CGG v Commissioner of Police, NSW Police Force

Case

[2017] NSWCATAD 29

20 January 2017

No judgment structure available for this case.

Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: CGG v Commissioner of Police, NSW Police Force [2017] NSWCATAD 29
Hearing dates: On the papers
Date of orders: 20 January 2017
Decision date: 20 January 2017
Jurisdiction:Administrative and Equal Opportunity Division
Before: Dr J Lucy, Senior Member
Decision:

(1) The second applicant’s application is dismissed.
(2) The Tribunal takes no action on the matter of the first applicant’s application.

Catchwords: PRIVACY – Retention by Commissioner of Police of fingerprints obtained for security licensing purposes under the Security Industry Act 1997 (NSW) – Second applicant failed to apply for internal review – Tribunal lacks jurisdiction in respect of second applicant’s application - Whether Commissioner exempt from compliance with amendment principle – Security Industry Act provides that Commissioner may use fingerprints obtained under that Act for any purpose and confers discretion to refuse application for destruction of fingerprints - Whether Security Industry Act reasonably contemplates non-compliance with obligation to delete personal information upon request where not relevant to purposes of collection and use - Whether Commissioner has contravened obligation to ensure first applicant’s personal information kept for no longer than is necessary for the purposes for which it may lawfully be used – Whether power in Security Industry Act to use fingerprints for any purpose authorises use for purposes extraneous to that Act
Legislation Cited: Privacy and Personal Information Protection Act 1998 (NSW)
Civil and Administrative Tribunal Act 2013 (NSW)
Security Industry Act 1997 (NSW)
Administrative Decisions Review Act 1997 (NSW)
Police Act 1990 (NSW)
Cases Cited: Brownells Ltd v Ironmongers' Wages Board & the Drapers' Wages Board (1950) 81 CLR 108
Department of Education and Training v GA (No 3) [2004] NSWADTAP 50
Padfield v Minister of Agriculture, Fisheries and Food [1968] AC 997
Pitt v OneSteel Reinforcing Pty Limited [2008] FCA 923
Police v Clayton-Smith (2010) 107 SASR 261; [2010] SASC 127
R v Toohey; Ex parte Northern Land Council
(1981) 151 CLR 170
Roncarelli v Duplessis [1959] SCR 121
Shire of Swan Hill v Bradbury (1937) 56 CLR 746
Category:Principal judgment
Parties: CGG (First Applicant)
CGH (Second Applicant)
Commissioner of Police, NSW Police Force (Respondent)
Privacy Commissioner (exercising statutory right to appear)
Representation: Solicitors:
CGG (First Applicant in person)
CGH (Second Applicant in person)
Crown Solicitors Office (Respondent)
Information and Privacy Commission (Privacy Commissioner)
File Number(s): 1510707
Publication restriction: The disclosure of the names of the applicants and any information likely to lead to their identification is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW)

reasons for decision

  1. These proceedings concern the question of whether the Commissioner of Police (“Commissioner”) has an obligation under the Privacy and Personal Information Protection Act 1998 (NSW), in the circumstances of the case, to destroy fingerprints collected for security licensing purposes.

  2. The Commissioner collected the applicants’ fingerprints for licensing identification purposes under the Security Industry Act 1997 (NSW). After retiring from the security industry, the applicants requested the Commissioner to destroy records of their fingerprints. The Commissioner refused to do so.

  3. The applicants claim that the Commissioner has contravened obligations under the Privacy and Personal Information Protection Act to ensure that their personal information is kept for no longer than is necessary for the purposes for which it may lawfully be used (s 12(a)) and to make appropriate amendments by way of deletion of their personal information to ensure that it is relevant having regard to the purpose for which it was collected (or is to be used) (s 15(1)(b)).

  4. I have found that:

  1. The Tribunal has no jurisdiction to hear and determine the second applicant’s application, because she has not applied for internal review of the Commissioner’s conduct;

  2. The respondent is not required, in the circumstances, to comply with s 15 of the Privacy and Personal Information Protection Act, by operation of s 25 of that Act; and

  3. The respondent has not contravened s 12(a) of the Privacy and Personal Information Protection Act.

NON-PUBLICATION ORDER

  1. The Tribunal routinely anonymises the names of applicants in privacy matters (see NCAT Administrative and Equal Opportunity Division Procedural Direction 9: Publication, Anonymisation and Suppression, cl 4.2(b)). This practice recognises that the publication of an individual’s name may be a disincentive to bringing proceedings for review under the privacy legislation, in circumstances where the individual’s privacy is the subject of the proceedings. In many cases, the publication of the name of an individual who is applying for a review of conduct under the privacy legislation would undermine the purpose of the review and the legislative intention of protecting individuals’ privacy.

  2. In this case, having regard to these considerations and to the factual circumstances of this case, I am satisfied that it is desirable to make an order under s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW) (“NCAT Act”) prohibiting the disclosure of the names of the applicants. This prohibition extends to disclosure of information likely to lead to the identification of the applicants (NCAT Act, s 64(4)). I make that order.

DETERMINATION OF THE MATTER ON THE PAPERS

  1. The parties consented to the application being determined on the papers. I am satisfied that the issues for determination can be adequately determined in the absence of the parties by considering any written submissions or any other documents or material lodged with or provided to the Tribunal and make an order dispensing with a hearing: NCAT Act, s 50(2).

BACKGROUND

  1. The applicants, who are married, were directors of a company which operated a business of installing security systems. The company applied for a master licence under the Security Industry Act and the first applicant also applied for a security licence under that Act. At the time of application, the applicants consented to having their fingerprints taken pursuant to s 18(2) of that Act, either as a licence applicant or in the capacity of a close associate of a licence applicant (see Security Industry Act, s 18(6A)).

  2. The applicants sold their company and retired from the security industry.

  3. In July 2014, the first applicant wrote to the respondent, making reference to his retirement from the security industry, and continued:

“As I will no longer be a participant in the Security Industry, the genuine reason for my fingerprints being held in your database no longer exists. Therefore I formally request that the NSW Police Force delete all records of my fingerprints.

My wife…., whose signature appears on this document, also requests that her fingerprints be deleted.”

  1. In November 2014, a representative of the respondent wrote to the first applicant, refusing his application, stating that:

“The NSW Police Force considers that fingerprints obtained from former licensees may have ongoing value and therefore retains all such prints. Accordingly, your request for your fingerprints, and those of your wife, to be destroyed is refused.”

  1. Later the same month, the first applicant lodged a “Privacy complaint: internal review application form” with the respondent. He described the conduct he was complaining about as follows: “refusal to destroy fingerprints as requested in accordance with the provisions of the Security Industry Act 1997.”

  2. In March 2015, an officer of the respondent responded to the first applicant’s “Privacy complaint: internal review application form”. The officer indicated that, prior to an internal review being conducted under s 53 of the Privacy and Personal Information Protection Act, it was a prerequisite that the first applicant’s application be considered in terms of s 15 of that Act; that is, as an application to amend his personal information. The officer then treated the first applicant’s internal review application as an application to amend personal information under s 15 of the Privacy and Personal Information Protection Act and decided to refuse the application to amend (as the officer had construed it).

  3. On 11 November 2015, the applicants applied to the Tribunal for a review of the respondent’s conduct. The respondent did not object to the applicants lodging the application out of time, and the Tribunal made orders extending the time for the making of the application, pursuant to s 41 of the NCAT Act.

SUBMISSIONS

  1. The respondent makes the following submissions:

  1. The Tribunal lacks jurisdiction in respect of the second applicant’s application, as she has not previously applied for internal review in respect of the subject matter of the application;

  2. The respondent is exempt in the circumstances from compliance with s 15 of the Privacy and Personal Information Protection Act due to the operation of s 25 of that Act;

  3. If s 12(a) of the Privacy and Personal Information Protection Act is relevant to the conduct of the respondent, its application is excluded by operation of s 18 of the Security Industry Act;

  4. Alternatively, the application is liable to be struck out as vexatious under s 55 of the NCAT Act on the ground that it constitutes a collateral attack on the respondent’s decision under s 18(6) of the Security Industry Act;

  5. Alternatively, the respondent is exempt in the circumstances from compliance with s 15 (and any other applicable information protection principle, including s 12) of the Privacy and Personal Information Protection Act due to the operation of s 27 of that Act;

  6. Alternatively, the Tribunal lacks jurisdiction in relation to the first applicant’s application, because he has not previously applied for internal review in respect of the subject matter of that application;

  7. Unless the respondent grants an application to destroy the applicant’s fingerprints under s 18(6) of the Security Industry Act, the respondent cannot lawfully dispose of them until the applicants are 80 years of age, due to the operation of s 21(1) of the State Records Act 1998 (NSW) and cl 7.4.3 of “Functional Retention and Disposal Authority 220” (“FA220”).

  1. The applicants’ response to each of these contentions is dealt with, where relevant, in the discussion below.

  2. The Privacy Commissioner exercised her right to appear and be heard in these proceedings: Privacy and Personal Information Protection Act, s 55(6). Her submissions, however, focused upon the issue raised by the respondent concerning the State Records Act, an issue I did not ultimately need to resolve.

NO INTERNAL REVIEW APPLICATION MADE BY SECOND APPLICANT

  1. The second applicant did not dispute that she had not made an internal review application. The “Privacy complaint: internal review application form” submitted by the first applicant makes no reference to the second applicant. For the following reasons, the Tribunal has no jurisdiction to hear and determine the second applicant’s application for review of the respondent’s conduct, given that she has not applied for internal review of that conduct.

  2. The Tribunal has jurisdiction to review conduct of an agency (including an alleged breach of an information protection principle) in accordance with s 55 of the Privacy and Personal Information Protection Act, s 9 of the Administrative Decisions Review Act 1997 (NSW) and ss 28 and 30 of the NCAT Act. Section 55(1) of the Privacy and Personal Information Protection Act provides that, if a person who has made an application for internal review under s 53 is not satisfied with certain matters, he or she may apply to the Tribunal for an administrative review under the Administrative Decisions Review Act of the conduct the subject of the internal review application. Pursuant to s 9(1) of the Administrative Decisions Review Act, the Tribunal has administrative review jurisdiction if enabling legislation provides that applications may be made to the Tribunal for an administrative review under that Act. Pursuant to s 9(2), if the enabling legislation makes provision for applications to be made to the Tribunal subject to certain conditions, the Tribunal has jurisdiction under the enabling legislation only if those conditions are satisfied.

  3. It is implicit in the terms of s 55 of the Privacy and Personal Information Protection Act, and it is well established, that the Tribunal has no jurisdiction to review conduct under that Act unless the applicant has first applied for internal review of the relevant conduct: see, for example, Department of Education and Training v GA (No 3) [2004] NSWADTAP 50 at [7].

  4. This also follows from the provisions of the Administrative Decisions Review Act. It is a “condition” of applying to the Tribunal under s 55(1) of the Privacy and Personal Information Protection Act that the person has first made an internal review application, within s 9(2) of the Administrative Decisions Review Act. As the second applicant has not done so, the Tribunal has no jurisdiction to hear or determine her application.

DISMISSAL OF SECOND APPLICANT’S APPLICATION

  1. Section 55(1)(b) of the NCAT Act empowers the Tribunal to dismiss proceedings “if the Tribunal considers that the proceedings are frivolous or vexatious or otherwise misconceived or lacking in substance.” As Gray J of the Federal Court noted in Pitt v OneSteel Reinforcing Pty Limited [2008] FCA 923 at [9], “the word ‘frivolous’, especially when coupled with ‘vexatious’, is a technical legal term, in substance meaning the absence of a cause of action.” The second applicant does not have a cause of action as she has not applied for internal review. Further, or alternatively, the second applicant’s application is misconceived in the circumstances. The appropriate order is therefore to dismiss that application pursuant to s 55(1)(b) of the NCAT Act.

HAS THE FIRST APPLICANT APPLIED FOR INTERNAL REVIEW?

  1. The next issue is whether the internal review form lodged by the first applicant is properly construed as an internal review application within s 53 of the Privacy and Personal Information Protection Act. The respondent submits that it is not, because the “conduct” of which review is sought is the refusal to amend personal information under s 15 of the Privacy and Personal Information Protection Act and no request for amendment had been made, or any refusal to amend given, prior to lodgement of the internal review form.

  2. In his letter to the respondent of July 2014, written before he lodged the internal review form, the first applicant requested that the respondent “delete all records of my fingerprints”. The respondent submits that this was not a request for the amendment of his records under s 15 of the Privacy and Personal Information Protection Act; rather, it was an application for the destruction of his fingerprints under s 18(5) of the Security Industry Act. Accordingly, the respondent contends, when the first applicant lodged a “Privacy complaint: internal review application form” this was in fact the first time the first applicant had requested the Commissioner to amend his personal information under the privacy legislation. It follows, in the respondent’s submission, that the first applicant has not, in fact, made an application for internal review.

  3. The respondent’s approach to the construction of the first applicant’s request for the deletion of records containing his fingerprints is unduly technical. The first applicant requested amendment of his personal information by way of deletion in his letter of July 2014. Whilst the respondent assumed that this was a request under s 18(5) of the Security Industry Act, this is not stated in the letter itself. Even if the letter is properly characterised as making such a request, in my view, a request for the deletion of fingerprints is capable of being construed as both a request under s 18(5) of the Security Industry Act and a request for the amendment of records under s 15 of the Privacy and Personal Information Protection Act.

  4. Section 15 of the Privacy and Personal Information Protection Act provides as follows:

“A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:

(a) is accurate, and

(b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.”

  1. The section provides for an agency’s obligation when an individual requests the agency to make amendments to his or her personal information. There is no requirement that the individual identify the provision under which the amendments are sought, or refer to the privacy legislation. The obligation obtains when the request is made, irrespective of the individual’s knowledge of or reference to the Privacy and Personal Information Protection Act and irrespective of whether the request has some other legal character.

  2. For these reasons, the first applicant requested an amendment to his personal information, within s 15 of the Privacy and Personal Information Protection Act, in his letter to the respondent of July 2014. The internal review application lodged in November 2014 was what it purported to be. Accordingly, I reject the respondent’s submission that the first applicant did not make an internal review application.

  3. I note also that the first applicant’s internal review application was for the review of “conduct” of the respondent. The relevant conduct is the contravention or alleged contravention by a public sector agency of an information protection principle that applies to the agency: Privacy and Personal Information Protection Act, s 52(1)(a) and (2). This conduct, constituted by the refusal to destroy personal information, may be characterised both as a refusal to amend personal information under s 15 of the Privacy and Personal Information Protection Act (as the respondent characterised it) and as a failure to comply with s 12 of that Act.

  4. Section 12(a) provides that a public sector agency that holds personal information must ensure that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used. The first applicant said in his letter that the respondent had no genuine reason to hold his fingerprints as the first respondent was no longer a participant in the security industry. This is capable of being construed as an allegation that the respondent is keeping the first applicant’s personal information for longer than is necessary for the purposes for which the information may lawfully be used, within s 12(a). Accordingly, even if I am wrong about the letter of July 2014 constituting a request for the amendment of personal information, the internal review application form lodged by the first applicant is properly characterised as an application for review of an alleged failure to comply with s 12 of the Privacy and Personal Information Protection Act.

  5. For these reasons, I reject the respondent’s submission that the Tribunal lacks jurisdiction to determine the first applicant’s application on the basis that he has not applied for internal review of the respondent’s conduct.

IS NON-COMPLIANCE LAWFULLY AUTHORISED?

  1. The respondent contends that the respondent is exempt in the circumstances from compliance with s 15 of the Privacy and Personal Information Protection Act due to the operation of s 25 of that Act. Section 25 provides as follows:

25   Exemptions where non-compliance is lawfully authorised or required

A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:

(a)  the agency is lawfully authorised or required not to comply with the principle concerned, or

(b)  non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).”

  1. Section 18 of the Security Industry Act relevantly provides:

18 Investigation of licence and renewal applications

(1) On receiving an application for a licence or for the renewal of a licence, the Commissioner may carry out all such investigations and inquiries as the Commissioner considers necessary to enable the Commissioner to consider the application properly.

(2) The Commissioner:

(a) may require an applicant for a licence to consent to having his or her fingerprints or palm prints, or both, taken by an authorised officer in order to confirm the applicant’s identity, and

(b) must refuse to grant the licence unless the applicant has provided fingerprints or palm prints in accordance with any such requirement.

(5) A person who formerly held a licence, but is not currently a licensee, or who was an applicant for, but was never granted, a licence, may apply to the Commissioner to have the following destroyed:

(a) the person’s fingerprints or palm prints obtained in accordance with a requirement under subsection (2) and any copies of them,

(b) the person’s photograph obtained in accordance with a requirement under subsection (3) and any copies of it.

(6) The Commissioner may grant or refuse the application as the Commissioner sees fit.

…”

  1. The respondent submits that, pursuant to s 18(6) of the Security Industry Act, the respondent is lawfully authorised and/or permitted (within s 25 of the Privacy and Personal Information Protection Act) not to comply with s 15 of the Privacy and Personal Information Protection Act insofar as that provision may apply to the destruction of records of a kind referred to in s 18(5) of the Security Industry Act. The first applicant states in his submissions that he is not a legal practitioner and will rely upon the Tribunal to determine the correct application of the principles of statutory interpretation.

  2. Section 18(5) of the Security Industry Act authorises a person to apply for the destruction of his or her fingerprints and s 18(6) gives the respondent a broad discretion to determine the application as the respondent sees fit. Section 18(6) contemplates that a request for the deletion of fingerprints (being personal information) may be refused at the respondent’s discretion, even where the information is not relevant having regard to the purpose for which the information was collected (or is to be used) (to use the terms of s 15 of the Privacy and Personal Information Protection Act). Non-compliance with s 15 of the Privacy and Personal Information Protection Act is thus “reasonably contemplated” by s 18(5) of the Security Industry Act.

  3. For these reasons, I find that the effect of s 25 of the Privacy and Personal Information Protection Act is that the respondent is not required, in the circumstances, to comply with s 15 of that Act. Section 25 does not, however, exempt the respondent from compliance with s 12(a) of the Act.

HAS THE RESPONDENT COMPLIED WITH THE OBLIGATION TO KEEP THE FINGERPRINTS NO LONGER THAN NECESSARY?

  1. The first applicant contends that the respondent contravened s 12(a) of the Privacy and Personal Information Protection Act. It is implicit that the first applicant asserts that the respondent did so by failing to ensure that his personal information (in the form of his fingerprints) was kept for no longer than was necessary for the purposes for which the information might lawfully be used.

  2. The first applicant submits as follows:

“The justification for collection of our fingerprints was in accordance with the [Security Industry Act], to provide identification. To suggest that the Commissioner may use that personal information outside the jurisdiction of the [Security Industry Act] is unconscionable. It does not follow that the Commissioner may use that information forever.”

  1. The first applicant’s reference to the justification for collection of his fingerprints is to s 18(2)(a) of the Security Industry Act which relevantly provides that the respondent may require an applicant for a licence (or a close associate) to consent to having his or her fingerprints taken by an authorised officer “in order to confirm the applicant’s identity.”

  2. The respondent relies upon s 18(4) of the Security Industry Act, which provides that the respondent may use any fingerprint obtained under s 18 “for any purpose as the Commissioner sees fit.” The respondent submits that it follows from s 18(4) that the purposes for which the respondent may use the first applicant’s fingerprints are not limited to the verification of his identity for the purpose of his licence application. Further, the respondent submits, in circumstances where the respondent has a general power to use the fingerprints for any purpose, it cannot be suggested that the “lawful purpose” for which prints may be used expired upon the lapsing of the first applicant’s security licence.

  3. The key question is whether, given that the first applicant has retired from the security industry, there remain purposes for which his fingerprints “may lawfully be used” by the Commissioner within s 12(a) of the Privacy and Personal Information Protection Act, in light of s 18 of the Security Industry Act.

  4. There is no direct evidence as to the purpose for which the Commissioner is keeping the first applicant’s fingerprints or as to the purpose for which the Commissioner might use those fingerprints. However, there is some material from which it might be inferred that the Commissioner’s purpose in keeping the fingerprints, and the purpose of any contemplated use of that information, is extraneous to a purpose of exercising functions under the Security Industry Act. The first applicant has provided evidence of the Commissioner (through his officers) using fingerprint information, obtained under s 18 of the Security Industry Act, for law enforcement purposes to identify the suspect in a crime. The first applicant has also provided evidence that he can no longer work in the security industry. I accept his evidence, which was not challenged. A member of the NSW Police Force stated, in a letter to the applicant, that the NSW Police Force retains all prints, for their “ongoing value.” As the Privacy Commissioner submitted, the retention of the first applicant’s fingerprints cannot be (or at least appears very unlikely to be) connected with his licence application under the Security Industry Act.

  5. I accept the respondent’s submission that the effect of s 18(4) of the Security Industry Act is that the lawful purposes for which a fingerprint obtained under s 18 may be used are not limited to the verification of a person’s identity. However, there is a separate question as to whether s 18(4) authorises the use of fingerprints after the relevant individual has ceased to hold a security licence (or to be a close associate of a licence holder).

  6. An authority exercising a statutory power is required to exercise the power for the purpose for which the power is conferred: Brownells Ltd v Ironmongers' Wages Board & the Drapers' Wages Board (1950) 81 CLR 108; R v Toohey; Ex parte Northern Land Council (1981) 151 CLR 170 at 186, 202-203, 217, 225, 229, 233. If the authority exercises the power for a different purpose, the exercise of power may be invalid. Whether it is invalid “will depend on the statute conferring the power under which the decision was made or discretion exercised”: Police v Clayton-Smith (2010) 107 SASR 261; [2010] SASC 127 at [17]. The nature and extent of the power must be inferred from a construction of the Act read as a whole: Padfield v Minister of Agriculture, Fisheries and Food [1968] AC 997 at 1033; R v Toohey; Ex parte Northern Land Council (1981) 151 CLR 170 at 186.

  7. Notwithstanding the breadth of the express provision in s 18(4) of the Security Industry Act that fingerprints may be used “for any purpose as the Commissioner sees fit,” the purposes for which the power may be exercised are not unlimited. As Rand J of the Supreme Court of Canada said of an exercise of a discretion to cancel a licence in Roncarelli v Duplessis [1959] SCR 121 at 140, in a passage quoted by Aickin J in R v Toohey; Ex parte Northern Land Council (1981) 151 CLR 170 at 257:

“In public regulation of this sort there is no such thing as absolute and untrammelled 'discretion', that is that action can be taken on any ground or for any reason that can be suggested to the mind of the administrator; no legislative Act can, without express language, be taken to contemplate an unlimited arbitrary power, exercisable for any purpose, however capricious or irrelevant, regardless of the nature or purpose of the statute. Fraud and corruption in the Commission may not be mentioned in such statutes but they are always implied as exceptions. 'Discretion' necessarily implies good faith in discharging public duty; there is always a perspective within which a statute is intended to operate; and any clear departure from its lines or objects is just as objectionable as fraud or corruption.”

  1. Stephen J also cited this passage with apparent approval (R v Toohey; Ex parte Northern Land Council (1981) 151 CLR 170 at 214-215).

  2. In the context of a statutory power where a purpose for the exercise of a discretion is not specified, the purpose of the discretion is to be ascertained by reference to the scope and object of the instrument conferring it: Shire ofSwan Hill v Bradbury (1937) 56 CLR 746, Dixon J at 758. The question here is whether, where the legislature has stipulated that a power may be used for “any purpose,” it may be used for a purpose extraneous to a purpose of the statute in question. The intention of the legislature is to be ascertained by the application of ordinary principles of statutory construction.

  3. The express reference to “any purpose” in s 18(4) is sufficient, in my view, to express a legislative intention that the Commissioner may use fingerprints and other information referred to in s 18(4) for purposes beyond the exercise of the Commissioner’s functions under the Security Industry Act. Whilst s 18(4) clearly does not authorise the use of such information for a corrupt purpose (see R v Toohey; Ex parte Northern Land Council (1981) 151 CLR 170, Aickin J at 232), the stipulation that the Commissioner may use the fingerprints for “any purpose as the Commissioner sees fit” means, in my view, that the Commissioner may use them for (at least) any purpose consistent with the Commissioner’s statutory functions or those of the NSW Police Force for which the Commissioner is responsible (see Police Act 1990 (NSW), ss 6 and 8).

  4. It follows from the above that there are continuing purposes for which the first applicant’s fingerprints may lawfully be used (within s 12(a) of the Privacy and Personal Information Protection Act) after the first applicant ceased to have any role in the security industry. For this reason, I am not satisfied that the Commissioner has kept the first applicant’s fingerprints for longer than is necessary for the purposes for which the information in those fingerprints may lawfully be used.

  5. Accordingly, there has been no contravention of s 12(a) in the circumstances of the case.

OTHER GROUNDS

  1. As I have found that the respondent is not required to comply with s 15 of the Privacy and Personal Information Protection Act and that the respondent has not contravened s 12(a) of that Act, it is not necessary to consider the respondent’s other submissions, including that the respondent is not required to comply with the information protection principles by operation of 27.

  2. The Commissioner has not contravened any information protection principle with which the Commissioner is required to comply. For this reason, the Tribunal decides not to take any action on the matter of the first applicant’s application (Privacy and Personal Information Protection Act, s 55(2)).

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 20 January 2017

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

1

Reynolds v Registrar of Births, Deaths and Marriages [2024] NSWCATAD 255
Cases Cited

6

Statutory Material Cited

5

Department of Education and Training v GA (No 3) [2004] NSWADTAP 50
Pitt v OneSteel Reinforcing Pty Limited [2008] FCA 923
Police v Clayton-Smith [2010] SASC 127