New Zealand Law Students Journal
Last Updated: 29 May 2014
PRIVACY AND PATIENT RIGHTS: DOES NEW ZEALAND NEED A RIGHT TO INFORMATIONAL PRIVACY IN THE CODE OF HEALTH AND DISABILITY SERVICES CONSUMERS’ RIGHTS?
In his 2009 Review of the Code of Health and Disability Services Consumers’ Rights (“the Code”), the incumbent Health and Disability Commissioner (“HDC”), Ron Paterson, argued the restricted definition of privacy in the Code should be removed. He believed the HDC should have jurisdiction to hear all privacy complaints. The present state of the law enables the HDC to hear complaints relating only to breaches of spatial privacy whilst issues relating to information privacy are dealt with by the Privacy Commissioner (“PC”) under the Privacy Act, and the Health Information Privacy Code (“HIPC”). Paterson’s key concern was that the split complaints system was detrimental to
healthcare consumers’ ability to seek redress when their privacy
LLB/BA (University of Auckland). I would like to thank Ron Patterson, Joanna
Manning and Stephen Penk for inspiring my passion for
health care and privacy
law through their elective courses. I would also like to thank Lillian Beattie
for the many hours she has
spent proof reading and editing this
breached. Given there is a comprehensive set of statutory rules in relation
to health privacy, as well as common law causes of action,
there does not appear
to be a lack of remedial avenues for patients who have suffered. Perhaps then
the issue is more one of lack
of consumer ease than lack of consumer
Aside from considering the effect on consumers, the broader consequences of
including a right to privacy in the Code should also be
contemplated. It is
notable that the legislature has been reluctant to enact a general right to
privacy in any area of the law. Perhaps
then to include a right to privacy in
the Code would undermine Parliament’s seemingly deliberate omissions.
of a broad right to privacy could create further trouble as
there is a wide range of statutory provisions granting express permission
privacy and confidentiality to be breached. A right to privacy may make it
harder to justify such breaches. Finally, the Code
differs from both the common
law and legislation in that no harm needs to be suffered in order to make a
claim. While this may be
positive at times, it could also have some undesirable
effects. For example, it could expose the HDC to an increase in
frivolous assertions, or cause the Office to be considered a backdoor way for
claimants, who would ordinarily be unsuccessful, to
triumph. This article will
examine the question of whether an unrestricted right to privacy should be
included in the
Code. In weighing up the effects for consumers with the
implications that it could have for the two Offices and the law in a broader
context, I find that the balance falls on the side of not inserting an
all-encompassing right to privacy in the Code.
A. Summary of the 2009 Review of the Code of Health and
Disability Services Consumers’ Rights
Currently the Code provides a right to privacy.1 Right 1(2)
states a consumer has “the right to have his or her privacy
respected”2 and thus many consumers may believe the HDC has
jurisdiction to hear an array of privacy complaints. This right is, however,
constrained. Both the Code3 and the Health and Disability
Commissioner Act 1994 provide that only privacy issues other than those dealt
with under the Privacy
Act or HIPC are covered.4 This essentially
denotes that only matters of spatial privacy, such as providing patients with
adequate facilities to get changed
in, and not information privacy,
that is disclosure of private or confidential information, are covered by the
Code.5 Dialogues regarding the Code make many references to
confidentiality, and thus both privacy and confidentiality will be considered
concurrently throughout this article.
Ron Paterson, during his evaluation of the Code in 2008 and 2009, strongly advocated for this right to privacy to be expanded. He noted in the HDC Consultation Document there was some scope for the HDC to deal with informational privacy claims via a liberal interpretation of Right 4(2) regarding legal, professional and ethical standards, or if the
privacy issue was only a minor part of the broader complaint.
2 At cl 2.
3 At cl 4.
4 Health and Disability Commissioner Act 1994, s 20(1)(c).
5 Rosemary Tobin “Healthcare and Privacy Law” in Stephen Penk and
Rosemary Tobin (eds) Privacy Law in New Zealand (Brookers, Wellington,
2010) 161 at 162.
this was not particularly practical and thwarted the deliberately narrow definition of privacy in the HDC legislation.6 Paterson also found other issues arising from the narrow definition. He argued splitting claims between the HDC and the PC was detrimental to the complainant as the issue could not be seen in its entirety.7 The division also resulted in repetition of process, and incurred unnecessary time and expense.8
Furthermore practitioners in breach of their ethical duty of
confidentiality could not be held liable under the Code and thus by the Director of Proceedings’ process before the Health Practitioners Disciplinary Tribunal.9 As a solution to these concerns he proposed the definition of privacy in the Code and Act be removed to allow the HDC to hear information privacy claims.10 He did not recommend the removal of the PC’s jurisdiction, but rather that the two Offices have joint jurisdiction so privacy claims could be dealt with by the more appropriate agency.11 Paterson alluded to the fact that the HDC currently shared jurisdiction with the Chief Human Rights Commissioner (CHRC) in regard to the right to be free from
discrimination and this had proved
6 Ron Paterson HDC Consultation Document: Review of the Health and Disability Commissioner Act 1994 and the Code of Health and Disability Services Consumers’ Rights: A Resource for Public Consultation (November 2008) at 47.
7 Ron Paterson, A Review of the Health and Disability Commissioner Act
1994 and the Code of Health and Disability Services Consumers’ Right s
(Report to the Minister of Health June 2009) at 14.
8 At 14.
9 Paterson, above n 6, at 13.
10 Paterson, above n 7, at 4.
11 Paterson, above n 6, at 47.
12 At 47.
B. Why are Privacy and Confidentiality So Important in the
Paterson advocates an inclusion of a general right to privacy because “the right to privacy is integral to the quality of health and disability services and the rights of health and disability service consumers.”13
Confidentiality is a concept long recognised in medical practice. This is
perhaps due to its appearance in the Hippocratic Oath circa
500 BC, one of the
first ethical codes in medicine.14 The inclusion of confidentiality
can be justified by appealing to philosophical reasoning. From a teleological or
point of view, it is thought that if private information is
kept confidential then patients are more likely to disclose everything
doctor needs to know in order to make an accurate diagnosis and provide the
right treatment. If they are fearful that personal,
and at times embarrassing,
information will be shared then they will be discouraged from seeking
care.15 A deontological perspective advocates for confidentiality on
the basis that it sustains patient autonomy and fosters one’s dignity
In the New Zealand context, the deontological perspective is of particular
importance. The whole rationale behind codifying
patient rights developed
out of the reforms in the healthcare system
13 Paterson, above n 7, at 13-14.
14 Peter de Cruz Comparative Health Care Law (Cavendish, London, 2000) at
15 Emily Jackson Medical Law: Texts, Cases and Material (Oxford University
Press, Oxford, 2006) at 315.
16 At 315.
the Cervical Cancer Inquiry and the Cartwright report in the 1980s.17
This investigation revealed experimental research on patients was occurring
without patient consent.18 Having such atrocities brought to light
fostered demands for patient autonomy and a need for the traditional
of healthcare professionals to change.19
Thus while respecting patient privacy had always been central to medicine
in order for practitioners to perform their job to the best
of their ability, it
is now also recognised as a key means of upholding patient dignity and
independence. In principle, then,
privacy is extremely
C. For and Against an Unrestricted Right to Privacy
1. Current Remedies for Breaches of Consumer Privacy and
The first question in deciding whether there should be a right to privacy
included in the Code is whether the remedies currently available
to patients are
adequate in helping address claims.
(1) The code
The process the HDC Office must take is set out under the Health and
Disability Commissioner Act.20 If, after an initial
assessment,21 the claim
17 Ron Paterson “Patient Rights in New Zealand: A Tool for Quality Improvement?” (paper presented to Third National Health Care Complaints Conference, Melbourne, March 2001).
18 Charlotte Paul “The New Zealand Cervical Cancer Study: Could it
Happen Again?” (1988) 297 BMJ 533 at 533.
19 Paterson, above n 17.
20 Health and Disability Commissioner Act 1994.
21 Section 33.
is passed on to the HDC, the HDC has a range of options before them,22
including the power to investigate.23 The consequences of an
investigation where there is a breach finding will usually result in the
practitioner being asked to apologise
to the claimant or to review their
practice so that a similar event does not reoccur.24 If the breach
is sufficiently serious the decision can be forwarded to the Director of
Proceedings25 who can then refer the matter to the relevant
disciplinary tribunal,26 or to the Human Rights Review
Tribunal27 where damages are sometimes awarded to the aggrieved
The Code does contain a right to privacy and, if the breach covers spatial privacy, it can provide an effective avenue for redress. Opinion
96HDC2314 was a situation where a woman was not given the opportunity to
remove her clothing behind a screen. This was found to be
a breach of Right 1(2)
and an apology from the doctor to the patient was
There are instances where the HDC will deal with information privacy rights via a broad interpretation of the Code. This can be achieved using Right 4(2): the right to have services provided that comply with the various relevant standards, including legal and ethical standards.29
The HIPC is a legal standard dealing with health
22 Sections 34-40.
23 Section 40.
24 Section 45(2)(a).
25 Section 45(2)(f).
26 Section 45(2)(f)(i).
27 Section 45(2)(f)(ii).
28 Health and Disability Commissioner Report on Opinion - Case 96HDC2314
(8 December 1997).
29 Above n 1, at cl 2.
disclosure,30 and there are a number of ethical codes, such as the New Zealand Medical Association’s Code of Ethics which include in its principles respect for a patient’s private information.31 In Opinion
01HDC03691 the HDC found a doctor liable for breaching Right 4(2) due to his
unethical treatment of patient information. Dr B disclosed
to Dr A that his
patient had gonorrhoea. When the patient’s wife visited Dr A, Dr A was
aware of the circumstances and proceeded
to act in a paternalistic matter to
protect the wife from the truth. Dr B disclosed the private information to Dr A
to persuade his patient to make the disclosure himself. This was
considered both a breach of HIPC Rule 11 and the doctor’s
duties. Both doctors were ordered to apologise, review their practice and the
matter was sent to the Director of Proceedings.32 This avenue is
extremely rare however and when there is an obvious information privacy issue,
complaints will be sent to the PC.
Using the Code is a quick, cost-effective way to solve complaints. However, despite some discretion, it is not the best place for consumers with grievances stemming from information privacy breaches to go for resolution. The problem is that the existence of an organisation which deals specifically with the rights of health and disability consumers, and includes in its Code a right to privacy, may
cause a number of patients to try this avenue of redress
30 Health Information Privacy Code 1994, r 11.
31 New Zealand Medical Association Code of Ethics for the New Zealand Medical
Profession (New Zealand Medical Association, Wellington, 2008) at 5.
32 Health and Disability Commissioner Report on Opinion – Case
(2) The HIPC
When a complaint reaches the PC they may take action if there has been a
breach of the HIPC and if this breach has caused, or may cause, some form
of harm, whether it be loss, injury, adverse effects on rights or interests, or
damage to feelings or dignity.33 Thus the threshold for finding a
breach is higher than under the Code. The PC has an advisory role. If a breach
is found, the PC can
make recommendations or, if the complaint is sufficiently
serious, refer the issue to the Director of Human Rights Proceedings,
then has the option to issue proceedings before the Human Rights Review
Tribunal.34 The Tribunal has authority to award remedies including
damages and costs.35
Issues regarding health information disclosure are dealt with under Rule
11 of the HIPC whereby health information must not be disclosed unless it fits within one of the exceptions listed.36 Both the Privacy Act and the HIPC are generally silent as to the status of these rules. While some of the literature has discussed the HIPC as establishing rights,37 there is in fact no codified right to privacy regarding disclosure.38 The
PC takes issues relating to disclosure of medical information
33 Tim McBride “NZ’s Privacy Act 1993 Part II” (1994) 1 PLPR 15 at 15.
34 Kathryn Dalziel and Sue Johnson “Health Information” in Rebeccan
Keenan (ed) Health Care and the Law (4th ed, Brookers, Wellington, 2010)
200 at 239.
35 At 239.
36 Above n 30, r11(1).
37 Tobin, above n 5, at 165;; John Dawson “Health Information Law: General Principles” in PDG Skegg and Ron Paterson (eds) Medical Law in New Zealand (Brookers, Wellington, 2006) 257 at 257-258.
38 Only Information Privacy Principle 6 is considered to be enforceable as a
right under s 11 of the Privacy Act 1993.
seriously however and has stated that “professional confidence should
only be breached in the most exceptional
As with the Code, the HIPC is an inexpensive and fast way to deal with
privacy breaches. However, the fact of a higher threshold for
a breach finding
may mean claimants who have had their privacy breached, but do not suffer any
significant harm as a result, will
not have their objections considered. Also as
non-disclosure of private information is not a right, a privacy claim will be
less weight when competing rights, such as the public’s right to
know, come into play.40 Nor is there a mechanism in place to
have the provider placed before the disciplinary committee and thus the
of breaching privacy for a practitioner may not be as
(3) Common law
Aside from a few exceptional circumstances, breaches of the privacy rules under the Privacy Act cannot be heard in the courts.41 The implementation of these rules however does not remove a consumer’s ability to take civil action.42 Therefore the common law works alongside the statutory provisions to provide another forum for disgruntled patients to air their concerns about privacy breaches.43 Depending on the circumstances, an action can be brought in equity or in tort. Despite
some overlap between the two actions, in New Zealand breach
39 Case note 2049  NZPrivCmr 7.
40 Brooker v Police  NZSC 30,  3 NZLR 91 at .
41 Dalzeil and Johnson, above n 34, at 239.
42 Ron Paterson “Health Care Law” (1996) 3 NZ L Rev 286 at 287.
43 John Dawson “Common Law Principles
Concerning Confidentiality, Privacy and Disclosure” in PDG Skegg and Ron
(eds) Medical Law in New Zealand (Brookers, Wellington, 2006)
325 at 325.
confidence and the tort of unwarranted disclosure of private facts
remain separate causes of action.44
(a) Breach of confidence
Lord Keith in AG v Guardian Newspapers (No 2) has stated
“[a relationship of confidentiality] can also arise as a necessary or
traditional incident of a relationship between
the confidant and the confider,
such as priest and penitent, doctor and patient”.45 This is
also the position in New Zealand where in Duncan v Medical Practitioners
Disciplinary Committee a GP was found guilty of professional misconduct for
a breach of confidence.46 The GP warned his patient’s
passengers and the police that his patient had just undergone a triple coronary
artery bypass graft
operation and thus he felt it was unsafe for the man to be
driving. It was noted that while sometimes public interest may justify
of confidence, it should be ensured that disclosure is made only to the relevant
A breach of confidence can be established when the information disclosed has the “necessary quality of confidence about it”, is imparted in “circumstances importing an obligation of confidence”, and when there is an “unauthorised use of that information.”48 It is likely most patients will consider their information is confidential when it is
provided for a special purpose, such as to get treatment, with
44 Hosking v Runting  NZCA 34;  1 NZLR 1(CA) at .
46 Preliminary Proceedings Committee of the Medical Council of New Zealand v
Duncan  NZCA 465;  1 NZLR 513 (CA).
47 At 518.
48 Coco v AN Clark (Engineers) Ltd  RPC 41 (Ch) at
recognition that it will not be disclosed without consent, and when the
information is not already within the public arena.49 Furthermore
it must be shown that economic or emotional harm has been sustained due to the
breach.50 The remedies available are delivery of personal documents,
account of profits, injunction to prevent a potential or continuing breach
(b) The tort of unwarranted disclosure of private facts
In most instances of a provider-patient relationship breach of confidence will be the preferable route to take. However, the tort of unwarranted disclosure of private facts may provide a claimant with another cause of action. In P v D the plaintiff sought an injunction to prevent the publication of information regarding treatment received at a psychiatric hospital. While they stated such information could only have been obtained due to a breach of confidence, there was not enough evidence to prove this and so they proceeded on the basis that publication would breach their privacy.52 To establish a breach of privacy, there must be public disclosure of private facts that would be highly offensive and objectionable to the reasonable person.53 As with breach of confidence, harm must be suffered.54 The remedies available to a successful plaintiff are damages and injunction preventing the
publication of the objectionable
49 Dawson, above n 43, at 328.
50 At 329.
51 At 329.
52 P v D & Independent New Auckland Ltd  2 NZLR 591 (HC).
53 Hosking v Runting, above n 44, at .
54 Dawson, above n 43, at 333.
55 At 333.
Both these common law avenues are more time-consuming and expensive than
using the statutory regimes. This is especially true for
the plaintiff if the
defendant can adequately defend disclosure. In R v Matthews a patient
told his doctor he had been sexually involved with a child. The Court held
that while the doctor did have a duty
of confidence to his patient, his
duty to tell the police about the incident so as to prevent imminent and serious
threat of harm
outweighed it.56 If a claimant is successful, however,
the remedies may be greater.
(4) Are the remedies adequate?
In reviewing the available remedies for breaches of privacy, it would appear
all bases are covered. The Code allows an avenue of redress
when a consumer
feels their spatial privacy has been interfered with. The HIPC and two common
law causes of action can provide remedies
when confidential or private
information is, or is going to be, shared without legitimate justification. The
key issue in terms of
having an avenue for complaint is perhaps that the
threshold for finding a breach is higher in the HIPC and common law compared
In 2005 Helen A Malcom conducted a study where patients discussed their perceptions of privacy in shared hospital rooms.57 One of the findings was that while patients were satisfied that their spatial privacy was respected by means of screens or curtains, they found that their personal medical information could be overheard by, and thus disclosed to, others in the room; this frequently made them uncomfortable.58 The
correct place to complain in this instance would be to the PC as
56 R v Matthews CA370/03, 8 March 2004.
57 Helen A Malcom “Does Privacy Matter? Former Patients Discuss their
Perceptions of Privacy in Shared Hospital Rooms” (2005) 12 Nurs Ethics
58 At 160.
has been disclosure to others and without justification or their consent. It
seems though that as no sufficient harm had been suffered
it is unlikely they
would receive a remedy.
Some participants stated that in certain instances the discomfort could
escalate to severe stress, especially if the illness being
serious. This would likely be covered by the HIPC.59 If the Code
were to cover informational privacy the HDC would be at liberty to find a
breach, as a right simply needs to have
been interfered with.60
To include a right to privacy in the Code would therefore cater to those
who have had their informational privacy breached
but have not suffered
sufficient harm so as to be provided with redress under the HIPC.
D. The Purpose of the Code
The second point to consider is how the restricted definition of privacy fits
in with the purpose of the HDC Act and Code. As set
out in the Act the objective
is to “promote and protect the rights of health consumers and disability
services consumers, and,
to that end, to facilitate the fair, simple, speedy,
and efficient resolution of complaints relating to infringements of those
rights.”61 This reflects the importance of the patient’s
A split system hinders rather than achieves this purpose. In the Code the
rights conferred on consumers impose parallel duties on
59 At 160.
60 Above n 4, s 45(1)(a).
61 Section 6.
providers.62 The fact that information privacy is excluded from
the Code seems to imply there is no obligation under the Code for
to respect consumer’s informational privacy. This may not be
clear to consumers, especially as there is often considerable
ignorance as to
the relevant legislation.63 Arguably many patients without
comprehensive understanding of statutory interpretation will simply look
at the rights provided
in the Code. They will make their complaint without
looking to Clause 4 that states the right to privacy is subject to Parts VII,
VIII and X of the Privacy Act.64 Even if a consumer was to consider
Clause 4, to then have to negotiate their way around the Privacy Act
their ability to easily express their grievances.
Australia has faced similar issues in that there are a “patchwork of laws” designed to protect health consumer privacy.65 The Federal Privacy Commissioner has noted that having multiple pieces of legislation covering similar issues “may result in consumers not knowing where they should go to resolve issues about the privacy of their health information.”66 Indeed, in New Zealand, 154 claims to the HDC in
2011 had to be referred to other agencies.67 No doubt a number of
these claims were in relation to breaches of confidentiality or privacy.
Consequently, several discontented consumers would have had
a longer wait than
they would have thought necessary to resolve their issues.
62 Above n 1, cl 1.
63 Malcom, above n 57, at 158.
64 Above n 1, cl 4.
65 Jasime McInnes “Health Privacy Legislation – A Patchwork of Laws”
(2004) 1Privacy Law Bulletin 87.
66 McInnes, above n 65.
Paterson believes having a “one-stop shop” approach would be
significantly more convenient for patients.68 The Nursing Council of
New Zealand agrees, and further argues it would “[allow] for low level
resolution or disciplinary action
to be taken where appropriate.”69
Such action would help foster a culture whereby healthcare practitioners
consider the patient’s perspective before acting.
The PC on the other hand remains opposed to the inclusion of an unrestricted
right to privacy in the Code. Her key concern is that
compressing the HIPC into
a single right in the Code would result in greater misunderstanding by
consumers.70 Certainly this has again been an issue faced in
Australia whereby having multiple pieces of legislation and agencies to
remedies to deal with privacy claims has resulted in
inconsistencies as to how privacy issues are dealt with.71 The
Federation of Women’s Health Council Aotearoa has anticipated that
discrepancies may start to appear, stating they would
rather have information
privacy dealt with under the jurisdiction of the PC “as relevant
understanding and expertise has been
developed within that
To combat this problem a removal of the restricted definition of privacy in the Code could be replaced by inclusion of a more complex set of clarifications to encompass the various exceptions to the
entitlement to have healthcare information kept private
68 Paterson, above n 7, at 14.
69 At 13.
70 At 13.
71 McInnes, above n 65, at 87.
72 Paterson, above n 7, at 13.
confidential. However, given the accessible way in which the Code is written,
complex clauses would be detrimental to the Code’s
standing as a
Including an unrestricted right to privacy could significantly increase
the HDC’s workload. In 2011 the HDC received 1,405 complaints.73
The PC received 968, of which 185 related to the HIPC.74 It would
thus appear unnecessary to disperse the privacy claims between the two
agencies, as the PC does not receive as many complaints
as the HDC. Increasing
the HDC’s workload could further delay claims from being resolved in a
fast and efficient manner.
The arguments in favour of upholding the status quo are compelling. However,
most qualms are countered by the fact that Paterson wishes
the two jurisdictions
to coordinate and work together. He remarks that often privacy claims brought to
the HDC contain issues about
other aspects of the Code and thus it makes sense
for the HDC to hear the complaint in its totality in order to combat broader
especially in relation to the quality of services.75 In
terms of extra workload, the HDC would not be taking all the PC’s HIPC
complaints and thus the work would be fairly distributed.
E. Privacy Expressed as a Right
The Code is a code of rights. A right in law holds significant weight.
Despite public perception that privacy is a fundamental human
73 Health and Disability Commissioner, above n 67, at 7.
75 Paterson, above n 6, at 47.
76 Malcom, above n 57, at 157.
in New Zealand the legislature appears to have been careful not to include a
right to privacy in any domestic legislation. Most notably,
there is no right to
privacy in the New Zealand Bill of Rights Act 1990. Indeed in that Act’s
White Paper there was debate
surrounding this issue. In the end it was decided
the scope and development of privacy was too uncertain for inclusion.77
In the HIPC there is no absolute right to privacy as an individual does
not have a general right to veto disclosure of their health
Perhaps this lack of status is because, while considerable importance is
placed on maintaining patient confidentiality, the justifications
in certain situations are seen as more important. Such justifications for
disclosing health information under the
HIPC include when there is an imminent
and serious threat to public safety,79 and when the information is
needed in court or tribunal proceedings.80
If privacy is not given the status of a right then it is less significant, and is able to be more easily outweighed by other interests that are rights or freedoms.81 Additionally, there are several other pieces of legislation that make provision for the disclosure of information without consent.82 To include a right to privacy in the Code could thus undermine the structures of current legislation. Furthermore, privacy claims may more readily be made to the HDC over the PC as the
stronger language may lead to it being seen as the more
77 Geoffrey Palmer “A Bill of Rights for New Zealand: A White Paper”
[1984-1985] I AJHR A6 at [10.144].
78 Above n 30, r 11(2).
79 Rule 11(2)(d)(i).
80 Rule 11(2)(i)(i)-(ii).
81 Brooker v Police, above n 40, at .
route. This could have the effect of both undermining the Office of the PC
and seeing a dramatic increase in complaints to the HDC
as consumers may
believe such a right overrules other statutory
Giving privacy the status of a right could also be seen as focusing too much
on patient autonomy and having a chilling effect on beneficial
healthcare professionals. Ross Boswell accepts patient information brings with
it obligations of confidentiality.83 However, such obligations
are seen by providers as a duty to contain the information within the medical
The legal perspective is stricter. Informal discussions about unique
cases are seen as acceptable in the healthcare provider
arena, but under the
HIPC are discouraged. Only discussions that provide a direct benefit to
the patient are permissible.
Boswell believes the law as it stands is already
overly strict and can be detrimental both to the patient and to the education of
other medical professionals.84 To include an unrestricted right to
privacy in the Code could thus be seen as further preventing practitioners from
being able to
disclose patient information to one another for instructive
reasons. If patients became aware of such discussions the practitioner
themselves subject to a complaint, despite having the patient’s, and wider
community’s, best interests at heart.
While removing the restricted definition in the Code may appear to advance the status of privacy, there are a number of limitations
provided in the Code. The first is the wording of the right. The right
83 Ross Boswell “Privacy Issues and Medical Practice” (Speech to the
Privacy Issues Forum, Wellington, 30 March 2006).
84 Boswell, above n 83.
privacy falls under the broader right of the right to respect, and Paterson’s amendment is worded as “the right to have services provided in a manner that respects the privacy of the individual.”85
Thus, the right to privacy is clearly a qualified one; it is only to be in relation to the provision of healthcare services. A provider is not in breach of the Code if they take all reasonable actions in the circumstances to give effect to the patient’s rights and their duties. While the burden is on the provider to prove this, it gives them an opportunity to demonstrate they were justified in disclosing the private information.86 The Code also makes reference to other enactments, stating that nothing in the Code shall prevent a provider from performing their duties or obligations imposed by other enactments.87
This will prevent other legislation from taking a subordinate position to
the Code. In relation to a right to privacy not being included in the New
Zealand Bill of Rights Act, an existing right is
not restricted simply
by its exclusion from the Act.88 Nor have a number of the other
rights in the Code been included in the New Zealand Bill of Rights Act, and this
has not proved to
be an issue.
The inclusion of privacy as a right in the Code would not undermine other legislation. The Code is clear it is subordinate to other rights and obligations, imposed by law, on providers. Such apprehension stems from the fact that privacy as a right has been the subject of much discussion at both the parliamentary and judicial level. However, that the right is qualified and contextualised should immediately clarify any
85 Paterson, above n 7, at 4.
86 Above n 1, cl 3.
87 At cl 5.
88 New Zealand Bill of Rights Act 1990, s 28.
The biggest problem with including a right to privacy is that it would be
inconsistent with the HIPC, which does not discuss its rules
as rights. Given
that a right has greater weight, it could undermine the PC’s role. It
should be noted that Paterson has used
the example of joint jurisdiction with
the CHRC as an example of where partnership has worked well.89
However, there is already a well-recognised right to be free from
discrimination affirmed in the relevant legislation and thus there is no
inconsistency.90 Furthermore, it could place too great a burden on
practitioners. Defining privacy as a right therefore needs further
F. No Need for Harm
The final issue to consider more deeply is how a lack of harm is needed in
order for there to be a successful breach finding under
the Code. A lack of harm
may result in the HDC being exposed to an increase in trivial claims. Patients,
in seeing that harm does
not need to be suffered, may make complaints to the HDC
simply because they believe they are entitled to preferential
This is, however, unlikely to cause many problems as the HDC has the power to take no action if a complaint is trivial or vexatious.91 Clause 3 of the Code also provides a defence for practitioners if their actions were reasonable in the circumstances.92 Thus a patient in a public hospital who does not get their own private room for a consultation
may find there is no breach if there are resource constraints and
89 Paterson, above n 6, at 47.
90 New Zealand Bill of Rights Act 1990, s 19.
91 Above n 4, s 38.
92 Above n 1, cl 3(1).
doctor took care to discuss their condition with them in such a way that
could not be overheard by others.93
Alternatively, the exclusion of harm could prove to be valuable to the
reasonable patient in a number of cases. The earlier example
Malcom’s study is one such instance. The patients did not necessarily
suffer harm as defined by the Privacy Act, and thus
there would be no actionable
claim.94 The HDC, however, upon finding a breach, would be able to
request the doctors of this hospital review their practice and that some
guidelines be put in place, such as ensuring they spoke in low voices and stood
as close as possible to the patient. Patients value
However, the lack of a need to prove harm could be seen as
undermining the PC’s Office. In Case Note 35361, the
PC found the doctor
had unjustifiably breached his patient’s privacy by discussing the
patient’s injury with his employer
without consent. However, the harm
suffered by the patient was not considered to result from the privacy
breach.96 In such a case, had the complaint gone to the HDC and there
was an unrestricted right to privacy, a breach would certainly have been
Comparing this issue again to the joint jurisdiction the HDC has with the CHRC, discrimination can be seen as inherently causing harm in that it adversely affects one’s rights. It would be difficult to find an instance of discrimination that did not cause harm and therefore this
has not been a problem. In regard to the PC, however, this is a
93 Malcom, above n 57, at 159-160.
94 At 160.
95 At 161.
96 Case Note 35361  NZPrivCmr 9.
issue that needs to be taken into consideration if there was to be joint
jurisdiction. Indeed, this was a problem in
inconsistent legislation means the same issues are treated differently under
different schemes.97 Such discrepancies lead to patient confusion and
damage the institutions’ reputations.
Initially it makes sense for the HDC to be able to hear claims regarding
information privacy. Privacy and confidentiality are key
aspects of the
doctor/patient relationship. The exclusion of a right to privacy in the Code,
which is designed to promote patient
rights and place obligations on
practitioners, seems counter-intuitive. While there are plenty of avenues an
aggrieved claimant can
take if they feel their privacy has been breached, the
common law options can be slow, expensive and incur great stress. Furthermore,
such options are primarily reserved for only the most serious breaches and may
not provide less aggrieved consumers the opportunity
they seek. Thus for the
majority of complainants, the PC and HDC are the suitable avenues. Between the
two jurisdictions, aspects
of patient privacy seem to be suitably
Having split jurisdictions, however, seems to contradict the purpose of the HDC Act: to promote patient rights and facilitate their resolution in the event of a breach. Patients with little knowledge of statutory interpretation may appeal to the HDC without realising their complaint should be placed with the PC. Such unawareness creates lack of consumer ease and unnecessary duplication of process. Concern has been expressed that simplifying the HIPC into one right in the Code
would cause greater confusion and there could be an increase in
97 McInnes, above n 65, at 87.
HDC workload. Such arguments are negated by the fact that Paterson has
advocated for joint jurisdiction and a collaborative partnership.
The two key issues remaining therefore are that the Code is one of rights
whereas the HIPC is simply a set of rules, and secondly
that there is no need to
prove harm under the Code. In regard to using the term “rights”, it
has been found this is not
so much of an issue in the broader context of law, as
the right in the Code is clearly qualified by referring only to health and
disability services. However, to use the language of rights could have two
detrimental effects. It may undermine the PC’s Office
as claimants may
feel they could have greater success under the Code with its stronger language.
Secondly, it may have a chilling
effect on practitioners who wish to discuss
cases, especially for educational purposes. While this would not be the
the HDC, public perception can be very powerful and, as Western
society is frequently considered a rights-based one, such rhetoric
That the Code does not require harm is also a marked difference that needs
serious consideration. While there are many instances where
a lack of need to
prove harm is beneficial to patients and could help providers improve their
services, it could also be seen as
undermining the PC’s role. The HDC
could find itself in the position of finding breaches where the PC would
inconsistency could be damaging to the credibility of both
Offices. Finally in regard to these two problems, while Paterson has
the success of having joint jurisdiction with the CHRC, there is already an
affirmed right to be free from discrimination
in the legislation, and
discrimination is seen as inherently harmful. Thus neither of these
issues has caused a problem
for the two agencies.
Having an unrestricted right to privacy in the Code could be desirable for
many reasons. Unfortunately having two codes that are inconsistent
problems. Perhaps the HIPC could be amended so that the language of rights is
used. Indeed, the general public already
appears to consider the HIPC and
Privacy Act confers rights upon individuals.
The question of whether to remove the need for harm in regard to Rule
11 of the HIPC, or to include it in Rule 1(2) of the HDC Act is more problematic. To either add harm into the HIPIC or remove it from the Code would have the effect of creating inconsistency within the Codes themselves. Thus it is most practicable to have the two jurisdictions remain separate and for the law to stay as it is. The proposed overhaul of the Privacy Act provides an opportunity to address such discrepancies and consider amending the law to allow for a joint jurisdiction that is truly complementary.