De-identifying Information on the Web – A lesson on what not to do

The Medical Board of NSW published a Medical Tribunal decision on its website on 17 January 2011. As the Tribunal had ordered that the doctor's name not be disclosed, a PDF redacting tool was used to "black out" the doctor’s name before putting the decision on the  website.

On 20 May 2011, the doctor contacted the Board to complain that the non-publication order had been breached because her name in the Tribunal decision could be accessed via Google searches. The Board removed the decision from its website two days later. However, a Google search of the doctor's name still resulted in a link to the Board's website.

The doctor commenced legal proceedings against the Medical Board

The case proceeded to hearing four years later. On 5 January 2016, the Tribunal found the Board had breached the non-publication order by disclosing the doctor's name and so had breached her privacy. Evidence was heard that the method used by the Board to redact the doctor's name prevented the human eye from reading it, but still allowed Google web crawlers to read the information and then link the Tribunal decision to a search of the doctor's name.

This case is a useful reminder of the challenges in fully de-identifying or removing information which is placed on the web

Our Medico-legal Advisory Services team has received reports of other cases where a patient's health information has been inadvertently made available via Google searches. These include: x-rays, operation reports and other health information being able to be accessed when the information was stored in cloud storage sites which other users, or web crawlers could access.

This blog contains general information only. We recommend you contact your medical defence organisation or insurer when you require specific advice in relation to medico-legal matters.