In August, the Federal Court hit HealthEngine, Australia's largest online medical booking service, with a $2.9 million fine. In this article, we review what happened and draw lessons for organisations that collect personal information from customers and seek their consent for later uses and disclosures of this information.
HealthEngine operated an online business which facilitated appointment bookings by customers with a range of health practices. HealthEngine also had arrangements with nine private health insurance brokers to receive referral fees.
As part of the online booking process, customers were asked whether they had private health insurance and whether they would like to receive a call about health insurance comparison services, or to assess the customer's insurance needs. It was not made clear to customers that if they answered 'yes', the customer’s non-clinical personal information would be disclosed to one or more third parties. Customers were not required to answer the question to complete their booking.
In the four years between 30 April 2014 and 30 June 2018, HealthEngine earned $1.8m in referral fees from their arrangements with the private health insurance brokers.
The case is interesting because customers explicitly provided consent for their information to be used to provide private health insurance brokerage services. This use was authorised, but only if it had been undertaken by HealthEngine.
HealthEngine accepted the conduct was liable or likely to cause customers to believe HealthEngine itself provided the relevant health insurance brokerage services, rather than disclosing their information to third parties for those services. The breach could have been avoided by rewording the question posed to consumers.
Lessons learned
Organisations need to:
- review the purpose for collecting, using and disclosing personal information; and
- ensure the consent obtained from customers and the information contained in privacy policies and collection statements are consistent with these purposes.
These risks are particularly significant for organisations that collect large volumes of data and rely on customer consent obtained at a single point in time to authorise later uses and disclosures of information. Further, the potential pecuniary penalties under the ACL are greater than those that apply to a breach of privacy law.
The case also addressed HealthEngine's conduct in relation to published customer reviews and ratings of health practitioners, where HealthEngine edited reviews to remove negative aspects or embellished them. This conduct, combined with the disclosure of information to health insurance brokerage services, resulted in a $2.9m fine and non-punitive orders including a review of the HealthDirect ACL compliance program and contacting customers who’d had their information provided to insurance brokers to explain the circumstances of the disclosure and the outcome of the Federal Court action.
Industry implications
Any organisation dealing with personal information needs to ensure that information provided to customers about the proposed uses and disclosures of their information is accurate and not misleading.
If health sector organisations collect large amounts of data over extended time periods, they may face difficulties in relying on consent to authorise uses and disclosures of data that were not envisaged at the time of collection.
Any organisation operating a business model that involves passing information through to third-party providers should take care to ensure that this is clear to consumers. This may apply to organisations that compare third-party consumer services, such as health insurance or energy comparison services.
How can MinterEllison help?
- review your privacy policies and collection notices to ensure the necessary consents are lawfully obtained;
- carry out Privacy Impact Assessments to enable organisations to better understand how personal information flows through the organisation and to uncover processing that may be in breach of the organisation's regulatory obligations; and
- review your advertising materials and use of customer testimonials, as well as conduct a broader review of your consumer law compliance policies and processes.