CCM v Western Sydney University

Civil and Administrative Tribunal

New South Wales

Medium Neutral Citation:	CCM v Western Sydney University [2016] NSWCATAD 234
Hearing dates:	14, 15 and 31 March 2016
Date of orders:	18 October 2016
Decision date:	18 October 2016
Jurisdiction:	Administrative and Equal Opportunity Division
Before:	Dr J Lucy, Senior Member
Decision:	(1) The respondent’s name is changed from University of Western Sydney to Western Sydney University. (2) No action is to be taken on the matters raised by the applicant in proceedings 1510426 and 1510427.
Catchwords:	PRIVACY – Scope of application to Tribunal – Whether conduct the subject of Tribunal application was also the subject of the internal review application – Some conduct not the subject of internal review application so beyond the scope of the Tribunal’s jurisdiction – Whether respondent unlawfully used or disclosed the applicant’s personal information – Applicant’s personal information emailed to others by or on behalf respondent’s employees in response to a third party’s proceedings under the Fair Work Act 2009 (Cth) – Employees responding to claim in their personal capacity for purpose extraneous to that of respondent –Conduct not attributable to respondent
Legislation Cited:	Privacy and Personal Information Protection Act 1998 (NSW) Fair Work Act 2009 (Cth) Civil and Administrative Tribunal Act 2013 (NSW) Civil and Administrative Tribunal Rules 2014 (NSW) Administrative Decisions Review Act 1997 (NSW) Western Sydney University Act 1997 (NSW)
Cases Cited:	C.F. [2015] FWC 5272 Director General, Department of Education and Training v MT [2006] NSWCA 270 OD v Department of Education and Training [2005] NSWADTAP 74
Category:	Principal judgment
Parties:	CCM (Applicant) Western Sydney University (Respondent)
Representation:	Counsel: B Tronson (Respondent)   Solicitors: CCM (Applicant in person) Thomson Geer (Respondent)
File Number(s):	1510426 and 1510427
Publication restriction:	It is prohibited to disclose the name of the applicant, except for the purposes of the proceedings or for the respondent’s reporting requirements. Access to the Tribunal files in this matter, other than by the parties to the proceedings and their legal representatives, is prohibited.

REASONS FOR DECISION

1. These proceedings concern the question of whether the respondent (“the University”) breached the applicant’s privacy under the Privacy and Personal Information Protection Act 1998 (NSW) (“PPIP Act”) through the sending of emails containing the applicant’s personal information.

2. I have found that some of the privacy complaints that the applicant made in her application to the Tribunal (including about the collection of her personal information by the University) were not contained in the applicant’s internal review application, and so are outside the scope of the Tribunal’s review. I have also found that the applicant’s complaints about the University’s use and disclosure of her personal information, which are within the scope of the review, cannot be sustained, because the relevant conduct was not engaged in for the University’s purposes, and is not attributable to the University.

Non-disclosure orders

3. Early in the proceedings, the Tribunal made orders, by consent, prohibiting the disclosure of the applicant’s name, except for the purposes of these proceedings or for the University’s reporting requirements. I have referred to other persons by pseudonyms in this decision where the person’s identity might reveal that of the applicant.

Name of respondent

4. After the hearing had concluded, the respondent informed the Tribunal, by letter copied to the applicant, that the respondent’s name had been changed by statutory amendment from the University of Western Sydney to Western Sydney University (see Western Sydney University Act 1997 (NSW), s 6). I order that the respondent’s name in these proceedings be amended accordingly.

Background

5. The applicant’s privacy complaints concern emails sent by a University employee, Ms A, and on behalf of another University employee, Dr B, in response to a third party’s claim under the Fair Work Act 2009 (Cth). The emails both contain sensitive information about the applicant.

6. A staff member of the University, Ms C, had lodged an application for an order to stop bullying with the Fair Work Commission (“the Fair Work claim”). The claim alleged that Ms A and Dr B had bullied Ms C.

7. Ms A and Dr B were not represented by the University in relation to the Fair Work claim. The University was, however, a party and was served with relevant documents.

8. On 27 October 2014, an employee of the NTEU, who was representing Dr B in the proceedings in the Fair Work Commission, sent an email to the Commission and staff members of the University containing the applicant’s personal information. The email attached a response to the Fair Work claim and a witness statement in relation to that claim.

9. On 30 October 2014, Ms A sent an email from her University email account to two University staff members and a member of a union, the National Tertiary Education Union (“NTEU”). The email was a response to allegations made against her in Ms C’s Fair Work claim and also contained the applicant’s personal information.

Tribunal proceedings

10. The applicant applied for internal review of the University’s alleged conduct in respect of the email sent by Ms A and in respect of the email sent on behalf of Dr B. The internal reviewer found in both cases that the University had not contravened any information protection principles.

11. The applicant then made two separate applications to the Tribunal for a review of the University’s conduct in respect of the sending of an email by Ms A (proceedings 1510427) and in respect of the sending of an email on behalf of Dr B (proceedings 1510426).

12. The Tribunal conducted a hearing at which a number of witnesses gave evidence and were cross examined. Some of that evidence related to matters over which I have found that the Tribunal does not have jurisdiction, or was otherwise not relevant to the issues which were ultimately determinative. I have not discussed such evidence in this decision.

13. The proceedings the subject of this decision were heard concurrently with another application for review under the PPIP Act brought by a different applicant against the University, involving some of the same facts and circumstances. Those proceedings are considered in a separate decision.

Tribunal’s jurisdiction

14. There is no dispute that the applicant applied for internal review within six months of becoming aware of the conduct the subject of her internal review applications (see PPIP Act, s 53(3)(d)), or that she applied to the Tribunal within 28 days of being notified of the outcome of the internal review (see Civil and Administrative Tribunal Rules 2014 (NSW), r 24(3)(b) and (4)(a1)). The Tribunal therefore has jurisdiction to review the conduct the subject of her internal review applications (see PPIP Act, s 55(1), Civil and Administrative Tribunal Act 2013 (NSW), s 30(1); Administrative Decisions Review Act 1997 (NSW), s 9).

15. The main jurisdictional issue is the identification of the conduct the subject of those applications. The applicant’s applications to the Tribunal raise the use and disclosure of the applicant’s personal information, as well as other conduct such as the retention, security and collection of her information. The Tribunal only has jurisdiction to review conduct of the respondent which the applicant has identified in her application for internal review (see PPIP Act, s 55(1) and OD v Department of Education and Training [2005] NSWADTAP 74 at [12]).

16. The University’s position is that the applicant’s application for internal review primarily raised the disclosure of the applicant’s personal information and that the Tribunal does not have jurisdiction to review other alleged conduct referred to in the applications to the Tribunal.

Scope of the Tribunal’s review in respect of Ms A’s emails

17. The relevant part of the applicant’s application for internal review of the University’s conduct in respect of Ms A’s emails is as follows:

“5. I am aware that on 30 October 2014 at 2:16 pm [Ms A] used her University email account to respond to [an employee] – UWS, [an employee] – NTEU, and [Dr B] – UWS. This email from [Ms A] also included information relating to highly confidential investigatory matters in statements, which included information about myself and my sister, a graduate of the University of Western Sydney; investigations; making defamatory statements that I and my sister were charged with corruption.

6. On 30 October 2014 at 2:16pm [Ms A] used her University email account to send a copy of her email and statement to [an employee] (UWS), [an employee] at the National Tertiary Education Union (NTEU) AND [Dr B], an academic employed by the University. The statements included information about investigations of corruption, naming myself and my sister, a graduate of the University of Western Sydney.

7. The above mentioned two emails by [Ms A], with attachments, institute a disclosure of her breach of security and unauthorised use of private and confidential information for a secondary purpose, which forms the basis of my complaint for the breach of my privacy and confidentiality.”

18. The internal review application also refers to Ms A making “defamatory statements that I and my sister were charged with corruption.”

19. In her application to the Tribunal, the applicant complained that, through Ms A’s emails, the University unlawfully used and disclosed the applicant’s personal information and that Ms A’s emails evidenced that the University collected and stored the applicant’s personal information. The applicant also alleged in her application to the Tribunal that the information about the applicant attached to Ms A’s emails is “false misleading and vexatious” and “inaccurate and invalid.”

20. I accept the respondent’s submission that the internal review application does not put in issue the collection or storage of the applicant’s personal information. Any conduct of the University concerning the collection and storage of the applicant’s personal information was not “the subject of” the applicant’s internal review application under s 53 of the PPIP Act, so the Tribunal has no jurisdiction to consider it (see PPIP Act, s 55(1)).

21. The University also submits that the internal review application does not raise the issue of the accuracy of the applicant’s personal information which is contained in that email. The University is obliged to take reasonable steps to ensure that personal information is accurate before using it (PPIP Act, s 16) and is also obliged to ensure that personal information is accurate when an individual requests it to amend that information (PPIP Act, s 15). The applicant did not request the University to amend her personal information in the email; accordingly, the only provision of potential relevance where accuracy of information is concerned is s 16 of the PPIP Act.

22. The reference in the applicant’s application for internal review to a “defamatory” statement made in Ms A’s email could, possibly, be sufficient to raise the University’s obligation to ensure the accuracy of the applicant’s personal information before using it. I will assume that this is the case, without deciding the issue. Ultimately, it has not been necessary for me to do so, because I have found that any use of the information by the sending of the email was not a use by the University.

23. The internal review application clearly raises the issue of the use of the applicant’s personal information (that is, through an email to other University staff members) and the disclosure of that information (through an email to the NTEU). However, the conduct which is identified is only Ms A’s conduct in sending an email on 30 October 2014. The applicant has subsequently raised, in her submissions, the University’s conduct in “trimming” (electronically storing) the email. If this is properly characterised as a “use” of the applicant’s personal information, it is not conduct which was raised in the applicant’s internal review application, so it is not conduct the subject of the Tribunal’s review.

Scope of the Tribunal’s review in respect of the email sent on behalf of Dr B

24. The relevant part of the applicant’s application for internal review of the University’s conduct in respect of the email sent by an NTEU employee on behalf of Dr B is as follows:

“6. I am aware that on 27 October 2014 at 3:47pm the NTEU representative for [Dr B] used her NTEU email account to respond to the Fair Work Commission on behalf of [Dr B], forwarding the email with attachments to [a staff member] – UWS, [a male person] – NTEU, and [Dr B] – UWS. This email from included [sic] information in a Statement prepared by NTEU from [Dr B’s] information relating to highly confidential investigatory matters, which included information about myself and my sister, a graduate of the University of Western Sydney; investigations; making defamatory statements that I and my sister were charged with corruption.

7. The above mentioned email, with attachments, institute a disclosure of the breach of security and unauthorised use of private and confidential information for a secondary purpose, which forms the basis of my complaint for the breach of my privacy and confidentiality.”

25. A later paragraph in the internal review application requests the University to inform the applicant “what actions the University will be undertaking to rectify and compensate on this matter and prevent any further breaches of my private and confidential information by [Dr B].”

26. The applicant’s application to the Tribunal alleges that the University has unlawfully used and disclosed the applicant’s personal information, through the NTEU representative sending an email on behalf of Dr B. This conduct is conduct the subject of the internal review application. In the application to the Tribunal (which is lengthy), the applicant also identifies other alleged conduct of the University, including the following:

1. The University solicited and collected correspondence from Dr B through its staff and investigators engaged by it, which included the applicant’s personal information, and this information was confidential;

2. Dr B provided information that was inaccurate and invalid in order to slander, defame and discredit the applicant in the Fair Work matter;

3. The University allowed Dr B to use inaccurate information to slander, defame and discredit the applicant, as it was first sent to a staff member of the University prior to being sent to the Fair Work Commission;

4. The University has breached the collection principles as the information provided by Dr B was solicited by the University during investigations it conducted, then used unlawfully for the Fair Work matter.

27. To the extent that the application to the Tribunal seeks to raise the University’s compliance with the collection principles, I find that this is beyond the Tribunal’s jurisdiction as this was not raised by the applicant’s internal review application. The reference to breaches of the applicant’s private information by Dr B in that application indicates that the applicant was focused on Dr B’s actions or actions taken on his behalf, and not upon the actions of any other employee of the University prior to or after the sending of the email of 27 October 2014.

28. The application to the Tribunal refers to the accuracy of personal information contained in the email sent by the NTEU representative. As with the email sent by Ms A, the applicant did not request the University to amend any of her personal information contained in the email or its attachments, so that s 15 of the PPIP Act is not in issue. The only provision of potential relevance to an allegation that personal information in the NTEU employee’s email was inaccurate is s 16 of the PPIP Act. The reference in the applicant’s internal review application to “defamatory statements” may, arguably, raise the accuracy of the applicant’s personal information; however, it is unnecessary for me to decide this, as I have found that the University is not responsible for any use of the applicant’s information in that email for the reasons which follow.

29. Finally, the internal review application refers to a “disclosure of the breach of security”; however, in my view, this is not sufficient to raise s 12 of the PPIP Act (“retention and security”). On a fair reading, the complaint is about the use and/or disclosure of the applicant’s personal information through the NTEU employee’s email, and not about the way the University protects personal information. Further, notwithstanding that the applicant’s submissions allege a breach of the retention and security principle, the application to the Tribunal does not allege that the University failed to take such security safeguards as are reasonable in the circumstances to protect personal information against misuse (see PPIP Act, s 12(c)).

30. Accordingly, the only conduct the subject of the Tribunal’s review in respect of the email sent on behalf of Dr B is the alleged breach of the use and disclosure principles.

Has the University unlawfully used or disclosed the applicant’s personal information through Ms A’s emails?

31. The applicant submits that Ms A’s emails evidence Ms A’s and the University’s breach of the confidentiality of her personal information that was collected in earlier confidential investigations conducted by or on behalf of the University. She says that the University’s staff have breached the confidentiality of those investigations by not securing the information to prevent unauthorised access of the information they collected and held. She refers in her submissions to emails sent by Ms A on 28 October 2014 and 30 October 2014.

32. The applicant also submits that she was not a party to the Fair Work claim, that Ms A had no reason to name her in her response submissions and that Ms A was responsible for ensuring that the applicant consented to any disclosure of the applicant’s personal information contained in Ms A’s Fair Work response. The applicant’s position is that Ms A was an employee of the University and that the University was liable for Ms A’s conduct.

33. As already indicated, the issues of collection and storage are not within the Tribunal’s jurisdiction. The complaint about any breach of the PPIP Act on 28 October 2014 is also outside the Tribunal’s jurisdiction, not having been raised in the applicant’s internal review application.

34. The University submits that it did not use or disclose the applicant’s personal information because Ms A sent the relevant email in her private capacity as a respondent to the Fair Work claim.

35. Ms Natasha Maiolo, a senior employment lawyer employed by the University, gave evidence that she had advised both Ms A and Dr B that they would have to act for themselves in relation to the Fair Work Claim, following receipt of that claim. Her evidence is that at no stage did she direct or request Ms A to prepare a response in relation to the Fair Work claim, to send her or anyone else the relevant attachments to that claim or to send the email of 30 October 2014. Ms Maiolo’s evidence to this effect was unchallenged in cross examination and I accept it.

36. Ms A also gave evidence that, after receiving the Fair Work claim, she enquired with the University as to whether any support was available to assist her in writing her submission and was told that it was not. I accept this evidence.

37. A copy of the Fair Work claim is annexed to an affidavit of Ms Maiolo. The Fair Work claim names Ms A and Dr B as the persons against whom bullying is alleged. It names the University of Western Sydney as being the legal name of the business that employs or engages those persons.

38. It is relevant to consider the statutory context in which the Fair Work claim was made, and the personal liability of Ms A and Dr B as respondents to that claim. The claim was made under s 789FC of the Fair Work Act. Section 789FC(1) of that Act provides: “A worker who reasonably believes that he or she has been bullied at work may apply to the FWC for an order under section 789FF.” Section 789FD(1) relevantly provides that a worker is bullied at work if an individual repeatedly behaves unreasonably towards the worker and certain other criteria are met. Section 789FF broadly provides that, if satisfied a worker has been bullied at work, the Fair Work Commission may make an order to prevent the worker from being bullied at work. It is clear that an order under s 789FF may be made against an individual (as occurred, for example, in the case of C.F. [2015] FWC 5272 at [30]). Section 789FG of the Fair Work Act prohibits a person to whom an order under section 789FF applies from contravening such an order and civil penalty provisions apply if such an order is contravened (see Fair Work Act, s 539).

31. I am satisfied, from an consideration of the evidence and the relevant provisions of the Fair Work Act, that Ms A was named in an individual capacity in the Fair Work claim, and that she was exposed to personal liability as a result. If the claim had succeeded, she could have been exposed to an order naming her personally.

32. For the above reasons, I am satisfied that Ms A’s use or disclosure of the applicant’s personal information, when she sent the email of 30 October 2014, was for a purpose extraneous to any purpose of the University; that is, for Ms A’s own purposes in defending a claim against her. Accordingly, the use or disclosure of the applicant’s information should not be characterised as a use or disclosure by the University or as conduct of the University (see Director General, Department of Education and Training v MT [2006] NSWCA 270 at [43]).

33. For these reasons, the University has not contravened any information protection principles through the conduct of Ms A in sending an email on 30 October 2014.

Has the University unlawfully used or disclosed the applicant’s personal information through the email sent on behalf of Dr B?

42. The University’s primary position is that the University did not use or disclose the applicant’s personal information when the NTEU employee representing Dr B sent the email of 27 October 2014, because the NTEU employee was not employed by the University. It submits that the University was not in a position to control or direct the NTEU employee in relation to any matter. It also says that any use or disclosure occurred for a purpose extraneous to any purpose of the University and was thus not a “use” or “disclosure” within ss 16 to 19 of the PPIP Act.

43. As indicated above, I accept Ms Maiolo’s evidence that she told Dr B the University could not act for him in relation to the Fair Work claim. It is not in dispute that the NTEU employee who sent the relevant email was acting for Dr B in relation to that claim. I am satisfied that Dr B was named as a respondent to the Fair Work proceedings in his private capacity. I am also satisfied that the NTEU employee’s email, sent on behalf of Dr B, was sent for a purpose extraneous to the University’s purposes; that is, it was sent for Dr B’s purposes of responding to a claim which named him personally as a respondent.

44. For these reasons, any use or disclosure of the applicant’s personal information by or on behalf of Dr B when the NTEU representative sent the email of 27 October 2014 was not the University’s conduct for the purposes of the PPIP Act (see Director General, Department of Education and Training v MT [2006] NSWCA 270 at [43]). Accordingly, the University did not contravene any information protection principles when that email was sent.

45. Any other conduct raised by the applicant in her application to the Tribunal was not raised in her application for internal review, and so is not properly before the Tribunal.

Orders

46. As the University has not contravened any of the information protection principles, the Tribunal decides not to take any action on the matters raised by the applicant (PPIP Act, s 55(2)).

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.

Registrar

Decision last updated: 18 October 2016