CJU v Northern Sydney Local Health District

Case

[2019] NSWCATAD 236

13 November 2019

No judgment structure available for this case.

Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: CJU v Northern Sydney Local Health District [2019] NSWCATAD 236
Hearing dates: On the papers
Date of orders: 13 November 2019
Decision date: 13 November 2019
Jurisdiction:Administrative and Equal Opportunity Division
Before: C Ludlow, Senior Member
Decision:

(1) The Tribunal finds that no breach of the Privacy and Personal Information Protection Act 1998 has been established.
(2) Pursuant to s 55(2) of the Privacy and Personal Information Protection Act 1998 no action will be taken in the matter.
(3)   The parties may file written submissions on costs within 28 days of the publication of these reasons.

Catchwords: ADMINISTRATIVE LAW – privacy – whether an application for internal review has been made – whether the alleged conduct is established – alleged disclosure and use of personal information –- alleged disclosure to legal representative and employee - judicial functions exemption.
Legislation Cited: Civil and Administrative Tribunal Act 2013 (NSW)
Government Information (Public Access) Act 2009 (NSW)
Privacy and Personal Information Protection Act 1998 (NSW)
Cases Cited: ALZ v Lismore City Council [2016] NSWCATAD 20
ALZ v Safework NSW [2017] NSWCATAP 51
CJU v Northern Sydney Local Health District [2018] NSWCATAD 223
GA v Commissioner of Police, NSW Police [2004] NSWADT 254
GA v NSW Police (GD) [2005] NSWADTAP 38
GL v Director-General, Department of Education and Training [2003] NSWADT 166
KP v Narrandera Shire Council [2011] NSWADTAP 15
NZ v Director General, NSW Department of Housing [2005] NSWADT 58
Texts Cited: None cited
Category:Principal judgment
Parties: CJU (Applicant)
Northern Sydney Local Health District (Respondet)
Representation: Solicitors:
Applicant (Self Represented)
Bartier Perry (Respondent)
File Number(s): 2019/00083467
Publication restriction: Pursuant to s64(1)(a) of the Civil and Administrative Tribunal Act 2013 the publication of the name of the applicant is prohibited.Pursuant to s 64(1)(c) of the Civil and Administrative Tribunal Act 2013 the publication of the material contained in the applicant’s submissions lodged with the Tribunal in these proceedings is prohibited.

REASONS FOR DECISION

Background

  1. The applicant CJU seeks a review of claimed breaches of her privacy contrary to the Privacy and Personal Information Protection Act 1998 (PPIP Act).

  2. This application was filed on 14 March 2018, and states under the heading “Decision for review”:

“No outcome of the internal review application of breach of privacy, but was not more than a cover up for the poor conducts of seniors in NSLHD time after time, and NSLHD did not try to find out why the breaches occur and adding another breach of my privacy by contacting more and more people again without my consent. I wrote to Chair an email which was acknowledged it will be given to him (attached) two days latter many people knew about it. ”

  1. The grounds for the review are said to be:

“The NSLHD failed to abide by the law and breached my privacy to cover up and failed to provide me with outcome for internal review of the breach of my privacy …

I am seeking remedy and damages.”

The nature of the proceedings

  1. The applicant attached to her first application an email dated 30 November 2018 which is addressed to “the Chair of NSLHD” and states:

“I discovered as below that my privacy and information has been breached while the Executive of the organisation sensor (sic) and check the correspondence to you and the Board. I was assured that the email will be directed to the Board of NSLHD.

In NCAT 15 August 2018, Carol Parker and Darren Gardner stated that I sent you and the Board.

Did you go to tell Carol Parker or the Chief Executive instead of investigating the matter and while you received my concern about this on 15 August you still did nothing.”

  1. A further email dated 15 August 2018 is also attached which states:

“To the Chair of the Board

NSLHD

May I let you know that today 15 August Carol Parker from NSLHD and coach Darren Gardner stated that they received my email below which I sent to you and NSLHD Board members.

Which I believe means that the Chief Executive Officer sensors all the emails sent to NSLHD Board either Chair or members. …I believe that the public should be advised about that sensorship. …”

  1. There follows a sequence of emails including an email from the applicant dated 11 August 2018 addressed to an email address “[email protected]”. This is a website operated by the respondent to allow patients and family members to provide feedback on services. The applicant’s email concerned other proceedings in this Tribunal in which she was a party, her claims of various misconduct, unconscionable conduct and coverups against officers and agents of the respondent and an application for access to information under the Government Information (Public Access) Act 2009 (GIPA Act).

  2. The respondent submits that the email dated 15 August 2018 refers to other proceedings between the same parties heard by Senior Member Hamilton on that date (CJU v Northern Sydney Local Health District [2018] NSWCATAD 223). Ms Parker was a witness in those proceedings and Mr Gardner was the solicitor on the record for the respondent.

  3. In her submissions the applicant describes her email of 11 August as follows:

“…It was a 12 points complaints and in it I asked to Audit and to Act and to investigate my complaint.

On the 11 August or just after, the Chair, who received this information, instead of investigating it according to the policy of NSW Health,

He disclosed my details and the complaint contents to Carol Parker,

Which was a breach of my privacy, and misuse of the information for other purposes different than that of the original purpose of collecting the information (which was collected for a complaint and proper investigation).”

  1. She goes on to complain that her emails were quoted by the respondent in the other proceedings in this Tribunal on 15 August which was also, she alleges, a breach of her privacy as being “use of information for other purposes other than what was collected for.”

  2. She also complains that on 30 November 2018 she submitted “an official request for an internal review for the above mentioned breaches”.

  3. She attaches an email dated 10 December which states:

“I have applied for an internal review on 30 Nov 2019 as per the email below. I did not receive any acknowledgement of the request for my application as required by law.”

Relevant legislation

  1. Section 6 of the PPIP Act provides:

“6 Courts, tribunals and Royal Commissions not affected

(1)   Nothing in this Act affects the manner in which a court or tribunal, or the manner in which the holder of an office relating to a court or tribunal, exercises the court’s, or the tribunal’s, judicial functions.

(2)   Nothing in this Act affects the manner in which a Royal Commission, or any Special Commission of Inquiry, exercises the Commission’s functions.

(3)   In this section, judicial functions of a court or tribunal means such of the functions of the court or tribunal as relate to the hearing or determination of proceedings before it, and includes:

(a)   in relation to a Magistrate—such of the functions of the Magistrate as relate to the conduct of committal proceedings, and

(b) in relation to a coroner—such of the functions of the coroner as relate to the conduct of inquests and inquiries under the Coroners Act 2009.”

  1. Sections 17 and 18 provide:

“17 Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:

(a)   the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b)   the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c)   the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

18 Limits on disclosure of personal information

(1)   A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:

(a)   the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b)   the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c)   the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

(2)   If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.”

  1. Section 53 provides:

“53 Internal review by public sector agencies

(1)   A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.

(1A)   There is no entitlement under this section to the review of the conduct of a Minister (or a Minister’s personal staff) in respect of a contravention of section 15 (Alteration of personal information).

Note. Any such conduct can still be administratively reviewed by the Tribunal. See section 55 (1A).

(2)   The review is to be undertaken by the public sector agency concerned.

(3)   An application for such a review must:

(a)   be in writing, and

(b)   be addressed to the public sector agency concerned, and

(c)   specify an address in Australia to which a notice under subsection (8) may be sent, and

(d)   be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and

(e)   comply with such other requirements as may be prescribed by the regulations.

(4)   Except as provided by section 54 (3), the application must be dealt with by an individual within the public sector agency who is directed by the agency to deal with the application. That individual must be, as far as is practicable, a person:

(a)   who was not substantially involved in any matter relating to the conduct the subject of the application, and

(b)   who is an employee or officer of the agency, and

(c)   who is otherwise suitably qualified to deal with the matters raised by the application.

(5)   In reviewing the conduct the subject of the application, the individual dealing with the application must consider any relevant material submitted by:

(a)   the applicant, and

(b)   the Privacy Commissioner.

(6)   The review must be completed as soon as is reasonably practicable in the circumstances. However, if the review is not completed within 60 days from the day on which the application was received, the applicant is entitled to make an application under section 55 to the Tribunal for an administrative review of the conduct concerned.

(7)   Following the completion of the review, the public sector agency whose conduct was the subject of the application may do any one or more of the following:

(a)   take no further action on the matter,

(b)   make a formal apology to the applicant,

(c)   take such remedial action as it thinks appropriate (eg the payment of monetary compensation to the applicant),

(d)   provide undertakings that the conduct will not occur again,

(e)   implement administrative measures to ensure that the conduct will not occur again.

(7A)   A public sector agency may not pay monetary compensation under subsection (7) if:

(a)   the applicant is a convicted inmate or former convicted inmate or a spouse, partner (whether of the same or the opposite sex), relative, friend or an associate of a convicted inmate or former convicted inmate, and

(b)   the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and

(c)   the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.

(8)   As soon as practicable (or in any event within 14 days) after the completion of the review, the public sector agency must notify the applicant in writing of:

(a)   the findings of the review (and the reasons for those findings), and

(b)   the action proposed to be taken by the agency (and the reasons for taking that action), and

(c)   the right of the person to have those findings, and the agency’s proposed action, administratively reviewed by the Tribunal.”

  1. Section 55 provides:

“55 Administrative review of conduct by Tribunal

(1)   If a person who has made an application for internal review under section 53 is not satisfied with:

(a)   the findings of the review, or

(b)   the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.

(1A) A person (the applicant) who is aggrieved by the conduct of a Minister (or a Minister’s personal staff) constituting a contravention of section 15 (Alteration of personal information) may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct.

(2)   On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:

(a)   subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b)   an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c)   an order requiring the performance of an information protection principle or a privacy code of practice,

(d)   an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e)   an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f)   an order requiring the public sector agency not to disclose personal information contained in a public register,

(g)   such ancillary orders as the Tribunal thinks appropriate.

(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.

(4)   The Tribunal may make an order under subsection (2) (a) only if:

(a)   the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and

(b)   the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.

(4A)   The Tribunal may not make an order under subsection (2) (a) if:

(a)   the applicant is a convicted inmate or former convicted inmate or a spouse, partner (whether of the same or the opposite sex), relative, friend or an associate of a convicted inmate or former convicted inmate, and

(b)   the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and

(c)   the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.

(5)   If, in the course of an administrative review, the Tribunal is of the opinion that the chief executive officer or an employee of the public sector agency concerned has failed to exercise in good faith a function conferred or imposed on the officer or employee by or under this Act (including by or under a privacy code of practice), the Tribunal may take such measures as it considers appropriate to bring the matter to the attention of the responsible Minister (if any) for the public sector agency.

(6)   The Privacy Commissioner is to be notified by the Tribunal of any application for an administrative review. The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to an administrative review.

(7) The Information Commissioner is to be notified by the Tribunal of any application for a review under this section that concerns the provision of government information by an agency (within the meaning of the Government Information (Public Access) Act 2009). The Information Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to such a review.”

The history of the proceedings

  1. The proceedings were listed for hearing on 16 August 2019. On that date Mr Fahmi, solicitor, appeared for the applicant and stated he had only been instructed that day in the matter and sought an adjournment. The applicant was not present and had emailed a medical certificate to the Registry. The adjournment was opposed by the respondent.

  2. I granted an adjournment on the basis that the respondent was seeking to have the proceedings dismissed and it was not clear whether the applicant was aware of a particular ground relied upon by the respondent, namely a letter concerning whether it had conducted an internal review of the conduct complained of. The parties agreed that this matter was suitable for determination without a hearing. Directions were made for the filing of further material and a determination on the papers. The respondent reserved its right to seek an order for costs depending on the outcome of the proceedings.

  3. It appears that the applicant did not, in the event, retain a legal representative to prepare any material on her behalf.

Whether the Tribunal has jurisdiction

  1. The respondent submits that the applicant’s email of 30 November 2018 was not a request for internal review of any conduct under the PPIP Act but a grievance and request for action on that grievance. There is a complex history of grievances and litigation in this Tribunal between the two parties. If there was no request for internal review, the Tribunal does not have jurisdiction in the matter (s 55(1) PPIP Act).

  2. A letter from the Chief Executive of the respondent to the applicant dated 13 December 2018 which responded to the 30 November email did not treat it as a request for internal review but correspondence relating to other proceedings and stated that the matter was “now fully and finally resolved.”

  3. The relevant test for whether the email is a request for internal review is whether the email reasonably conveys to the respondent agency, that an application for internal review is sought. The applicant claims that a privacy breach had occurred on or about 15 August 2018. This is contained in her complaints that:

“I discovered as below that my privacy and information has been breached while the Executive of the organisation sensor (sic) and check the correspondence to you and the Board. I was assured that the email will be directed to the Board of NSLHD.

In NCAT 15 August 2018, Carol Parker and Darren Gardner stated that I sent you and the Board.

Did you go to tell Carol Parker or the Chief Executive instead of investigating the matter…

Can NSLHD acknowledge my request for Internal Review for breaching my privacy and confidentiality….”

  1. In my view this email, while confused and vague, reasonably conveys a request for internal review as it expressly refers to a breach of privacy and a request for internal review. It follows from the sequence of events, as I have interpreted them, that the applicant lodged an internal review request on 30 November regarding the alleged breach and the respondent did not deal with that request for internal review within the 60 day period. A failure by an agency to accept a valid application for internal review is an example of “action taken in relation to the application”, and meets this pre-condition to the Tribunal’s review jurisdiction in s.55 (GA v NSW Police (GD) [2005] NSWADTAP 38).

  2. Accordingly the applicant was entitled to apply to this Tribunal and the Tribunal has jurisdiction.

The merits of the case

  1. It is the applicant’s obligation to identify the conduct which she alleges breached her privacy. She does not need to identify the specific individual privacy principles which apply: GA v Commissioner of Police, NSW Police [2004] NSWADT 254; GL v Director-General, Department of Education and Training [2003] NSWADT 166. As stated by Deputy President Hennessy in GA:

“In my view, an applicant’s entitlement to an internal review (and ultimately an external review) depends on that person identifying the conduct about which they are aggrieved in sufficient detail to allow the agency to determine whether it constitutes a breach of an information protection principle or a privacy code of practice or the disclosure of personal information kept in a public register.”

  1. From the available information, I infer that the applicant alleges that the respondent breached her privacy by unauthorised disclosure and use, comprising:

  1. Alleged disclosure of her email of 11 August 2018 addressed to the respondent’s Board, to an employee of the respondent and to the respondent’s legal representative; and

  2. Alleged use of the information in the email in a hearing in this Tribunal on 15 August 2018.

  1. The applicant provided material in the form of submissions which stated that in an unrelated hearing in this Tribunal on 15 August 2018 concerning proceedings between herself and the respondent:

  1. the legal representative for the respondent quoted her (unspecified) emails to the respondent’s Board and tried to disparage her; and

  2. Her email was used for a different purpose in the Tribunal by Ms Parker (who was a witness in the proceedings) and the legal representative.

  1. This is an allegation that a disclosure of personal information was made by the respondent to an employee of the respondent and the respondent’s legal representative, and that the information was used in the hearing. No evidence has been adduced by the applicant, however, to substantiate either of these allegations. This is despite the applicant being granted an extension of time in which to file evidence in June 2019 and an adjournment and an opportunity to respond to the respondent’s evidence and submissions on 16 August 2019. There is nothing before the Tribunal to indicate what happened in the Tribunal, what information was used and how it was used.

  2. Where the evidence is uncertain, the Appeal Panel has stated that:

"Given the nature of the review under the PPIP Act , and the absence of any provisions attributing onus to either party, if left in a state of uncertainty in relation to a fact in issue, that fact should be decided against the applicant”.

(KP v Narrandera Shire Council [2011] NSWADTAP 15 at [26] and [31])

  1. It is not denied that by the respondent that the email was mentioned in the proceedings. That being so, I could infer that the email was disclosed to the two named persons by the respondent.

  2. However, there would still be a question as to whether such conduct breached the PPIP Act. In relation to disclosure, the Appeal Panel has held that disclosure of personal information to a legal representative is not a breach of s 18 of the PPIP Act (ALZ v Safework NSW [2017] NSWCATAP 51 at [120]). Additionally, any disclosure to an employee of the respondent is not a disclosure within the meaning of the PPIP Act, as this is limited to the giving of the information by the collecting agency to a person or body outside the agency (NZ v Director General, NSW Department of Housing [2005] NSWADT 58 at [69]).It is not alleged that by disclosing the information to Ms Parker the information was given to someone outside the respondent organisation.

  3. The alleged use of the information was a matter within the applicant’s knowledge, if it occurred. However there is no evidence of the nature of the use or the alleged different purpose.

  4. In the circumstances, it is not possible to determine whether s 6 of the PPIP Act, which provides that the Act does not apply to conduct relating to a Tribunal’s judicial functions, would apply even if use in the Tribunal hearing had been established. However I note that where personal information was contained in evidence relevant to a matter to be determined in Tribunal proceedings, it has been held that this did not breach the PPIP Act (ALZ v Lismore City Council [2016] NSWCATAD 20 at [57]).

  5. For the reasons stated above, I am not satisfied that any breach of the PPIP Act has occurred as alleged by the applicant. The appropriate course is to take no action.

Whether confidentiality orders should be made

  1. The respondent opposed the anonymization of the applicant’s name in these proceedings and in the alternative sought confidentiality orders anonymising the respondent and persons named in the proceedings as well as prohibiting disclosure of unfounded, serious and scandalous allegations made by the applicant against officers, employees and representatives of the respondent.

  2. I am not satisfied that there is sufficient reason to reverse the anonymization order concerning the applicant or anonymise the respondent as a party to the proceedings, as it is a statutory body.

  3. I am not satisfied that the names of the individuals named in these reasons should be anonymised, given the contents of these reasons.

  4. The applicant’s submissions contain wide ranging allegations against various persons who are not parties to these proceedings and have not had an opportunity to respond. Therefore I am satisfied that it is appropriate to make an order under s 64(1)(c) of the Civil and Administrative Tribunal Act2013 prohibiting the publication of the material contained in the applicant’s submissions lodged with the Tribunal in these proceedings.

Costs

  1. The respondent indicated that it reserved its position on costs. The parties have liberty to file written submissions on the costs issue within 28 days of the publication of these reasons. Any costs application should include submissions as to whether the Tribunal should hear a costs application ‘on the papers’: Civil and Administrative Tribunal Act 2013, s 50(3).

Orders

  1. The Tribunal finds that no breach of the Privacy and Personal Information Protection Act 1998 has been established.

  2. Pursuant to s 55(2) of the Privacy and Personal Information Protection Act 1998 no action will be taken in the matter.

  3. The parties may file written submissions on costs within 28 days of the publication of these reasons.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 13 November 2019

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

1

Eok v Northern Beaches Council [2021] NSWCATAD 297
Cases Cited

7

Statutory Material Cited

3

CJU v Northern Sydney Local Health District [2018] NSWCATAD 223
GA v Commissioner of Police [2005] NSWADTAP 38
GA v Commissioner of Police, NSW Police [2004] NSWADT 254