No business likes having a regulator publish the details of complaints made against it, much less any penalties imposed and remedial steps they’re required to take if those complaints are upheld. So, if there’s a way to avoid one common category of complaint in a given industry sector, especially one that doesn’t involve expensive IT fixes or alterations to the business plan, it surely makes sense to prioritise the action needed and reduce the risk.

Health sector

Health service providers are in the top five sectors that attract complaints made to the Office of the Australian Information Commissioner (OAIC). Under the Privacy Act 1988 (Privacy Act), health care providers are a broad category of organisations including:

  • Private hospitals and day procedure centres
  • Disability service providers where they handle health information
  • Assisted fertility or IVF clinics
  • Medical practitioners, dentists, pharmacists and allied health professionals
  • Gyms and weight loss clinics.

Small businesses that are health service providers are generally not exempt, though state or territory laws cover public hospitals.

Access complaints

According to the OAIC, it is complaints about failure to provide access to individuals’ personal information that top the list of issues raised by complainants.[1]

Under Australian Privacy Principle (APP) 12, APP entities that are holding personal information about an individual are required to give the individual, on request, access to the individual’s information, subject to specified exemptions or exceptions, such as where giving access would have an unreasonable impact on the privacy of other individuals, or the request for access is frivolous or vexatious. APP 12 also sets out other specific requirements, such as timing for response.

So, for health service providers, the simple way to avoid the most common privacy complaint to the OAIC is to ensure that client access requests are expertly handled. Deficient customer service complaint handling and a failure to understand or adequately meet access request obligations can place health service providers on the slippery slope to adverse findings by the OAIC, as the Spring Hill case that follows demonstrates.

Case study

‘AAS’ and Spring Hill Specialist Day Hospital (The Trustee for QFD Day Theatres Unit Trust) (Privacy) [2022] AICmr 11

This matter concerned a patient’s request for access to her Personal Information. The request related to investigation notes about an incident that occurred in a hospital reception area in November 2018 (investigation notes). This incident involved the complainant and staff of the hospital where the patient was attending for surgery. The respondent commenced an investigation of the incident on the day it occurred.

In early December 2018, the complainant made a customer service complaint to the respondent about the incident.

In mid-December, the complainant requested access to her Personal Information contained in the investigation notes. The following day, the respondent provided the complainant with a summary of the investigation and a summary of the Personal Information contained in its investigation notes.

In an access decision provided in mid-January 2019, the respondent explained that its reasons for refusing to provide access to the Personal Information requested were two-fold:

  1. provision would have an unreasonable impact on the privacy of other individuals, and
  2. there was not a reasonable alternative means to provide access that would satisfy both parties.

On 30 January 2019, the complainant made a privacy complaint to the Commissioner under s 36 of the Privacy Act. Subsequently, some documents (medical records) containing redactions were provided to her. The complainant was not satisfied by this measure, and the OAIC considered that conciliation was unlikely to resolve the complainant’s grievance.

Following investigation, in late February 2022 the Commissioner found:

  1. The complaint is substantiated.
  2. The respondent has breached APP 12.1 by refusing to give access to the Personal Information in response to the complainant’s access request.
  3. The respondent has breached APP 12.5 by failing to take reasonable steps to give access by alternative means.

The Commissioner’s Declarations required the respondent not to repeat or continue such conduct, and to certify in writing to the respondent, within seven days, whether all documents containing the Personal Information held by the respondent at the time the access request was made had been provided. It was also proposed that this certification be signed by ‘an officer of senior rank of the respondent’.

Significantly, the Commissioner drew attention to the missed opportunities evident in the handling of this complaint, stating:

Privacy complaint handling processes and investigations can take some time … despite opportunity throughout early resolution, investigation and determinations processes, the respondent has not satisfied me that the exceptions it relied upon to refuse access applied to the Personal Information. (para 87)

Key takeaways

  1. Customer service complaints to providers can escalate quickly to involve regulators such as the OAIC.
  2. Whilst large penalties for breaches of privacy capture the headlines,[2] often involving tech giants with millions of customers, the actions of smaller businesses in relation to individuals’ personal information generate the most complaints to the OAIC.
  3. For health service providers, the simple way to avoid the most common privacy complaint to the OAIC is to ensure that client access requests are expertly handled, in order to avoid adverse client experiences and poor publicity for their organisations, together with the distraction and cost involved in dealing with a regulator’s investigation.

If you would like help reviewing your data handling practices and policies, or your approach to handling access requests, or you are interested in knowing what the above decision means for your business, please contact Deidre Missingham.

This article is not intended to constitute, and should not be treated as, legal advice.

[1] https://www.oaic.gov.au/privacy/privacy-decisions/privacy-complaint-outcomes#:~:text=The%20OAIC%20provides%20a%20complaints,1988%20and%20other%20relevant%20laws.

[2] Most recently, the Federal Court’s imposition in August 2022 of a $60 million fine on Google in respect of the Australian Competition & Consumer Commission’s successful claim that Google misled some consumers about the collection and use of their personal location data on Android phones over a two-year period. (Australian Competition and Consumer Commission v Google LLC (No 4) [2022] FCA 942.)

This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please also note that the law may have changed since the date of this article.