The complainant had a blood test at a hospital to establish whether she would be a suitable organ donor for a family member ( ‘the recipient’). The result showed that she was a suitable match. The recipient was told by the physician of the complainant’s suitability prior to the complainant being told. The complainant had not authorised the physician to disclose this information to the recipient and believed that the physician had breached rule 11 of the Health Information Privacy Code 1994 (the Code) which places limits on the disclosure of health information. The physician also gave the recipient a letter for the complainant containing the results of her blood tests to pass on to her. The complainant alleged that this was a breach of Rule 5 of the Code which is concerned with the security of health information.