On 27 March 2014 the Federal Court of Australia decided a case in which it was necessary to form a view of the meaning of one of the National Privacy Principles. Since the National Privacy Principles came into force in December 2001 there have only been two cases in the Federal Court of Australia to consider the substance of the obligations imposed by any of those principles.[1] Now we have a third. It will be interesting to see whether, now that the Commissioner’s enforcement powers have been bolstered substantially, the rate of court cases involving compliance with the Australian Privacy Principles will increase.
The new case is Jones v Office of the Australian Information Commissioner [2014] FCA 285, a decision of Justice Greenwood.
Ms Jones had been a patient of Dr Lotz, a psychiatrist. In June 2011 Dr Lotz had provided a copy of his file on Ms Jones to officers of the Queensland Police Service after the police officers had served a search warrant on Dr Lotz in connection with the investigation of an offence of which Ms Jones was suspected to have committed. Ms Jones considered that the disclosure of her health information to the police constituted a breach of Dr Lotz’s obligations under National Privacy Principle[2], which regulates disclosures of personal information by organisations. Dr Lotz disagreed and Ms Jones complained to the Information Commissioner towards the end of 2011. Following an investigation, the Commissioner decided not to investigate further because he was satisfied that Dr Lotz’s conduct was not an interference with the privacy of Ms Jones. This decision was communicated to Ms Jones in a letter dated 21 December 2012. Ms Jones then applied to the Federal Court of Australia under the Administrative Decisions (Judicial Review) Act for a review of the Commissioner’s decision, arguing that the making of the Information Commissioner’s decision to cease further investigation of her complaint was an improper exercise of power and involved an error of law.
Unlike the applicants in most AD(JR) Act challenges to decisions made under the Privacy Act of the Information Commissioner or the Privacy Commissioner (whose cases have generally been dismissed emphatically)[3], Ms Jones was legally represented.
As the Court explained:
“The conjunction of s41(1)(a) of the Act and cl 2.1(h)(i) of the National Privacy Principles is that the Information Commissioner may decide (that is to say, exercise an administrative discretion) not to investigate further an act about which Ms Jones has made a s 36 complaint if the Information Commissioner is satisfied that Dr Lotz, in disclosing Ms Jones’s medical records in his possession, reasonably believed that the disclosure was reasonably necessary for the detection, investigation, prosecution or punishment of a criminal offence, breach of a law imposing a penalty or sanction, or breach of a prescribed law, by an enforcement body (in this case the Queensland Police Service).”
Ms Jones’s lawyer argued that the material before the Commissioner (obtained through the investigation conducted by the Commissioner’s office) did not:
- demonstrate that Dr Lotz identified the charge recited in the warrant;
- identify whether the medical records were relevant to the charge; nor
- identify, assuming the medical records were relevant to the charge, whether Dr Lotz was prepared to disclose those confidential medical records, regardless of those matters.
A further complication was that the address of Dr Lotz’s medical practice set out in the search warrant was incorrect (it set out the address of the general practitioner who had referred Ms Jones to Dr Lotz).
Justice Greenwood’s response to the argument put forward on behalf of Ms Jones was as follows:
“Dr Lotz was not required to form a view about the ultimate validity of the warrant or whether the mistaken premises address was fatal to the efficacy of the warrant. Dr Lotz was obliged, for the purposes of the Act, to form a reasonable belief that disclosure was reasonably necessary for the investigation, detection, prosecution or punishment of a criminal offence. In order to exercise the statutory discretion in s41(1)(a) of the Act, the delegate was required to be satisfied, acting reasonably, that the material demonstrated a reasonable belief held by Dr Lotz that disclosure was reasonably necessary for the investigation of a criminal offence.
I am entirely satisfied that there was a basis on the material before the delegate upon which the delegate could be satisfied, acting reasonably … that Dr Lotz held a reasonable belief that disclosure of Ms Jones’s medical records was reasonably necessary for the investigation of a criminal offence.”
In light of this finding, Justice Greenwood did not need to consider whether Dr Lotz’s disclosure might also have been permitted by NPP 2.1(g) on the basis that it was a disclosure required or authorised by law (which may have been tricky given the error in identifying Dr Lotz’s address).
The Court also considered NPP 2.2, which imposes an obligation to make a written note of disclosures made under NPP 2.1(h). This was a point which had not been raised with Dr Lotz nor with the Commissioner. Dr Lotz had not made such a note at the time of disclosure, but he had provided detailed information about the circumstances of the disclosure and the information disclosed in response to requests from the Office of the Information Commissioner as part of the investigation of Ms Jones’ complaint. The Court held that if the point had been drawn to the attention of the Commissioner, there was sufficient evidence before the Commissioner to reasonably decide that Dr Lotz had complied with NPP 2.2 within a reasonable period of making the disclosure.
[1] Seven Network (Operations) Limited v Media Entertainment and Arts Alliance [2004] FCA 637 (in which it was decided that there had been a breach of NPP 1 (the collection principle) but not NPP 2 (regarding disclosure) nor NPP 10 (regarding collection of sensitive information)) and Smallbone v NSW Bar Association [2011] FCA 1145 (in which it was decided that Mr Smallbone had a right under NPP 6 to access certain personal information held by the Bar Association about his application for appointment as a senior counsel).
[2] s 41(1)(a) Privacy Act
[3] See for example Riediger v Privacy Commissioner [1998] FCA 1742, Gao v Federal Privacy Commissioner [2002] FCA 823 and [2002] FCAFC 128, Budd v Privacy Commissioner [2005] FCA 1264 and numerous other applications made by Ms Budd, Rodolico v Privacy Commissioner [2006] FMCA 173, Wiltshire v Office of the Privacy Commissioner [2009] FMCA 661, Nicholson v Federal Privacy Commissioner & Anor [2010] FMCA 716, A v Australian Information Commissioner [2011] FCA 520, Wijayaweera v Australian Information Commissioner [2012] FCA 99, Hammond v Australian Information Commissioner [2013] FCA 802