The Office of the Privacy Commissioner (OPC) has shown its willingness to use its Naming Policy in publicly naming a health care provider for consistently ignoring its obligations to report a privacy breach.

In a legislative environment with only low fines for breaching the Privacy Act, ‘naming and shaming’ organisations continues to be a mechanism deployed by the OPC to deter non-compliance with the Act.

What happened?

A representative of a resident living at a facility operated by Ultimate Care Group Limited complained after Ultimate Care withheld health information that the resident had requested under the Health Act. Organisations holding health information must usually provide it to the person the information relates to, or their representative or service provider under section 22F of the Health Act.

The representative had previously raised concerns about the resident's care to Ultimate Care and the Capital and Coast District Health Board. The Health Board conducted an audit in August 2021, during which Ultimate Care discovered that important documents related to the resident's care were missing. The audit concluded that this was a potential privacy breach if confidential information was not stored securely.

In December 2021, the Health Board recommended Ultimate Care to, amongst other things, report the missing documents as a privacy breach. A follow-up audit in 2022 showed no notification to the Privacy Commissioner regarding the issue.

The representative made a further complaint to the Health and Disability Commissioner (HDC), based on the audit's findings. In October 2023, the HDC recommended that Ultimate Care report the loss of the resident's records to the Privacy Commissioner, with confirmation due within three weeks.

In October 2023, Ultimate Care formally notified the OPC of the privacy breach, being the loss of the resident's clinical file. This was almost two years after the Health Board’s recommendations.

Privacy Commissioner’s response

The OPC found that the two year notification delay was “seriously concerning”, remarking on the following issues:

  1. Section 114 of the Privacy Act requires agencies to notify the OPC “as soon as practicable after becoming aware that a notifiable privacy breach has occurred.”
  2. Ultimate Care’s poor document management systems led to losing the resident’s file.
  3. Ultimate Care’s poor privacy capability and related breach management process, meant that Ultimate Care did not identify the breach as notifiable, and then failed to notify the OPC after the Health Board recommended it do so.

Our comment

While the Privacy Act lacks a comprehensive civil penalty regime (leading the Commissioner to call for greater enforcement powers, see our report here), a failure to notify a privacy breach is punishable by a fine of up to $10,000.

In this case, the OPC chose not to impose a financial penalty, recognising Ultimate Care’s productive engagement with the OPC and Ultimate Care’s actions to strengthen its privacy policies and procedures, and raise privacy awareness. These actions included providing staff training and implementing a privacy breach management plan, as well as adopting an electronic document management system.  

Despite these mitigating factors, the OPC nevertheless decided to publicly name Ultimate Care, with the intention of highlighting the importance of compliance with the Act. This can be seen as being for the benefit of not only Ultimate Care, but also for all organisations that hold personal information - and of course the individuals to whom the information relates.

The case highlights the discretion available to the OPC when deciding how to penalise organisations that fail to notify privacy breaches. It also reflects that “naming and shaming” non-compliant organisations is a useful, low-cost enforcement tool. Organisations should be aware that failure to meet privacy obligations may have reputational, as well as financial consequences.

Get in touch

If you have any questions about your organisation’s notification obligations or privacy and data obligations generally, please contact one of our experts.

Special thanks to Avary Patutama for her assistance in writing this article.

Contacts

Anita Birkinshaw
Jania Baigent
Karen Ngan
Michelle Dunlop
Sally McKechnie

Related Articles

15/10/2024·4 mins to read

Workplace use of GenAI breaches privacy laws

Artificial intelligencePrivacy Act and data protection
9/10/2024·2 mins to read

Biometrics Privacy Code - facing up to an uncertain future

Privacy Act and data protection
4/10/2024·4 mins to read

AI Regulation: NZ walks a tightrope

Artificial intelligenceDigital & new technologiesPrivacy Act and data protection
1/08/2024·3 mins to read

The Crowd Strikes back: Preparing your business for IT incidents

Privacy Act and data protectionDigital & new technologiesCyber security
19/07/2024·3 mins to read

Advancing a Consumer Data Right - the Customer and Product Data Bill

Privacy Act and data protectionDigital & new technologies