Allowing workers access to their own personal and health information ensures they are informed throughout the claims process. It also promotes their full participation during injury management.
NSW workers compensation legislation provides for worker access to certain types of information. However, the workers compensation legislation does not limit or prevent a worker from exercising their rights under relevant privacy laws to access their personal and/or health information. Under these laws, a worker can request access to information at any time.
Consistent with relevant privacy principles and privacy laws in NSW and Australia, a worker’s personal and health information held by insurers should be available to the worker at their request. While there are some exemptions to the general presumption of access, these exist in limited circumstances.
Insurers are to comply with relevant privacy laws and should have processes in place to facilitate worker access.
Rights of the worker
Insurers and employers all have obligations to comply with NSW and Federal privacy laws that deal with the collection, use, storage and disclosure of personal and health information, and with how they will obtain consent from the individual.
The privacy law(s) that may apply will vary depending on the insurer type and the type of information being dealt with. For example, the Privacy and Personal Information Protection Act 1998 (PPIP Act) and Government Information (Public Access) Act 2009 (GIPA Act) apply to the Nominal Insurer. However, many employers and other insurers may be bound by the Commonwealth Privacy Act 1988. The Health Records and Information Privacy Act 2002 (HRIP Act) applies more broadly to any organisation in NSW, but is limited to health information.
Generally, the principles outlined in these laws provide that the worker has the right to:
- know why personal and health information is being collected, how it will be used and who it will be disclosed to
- ask for access to personal information (including health information)
- ask for incorrect personal and health information to be corrected
- make a complaint about an entity if there is a belief that personal or health information may have been mishandled.
Information collected about a worker falls into two broad categories - personal information and health information. It is the insurer’s responsibility to be aware of and comply with relevant privacy laws. Insurers should have processes in place to meet their obligations and to facilitate worker access. Further information regarding privacy laws is available from the NSW Information Privacy Commission and the Office of the Australian Information Commissioner.
Specific requirements for medical reports
In addition to the general provisions under privacy legislation, section 126 of the 1998 Act requires the employer or insurer to release medical reports to a worker if those reports are to be relied upon in a dispute.
Clause 41 of the 2016 Regulation requires the inclusion of other documents that the insurer has relied upon in a dispute. This includes certificates of capacity, clinical notes, investigator reports, workplace rehabilitation provider reports, and other reports obtained or provided to the insurer.
Access and release
‘Standard of practice 2: Worker consent’ outlines expectations for insurers regarding worker access to information. It states insurers are expected to:
- advise workers of their right to access their personal and health information
- promptly respond to any request by the worker or their representative for information contained in the insurer’s claim file
- ensure third-party providers are aware that any report they provide in relation to a worker may be released to that worker.
Insurers should have appropriate claims handling processes and procedures in place to ensure the above requirements are met, and to deal with a worker request to access their personal and health information.
These processes and procedures should be developed to:
- provide workers with access (where appropriate) without unnecessary delay or cost
- inform third-party providers that information may be released to the worker at the time of referral, and prior to the preparation of the report
- ensure appropriate record-keeping on a claim, including:
  - evidence of the request made by the worker
  - what personal and health information has been requested
  - the insurer response to the worker, including what information has been released and the date of release
- ensure that any personal information collected, used or disclosed is accurate, complete, and current.
In some circumstances, it may be reasonable for the insurer to require the worker to forward a written request supported by identity verification before releasing the worker’s personal or health information.
Proactive release of information
In demonstrating commitment to claims management transparency and participation, insurers should support the proactive release of information where this will help return to work and injury management.
Workers have a right to be informed and educated about their injury, and therefore be empowered to participate in injury management.
Access only in the event of a dispute may disadvantage a worker in the claims process and has the potential to cause reactive rather than co-operative behaviour in injury management and hinder return to work objectives.
If the insurer determines that releasing information to the worker would pose a serious threat to the life or health of the worker or any other person, the insurer can release the information in accordance with clause 41(5) of the 2016 Regulation.
In this situation the insurer may instead supply medical reports to a medical practitioner nominated by the worker for that purpose or, in any other case, to the worker’s legal representative.
Insurers are encouraged to contact the medical practitioner and/or legal representative to discuss the release of the information, including any particular concerns with respect to the safety and well-being of the worker or others. All actions taken by the insurer should be clearly and accurately documented on the claim file.
Insurers may also assess whether exemptions apply in accordance with the other relevant privacy legislation.
Any grounds for caution regarding the release of information to a worker should be based on concerns regarding the safety and well-being of the worker or others. A worker’s personal and health information should not be withheld arbitrarily; however, legal professional privilege may apply in certain circumstances.
If the insurer decides not to provide access to personal information, written reasons for the denial of access or refusal should be provided to the worker. The rationale for the decision should be clearly noted on the claims file. A worker may have a right to have that decision reviewed through the NSW Civil and Administrative Tribunal.
Security of personal information
Personal and health information is collected and stored to enable the insurer to process, assess and manage a worker’s compensation claim and to verify any evidence that may be submitted in support of a claim.
Internal procedures should ensure the safe handling and storage of all personal information including procedures for safe custody and transit. Insurers are to take reasonable steps to protect personal information from misuse and loss and from unauthorised access, interference, modification and disclosure.
All information entrusted to the insurer must be securely stored in physical and electronic form. Where the personal information is no longer required, reasonable steps are to be taken to secure, destroy or permanently de-identify that information in accordance with the law.
Insurers should provide workers with information on the complaints process (including how to lodge a complaint) in case the worker is not satisfied with the insurer’s response to a request for access to personal or health information.
Insurers should recommend a worker contact the insurer, in the first instance, to discuss a complaint and provide an opportunity for the matter to be resolved.
Note: new pathways are available for enquiries and complaints from 1 January 2019.
Workers can also make a complaint to the Office of the Australian Information Commissioner (OAIC) about the handling of their personal information by private sector organisations covered by the Commonwealth Privacy Act 1988.
The NSW Information Privacy Commissioner receives complaints from members of the public regarding alleged breaches of privacy (the violation of, or interference with, an individual’s privacy), which may be dealt with under the Privacy and Personal Information Protection Act 1998 or, in certain circumstances, the Health Records and Information Privacy Act 2002.