Home | Databases | WorldLII | Search | Feedback New Zealand Law Students' Journal

Beattie, Samantha --- "Privacy and patient rights: does New Zealand need a right to informational privacy in the Code of Health and Disability Services Consumers' Rights" [2013] NZLawStuJl 6; (2013) 3 NZLSJ 88

Last Updated: 29 May 2014

PRIVACY AND PATIENT RIGHTS: DOES NEW ZEALAND NEED A RIGHT TO INFORMATIONAL PRIVACY IN THE CODE OF HEALTH AND DISABILITY SERVICES CONSUMERS’ RIGHTS?

SAMANTHA BEATTIE

Introduction

In his 2009 Review of the Code of Health and Disability Services Consumers’ Rights (“the Code”), the incumbent Health and Disability Commissioner (“HDC”), Ron Paterson, argued the restricted definition of privacy in the Code should be removed. He believed the HDC should have jurisdiction to hear all privacy complaints. The present state of the law enables the HDC to hear complaints relating only to breaches of spatial privacy whilst issues relating to information privacy are dealt with by the Privacy Commissioner (“PC”) under the Privacy Act, and the Health Information Privacy Code (“HIPC”). Paterson’s key concern was that the split complaints system was detrimental to

healthcare consumers’ ability to seek redress when their privacy was

LLB/BA (University of Auckland). I would like to thank Ron Patterson, Joanna Manning and Stephen Penk for inspiring my passion for health care and privacy law through their elective courses. I would also like to thank Lillian Beattie for the many hours she has spent proof reading and editing this work.

breached. Given there is a comprehensive set of statutory rules in relation to health privacy, as well as common law causes of action, there does not appear to be a lack of remedial avenues for patients who have suffered. Perhaps then the issue is more one of lack of consumer ease than lack of consumer opportunity.

Aside from considering the effect on consumers, the broader consequences of including a right to privacy in the Code should also be contemplated. It is notable that the legislature has been reluctant to enact a general right to privacy in any area of the law. Perhaps then to include a right to privacy in the Code would undermine Parliament’s seemingly deliberate omissions. Any inclusion of a broad right to privacy could create further trouble as there is a wide range of statutory provisions granting express permission for privacy and confidentiality to be breached. A right to privacy may make it harder to justify such breaches. Finally, the Code differs from both the common law and legislation in that no harm needs to be suffered in order to make a claim. While this may be positive at times, it could also have some undesirable effects. For example, it could expose the HDC to an increase in frivolous assertions, or cause the Office to be considered a backdoor way for claimants, who would ordinarily be unsuccessful, to triumph. This article will examine the question of whether an unrestricted right to privacy should be included in the Code. In weighing up the effects for consumers with the implications that it could have for the two Offices and the law in a broader context, I find that the balance falls on the side of not inserting an all-encompassing right to privacy in the Code.

A. Summary of the 2009 Review of the Code of Health and

Disability Services Consumers’ Rights

Currently the Code provides a right to privacy.¹ Right 1(2) states a consumer has “the right to have his or her privacy respected”² and thus many consumers may believe the HDC has jurisdiction to hear an array of privacy complaints. This right is, however, extremely constrained. Both the Code³ and the Health and Disability Commissioner Act 1994 provide that only privacy issues other than those dealt with under the Privacy Act or HIPC are covered.⁴ This essentially denotes that only matters of spatial privacy, such as providing patients with adequate facilities to get changed in, and not information privacy, that is disclosure of private or confidential information, are covered by the Code.⁵ Dialogues regarding the Code make many references to confidentiality, and thus both privacy and confidentiality will be considered concurrently throughout this article.

Ron Paterson, during his evaluation of the Code in 2008 and 2009, strongly advocated for this right to privacy to be expanded. He noted in the HDC Consultation Document there was some scope for the HDC to deal with informational privacy claims via a liberal interpretation of Right 4(2) regarding legal, professional and ethical standards, or if the

privacy issue was only a minor part of the broader complaint. However,

1. The Code is a Schedule to the Health and Disability Commissioner (Code of Health and Disability Services Consumers' Rights) Regulations 1996.

^{2 At cl 2.}

³ At cl 4.

⁴ Health and Disability Commissioner Act 1994, s 20(1)(c).

⁵ Rosemary Tobin “Healthcare and Privacy Law” in Stephen Penk and

Rosemary Tobin (eds) Privacy Law in New Zealand (Brookers, Wellington,

2010) 161 at 162.

this was not particularly practical and thwarted the deliberately narrow definition of privacy in the HDC legislation.⁶ Paterson also found other issues arising from the narrow definition. He argued splitting claims between the HDC and the PC was detrimental to the complainant as the issue could not be seen in its entirety.⁷ The division also resulted in repetition of process, and incurred unnecessary time and expense.⁸

^{Furthermore practitioners in breach of their ethical duty of}

confidentiality could not be held liable under the Code and thus by the Director of Proceedings’ process before the Health Practitioners Disciplinary Tribunal.⁹ As a solution to these concerns he proposed the definition of privacy in the Code and Act be removed to allow the HDC to hear information privacy claims.¹⁰ He did not recommend the removal of the PC’s jurisdiction, but rather that the two Offices have joint jurisdiction so privacy claims could be dealt with by the more appropriate agency.¹¹ Paterson alluded to the fact that the HDC currently shared jurisdiction with the Chief Human Rights Commissioner (CHRC) in regard to the right to be free from

discrimination and this had proved effective.¹²

⁶ Ron Paterson HDC Consultation Document: Review of the Health and Disability Commissioner Act 1994 and the Code of Health and Disability Services Consumers’ Rights: A Resource for Public Consultation (November 2008) at 47.

^{7 Ron Paterson, A Review of the Health and Disability Commissioner Act}

1994 and the Code of Health and Disability Services Consumers’ Right s

(Report to the Minister of Health June 2009) at 14.

⁸ At 14.

⁹ Paterson, above n 6, at 13.

¹⁰ Paterson, above n 7, at 4.

¹¹ Paterson, above n 6, at 47.

¹² At 47.

B. Why are Privacy and Confidentiality So Important in the

Medical Context?

Paterson advocates an inclusion of a general right to privacy because “the right to privacy is integral to the quality of health and disability services and the rights of health and disability service consumers.”¹³

Confidentiality is a concept long recognised in medical practice. This is perhaps due to its appearance in the Hippocratic Oath circa 500 BC, one of the first ethical codes in medicine.¹⁴ The inclusion of confidentiality can be justified by appealing to philosophical reasoning. From a teleological or consequentialist point of view, it is thought that if private information is kept confidential then patients are more likely to disclose everything that a doctor needs to know in order to make an accurate diagnosis and provide the right treatment. If they are fearful that personal, and at times embarrassing, information will be shared then they will be discouraged from seeking care.¹⁵ A deontological perspective advocates for confidentiality on the basis that it sustains patient autonomy and fosters one’s dignity and freedom.¹⁶

In the New Zealand context, the deontological perspective is of particular importance. The whole rationale behind codifying patient rights developed out of the reforms in the healthcare system following

¹³ Paterson, above n 7, at 13-14.

¹⁴ Peter de Cruz Comparative Health Care Law (Cavendish, London, 2000) at

47.

¹⁵ Emily Jackson Medical Law: Texts, Cases and Material (Oxford University

Press, Oxford, 2006) at 315.

¹⁶ At 315.

the Cervical Cancer Inquiry and the Cartwright report in the 1980s.¹⁷

This investigation revealed experimental research on patients was occurring without patient consent.¹⁸ Having such atrocities brought to light fostered demands for patient autonomy and a need for the traditional paternalistic approach of healthcare professionals to change.¹⁹ Thus while respecting patient privacy had always been central to medicine in order for practitioners to perform their job to the best of their ability, it is now also recognised as a key means of upholding patient dignity and independence. In principle, then, privacy is extremely important.

C. For and Against an Unrestricted Right to Privacy

1. Current Remedies for Breaches of Consumer Privacy and

Confidence

The first question in deciding whether there should be a right to privacy included in the Code is whether the remedies currently available to patients are adequate in helping address claims.

(1) The code

The process the HDC Office must take is set out under the Health and

Disability Commissioner Act.²⁰ If, after an initial assessment,²¹ the claim

¹⁷ Ron Paterson “Patient Rights in New Zealand: A Tool for Quality Improvement?” (paper presented to Third National Health Care Complaints Conference, Melbourne, March 2001).

¹⁸ Charlotte Paul “The New Zealand Cervical Cancer Study: Could it

Happen Again?” (1988) 297 BMJ 533 at 533.

¹⁹ Paterson, above n 17.

²⁰ Health and Disability Commissioner Act 1994.

²¹ Section 33.

is passed on to the HDC, the HDC has a range of options before them,²² including the power to investigate.²³ The consequences of an investigation where there is a breach finding will usually result in the practitioner being asked to apologise to the claimant or to review their practice so that a similar event does not reoccur.²⁴ If the breach is sufficiently serious the decision can be forwarded to the Director of Proceedings²⁵ who can then refer the matter to the relevant disciplinary tribunal,²⁶ or to the Human Rights Review Tribunal²⁷ where damages are sometimes awarded to the aggrieved claimant.

The Code does contain a right to privacy and, if the breach covers spatial privacy, it can provide an effective avenue for redress. Opinion

96HDC2314 was a situation where a woman was not given the opportunity to remove her clothing behind a screen. This was found to be a breach of Right 1(2) and an apology from the doctor to the patient was demanded.²⁸

There are instances where the HDC will deal with information privacy rights via a broad interpretation of the Code. This can be achieved using Right 4(2): the right to have services provided that comply with the various relevant standards, including legal and ethical standards.²⁹

The HIPC is a legal standard dealing with health information

²² Sections 34-40.

²³ Section 40.

²⁴ Section 45(2)(a).

²⁵ Section 45(2)(f).

²⁶ Section 45(2)(f)(i).

²⁷ Section 45(2)(f)(ii).

²⁸ Health and Disability Commissioner Report on Opinion - Case 96HDC2314

(8 December 1997).

²⁹ Above n 1, at cl 2.

disclosure,³⁰ and there are a number of ethical codes, such as the New Zealand Medical Association’s Code of Ethics which include in its principles respect for a patient’s private information.³¹ In Opinion

01HDC03691 the HDC found a doctor liable for breaching Right 4(2) due to his unethical treatment of patient information. Dr B disclosed to Dr A that his patient had gonorrhoea. When the patient’s wife visited Dr A, Dr A was aware of the circumstances and proceeded to act in a paternalistic matter to protect the wife from the truth. Dr B disclosed the private information to Dr A before trying to persuade his patient to make the disclosure himself. This was considered both a breach of HIPC Rule 11 and the doctor’s ethical duties. Both doctors were ordered to apologise, review their practice and the matter was sent to the Director of Proceedings.³² This avenue is extremely rare however and when there is an obvious information privacy issue, complaints will be sent to the PC.

Using the Code is a quick, cost-effective way to solve complaints. However, despite some discretion, it is not the best place for consumers with grievances stemming from information privacy breaches to go for resolution. The problem is that the existence of an organisation which deals specifically with the rights of health and disability consumers, and includes in its Code a right to privacy, may

cause a number of patients to try this avenue of redress first.

³⁰ Health Information Privacy Code 1994, r 11.

³¹ New Zealand Medical Association Code of Ethics for the New Zealand Medical

Profession (New Zealand Medical Association, Wellington, 2008) at 5.

³² Health and Disability Commissioner Report on Opinion – Case

01HDC03691(2002).

(2) The HIPC

When a complaint reaches the PC they may take action if there has been a breach of the HIPC and if this breach has caused, or may cause, some form of harm, whether it be loss, injury, adverse effects on rights or interests, or damage to feelings or dignity.³³ Thus the threshold for finding a breach is higher than under the Code. The PC has an advisory role. If a breach is found, the PC can make recommendations or, if the complaint is sufficiently serious, refer the issue to the Director of Human Rights Proceedings, who then has the option to issue proceedings before the Human Rights Review Tribunal.³⁴ The Tribunal has authority to award remedies including damages and costs.³⁵

Issues regarding health information disclosure are dealt with under Rule

11 of the HIPC whereby health information must not be disclosed unless it fits within one of the exceptions listed.³⁶ Both the Privacy Act and the HIPC are generally silent as to the status of these rules. While some of the literature has discussed the HIPC as establishing rights,³⁷ there is in fact no codified right to privacy regarding disclosure.³⁸ The

PC takes issues relating to disclosure of medical information very

³³ Tim McBride “NZ’s Privacy Act 1993 Part II” (1994) 1 PLPR 15 at 15.

³⁴ Kathryn Dalziel and Sue Johnson “Health Information” in Rebeccan

Keenan (ed) Health Care and the Law (4th ed, Brookers, Wellington, 2010)

200 at 239.

³⁵ At 239.

³⁶ Above n 30, r11(1).

³⁷ Tobin, above n 5, at 165;; John Dawson “Health Information Law: General Principles” in PDG Skegg and Ron Paterson (eds) Medical Law in New Zealand (Brookers, Wellington, 2006) 257 at 257-258.

^{38 Only Information Privacy Principle 6 is considered to be enforceable as a}

right under s 11 of the Privacy Act 1993.

seriously however and has stated that “professional confidence should

only be breached in the most exceptional circumstances”.³⁹

As with the Code, the HIPC is an inexpensive and fast way to deal with privacy breaches. However, the fact of a higher threshold for a breach finding may mean claimants who have had their privacy breached, but do not suffer any significant harm as a result, will not have their objections considered. Also as non-disclosure of private information is not a right, a privacy claim will be given less weight when competing rights, such as the public’s right to know, come into play.⁴⁰ Nor is there a mechanism in place to have the provider placed before the disciplinary committee and thus the consequences of breaching privacy for a practitioner may not be as serious.

(3) Common law

Aside from a few exceptional circumstances, breaches of the privacy rules under the Privacy Act cannot be heard in the courts.⁴¹ The implementation of these rules however does not remove a consumer’s ability to take civil action.⁴² Therefore the common law works alongside the statutory provisions to provide another forum for disgruntled patients to air their concerns about privacy breaches.⁴³ Depending on the circumstances, an action can be brought in equity or in tort. Despite

some overlap between the two actions, in New Zealand breach of

³⁹ Case note 2049 [1996] NZPrivCmr 7.

⁴⁰ Brooker v Police [2007] NZSC 30, [2007] 3 NZLR 91 at [210].

⁴¹ Dalzeil and Johnson, above n 34, at 239.

⁴² Ron Paterson “Health Care Law” (1996) 3 NZ L Rev 286 at 287.

⁴³ John Dawson “Common Law Principles Concerning Confidentiality, Privacy and Disclosure” in PDG Skegg and Ron Paterson (eds) Medical Law in New Zealand (Brookers, Wellington, 2006) 325 at 325.

confidence and the tort of unwarranted disclosure of private facts remain separate causes of action.⁴⁴

(a) Breach of confidence

Lord Keith in AG v Guardian Newspapers (No 2) has stated “[a relationship of confidentiality] can also arise as a necessary or traditional incident of a relationship between the confidant and the confider, such as priest and penitent, doctor and patient”.⁴⁵ This is also the position in New Zealand where in Duncan v Medical Practitioners Disciplinary Committee a GP was found guilty of professional misconduct for a breach of confidence.⁴⁶ The GP warned his patient’s passengers and the police that his patient had just undergone a triple coronary artery bypass graft operation and thus he felt it was unsafe for the man to be driving. It was noted that while sometimes public interest may justify a breach of confidence, it should be ensured that disclosure is made only to the relevant authority.⁴⁷

A breach of confidence can be established when the information disclosed has the “necessary quality of confidence about it”, is imparted in “circumstances importing an obligation of confidence”, and when there is an “unauthorised use of that information.”⁴⁸ It is likely most patients will consider their information is confidential when it is

provided for a special purpose, such as to get treatment, with the

⁴⁴ Hosking v Runting [2004] NZCA 34; [2005] 1 NZLR 1(CA) at [45].

45. Attorney General v Guardian Newspapers (No 2) [1988] UKHL 6; [1988] 2 WLR 805 (CA) at 867.

^{46 Preliminary Proceedings Committee of the Medical Council of New Zealand v}

Duncan [1986] NZCA 465; [1986] 1 NZLR 513 (CA).

⁴⁷ At 518.

⁴⁸ Coco v AN Clark (Engineers) Ltd [1969] RPC 41 (Ch) at 47.

recognition that it will not be disclosed without consent, and when the information is not already within the public arena.⁴⁹ Furthermore it must be shown that economic or emotional harm has been sustained due to the breach.⁵⁰ The remedies available are delivery of personal documents, account of profits, injunction to prevent a potential or continuing breach and damages.⁵¹

(b) The tort of unwarranted disclosure of private facts

In most instances of a provider-patient relationship breach of confidence will be the preferable route to take. However, the tort of unwarranted disclosure of private facts may provide a claimant with another cause of action. In P v D the plaintiff sought an injunction to prevent the publication of information regarding treatment received at a psychiatric hospital. While they stated such information could only have been obtained due to a breach of confidence, there was not enough evidence to prove this and so they proceeded on the basis that publication would breach their privacy.⁵² To establish a breach of privacy, there must be public disclosure of private facts that would be highly offensive and objectionable to the reasonable person.⁵³ As with breach of confidence, harm must be suffered.⁵⁴ The remedies available to a successful plaintiff are damages and injunction preventing the

publication of the objectionable material.⁵⁵

⁴⁹ Dawson, above n 43, at 328.

⁵⁰ At 329.

⁵¹ At 329.

⁵² P v D & Independent New Auckland Ltd [2000] 2 NZLR 591 (HC).

⁵³ Hosking v Runting, above n 44, at [259].

⁵⁴ Dawson, above n 43, at 333.

⁵⁵ At 333.

Both these common law avenues are more time-consuming and expensive than using the statutory regimes. This is especially true for the plaintiff if the defendant can adequately defend disclosure. In R v Matthews a patient told his doctor he had been sexually involved with a child. The Court held that while the doctor did have a duty of confidence to his patient, his duty to tell the police about the incident so as to prevent imminent and serious threat of harm outweighed it.⁵⁶ If a claimant is successful, however, the remedies may be greater.

(4) Are the remedies adequate?

In reviewing the available remedies for breaches of privacy, it would appear all bases are covered. The Code allows an avenue of redress when a consumer feels their spatial privacy has been interfered with. The HIPC and two common law causes of action can provide remedies when confidential or private information is, or is going to be, shared without legitimate justification. The key issue in terms of having an avenue for complaint is perhaps that the threshold for finding a breach is higher in the HIPC and common law compared with the Code.

In 2005 Helen A Malcom conducted a study where patients discussed their perceptions of privacy in shared hospital rooms.⁵⁷ One of the findings was that while patients were satisfied that their spatial privacy was respected by means of screens or curtains, they found that their personal medical information could be overheard by, and thus disclosed to, others in the room; this frequently made them uncomfortable.⁵⁸ The

correct place to complain in this instance would be to the PC as there

⁵⁶ R v Matthews CA370/03, 8 March 2004.

⁵⁷ Helen A Malcom “Does Privacy Matter? Former Patients Discuss their

Perceptions of Privacy in Shared Hospital Rooms” (2005) 12 Nurs Ethics

156.

⁵⁸ At 160.

has been disclosure to others and without justification or their consent. It seems though that as no sufficient harm had been suffered it is unlikely they would receive a remedy.

Some participants stated that in certain instances the discomfort could escalate to severe stress, especially if the illness being discussed was serious. This would likely be covered by the HIPC.⁵⁹ If the Code were to cover informational privacy the HDC would be at liberty to find a breach, as a right simply needs to have been interfered with.⁶⁰ To include a right to privacy in the Code would therefore cater to those who have had their informational privacy breached but have not suffered sufficient harm so as to be provided with redress under the HIPC.

D. The Purpose of the Code

The second point to consider is how the restricted definition of privacy fits in with the purpose of the HDC Act and Code. As set out in the Act the objective is to “promote and protect the rights of health consumers and disability services consumers, and, to that end, to facilitate the fair, simple, speedy, and efficient resolution of complaints relating to infringements of those rights.”⁶¹ This reflects the importance of the patient’s perspective.

A split system hinders rather than achieves this purpose. In the Code the rights conferred on consumers impose parallel duties on healthcare

⁵⁹ At 160.

⁶⁰ Above n 4, s 45(1)(a).

⁶¹ Section 6.

providers.⁶² The fact that information privacy is excluded from the Code seems to imply there is no obligation under the Code for providers to respect consumer’s informational privacy. This may not be clear to consumers, especially as there is often considerable ignorance as to the relevant legislation.⁶³ Arguably many patients without comprehensive understanding of statutory interpretation will simply look at the rights provided in the Code. They will make their complaint without looking to Clause 4 that states the right to privacy is subject to Parts VII, VIII and X of the Privacy Act.⁶⁴ Even if a consumer was to consider Clause 4, to then have to negotiate their way around the Privacy Act further encumbers their ability to easily express their grievances.

Australia has faced similar issues in that there are a “patchwork of laws” designed to protect health consumer privacy.⁶⁵ The Federal Privacy Commissioner has noted that having multiple pieces of legislation covering similar issues “may result in consumers not knowing where they should go to resolve issues about the privacy of their health information.”⁶⁶ Indeed, in New Zealand, 154 claims to the HDC in

^{2011 had to be referred to other agencies.67 No doubt a number of}

these claims were in relation to breaches of confidentiality or privacy. Consequently, several discontented consumers would have had a longer wait than they would have thought necessary to resolve their issues.

⁶² Above n 1, cl 1.

⁶³ Malcom, above n 57, at 158.

⁶⁴ Above n 1, cl 4.

⁶⁵ Jasime McInnes “Health Privacy Legislation – A Patchwork of Laws”

(2004) 1Privacy Law Bulletin 87.

⁶⁶ McInnes, above n 65.

67. Health and Disability Commissioner Learning from complaints: Annual Report for the year ended 30 June 2011(3 October 2011) at 8.

Paterson believes having a “one-stop shop” approach would be significantly more convenient for patients.⁶⁸ The Nursing Council of New Zealand agrees, and further argues it would “[allow] for low level resolution or disciplinary action to be taken where appropriate.”⁶⁹ Such action would help foster a culture whereby healthcare practitioners consider the patient’s perspective before acting.

The PC on the other hand remains opposed to the inclusion of an unrestricted right to privacy in the Code. Her key concern is that compressing the HIPC into a single right in the Code would result in greater misunderstanding by consumers.⁷⁰ Certainly this has again been an issue faced in Australia whereby having multiple pieces of legislation and agencies to provide remedies to deal with privacy claims has resulted in inconsistencies as to how privacy issues are dealt with.⁷¹ The Federation of Women’s Health Council Aotearoa has anticipated that discrepancies may start to appear, stating they would rather have information privacy dealt with under the jurisdiction of the PC “as relevant understanding and expertise has been developed within that office.”⁷²

To combat this problem a removal of the restricted definition of privacy in the Code could be replaced by inclusion of a more complex set of clarifications to encompass the various exceptions to the

entitlement to have healthcare information kept private and

⁶⁸ Paterson, above n 7, at 14.

⁶⁹ At 13.

⁷⁰ At 13.

⁷¹ McInnes, above n 65, at 87.

⁷² Paterson, above n 7, at 13.

confidential. However, given the accessible way in which the Code is written, complex clauses would be detrimental to the Code’s standing as a consumer-friendly system.

Including an unrestricted right to privacy could significantly increase

the HDC’s workload. In 2011 the HDC received 1,405 complaints.⁷³

The PC received 968, of which 185 related to the HIPC.⁷⁴ It would thus appear unnecessary to disperse the privacy claims between the two agencies, as the PC does not receive as many complaints as the HDC. Increasing the HDC’s workload could further delay claims from being resolved in a fast and efficient manner.

The arguments in favour of upholding the status quo are compelling. However, most qualms are countered by the fact that Paterson wishes the two jurisdictions to coordinate and work together. He remarks that often privacy claims brought to the HDC contain issues about other aspects of the Code and thus it makes sense for the HDC to hear the complaint in its totality in order to combat broader issues, especially in relation to the quality of services.⁷⁵ In terms of extra workload, the HDC would not be taking all the PC’s HIPC complaints and thus the work would be fairly distributed.

E. Privacy Expressed as a Right

The Code is a code of rights. A right in law holds significant weight. Despite public perception that privacy is a fundamental human right,⁷⁶

⁷³ Health and Disability Commissioner, above n 67, at 7.

74. Privacy Commissioner Annual Report of the Privacy Commissioner for the year ended 30 June 2011 (November 2011) at 26.

^{75 Paterson, above n 6, at 47.}

⁷⁶ Malcom, above n 57, at 157.

in New Zealand the legislature appears to have been careful not to include a right to privacy in any domestic legislation. Most notably, there is no right to privacy in the New Zealand Bill of Rights Act 1990. Indeed in that Act’s White Paper there was debate surrounding this issue. In the end it was decided the scope and development of privacy was too uncertain for inclusion.⁷⁷ In the HIPC there is no absolute right to privacy as an individual does not have a general right to veto disclosure of their health information.⁷⁸ Perhaps this lack of status is because, while considerable importance is placed on maintaining patient confidentiality, the justifications for disclosure in certain situations are seen as more important. Such justifications for disclosing health information under the HIPC include when there is an imminent and serious threat to public safety,⁷⁹ and when the information is needed in court or tribunal proceedings.⁸⁰

If privacy is not given the status of a right then it is less significant, and is able to be more easily outweighed by other interests that are rights or freedoms.⁸¹ Additionally, there are several other pieces of legislation that make provision for the disclosure of information without consent.⁸² To include a right to privacy in the Code could thus undermine the structures of current legislation. Furthermore, privacy claims may more readily be made to the HDC over the PC as the

stronger language may lead to it being seen as the more successful

⁷⁷ Geoffrey Palmer “A Bill of Rights for New Zealand: A White Paper”

[1984-1985] I AJHR A6 at [10.144].

⁷⁸ Above n 30, r 11(2).

⁷⁹ Rule 11(2)(d)(i).

⁸⁰ Rule 11(2)(i)(i)-(ii).

⁸¹ Brooker v Police, above n 40, at [210].

82. See generally: Health Act 1956, s 22C; Tuberculosis Act 1948, s 3; Venereal Diseases Regulations 1982, r 7.

route. This could have the effect of both undermining the Office of the PC and seeing a dramatic increase in complaints to the HDC as consumers may believe such a right overrules other statutory provisions.

Giving privacy the status of a right could also be seen as focusing too much on patient autonomy and having a chilling effect on beneficial dialogue between healthcare professionals. Ross Boswell accepts patient information brings with it obligations of confidentiality.⁸³ However, such obligations are seen by providers as a duty to contain the information within the medical community.

The legal perspective is stricter. Informal discussions about unique cases are seen as acceptable in the healthcare provider arena, but under the HIPC are discouraged. Only discussions that provide a direct benefit to the patient are permissible. Boswell believes the law as it stands is already overly strict and can be detrimental both to the patient and to the education of other medical professionals.⁸⁴ To include an unrestricted right to privacy in the Code could thus be seen as further preventing practitioners from being able to disclose patient information to one another for instructive reasons. If patients became aware of such discussions the practitioner may find themselves subject to a complaint, despite having the patient’s, and wider community’s, best interests at heart.

While removing the restricted definition in the Code may appear to advance the status of privacy, there are a number of limitations

provided in the Code. The first is the wording of the right. The right to

⁸³ Ross Boswell “Privacy Issues and Medical Practice” (Speech to the

Privacy Issues Forum, Wellington, 30 March 2006).

⁸⁴ Boswell, above n 83.

privacy falls under the broader right of the right to respect, and Paterson’s amendment is worded as “the right to have services provided in a manner that respects the privacy of the individual.”⁸⁵

Thus, the right to privacy is clearly a qualified one; it is only to be in relation to the provision of healthcare services. A provider is not in breach of the Code if they take all reasonable actions in the circumstances to give effect to the patient’s rights and their duties. While the burden is on the provider to prove this, it gives them an opportunity to demonstrate they were justified in disclosing the private information.⁸⁶ The Code also makes reference to other enactments, stating that nothing in the Code shall prevent a provider from performing their duties or obligations imposed by other enactments.⁸⁷

^{This will prevent other legislation from taking a subordinate position to}

the Code. In relation to a right to privacy not being included in the New Zealand Bill of Rights Act, an existing right is not restricted simply by its exclusion from the Act.⁸⁸ Nor have a number of the other rights in the Code been included in the New Zealand Bill of Rights Act, and this has not proved to be an issue.

The inclusion of privacy as a right in the Code would not undermine other legislation. The Code is clear it is subordinate to other rights and obligations, imposed by law, on providers. Such apprehension stems from the fact that privacy as a right has been the subject of much discussion at both the parliamentary and judicial level. However, that the right is qualified and contextualised should immediately clarify any

concerns.

⁸⁵ Paterson, above n 7, at 4.

⁸⁶ Above n 1, cl 3.

⁸⁷ At cl 5.

⁸⁸ New Zealand Bill of Rights Act 1990, s 28.

The biggest problem with including a right to privacy is that it would be inconsistent with the HIPC, which does not discuss its rules as rights. Given that a right has greater weight, it could undermine the PC’s role. It should be noted that Paterson has used the example of joint jurisdiction with the CHRC as an example of where partnership has worked well.⁸⁹ However, there is already a well-recognised right to be free from discrimination affirmed in the relevant legislation and thus there is no inconsistency.⁹⁰ Furthermore, it could place too great a burden on practitioners. Defining privacy as a right therefore needs further consideration.

F. No Need for Harm

The final issue to consider more deeply is how a lack of harm is needed in order for there to be a successful breach finding under the Code. A lack of harm may result in the HDC being exposed to an increase in trivial claims. Patients, in seeing that harm does not need to be suffered, may make complaints to the HDC simply because they believe they are entitled to preferential treatment.

This is, however, unlikely to cause many problems as the HDC has the power to take no action if a complaint is trivial or vexatious.⁹¹ Clause 3 of the Code also provides a defence for practitioners if their actions were reasonable in the circumstances.⁹² Thus a patient in a public hospital who does not get their own private room for a consultation

may find there is no breach if there are resource constraints and the

⁸⁹ Paterson, above n 6, at 47.

⁹⁰ New Zealand Bill of Rights Act 1990, s 19.

⁹¹ Above n 4, s 38.

⁹² Above n 1, cl 3(1).

doctor took care to discuss their condition with them in such a way that could not be overheard by others.⁹³

Alternatively, the exclusion of harm could prove to be valuable to the reasonable patient in a number of cases. The earlier example from Malcom’s study is one such instance. The patients did not necessarily suffer harm as defined by the Privacy Act, and thus there would be no actionable claim.⁹⁴ The HDC, however, upon finding a breach, would be able to request the doctors of this hospital review their practice and that some guidelines be put in place, such as ensuring they spoke in low voices and stood as close as possible to the patient. Patients value these simple actions.⁹⁵

However, the lack of a need to prove harm could be seen as undermining the PC’s Office. In Case Note 35361, the PC found the doctor had unjustifiably breached his patient’s privacy by discussing the patient’s injury with his employer without consent. However, the harm suffered by the patient was not considered to result from the privacy breach.⁹⁶ In such a case, had the complaint gone to the HDC and there was an unrestricted right to privacy, a breach would certainly have been found.

Comparing this issue again to the joint jurisdiction the HDC has with the CHRC, discrimination can be seen as inherently causing harm in that it adversely affects one’s rights. It would be difficult to find an instance of discrimination that did not cause harm and therefore this

has not been a problem. In regard to the PC, however, this is a serious

⁹³ Malcom, above n 57, at 159-160.

⁹⁴ At 160.

⁹⁵ At 161.

⁹⁶ Case Note 35361 [2003] NZPrivCmr 9.

issue that needs to be taken into consideration if there was to be joint jurisdiction. Indeed, this was a problem in Australia whereby inconsistent legislation means the same issues are treated differently under different schemes.⁹⁷ Such discrepancies lead to patient confusion and damage the institutions’ reputations.

G. Conclusion

Initially it makes sense for the HDC to be able to hear claims regarding information privacy. Privacy and confidentiality are key aspects of the doctor/patient relationship. The exclusion of a right to privacy in the Code, which is designed to promote patient rights and place obligations on practitioners, seems counter-intuitive. While there are plenty of avenues an aggrieved claimant can take if they feel their privacy has been breached, the common law options can be slow, expensive and incur great stress. Furthermore, such options are primarily reserved for only the most serious breaches and may not provide less aggrieved consumers the opportunity they seek. Thus for the majority of complainants, the PC and HDC are the suitable avenues. Between the two jurisdictions, aspects of patient privacy seem to be suitably covered.

Having split jurisdictions, however, seems to contradict the purpose of the HDC Act: to promote patient rights and facilitate their resolution in the event of a breach. Patients with little knowledge of statutory interpretation may appeal to the HDC without realising their complaint should be placed with the PC. Such unawareness creates lack of consumer ease and unnecessary duplication of process. Concern has been expressed that simplifying the HIPC into one right in the Code

would cause greater confusion and there could be an increase in the

⁹⁷ McInnes, above n 65, at 87.

HDC workload. Such arguments are negated by the fact that Paterson has advocated for joint jurisdiction and a collaborative partnership.

The two key issues remaining therefore are that the Code is one of rights whereas the HIPC is simply a set of rules, and secondly that there is no need to prove harm under the Code. In regard to using the term “rights”, it has been found this is not so much of an issue in the broader context of law, as the right in the Code is clearly qualified by referring only to health and disability services. However, to use the language of rights could have two detrimental effects. It may undermine the PC’s Office as claimants may feel they could have greater success under the Code with its stronger language. Secondly, it may have a chilling effect on practitioners who wish to discuss cases, especially for educational purposes. While this would not be the intention of the HDC, public perception can be very powerful and, as Western society is frequently considered a rights-based one, such rhetoric could be detrimental.

That the Code does not require harm is also a marked difference that needs serious consideration. While there are many instances where a lack of need to prove harm is beneficial to patients and could help providers improve their services, it could also be seen as undermining the PC’s role. The HDC could find itself in the position of finding breaches where the PC would not. This inconsistency could be damaging to the credibility of both Offices. Finally in regard to these two problems, while Paterson has referred to the success of having joint jurisdiction with the CHRC, there is already an affirmed right to be free from discrimination in the legislation, and discrimination is seen as inherently harmful. Thus neither of these issues has caused a problem for the two agencies.

Having an unrestricted right to privacy in the Code could be desirable for many reasons. Unfortunately having two codes that are inconsistent risks causing problems. Perhaps the HIPC could be amended so that the language of rights is used. Indeed, the general public already appears to consider the HIPC and Privacy Act confers rights upon individuals.

The question of whether to remove the need for harm in regard to Rule

11 of the HIPC, or to include it in Rule 1(2) of the HDC Act is more problematic. To either add harm into the HIPIC or remove it from the Code would have the effect of creating inconsistency within the Codes themselves. Thus it is most practicable to have the two jurisdictions remain separate and for the law to stay as it is. The proposed overhaul of the Privacy Act provides an opportunity to address such discrepancies and consider amending the law to allow for a joint jurisdiction that is truly complementary.