BVV v Commissioner of Police

Civil and Administrative Tribunal

New South Wales

Medium Neutral Citation:	BVV v Commissioner of Police [2020] NSWCATAD 182
Hearing dates:	On the papers
Date of orders:	17 July 2020
Decision date:	17 July 2020
Jurisdiction:	Administrative and Equal Opportunity Division
Before:	S Goodman SC, Senior Member
Decision:	(1)   The respondent’s application dated 3 March 2020 is dismissed. (2) The matter is remitted to the respondent for the completion of an internal review pursuant to s 53 of the Privacy and Personal Information Protection Act 1998, with such internal review to be completed within 60 days from the date of these reasons. (3)   The applicant’s application for review is to be listed for directions within 14 days of the expiry of the 60 day period referred to in Order 2
Catchwords:	ADMINISTRATIVE LAW – Privacy – jurisdiction – whether an application for internal review has been made
Legislation Cited:	Administrative Decisions Review Act 1997 (NSW), ss 3, 9, 65 Civil and Administrative Tribunal Act 2013 (NSW) s 55 Privacy and Personal Information Protection Act 1998 (NSW) ss 3, 4, 12, 18, 20, 21, 52, 53, 55
Cases Cited:	CCM v Western Sydney University [2019] NSWCATAP 103 CYL v YZA [2017] NSWCATAP 105 DVG v Western Sydney Local Health District [2020] NSWCATAP 78 DVH v South Eastern Sydney Local Health District [2019] NSWCATAD 221 GA v Commissioner of Police [2004] NSWADT 254 GA v Commissioner of Police [2005] NSWADTAP 38 Meacham v Commissioner of Police [2020] NSWCATAP 107 Neat Holdings Pty Ltd v Karajan Holdings Pty Ltd (1992) 67 ALJR 170; 110 ALR 449 NZ v Commissioner of Police, NSW Police [2007] NSWADT 263 PC v University of New South Wales (GD) [2005] NSWADTAP 72 ZR v NSW Department of Education and Training [2007] NSWADT 239
Texts Cited:	None cited
Category:	Principal judgment
Parties:	BVV (Applicant) Commissioner of Police (Respondent)
Representation:	Solicitors: Applicant (Self Represented) Crown Solicitor (Respondent)
File Number(s):	2020/00020455
Publication restriction:	The publication or broadcast of the name of the applicant is prohibited under s 64(1)(a) of the Civil and Administrative Tribunal Act 2013

REASONS FOR DECISION

Introduction

1. On 14 January 2020, the respondent (the NSWPF) declined the applicant’s request dated 10 January 2020 for an internal review (Internal Review Request) under s 53 the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).

2. On 21 January 2020, the applicant commenced this proceeding for review by the Tribunal of conduct the subject of the Internal Review Request.

3. By an application in this proceeding filed on 3 March 2020, the NSWPF asks the Tribunal to exercise the power it has under s 55(1)(b) of the Civil and Administrative Tribunal Act 2013 (NSW) (NCAT Act), to dismiss the proceeding on the basis that it is “misconceived” or “lacking in substance”. The essence of this application by NSWPF is that the Tribunal does not have jurisdiction because the applicant did not make a competent application to NSWPF for review under s 53 of the PPIP Act.

4. On 25 February 2020, the Tribunal made an order under s 64(1)(a) of the NCAT Act, prohibiting the publication or broadcast of the name of the applicant. In these reasons I have replaced some information which might otherwise lead to the identification of the applicant with the notation “XXX”.

5. For the reasons developed below refuse NSWPF’s application to dismiss the proceeding is dismissed and the matter is remitted to the NSWPF to carry out the internal review.

Background

6. On 10 January 2020, the applicant made the Internal Review Request to the NSWPF. The applicant did so by sending an email to the NSWPF, in the following terms:

This is a privacy complaint pursuant to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).

Background

On 18 November 2019, Insurance & Care NSW sent an email to me which attached a document entitled “Deed of Release” signed by me on XXX (Deed).

The contents of the Deed is strictly confidential and is not to be disclosed by me or NSW Police Force (NSWPF), other than to our legal and financial advisers on receiving an undertaking from that person to keep the terms of the Deed confidential or as may be required by law.

Security of personal information

NSWPF failed to ensure that the Deed is protected, by taking such security safeguards as are reasonable in the circumstances, against unauthorised access, use of disclosure, and against all other misuse.

NSWPF contravened section 12(c) of the PPIP Act.

Disclosure of personal information

NSWPF disclosed the Deed to another person or body, without my authority, and in contravention of the following:

(a)   Clause 15 of the Deed in respect to the confidentiality of the contents of the Deed;

(b)   Regulation 75 of the Police Regulation 2008 (NSW) in respect to my confidential requests and complaints made otherwise than under Part 8A of the Police Act 1990 (NSW);

(c) Section 75(2)(b) of the Administrative Decisions Tribunal Act 1997 (NSW) in respect to my identity as the applicant in proceeding numbers XXX and XXX.

The disclosure of the Deed was in contravention of section 18 of the PPIP Act.

Request for internal review

Please conduct an internal review in accordance with section 53 of the PPIP Act.

...

7. On 13 January 2020 the following emails (13 January 2020 Emails) were exchanged between the applicant and the NSWPF:

1. from NSW Police:

I refer to your email below in which you request the NSWPF conduct an internal review under s 53 of the Privacy and Personal Information Protection Act 1998.

You say the NSWPF failed protect a Deed against unauthorised access, use or disclosure of a “Deed of Release” signed by you on XXX. You indicate that on 18 November 2019 you received an email from Insurance & Care NSW attaching a copy of the Deed. From your email it is not clear how this conduct involves the NSWPF handling of your personal information. In order to better understand how the conduct may relate to the NSWPF, could you please provide a copy of the email and attachments you received from Insurance & Care NSW on 18 November 2019. Please also provide any further information that may clarify how the email from Insurance & Care NSW relates to conduct of the NSWPF.

2. from the applicant:

Thank you for your email.

Please find attached the email from Insurance & Care NSW dated 18 November 2019 with attached Deed signed by me.

The other attachment to the email comprises various documents relating to workers compensation which are not relevant to this privacy complaint.

I understand that Insurance & Care NSW obtained the Deed from the staff at Employers Mutual Limited.

By way of clarification, NSWPF failed to comply with its obligations to keep the Deed secure by unlawfully disclosing the Deed to the staff at Employers Mutual Limited.

(The attached email from Insurance & Care NSW to the applicant was in the following form:

Please find attached two documents relation to the additional request for all documents comprising “Letter to EML.pdf”.

1.   Deed of release in which “Letter to EML” in (sic) included as an annexure

2.   Other related settlement documents.

A third document from EML to DLA Piper dated XXX was identified, however legal privilege is claimed for this document.)

3. from NSW Police:

I refer to your emails dated 10 January 2020 and 13 January 2020. I also refer to my email of 13 January 2020.

I note you have provided two attachments being: “Email from Insurance & Care NSW” and “Deed of Release – signed by [BVV]. You also state you understand that Insurance & Care NSW obtained the Deed from staff at Employers Mutual Limited.

I have read both attachments and your email below, on the face of those documents there is nothing to indicate any involvement by the NSWPF. Could you please provide further information that might clarify your contention that the NSWPF unlawfully disclosed the Deed to staff at Employers Mutual Limited.

4. from the applicant:

Thank you for your email.

There are only two parties to the Deed, namely me and NSWPF.

I did not disclose the Deed to the staff at Employees Mutual Limited.

Therefore, NSWPF must have disclosed the Deed to the staff at Employees Mutual Limited.

8. On 14 January 2020, NSWPF wrote to the applicant stating that it was not required to conduct an internal review. It did so in the following terms:

I refer to your email dated 10 January 2020, in which you request the NSW Police Force (NSWPF) conduct an internal review pursuant to section 53 of the Privacy and Personal Information Protection Act 1998 (the Act), see attachment A (the Request).

I also refer to emails exchanged between yourself and the NSWPF dated 13 January 2020, see attachment B (the Clarifying Emails).

Section 53 of the Act provides that a person who is aggrieved by the conduct of a public sector agency is entitled to internal review of the conduct. The entitlement to internal review depends, however, upon the applicant identifying the conduct about which they are aggrieved in sufficient detail to allow the agency to determine whether it constitutes a breach.

The Request suggests that the impugned conduct is the failure of the NSWPF to protect a Deed, executed on XXX, and that that failure amounted to a contravention of s 12 of the Act. The Request states that on 18 November 2019 you received a copy of the Deed by way of email from Insurance & Care NSW (iCare). The Request does not describe how iCare came to be in possession of the Deed, nor how you say the NSWPF was involved with iCare having possession of the Deed.

The Clarifying Emails provided you with an opportunity to provide further particulars in order for the specific conduct to the NSWPF to be identified. In your response you assume the NSWPF disclosed the Deed to iCare or Employers Mutual Limited however you provide no specifics as to how that disclosure occurred or under what circumstances.

Accordingly, the NSWPF is of the view that the Request does not describe the impugned conduct with sufficient detail to allow the NSWPF to determine whether there has been a breach of the Act.

The NSWPF is therefore of the view that the Request is not validly made, such that NSWPF is not required to undertake an internal review.

9. As noted above, on 21 January 2020, the applicant commenced this proceeding and on 3 March 2020 the NSWPF filed an application for dismissal of the proceeding, relying upon s 55(1)(b) of the NCAT Act.

Applicable legislation

10. Section 55 (1)(b) of the NCAT Act provides:

55   Dismissal of proceedings

(1)   The Tribunal may dismiss at any stage any proceedings before it in any of the following circumstances—

…

(b)   if the Tribunal considers that the proceedings are frivolous or vexatious or otherwise misconceived or lacking in substance.

11. The following sections of the PPIP Act are germane and are reproduced in so far as they are presently relevant:

3 Definitions

(1)   In this Act—

…

information protection principle or principle means a provision set out in Division 1 of Part 2.

Public sector agency means any of the following:

...

(e)   the New South Wales Police Force

4   Definition of “personal information”

(1)   In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

…

Part 2 Information protection principles

Division 1 Principles

…

12 Retention and security of personal information

A public sector agency that holds personal information must ensure-

…

(c)   that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse

18 Limits on disclosure of personal information

(1)   A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless—

(a)   the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b)   the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c)   the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

(2)   If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

20 General application of information protection principles to public sector agencies

(1)   The information protection principles apply to public sector agencies.

…

21 Agencies to comply with principles

(1)   A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency.

(2)   The contravention by a public sector agency of an information protection principle that applies to the agency is conduct to which Part 5 applies.

Part 5–Review of certain conduct

52 Application of Part

(1)   This Part applies to the following conduct—

(a)   the contravention by a public sector agency of an information protection principle that applies to the agency,

…

(2)   A reference in this Part to conduct includes a reference to alleged conduct.

…

53 Internal review by public sector agencies

(1)   A person ("the applicant") who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.

…

(3)   An application for such a review must—

(a)   be in writing, and

(b)   be addressed to the public sector agency concerned, and

(c)   specify an address in Australia to which a notice under subsection (8) may be sent, and

(d)   be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and

(e)   comply with such other requirements as may be prescribed by the regulations.

…

55 Administrative review of conduct by Tribunal

(1) If a person who has made an application for internal review under section 53 is not satisfied with—

(a)   the findings of the review, or

(b)   the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.

12. Section 9 of the Administrative Decisions Review Act 1997 (NSW) (ADR Act) provides:

9   When administrative review jurisdiction is conferred

(1)   The Tribunal has administrative review jurisdiction over a decision (or class of decisions) of an administrator if enabling legislation provides that applications may be made to the Tribunal for an administrative review under this Act of any such decision (or class of decisions) made by the administrator:

(a)   in the exercise of functions conferred or imposed by or under the legislation, or

(b)   in the exercise of any other functions of the administrator identified by the legislation.

(2)   If enabling legislation makes provision for applications to be made to the Tribunal in respect of an administratively reviewable decision subject to certain conditions, the Tribunal has jurisdiction under the enabling legislation only if those conditions are satisfied.

Submissions and matters for determination

13. The Tribunal has had the benefit of written submissions from each of the parties on the issue whether the Internal Review Request is a competent application for the purposes of s 53 of the PPIP Act.

14. From those submissions, the following matters are not in dispute:

1. the existence of a competent application for internal review is a jurisdictional prerequisite to external review by the Tribunal;

2. an application for internal review does not require formality, precision or comprehensiveness on the part of the applicant, and applications which have been described as “confused and vague” and “somewhat cryptic” have previously been found to be competent;

3. in determining whether the Internal Review Request is a competent application for internal review, regard may be had to the 13 January 2020 Emails;

4. the formal requirements specified in s 53(3) of the PPIP Act have been met;

5. the Internal Review Request conveyed to the NSWPF that the applicant sought internal review under s 53 of the PPIP Act;

6. the Internal Review Request identified the information protection principles in ss 12(1)(c) and 18 of the PPIP Act;

7. the Deed contains personal information of the applicant; and

8. the PPIP Act is beneficial legislation and s 53 (1) should be construed broadly and beneficially: GA v Commissioner of Police [2004] NSWADT 254 at [6].

15. The principal area of dispute is whether the Internal Review Request, as supplemented by the 13 January 2020 Emails, was incompetent for the purposes of s 53 of the PPIP Act because it did not sufficiently identify the conduct in respect of which internal review was sought. The submissions on this issue are summarised below.

The NSWPF’s submissions in chief

16. The NSWPF’s submissions in chief may be summarised as follows:

1. at a minimum, an applicant is required to identify the conduct about which they are aggrieved: GA v Commissioner of Police [2004] NSWADT 254 at [5];

2. whilst s 53 (1) should be construed broadly and beneficially, such a construction has certain necessary limits: GA v Commissioner of Police [2004] NSWADT 254 at [6];

3. the decisive test, as determined in GA v Commissioner of Police [2004] NSWADT 254, is whether an applicant has provided sufficient detail about the conduct to allow an agency to determine whether the conduct constitutes a breach of an information protection principle (subject to the agency making reasonable attempts to clarify the request before declining to review the conduct): GA v Commissioner of Police [2004] NSWADT 254 at [7]; DVH v South Eastern Sydney Local Health District [2019] NSWCATAD 221 at [18(2)];

4. the Internal Review Request and 13 January 2020 Emails do not identify the conduct about which the applicant is aggrieved in sufficient detail to allow the NSWPF to determine whether the conduct constitutes a breach of ss 12(c) and 18 of the PIPA Act because they do not identify: the timeframe (save that it must have occurred after the execution of the Deed, more than eight years ago); the persons or business units within the NSWPF said to have disclosed the Deed to Employers Mutual Limited (EML); any particular recipients within Insurance & Care NSW or EML (or another intervening person or agency) who obtained the Deed from the NSWPF; or the context in which the NSWPF is said to have disclosed the Deed to EML (or anyone else) to assist the NSWPF in drawing inferences as to the above matters;

5. the applicant has provided only two pieces of information, namely that the information said to have been disclosed is the Deed and the Deed is in the possession of Insurance & Care NSW (and is said by Insurance & Care NSW to have at some time been provided to Insurance & Care NSW by EML);

6. this information does little to assist an investigation, as:

1. the Deed addressed a number of claims between the applicant and the NSWPF at the time of its execution more than 8 years ago;

2. the applicant and the NSWPF have remained in dispute since the Deed was executed;

3. the Deed has been cited as a bar in other proceedings and partly extracted in a decision in those other proceedings;

1. documents arising from the Deed have been the subject of various applications by the applicant under the PPIP Act or Government Information (Public Access) Act2009 (NSW);

2. the Deed has been raised by the NSWPF as relevant to other proceedings between the applicant and the NSWPF in respect of issues currently before the Tribunal and in that respect remains a live document for the NSWPF;

3. there will undoubtedly be substantial correspondence relating to or attaching the Deed in the records of the NSWPF since the execution of the Deed more than 8 years ago;

4. the presence of a copy of the Deed in the possession of Insurance & Care NSW or EML is not of substantial assistance because it can be reasonably estimated that the NSWPF will have had substantial direct or indirect contact with both organisations in the period of more than 8 years since the Deed was executed;

7. there is no information from which to determine whether the alleged disclosure by NSWPF to any third party was lawful disclosure under the PPIP Act;

8. the only suggestion that the NSWPF was involved in the disclosure is a broad inference drawn or assumption made from the fact that NSWPF also possesses a copy of the Deed and this is an insufficient basis from which to infer a breach;

9. with respect to s 12(c) of the PPIP Act, in the absence of evidence of disclosure by the NSWPF it is difficult to assess how the NSWPF has failed to ensure the security of the Deed, or whether the NSWPF has taken reasonable steps in the circumstances (including whether the alleged disclosure is said to be inadvertent or deliberate and whether the disclosure was made by a person whose access to the document was restricted or unnecessary). It is also submitted that the breach of s 12(c) is unspecified and would trigger a wide ranging review of the safeguards in place for the Deed, and that this should not be allowed to occur in the absence of particular evidence that the safeguards are inappropriate;

10. the NSWPF is in the “absurd situation” envisaged in GA v Commissioner of Police [2004] NSWADT 254 because it is essentially required to identify and investigate every transaction or communication relating to the Deed which could possibly constitute a breach of s 18 of the PPIP Act and then assess whether the Deed was reasonably secured against such conduct for the purposes of s 12(c);

11. the present situation is less specific than the position in GA v Commissioner of Police [2004] NSWADT 254, where the Tribunal held that an application which contended that the NSWPF had disclosed a copy of a complaint report to a named principal of a high school during the investigation of a complaint was incompetent because the absence of evidence as to the identity of the person who provided the report to the principal and the date on which it was provided meant that NSWPF was unable to identify the conduct alleged to be in breach; and

12. the NSWPF has written to the applicant seeking further information, but the applicant has not provided substantial further information and appears to allege that the contraventions are premised upon a broad assumption.

Applicant’s submissions

17. The applicant’s submissions may be summarised as follows:

1. “conduct” includes alleged conduct: s 52(2) of the PPIP Act;

2. the decision in GA v Commissioner of Police [2004] NSWADT 254 upon which the NSWPF relies was set aside on appeal in GA v Commissioner of Police [2005] NSWADTAP 38 and the Appeal Panel held that the application in that case was sufficient to attract the jurisdiction of the Tribunal;

3. the Internal Review Request:

1. identified the Deed as containing the applicant’s personal information;

2. provided background to the complaint, including the name of Insurance & Care NSW of whom inquires can be made in the internal review;

3. described the alleged conduct of the NSWPF, namely:

1. a failure to ensure that the Deed was protected, by taking such security safeguards as are reasonable in the circumstances, against unauthorised access, use or disclosure and against all other misuse; and

2. disclosure of the Deed to another person or body; and

4. connected the alleged conduct to ss 12(1) (c) and 18 of the PPIP Act;

4. the 13 January 2020 emails from the applicant:

1. attached a copy of the email from Insurance & Care NSW to the applicant dated 18 November 2019, together with a copy of the Deed;

2. provided additional background information, including:

1. the names of DLA Piper and EML, of whom inquires can be made during the internal review;

2. that the applicant’s connection to the third parties was worker’s compensation;

3. the existence of a separate email from EML to DLA Piper of a particular date; and

3. clarified the alleged conduct, as a failure by the NSWPF to keep the Deed secure by disclosing it to staff at EML;

5. DLA Piper represented the NSWPF at the “settlement” referred to in the email from Insurance & Care NSW to the applicant on 18 November 2019. This submission was supported by an email attached to the applicant’s submissions and dated near the date of the Deed;

6. the email from EML to DLA Piper referred to in the email from Insurance & Care NSW to the applicant on 18 November 2019 is evidence of communications at that time between EML and DLA Piper (on behalf of the NSWPF) and it is probable that during such communications the NSWPF disclosed the Deed to EML;

7. the submission of the NSWPF that it is not realistically possible, on the information provided by the applicant, for the NSWPF to investigate whether there has been a breach of the PPIP Act is utter nonsense and ought be rejected out of hand;

8. the essence of the NSWPF submissions is that the applicant has not proven a breach of the information protection principles, and this is misconceived as it is only necessary for the applicant to allege particular conduct and there is no onus on the applicant to prove anything at this stage;

9. the information provided to the NSWPF in the Internal Review Request and the 13 January 2020 Emails goes well beyond the minimum threshold for an application for internal review described in the authorities;

10. there are similarities between the present case and matters identified by the Appeal Panel in GA v Commissioner of Police [2005] NSWADTAP 38, namely:

1. identification of events of concern by reference to the NSWPF records, namely the Deed and the email from EML to DLA Piper (as legal representative of the NSWPF);

2. the applicant gave internal reference numbers, which are contained in the Deed;

3. the applicant referred to a document created by Insurance & Care NSW, namely its email to the applicant dated 18 November 2019;

4. the NSWPF had emails from a correspondent with whom it was more than familiar referring to a general set of circumstances well known to have occurred, being the communications between EML and DLA Piper;

11. the NSWPF has more than enough information to allow it to retrieve details from the specifically identified official documents in its possession and to make inquiries with identified third parties; and

12. the Tribunal could not be satisfied that there was such a lack of particularisation that there was a failure to identify conduct falling within Part 5 of the PPIP Act.

The NSWPF’s submissions in reply

18. The NSWPF’s submissions in reply may be summarised as:

1. an applicant must “identify the conduct about which they are aggrieved in sufficient detail to allow the agency to determine whether it constitutes a breach of an information protection principle”, relying upon GA v Commissioner of Police [2004] NSWADT 254 at [7];

2. the application must include material that can be understood by the agency, fairly read, as connecting the action or circumstances to an information protection principle: CYL v YZA [2017] NSWCATAP 105 at [58];

3. the Internal Review Request and 13 January 2020 Emails did not provide material which, fairly read, illustrated a connection between the alleged breaches and conduct of the NSWPF by which the NSWPF could fairly investigate whether it had breached the information protection principles alleged;

4. as to the similarities suggested by the applicant between the present case and the Appeal Panel decision in GA v Commissioner of Police [2005] NSWADTAP 38:

1. the reference to the Deed does not assist to determine the manner of its disclosure;

2. the applicant did not provide a copy of the email from EML to DLA Piper and there is nothing in the reference to it in the email from Insurance & Care NSW dated 18 November 2019 to suggest that the NSWPF was involved or that it is a police record;

3. it is not clear to the NSWPF what the internal index numbers are and they were not specifically mentioned in the Internal Review Request and 13 January 2020 Emails, nor was their significance explained;

4. there is nothing in the 18 November 2019 email which suggests any involvement by the NSWPF, let alone a breach of an information protection principle and the NSWPF sought further clarification from the applicant without success;

5. it is not clear that the applicant’s communications to NSWPF referred to a communication between DLA Piper and EML (as opposed to attaching an email from Insurance & Care NSW mentioning it) or that its connection with conduct of NSWPF can be assumed to be well known;

5. the applicant did not identify any conduct by the NSWPF at all, rather the applicant alleged that disclosure has occurred and that the NSWPF “must have” disclosed the Deed because the applicant did not and this is the “absurd situation” which the “principle in GA” and subsequent cases is intended to prevent;

6. it is not reasonable to suggest that the NSWPF should have been able to infer from a passing reference in the email from Insurance & Care NSW to the applicant dated 18 November 2019 that the applicant’s request for internal review was directed to presumed instructions given by the NSWPF to DLA Piper to send a copy of the Deed to EML at around the time the Deed was settled in circumstances where:

1. this was not set out in the Internal Review Request or the 13 January 2020 Emails;

2. it cannot be inferred that an internal reviewer will be familiar with the history of dealings, particularly of a matter which was finalised more than 8 years before the Internal Review Request. This is particularly so when there is a lengthy history of applications and litigation between the applicant and the NSWPF, such that it becomes necessary to identify a particular transaction and legal representative of the NSWPF;

3. the 18 November 2019 email is ambiguous on its face, as it suggests a relationship giving rise to an entitlement to legal professional privilege between DLA Piper and Insurance & Care NSW, rather than between DLA Piper and the NSWPF. It does not give rise to an inference that the NSWPF instructed DLA Piper to provide the Deed to EML;

7. the applicant’s submission that disclosure probably occurred at around the time of the execution of the Deed from DLA Piper to EML cannot be considered by the Tribunal because:

1. the scope of the conduct the subject of the internal or external review is the conduct identified in the application for review as supplemented in correspondence prior to a decision being made on internal review;

2. the conduct identified in the Internal Review Request and the 13 January 2020 Emails did not include disclosure of the Deed at around the time of the execution of the Deed from DLA Piper (on behalf of the NSWPF) to EML; and

8. if that submission were to be considered by the Tribunal, it would not assist the applicant because it appears that the disclosure occurred in the course of communications between the NSWPF, its lawyers and its insurer and such disclosure would not constitute a breach of ss 12 or 18.

Consideration

The PPIP Act

19. Division 1 of Part 2 of the PPIP Act sets out a number of information protection principles, including ss 12(c) and 18. Sections 20 and 21 of the PPIP Act provide that the information protection principles apply to public sector agencies. The NSWPF is a public sector agency: see s 3(1) (definition of “public sector agency”) of the PPIP Act.

20. Section 21(1) of the PPIP Act prohibits NSWPF from doing anything, or engaging in any practice, that contravenes an information protection principle. Any such contravention is conduct to which Part 5 of the PPIP Act applies: s 21(2) of the PPIP Act.

21. Part 5 of the PPIP Act (ss 52-55) provides for the review of particular species of conduct including conduct that is, or is alleged to be, a contravention by the NSWPF of an information protection principle: s 52 of the PPIP Act.

22. Section 53 of the PPIP Act provides that a person who is aggrieved by the conduct of the NSWPF is entitled to a review, by the NSWPF, of that conduct.

23. Section 55 of the PPIP Act provides for external review, by the Tribunal, of the same conduct.

Jurisdiction of the Tribunal

24. Section 55 of the PPIP Act is a source of the Tribunal’s external review jurisdiction.

25. Section 9 of the ADR Act provides that the Tribunal has administrative review jurisdiction over decisions of an administrator if enabling legislation provides that applications may be made to the Tribunal for an administrative review under the Act of any such decisions made by the administrator.

26. The PPIP Act is enabling legislation, within the definition of that term in s 3 of the ADR Act, because it (and in particular s 55) provides for applications to be made to the Tribunal with respect to a specified matter or class of matters.

27. Those matters are matters which meet the requirements of s 55(1). The making of a competent application for review under s 55 of the PPIP Act is an essential prerequisite to the Tribunal exercising jurisdiction: GA v Commissioner of Police [2005] NSWADTAP 38 at [10]; PC v University of New South Wales (GD) [2005] NSWADTAP 72 at [20]-[21], [29].

28. As Deputy President Hennessy noted in GA v Commissioner of Police [2004] NSWADT 254 at [4]:

There are three pre-conditions to the Tribunal’s jurisdiction under s 55:

- The person must have made an application for internal review under s 53;

-   The person must be dissatisfied with the findings of the review or the action taken by the public sector agency in relation to the application; and

-   The person must be asking the Tribunal to review the conduct that was the subject of the application.

29. In this application, only the first of these preconditions is in issue.

The competence of the application

30. The concept of “conduct” of the NSWPF is pivotal to the operation of Part 5 of the PPIP Act. Part 5 applies only to conduct as defined in s 52 and it is the identified conduct which is the subject of both the internal review under s 53 and any external review under s 55.

31. Conduct is “the expression used in this area of the law to describe action by the agency or circumstances involving the agency that might amount to a possible contravention of an information protection principle: see PPIPA s 52. There needs to be material that can be understood by the agency, fairly read, as connecting the action or circumstances of concern to a principle, whether or not the principle itself is actually specified by the application”: CYL v YZA [2017] NSWCATAP 105 at [58]; CCM v Western Sydney University [2019] NSWCATAP 103 at [43]; DVG v Western Sydney Local Health District [2020] NSWCATAP 78 at [9].

32. The information provided in an application under s 53 must be sufficient “to identify that, at the least, conduct involving the disclosure of information has been put in issue”: see GA v Commissioner of Police [2005] NSWADTAP 38 at [14]; ZR v NSW Department of Education and Training [2007] NSWADT 239 at [23] and NZ v Commissioner of Police, NSW Police [2007] NSWADT 263 at [19].

33. Applications for internal review under s 53(1) the PPIP Act take various forms. They may be considered as ranging from a position in which there is no identification of the complained of conduct to a position in which that conduct has been fully particularised (for example by the precise identification of the date, time and means of disclosure from identified person X to identified person Y). Most cases will fall somewhere in the middle of this spectrum rather than at the extremes.

34. The end of the spectrum where there is no identification of the conduct involved was described by Deputy President Hennessey in GA v Commissioner of Police [2004] NSWADT 254 at [6]:

The broadest possible interpretation of s 53(1) is that it would be sufficient for an applicant to advise an agency that he or she was aggrieved by some unidentified conduct in order to be entitled to a review of that conduct. That interpretation would lead to the absurd situation that an agency would have to identify and investigate every transaction or communication relating to the personal information of the applicant which could possibly constitute a breach of an information protection principle or a privacy code of practice or the disclosure of personal information kept in a public register: s 52.

(emphasis added)

35. That same end of the spectrum was the subject of the following statement by the Appeal Panel in GA v Commissioner of Police [2005] NSWADTAP 38 at [11]: “We accept that circumstances could arise where there is so little by way of substance in a communication that purports to be an application for internal review that an agency could properly decline the application”.

36. In cases where there is doubt as to whether the particularisation of the conduct is sufficient, the applicant should have the benefit of that doubt. This follows from the beneficial nature of the PPIP Act, as identified by Deputy President Hennessy in GA v Commissioner of Police [2004] NSWADT 254 at [6]. It should also be borne in mind that in particular cases there may be limits as to the ability of an applicant to particularise the conduct by which it is aggrieved because those particulars are not known to that applicant.

37. I turn now to consider the sufficiency of the information concerning conduct contained in the present application. The starting point is to consider the Internal Review Request and 13 January 2020 Emails to determine, on a fair reading, what they convey to the NSWPF concerning conduct or alleged conduct of the NSWPF.

38. Those documents, on a fair reading, convey the following information concerning conduct or alleged conduct of the NSWPF:

1. the applicant and the NSWPF are the only parties to the Deed, which was executed on a particular date more than 8 years ago;

2. the Deed contains personal information of the applicant;

3. the applicant contends that Insurance & Care NSW obtained the Deed from EML;

4. on 18 November 2019, Insurance & Care NSW sent an email to the applicant which attached the Deed;

5. the applicant did not disclose the Deed to EML; and

6. the applicant alleges that NSWPF disclosed the Deed to EML without the applicant’s authority and thereby:

1. failed to ensure that the Deed was protected by reasonable safeguards, in contravention of s 12(c) of the PPIP Act; and

2. contravened s 18 of the PPIP Act.

39. The Internal Review Request, read with the 13 January 2020 Emails, put in issue conduct involving the disclosure by the NSWPF to EML of personal information in the Deed (GA v Commissioner of Police [2005] NSWADTAP 38 at [14]); it described circumstances involving the NSWPF that might amount to a possible contravention of an information protection principle (CYL v YZA [2017] NSWCATAP 105 at [58]); and it contained a sufficient description of the conduct in issue to enable the NSWPF and the Tribunal to appreciate that there are, or are not, grounds for a potential, relevant breach of information protection principles to have occurred which can be examined and considered (DVH v South Eastern Sydney Local Health District [2019] NSWCATAD 221 at [9]). As such, the Internal Review Request is a competent application for internal review.

40. I have reached the above conclusions without reference to the further particularisation of the conduct described in the applicant’s submissions, namely that the disclosure probably occurred around the time that the Deed was executed during communications between DLA Piper (acting for the NSWPF) and EML. As noted above, the NSWPF submitted the Tribunal should not consider that further particularisation. It is not necessary to decide whether that submission should be accepted (or the effect of such further particularisation were it to be taken into account).

39. There is, as the NSWPF has submitted, no particularisation of when the alleged disclosure of the Deed from the NSWPF to EML is alleged to have occurred; nor of the identity of the particular persons involved in the communication by which the alleged disclosure occurred. There is also no precise particularisation of the context in which the alleged disclosure occurred. Nevertheless, the conduct is sufficiently identified to allow the NSPF to conduct an internal review.

40. The submissions of the NSWPF contain various references to anticipated difficulties of the required investigation, with such difficulties anticipated to arise from matters such as the extent of dealings between the applicant and the NSWPF over many years, the extent of the correspondence relating to the Deed (which the NSWPF has submitted “will undoubtedly be substantial”), including correspondence between the NSWPF and Insurance & Care NSW or EML (in respect of each of whom it is submitted “it can be reasonably estimated that the NSWPF will have had substantial direct or indirect contact”).

41. However, the competence of the application depends on whether the alleged conduct has been sufficiently identified. Competence is not determined by the ease or difficulty of the anticipated investigative process. Were it otherwise, the competence of an application might depend upon factors such as the efficiency or otherwise of the methods used by particular public sector agencies to store and retrieve information.

42. Further, if competence were dependent upon the anticipated ease or difficulty of the investigation, it would be necessary to make findings of fact as the likely degree of difficulty. There is no evidence before the Tribunal which would allow such findings to be made and it would be erroneous to make such findings absent evidence: Meacham v Commissioner of Police [2020] NSWCATAP 107 at [54] and [83].

43. The submissions of the NSWPF that the allegations of conduct are based on an assumption or inference do not assist it. The applicant has indicated to the NSWPF that an inference is available that the NSWPF disclosed the Deed to EML, such inference arising from the following circumstances: (1) the applicant and the NSWPF were the only parties to the Deed, (2) Insurance & Care NSW has a copy of the Deed which it received from EML and (3) the applicant did not provide a copy of the Deed to EML. The drawing of such an inference as a step in alleging the conduct in contravention of an information protection principle is unremarkable. Further, as noted above, the Appeal Panel in CYL v YZA [2017] NSWCATAP 105 at [58] referred to conduct as the expression used to “describe action by the agency or circumstances involving the agency that might amount to a possible contravention of an information protection principle” (emphasis added).

44. The submissions of the NSWPF which suggest that the applicant ought to have provided evidence on matters such as the disclosure and how safeguards are inappropriate also do not assist the NSWPF. The applicant is not required to provide evidence. It is sufficient for the applicant to have alleged conduct (being action by an agency or circumstances involving the agency) which might amount to a possible contravention of an information privacy principle.

45. The NSWPF’s submission that it is placed in the “absurd position” described by Deputy President Hennessey in GA v Commissioner of Police [2004] NSWADT 254 is rejected. Such an absurd position was described as the result of the broadest possible interpretation of s 53, namely where no conduct was identified, as is clear from [6] of those reasons.

46. In contrast, and as noted above, the applicant in the present case has identified particular conduct, namely the disclosure of the Deed by the NSWPF to EML. NSWPF would not need to identify and investigate every transaction or communication relating to the personal information of the applicant which could possibly constitute a breach of an information protection principle. The investigation could be targeted more narrowly upon communications between NSWPF and EML (and their respective agents) concerning the Deed.

47. Thus, I am not persuaded that the applicant for internal review is incompetent or that the proceeding should be dismissed for want of jurisdiction.

Next Steps

50. The next question is whether the Tribunal should proceed with the application for external review before it (as the applicant wishes), or remit the matter to the NSWPF so that the NSWPF might carry out the internal review originally requested by the applicant (as the NSWPF wishes).

51. I propose to order that the matter be remitted to the NSWPF pursuant to s 65 of the ADR Act so that it can carry out the internal review originally requested by the applicant, for the following reasons.

52. First, as submitted by the NSWPF, Part 5 of the PPIP Act clearly contemplates that an internal review will occur before the Tribunal carries out an external review. This course means that the applicant and the Tribunal will have the benefit of considering the results of that internal review before the external review is undertaken.

53. Secondly, it may be that the applicant is satisfied with the result of the internal review, such that external review becomes unnecessary.

54. Thirdly, I do not accept the applicant’s submission that the Tribunal could not be satisfied that the NSWPF would properly conduct such an internal review. The basis of that submission is a contention that the NSWPF is willing to conceal inconvenient but pertinent facts so as to avoid being held accountable, because, the applicant submits, the NSWPF failed to disclose in its correspondence with the applicant and in its submissions to the Tribunal that DLA Piper acted for the NSWPF. A finding of such gravity is not lightly to be made (Neat Holdings Pty Ltd v Karajan Holdings Pty Ltd (1992) 67 ALJR 170; 110 ALR 449 at [2]), and I am not prepared to make it on the evidence before the Tribunal. Of course, the fact or otherwise of such legal representation and its relevance to the internal review may be taken into account by the NSWPF on the internal review and might be raised by the applicant in any subsequent external review by the Tribunal.

Orders

55. I make the following orders:

1. The respondent’s application dated 3 March 2020 is dismissed.

2. The matter is remitted to the respondent for the completion of an internal review pursuant to s 53 of the Privacy and Personal Information Protection Act 1998, with such internal review to be completed within 60 days from the date of these reasons.

3. The applicant’s application for review is to be listed for directions within 14 days of the expiry of the 60 day period referred to in Order 2

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.

Registrar

Decision last updated: 17 July 2020