AKL v University of Western Sydney

Case

[2013] NSWADT 147

25 June 2013

Administrative Decisions Tribunal


New South Wales

Medium Neutral Citation: AKL v University of Western Sydney [2013] NSWADT 147
Hearing dates:29 November 2012
Decision date: 25 June 2013
Jurisdiction:General Division
Before: S Higgins, Deputy President
Decision:

In accordance with subs 55(2) of the Privacy and Personal Information Protection Act 1998, the Tribunal determines not to take any action on the matter.

Catchwords: Privacy - personal information held by an agency - review of conduct of agency alleged to be a contravention of the use and disclosure information protection principles concerning personal information - alleged unlawful access, use and disclosure of the applicant's personal information by an officer of the agency - whether conduct by the officer of the agency was for a non-agency purpose - whether alleged loss or damage suffered because of the alleged contravention by the agency
Legislation Cited: Administrative Decisions Tribunal Act 1997
Privacy and Personal Information Protection Act 1998
Cases Cited: Department of Education and Training v GA (No.3) [2004] NSWADTAP 50
Department of Education and Training v ZR (No 2) (GD) [2009] NSWADTAP 44
Director-General, Department of Education and Training v MT [2006] NSWCA 270
GR v Director-General, Department of Housing (GD) [2004] NSWADTAP 26
JD v Department of Health (GD) [2005] NSWADTAP 44
KO & KP v Commissioner of Police, New South Wales Police [2005] NSWADT 18
MH v NSW Maritime [2010] NSWADT 248
NW v New South Wales Fire Brigades (No 2) [2006] NSWADT 61
Category:Principal judgment
Parties: AKL (applicant)
University of Western Sydney (respondent)
Representation: AKL (Applicant in person)
Bartier Perry (Respondent)
J McAteer (Deputy Privacy Commissioner)
File Number(s):123191

REASONS FOR DECISION

Introduction

  1. On 12 July 2012, the applicant, AKL, made an application, under subs 55(1) of the Privacy and Personal Information Protection Act 1998 (PPIP Act), seeking review of conduct by the respondent, University of Western Sydney, that he asserts to have been a contravention of an information protection principle under that Act in regard to his personal information. In particular, the applicant sought specific orders, including compensation, pursuant to para 55(2)(a) of the PPIP Act.

  1. For the reasons set out below, I have found that the conduct, the subject of review, did not amount to a contravention, by the respondent, of an information protection principle under the PPIP Act. On this basis I have determined that the appropriate order is not to take any action in this matter.

Background

  1. On 9 April 2012, the applicant, a former student at the respondent, sent an email to Miss Bama, of the respondent, complaining about a staff member having, without his permission, accessed his student record and distributed his grades without his consent. The applicant did not identify the staff member and requested information about the respondent's policies on staff gaining access to student records and the names of all staff who had access to his records in the period January 2010 to December 2012.

  1. The applicant's complaint was referred to Ms Linda Kay Watson, the respondent's Complaints Resolution Manager. On 20 April 2012, Ms Watson sent an email to the applicant stating that she would need further and better particulars in regard to his complaint and asked the applicant to contact her. In her email, Ms Watson also gave the applicant the internet links to the respondent's Disclosure and Use of Student Personal Information Guidelines and Complaint Handling and Resolution Policy. The applicant contacted Ms Watson, who, on the same day, sent an email to the applicant setting out her understanding of what the applicant had said to her that day (i.e. his account of what had occurred and who was involved). Ms Watson asked the applicant to advise her on the accuracy of her record.

  1. On 27 April 2012, the applicant sent, by email, his edited version of the complaint as formulated by Ms Watson. In his email he advised Ms Watson that he would be seeking damages from the respondent for pain and suffering. In regard to the complaint, the applicant did not make any substantive changes other than to correct names and clarify matters. However, he added the following paragraph at then end:

'17. As repeated that, to me this is a serious matter which has and still causes distress by having sleeping problems, chest pains, problems concentrating and recently displaying aggressive behaviour towards a barrister at court while attending a mention before Davie J in the Supreme Court of NSW, which was the day after these allegations came to my attention.'

  1. The essence of the applicant's complaint was the alleged unauthorised access, by an employee of the respondent, Ms B, to his student records and the subsequent disclosure by her of his 'results' (i.e. marks), to her former husband, Mr W, who was also a personal friend of the applicant.

  1. The respondent determined the applicant's internal review application, on 13 June 2012. In making its determination the respondent had received a written explanation from Ms B in regard to the applicant's complaint. In its determination, the respondent noted the following:

  • Ms B's role, as an employee of the respondent, included recruiting students suitable to participate in the respondent's Student Exchange Program,
  • in fulfilling her role, Ms B, was authorised to access the respondent's student record system for those student whose marks were equal to or exceed a nominated grade point average (GPA),
  • the applicant's marks did not fall within this GPA and he was not an applicant to participate in the Student Exchange Program,
  • Ms B, acknowledged that, in approximately August or September 2011, she accessed the applicant's student record,
  • Ms B acknowledged, that in December 2011, she had a discussion with Mr W about the applicant's performance as a student, and
  • Mr W was not spoken to or interviewed as the applicant had indicated that he had refused the internal reviewers request to do so.

  1. The respondent's findings in regard to the alleged breaches of the PPIP Act were as follows:

  • it appeared that Ms B's actions were in breach of the 'Use privacy principle', but her actions were not inconsistent with the 'accepted practice in her particular workplace', and
  • 'While it cannot be absolutely determined, we accept [Ms B's] conduct in discussing your performance as a student with [Mr W] was most likely in breach of the Disclosure principle.'

  1. On the basis of its findings, the respondent determined to take the following action:

  • make a formal apology to the applicant,
  • review the administrative practices of the respondent, 'to the extent they relate to the access and use of student private information', and
  • steps were taken in regard to Ms B's actions.

  1. In his application for external review, the applicant contended that the conduct of Ms B was a breach of the retention and security information protection principle in s 12 of the PPIP Act as well as the Use and Disclosure information protection principles in ss 17 and 18 of that Act. The applicant also identified the following as the orders he was seeking:

1) Damages for economic loss
2) Damages for non-economic loss
3) Damages for aggravated damages
4) Further orders as the Tribunal sees fit.

  1. In his particulars of loss and damage, filed in the course of these proceedings, the applicant sought a number of additional orders, many of which were inappropriate and for which the Tribunal has no jurisdiction to make. I have not drawn any adverse inferences from this as the applicant has been unrepresented throughout these proceedings.

  1. The respondent contended that Ms B's disclosure of the applicant's performance as a student, to Mr W, did not amount to a breach by the respondent of the disclosure information protection principle in s 18 of the PPIP Act. The disclosure, it was argued, fell within the terms of the decision Court of Appeal in Director-General, Department of Education and Training v MT [2006] NSWCA 270 (MT [2006] NSWCA 270) at [45]. That is, Ms B was on a frolic of her own.

The Tribunal's jurisdiction

  1. It is well established that the role of the Tribunal, on an application for review under subs 55(1) of the PPIP Act, is to review the conduct of the agency that was the subject of the applicant's internal review application under s 53: see JD v Department of Health (GD) [2005] NSWADTAP 44 at [114], Department of Education and Training v GA (No.3) [2004] NSWADTAP 50 at [4] to [7], KO & KP v Commissioner of Police, New South Wales Police [2005] NSWADT 18 at [10] and Department of Education and Training v ZR (No 2)(GD) [2009] NSWADTAP 44 at [16] to [19]. In this regard, I note that the Tribunal can only have regard to an information protection principle that is open on the basis of the alleged conduct, the subject of the applicant's internal review application.

  1. Subs 55(2) of the PPIP Act sets out the action the Tribunal can take when reviewing the conduct the subject of the review application. This includes an order for the payment of compensation: see subs 55(2)(a) of the PPIP Act. This provision and other relevant provisions are set out below.

Issues

  1. The issues for determination in this application are as follows:

(a) whether a contravention of the retention and security information protection principle (s 12 of the PPIP Act) is open on the basis of the applicant's internal review application;
(b) whether the conduct of Ms B amount to a contravention, by the respondent, of the relevant information protection principles in the PPIP Act (i.e. a contravention of ss 17 and 18 and s 12 if (a) above is established), and
(c) what action, if any, should the Tribunal take in regard to the matter. As I have explained, the applicant seeks an order for compensation.

The PPIP Act

  1. Subs 20(1) of the PPIP Act provides that the information protection principles in the PPIP Act apply to public sector agencies. There is no dispute that the respondent is a public sector agency for the purpose of the PPIP Act. Subs 20(2) of the PPIP Act set out some exceptions to this. These exceptions are not relevant to this application.

  1. Subs 21(1) provides that a public sector agency must not do anything, or engage in any practice, that contravenes an information protection principle that applies to the agency.

  1. The information protection principles are those set out in Division 1 of Part 2 of the PPIP Act (see ss 8 to 19). These principles deal with how an agency is to collect, retain, provide access, alter, use and disclose personal information. Personal information is defined in subs 4(1) of the PPIP Act to mean:

4 (1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.

  1. There is no dispute that the applicant's academic record held by the respondent in its student record management system, Callista, and in its information management system, TRIM, is personal information about the applicant.

  1. For the purpose of this application, the information protection principles relied on by the parties provide as follows:

12 Retention and security of personal information
A public sector agency that holds personal information must ensure:
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
17 Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

  1. Part 5 of the PPIP Act makes provision for the review of 'certain conduct'. Subs 52(1) describes the 'conduct' the subject of that Part. It includes conduct - 'the contravention of a public sector agency of an information protection principle that applies to the agency': see para 52(1)(a). There is no dispute that the above information protection principles apply to the respondent.

  1. As I have explained, s 53 of the PPIP Act makes provision for a person 'who is aggrieved by the conduct of a public sector agency' to make an application for a review of that conduct. S 55 makes provision for review by the Tribunal. As I have explained, that section also sets out the orders the Tribunal can make on review of conduct. So far as it is relevant s 55 provides:

55 Review of conduct by Tribunal
(1) If a person who has made an application for internal review under section 53 is not satisfied with:
(a) the findings of the review, or
(b) the action taken by the public sector agency in relation to the application,
the person may apply to the Tribunal for a review of the conduct that was the subject of the application under section 53.
(1A) ...
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 5 of the Administrative Decisions Tribunal Act 1997.
(4) The Tribunal may make an order under subsection (2) (a) only if:
(a) ...
(b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.
(4A) ...

  1. Part 8 of the GIPA Act contains the miscellaneous provisions. This includes s 62, which creates an offence of corrupt disclosure and use of personal information by a public sector official. That section provides:

62 Corrupt disclosure and use of personal information by public sector officials
(1) A public sector official must not, otherwise than in connection with the lawful exercise of his or her official functions, intentionally disclose or use any personal information about another person to which the official has or had access in the exercise of his or her official functions.
Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(2) A person must not induce or attempt to induce a public sector official (by way of a bribe or other similar corrupt conduct) to disclose any personal information about another person to which the official has or had access in the exercise of his or her official functions.
Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(3) Subsection (1) does not prohibit a public sector official from disclosing any personal information about another person if the disclosure is made in accordance with the Public Interest Disclosures Act 1994.
(4) In this section, a reference to a public sector official includes a reference to a person who was formerly a public sector official.

The evidence

  1. The respondent tendered into evidence two statements of Ms Watson. The first statement is dated 6 September 2012 and the second statement is dated 20 November 2012.

  1. In her first statement, Ms Watson, gave a brief outline of student personal information collected by the respondent and the controls that are in place in regard to accessing that information. In that statement, Ms Watson also set out the background to the applicant's complaint about Ms B's conduct. Attached to Ms Watson's statement is a copy of the applicant's complaint (including his expanded explanation) and Ms B's response to the complaint.

  1. Attached to Ms Watson's second statement are copies of emails between the respondent and the applicant during July 2010 and August 2011 and the applicant's student record.

  1. The respondent also tendered into evidence pages 55 to 70 of its written submissions, filed and served on 23 November 2012. These were pages produced by a medical centre at which the applicant had received treatment for anxiety and depression. The documents had been produced, pursuant to a summons, issued by the Tribunal at the request of the respondent.

  1. The applicant relied on his affidavit, sworn on 14 September 2012 and the particulars for loss and damage he filed and served on 17 October 2012. The applicant also gave oral evidence at the hearing and was cross-examined by the respondent's legal representative.

  1. Both parties provided written submissions. I have dealt with these and the evidence below, to the extent they are relevant to the matters in issue.

Is a contravention of s 12 open?

  1. Neither party addressed this issue in their submissions. However, on the basis of the terms of the applicant's original complaint and the subsequent more detailed complaint, in my view a contravention of the retention and security information protection principle in s 12 of the PPIP Act was clearly open.

  1. Although the applicant did not specify any particular information protection principle in his complaint, the complaint was clearly about conduct involving unauthorised access, use and disclosure of his personal information held by the respondent.

  1. As explained by the Court of Appeal in MT [2006] NSWCA 270 at [41], the most relevant obligation with respect to unauthorised use of personal information held by an ageny is that imposed by para 12(c) of the PPIP Act, as it requires an agency to take steps to ensure that the information is protected against unauthorised access. In my view, the essence of the applicant's complaint falls within these observations of the Court.

  1. Accordingly, I find that the principle in para 12(c) of the PPIP Act is relevant to the conduct in issue in this application.

Is the conduct the subject of review a contravention, by the respondent, of ss 12, 17 or 18 of the PPIP Act?

  1. The conduct - In her written account of events, Ms B said she had accessed the applicant's student record, in August/September 2011, as she had seriously considered whether he could participate in the respondent's Student Exchange Program and in this regard she said:

'...[I] recall accessing [AKL's] academic record to check on his eligibility for exchange in or around August/September 2011 to see if he could be targeted as I had delegated approval to endorse any applicant whose GPA exceeded 4.0 and who had achieved 40cps of successfully completed study. The guidelines for this criteria and approval were developed by former Vice-Chancellor, John Ingleson in or around 2010.
I am required to check on student's enrolment records each and every day for the purpose of:
- Checking their eligibility for exchange;
- Sourcing/targeting student(s)/groups of students for exchange
- Responding to enquiries for exchange.
...'

  1. Ms B went on to say she did not 'recall any detailed extent the information' she saw, but she 'vaguely recall[ed] that he [AKL] had achieved completion of 2 units (I think) and cannot recall what his GPA was.' She went on to say:

'... [My] thoughts were that at this time he wasn't eligible but he mentioned to me that he was trying to appeal some results, so this still left the possibility open to going in the short term. It wasn't unusual for me to source prospects for exchange. There have been multitude of staff and students at UWS who I have approached in an effort to recruit candidates for exchange. The time frame for recruitment is always 6-9 months in advance and in any given semester, UWS International waits for results to be released before finalising nominations. So I considered that by the end of 2011, [AKL] might be in a position to formally apply for exchange studies abroad. '

  1. I note from the student record of the applicant, which was attached to the statement of Ms Watson, that the applicant had completed 8 Units in 2010 and in 2011 he repeated a number of these Units as he had failed these in 2010. Which of these had been entered into the applicant's student record at the time Ms B said she accessed the applicant's student record is not clear.

  1. In her account of events, Ms B said that in early December 2011, during a discussion with her former husband, Mr W, she 'divulged' to him that the applicant 'had only just that day expressed to [her] that he hadn't performed very well in some subjects and that this surprised [her] because he appeared so confident in earlier discussions.' That is, Ms B stated that she had spoken to the applicant that day and he, not her, raised the issue about his results. In the course of these proceedings, the applicant did not dispute this aspect of Ms B's account. That is, he did not dispute that he had spoken to her about his performance at university at that time.

  1. In his account of events, as recorded in his 27 April 2012 edited version of events, the applicant said:

5. I recently saw [Mr W] and he told me that [Ms B] had told him that I had failed some units.
6. ...
7. I was told by [Mr W] that he was told by [Ms B] she had accessed my student record, ...
...
10. The next piece of relevant information is that [Ms B] later went on a holiday with her daughters ... During the holiday in a telephone conversation with her father [Mr W], [child 2] asked her father why he had told me that her mother had accessed my records. [Mr W] told me of the conversation between [child 2] and himself ....
11. If [Ms B] had admitted she accessed my record at the time I approached her, I would most likely, if I was persuaded in believing she had done wrong and showed remorse, I would have left it at that. ...

  1. In his affidavit, sworn more than 4 months after his complaint was made, the applicant gave the first detailed explanation of when Mr W had spoken to him and what Mr W had said. He said the conversation occurred on the evening of 3 April 2012, when he was at Mr W's home. The applicant asserts, while he was at Mr W's home, Mr W said to him words to the effect:

'"[Ms B] told me you failed some units"'.
'"[Ms B] said, she accessed your records and got your grades."'

  1. In his affidavit, the applicant also said that on the following morning he sent an SMS message to Ms B in which he said:

'"Hi [Ms B], it has come to my attention that you have accessed my records from uni and disclosed that information to [Mr W]. I'm giving you u till 8am to reply to this message explain your actions. ..."'

  1. In her account of events, Ms B said that she had received a text message from the applicant on the morning of 4 April, in which he said:

'"It has come to my attention that you have accessed my academic record and discussed it with [Mr W]. You have until 8.00am to respond or else I will be reporting you."'

  1. Ms B said she responded immediately by saying '"... It was you who advised me that you failed some subjects, and I offered you my notes.'" The applicant's account, as stated in his affidavit is consistent with this. His account is more detailed, however, I have preferred the account of Ms B as this was made not long after the applicant's complaint was made and the applicant's affidavit account post-dates Ms B's account. Indeed a copy of that account was attached to the first statement of Ms Watson, which was filed and served shortly before the applicant swore his affidavit.

  1. In her account of events, Ms B said that she had ceased all communications with her former husband in January 2012. She also explained that on 4 April 2012, she and her daughters were flying overseas for a holiday. It was also the day after the Child Support Agency had ruled in her favour in regard to an ongoing support dispute between herself and Mr W. Ms B was adamant that she had not accessed the applicant's student records and discussed these with Mr W as asserted by the applicant. She said she knew this would be contrary to the respondent's policies. She also reiterated her discussions with the applicant at Christmas 2011. Ms B suggested that Mr W, being dissatisfied with the ruling of the Child Support Agency, had decided to use the applicant as a vehicle to get back at her. Ms B also suggested that a statement be obtained from Mr W to ascertain what he had in fact said to the applicant.

  1. The applicant did not seek to call or cross-examine Ms B. Nor did he challenge many aspects of her account of events. Accordingly, I make the following findings, to the extent it is relevant to this application, concerning the conduct of Ms B:

  • Ms B, in her capacity as an officer of the respondent, accessed the applicant's student information, held by the respondent, in August/September 2011,
  • Ms B accessed and used the applicant's student information for the purpose of ascertaining whether he would be suitable for the respondents Student Exchange Program,
  • In October 2011, Ms B offered to provide the applicant with her student notes in order to assist him in his studies. The applicant refused this offer, and
  • In December 2011 (Christmas), Ms B and the applicant had a discussion about his student results. During those discussions the applicant advised Ms B that he had performed poorly. Later that day Ms B informed Mr W about what the applicant had said to her that day.

  1. I also find that Mr W spoke to the applicant, on 3 April 2013, about his student grades and as a result of that conversation the applicant made his complaint to the respondent. I also accept the applicant's evidence that on this day, Mr W said something to him about his university grades which the applicant understood to be that Ms B had accessed his student records and told Mr W that he had failed some units. However, in light of Ms B's denials and in the absence of any evidence from Mr W, it is not possible to make a conclusive finding that Ms B had in fact told Mr W what is asserted, let alone a finding that she had done what was asserted.

Was the conduct a contravention of s 12 (i.e. unauthorised access)?

  1. The question is whether, in Ms B's access to the applicant's student record in August/September 2011 was unauthorised and the respondent had failed to ensure that the information to which she sought access was protected against such unauthorised access or use: see para s 12(c) of the PPIP Act.

  1. In this regard I note the respondent's Guidelines on the Disclosure and Use of Student Personal Information (Guidelines) sets out why student information is collected; who can access the information and for what purpose the information can be used or disclosed. In regard to why information of this kind is collected, I note the Guidelines state that it is collected 'to enable the provision of educational and associated welfare services to the student and for associated administration of the University'.

  1. On the basis of my findings, Ms B's access to the applicant's student records in August/September 2011 was an access undertaken in the course of her role of sourcing students suitable for the respondent's Student Exchange Program. To fulfil that role Ms B was authorised to access student information, including that of the applicant, on the respondent's student record management system, Callista, and in its information management system, TRIM. While the applicant has stated that he personally had not authorised Ms B to access his student information, it is clear from the terms of the Guidelines and the information in the internal review that Ms B, in her role as an officer of the respondent, had the authority to access information of this kind.

  1. Accordingly, I find that Ms B's conduct in accessing the applicant's student information was an authorised access. However, the issue remains as to whether the steps taken by the respondent in protecting the personal information of students, it holds, is reasonable in the circumstances. In this regard I note the applicant did not suggest that the Guidelines or the respondent's processes are inadequate and failed to meet the requirements of para 12(c) of the PPIP Act. I also note the respondent's undertaking to nevertheless review its processes in this regard.

Was the conduct a contravention of s 17 (i.e. information was not used for the purpose for which it was collected, or a purpose directly related thereto)?

  1. I make a similar finding in regard to Ms B's use of the applicant's student information, as the information was used for a purpose for which the student information is collected and retained by the respondent (i.e. educational services to the student). If not, it is clearly a use for a purpose directly related to the purpose for which the information was collected. Again, on the evidence, the use occurred in or around August/September 2011. The use was for the purpose of ascertaining whether the applicant had sufficient grades to be considered for the respondent's Student Exchange Program. This was part of Ms B's role as an officer of the respondent and I note that the applicant did not dispute that Ms B had suggested to him that he might be eligible for that Program, but at no time had he applied for it.

  1. Accordingly, I find that Ms B's conduct in using the applicant's student information, in August/September 2011, was not a contravention of the use information protection principle in s 17 of the PPIP Act.

Was the conduct a contravention of s 18 (i.e. an unlawful disclosure)?

  1. As indicated above, my findings are that, in December 2011, Ms B had a discussion with Mr W about the applicant's performance as a student. That discussion having gone no further than what she had been told by the applicant that day. This is not conduct falling within the terms of s 18 of the PPIP Act.

  1. As I have explained above, in light of Ms B's account of events and the lack of evidence from Mr W, no conclusive finding can be made that Ms B did in fact access the applicant's student information and disclose this and the applicant's marks to Mr W. Even if such a finding were to be made, I agree with the respondent that Ms B's conduct would not be conduct for which the respondent was responsible under s 18 of the PPIP Act. That is, I disagree with the argument of the applicant, that in such circumstances, the respondent would be vicariously liable for the conduct of Ms B.

  1. As pointed out by the respondent, this was an issue addressed by the Court of Appeal in MT [2006] NSWCA 270. In that case the issue before the Court of Appeal was whether the disclosure by MT's soccer coach, X, of her personal information, held by the respondent school, amounted to a contravention by the respondent of the use and disclosure information protection principles in ss 17 and 18 of the PPIP Act. MT was a student at the respondent school and X was a teacher at the school. However, the soccer team was not an activity organised by the respondent school or one in which it had any role. Having concerns about MT's ability to play in the grand final, X accessed MT's student records, which contained information about MT's medical condition. Every teacher at the respondent school was authorised to access the student records held by the respondent school. Subsequently, X used this information about MT for the purpose of deciding whether she was fit to play soccer. In doing so, X disclosed the information to the president of the soccer club. The Court of Appeal (per Spigleman CJ with IPP JA and Hunt AJA agreeing) found that the use and disclosure, by X, of MT's personal information did not amount to a contrvention by the respondent school as the conduct of X was for a non-agency purpose. In this regard it is useful to set out the Court's reasoning in this regard:

41 The legislative scheme is concerned with the conduct of public sector agencies acting for their public purposes. The most relevant obligation with respect to unauthorised use of information held by an agency, of a character which has occurred in the present case namely use or disclosure for a non-agency purpose, is that imposed by s12(c), set out above, requiring the agency to take steps to "ensure ... that the information is protected ... against ... unauthorised access, use ... or disclosure".
42 Furthermore, the legislative scheme makes separate and distinct provision in s62(1) for employees who disclose or use personal information for a purpose outside the scope of their official functions.
"62(1) A public sector official must not, otherwise than in connection with the lawful exercise of his or her official functions, intentionally disclose or use any personal information about another person to which the official has or had access in the exercise of his or her official functions."
43 The interaction of s12(c) and s62 (1) is such that, in my opinion, it leaves no scope for the extension of each reference to conduct of the public sector agency to encompass any conduct by an employee or agent, irrespective of whether it is within the scope of his or her functions as such. Where, as here, the "use" or "disclosure" of information was for a purpose extraneous to any purpose of the Department, it should not be characterised as "use" or "disclosure" by the Department or conduct of the Department. It is not appropriate to adopt a rule of attribution that extends so far.
44 There is a tension between s12(c ) and the interpretation adopted by the Appeal Panel and urged on this Court by the Respondent. The express regulation of "unauthorised use or disclosure" is qualified by the condition that the "safeguards" must only be "reasonable". This Court should be slow to interpret a statutory obligation expressed in general terms with the effect that it overlaps with another obligation which is expressed in conditional terms. There are numerous cases which apply the expressum facit cessare tacitum principle of statutory
45 Of course Parliament may have intended that statutory obligations should overlap. In the Act under consideration, however, the focus of Parliamentary attention is upon a public agency acting in that capacity for public purposes. Where the agency has satisfied its obligation under s12, it was not, in my opinion, Parliament's intention to expose every such agency to a form of absolute liability for the unauthorised private conduct of its employees or agents.
46 Nothing in the text or the scope and purpose of the legislative scheme suggests that Parliament intended to impose absolute regulatory liability. Indeed, s12(c) itself imposes an obligation only to adopt such "safeguards as are reasonable in the circumstances".
47 In a case such as the present, where there is a breach of s12 by the agency of a kind which permitted unauthorised use or disclosure, I can see no purpose of the Act which will be served by imposing additional liability upon an agency under any of ss16, 17 or 18. Ms Pritchard submitted that there was a limitation upon liability under ss16, 18 and 19 for conduct in which an employee acts in an unauthorised way. That limitation was to be found in s12(c). She submitted that a contravention of s12(c) was a gateway to the other sections. I would reject this submission.
48 It could be said that, in terms of causation, such a breach is one step further removed than the actual disclosure or use which results in loss or damage, for which compensation may be recovered under s55(2)(a). Perhaps there will be circumstances - although they are difficult to envisage - in which this additional step may mean that compensation is not recoverable. However, there is no warrant to adopt an inappropriate rule of attribution in order to overcome such a contingency.
49 ...
50 ...
51 The obverse to this case is one where an employee has impermissibly used information held by an agency, but where the agency has not contravened s12. Where an agency has 'ensured' that its information is "protected" by implementing 'reasonable security safeguards', I can see no purpose of the scheme that is served by imposing liability on the agency. It has done all the Act requires of it. The sanction is, in such circumstances, appropriately directed to the employee, i.e. s62(1).

Should the Tribunal make orders under subs 55(2)?

  1. On the basis of my findings and the actions taken by the respondent to date, the appropriate order is for the Tribunal to decide not to take any action. However, in light of the applicant's evidence and submissions in regard to loss and damage I would make the following comments.

  1. As I have pointed out above, para 55(2)(a) of the PPIP Act, provides that an order for compensation can only be made for loss or damage suffered by the applicant as a result of the conduct of the respondent agency the subject of the review application (my emphasis): see MH v NSW Maritime [2010] NSWADT 248 at [220]. Para 55(4)(b) of the PPIP Act emphasise that the loss or damage must arise because of the conduct of the respondent agency and that loss can be in the form of financial loss, psychological loss or physical harm.

  1. As pointed out by the respondent, the orders in para 55(2) of the PPIP Act are discretionary, including the order for compensation: see NW v New South Wales Fire Brigades (No 2) [2006] NSWADT 61 at [23] to [24]. That is, even where the applicant can establish loss or damage as a result of the conduct of an agency, this does not automatically mean that the Tribunal must make an order for the award of compensation.

  1. The onus in establishing that loss is on the applicant: see GR v Director-General, Department of Housing (GD) [2004] NSWADTAP 26 at [38]. And the respondent must be given an opportunity to test any evidence on which the applicant relies.

  1. In his particulars of loss the applicant sought the following orders in regard to loss:

(a) $7,500 for non-economic loss
(b) $33,000 for economic loss
(c) $5,000 for aggravated damages

  1. In regard to non-economic loss, the applicant relied on the report of Andrew R McKinley, psychologist, dated 15 August 2012.

  1. In my view, very little weight can be placed on the report of Andrew McKinley. His report is an account of how the applicant presented himself, on1 May 2012, when he first saw the applicant and what treatment he has given the applicant since that time. Furthermore, Andrew McKinley's assessment of the applicant and the treatment appears to be solely based on a history presented to him by the applicant. That history, in my view, is subjective and inadequate in a number of respects. In this regard I note, the applicant's initial visit to Andrew McKinley was 4 days after he had sent his email to Ms Watson stating that he would be making a claim for damages for pain and suffering. The history provided by the applicant fails to explain other important events in his life since 2010. These events include Supreme Court Proceedings, in which he was a party and which the applicant has acknowledged greatly affected his studies and life more generally during 2010 and 2011. These proceedings, I note, were ongoing as at the time he made his complaint to the respondent. Yet he refused to provide any information about these proceedings, the effect they had on him and whether that was ongoing at the time of Ms B's alleged disclosure. The information was clearly relevant and through his adamant refusal to provide the necessary information, I can only assume that the information would not support his claim or the extent of his claim.

  1. I am also unable to place much weight on the letter of termination he received from his employer in May 2012. The letter notes that the applicant had indicated to his employer that his unacceptable behaviour was due being upset and angry from a recent incident at respondent university. In my view, again, this is no more than a self serving statement by the applicant.

  1. Perhaps, what is the most telling aspect to the applicant's claim for non-economic loss is his failure to raise this as an issue in his original complaint.

  1. In regard to his alleged economic loss, the applicant asserted that since his termination, in May 2012, he has not been able to obtain employment due to 'stresses, depression, sleeping problems and anger management'. However, he did not provide any evidence to support this assertion.

  1. In regard to his claim for aggravated damages, the applicant alleges that Ms B intentionally disclosed his university grades for her own satisfaction. As I have indicated, that disclosure, if proven as asserted by the applicant, was not a disclosure for which the respondent had any responsibility. Nor is there any material before the Tribunal to support this assertion of the applicant as to Ms B's intentions.

  1. Accordingly, even if I had found that the conduct the subject of the applicant's review application was a contravention, by the respondent, of an information protection principle, in my view, the applicant failed to provide sufficient evidence to support his claim for an order for compensation.

Conclusions and orders

  1. For the reasons set out above, I have found that the conduct the subject of review, does not amount to a contravention by the respondent of the information protection principles in ss 12, 17 or 18 of the PPIP Act.

  1. Accordingly, the appropriate order is that the Tribunal has decided not to take any action in this matter.

**********

Decision last updated: 25 June 2013

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

5

DMR v Lane Cove Council [2024] NSWCATAD 193
Ehg v Commissioner of Police [2021] NSWCATAD 54
Jackson v The University of New South Wales (No 2) [2018] NSWCATAD 271
Cases Cited

8

Statutory Material Cited

2

Director General, Department of Education and Training v MT [2006] NSWCA 270
JD v Department of Health (GD) [2005] NSWADTAP 44
Department of Education and Training v GA (No 3) [2004] NSWADTAP 50