BKM v Sydney Local Health District

Case

[2015] NSWCATAD 87

29 April 2015


Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: BKM v Sydney Local Health District [2015] NSWCATAD 87
Hearing dates: On the Papers
Decision date: 29 April 2015
Jurisdiction: Administrative and Equal Opportunity Division
Before: J McAteer, Senior Member
Decision:

(1) The strike out application of the Respondent is dismissed.
(2) The Applicant is to advise the Divisional Registrar in writing within 21 days of receipt of these reasons whether he wishes to proceed with his application.
(3) Subject to the applicant’s decision at order (2) the matter will be either listed for a Planning Meeting or listed for dismissal.

Catchwords: Administrative Review – Privacy jurisdiction of Tribunal – powers of Tribunal upon review – nature of review – review of conduct – power of Tribunal to make orders to address systemic issues.
Legislation Cited: Administrative Decisions Review Act 1997
Civil and Administrative Legislation (Repeal and Amendment) Bill 2013
Civil and Administrative Tribunal Amendment Bill 2013
Civil and Administrative Tribunal Act 2013
Government Information (Public Access) Act 2009
Health Records (Information Privacy) Act 2002
Privacy and Personal Information Protection Act 1998
Cases Cited: Department of Education & Training v GA (No. 3) [2004] NSWADTAP 50
Vice-Chancellor Macquarie University v FM (No 2) [2004] NSWADTAP
MH v NSW Maritime [2011] NSWADT 248
GA v Commissioner of Police, NSW Police [2004] NSWADT 254
Category: Principal judgment
Parties: BKM (Applicant)
Sydney Local Health District (Respondent)
Representation: Counsel:
M Hutchings (Respondent)
Solicitors:
BKM (Applicant in person)
Curwoods Legal Services P/L (Respondent)
File Number(s): 1410388
Publication restriction: Publication restrictions apply under s 65 of Civil and Administrative Tribunal Act 2013 (NSW)

Reasons for decision

  1. The applicant in these proceedings is referred to as “BKM”. BKM is the applicant’s pseudonym used in these proceedings.

  2. This is an application for a review of the conduct of the Respondent Public Sector Agency, which was subject to an Internal Review application under Part 5 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act).

  3. The subject conduct involved an alleged breach of Information Protection Principles (I.P.P.’s) under the PPIP Act, and Health Privacy Principles (H.P.P.’s) under the Health Records and Information Privacy Act 2002 (the HRIP Act).

  4. As the conduct involved an alleged breach of the privacy provisions in respect of health information under the HRIP Act, the review of the conduct under section 21 of the HRIP Act is dealt with under the provisions of the PPIP Act as outlined above.

  5. Both the PPIP Act and HRIP Act have provisions for a person who is aggrieved by the public sector agency's management of their personal or health information, to request that the matter be reviewed by the Agency.

  6. Section 21 of the HRIP Act provides:

21 Complaints against public sector agencies

(1) The following conduct by a public sector agency is conduct to which Part 5 (Review of certain conduct) of the PPIP Act applies:

(a) the contravention of a Health Privacy Principle that applies to the agency,

(b) the contravention of a health privacy code of practice that applies to the agency.

(2) For that purpose, a reference in that Part:

(a) to personal information is taken to include health information, and

(b) to an information protection principle is taken to include a Health Privacy Principle, and

(c) to a privacy code of practice is taken to include a health privacy code of practice.

(3) This section applies only to conduct engaged in after the commencement of this section.

Background

  1. BKM was subject to treatment at Royal Prince Alfred Hospital (RPAH) in 2012. RPAH is part of the Sydney Local Health District (SLHD) which is the respondent in these proceedings. Arising from that admission to RPAH, the allegations concern unauthorised or unlawful access of health and personal information of the applicant whereby staff at RPAH allegedly gained access to the applicant’s records at Concord Repatriation General Hospital (CRGH). The allegations concern unauthorised access, use and disclosure of the applicant’s personal and health information. In addition the applicant alleged that there were breaches with the security (or safe keeping) of his personal and health information arising from the other alleged breaches.

  2. The applicant sought an internal review under section 53 of the PPIP Act on 29 July 2013. The review concerned allegations of conduct by the respondent agency which occurred during 2012 after BKM’s discharge from RPAH in April 2012 and his admission to CRGH. BKM alleges that his personal and health information in his electronic medical record (eMR) was accessed by staff attached to RPAH following his discharge to CRGH. Specifically this occurred at various times during 2012 from mid-April onwards.

  3. It appears that in the intervening period between the allegations and the lodgement of the internal review, the applicant had sought redress directly with the SLHD by way of a complaint concerning his treatment and other clinical matters. That complaint was also made to the Health Care Complaints Commission (HCCC) and as I understand it relates to conduct pre-dating the privacy complaints. Suffice to say that the applicant’s complaint issues were being managed by the respondent during late 2012 and the first half of 2013. It is open to conclude however that those issues were not being managed appropriately in BKM’s view as he wrote a detailed letter to the SLHD on 14 July 2013, followed by his privacy internal review on 29 July 2013.

  4. On 26 November 2013 the respondent provided their finalised Internal Review report of BKM’s privacy complaint. As the (external) review to the Tribunal was lodged on 22 July 2014, the application was filed approximately seven months after receipt of the review. Section 55 of the PPIP Act provides that an application to the Tribunal. The applicant provided detailed reasons for the delay in lodging his review to the Tribunal. Those reasons include:

I immediately requested clarification from the SLHD re aspects of the IR report but they did not respond in a timely fashion ie several months delay. I also submitted a GIPA request for information that I considered should have been included; this was received in June 2014. More importantly, I think the matters raised in my application are clearly in the public interest because they concern the security of everyone’s personal health information within the eMR (electronic medical record) system. Also, given my personal circumstances as the recovering victim of a savage, random assault, I was not able to manage my affairs as efficiently as I might otherwise have done, during this very demanding period.

  1. BKM advises that in the interim he sought information (relating to his complaint) from the SLHD by way of a freedom of information application under the Government Information (Public Access) Act 2009 (the GIPA Act).

  2. It is clear from the background that the SLHD was in some manner dealing with two separate issues from BKM, being his ‘health complaint’ concerning the management and application of treatment as a patient, and his privacy complaint concerning alleged breaches of the IPP’s and HPP’s.

Proceedings before the Tribunal

  1. The matter was listed for a number of planning meetings before a Member of the Tribunal. The matter first came before a Member of the Tribunal on 16 September 2014. The applicant was self-represented and the respondent was represented by Counsel. The matter was adjourned for a further planning meeting on 26 November 2014.

  2. At the further meeting on 26 November 2014 the following directions were made by consent. The applicant to file and serve any evidence or submission as to what are the deficiencies in the respondent’s proposals (arising from the findings of the internal review as detailed in their letter of 24 November 2014) by 12 January 2015. The respondent to file and serve any evidence and submissions by 10 February 2015. The applicant to file and serve any reply by 24 February 2015. Matter adjourned for a further planning meeting on 3 March 2015. The Member noted that the respondent foreshadowed an application to dismiss the proceedings.

  3. On 3 March 2015 the following orders / directions were made: The respondent will file application to dismiss the proceedings by 11 March 2015. The applicant is to respond by written submissions filed and served by 18 March 2015. The Member then noted the file with: Notional hearing date on the papers of 15 April 2015. I infer this last note to mean that 15 April 2015 is the reserved date, and the matter will be determined on the papers. It is clear that the Member had not commenced to determine any of the issues for hearing, other than to note that a preliminary application was sought by the respondent.

  4. The matter has been referred to me to determine. As a Senior Member in the Administrative and Equal Opportunity Division of the Tribunal, I have been directed by the President of the Tribunal to hear the matter.

  5. The timetable referred to in the planning meetings was adhered to by the parties. The following material is therefore before the Tribunal for consideration:

  • Application for Administrative review filed 22 July 2014 by the applicant. (Annexing as Appendix 1: Internal Review Report and covering letter dated 26 November 2013, Internal Review Application form dated 29 July 2013, copy of complaint letter by applicant dated 14 July 2013 with significant redactions. Appendix 2: SLHD Policy Directive re: eMR Security and User Access. Appendix 3: SLHD & SWSLHD eMR – User Access Request Form, Appendix 4: Section 11, NSW Health Privacy Manual version 2, 2005.)

  • Written submissions dated 3 November 2014 filed 6 November 2014 by the applicant.

  • Correspondence dated 24 November 2014 (and annexures) filed 25 November 2014 by the respondent.

  • Written submissions dated 10 January 2015 and filed 12 January 2015 by the applicant.

  • Correspondence and submissions dated 10 February 2015 and filed 10 February 2015 by the respondent.

  • Written submissions dated 23 February 2015 and filed 24 February 2015 by the applicant.

  • Respondent’s Outline of Submissions prepared by Counsel on 10 March 2015 and filed 13 March 2015 by the respondent.

  • Final written submissions dated 17 March 2015 and filed 18 March 2015 by the Applicant.

(Emphasis added)

The relevant legislation

  1. Section 53 (6) of the PPIP Act provides guidance on the appropriate timeframes for conducting an Internal Review. Whilst the PPIP Act does not specify a strict time, it uses the words that 'the review must be completed as soon as is reasonably practical'. In addition it provides that if the review is not completed within 60 days, the applicant / complainant may apply to the Tribunal for a review of the conduct concerned.

  2. It is clear that the respondent took longer than the 60 days to complete the initial internal review, and whilst this fact has been referred to in the applicant’s submissions, the timeframe provides guidance rather than anything of a mandatory nature when considering the wording of the PPIP Act. Section 53 (6) states that:

(6) The review must be completed as soon as is reasonably practicable in the circumstances. However, if the review is not completed within 60 days from the day on which the application was received, the applicant is entitled to make an application under section 55 to the Tribunal for an administrative review of the conduct concerned.

  1. The period of 60 days is in effect an appeal or external review ‘trigger’, rather than ‘the legally allowed 60 calendar days to conduct it’, as submitted by the applicant in his 23 February 2015 submissions.

  2. The crucial aspect of any request for a review of conduct is determining what if any conduct occurred, whether that conduct involves personal information or health information as defined in the PPIP Act or HRIP Act, and whether such conduct constitutes (in the first instance) a breach of an Information Privacy Principle (IPP) or Health Privacy Principle (HPP). Finally the reviewer must determine whether there was a relevant exemption in place (either in the legislation or subordinate legislation) which permitted the use of the information in the manner alleged.

  3. The Tribunal's function in conducting a review under the PPIP Act is to review the conduct falling within the scope of the complaint, as fairly construed, in order to identify whether there has been a breach of an Information Protection Principle, a Health Privacy Principle or of a Privacy Code of Practice: see s 52(1) (a) and (b) of the PPIP Act. These criteria are also set out in Department of Education & Training v GA (No. 3) [2004] NSWADTAP 50. It is not to review the internal review decision or the process whereby the internal review decision was made.

  4. The scope of the alleged conduct is in dispute between the parties. However, the respondent concedes following the review that there has been a breach of HPP 5 concerning the retention and security of the applicant’s health information. HPP 5 provides:

5 Retention and security

(1) An organisation that holds health information must ensure that:

(a) the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

(b) the information is disposed of securely and in accordance with any requirements for the retention and disposal of health information, and

(c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

(d) if it is necessary for the information to be given to a person in connection with the provision of a service to the organisation, everything reasonably within the power of the organisation is done to prevent unauthorised use or disclosure of the information.

Note. Division 2 (Retention of health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.

(2) An organisation is not required to comply with a requirement of this clause if:

(a) the organisation is lawfully authorised or required not to comply with it, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

(3) An investigative agency is not required to comply with subclause (1) (a).

  1. This finding by the respondent related to a finding of fact that there were at least two instances when staff at RPAH had left the eMR system unattended whilst still logged on. The finding related to the fact that there were two unexplained accesses of the applicant’s eMR following an audit initiated in response to his complaints. However in respect of the other allegations of breaches of the IPP’s and HPP’s, there was no positive finding.

  2. The applicant contends that his privacy was breached as there was unlawful access, use and disclosure of his health information. The applicant submitted that the access issue related to HPP 5 re: a system which facilitated unlawful access due in part to the practices in the relevant workplace(s). (Lack of security / systems in place etc).

  3. HPPs 10 and 11 provide (relevant to this review) the following:

10 Limits on use of health information

(1) An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:

(a) Consent

the individual to whom the information relates has consented to the use of the information for that secondary purpose, or

(b) Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or

Note. For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

………………….

(h) Suspected unlawful activity, unsatisfactory professional conduct or breach of discipline

the organisation:

(i) has reasonable grounds to suspect that:

(A) unlawful activity has been or may be engaged in, or

(B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW), or

(C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and

(ii) uses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or

……………………….

(5) The exemption provided by subclause (1) (j) extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.

11 Limits on disclosure of health information

(1) An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:

(a) Consent

the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or

(b) Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or

Note. For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

…………………….

(i) Suspected unlawful activity, unsatisfactory professional conduct or breach of discipline

the organisation:

(i) has reasonable grounds to suspect that:

(A) unlawful activity has been or may be engaged in, or

(B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW), or

(C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and

(ii) discloses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or

…………………………

(6) The exemptions provided by subclauses (1) (k) and (2) extend to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.

  1. The alleged conduct is outlined at paragraphs 7-8 above. This conduct would encompass a number of Health Privacy Principles (HPP's), specifically in the area of security, use and disclosure.

  2. It is important to note that the HPP's provide for use of health information for the primary purpose, and not for a secondary purpose, unless the specific secondary context as set out in the relevant HPP's are met.

The threshold application before the Tribunal

  1. As can be gleaned from paragraphs 13 – 17 above (inclusive), the current status of the application is not entirely clear from the material. However I take the reference to the strike out application, and that the timetable set at the 3 March 2015 Planning Meeting appears to relate to that application, and noting the notional reserved date, the application before me relates to the ‘Strike Out’ application. Notwithstanding this, and the nature of planning meetings, on the basis of the material filed, in my view the following matters are also clear:

  1. The applicant has filed a review to the Tribunal for a review of conduct, and has indicated in informal submissions what action he would like the respondent to take (either by consent or at the direction of the Tribunal).

  2. The respondent conceded that HPP 5 has been breached and submits that whilst it requires various remedial actions in order to mitigate future breaches, it does not intend to accede to further requests of the applicant both in respect of individual action and systemic action. In addition, the respondent submits that the Tribunal is significantly limited in its jurisdiction and powers to entertain the applicant’s request even if it reached a position where such recommendations might be deemed appropriate on a review of the evidence and findings.

  1. In essence, on my reading of the material, the respondent submitted that based on the sole finding and recommendations arising from the internal review, there is nothing more that the applicant can achieve before the Tribunal. It is on this basis that the ‘strike out’ application is brought. At paragraph 2 of the respondent’s submissions a strike out / summary dismissal application is sought.

  2. However, in reply at the applicant’s final paragraph of his last submissions, he states:

I have spent an awful lot of time and effort on an issue I considered important and in the public interest. While I acknowledge the respondent’s efforts to make some changes, they are not focused on hospital staff and core behavioural issue. In the meantime (… sensitive personal factors of the applicant…. ) and I need to direct my energy elsewhere. Hence I do not object to these proceedings being terminated.

  1. Based on the parties’ submissions, and the prior notations concerning the strike out application, I propose to decide what I will term a threshold issue, having regard to the parties’ material and submissions filed at paragraph 17 above. This will necessitate an examination of the Tribunal’s functions and powers under section 55 of the PPIP Act.

The Tribunal’s powers under the PPIP Act

  1. Section 55 of the PPIP Act provides the following:

55 Administrative review of conduct by Tribunal

(1) If a person who has made an application for internal review under section 53 is not satisfied with:

(a) the findings of the review, or

(b) the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.

(1A) A person (the applicant) who is aggrieved by the conduct of a Minister (or a Minister’s personal staff) constituting a contravention of section 15 (Alteration of personal information) may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct.

(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:

(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c) an order requiring the performance of an information protection principle or a privacy code of practice,

(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f) an order requiring the public sector agency not to disclose personal information contained in a public register,

(g) such ancillary orders as the Tribunal thinks appropriate.

(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.

(4) The Tribunal may make an order under subsection (2) (a) only if:

(a) the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and

(b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.

(4A) The Tribunal may not make an order under subsection (2) (a) if:

(a) the applicant is a convicted inmate or former convicted inmate or a spouse, partner (whether of the same or the opposite sex), relative, friend or an associate of a convicted inmate or former convicted inmate, and

(b) the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and

(c) the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.

(5) If, in the course of an administrative review, the Tribunal is of the opinion that the chief executive officer or an employee of the public sector agency concerned has failed to exercise in good faith a function conferred or imposed on the officer or employee by or under this Act (including by or under a privacy code of practice), the Tribunal may take such measures as it considers appropriate to bring the matter to the attention of the responsible Minister (if any) for the public sector agency.

(6) The Privacy Commissioner is to be notified by the Tribunal of any application for an administrative review. The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to an administrative review.

(7) The Information Commissioner is to be notified by the Tribunal of any application for a review under this section that concerns the provision of government information by an agency (within the meaning of the Government Information (Public Access) Act 2009). The Information Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to such a review.

(emphasis added)

  1. I note that the section was amended to include the term ‘administrative’ in connection with the review jurisdiction of the Tribunal (as highlighted above), upon the abolition of the former Administrative Decisions Tribunal and the creation of the NSW Civil and Administrative Tribunal on 1 January 2014 by the passage of the Civil and Administrative Tribunal Amendment Bill 2013 and the Civil and Administrative Legislation (Repeal and Amendment) Bill 2013.

  2. However I note that all other provisions and words of the section (s 55 PPIP Act), remain the same and that the role of the Tribunal is to administratively review the conduct (not the decision) of the agency in the same manner as the former Tribunal.

  3. In my view, these minor amendments to section 55 of the PPIP Act have a sole consequence. The amendments clarify that in a review under section 55 of the PPIP Act, the Tribunal is exercising its administrative review jurisdiction under section 7 of the Administrative Decisions Review Act 1997. In this regard, the Tribunal is exercising its review jurisdiction rather than its original jurisdiction. No other matters arise under the amendments which inserted the term ‘administrative’ into the statute.

  4. Relevant to the question that the parties have requested the Tribunal to determine is what action (if any) can or should the Tribunal take under section 55 (2) of the PPIP Act after reviewing the conduct.

The Respondent’s submissions / application

  1. The respondent’s Counsel prepared written submissions dated 10 March 2015. Those submissions seek the summary dismissal of the proceedings pursuant to section 55 of the Civil and Administrative Tribunal Act 2013. The section provides that:

55 Dismissal of proceedings

(1) The Tribunal may dismiss at any stage any proceedings before it in any of the following circumstances:

(a) if the applicant or appellant (or, if there is more than one applicant or appellant, each applicant or appellant) withdraws the application or appeal to which the proceedings relate,

(b) if the Tribunal considers that the proceedings are frivolous or vexatious or otherwise misconceived or lacking in substance,

(c) if the applicant or appellant (or, if there is more than one applicant or appellant, each applicant or appellant) has failed to appear in the proceedings,

(d) if the Tribunal considers that there has been a want of prosecution of the proceedings.

(2) The Tribunal may reinstate proceedings that have been dismissed under subsection (1) (c) if the Tribunal considers that there is a reasonable explanation for that failure.

  1. The submissions set out the findings of the respondent’s review and the negotiating between the parties since the commencement of these proceedings. I note the references to the positive developments in some aspects of the respondent agreeing to adjust their position in respect of suitable action to take and implement in respect of the applicant’s issues.

  2. However I note the submission at paragraph 16 of the written submissions that: ‘The tribunal does not have the power to order the imposition of changes to the applicant’s desired changes to the respondent’s systems.’

Consideration

  1. The Tribunal has powers under section 55 (2) of the PPIP Act. However that is not the limit of the Tribunal’s powers when determining what action (if any) to take arising from an (administrative) review of conduct. In examining whether to take specific action under section 55 (2) of the PPIP Act, the Appeal panel of the former Administrative Decisions Tribunal observed the following in the case of Vice-Chancellor Macquarie University v FM (No 2) [2004] NSWADTAP at [58]:

58 We have decided that a formal order of the kind permitted by s 55(2)(a) to (g) is not required. (In referring to the powers contained in the Tribunal Act we acknowledge that there is some discrepancy of terminology as between the Privacy Act and the Tribunal Act. The task the Tribunal has under the Privacy Act is to make decisions in respect of applications for review of the ‘conduct’ of agencies, whereas under the Tribunal Act it is to make decisions in respect of applications for review of ‘reviewable decisions’ by agencies. In our view it is clear from s 55(3) of the Privacy Act that the Parliament intended the Tribunal to read the provisions in the Tribunal Act going to appropriate orders mutatis mutandis.)

59 Our powers are not restricted to those given by s 55(2). Sub-section (3) leaves open to the Tribunal to be exercised the powers contained in the Administrative Decisions Tribunal Act 1997 (the Tribunal Act).

60 In this case we consider that the exercise of one of those powers is sufficient to provide an adequate response to the issues raised by this case – ‘to remit the matter for reconsideration by the administrator in accordance with any directions or recommendation of the Tribunal’ (s 63(3)).

  1. The operation and relationship of the Administrative Decisions Review Act 1997 (sections 7 and 63), and section 30 of the Civil and Administrative Tribunal Act 2013 whilst relevant are not in my view determinative. The respondent’s submissions whilst logical and carefully constructed omit the vital consideration that the above provisions need to be read in conjunction with the ‘enabling legislation’ as referred to in those pieces of legislation. In this case the ‘enabling legislation’ is the PPIP Act and in particular section 55 and 55 (2).

  2. Section 55 (2) provides for the powers of the Tribunal following a review. Whilst (as this is an interlocutory decision) to date no review of the conduct by the Tribunal has occurred, should such a review take place, the provisions of section 55 (2) of the PPIP Act may be enlivened (including the power to both take action, and to not take any further action on the matter).

  3. In respect of the respondent’s submission at paragraph 40 (above), the Tribunal has a range of powers which have to date been enacted in many dozens of instances. Some examples are the power to make orders concerning the systemic nature of an information practice / system or in respect of administrative practices relating to privacy policies, training, practices and procedures, and general education of staff within the agency.

  4. It is clear that the Tribunal can (where the evidence following a review of conduct indicates a need) examine systemic or broader issues when considering what actions to take generally under section 55 (2) (g) or to enliven aspects of section 55 (2) (c) and (e) of the PPIP Act. The case of MH v NSW Maritime [2011] NSWADT 248 at 24 makes the following observations in respect of the relationship between the systemic issues and the specific conduct complained of by an applicant, and how they might be considered when looking to make an order under section 55 (2) following such a review.

24. As the Privacy Commissioner observed in his submissions, at [14] –

It is clear that the hearing of the matter has of necessity looked into the background of the environment within the Respondent Agency as it relates to privacy matters and the handling of personal information.

The evidence relating to those matters has led to both MH and the Privacy Commissioner making submissions addressing wider 'systemic issues' concerning the agency's compliance with IPPs, its Privacy Management Plan, and the knowledge, understanding and implementation of privacy principles, policies and practices within the agency. The Privacy Commissioner expressed the view that -

... the proceedings highlight a general lack of knowledge, understanding, or compliance with the statutory obligations of the Agency as identified under the PPIP Act.

25. In my opinion the wider systemic issues within the agency form part of the background or context in which the conduct that MH complains of occurred. They are not of themselves the conduct about which MH is aggrieved, but form part of the organizational environment in which the conduct occurred. They do not fall within the scope of his internal review, reasonably construed, because they do not directly relate to the conduct complained of. They do not relate to specific breaches of IPPs or of a Privacy Code of Conduct, but embrace wider issues concerning compliance with the Act and the agency's culture with respect to privacy issues. They are, nonetheless, relevant to the Tribunal's consideration of the conduct in issue, as they set, in part, the context in which the conduct occurred, and inform my decision making accordingly. Addressing systemic issues which contribute to a finding of conduct in breach of the IPP's may be a relevant factor for the Tribunal when considering what orders should be made under s 55(2).

  1. The line of authorities shows in excess of two dozen cases where a respondent agency was ordered to take specific action in accordance with section 55 (2) of the PPIP Act, where upon review the Tribunal found that the conduct of an agency amounted to a breach of an IPP, a HPP or a Privacy Code of Practice. Those examples are in addition to but sometimes include cases where damages were ordered, or positive findings of breaches were made. In other cases upon making positive findings the Tribunal decided not to take any action on the matter (s 55 (2)).

  2. In the current matter the applicant has alleged various breaches. The respondent has conducted a review and has reached a position in respect of where the conduct amounts to a breach and where it does not. It is clear that since the completion of the initial review, the parties have held differing views as to both the extent of the breaches and the nature of the breaches conceded. Whilst I note that there have been some significant shifts in the respondent’s position since that time as to classification, characterisation or extent of the nature of the breach, in essence their position seems to be that nothing more can be done for the applicant. That position is based on a view that the evidence constrains the findings, and the practicality of what the agency can do is limited (when one has regard to policies and subordinate legislation). In this regard they hold the view that ‘nothing more can be done in the tribunal’. (Respondent’s submissions paragraph 17).

  3. I disagree with the respondent’s submission that the Tribunal does not have the power to order the imposition of changes to the applicant’s desired changes to the respondent’s systems. The Tribunal does not (at present) have any authority to make any order of that nature, as no review of conduct has been conducted and no findings made. However the legislation, and legal precedents make it clear that the Tribunal’s powers and functions under section 55 (whilst clearly limited by the words of the statute) are broad enough to apply upon any finding of a breach, in order to abide by the long titles of the PPIP Act and the objects of the HRIP Act. In that regard such a power may be open to the Tribunal to exercise subject to a finding following a review of the conduct.

  4. In my view there are three preconditions to enliven the jurisdiction of the Tribunal.

  1. The applicant must have applied for an internal review under section 53 of the PPIP Act,

  2. The applicant must be dissatisfied with the findings and recommendations of the review (which includes the action taken – if any – arising from that review),

  3. The applicant is requesting the Tribunal to review the conduct that was the subject of the internal review.

  1. These criteria were restated in the case of GA v Commissioner of Police, NSW Police [2004] NSWADT 254 which also stated at paragraph 3 that the Tribunal was exercising its review jurisdiction.

Tribunal’s jurisdiction

3 Source of jurisdiction. The Tribunal’s jurisdiction arises from s 38 of the Administrative Decisions Tribunal Act 1997 (ADT Act) and s 55(1) of the PPIP Act. Section 38 confers jurisdiction on the Tribunal to review a decision (or class of decisions) if an enactment so provides. In this case although the review of conduct is not a review of a decision, the Tribunal has decided that when determining matters under the PPIP Act it is exercising its review jurisdiction, rather than its original jurisdiction (Fitzpatrick -v- Chief Executive Officer, Ambulance Service of NSW [2003] NSWADT 132 (4 June 2003)). The relevant enactment conferring jurisdiction in this case is s 55(1) of the PPIP Act which states that:

(1) If a person who has made an application for internal review under section 53 is not satisfied with:

(a) the findings of the review, or

(b) the action taken by the public sector agency in relation to the application,

the person may apply to the Tribunal for a review of the conduct that was the subject of the application under section 53.

4 There are three pre-conditions to the Tribunal’s jurisdiction under s 55:

- The person must have made an application for internal review under s 53;

- The person must be dissatisfied with the findings of the review or the action taken by the public sector agency in relation to the application; and

- The person must be asking the Tribunal to review the conduct that was the subject of the application.

  1. In my view these criteria were all demonstrated by the applicant. What remains before me is an application filed 22 July 2014 seeking (inter alia) ‘I seek review of the findings of an Internal Review into suspected breaches of my personal health information via the eMR (electronic medical record) system’. However because of the various developments in the application since the proceedings were commenced, and noting the fact that the parties seem to be attempting to narrow the scope of the application, as well as the possibility that the applicant may wish to withdraw his application, I will make the orders in the following manner.

  1. On the application to summarily dismiss the matter pursuant to section 55 of the NCAT Act, I make the following orders:

  2. (1) The strike out application of the Respondent is dismissed.

  3. (2) The Applicant is to advise the Divisional Registrar in writing within 21 days of receipt of these reasons whether he wishes to proceed with his application.

  4. (3) Subject to the applicant’s decision at order (2) the matter will be either listed for a Planning Meeting or listed for dismissal.

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 29 April 2015
