, and

(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

There may be a debate about whether the collection suggested does, or does not ‘intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates’. It would be important to think about how one is going to ensure the information is ‘accurate, up to date and complete’.  If for example a person was violent some time ago whilst suffering a mental health crisis that is now controlled by their ongoing health care, is it still accurate and up to date?  There would have to be some system of review.

HPP 4 says:

(1) An organisation that collects health information about an individual from the individual must, at or before the time that it collects the information (or if that is not practicable, as soon as practicable after that time), take steps that are reasonable in the circumstances to ensure that the individual is aware of the following–

(a) the identity of the organisation and how to contact it,

(b) the fact that the individual is able to request access to the information,

(c) the purposes for which the information is collected,

(d) the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind,

(e) any law that requires the particular information to be collected,

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

Anyone would know that the ambulance service that treats them is going to collect information about them.  Presumably NSW Ambulance has a privacy policy that is available on request.  Any information collected would have to be managed in accordance with that policy.  Just as most people would not know exactly what information is kept and just as patients do not get given a copy of their case sheet, it is probably not necessary to tell a person that their photo is going to be kept for the purposes suggested. But anyone keeping this database would need to know that if a person did ask the ambulance service what information they held about them, the fact that their photo and the information was being held would have to be disclosed and the person would have a right to inspect that and to challenge it if they thought the information recorded was wrong (HPP 6, 7 and 8).  They may well object to a label of ‘assault’ if they were not acting voluntarily at the time.

HPP 5 says:

(1) An organisation that holds health information must ensure that–

(a) the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

(b) the information is disposed of securely and in accordance with any requirements for the retention and disposal of health information, and

(c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

(d) if it is necessary for the information to be given to a person in connection with the provision of a service to the organisation, everything reasonably within the power of the organisation is done to prevent unauthorised use or disclosure of the information.

This would be really important. If the photos were ‘displayed’ in a way that people who did not need to see them, eg visitors to the station, could see them, then that would be a problem. There would have to be procedures in place to ensure that only those that needed to know could access the data.

Health information is usually collected to provide health care to the patient. Protecting the welfare of paramedics would be a secondary purpose. Information can be used for a secondary purpose (HPP 10(1)(c)) if

… the use of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent—

(i) a serious and imminent threat to the life, health or safety of the individual or another person, or

(ii) a serious threat to public health or public safety,

It would therefore be up to the organisation (ie NSW Ambulance) to consider whether the threats posed are ‘serious and imminent’.  

Discussion

The issues are not ones for my correspondent to judge. It is up to the organisation to determine whether obtaining and using information in the way described would meet the tests set out in HPP 1, 2, 5 and 10. That is, the organisation would have to decide if the information needed to be kept to deal with an imminent and serious threat, whether it is sufficiently protected against unauthorised release, how it will be kept up to date etc. If information is kept by the ambulance coordination centre and released via the MDT then clearly the service has already made some decisions. One can see that if the information is centrally located it is easier for the service to respond to a request for that information and to have procedures in place to protect against improper disclosure and to allow for rectification. If the information is held at different ambulance stations, the central administration may not know about it and therefore would not be able to meet the obligations that fall to the organisation.

As for police having ‘wanted criminals’ there are different rules for them and for law enforcement generally.  And Bunnings are not keeping health information.

Conclusion

What follows is that it would not, axiomatically, be a breach of the privacy principles, and therefore a breach of privacy, to keep the information suggested. It would however expose the ambulance service to a risk that how the information is managed would be in breach of the Health Privacy Principles. It is the ambulance service’s responsibility, not the responsibility of an individual HSR, to make sure that the information is accurate, up to date, protected from disclosure, available for inspection on request etc. One can see that having this sort of data stored at an ambulance station would be very difficult to control and may well lead to a breach of the privacy principles. Simply putting the photos on a notice board would not be consistent with the records management requirements under the Act.

This blog is a general discussion of legal principles only.  It is not legal advice. Do not rely on the information here to make decisions regarding your legal position or to make decisions that affect your legal rights or responsibilities. For advice on your particular circumstances always consult an admitted legal practitioner in your state or territory.