Privacy Commissioner John Edwards has welcomed the findings of Michael Heron QC’s investigation into the recent COVID-19 patient privacy breach.
In early July, news media were leaked a confidential list of details concerning 18 active confirmed cases of COVID-19. The list included the names, dates of birth, ages and quarantine locations for each of the patients.
Mr Heron’s report found that the acting CEO of Auckland Rescue Helicopter Trust (ARHT), Michelle Boag, and National MP Hamish Walker were both responsible for the unauthorised disclosure of this sensitive personal information. The findings stated that the motivation for each disclosure was political.
Mr Heron consulted with the Office of the Privacy Commissioner (OPC) while the report was being compiled.
The Privacy Act 1993 and the Health Information Privacy Code 1994 are administered by OPC. Each protect the sanctity of personal and health information. Both pieces of legislation make allowances for disclosures of information where necessary to prevent or lessen a “serious threat” to public health.
Mr Heron’s findings questioned why highly sensitive health information was being distributed and was able to be shared by Ms Boag and Mr Walker with apparent ease.
“The State Services Commission has referred the report to my office to consider what further action, if any, under the Privacy Act is appropriate,” Mr Edwards said.
“I will consider this in light of a related inquiry I am currently undertaking into the distribution of COVID-19 health information.”
“The Privacy Commissioner has no ability to issue penalties against individuals or organisations and has no jurisdiction over Members of Parliament.”
“It remains open to any of the individuals whose information was subject to the Walker/Boag breaches to make complaints to my office.”