AIN v Medical Council of New South Wales

Case

[2016] NSWCATAD 5

05 January 2016

No judgment structure available for this case.

Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: AIN v Medical Council of New South Wales [2016] NSWCATAD 5
Hearing dates:10 and 11 September 2015
Date of orders: 05 January 2016
Decision date: 05 January 2016
Jurisdiction:Administrative and Equal Opportunity Division
Before: N Isenberg – Senior Member
Decision:

The Respondent breached s.18 PIPP Act in respect of the Applicant and her son, from 17 January 2011 up to and including 12 June 2011.


ORDERS


The Applicant file and serve submissions as to remedy, not exceeding 2000 words, within 14 days.


The Respondent file and serve submissions as to remedy, not exceeding 2000 words, within 14 days after receipt of the Applicant’s submissions as to remedy.


The Privacy Commissioner file and serve submissions as to remedy, if any, within 14 days after receipt of the Respondent’s submissions as to remedy.


Thereafter, the matter is to be listed for directions as to remedy on 18 April 2016 at 9.30am.

Catchwords: Medical Tribunal – NPO – breach – non-effective redactions - Google search - privacy
Legislation Cited: Privacy and Personal Information Protection Act 1998
Cases Cited: KO and KP v Commissioner of Police, New South Wales Police Force [2005] NSWADTAP 56
WL v Randwick City Council [2007] NSWADT 12
QN and Ors v Commissioner of Fire Brigades [2011] NSWADT 125
Department of Education and Communities v VK [2011] NSWADTAP 61
PN v Department of Education and Training [2010] NSWADTAP 59
Category:Principal judgment
Parties: AIN (Applicant)
Medical Council of New South Wales (Respondent)
Representation: Solicitors:
AIN (Applicant in Person)
Crown Solicitor’s Office (Respondent)
File Number(s):1230032

REASONS FOR decision

Background

  1. The Applicant is a medical practitioner. Registration as a medical practitioner is determined by the Respondent and, formerly, by its predecessor, the Medical Board of NSW (‘the Board’).

  2. Each year from 2004 to 2008, the Applicant applied for general registration and declared that her professional indemnity insurance status for the practice year would be “Limited Prescribing and Referral”, which permitted her to undertake limited practice without professional indemnity insurance.

  3. In May 2009, the Applicant sought general registration without the Limited Prescribing and Referral restriction, but the Board’s Registration Committee refused her application. The Applicant then lodged an appeal to the Medical Tribunal.

  4. In October 2009, after receiving further information from the Applicant, the Board referred the Applicant's application for unconditional general registration to a formal inquiry (‘Inquiry’), under Schedule 1 to the (now-repealed) Medical Practice Act 1992.

  5. In December 2009, following the Inquiry, the Board decided that although it was appropriate to grant the Applicant general registration, the registration was to be subject to conditions, including as to supervision. The Applicant appealed the Board’s decision to the Medical Tribunal.

  6. Both Medical Tribunal appeals were heard on 18-19 October 2010. The parties settled the proceedings, save as to costs (which were awarded in the Applicant’s favour), by agreeing to orders imposing revised conditions on the Applicant's general registration. The Medical Tribunal delivered its decision ex tempore. A written copy of the Medical Tribunal’s decision was made available to the Respondent, shortly thereafter; the Applicant only received an earlier draft. The parties were referred to as “Re A practitioner”, and (erroneously) the "Office of the Health Care Complaints Commission", although this was subsequently corrected.

  7. At the Medical Tribunal hearing the Applicant sought, and, by consent, was granted, a non-publication order (‘NPO’). The NPO prohibited the publication or disclosure of the Applicant's name, the name of her son, or any other identifiers of the Applicant or her son. Neither party appears to have sought a formal, sealed, copy of the Orders as entered, but there is no dispute that the NPO was made.

  8. The Medical Tribunal’s decision was not published on its website.

Publication of the Medical Tribunal’s decision, Orders and Exhibit X by the Respondent.

  1. On 17 January 2011, the Respondent published the Medical Tribunal’s decision, Orders and "Exhibit X", which was incorporated, by reference, into the Orders (collectively, ‘the publication’) on its website. Exhibit X set out the conditions to be imposed upon the Applicant’s registration.

  2. The publication contained the Applicant’s name in three places, although it had been masked by the use of the PDF redacting tool, such that her name was ‘blacked out’; unbeknownst to the Respondent, data remained under the redacted text.

  3. On 20 May 2011, the Applicant's former solicitors informed the Respondent that they considered the Respondent may have breached the NPO by the publication on its website in a form that, while appearing to be redacted, could be accessed when undertaking Google searches.

  4. On 23 May 2011, the Respondent investigated and purported to remove the publication from its website, and the Applicant was so informed.

  5. On 27 May 2011, the Applicant's former solicitors complained to the Respondent that a Google search of "Dr [AIN]" (and similar) resulted in a suggested link to the publication through the "Resources file" on the Respondent's website.

  6. On 30 May 2011 Ms St Hill, who was at that time the Respondent's Legal Director, contacted Google Australia and requested its assistance in immediately removing the publication from Google searches.

  7. On 1 June 2011, the Applicant contacted the Respondent to inform it that, although there was no longer a link on the Respondent's website, the publication was still available on the Internet when undertaking a Google search.

  8. On 16 June 2011, the Respondent provided a detailed response to the complaint about the publication. Amongst other matters, the Respondent confirmed that it understood the publication to have been removed from its website and that it had been in contact with Google Australia.

  9. The next day, Ms St Hill contacted Google Australia again to advise that a Google search result continued to link the Applicant's name to the Respondent's website. Google requested that the Respondent provide "a copy of the civil complaint or similar document reflecting [the] legal action" and on 19 July 2011, the Respondent provided Google Australia with a copy of the (corrected) Medical Tribunal’s decision, but apparently not the NPO, because no formal Order had been obtained. Unsurprisingly, on 20 July 2011, Google Australia informed the Respondent that it would take no action.

  10. Nonetheless, on 20 July 2011, when Ms St Hill arranged for a Google search of the Applicant’s name, no link to the Medical Tribunal’s decision appeared in the first 100 returned searches.

  11. What remains though, is that a Google search of "Dr [AIN]” returns a search result which includes a link to the Respondent's homepage, even though the Applicant’s name does not appear anywhere on the Respondent's website.

  12. On 1 November 2011, the Applicant filed an internal review application which the Respondent determined on 10 January 2012 and made a number of recommendations, in addition to the actions it had referred to in its 16 June 2011 letter to the Applicant’s solicitors.

  13. On 7 February 2012, the Applicant made an application to the Administrative Decisions Tribunal, this Tribunal’s predecessor, for review of the Respondent's internal review decision pursuant to s.55 of the Privacy and Personal Information Protection Act 1998 (‘PPIP Act’).

  14. The Applicant alleges that the Respondent has contravened the following information protection principles (‘IPPs’), as set out in PPIP Act:

  • Section 15 - Alteration of personal information

  • Section 16 - Agency to check accuracy of personal information before use

  • Section 18 - Limits on disclosure of personal information

Issue

  1. Has the Respondent breached its obligations to the Applicant and her son under the PIPP Act?

The hearing

  1. The Applicant has a number of matters before the Tribunal, and all (bar one) were dealt with at the same time, but are the subject of separate decisions. It was discussed at the outset of the hearing that the Tribunal would consider only liability at this stage and that remedies, if any, would be considered later.

  2. The Applicant made a detailed statement and made extensive submissions in this matter. In addition to its submissions the Respondent relied on a written statement by Ms St Hill, the Respondent’s A/Executive Officer dated 21 March 2014, who also gave evidence. Some of the submissions, in particular those relating to ‘Grounds’ 6, 7 and 8 are more appropriately considered in the context of the appropriate remedy.

  3. The scope of the Tribunal's review is limited to considering the conduct said to be in breach of the PPIP Act, as initially identified by the Applicant in her application for internal review under s.53 of the PPIP Act: KO and KP v Commissioner of Police, New South Wales Police Force [2005] NSWADTAP 56.

CONSIDERATION

Ground 1: Breach of the NPO

  1. The Applicant contended that, through the publication, her personal information, and that of her son, was disclosed, in contravention of s.18 PIPP Act.

  2. Section 18 of the PPIP Act provides that a public sector agency that holds personal information must not disclose that information to a person (other than the individual to whom the information relates) or other body, subject only to limited exceptions and exemptions, which are not presently relevant.

  3. Personal information is defined at s.4 of the PPIP Act as, "information or an opinion...about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion".

  4. The Respondent conceded that, on 17 January 2011, it had published the Medical Tribunal’s decision, including the Orders and Exhibit X on its website, in breach the Medical Tribunal's NPO.

Was there disclosure of the Applicant’s personal information as a result of the breach of the NPO?

  1. The Applicant contended that the version of the Medical Tribunal decision which incorrectly named the HCCC as the Respondent suggests she was the subject of a complaint and that she was subject to disciplinary (or misconduct) proceedings. I do not accept this to be the case, because notwithstanding the incorrect title, the published decision clearly does not relate to a “complaint”, which would be the case if the HCCC was the correct Respondent.

  2. The Respondent admitted that it breached s.18 PPIP Act, by disclosing the Applicant's personal information to (potentially) the world at large, by the publication on its website. While the Applicant's personal information was masked from the human eye, her personal information was able to be "read" by the Google search engine. This resulted in a search for "Dr [AIN]" (or similar) leading to a link to a copy of the (human eye redacted) Medical Tribunal’s decision. The Respondent accepted, properly in my view, that a Google search for "Dr [AIN]" would link the Medical Tribunal’s decision to her.

  3. I find there has been a breach of s.18 PPIP Act in respect of the Applicant’s personal information.

Was there disclosure of the Applicant’s son’s personal information as a result of the breach of the NPO?

  1. The Applicant was authorized to bring a complaint on behalf of her son. It was contended that the publication on the Respondent’s website disclosed personal information about the Applicant’s son.

  2. The Respondent submitted that the Applicant did not, in her internal review application, specifically complain of any disclosure of her son's personal information and that that aspect of her complaint is not properly before the Tribunal. I do not agree and, in my view, she squarely raised her son’s privacy in the internal review application.

  3. The Respondent submitted, in the alternative, that the information disclosed in the publication did not disclose any personal information about the Applicant's son.

  4. The publication was to the effect that the Applicant had ceased general practice in order to “care for a child who required intensive attention”.

  5. The Respondent submitted that it should be inferred that the Medical Tribunal, being cognisant of its own NPO, deliberately referred to "a child" as opposed to "the Applicant's child" or "the Applicant's son" or "the Applicant's son, [name]".

  6. The Respondent further submitted that that the identity of the Applicant’s son, who bears a different surname to the Applicant, was not reasonably ascertainable on the basis of the information disclosed without taking “more than moderate steps": WL v Randwick City Council [2007] NSWADT 12 (‘WL’) at [22].

  7. In QN and Ors v Commissioner of Fire Brigades [2011] NSWADT 125, the Tribunal stated as follows:

[27]...In order for an individual's identity to be apparent from the information "one would need to look at the information collected and know or perceive plainly and clearly that it was information about the Applicant". In respect of 'reasonably ascertainable', resort may be had to extraneous material; "which must inevitably lead to the identity of a particular person, depending on the context" (at [17]). There was no evidence before me to suggest the [subject information] was unique to QN, thereby making his identity reasonably ascertainable.

  1. The Respondent contended that the reference in the publication to "[the Applicant] left general practice in order to care for a child who required intensive attention because he had diabetes" does not make her son’s identity sufficiently ascertainable. These are not descriptors that are unique to one individual and do not enable one particular person to be identified. It is difficult to see what readily available further information could be relied upon (in the taking of no more than "moderate steps": see WL at [22]) to assist in determining that her son is the same person as "a child who required intensive attention because he had diabetes". It would take more than moderate steps, it was submitted, to ascertain the identity of her son based only on this information.

  2. The Privacy Commissioner's submissions regarding the Applicant's son were to the effect that it is not unreasonable to suspect that the information was available to people who know that the Applicant’s child with diabetes is her [named] son. In my view, this is not an accurate account of the test in WL.

  3. I do not accept that only through the taking of "more than moderate steps" could the reference to "a child" in the Medical Tribunal’s decision be taken to be a reference to the Applicant’s child. It is not, as the Respondent submitted, an extraordinary step to come to the view that "a child" in the context meant "one of the Applicant's own children”.

  4. I consider the identity of the Applicant’s child is reasonably ascertainable taking of no more than moderate steps: per WL. I find that the identity of the Applicant’s son was identifiable from the publication.

  5. I find there has been a breach of s.18 PPIP Act in respect of the Applicant’s son’s personal information.

Ground 2a: Accuracy of the Medical Tribunal’s decision

  1. The Applicant submitted that the title of Medical Tribunal’s decision was an obvious error and that, had the Respondent raised this error with the Medical Tribunal prior to publication, the Medical Tribunal would have taken steps to correct it. It is clear that such a course would have been desirable.

  2. The Applicant’s contention may be categorised as alleging a breach by the Respondent of s.15 PPIP Act, which provides that an agency that holds personal information must make appropriate amendments to that personal information, to ensure that it is accurate, relevant, up-to-date, complete and not misleading. I accept that the Respondent may simply have not noticed that the Respondent had been incorrectly named in the title of the decision. The "Board"/"Respondent" is referred to elsewhere in the decision and the “Medical Council” is referred to in the Orders and Exhibit X. It was a party to the proceedings and was aware of the terms of the decision and Orders (including Exhibit X).

  3. However, it was simply not open to the Respondent to itself make the amendment to the decision made available to it by the Medical Tribunal. Consequently, I find there to have been no breach of s.15 PIPP Act.

  4. The Applicant also alleged that the Respondent contravened s.16 PPIP Act, which requires an agency to check the accuracy of personal information before use.

  5. I was referred to the decision in Department of Education and Communities v VK [2011] NSWADTAP 61. There, the Appeal Panel, at [26] highlighted the distinction between ’use’ and ‘disclosure’. It referred to PN v Department of Education and Training [2010] NSWADTAP 59 where it was discussed that the ‘data quality standard’ reflected in s.16 does not apply to an external disclosure. In this case the complaint related to the external disclosure of the publication on the Respondent’s website. Consequently, I find that there has been no breach of s.16 PIPP Act.

Ground 2b. Alteration of the decision of the Medical Tribunal by the addition of Orders and Exhibit X

  1. The Applicant contended that the Respondent had improperly created a document by adding the Orders and Exhibit X to the Medical Tribunal’s decision, and that this amounted to an alteration of the decision. She contended that the creation of a single document was in contravention of s.16 PPIP Act.

  2. It was difficult to see how s.16 might apply in respect of this contention, because, as I have observed, s.16 does not apply to an external disclosure. I do not consider that the collective publication of the Medical Tribunal's decision together with the Orders and Exhibit X was a breach of s.16 PIPP Act; there was no inaccuracy by virtue of the publication and in fact, in my view, the publication in that form provided completeness: per MT.

Ground 3 (not pressed)

Ground 4: Publication of the decision that did not give notice of the NPO

  1. The Applicant contended that it was misleading to publish a document which identified the Applicant and from which her son was identifiable when that publication was the subject of a NPO without clearly stating the terms of that Order. The Respondent, it was submitted had thereby contravened s.16 PPIP Act.

  2. As discussed in relation to Ground 2, s.16 does not apply to an external disclosure. I therefore find there to have been no breach of s.16 in relation to this Ground.

Ground 5: Ongoing breach of the NPO

  1. The Applicant’s evidence was that she became aware of the publication on the Respondent’s website in February 2011 and that she accessed the document on the Respondent’s website again on 25 March 2011 and on multiple occasions up to 12 June 2011. The Respondent had originally submitted that it ceased to breach the NPO when Internetrix, its website provider, on Ms St Hill’s instructions, removed the Medical Tribunal’s decision from the Respondent's website. The Respondent now accepts that the publication remained available on its website until 12 June 2011. When the Applicant performed Google searches of her name from 23 June 2011, the searches did not return a link to the Medical Tribunal’s decision.

  2. The Respondent conceded that it had advised the Applicant that the publication had been removed from its website before that had been fully accomplished, and that it needed to be told on several occasions that the publication continued to be available via a Google search of the Applicant's name before it was successfully removed. The Respondent accepted that the period of publication of the Medical Tribunal's decision in breach of the NPO extended to 12 June 2011. I agree with this analysis.

  3. At some stage in early 2012, the Applicant observed that a Google search of her name returned search results which included a link to the Respondent's homepage. The Applicant's evidence however was that when she had previously performed a search of her name on 23 June 2011, this did not occur. It was unclear why on 23 June 2011 a Google search returned no search results and, yet, in early 2012, a Google search was found to return search results. I was informed that a search for the Applicant’s name on Google currently returns no references to the Respondent's homepage but a search of "Dr [AIN]" currently returns search results including a link to the Respondent's homepage. The location of the Respondent's website, in the ordering of the Google search results, was, I was informed, between the period of 20 July 2011 and the date of the hearing, been listed, at various times, as either the second or third search result. (The fourth returned search result related to a different person of the same name.)

  1. The Respondent submitted, that the Google search results, which include the Respondent's homepage, do not indicate the nature of the association between the Applicant and the Respondent. I reject the Respondent’s submission that, if an inference can be drawn at all from the Google link, it is that the Applicant was at one time a volunteer at the Respondent, an employee, a member of the Registration Committee or the like. A considerably more likely explanation for the connection is that the Applicant is, simpliciter, a medical practitioner.

  2. There was some complicated evidence about Google searches. Ms St Hill’s evidence was that she arranged for Internetrix to report in relation to access to the Applicant’s name. Ms St Hill explained that the method used to "redact" the Applicant's name merely placed an opaque "block" over the top of the “redacted” words. While this prevented the human eye from reading the Applicant’s name, it allowed, as was later discovered, Google webcrawlers (also called "Googlebots") to read this information and to link the publication to a search of "Dr [AIN]" (and similar). In summary, Ms St Hill’s evidence, in explaining Google searches, was that while there was no identifying information on the face of the decision on the Respondent’s website (such information having been redacted), the fact that a Google search of the Applicant's name resulted in a link to the decision meant it could readily be inferred that the decision related to her.

  3. The Respondent submitted that if there is any further breach of the NPO, it is a breach by Google. The Applicant contends, and the Respondent accepted, that there remains a "linking issue" in that a Google search of the Applicant's name produces a link to the Respondent's homepage in a prominent place. The Respondent contended, and I agree, that this is not a breach of the PPIP Act; any continuing link between the Applicant and the Respondent on the Google search engine is not a breach of the NPO. Further, it is a matter over which the Respondent has no further control.

  4. I was informed that the publication is no longer available on the Internet. There is now no link to the publication from the Google search engine, and the publication is not posted on any website controlled by the Respondent, nor, I was informed, to the Respondent's knowledge, any website at all. There is no continuing breach of s.18 PPIP Act by the Respondent after 12 June 2011.

Grounds 6, 7 and 8

  1. Relevant as to remedy.

DECISION

  1. The Respondent breached s.18 PIPP Act in respect of the Applicant and her son, from 17 January 2011 up to and including 12 June 2011.

ORDERS

  1. The Applicant file and serve submissions as to remedy, not exceeding 2000 words, within 14 days.

  2. The Respondent file and serve submissions as to remedy, not exceeding 2000 words, within 14 days after receipt of the Applicant’s submissions as to remedy.

  3. The Privacy Commissioner file and serve submissions as to remedy, if any, within 14 days after receipt of the Respondent’s submissions as to remedy.

  4. Thereafter, the matter is to be listed for directions as to remedy on 18 April 2016 at 9.30am.

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 05 January 2016

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

4

Bailey v Commissioner of Police, NSW Police Force [2023] NSWCATAD 275
Eric Anthony Foster v Department of Planning and Environment [2022] NSWCATAD 235
Efl v Secretary, Department of Education [2020] NSWCATAD 239
Cases Cited

5

Statutory Material Cited

1

KO and KP v Commissioner of Police, New South Wales Police (GD) [2005] NSWADTAP 56
WL v Randwick City Council [2007] NSWADT 12
QN & ors v Commissioner of Fire Brigades [2011] NSWADT 125