ALZ and the OH & S Division of WorkCover
The Civil and Administrative Tribunal (the Tribunal) decided that the Health Privacy Principles (HPPs) of the Health Records and Information Privacy Act 2002 (NSW) (the HRIP Act) permitted WorkCover NSW (who later became SafeWork NSW) to use my health information against my interests, without my knowledge or consent even though WorkCover had contravened the HPPs that obliged it to obtain my consent.[1] I found that hard to accept.
I appealed, without any real success, to the Tribunal’s Appeal Panel[2] then asked the President of the Tribunal to refer questions of law about the interpretation of the HPPs to the Supreme Court for the opinion of the Court because I thought it likely that the Tribunal would follow itself/the Appeal Panel when it decided a related matter that raised the same interpretation issues (it did follow itself and then some[3]) but the Tribunal decided not to refer the questions. [4]
Later in the proceedings the Tribunal said “this has been a long and difficult matter”[5]. I thought so too because many of my rights (including the right to fair damages as compensation[6]) were not, despite my best efforts, vindicated.
This post is about:
How I became involved with WorkCover NSW
How I found out about the privacy breach
My approach to the construction of the HPPs
Our different perspectives on whether or not the HPPs were contravened
How I became involved with WorkCover NSW
When I felt unsafe at work I submitted a hazard report because that’s what my employer’s Occupational Health and Safety (OH & S) procedure said to do. Later on I reported the risk of harm to WorkCover, who was NSW’s OH & S regulator.
WorkCover said it would see whether my employer, Lismore City Council (the Council), had and were following an adequate bullying policy. While WorkCover were doing that I went on sick leave and made a workers compensation claim. The Council’s workers compensation insurer required me to attend an Independent Medical Examination with a psychiatrist because it wanted information to help it determine whether I was injured and if so whether the injury related to my work.
WorkCover notified me by email that it had completed its investigation[7]. It said it had reviewed the Council’s Harassment (sexual, gender, race, religion etc.) Policy and I had been performance managed not bullied. I thought that was a peculiar and wrong finding so I phoned WorkCover to see if I could find out why it had reviewed the Council’s Harassment Policy instead of its Bullying Policy and how on earth it had concluded that I’d been performance managed.
How I found out about the privacy breach
WorkCover said to apply for the investigation documents under the Government Information (Public Access) Act 2009 so I did. When WorkCover gave me the documents I was very upset and angry to learn that after I contacted WorkCover about its investigation it collected the psychiatrist’s report from the Council (who had collected it from the insurer in contravention of the HPPs) and quoted the doctor’s not-very-nice opinion in a report after it had conducted a review of its investigation.[8]
I wrote to WorkCover and asked it to review its collection and other handling of the psychiatrist’s report but it didn’t. It made a wrong finding that it had collected the report from the Council’s insurer and purported to understand that I was complaining about the management of my workers compensation claim.[9] It used health information that it had collected from the insurer in its internal review findings to imply that I was a serial complainer and a danger to myself or others. It sent the findings to the Privacy Commissioner and to me. That didn’t satisfy my privacy complaint so I lodged a review application in the Tribunal and argued with WorkCover/SafeWork about the legality of its conduct for four and a bit years.
My approach to the construction of the HPPs
As an Appeal Panel indicated I assume that privacy legislation should be interpreted in a way which protects my [and other people’s] privacy to the greatest extent possible[10]. And that’s okay because there’s a rule of construction which says that beneficial and remedial legislation is to be given … a construction that is fair, large and liberal.[11]
Our different perspectives on whether or not the HPPs were contravened
In the Tribunal I said that WorkCover had contravened HPPs 1, 3, 4, 5, 6, 9, 10 and 11.
WorkCover said it had done nothing wrong.
The Tribunal said that WorkCover had contravened HPPs 3 and 4,[12] and 5.[13]
And the Appeal Panel said that WorkCover had also contravened HPP 6[14].
Our different perspectives on whether or not the HPPs were contravened could be explained by the fact that I was hurt and angry and seeking to vindicate every conceivable right the HRIP Act gave me.
WorkCover, it seemed, was fiercely defending its OH & S Act powers.
The Tribunal and Appeal Panel, I think, balanced WorkCover’s HRIP Act obligations with its OH & S powers but instead of letting the HPPs constrain the powers it let the powers overcome the HPPs. I think that was wrong because the HPPs had the clear words needed to constrain the power but the OH & S Act didn’t have the clear words that the Principle of Legality says are needed to overcome my fundamental, and correlative statutory right, to health privacy.
Re correlative rights: When a duty is “imposed for the benefit of particular persons, there arises at common law a correlative right in those persons who may be injured by its contravention”.[15]
The lawful collection HPP
As I see it HPP 1 lifts a necessarily implied blanket prohibition against the collection of health information if the would-be collector can satisfy HPP 1’s conditions.
HPP 1 (1)(a)
“An organisation must not collect health information unless … the information is collected for a lawful purpose that is directly related to a function or activity of the organisation.”
The Tribunal accepted WorkCover’s evidence and decided it had collected the psychiatrist’s report for the lawful purpose of the OH & S investigation but I did not.[16] I thought WorkCover collected the report after the investigation was over and used it to attack me because I queried its investigation and I didn’t think collecting sensitive health information for the purpose of attacking a person with a legitimate complaint was a lawful purpose that would lift HPP 1’s prohibition against collection.
HPP 1(1)(b)
“An organisation must not collect health information unless … the collection of the information is reasonably necessary for that purpose.”
The Tribunal applied a subjective test and said the collection was reasonably necessary because WorkCover thought the health information might be relevant.
However, “the word “reasonably” qualifying the word “necessary” imports an objective test”[17] and I thought the collection of a psychiatric report that contained information about my daughter’s, sister’s and father’s health and information about my relationship with my husband plus a psychiatrist’s opinion about my mental health was not reasonably necessary for the purpose of determining whether the Council had and were following an adequate bullying policy.[18]
When I appealed the Appeal Panel said that the ‘reasonably necessary’ test is objective but HPP 1 had to be applied fairly with regard to the uncertainties that surround the decision to collect health information, especially in investigative contexts. [19]
I’m all for fairness but I think the Appeal Panel should have been fair to me and had regard to the fact that the investigative uncertainty it referred to only arose because WorkCover circumvented its HPP 2 obligation to:
“take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that … the information collected is relevant to that purpose, is not excessive and is accurate, up to date and complete, and … the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates”
when it contravened HPPs 3 and 4.
HPP 1 (2)
“An organisation must not collect health information by any unlawful means.”
I think WorkCover collected the psychiatric report by an unlawful means because the means it used contravened HPPs 3 and 4, and contravening HPPs is expressly prohibited by s11 of the HRIP Act, which says organisations are “required to comply with the Health Privacy Principles and … must not do any thing, or engage in any practice, that contravenes a Health Privacy Principle …” That was my submission in the Tribunal and in the Appeal Panel.
The Tribunal was silent on the unlawful means issue. It did not, as the Appeal Panel stated, hold “that the collection of the report complied with … HPP 1(2)”[20] and I did not, as the Appeal Panel stated, “argue[s] by reference to various provisions of the OHS Act that the inspector adopted ‘unlawful means’ and thereby breached HPP 1(2).[21]
The Appeal Panel suggested that an unlawful means might involve some form of surreptitious collection or covert listening or filming; and it might. But “the word “any” does not lend itself to a restrictive interpretation,”[22] “it imports a universal and unlimited application to the subject described,”[23] and as HPP 1 (2) prohibits collection by “any unlawful means” it would include a means of collection that was unlawful under the HRIP Act. That’s what I think anyway.
HPPs 3 and HPP 4
HPP 3 obliged WorkCover to “collect health information about an individual only from that individual, unless it is unreasonable or impracticable to do so” and HPP 4 required it to take steps to make me aware of certain matters and my rights.
The Tribunal decided that WorkCover had contravened HPPs 3 and 4, which principles had given me the right to consent or not to the collection and consent or not to WorkCover’s proposed use of my health information.[24]
HPP 5
HPP 5 (1)(c): An organisation that holds health information must ensure that … the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse.
The Tribunal wasn’t satisfied, and neither was I, that the security safeguards WorkCover took were reasonable and it decided that WorkCover had contravened HPP 5 (1)(c).[25] That was straightforward enough (though a lot of work for the parties and the Tribunal).
But I didn’t anticipate that the Tribunal would decide that WorkCover could retain and use health information it had collected in breach of HPPs 3 and 4 so I didn’t argue in the Tribunal that WorkCover had contravened HPP 5 (1)(a), which says:
“An organisation that holds health information must ensure that … the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used”.
In the appeal I raised whether HPP 5 (1)(a)-(b) obliged WorkCover to dispose of, not retain the psychiatrist’s report arguing that compliance with HPPs 3 and 4 was a necessary pre-condition to the valid holding of the health information.
WorkCover did not make a distinction between HPP 1’s ‘lawful purpose’ and HPP 5’s ‘purposes for which the information may lawfully be used’. It said its breaches of HPPs 3 and 4 did not bear on the lawful purpose. I’d agree with that but the issue was whether in light of the breaches it had a purpose ‘for which the information may lawfully be used’ and that’s not the same thing at all. The Appeal Panel, it seems, did not make the distinction between having a lawful purpose and having a purpose ‘for which the information may lawfully be used’ either because they agreed with WorkCover “that the finding that the collection was lawful disposed of the HPP 5(1)(a) issue”.[26]
I think that was wrong because HPP 5 applies to an organisation that holds health information and “health information is held by an organisation if … the organisation is in possession or control of the information.”[27] “The phrase “possession and control” denotes the right and power to deal with the article in question”,[28] and “the legal right to control is central to the common law’s concept of possession[29]”.
HPP 6
An organisation that holds health information must take such steps as are, in the circumstances, reasonable to enable any individual to ascertain … whether the organisation holds health information … relating to that individual, and … [if so] the nature of that information … the main purposes for which the information is used, and … that person’s entitlement to request access to the information.
In the Tribunal I said that WorkCover had contravened HPP 6 because it did not take such steps as are, in the circumstances, reasonable to enable me ascertain that it held my health information, the purpose for which my information was used, and my right to access the information, which is the obligation that HPP 6 imposed on WorkCover.
Both the Tribunal and the Appeal Panel agreed with WorkCover that HPP 6 required WorkCover to have a privacy management plan but the Appeal Panel didn’t think WorkCover’s Privacy Management Plan was good enough and it found that WorkCover had contravened HPP 6.[30]
I think WorkCover’s, the Tribunal’s and the Appeal Panel’s construction of HPP 6 is wrong because section 33 of the Privacy and Personal Information Protection Act 1998 (NSW) gives agencies an express obligation to prepare and implement a privacy management plan and the privacy management plan must include provisions that ensure compliance with the Health Records and Information Privacy Act 2002. It doesn’t make sense that Parliament would provide by a very loose implication in HPP 6 what it had expressly provided for in s33. Furthermore, HPP 6 (2)(b) says an organisation is not required to comply with one of its clauses if non-compliance is permitted under the State Records Act 1998 and it seems very unlikely that the State Records Act 1998 would permit an agency not to have a privacy management plan.
If HPP 6 doesn’t provide an obligation to have a privacy management plan then it must mean what it says unambiguously in plain words and WorkCover had a positive obligation to take such steps as were, in the circumstances, reasonable to enable me to ascertain whether it was holding my health information, why, and what the hell I could do about it.
HPP 9
An organisation that holds health information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
I felt violated, humiliated, shamed, angry and anxious when I learnt that WorkCover had collected and used the psychiatrist’s report.
The Tribunal accepted WorkCover’s submission that its assumption that the psychiatrist’s opinion was accurate was a reasonable step to take to ensure that the opinion was accurate and the Appeal Panel said it was open to Tribunal to make that finding.[31]
I find that so unfair that I can only conclude that WorkCover, the Tribunal and the Appeal Panel were so bedazzled or excited or impressed by the powers that the OH & S Act had conferred on WorkCover to determine whether Lismore City Council had and were following an adequate bullying policy that they failed to see HPP 9 for what it really was; a prohibition against use that was only lifted if WorkCover took such steps as were reasonable in the circumstances (an objective test that depends on all the circumstances)[32] to ensure , having regard to the limited scope of the investigation (which scope WorkCover verified), that the information was relevant and accurate and up to date and complete and not misleading.
As far as I’m concerned the circumstances were not, as the Appeal Panel said; the practicalities of an investigation,[33] nor how recent the opinion was,[34] nor that a fast investigation’s a good investigation,[35] nor that in the Appeal Panel’s opinion I was not entitled to procedural fairness.[36] The circumstances were that:
- WorkCover had failed to follow the prescribed collection process and consequently (by my construction of HPP 5) it was not authorised to keep the information because it did not have any purpose for which the information may lawfully be used.
- WorkCover had (by my construction of HPP 6) an obligation, which it did not comply with, to tell me that it had the report, why it had it, and the fact that I had a right to ask it to dispose of the report.
- The HPP’s that WorkCover circumvented (HPP 2) and contravened (HPPs 3 and 4) provided me with a statutory right to procedural fairness—the right to be heard as to why the report was not relevant, accurate, up to date, or complete and why it was misleading and excessive.
- The information would lower me in other people’s eyes and “it has long been accepted that reputation is an interest attracting the protection of the rules of natural justice”. [37]
- As NSW’s workers compensation regulator WorkCover would have been aware that disputes about medical information are an inherent part of the workers compensation system (I cited a great authority in support of that)[38] and aware too that workers compensation legislation gives workers rights in relation to insurer initiated medical opinion. Relevantly, the Council’s insurer did not provide the psychiatrist with medical information from my treating doctor or my position profile as the statutory guidelines required it to, and it paid the doctor $5000 when the maximum scheduled fee was $1131.60. The psychiatrist’s opinion, though honestly held, was ill-informed and grossly expensive.
In the above circumstances the only reasonable step that I can see to ensure that the report relevant, accurate, up to date, complete and not misleading would have been for WorkCover to comply with HPP 4 or HPP 6 and allow me my statutory right to be heard as to why the report was not relevant and accurate etc, and let me know what rights I had to protect myself from further violations of my health privacy.
HPP 10
An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless … the individual to whom the information relates has consented to the use of the information for that secondary purpose …
When WorkCover violated my health privacy I wanted HPP 10 to prohibit the use of health information for the primary purpose for which the information was collected unless the individual to whom the information relates has consented to the use of the information, but HPP 10 didn’t say that. It only prohibited the use of information for a secondary purpose unless the individual consented.
But neither did HPP 10 say that “an organisation that holds information should only use the health information in its possession for its primary purpose.”[39] That’s just an inference that the Appeal Panel drew and called HPP 10’s basic rule. The problem with the rule is that the Appeal Panel applied it in my case in circumstances where WorkCover was obliged to obtain my consent but didn’t. So the rule effectively became ‘an organisation that holds information may use the health information for the primary purpose for which it was collected with or without the consent that the individual was entitled to give or withhold.’
I don’t think that’s a correct construction of HPP 10 because firstly, the inference that became the rule was not open to be drawn. Not when you accept that HPPs 3 and 4 oblige organisations to obtain the individual’s consent to use their information for the primary purpose for which it was collected and accept too that HPP 10 applies to “an organisation that holds [possesses and controls] health information” and “the phrase “possession and control” denotes the right and power to deal with the article in question.”[40]
Secondly, the Principle of Legality presumes that “the legislature does not intend to abrogate or restrict a fundamental right or freedom except by words of clear intendment”,[41] and HPP 10 does not say in clear words that organisations can use health information for the primary purpose without the consent that the individual was entitled to give or withhold.[42]
I think HPP 10 should extend to prohibit the use of health information for the primary purpose unless the individual has consented to the use because Parliament clearly intended organisations to obtain consent for the primary use[43], they clearly intended to protect health information from unauthorised use[44], they clearly intended to prohibit the use of health information without the consent of the individual[45], and clearly intended to impose liability on an agency for such conduct[46]. And, “If a court can construe the words actually used by the Parliament to carry into effect the Parliamentary intention, it will do so notwithstanding that the specific construction is not the literal construction …”[47]
HPP 10(2)
WorkCover’s submission that HPP 10 (2) applied if it had used the information for a secondary purpose[48] is a whole new can of worms that will be dealt with in a later post.
Disclosure and Damages
These are topics for another day too.
[1]ALZ v WorkCover NSW [2014] NSWCATAD 49 (24 April 2014).
2] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015).
[3] ALZ v SafeWork NSW (No 2) [2016] NSWCATAD 121 (16 June 2016).
[4] ALZ v WorkCover NSW [2015] NSWCATAD 241 (3 November 2015).
[5] ALZ v SafeWork NSW (No 4) [2017] NSWCATAD 1 (4 January 2017), [41].
[6] Privacy and Personal Information Protection Act 1998, s55(2)(a).
[7] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015), the text of the notification is cited at [44].
[8] ALZ v SafeWork NSW (No 4) [2017] NSWCATAD 1 (4 January 2017), [16-18].
[9] ALZ v WorkCover NSW [2014] NSWCATAD 93 (8 July 2014), [125-131].
[10] ALZ v SafeWork NSW [2017] NSWCATAP 51 (9 March 2017), [82].
[11] IW v City of Perth [1997] HCA 30; 191 CLR 1; (1997) 94 LGERA 224; (1997) 146 ALR 696; (1997) 71 ALJR 943 (31 July 1997).
[12] ALZ v WorkCover NSW [2014] NSWCATAD 49 (24 April 2014), [80] and [102] respectively.
[13] ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122 (29 August 2014), [44].
[14] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015), [85].
[15] Leask Timber & Hardware Pty Ltd v Thorne [1961] HCA 73 (16 November 1961), Kitto J, [7].
[16] (It is common in privacy matters that persons whose privacy was interfered with and whose dignity, autonomy and self-worth was harmed do not trust the violater and attribute bad motives to the them.)
[17] Sepulveda v R [2006] NSWCCA 379 (29 November 2006), [18].
[18] The scope of the investigation was verified by WorkCover’s evidence.
[19] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015), [55].
[20] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015), [38].
[21] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015), [40].
[22] Truth About Motorways Pty Limited v Macquarie Infrastructure Investment Management Limited [2000] HCA 11(9 March 2000), [15].
[23] Cornwell v The Queen[2007] HCA 12 (22 March 2007), [193].
[24] ALZ v WorkCover NSW [2014] NSWCATAD 49 (24 April 2014), [76-80, 99-102].
[25] ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122 (29 August 2014), [44].
[26] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015), [60].
[27] Health Records and Information Privacy Act 2002, s9(a).
[28] Williams v Douglas [1949] HCA 40; (1949) 78 CLR 521, at [8].
[29] Western Australia v Ward Attorney-General (NT) v Ward Ningarmara v Northern Territory Ward v Crosswalk Pty Ltd [2002] HCA 28, at [478].
[30] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015), [85].
[31] Ibid. [98].
[32] “Reasonable in the circumstances” imports an objective test”, Bropho v Human Rights & Equal Opportunity Commission [2004] FCAFC 16, [66]; “What is reasonable depends on all the circumstances”, Electronic Industries Ltd v David Jones Ltd [1954] HCA 69; (1954) 91 CLR 288, at [8].
[33] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015), [97].
[34] Ibid. [92],[95].
[35] Ibid. [97].
[36] Ibid.
[37] Ainsworth and Anor v. Criminal Justice Commission (1992) 175 CLR 564 (9 April 1992), [27].
[38] Dasreef Pty Limited v Hawchar [2011] HCA 21 (22 June 2011), [56-59].
[39] ALZ v WorkCover NSW [2015] NSWCATAP 138 (10 July 2015), [99].
[40] Williams v Douglas [1949] HCA 40; (1949) 78 CLR 521, at [8].
[41] Lee v New South Wales Crime Commission [2013] HCA 39 (9 October 2013), [220].
[42] (Withheld consent is an opportunity for the organisation to demonstrate its respect for the individual’s right to privacy and its respect for the person’s human dignity and autonomy.)
[43] HPPs 3 and 4.
[44] HPP 5 (1)(c).
[45] HPP 10.
[46] HRIP Act, sections 11 and 21.
[47] R v Young [1999] NSWCCA 166 (7 July 1999), [15].
[48] ALZ v WorkCover NSW [2014] NSWCATAD 49 (24 April 2014), [149-151].