An employee at a large health agency in New Zealand has had her private health information - including her "extremely sensitive" emergency department and mental health records - accessed by more than one former colleague.

The woman's private information was looked at on numerous occasions between 2012 and 2013, case notes from the Privacy Commissioner's Office show.

She was notified about the offending by the health agency and told her former colleague had been fired as a result.

Both parties had worked in administrative roles and had access to health records and medical information.


But it was only when the woman asked for an access audit to be conducted that she found more than one person had "browsed" through her private information.

The offending "showed a pattern of behaviour and gave meaning and context to some comments her former colleagues had made about her health while they worked together", Privacy Commissioner John Edwards said.

He said the woman had asked for an audit of access to her records after finding out they had been accessed without proper reason, "so she could be sure no other staff she had worked with had inappropriately accessed her health information".

Mr Edwards said the audit revealed another former colleague had browsed her health information during the same time period.

The fact that people she worked with were responsible heightened the complainant's feelings of violation and humiliation.

"This was especially distressing for the complainant because it renewed the complainant's concerns that her colleagues had treated her unfairly and had been sharing her sensitive health information with each other."

He said Rule 5 of the Health Information Privacy Code 1994 requires an agency to ensure reasonable security safeguards exist to prevent loss, unauthorised access or disclosure of the health information it holds.

"Assessing what is reasonable depends on the sensitivity or confidentiality of the information involved and the ease with which safeguards could be put in place to protect the information. The agency's current policies and practices, including any staff training, are also relevant."

The information accessed was shown to include "extremely sensitive" emergency department and mental health records.


Edwards said under Rule 5, an agency has an ongoing responsibility to develop and maintain appropriate security safeguards for their information.

"System audits, staff training, policies and technology upgrades are some of the tools an agency can employ to help maintain a good privacy culture and ensure trust and confidence in the security and privacy of health information.

"Inappropriate access to information by employees, called 'employee browsing', is a problem for many large agencies. It is important agencies take a proactive approach to information security and make continuing efforts to put in place and improve their security processes."

He ruled that although the health agency took a proactive, sympathetic and responsible approach to the interference with the complainant's privacy, it had limited processes in place to catch inappropriate access to their files.

"The extent of the browsing and length of time before detection also indicated the safeguards in place were not adequate. The browsing took place over several months and was not an isolated incident.

"The fact that people she worked with were responsible heightened the complainant's feelings of violation and humiliation."


Edwards said that in this case, the harm suffered by the complainant was "ongoing and substantial".

"She experienced high levels of anxiety, nightmares, and was fearful of further browsing of her health information.

"The complainant also felt any future possible employment at the agency was impossible as not only did she feel her reputation had been damaged, she no longer trusted the agency."

The woman and her employer agreed to participate in a mediation facilitated by the Privacy Commissioner's Office.

"The mediation was successful and the health agency, following on from earlier apologies, provided a formal apology and agreed to provide financial compensation to the complainant for the harm caused by the interference with her privacy," Mr Edwards said.

He added: "The health agency had initiated an independent review of its health record audit process to reduce the risk of this happening again in the future and is implementing those changes."