A woman who tried contacting health workers via social media has been refused the names of staff who accessed her medical records, because there was a “significant likelihood” she would seriously harass them.

The woman asked for the records because she was worried about “employee browsing” - unauthorised access to medical files.

The health agency released an access log with only the positions of the employees and the dates they had accessed the woman’s records.

The woman then sought a review of the decision to release the log which shows only when records were accessed, but not by whom.

The Office of the Privacy Commissioner has now backed the health agency’s decision and in a preliminary view, concluded it had lawfully refused the request for names.

It said in a decision released this month that there is a “relatively high threshold” to meet before an agency can lawfully refuse access to records.

It also said the agency has assured it that any employee outside the allocated team did not and would not be able to access the file because of the security safeguards in place.

The Privacy Commissioner was swayed by evidence it requested to support the agency’s stance, which showed that releasing the names would lead to a “significant likelihood of serious harassment”.

The information showed behavioural patterns in previous dealings with the woman which may have constituted harassment such as attempting to contact employees via social media platforms, threats of self-harm, and repeated contact in a manner that caused significant discomfort and distress.

“This was not a finding that the harassment had occurred, rather, based on the information we reviewed, and which the agency relied on to refuse access, we were satisfied that the agency had a proper basis for its belief that disclosing the individuals’ names to the woman would create a significant likelihood of serious harassment,” the decision said.

The woman disagreed with the decision and has now been informed of her right to bring proceedings in the Human Rights Review Tribunal if she wants to pursue her complaint further.

The agency agreed it would work with the woman to raise any issues of unauthorised access based on the information she had and answer any other questions that came up.

The office of the Privacy Commissioner said agencies that hold personal information have a responsibility to make sure the information they hold is kept safe and secure.

This also means protecting it against unauthorised or inappropriate access.