BXK v Western Sydney University

Civil and Administrative Tribunal

New South Wales

Medium Neutral Citation:	BXK v Western Sydney University [2016] NSWCATAD 235
Hearing dates:	14 and 15 March 2016
Date of orders:	18 October 2016
Decision date:	18 October 2016
Jurisdiction:	Administrative and Equal Opportunity Division
Before:	Dr J Lucy, Senior Member
Decision:	(1) The respondent’s name is changed from University of Western Sydney to Western Sydney University. (2) No action is to be taken on the matter.
Catchwords:	PRIVACY – Scope of application to Tribunal – Whether conduct the subject of Tribunal application was also the subject of the internal review application – Some conduct not the subject of internal review application so beyond the scope of the Tribunal’s jurisdiction – Whether respondent unlawfully used or disclosed the applicant’s personal or health information – Applicant’s information emailed to others by respondent’s employee in response to a third party’s claim under the Fair Work Act 2009 (Cth) – Employee responded to claim in her personal capacity for purpose extraneous to that of respondent – Conduct not attributable to respondent
Legislation Cited:	Privacy and Personal Information Protection Act 1998 (NSW) Health Records and Information Privacy Act 2002 (NSW) Fair Work Act 2009 (Cth) Civil and Administrative Tribunal Act 2013 (NSW) Civil and Administrative Tribunal Rules 2014 (NSW) Administrative Decisions Review Act 1997 (NSW) Western Sydney University Act 1997 (NSW)
Cases Cited:	C.F. [2015] FWC 5272 Director General, Department of Education and Training v MT [2006] NSWCA 270 KO and KP v Commissioner of Police, New South Wales Police [2005] NSWADTAP 56 OD v Department of Education and Training [2005] NSWADTAP 74
Category:	Principal judgment
Parties:	BXK (Applicant) Western Sydney University (Respondent)
Representation:	Counsel: B Tronson (Respondent)   Solicitors: BXK (Applicant in person) Thomson Geer (Respondent)
File Number(s):	1510316
Publication restriction:	It is prohibited to disclose the name of the applicant, except for the purposes of the proceedings or for the respondent’s reporting requirements. Access to the Tribunal files in this matter, other than by the parties to the proceedings and their legal representatives, is prohibited.

REASONS FOR DECISION

1. These proceedings concern the question of whether the respondent (“the University”) breached the applicant’s privacy under the Privacy and Personal Information Protection Act 1998 (NSW) (“PPIP Act”) or the Health Records and Information Privacy Act 2002 (NSW) (“HRIP Act”) when a University employee sent an email containing the applicant’s personal and health information to persons within and outside of the University.

2. I have found that some of the conduct identified by the applicant in her application to the Tribunal was not the subject of her internal review application, and so is outside the scope of the Tribunal’s review. I have also found that the applicant’s complaints about the University’s alleged use and disclosure of her personal and health information, which are within the scope of the review, cannot be sustained, because the relevant conduct was not engaged in for the University’s purposes and is therefore not attributable to the University.

Non-disclosure orders

3. Early in the proceedings, the Tribunal made orders, by consent, prohibiting the disclosure of the applicant’s name, except for the purposes of these proceedings or for the University’s reporting requirements. I have referred to other persons by pseudonyms in this decision where the person’s identity might reveal that of the applicant.

Name of respondent

4. After the hearing had concluded, the respondent informed the Tribunal, by letter copied to the applicant, that the respondent’s name had been changed by statutory amendment from the University of Western Sydney to Western Sydney University (see Western Sydney University Act 1997 (NSW), s 6). I order that the respondent’s name in these proceedings be amended accordingly.

Background

5. The applicant’s privacy complaint arises from an email sent by a University employee, Ms A. Attachments to the email contain the applicant’s personal and health information and, in particular, information about a worker’s compensation claim she had made.

6. A staff member of the University, Ms C, had lodged an application for an order to stop bullying with the Fair Work Commission (“the Fair Work claim”). The claim alleged that Ms A and another staff member, Dr B, had bullied Ms C.

7. Ms A and Dr B were not represented by the University in relation to the Fair Work claim. The University was, however, a party and was served with relevant documents.

8. On 30 October 2014, Ms A sent an email from her University email account to two University staff members and a member of a union, the National Tertiary Education Union (“NTEU”) for the purposes of responding to the Fair Work claim. The NTEU employee who received the email was representing Dr B in the Fair Work proceedings.

9. Ms A attached to the email documents concerning a claim for workers’ compensation made by the applicant. Ms A had been interviewed in relation to the applicant’s Workcover claim and the attachments included a copy of the statement she had made to the investigator as well as emails concerning that claim.

Tribunal hearing

10. The Tribunal conducted a hearing at which a number of witnesses gave evidence and were cross examined. Some of that evidence related to matters over which I have found that the Tribunal does not have jurisdiction, or was otherwise not relevant to the issues which were ultimately determinative. I have not discussed such evidence in this decision.

11. The proceedings the subject of this decision were heard concurrently with two other applications for review under the PPIP Act brought by a different applicant against the University, involving some of the same facts and circumstances. Those proceedings are considered in a separate decision.

Tribunal’s jurisdiction

12. There is no dispute that the applicant applied for internal review within six months of becoming aware of the conduct the subject of her internal review application (see PPIP Act, s 53(3)(d)), or that she applied to the Tribunal within 28 days of being notified of the outcome of the internal review (see Civil and Administrative Tribunal Rules 2014 (NSW), r 24(3)(b) and (4)(a1)). The Tribunal therefore has jurisdiction to review the conduct the subject of her internal review application (see PPIP Act, s 55(1), Civil and Administrative Tribunal Act 2013 (NSW), s 30(1); Administrative Decisions Review Act 1997 (NSW), s 9).

13. The main jurisdictional issue is the identification of the conduct the subject of that application. The applicant’s application to the Tribunal identifies a wide range of conduct of which the applicant seeks review. The Tribunal only has jurisdiction to review conduct of the respondent where the applicant has earlier applied for internal review of that conduct (see PPIP Act, s 55(1) and OD v Department of Education and Training [2005] NSWADTAP 74 at [12]). As the Appeal Panel of the former Administrative Decisions Tribunal commented, “the application for internal review, reasonably construed, sets the scope for the application for review of the conduct by the Tribunal” (KO and KP v Commissioner of Police, New South Wales Police [2005] NSWADTAP 56 at [13]).

14. The University’s position is that the applicant’s application for internal review only raised the disclosure of the applicant’s personal information and that the Tribunal does not have jurisdiction to review other alleged conduct referred to in the application to the Tribunal.

Scope of the Tribunal’s review

15. The internal review application identified the relevant conduct of which the applicant sought review as follows:

● On 30.10.2014 at 2:16pm [Ms A] used her University email account to respond to Natasha Mailo [sic] – UWS, [employee] – NTEU, and [Dr B] – UWS. This email from [Ms A] also included a trail of highly confidential health related correspondence between her and Debbie Brown of the University’s Work Health & Safety Unit, which included information about my health and my claim. In addition to the email trail [Ms A] attached a copy of her statement made to Drew Pearce – Employers Mutual Investigator in relation to my Workcover Claim.

● On 30.10.2014 at 2:16pm Ms A used her University email account to send a copy of her statement to Natasha Mailo (UWS), [employee] at the National Tertiary Education Union (NTEU) and [Dr B], an academic employed by the University. The statement included information about my health and my claim.

● The abovementioned two emails by [Ms A] (and their attachments) constitute a disclosure, breach of security and unauthorised use of my personal information for a secondary purpose, which is the basis of my complaint.

16. The internal review application raises an alleged disclosure by the University of the applicant’s personal and/or health information (through the conduct of an employee in emailing that information to an NTEU employee) and an alleged use by the University of the applicant’s personal and/or health information (through the conduct of an employee in emailing it to University employees).

17. The internal review application also refers to a “breach of security” which is said to have occurred through Ms A’s emails. There is a question as to whether this is sufficient to raise conduct giving rise to an alleged contravention of s 12(c) of the PPIP Act and/or health privacy principle 5(1)(c) (HRIP Act, Sch 1, cl 5(1)(c)). Those principles require the University to ensure that personal and health information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse.

18. The internal reviewer considered whether the University had collected the applicant’s personal information in Ms A’s statement (attached to her email) and found that it had not. She also found that the University had not used or disclosed the personal information in the statement. The internal reviewer commented that there was “no need to examine the security of the personal information contained within the statements” because the University did not hold that information. Finally, she found that the University was exempted from the requirement to comply with the information protection principles in relation to other personal information contained in an attachment to the email, by operation of s 25 of the PPIP Act.

19. The application to the Tribunal is long and detailed. In that application, the applicant complained that:

1. the University had revealed her health information to Ms A without her knowledge or permission for the purpose of requesting Ms A to make a statement to assist the University and its insurer to make a determination on the applicant’s Workcover claim;

2. the University had breached her privacy to a staff member in relation to health information it collected and kept records of within its Work Health and Safety Unit.

3. Ms A was provided with the applicant’s confidential health information by the University and used, distributed and revealed this information in her response to the Fair Work Commission proceedings.

4. The statement made by Ms A to the Employers Mutual Investigator contained misleading, vexatious and defamatory information in relation to the applicant.

5. The University revealed to Ms A that the applicant had lodged a workplace injury claim for “psychological injury.”

6. Ms A should not have distributed correspondence revealing that the applicant had lodged a Workcover claim for “psychological injury” as “she was provided this information as an employee of the University and requested by the University to assist the University by meeting with the University Insurer Investigator to assist the University and its Insurer to make a determination on my claim”.

20. To the extent that the application to the Tribunal raises the University’s alleged conduct in revealing the applicant’s personal or health information to Ms A, I find that this was not raised by the internal review application. Nor does the internal review application complain about the collection of the applicant’s personal or health information or the accuracy of the information provided in Ms A’s statement to an investigator. The allegation in the application to the Tribunal that the University informed Ms A that the applicant had lodged a claim for a psychological injury is not conduct identified in the internal review application. Accordingly, none of this conduct is conduct which the Tribunal is entitled to review.

21. Nor is the issue of the University’s compliance with the obligation to take reasonable security safeguards against the misuse of personal and health information properly before the Tribunal. The alleged “breach of security” in the internal review application is said to be constituted by Ms A’s email and the attachments to it; there is no allegation that Ms A was not entitled to be given access to the applicant’s information in the first place. Reasonably construed, the internal review application raises the issues of the use and disclosure of the applicant’s personal information through the sending of the email, which is the “breach of security” referred to. It does not raise a failure on the part of the University to take reasonable security safeguards against the misuse of personal and health information by providing such information to Ms A or by Ms A providing it to others.

22. The applicant’s submissions to the Tribunal raise an even wider range of conduct; however, it is the internal review application and the application to the Tribunal which are determinative of the issues before the Tribunal. The applicant did not apply to amend her application to the Tribunal and, in any event, the additional issues raised in her submissions were not matters raised in the internal review application.

23. The subject of the Tribunal’s review is thus the University’s alleged conduct in using and disclosing the applicant’s personal and/or health information through the sending of an email by Ms A, a University employee (see PPIP Act, ss 17 and 18 and HRIP Act, Sch 1, cl 10 and 11).

Has the University unlawfully used or disclosed the applicant’s personal or health information through Ms A’s emails?

24. The University submits that it did not use or disclose the applicant’s personal information because Ms A sent the relevant email in her private capacity as a respondent to the Fair Work claim.

25. Ms Natasha Maiolo, a senior employment lawyer employed by the University, gave evidence that she had advised Ms A that she would have to act for herself in relation to the Fair Work claim, following receipt of that claim. Ms Maiolo’s evidence is that at no stage did she direct or request Ms A to prepare a response in relation to the Fair Work claim, to send her or anyone else the relevant attachments to that claim or to send the email of 30 October 2014. Ms Maiolo’s evidence to this effect was unchallenged in cross examination and I accept it.

26. Ms A also gave evidence that, after receiving the Fair Work claim, she enquired with the University as to whether any support was available to assist her in writing her submission and was told that it was not. I accept this evidence.

27. A copy of the Fair Work claim is annexed to an affidavit of Ms Maiolo. The Fair Work claim names Ms A and Dr B as the persons against whom bullying is alleged. It names the University of Western Sydney as being the legal name of the business that employs or engages those persons.

28. It is relevant to consider the statutory context in which the Fair Work claim was made, and the personal liability of Ms A and Dr B as respondents to that claim. The claim was made under s 789FC of the Fair Work Act 2009 (Cth). Section 789FC(1) of that Act provides: “A worker who reasonably believes that he or she has been bullied at work may apply to the FWC for an order under section 789FF.” Section 789FD(1) relevantly provides that a worker is bullied at work if an individual repeatedly behaves unreasonably towards the worker and certain other criteria are met. Section 789FF broadly provides that, if satisfied a worker has been bullied at work, the Fair Work Commission may make an order to prevent the worker from being bullied at work. It is clear that an order under s 789FF may be made against an individual (as occurred, for example, in the case of C.F. [2015] FWC 5272 at [30]). Section 789FG of the Fair Work Act prohibits a person to whom an order under section 789FF applies from contravening such an order and civil penalty provisions apply if such an order is contravened (see Fair Work Act, s 539).

29. I am satisfied, from a consideration of the evidence and the relevant provisions of the Fair Work Act, that Ms A was named in an individual capacity in the Fair Work claim, and that she was exposed to personal liability as a result. If the claim had succeeded, she could have been exposed to an order naming her personally. She was responding to the claim on her own account, without any assistance from the University.

30. For the above reasons, I am satisfied that Ms A’s use or disclosure of the applicant’s personal information, when she sent the email of 30 October 2014, was for a purpose extraneous to any purpose of the University; that is, it was for Ms A’s own purposes in defending a claim against her. Accordingly, the use or disclosure of the applicant’s information should not be characterised as a use or disclosure by the University or as conduct of the University (see Director General, Department of Education and Training v MT [2006] NSWCA 270 at [43]).

31. For these reasons, the University has not contravened any information protection principles or health privacy principles through the conduct of Ms A in sending an email on 30 October 2014.

Orders

32. As the University has not contravened any information protection principles or health privacy principles, the Tribunal decides not to take any action on the matter (PPIP Act, s 55(2)).

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.

Registrar

Decision last updated: 18 October 2016