Media reports suggest that the personal medical records of asylum seekers have been handed over to Australia’s immigration department for “political purposes”.

Online news outlet The Guardian says it has leaked documents that suggest contractor International Health and Medical Services (IHMS) gave the records to Immigration Department officials, and could be in breach of privacy laws.

The revelations are allegedly contained in meeting notes from a clinical directors’ meeting at IHMS on confidentiality in September 2013.

Both IHMS and Immigration have strongly denied inappropriately providing or seeking access to asylum seekers’ medical records.

The briefing document reportedly composed by a senior IHMS clinician says that data has been passed to the department for purposes outside the immediate medical needs of asylum seekers.

“Such an example is passing on updated medical information on clients who are in hospital – in most cases the department wants the information for ‘political’ reasons and not for reasons of health and welfare of the client,” the note said, according to The Guardian.

“Not only might this be considered a breach of confidentiality but it might also be considered contrary to the Privacy Act.

“The reason that IHMS collects data is for the healthcare of the client and if we provide information to others for other reasons it could be considered as a breach of Privacy Act.”

The clinician allegedly said medical data is passed over for “compliance checking”, provided for administrative reasons and not medical ones.

“Unfortunately, when this information is provided, it is not provided in de-identified way and so could be considered a breach of confidentiality. If the information is provided in de-identified manner, one could argue that this does not breach confidentiality – and, in my view, this is how the information should be provided.”

It also raises concern over information given to foreign government departments – including the governments of Nauru and in Papua New Guinea – about Australia’s offshore detention centres.

“I do not believe that clients have provided consent to have their personal information given to foreign governments and this would certainly be a breach of confidentiality. In addition, it would be a breach of the Privacy Act,” the clinician reportedly noted.

In Australian privacy law, an organisation is only allowed to give over personal data to a third party for the primary purpose of collection, but the purposes of using the data outlined in The Guardian reports appear to go beyond medical reasons.

The clinician’s note allegedly warns that it could allow inappropriate breaches to occur.

There is concern that the provision of asylum seekers’ records may go against the code of conduct outlined by the Medical Board of Australia, which states that good medical practice requires “appropriately sharing information about patients for their healthcare, consistent with privacy law and professional guidelines about confidentiality”.

But despite these concerns and obvious risks, Immigration Department officers appear more than willing to demand access to asylum seekers’ records.

In excerpts from a separate email published by The Guardian, immigration department officers appear to have sought direct access to asylum seekers’ medical data through IHMS’s records system Chiron.

“We are aware that your local DIBP [Department of Immigration and Border Protection] counterparts are repeatedly requesting access to Chiron to further the contract monitoring program,” a September 2013 email by an IHMS business analyst allegedly said.

“This has been vetoed by both Michael Shelton (DIBP’s contract manager) and our IT people as being inappropriate and unmanageable.

“Chiron contains confidential information related to each client, and is ‘live’ – any person with access to it could potentially modify or delete a healthcare record.

“At the moment, Chiron cannot be viewed in ‘read only’ mode and access cannot be limited to those records under review for the monitoring activity. This would put us in serious breach of our professional and contractual obligations.”

A spokesperson for IHMS replied to the reports, saying “IHMS abides by Australian, PNG and Nauruan privacy requirements. IHMS follows the Australian privacy legislation in its dealings in the other countries due to the more stringent nature of Australian law(spearheaded by the Privacy Act 1988 (Cth).

“The observance of privacy and confidentiality is embedded in IHMS practice through policies and procedures that have been developed by IHMS and approved by the department.

“When any personal information is shared with the commonwealth of Australia, both IHMS and the commonwealth (usually the Department of Immigration and Border Protection and its predecessor organisations) will only access the information when such access is lawful and necessary.”

An Immigration spokesperson said: “The department takes its privacy obligations very seriously and strongly refutes allegations that transferee or detainee data has been inappropriately accessed or provided to other parties.

“The sharing of detainee health information is allowed in certain circumstances under law. These circumstances include conducting audits of IHMS performance, contract monitoring or responding to parliamentary, ombudsman and Australian human rights enquiries.”

“Detainees and transferees are advised of the possible disclosure of their health information for lawful purposes and are also asked to provide written consent for the sharing of their health information when required.”

The reports are a new blow for the perception of the Immigration Department’s ability to handle and control data.

The department was slammed twice in 2014, after it accidentally exposed the personal details of almost 10,000 people in immigration detention, and also accidentally emailed the personal details of G20 world leaders to the organisers of a regional soccer event.