CJU v SafeWork NSW

Case

[2018] NSWCATAD 300

21 December 2018

No judgment structure available for this case.

Civil and Administrative Tribunal


New South Wales

  • Amendment notes
Medium Neutral Citation: CJU v SafeWork NSW [2018] NSWCATAD 300
Hearing dates: 14 March 2016, 12 November 2016, last written submissions received on 21 November 2018
Date of orders: 21 December 2018
Decision date: 21 December 2018
Jurisdiction:Administrative and Equal Opportunity Division
Before: P Durack SC, Senior Member
Decision:

1. The respondent shall pay the applicant $1,000.00 within 14 days in respect of the respondent’s breach of the information protection principle in s 18 (1) of the PPIP Act the subject of these proceedings.

 

2. By 17 January 2019 the parties are to lodge and serve written submissions of not more than 4 pages in length concerning:

 

a) The terms of the foreshadowed order under s 55 (2)(b) of the PPIP Act referred to in paragraph 140 of these reasons.

 

(b)The costs of these proceedings and whether any decision about costs should be made on the papers without the need for any further hearing.

 3. By 30 January the parties are to lodge and serve written submissions of no more than 4 pages in length in reply to the written submissions referred to in Order (2).
Catchwords: PRIVACY – review of conduct of public sector agency – unlawful disclosure of personal information – remedies – recovery for psychological harm - causation – quantum of damages – other orders
Legislation Cited: Civil and Administrative Tribunal Act 2013 (NSW)
Civil Liability Act 2002 (NSW)
Government Information (Public Access) Act 2009 (NSW)
Government Sector Employment Act 2013 (NSW)
Health Services Act 1997 (NSW)
Privacy and Personal Information Protection Act 1998 (NSW)
Work Health and Safety Act 2011 (NSW)
Cases Cited: AOZ Rail Corporation NSW (No 2) [2015] NSWCATAP 179
APV and APW v Department of Family and Community Services [2015] NSWCATAD 140
CYH v Family and Community Services [2018] NSWCATAD 84
Department of Education and Training v GA (No.3) [2004] NSWADTAP 50
Department of Education and Training v ZR (No 2) (GD) [2009] NSWADTAP 44
Hall and Ors v A & A Sheiban Pty Ltd and Ors [1989] FCA 92; (1989) 20 FCR 217
JD v Department of Health (GD) [2005] NSWADTAP 44
KO & KP v Commissioner of Police, New South Wales Police [2005] NSWADT 18
Lamb v Cotogno (1987) 164 CLR 1
NZ v Director General, Department of Housing [2006] NSWADT 173
Rummery v Federal Privacy Commissioner [2004] AATA 1211
Tame v New South Wales (2002) 211 CLR 317
Category:Principal judgment
Parties: CJU (Applicant)
SafeWork NSW (Respondent)
Representation:

Applicant (self- represented)

  Solicitors:
Crown Solicitor (Respondent)
File Number(s): 2017/00138493
Publication restriction: Pursuant to s 64 (1) (a) of the Civil and Administrative Tribunal Act, the name of the applicant and any other information identifying the applicant is not to be disclosed without further order of the Tribunal.

REASONS FOR DECISION

Overview

  1. The applicant has applied for the review by the Tribunal of conduct by the respondent, which was admittedly in breach of her information privacy, involving unlawful disclosure of her personal information in breach of the information protection principle set out in s 18(1) of the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIPAct). She brings the application because she was dissatisfied with the outcome of an internal review by the respondent of her complaint which review was a precondition to her commencing these proceedings: s 55(1) of PPIP Act.

  2. The breach involved the disclosure of personal information about the applicant to a solicitor acting for the NSW Ministry of Health in October 2016.

  3. At a directions hearing on 12 December 2017, following an unsuccessful mediation, the respondent conceded that it was liable for the breach of the PPIP Act the subject of the application and the matter was set down for hearing of the issue as to whether the Tribunal should take any action as a result of the breach and, if so, what that action should be.

  4. The conclusion of the hearing was delayed following an unsuccessful application by the applicant that the Tribunal member should recuse himself from any further hearing of the application on the ground of bias.

  5. The applicant has sought compensation in the amount of $40,000, including an amount for aggravated damages. This is the maximum amount that the Tribunal can award under the PPIP Act. For the reasons set out below, the Tribunal has decided to award the applicant very substantially less than this amount.

  6. In addition, the Tribunal has foreshadowed the making of a further order with the object of ensuring that there is no further breach of s 18 (1) in respect of the applicant’s personal information held by the respondent.

  7. Publication of the name of the applicant has been prohibited under previous orders made by the Tribunal. It is sensible that the terms of the restriction be now specified in a new order set out at the end of these reasons. This will extend to any information identifying the applicant. For that reason some material about the applicant that goes beyond her name has been deleted when referring to the evidence, as indicated by square brackets.

The parties

  1. The applicant is a former employee of the North Shore Local Health District (NSLHD). Her first language is not English.

  2. The respondent is the regulator under the Work Health and Safety Act 2011 (NSW) (the WHS Act). One of the functions of the respondent is to investigate and, if thought fit, bring prosecutions for contraventions of the WHSA as requested by members of the public.

  3. Mr Covi, whose conduct on behalf of the respondent, constituted the breach of privacy, was, at the relevant time, Assistant State Inspector – Metro North Operations of the respondent.

  4. The personal information disclosed included communications to and from a Mr Craft within the Ministry of Health and from Ms Collins from the NSLHD.

  5. The NSLHD is one of a number of local health districts constituted as statutory bodies under s 17 of the Health Services Act 1997 (NSW).

  6. The NSW Ministry of Health is established as a government department under the Government Sector Employment Act 2013 (NSW).

  7. It is accepted by the respondent, and is otherwise not in dispute, that the local health districts, including the former employer of the applicant, are separate public sector agencies for the purposes of the PPIP Act.

  8. Sometimes in the evidence and submissions reference has been made to “NSW Health”. Unless I have indicated to the contrary, because of the context in which such references are made, I have treated such references as a reference to the Ministry of Health. In doing so, I am aware that the Health Services Act makes reference to the NSW Health Service which consists of persons who are employed under Part 1 of Ch 9 of that Act by the Government of NSW in the service of the Crown.

The Disclosure in breach of s 18(1) of the PPIP Act

  1. The disclosure the subject of the admitted breach was made by an email from Mr Covi of the respondent to Ms Bromwich of the Crown Solicitor’s Office (CSO) sent on 17 October 2016 at 11:53am (the Disclosure). The email was copied to two of Mr Covi’s superiors within the respondent, Mr Bromly and Ms Gleeson. Ms Gleeson was Mr Bromly’s direct superior. Mr Bromly was a Team Manager. Mr Covi was part of Mr Bromly’s team.

  2. The email stated:

Hi Greta,

In response to your email of the 6/10/16, I advise that:

On the 1/2/16 SafeWork NSW (formerly known as WorkCover NSW) received a request under Section 231 of the WHS Act from [CJU] requesting us to prosecute 3 individuals who work for North Sydney Local Health District at [name of hospital]. Her application was accompanied by many pages of information.

On the 17/2/16 I was allocated the matter.

On the 18/2/16 I called and spoke to [CJU] and then made a number of inquiries in relation to the matter.

On the 19/2/16 Damien Bromley (my supervisor) and I spoke by telephone to Trevor Craft – the Deputy Director of Workplace Relations at Health NSW. Later that day I followed this up with the email to Mr Craft – (see attached).

On the 29/2/16 – Mr Craft replied to my email (see attached).

On the 29/2/16 – as a result of the email from Mr Craft I made contact by phone with Melissa Collins Deputy Director – HR Business Partners Workforce and Culture Directorate Northern Sydney Local Health District – and spoke to her about the matter.

Later that (sic) Ms Collins sent me an email – see attached.

I trust this answers your question.

If you would like further information relating to this matter my suggestion would be request the entire file via the appropriate channels – (this file consist of [CJU] original request under Section 231 of the WHS Act and the documents she attached to that application and SafeWork NSW’s actions relating to file – file reference number WSMS 1-353763).

Kind regards

Paul Covi

Assistant State Inspector – Metro North Operations

  1. The email was headed “Security Classification – DLM Only”. No party placed any reliance on this classification.

  2. The first attachment referred to in the email was an email from Mr Covi to Mr Craft. That email stated:

Hi Trevor,

Great to talk to you on the phone just then.

As discussed I am requesting advice from you if your employer has ever been notified of a complaint re allegations of bullying at [name of hospital].

The complainant would be from a [CJU] – employed at [name of hospital]. [CJU] has approached SafeWork NSW seeking for individuals to be prosecuted, however we have never investigated this allegation.

Happy to discuss further,

Kind regards,

Paul Covi

Assistant State Inspector – Metro North Operations

  1. The second attachment referred to in the 17 October 2016 email was an email from Mr Craft to Mr Covi sent on 29 February 2016. In this email, Mr Craft informed Mr Covi that carriage of matters connected with CJU’s employment resided with the Chief Executive or her delegate of (NSLHD) and that Ms Collins at NSLHD was fully across all matters pertaining to CJU and was happy to liaise directly with Mr Covi in relation to those matters.

  2. The third attachment was an extract from an email to Mr Covi from Ms Collins, sent on an unknown date. That extract stated:

[CJU] made numerous complaints during her period of employment with Northern Sydney Local Health District. Her complaints were often about a range of issues, largely about her work environment. But later concerned allegations of bullying and victimisation and harassment.

In response to [CJU’s] complaints, NSLHD management and Human Resources offered to meet with [CJU] to understand her complaints and attempt to particularise her specific issues. [CJU] did not respond to the numerous attempts made by the district to meet with her, NSLHD investigated and reviewed all of [CJU’s] complaints, where possible, based on the information provided by [CJU] and other staff members in response to her complaints.

Despite numerous attempts to meet with [CJU] without success, NSLHD conducted an overarching formal investigation into all of [CJU’s] complaints (conducted by an independent management representative, Ms Alison King, Patient Services Information Manager and Ms Nancy Knott, Deputy Manager Human Resources). Unfortunately [CJU] would not participate in the investigation. The findings of the investigation report were that [CJU’s] allegations were unsubstantiated.

Attached is a detailed chronology of events relating to [CJU]. The chronology indicates the numerous attempts to meet with [CJU] and the timeline of the investigation which found [CJU’s] allegations to be unsubstantiated.

I hope this assists you. Please do not hesitate to contact me if you have any questions.

Kind regards

Melisa

Deputy Director – HR Business Partners

Workforce and Culture

Norther Sydney Local Health District

M: [mobile number omitted]

  1. Section 4(1) of the PPIP Act contains a definition of “personal information” as follows:

4    Definition of "personal information"

(1)    In this Act, "personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

  1. Plainly, the text of the 17 October 2016 email, and the three attachments to the email, contained a range of personal information relating to CJU, including information of a sensitive nature concerning CJU’s request under s 231 of the (the WHS Act) and concerning her complaints to her employer.

  2. It is important to bear in mind that the breach of information privacy the subject of these proceedings is the disclosure by Mr Covi of the respondent made on 17 October 2016 and not the disclosure by Mr Covi to Mr Craft in February 2016, as revealed by the 17 October 2016 email and its attachments, or any connected disclosures around that time in February 2016 by the Ministry of Health or by NSLHD.

The applicant’s case

  1. Extracts from the applicant’s document which is Exhibit A1 are as follows:

1 – NCAT has to understand the extent of the pain suffering, non economic losses [CJU] suffered. And to be fully aware that this breach incident and these conducts by NSW Safework were not just an accidental innocent breach but rather a malicious well organised and orchestrated breach, one of many which were the products of collusions between multiple government agencies SAFE WORK NSW, Northern Sydney Local Health District, NSLHD and the Ministry of Health, MOH.

2 – Those 3 colluding organisation thought that because they are the custodians of the documents, they believed by preventing the applicant from accessing the documents in any of the three locations they can get away with that destroying conducts

They refused to produce, or Delayed, objected and obstructed the access to documents and truth

They Refused and objected that I subpoena documents and staff,

Both MOH AND NSLHD Refused to provide DOCUMENTS and communications under GIPA. While Safework Delayed until I had to write to the minister to receive partial documents.

3 – Remedy Damages:

3.1 While Safework got legal advice from its own team about the breach of privacy of the applicant, it was an aggravated damages, they deliberately intentionally and maliciously meant to hurt and humiliate the applicant and her cases and give the three colluding corrupt agencies the edge to undermine the case of the applicant. Safework conducts has acted in a way that exacerbated the applicant injury and hurt her feelings. (Attachments F1-F2-F3).

3.2 Safe work had no regards to the law Or Act

Has no regards to the employees safety

……

[CJU] was so upset and very stressed when she found out that Safework had breached her privacy again and talked to representatives from NSW health about her and her prosecution application and how Safework again played a role to undermine [CJU].

WHICH HAPPENED MANY TIMES.

This case and this conducts has caused the applicant more emotional distress as the applicant felt helpless, especially after she wrote to seniors, minister, and complained to Safework but all were covered up.

as a result of such breaches [CJU] had to discontinue another case AGAINST THE MINISTRY OF HEALTH, where TC [Mr Craft] breached her privacy. This withdrew was In a very stressing situation and humiliating one in front of my family and children and her Collegues as she had to withdrew, not because [CJU] did not have a case but because the three agents are breaching my privacy times after time TO COVER IT UP.

3.3 TC was leading a colluding pack between The Ministry, NSLHD and SafeWork to defeat and eliminate [CJU].

…….

Non economic losses.

evidences of the suffer and hurt suffered every day in the applicant life. the Evidences demonstrated the struggle, the stress, the fear of the applicant from losing her job and lively hood everyday by interfering and breaches by Trevor Craft and Safework. The Battle and suffer between [CJU] as an employee against these agencies are noticed in the uphill battles of the applicant against those three government agencies. TC and the crown Solicitor Lawyer reached Safework employee in his own home while on leave and enticed him to get record in his custody. they got access to documents they should not have had. All agencies refused to take the orthodox legal process.

3.5 compensation should be assessed having regard to [CJU] reaction and struggle not a ‘reasonable person’ test

The pain and suffer of the applicant was felt severely in every betrayal conducts by, the distress because of he (sic) interference safeWork was suppose to protect her and her wellbeing, not to betray her and breach her privacy to coverup for the ministry and their fiend (sic) TC and to help the ministry to undermined the applicant court proceeding by disclosing these information and breaching my privacy. They reached PC in his home (Attachment F2) to disclose information So the applicant had to withdrew a win case against the ministry of health breaching the applicant information with safe work. A case was almost a win to the applicant and the applicant had to suffer the pain and suffer from injustice (Attachment F)

as those government agencies cover up for each other without any regards to moral or ethical values or principles.

……

  1. The essence of the applicant’s case that I discern from the above material, and from her oral submissions, is that the Disclosure exacerbated her existing distress caused by what she saw as her unfair battle with the respondent, the Ministry of Health and NSLHD to properly deal with and not “cover up” her complaints, and in respect of which her privacy had already been breached. She perceived the Disclosure as another improper step in this battle, made in collusion with the Ministry of Health and NSLHD in order to undermine a breach of privacy case she had on foot against the Ministry of Health and which caused her to withdraw what she believed were proceedings in which she would be successful.

  2. Accompanying these contentions by the applicant, were a number of other assertions of misconduct by Mr Craft, Mr Covi, Mr Bromly and others that were made in such general terms that it is not possible to treat them as relevant to these proceedings.

The respondent’s defence

  1. The respondent’s case was that the Disclosure was a discrete breach of information privacy made in good faith by Mr Covi who was trying to be helpful in responding to an enquiry from a government agency’s solicitor by providing information that the agency already had or could otherwise obtain. For these reasons it submitted that it was a breach at the lower end of the spectrum of information privacy breaches.

  2. According to the respondent:

  1. The applicant had not established that she had suffered psychological harm “because of” the admitted breach and had not established that she had suffered any other harm that gave rise to an entitlement to damages.

  2. If, however, the Tribunal was minded to award an amount for damages such amount should be at the lower end of the scale.

  1. The respondent also relied upon other remedial steps that it had taken, including issuing an apology and carrying out some training in relation to privacy issues with a view to preventing further information privacy breaches.

The issues

  1. Despite the respondent’s admission of breach, significant factual, and to some extent legal issues, remained between the parties as follows:

  1. Whether the Disclosure was made maliciously or in bad faith by Mr Covi. This is relevant to the claim for aggravated damages.

  2. In connection with issue (1), whether the applicant specifically told Mr Covi not to contact anyone in the Ministry of Health about her request for prosecutions under the WHSA in a telephone conversation on 18 February 2016.

  3. Whether the applicant established she had suffered recoverable loss and damage under the PPIP Act.

  4. In connection with issue (3), the following sub-issues arose:

  1. Does “psychological harm” referred to in s 55(4) (b) of the PPIP Act extend to distress not the subject of a medical diagnosis of a mental illness or condition such as depression or anxiety.

  2. If yes to (a), has the applicant established that she suffered such psychological harm “because of” the conduct in breach, as provided for in s 55(2) (a) of PPIPA. The issue here is whether the applicant has established that her pre-existing distress arising out of dealings with the respondent, the Ministry of Health and NSLHD was exacerbated by the conduct in breach that is the subject of these proceedings. This is the causation issue in the proceedings.

  1. If the answers to the issues in (4) are yes, what is the quantum of the compensation, if any, that should be awarded to the applicant. I say “if any” because it is uncontroversial that the Tribunal has a discretion under s 55(2) of PPIP Act whether to order compensation even if it found that recoverable loss or damage has been suffered.

  2. What was the quality of the training concerning information privacy protection that the respondent carried out and how did this training bear upon the risk of further breaches of information privacy?

  3. Should the Tribunal make any non–compensation order because of the breach?

  1. In addition to the admission of breach, a number of other matters were not in issue as follows:

  1. The conduct the subject of these proceedings consisted of a disclosure of information made in an email, including its attachments, from Mr Covi to Ms Bromwich of the CSO sent on 17 October 2016 at 11:53am (the Disclosure). This had been the conduct the subject of the internal review.

  2. At the time of the Disclosure, the state of mind of Mr Covi was, at least, that he was aware that the applicant was sensitive about the disclosure of information about herself to the Ministry of Health, including the disclosure of information related to her request for prosecutions. In saying “at least”, I recognise that the applicant contends for a more adverse position to the respondent, namely that Mr Covi knew that the respondent did not want information of the nature of the Disclosure disclosed to the Ministry of Health, he proceeded to do so despite this, and did so with a view to helping the Ministry of Health undermine her case in other proceedings she had brought against them.

  3. With respect to the causation issue, at the relevant times, the respondent was and still is distressed about her dealings with a number of agencies, including the respondent, over an extended period of time: respondent’s written submissions on remedies (RWS) at [26]. In saying this, I recognise that the respondent puts in issue a number of matters, as already indicated, including whether “the applicant’s distress” results from “the very discrete conduct that is in issue in these proceedings”: RWS at [26].

  4. The Civil Liability Act 2002 does not apply to the assessment of compensation under PPIP Act: respondent’s supplementary written submissions dated 16 November 2018 (RSWS) at [17] referring to the decision of then President O’Connor in NZ v Director General, Department of Housing [2006] NSWADT 173.

  1. Because of the matters that remain in issue, it is necessary to examine in some detail the history and nature of the applicant’s grievances. Before examining the facts, I set out the important statutory provisions related to her claim.

The PPIP Act provisions

  1. Section 18 of the PPIP Act provides:

18    Limits on disclosure of personal information

(1)    A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:

(a)    the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b)    the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c)    the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

  1. Section 55 of the PPIP Act, relevantly, provides:

55   Administrative review of conduct by Tribunal

(1)     If a person who has made an application for internal review under section 53 is not satisfied with:

(a)     the findings of the review, or

(b)     the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.

(2)     On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:

(a)     subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b)     an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c)     an order requiring the performance of an information protection principle or a privacy code of practice,

(d)     an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e)     an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f)     an order requiring the public sector agency not to disclose personal information contained in a public register,

(g)     such ancillary orders as the Tribunal thinks appropriate.

(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.

(4)     The Tribunal may make an order under subsection (2) (a) only if:

(a)     the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and

(b)     the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.

(5)     If, in the course of an administrative review, the Tribunal is of the opinion that the chief executive officer or an employee of the public sector agency concerned has failed to exercise in good faith a function conferred or imposed on the officer or employee by or under this Act (including by or under a privacy code of practice), the Tribunal may take such measures as it considers appropriate to bring the matter to the attention of the responsible Minister (if any) for the public sector agency.

The WHS Act provisions

  1. Section 231 of the WHS Act, relevantly, provides:

231   Procedure if prosecution is not brought

(1)     If:

(a)  a person reasonably considers that the occurrence of an act, matter or thing constitutes a Category 1 offence or a Category 2 offence, and

(b)  no prosecution has been brought in relation to the occurrence of the act, matter or thing after 6 months but not later than 12 months after that occurrence,

the person may make a written request to the regulator that a prosecution be brought.

(2)     Within 3 months after the regulator receives a request the regulator must:

(a)     advise the person (in writing):

(i)     whether the investigation is complete, and

(ii)     if the investigation is complete, whether a prosecution has been or will be brought or give reasons why a prosecution will not be brought, and

(b)     advise the person who the applicant believes committed the offence of the application and of the matters set out in paragraph (a) …

  1. Section 271 of the WHS Act provides:

271     Confidentiality of information

(1)     This section applies if a person obtains information or gains access to a document in exercising any power or function under this Act (other than under Part 7).

(2)     The person must not do any of the following:

(a)     disclose to anyone else:

(i)     the information; or

(ii)    the contents of or information contained in the document;

(b)     give access to the document to anyone else;

(c)    use the information or document for any purpose.

Penalty:

(a)     In the case of an individual—$10 000.

(b)     In the case of a body corporate—$50 000.

(3)     Subsection (2) does not apply to the disclosure of information, or the giving of access to a document or the use of information or a document:

(a)     about a person, with the person’s consent; or

(b)     that is necessary for the exercise of a power or function under this Act; or

(c)     that is made or given by the regulator or a person authorised by the regulator if the regulator reasonably believes the disclosure, access or use:

(i)     is necessary for administering, or monitoring or enforcing compliance with, this Act; or

(ii)     is necessary for the administration or enforcement of another Act prescribed by the regulations; or

(iii)     is necessary for the administration or enforcement of another Act or law, if the disclosure, access or use is necessary to lessen or prevent a serious risk to public health or safety; or

(iv)     is necessary for the recognition of authorisations under a corresponding WHS law; or

(v)     is required for the exercise of a power or function under a corresponding WHS law; or

(d)     that is required by any court, tribunal, authority or person having lawful authority to require the production of documents or the answering of questions; or

(e)     that is required or authorised under a law; or

(f)     to a Minister …

The facts – a chronology of events

  1. In addition to the Disclosure to which I have already referred, the facts set out below, which are almost entirely documented, are uncontroversial.

  2. In an email sent to Dr Foley, the Secretary of the Ministry of Health, on 22 January 2015 at 5:34pm CJU said she was providing formal notice and requesting urgent action about a number of matters, including reprisal actions against her that she said had occurred since 2012 in response to her making a protected disclosure the substance of which she said concerned corruption and maladministration at a NSW hospital.

  3. Prior to 18 February 2016, CJU made a request to the respondent under s 231 of the WHS Act for prosecutions to be brought against persons she named.

  4. This request that was the subject of a telephone conversation between Mr Covi and CJU on 18 February 2016. Prior to that telephone conversation, a decision was made within the respondent not to proceed with the request. However, subsequent to that decision, the request was assigned to Mr Bromly’s investigation team and he referred it to Mr Covi, who was part of that team. That led to Mr Covi’s call to CJU on 18 February 2016.

  5. It is not in dispute that in the call on 18 February 2016, Mr Covi made some reference to him taking the matter up with some people within the NSW Ministry of Health. The main dispute is about what CJU said in response to that reference.

  6. At the hearing on 14 March 2018, CJU said that in this telephone conversation with Mr Covi he said the matter had been assigned to him and he had a friend in the Ministry of Health and he could take her case to people in the Ministry of Health. According to the applicant, she said to Mr Covi, no, she wanted to proceed through s 231, you do not contact anyone from the Ministry of Health – I do not consent. Mr Covi then said again he could talk to them, they are senior. She said no you don’t, you have no consent to do that.

  7. I will set out my findings about this conversation further below, but, for the present, I set out the terms of a written record of the conversation prepared by Mr Covi on 18 February 2016. The note records:

Call requestor on [number given] and advise I have the matter and will investigate if we are prosecuting – she said she had had no contact from WorkCover to date.

I advised I am able to take this up with Health Dep reps at a State Level (Damien meets with these reps for State Wide Health Matters) – [name of respondent] advised she would like to be told if we are prosecuting and if not, will decide if she wants further action by SafeWork NSW.

  1. I also set out Mr Covi’s recollection of the conversation according to his statement dated 28 March 2018 (Exhibit R3):

10.   I recall that we had a conversation during which words to the following effect were said:

Me: “I am dealing with your matter. I will be looking into your application and investigating whether there is a basis for a prosecution.”

Applicant: “I haven’t heard from WorkCover since my request was made.”

Me: “I am sorry on behalf of WorkCover for the delay in responding to your request but only got the job yesterday. What is it exactly that you want as an outcome from your request?”

Applicant: “I would like people to be prosecuted.”

Me: “I will investigate if we will prosecute. I can also take the issues you have raised up with the Health Department representatives at a State level. Where there are problems with bullying, it can be helpful to raise this at a higher level. My superior regularly meets with representatives of the Department that deal with State Wide Health Matters.”

Applicant: “I would like to be told if the prosecution goes ahead, in writing. If it doesn’t, I will decide if there is any further action I would like WorkSafe to take.”

11.   I recall that the applicant did not make any objection when I raised the possibility of contacting the ‘Health Department representatives at a State level’. If the applicant had raised any such objection, I would have made a note of it in accordance with my usual practice.

12.   Immediately following my phone call with the applicant, I recorded the details of our telephone conversation on our internal information management system. Annexed and marked “A” is a copy of my notes following the above telephone conversation.

  1. Also on 18 February 2016, Ms O’Heffernan, Principal Policy Advisor with the Ministry of Health sent an email to Mr Craft and Ms Jonas at 11:34am on the subject of “Safework matter re bullying”. She asked to speak to them sometime soon about a call she had received from SafeWork about a request to prosecute they had received from CJU in relation to allegations she is being bullied.

  2. On 19 February 2016, the events of that day referred to in the Disclosure occurred, namely that Mr Covi and Mr Bromly spoke by telephone to Mr Craft and Mr Covi sent an email to Mr Craft.

  3. Also on 19 February 2016, Mr Bromly sent an email to Mr Craft at 3:06pm saying that as mentioned the request from CJU stated that she had raised her issues with Dr Foley and that it mentions the Minister but does not actually say that she had raised this with the Minister.

  4. On 29 February 2016 Mr Craft sent the email to Mr Covi which is part of the Disclosure. Also on that day, Mr Covi spoke to Ms Collins by telephone – a conversation that is referred to in the Disclosure. Mr Covi also sent an email to Mr Craft at 9:31am thanking him and saying he would be in touch with Ms Collins.

  5. Some time after 29 February 2016, Ms Collins sent Mr Covi the email which is part of the Disclosure.

  6. On 2 March 2016, Mr Covi sent an email to CJU about her request. In the email, he said he had received detailed advice back from “Health NSW” and they advised they had investigated allegations raised by you and they found that the allegations were unsubstantiated. Mr Covi said he would need to meet with CJU to obtain a statement if this matter was to proceed further. He asked if she was available for him to obtain this statement. I note also that the email begins with thanking CJU for her reply – I have not seen the reply referred to.

  7. The email of 2 March 2016 from Mr Covi led to complaints by CJU about Mr Covi having spoken to people within the Ministry of Health and about the Ministry of Health supplying information about her to the respondent. The complaint by CJU about Mr Covi speaking to people within the Ministry of Health led to an internal review by the respondent of a privacy complaint by CJU (see further below). The internal review found that no contravention of privacy had occurred. After the internal review CJU took this particular complaint no further.

  8. In addition, the complaint by CJU about the Ministry of Health supplying information to the respondent led to her commencing separate proceedings to these in the Tribunal for a review of that conduct on the basis it involved a breach of her privacy. I have not seen those proceedings. As will be seen below, it was in connection with these proceedings that Ms Bromwich made a request for information that resulted in the Disclosure.

  9. Various emails from CJU now referred to making her complaints which followed Mr Covi’s email of 2 March 2016 are relevant to the applicant’s state of mind prior to the Disclosure and to the dispute about what transpired in the conversation on 18 February 2016.

  10. In an email sent by CJU to Mr Covi and Mr Bromly on 10 March 2016 at 7:32pm, CJU complained about Mr Covi

… running to disclose the information on my application to your friend in NSW HEALTH. You suppose (sic) to be impartial, independent and to investigate not to take the employer ward or my ward…

This is the second time work safe cover up for NSW HEALTH.

do you think it was not clear when you rang me and wanted to tell NSW HEALTH. It was very obvious you wanted to kill it and you did.

You should not close it, Damien Bromley should have asked you to step dawn (sic) ….

  1. In another email sent on 10 March 2016 at 11:37pm to the respondent CJU described the subject of the email as:

Complaint about the poor, unfair, bias, not impartial service with repeat cover up for NSW HEALTH SENIOR BY WORKSAFE AND WORK COVER

  1. The email included the following:

2016 in this time I have been trying to find out who is the head of prosecution to send my email to him/her after Mr Covi call and I could find out who is the head of this prosecution unit as it is very obvious the Mr Covi had friends in NSW Health and wanted to please and alert them to end the application.

He wanted to tell seniors in NSW HEALTH and I refused and did not give him consent, he disclosed that to end the case and rely on their story …

Work cover has no structure or clear standards or clear process for complaint, it is all making favourites.

Can you please confirm receiving this complaint. And investigate it by someone independent….

  1. I note that this email refers to an email from CJU of 8 March 2016. I have not seen that email.

  2. By an email from Ms Richardson, Customer Service Consultant with the respondent, CJU was informed that her complaint made in her second email sent on 10 March 2018 had been forwarded to Mr Bromly for his attention.

  3. By an email from CJU to the Privacy Officer of the respondent sent on 11 July 2016, CJU requested an internal review of what she said was a breach of privacy and confidentiality by Mr Covi, without her consent, contacting:

his friends in the NSW ministry of Health to alert them seeking information about me without my consent …

  1. In an email from CJU to the office of the Minister of Health and to Ms Stewart of the respondent on 10 August 2016 at 8:45am CJU described the subject of the email as:

WORKSAFE breach of privacy and cover up

  1. The email included:

….

WORKSAFE should record the dates and facts properly and stop switching every fact just to meet it’s desired outcome that there was no breach of privacy and both staff who ran to their seniors friend in NSW Health did nothing wrong. Mr Covi and his supervisor Damien Bromly were working closely together and even in the covering up…

…..while I made it very clear that Mr Covi wanted to talk to the seniors in NSW Health about me, he wanted to talk to those he knows in the ministry of health…

[Mr Covi] contacted them because he wanted them to know while he knew very well that I refused that, he had no consent and he knew that I work at …

I made it very clear when Mr Covi contacted me and he tried time after time to extract my consent and let him contact his “seniors fried” (sic) he knows in the ministry of Health. He said he will talk to them about my (sic) me and all the case. I SAID KNOW (sic), so he breached my privacy …

I repeadtly (sic) refused and told him I am applying for the prosecutions as per the law and he tried again and said they are seniors I can talk to them, I said NO, …

He refused to say their name and I said No do not tell them …

A – the consent is to tell those I am applying to prosecute them not to talk to his friend in NSW MINISTRY OF HEALTH.

B – my verbal call with him after that would over-ride and revoke any consent he might have thought he has in writing.

C – Mr Covi should have said as you do not give me a consent to tell The ministry of health, I would not be able to proceed …

5 – So Mr Covi and Bromly knew that I do not agree or give consent to contact the his seniors friends in the ministry of Health but he rang to alert them …

All what Mr Covi wanted was to find out what do I have to pas on to NSW HEALTH, not consider the case.

Mr Covi disclosed everything about me and what was in my emails and my application to the ministry of health.

The Minister in charge of WORKSAFE has to find out why, WORKSAFE does not follow the rules, fairness and proper investigations and complaint handling process. But rather cover up for NSW HEALTH TIME AFTER TIME.

That is why patient dies and got hurt and NSW staff get bullied and the cover up happen in NSW Health…

  1. By letter from Ms Stewart of the respondent dated 27 September 2016, CJU was informed of the outcome of the internal review of her complaint about a breach of privacy by SafeWork in speaking to the Ministry of Health about her request for a prosecution. She was informed that no contraventions of Information Privacy Principles had been found. She was also informed that Ms Stewart considered that the inspector was required to provide reasonable detail to the Ministry of Health in order to investigate the allegations CJU had made and that this required disclosure of her name and the details of the allegations she had submitted in the request for prosecution form.

  2. In an email sent on 28 September 2016 to the NSW Privacy Commissioner, Ms Stewart and Others, CJU said:

Ms Sue Stewart, have deliberately omitted my emails and phone communication with her stating that Mr Covi contacted me over the phone just before he contacted Nsw health and I advised mr Covi repeatedly that he has no consent given from me to him to contact the NSW Health at all.

  1. On 6 October 2016 at 4:36pm, Ms Bromwich sent an email to Mr Covi in connection with the privacy proceedings brought by the applicant against the Ministry of Health as follows:

Dear Mr Covi,

I am instructed by the NSW Ministry of Health in proceedings before the NSW Civil and Administrative Review.

These proceedings relate to information allegedly provided to you by the Ministry’s Workplace Relations Branch.

I attach a copy of an email, dated 2 March 2016, sent by you to [CJU]. In the second paragraph of this email, you refer to received “detailed advice” from “Health NSW”.

I would be grateful if you could advise whether you are referring to the Ministry’s Workplace Relations Branch or to the Northern Sydney Local Health District when you refer to detailed advice being provided to you by Health NSW.

At this stage, my query is limited to confirming who provided you with detailed advice, as referred to in your email. I do not seek any information about the content of this advice (or any other information that you may hold in relation to [CJU]).

If you have any queries in relation to the above, please do not hesitate to contact me on [email protected]. Due to the sensitivity of these proceedings, I would be very grateful if you would provide your response in writing.

  1. Whilst on leave, Mr Covi replied to this email by email sent on 6 October 2016 at 5:19pm as follows:

Dear Ms Bromwich

I am currently on leave and will reply to your email sometime after my return to work on 12/10/16 when I have had an opportunity to examine relevant internal records and seek advice from our legal section before I provide you with any written response to your query.

I have ccd my superior Damien Bromly into my response to you as he has knowledge of this matter.

  1. After he returned from leave, and after consulting with both Mr Bromly and Ms Gleeson, Mr Covi sent the 17 October 2016 email. I accept Mr Covi’s evidence that he did not obtain any legal advice before he sent the 17 October 2016 email.

  2. The respondent accepts that at the time of sending the 17 October 2016 email, Mr Covi was aware that CJU was sensitive about the respondent providing information about her to the Ministry of Health and that he could not have thought that the applicant would have no objection to him sending the information that he did send. However, in accepting that fact, the respondent disputed CJU’s version of the conversation on 18 February 2016.

  3. In cross examination Mr Covi said he had not seen the terms of the complaints that CJU had made about him, although he became aware that she had made a complaint. There was no challenge by CJU to this evidence in her cross-examination of Mr Covi. I accept Mr Covi’s evidence to this effect.

  4. I find that CJU first became aware of the 17 October 2016 email on or about 6 December 2016 when Ms Bromwich forwarded the email to her, following a direction from the Tribunal in the privacy proceedings against the Ministry of Health: see paragraphs 8 and 9 of Ms Bromwich’s statement dated 16 February 2017 (Exhibit A2).

  5. On 14 February 2017, the respondent received a request from CJU for an internal review of an alleged privacy breach in respect of the 17 October 2016 email. That review was conducted by Ms Jackson of the respondent.

  6. On 14 February 2017 at 5:47pm, CJU sent an email to the office of Mr Perrottet MP, amongst others, concerning her request for an internal review of Mr Covi’s breach of her privacy “again”. The email included:

Worksafe has no rights to breach privacy,

no rights to alert other friend in NSW health,

no rights to hide documents to cover up for their friends,

has no rights to set up on complaints and not to investigate.

Has no rights to close legitimate investigation to cover up for the ministry of health.

Has no rights to make their friends in NSW to decide if the contents of my own file to be accessed or not.

  1. By email sent on 5 March 2017 at 8:27pm CJU informed the Tribunal that she discontinued her privacy application against the Ministry of Health (matter no. 1610498). The email included:

In October 2016 the ministry contacted the Worksafe officer while he was on leave notwithstanding my objections in relation to this contact. He responded to her and communications were made between them about evidence relevant to this matter …..

In circumstances where I have been stonewalled at every point, I cannot prepare and conduct the proceedings in any fair way, form, and meaningful way and have made the very emotional difficult decision to discontinue it.

  1. The outcome of the Ms Jackson’s internal review was communicated to CJU by letter dated 13 April 2017. That letter included:

Greta Bromwich from the Crown Solicitor’s Office was acting on behalf of the NSW Ministry of Health in proceedings in the NSW Civil and Administrative Tribunal. I understand that these proceedings involved you as the other party. In her email to Paul Covi of 6 October 2016, she enquired whether the ‘detailed advice’ from ‘Health NSW’ (referred to in an email dated 2 March 2016 from Mr Covi to you was from the Ministry’s Workplace Relations Branch or the Northern Sydney Local Health District. I note that she was not requesting the advice but just wished to clarify the provider of the advice.

However, as you are aware, in his email of 17 October 2016, Mr Covi provided a detailed response including the email attachments identified above.

5   Conclusion

After carefully reviewing the information available, I have come to the conclusion that there has been a technical breach of section 18 of the Privacy Act and that the exceptions available in section 18(1) are not applicable.

This review is now complete and I have made the following recommendations to the SafeWork NSW management team to remedy its non - compliance with the Privacy Act.

I will contact you again within four weeks when I expect these recommendations will have been implemented.

5.1   Actions already taken by SafeWork NSW

To increase awareness of privacy requirements and an understanding of ‘personal information’, a compulsory on line training module has recently been launched for all SafeWork NSW employees. The mandatory privacy training must be completed by 31 May 2017.

The training includes:

privacy in the Public Sector agencies

understanding your legislation

familiarising the privacy management plan

education and information on privacy principles

misuse of information

collection, use, storage, access and disclosure of personal information

5.2   Recommendation – Revise staff training practices

That staff within the agency are to consider the guidance provided in the Privacy Management Plan for SafeWork NSW, in particular where it states that ‘Requests for personal information from external bodies, including government agencies, will be assessed to determine whether SafeWork NSW is permitted to provide the information’.

That managers remind their teams of obligations under the Privacy Act at regular staff meetings.

The Right to Information team will work with other teams within the agency to provide relevant training if required.

5.3   Recommendation – Make appropriate changes to policies and procedures

That policies and procedures are reviewed to ensure consistency and clarity regarding privacy requirements.

If required, the Right to Information team will assist the document owners to review policies and enhance procedures to minimise further breaches occurring.

  1. The findings of the internal review commenced the chronology of the events concerning the complaint with the email from Ms Bromwich to Mr Covi sent on 6 October 2016. It made no reference to any events before that time.

  2. In an email from CJU to Ms Jackson sent on 7 May 2017 at 7:29pm, CJU said:

….. she was totally dissatisfied by the… conducts of SafeWork NSW and the internal reviews of breaching my privacy.

And the breaches and endless attempts to cover the conducts up and prevent justice and favors NSW Health seniors …”

  1. By letter from the Deputy Executive Director of the respondent dated 10 May 2017, the respondent apologised to CJU:

for any distress or harm caused by actions of staff that were in breach of the Privacy Act…

  1. The letter also included:

SafeWork NSW aims to be an exemplary regulator, and the actions taken in relation to your personal information fell short of the high standards that the public, and you specifically, should rightfully expect from us.

We ought to; and certainly do now, recognise that in the circumstances in which SafeWork NSW distributed your information to a third party, we should have first contacted you and sought your approval personally. We regret that we did not ensure that you were provided with the opportunity to decline this information being provided.

I wish to assure you and provide an undertaking that the conduct will not occur again. I will also ensure that further training of our officers in privacy issues will occur to ensure that the conduct will not occur again.

I sincerely apologise for our failure to meet the privacy principles in the action taken in relation to your information. I am committed to ensuring SafeWork NSW is a secure custodian of privacy information, and that this is at the forefront of our intentions and actions when we are protecting the privacy of the citizens of New South Wales.

  1. CJU responded to the respondent’s letter of apology by email sent on 22 May 2017. The email included:

4.   The apology Worksafe sent to me is a joke “next time we will ask you.

I said so many time to your corrupt staff ‘do not contact the Ministry’ and time after time they disclosed to the Ministry to cover up.

  1. By an application lodged with the Tribunal on 22 June 2017, CJU commenced these proceedings against the respondent. This application replaced an earlier application lodged by CJU against NSLHD, filed on 9 May 2017.

  2. The application was confusing for a number of reasons, one of which was that it was not specifically directed to the conduct which was the subject of the internal review by Ms Jackson. The grounds for review were stated to be:

NSW SafeWork failed to abide by the law and breached my privacy many times to cover up for NSW Health and failed to provide me with a proper outcome for 2 internal reviews of breach of my privacy and subjecting me to more breaches of my privacy. Stress and suffering. 1 - P Covi contacted Ministry of health without my consent. 2 – I asked his supervisor Damien Bromley to remove P Covi from my case, Damien was involved in the breach and did not remove him. 3 – I complained in writing against both of them to Worksafe, it was covered up and gave the complaint to the same 2 offenders.

4 – I wrote to the minister in charge of NSW SafeWork, and to the ministry of health Deputy Secretary, I was denied access to the information under GIPA and I was deliberately ignored and the matter was covered up by seniors. 5 – Ministry of health had access to P Covi while he was away on leave and his email stated that clearly. The ministry contacted him.

While I wrote to the Deputy State Secretary, NSW Health, Ms Karen Crew and she became aware of the matters She failed to act per the law.

I am exercising my right by the law to request review of the breach of my privacy and to review the conducts of Deputy State secretary and NSLHD.

I am seeking remedy and damages.

  1. After the hearing was concluded, the applicant provided with her supplementary submissions a number of additional notes and emails which she had not presented to the Tribunal at the hearing (from pages 11 to 22 of those submissions). I take no account of this additional evidence. There was no permission from the Tribunal to present any such additional evidence in the directions it made for some limited further submissions at the close of the hearing on 12 November 2018. The applicant had her opportunity to present her evidence at the hearings on 14 March 2018 and 12 November 2018. It would be unfair to the respondent if the Tribunal was to decide to take this additional material into account.

  2. For the same reason, I take the same approach to new statements that the applicant made in those submissions about loss and damage she has allegedly suffered as a result of the Disclosure.

The controversial facts:

Telephone conversation between Mr Covi and the applicant on 18 February 2016

  1. I do not accept Mr Covi’s evidence that he has an actual recollection of the conversation with the applicant on 18 February 2016 whether refreshed by his file note or otherwise. The applicant submitted, and I agree, that her cross-examination revealed that in a number of respects Mr Covi did not have a good memory of the events concerning her request for prosecution or about Ms Stewart’s subsequent internal review.

  2. I find that the applicant does have an actual recollection of this conversation, but I am not prepared to accept that her version of it is wholly accurate. The applicant gave her version of the conversation before she had seen Mr Covi’s file. That file note provides some, but not complete, support for her version. I think it is implicit from the file note that the applicant did convey to Mr Covi that she did not agree that he should take up the matter she had raised with the Ministry of Health, at least, not at that stage. Rather, what she wanted to know was whether or not SafeWork would be prosecuting before she consented to them taking any such further action. Accordingly, I find that this is what the applicant did convey to Mr Covi.

  3. However, because of the terms of the contemporaneous file note, which I regard as the most reliable source of what transpired in the conversation, I am not prepared to accept that she spoke to Mr Covi in the emphatic and blanket terms against making any contact with the Ministry of Health that she says she did. If she had done so I would have expected the file note to reflect this. I accept Mr Covi’s evidence that he prepared the file note on 18 February 2016 after the conversation with the applicant.

  4. Nor am I prepared to accept that Mr Covi referred to speaking to a friend in the Ministry of Health – by contrast, the file note refers to people in the Health Department that Mr Bromly meets with.

  5. Nor do I accept the applicant’s interpretation that Mr Covi’s subsequent enquiry of Mr Craft was directly contrary to what she had said to him in the conversation. I do not accept that Mr Covi understood it in that way. His subsequent contact was an enquiry seeking information, apparently, as an aspect of SafeWork’s consideration of the request for prosecution – it was not a taking up of the matter with the Ministry. I do not accept their conversation covered the subject of the steps Mr Covi might take in his investigation of the question of prosecuting, including contacting people in the Health Department as part of that investigation.

  6. I should add that I was not impressed by CJU’s oral evidence in cross-examination about the conversation in which she gave a long and unresponsive answer rejecting the proposition that Mr Covi did not speak to her in the terms she said he had. Her answer indicated to me that she was giving her evidence as an advocate for the version she wanted the Tribunal to accept.

Why Mr Covi sent the 17 October 2016 email

  1. The 17 October 2016 email, which I have defined as the Disclosure, was far from responsive to Ms Bromwich’s email which had just asked for limited information as to who had provided the advice referred to in his email dated 2 March 2016.

  2. It remains a mystery why Mr Covi sent the email in the terms that he did. In his cross-examination he was firm in saying he could not now explain why he did so. When pressed on the subject all he could say was that a solicitor asked him for information and he provided it.

  3. I find his answers to this effect unconvincing, but I see no proper basis to make a positive finding that he had some sinister motive against the applicant in sending it. In his cross-examination Mr Covi said that he thought the email was an appropriate response. He said, and I accept, that his superiors (Mr Bromly and Ms Gleeson) did not suggest there was anything wrong in sending it. He said that he now knew more about privacy protection (he had received some online training in 2017), but he gave answers about his present views concerning the email that indicated to me that he still did not really appreciate that he should not have sent the email without the applicant’s consent.

  4. All of this suggests a step taken in ignorance of the applicant’s rights rather than acting in bad faith or maliciously to harm or undermine the applicant’s interests, but I am not able to make any positive finding as to why he sent the email.

Impact of the Disclosure on the applicant

  1. It is clear that, prior to the Disclosure, CJU had become distressed following her discovery that Mr Covi had proceeded to make contact with the Ministry of Health after the conversation on 18 February 2016. Her distress intensified as she battled (as she saw it) by a variety of means against persons in SafeWork, the Ministry of Health and NSLHD who she believed were intent on ensuring that her request for prosecution was not acted upon, and as she sought to have persons responsible for disclosing her personal information between these agencies, without her consent, brought to account.

  1. This much I take to be uncontroversial. It is evident from her email correspondence after 18 February 2016 referred to above and her written and oral statements at the hearing. In this regard, I have taken account of CJU’s statements at the hearing about the trouble she has experienced, including her display of emotion from time to time, which I accept was genuine.

  2. In saying this I am not accepting the accuracy of the applicant’s perception about this.

  3. In this state of mind, as referred to above, in December 2016, she came to discover the Disclosure. I am satisfied that this did exacerbate her distress. To this extent, I accept what she said in her document Evidence and Submissions, which is Exhibit A1, namely:

[CJUI] was so upset and very stressed when she found out her privacy had again been breached by Safework…

This case and this conducts has caused the applicant more emotional distress as the applicant felt helpless, especially as after she wrote to seniors, minister, and complained to Safework but all were covered up.

  1. However, against the applicant, I do not accept that I can or should attribute a great deal of significance to her additional distress in circumstances where she has not presented any evidence as to any specific consequences that flowed from this new event such as impact upon her work, sleeping, lifestyle, relationships or treatment for her state of mind, nor has she presented any independent evidence to support her claim.

  2. CJU said that her discovery of the Disclosure caused her to withdraw her application against the Ministry of Health for breach of information privacy – a step that she found distressing and humiliating.

  3. According to the applicant, it also meant she abandoned a winnable case. The appIicant may have had in mind that this resulted in a financial loss for the loss of opportunity to obtain a damages award. However, she never sought to quantify this or demonstrate the merits of this withdrawn case.

  4. Although asked, CJU did not adequately explain the alleged link between discovery of the Disclosure and withdrawal of the privacy claim against the Ministry of Health. She referred to a sense of helplessness but this seems inconsistent with her pursuit of this claim. In the circumstances, I am not satisfied that there was, in truth, any real link between the Disclosure and the withdrawal of these other proceedings.

Training by SafeWork after the breach of privacy complaint

  1. In a signed written statement dated 6 March 2018, Ms Stewart of the respondent gave evidence about privacy training implemented by the respondent since October 2016. Ms Stewart is the Co-ordinator of the Right to Information Unit (RIU) of the respondent. The RIU processes applications for internal review of alleged breaches of privacy, as well as dealing with requests for information under the GIPA Act.

  2. In her written statement, Ms Stewart gave the following unchallenged evidence, which I accept, that:

  1. The training referred to in the letter of apology was initiated as a result of a previous privacy-related matter, which also coincided with CJU’s matter.

  2. Mandatory privacy training was rolled out to all staff between March and May 2017. That training provided all staff with an overview of the Information Protection Principles (IPP), outlined good practice in relation to the collection, storage, use and disclosure of personal information and informed all staff of their legal responsibilities and obligations about such matters. This training course also included examples and an assessment component. That assessment required the employee to achieve a mark of 70% to pass the course, otherwise the course had to be repeated until that mark was achieved. A copy of that course, including all examples and the assessment component was annexed to her statement.

  3. As a direct result of the breach related to CJU, she approached the Work Health and Safety Documents Operations Manual Review Committee in May 2017 to review its policies and procedures around privacy. Specifically, she requested a review of the document titled “Confidentiality of Information, Disclosure and Requests for Information”. She requested that a document be updated to ensure that Inspectors were aware of the responsibilities and obligations related to confidentiality of information. She annexed a copy of the updated document which had changes following her request, including her request for more content to be added, which clearly explained when disclosure of personal information is appropriate and further explained key concepts about disclosure of personal information. She said that the updated version was notified and distributed to all staff on 17 July 2017. She said that these changes were communicated to all staff by email from the Chief Executive Officer and were featured in the staff newsletter.

  4. Also, as a direct result of the breach of privacy relating to CJU, she was aware that the respondent recognised it needed to provide specialised training to Inspectors relating to the collection, use, storage, access, disclosure and security of personal information. The training would be specifically targeted at Inspectors in the field and address privacy issues when dealing with other government agencies and the public. She was currently consulting with the relevant teams within the respondent about this training, which was not ready for rollout. It was planned that the training would be delivered face to face and would involve case study based scenarios.

  1. In her oral evidence, Ms Stewart said that this further specialised training to Inspectors was now planned for the first quarter of 2019.

  2. During his oral evidence, when asked what training he had received, Mr Covi referred to a document, which became Exhibit R4. This consisted of a one page certificate to Mr Covi for the successful completion of the course “BRD Privacy”, and a second page which showed the electronic file names of the contents of the privacy course. Mr Covi explained that he had done the course online. He said the course had taken him no more than half an hour to complete, and it may have taken him materially less than half an hour.

  3. The online course to which Mr Covi was referring must have been the training course referred to in the respondent’s letter about the outcome of the internal review.

  4. In cross-examination, Ms Stewart indicated some surprise that this online course could be completed in half an hour or less, although in re-examination she said that she had not timed how long it was likely to take.

  5. I note that the course describes itself as “introductory” privacy training (Slide 38). I also note that the assessment consists of only 10 relatively simple questions.

  6. In the respondent’s favour, I regard it as of some significance that the changes to the manual that Ms Stewart specifically requested as a result of the privacy breach in this case included specific and prominent reference to s 271 of the WHS Act.

  7. Again in the respondent’s favour, I also note the changes make reference to the following:

2.   Information obtained or documents accessed during exercise of powers and functions, can only be disclosed or used to:

Make inquiries to elicit necessary and relevant information.

Provide information and advice about compliance with the WHS Act.

Provide the basis of reasonable belief to issue an improvement, prohibition or non-disturbance notice or an infringement notice.

Prepare a brief of evidence at the conclusion of an investigation for Management and Legal Services to consider.

Explain context when arranging to have a seized thing analysed, tested or examined by another person.

5.   If it is considered necessary to disclose, give access or use information and/or documents about a specific person, firstly obtain the relevant person’s consent. If consent is not or cannot be obtained, seek legal advice prior to disclosing, using or giving access to the information and/or documents.

11.   If an approach is made by any other person from outside of SafeWork MSW to release information or documents, or the content of these, advise the person to apply through the [GIPA Act] …

  1. As I have already said, in his cross-examination Mr Covi gave evidence that indicated to me his lack of appreciation of error in sending the 17 October 2016 email. In view of this evidence and the limited nature of the online course that I have mentioned, I find that the training steps that have so far been carried out by the respondent are inadequate to convey to staff their responsibilities concerning the disclosure of personal information obtained during the exercise of the powers and functions of the respondent.

  2. I also regard it as unsatisfactory that the further specialised training to Inspectors, to which Ms Stewart referred, has taken so long to be implemented and will not be implemented until the first quarter of 2019.

The law

  1. Related issues arise in this case, first, as to the scope of the expression “psychological harm” in s 55(4)(b) of the PPIP Act and, second, as to what the law may require in order to prove that such harm has been suffered.

  2. In written submissions in relation to this area that I sought from the parties after the hearing, the respondent suggested that recoverable loss for non-physical harm was quite restricted and may not extend to “mere distress”. In support of this submission, the respondent drew upon guidance from the approach in tort in nervous shock cases where recovery is limited to a situation where the plaintiff has suffered some recognisable psychiatric illness: Tame v New South Wales (2002) 211 CLR 317 at [194].

  3. In this regard the respondent submitted:

There are obvious limits to the analogies that can be drawn between principles of tort law and the award of damages under privacy legislation. However, the insistence by the Tribunal that applicants provide some evidence of “impairment” of mental state in order to establish compensable “psychological harm” is consistent with the objectives enunciated by their Honours in the above-cited passage from Tame. It reduces the scope for indeterminate liability, and seeks to set a standard which is capable of objective determination.

  1. The respondent also referred to two Tribunal decisions which between them have expressed the view that damages for hurt and humiliation are not recoverable under s 55(4)(b); APV and APW v Department of Family and Community Services [2015] NSWCATAD 140 at [94]-[95]; CYH v Family and Community Services [2018] NSWCATAD 84 at [104]. The respondent submitted that in APV the Tribunal had held that distress was not recoverable but I do not read the passage relied upon as going this far.

  2. As indicated below, I do not agree that recoverable loss under s 55(4) (b) in respect of psychological harm is as limited as the respondent’s submissions suggest.

  3. In the only Appeal Panel decision on the subject of recovery in respect psychological harm, of which I am aware, damages were awarded for distress: AOZ Rail Corporation NSW (No 2) [2015] NSWCATAP 179 at [20] and [30].

  4. In that case the Appeal Panel said:

28   Other cases where damages award have been made in this jurisdiction include: GR v Department of Housing (No 2) [2005] NSWADT 301 ($4200); NZ v Director General, Department of Housing [2006] NSWADT 173 ($4000); JD v NSW Medical Health Board (No 2) [2006] NSWADT 345 ($7500); JD v NSW Dept of Health [2007] NSWADT 219 ($4500); WT v Auburn Council [2007] NSWADT 253 ($5000 each); FM and FN v Department of Community Services [2008] NSWADT 288 ($5000). In the federal jurisdiction in Re Rummery and Federal Privacy Commissioner [2004] AATA 1221 there was an award of $8000 for a ‘serious breach’ (the federal law has an open-ended damages provision).

29   In NK v Northern Sydney Central Coast Area Health Service (No.2) [2011] NSWADT 81 the Tribunal made an order for financial compensation in the maximum amount of $40,000. In this case the Tribunal drew on the detailed consideration of the principles found in HP v Hunter New England Area Health Services [2009] NSWADT 186. These are the main points:

- damages are compensatory in that the applicant should be awarded such sums of money so as that he/she may be restored to the position that he/she would have been in but for the breach:…. However, this must also be viewed in the context of the $40,000 limit as provided for in the PPIP Act;

- in measuring compensation the principles of damages as apply in tort law are a guidance but the ultimate guide is the wording of the PPIP Act and its objectives;

- compensation should be assessed having regard to the complainant's reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances;

- ‘psychological harm’ in s.55(4) of the PPIP Act is intended to encompass situations where an individual suffered some impairment of the mental states and processes. These being conditions such as depression and anxiety.

- even where an applicant is able to substantiate loss or damage as a result of conduct that contravenes an 'information principle' under the PPIP Act, an award of damages under that Act remains a discretionary one;

- compensation for alleged financial loss and alleged psychological and physical harm can only be considered where the Tribunal finds that the alleged loss and harm was 'because of' or 'caused by' the contravening conduct of the respondent.

30 In this case, while we have no independent evidence of psychological harm, we are prepared to accept from the submissions and material filed by the applicant, and our assessment of her when she participated in the main appeal hearing, that she has suffered emotional distress and harm, along the lines that she has asserted, because of the aspect of the conduct of RailCorp in relation to which we have made a finding of contravention. In this regard, the indication given by RailCorp is also to be commended in that it has not resisted outright the making of some award pursuant to s 55(2)(a), and to that extent acknowledges that an award under s 55(2)(a), as qualified by s 55(2)(d), is not out of the question.

31   Equally, it is clear, we think that the appellant’s distress has a wider compass than the aspect of RailCorp’s conduct in relation to which we have found a contravention.

  1. In AOZ the appellant was awarded an amount of $4,000: at [33].

  2. It is notable that the passage from the HP decision that was adopted by the Appeal Panel, in which reference was made to depression and anxiety, only gave these conditions as examples.

  3. In addition to the fact that both claims were for distress, the present case has two other elements in common with the AOZ case, namely that in AOZ there was no independent evidence, including medical evidence, supporting the claim and the breach was not the only factor causing the appellant’s distress.

  4. Because of the AOZ decision awarding compensation for distress, which I should follow, this is not the occasion for a broader consideration of the nature of the harm which falls within the meaning of “psychological harm” in s 55(4)(b).

  5. Nevertheless, out of deference for the submissions that I have received on the subject, I express the following views about some aspects of those submissions:

  1. It seems to me the expression “psychological harm” in the section is of wide import. It stands in contrast to “physical harm”. “Psychological”, and not the word “psychiatric”, is the chosen term. No degree of such harm has been imposed such as a requirement for “serious” psychological harm. Given its common use in a wide range of legal contexts, the word “harm” is capable of application to a wide variety of adverse consequences, as does the interpretation of the word as meaning “some impairment of their mental states and processes”: see JD v Medical Board (NSW) (No.2) [2006] NSWADT 345 at [53].

  2. Furthermore, in the context of information privacy protection and enforcement it could readily be foreseen by the legislature that a breach such as unlawful release of personal information could produce a range of justifiable reactions such as distress, worry, humiliation or fear of some real significance.

  3. It is not clear what is meant by “mere distress”. It may be a reference to distress that did not require medical treatment or distress having no disruptive consequences such as time off work, or interrupted sleep, or breakdown of relationships. Nevertheless, I think these aspects are relevant to proof and quantum rather than resulting in a blanket denial of recovery.

  4. In a context in which enforcement and compensation is placed in the hands of the Tribunal (or its predecessor the Administrative Decisions Tribunal), in which there is anticipated to be less formality and expense than in Court proceedings, it does not seem to me that the legislature would have expected “psychological harm” to be limited to a mental condition that is only capable of identification by diagnosis from a doctor or psychologist.

  5. Indeterminate tortious liability for nervous shock is a distinct issue from the present. Breach of information privacy will be expected to affect an identified person or class of persons.

  1. It does follow from the AOZ decision that I should reject the submission that the respondent must fail because she did not present any medical or other independent evidence to support her claim.

  2. I apply the six “main points” referred to in the above passage from the AOZ decision which were implicitly approved by the Appeal Panel in that case.

  3. I accept that aggravated damages are available in an appropriate case. Such damages are compensatory in nature: Lamb v Cotogno (1987) 164 CLR 1 at 8. In contrast to exemplary damages, such damages are awarded as compensation for harm suffered.

  4. As was said by said by the Full Federal Court in Hall and Ors v A & A Sheiban Pty Ltd and Ors [1989] FCA 92; (1989) 20 FCR 217 (a discrimination case):

75   English authority supports the award of aggravated damages in discrimination cases in appropriate circumstances. In Alexander v Home Office, supra, May L.J. (with whom Ewbank J. agreed) observed that in cases of racial discrimination aggravated damages might be awarded where the defendant had behaved high-handedly, maliciously, insultingly or oppressively in committing the act of discrimination (at 975).

76   Assuming that the principles of tort are properly applicable to the assessment of damages by way of compensation for loss or damage suffered by the complainant under para. 81(1)(b)(iv), then it is useful to refer to the circumstances in which aggravated damages are available in the Australian law of torts. It is fundamental that an award of a larger amount of damages by way of aggravated damages serves to compensate the victim for damage occasioned by the defendant's conduct where an element of aggravation is involved in that conduct, and not to punish the defendant: Bickel v John Fairfax & Sons Pty. Ltd. (1981) 2 NSWLR 474 per Hunt J. at 496; Taylor v Beere (1982) 1 NZLR 81 per Somers J.A. at 93; F.A. Trindale & P. Cane, The Law of Torts in Australia, 1985, p 242. In Lamb v Cotogno (1987) 164 CLR 1 at 8, the High Court observed in a joint judgment that "(a)ggravated damages, in contrast to exemplary damages, are compensatory in nature, being awarded for injury to the plaintiff's feelings caused by insult, humiliation and the like".

  1. In my opinion, an award of aggravated damages falls within the expression in s 55(2) (a) “…by way of compensation for any loss or damage suffered”. So much appears to have been accepted by the Tribunal in NZ v Director General, Department of Housing [2006] NSWADT 173 when it adopted the principles applied by the AAT in Rummery v Federal Privacy Commissioner [2004] AATA 1211 as generally appropriate to cases under the PPIP Act: see at [35]. One of those principles was that aggravated damages were recoverable (the principle set out in (d)).

  1. I do not accept that exemplary damages are available because these are not “by way of compensation”: s 55 (2) (a). They are punitive rather than compensatory in nature: Hall at [81].

  2. I have not seen a sufficient justification for the notion that the Tribunal should apply a restrained approach to the assessment of quantum and I do not approach the question of quantum in this case on that basis (a subject addressed by the parties’ supplementary written submissions).

  3. I am aware that in Rummery the Administrative Appeals Tribunal said that one of the principles relevant to the matter before them was that “awards should be restrained but not minimal” and that the Tribunal in the NZ case indicated that these principles were generally appropriate to cases arising under the PPIP Act: at [25] and [35]. However, unlike s 55 (2) (a) of the PPIP Act, the Commonwealth legislation interpreted in Rummery did not prescribe a limit on the size of a damages award and I do not see anything in the language of s 55 (2) (a), or its context, that warrants the adoption of a restrained approach, other than that the award must not exceed $40,000. The governing consideration is that the award be “by way of compensation” and I do not see that there is some qualification to this by imposing a requirement of restraint.

Conclusion

  1. In applying these aspects of the law to the facts, the Tribunal is satisfied that an award of damages by way of compensation should be made in favour of the applicant in view of the added distress the breach caused to her.

  2. The Tribunal has not identified any factors that would cause it to refuse to make such an award of damages in the exercise of its discretion in circumstances where it is satisfied that the applicant had suffered some psychological harm as a result of the breach. The Tribunal did not understand the respondent to submit that there were any such factors.

  3. However, such an award should be at the lower end of the scale because of the absence of evidence as to the consequential impact of the distress upon the applicant as referred to in the section of these reasons “Impact of the Disclosure on the applicant”.

  4. In saying this:

  1. I have considered the size of damages awards in the 12 cases set out in the schedule of cases in which damages have been awarded under the PPIP Act provided by the respondent in their supplementary written submissions. However, these awards are of limited assistance because each case is factually quite different.

  2. I have considered the applicant’s submission that the only appropriate comparison to her case is the award of the maximum amount of $40,000 in NK v Northern Sydney Central Coast Area Health Service (No.2) [2011] NSWADT 81. I do not agree. In that case the Tribunal was dealing with assessing the making of an award in a context of multiple and varying breaches of information privacy principles resulting in severe consequences for the applicant, including an attempted suicide.

  1. The Tribunal does not accept that any award of aggravated damages should be made in this case. The applicant has not established that in breaching s 18 (1) the respondent acted maliciously or otherwise in a manner that would justify such an award. In this respect, I refer, in particular, to the section of these reasons concerning “ Why Mr Covi sent the 17 October 2016 email”.

  2. In all the circumstances, the Tribunal is of the opinion that an award of damages in the amount of $1,000 is appropriate.

  3. The Tribunal is also minded to make an order under s 55 (2) (b) of the PPIP Act to the effect that the respondent shall not disclose any personal information that it holds about the applicant to any other person other than the applicant without the applicant’s consent or without having first given the applicant 21 days’ notice of its intention to do so. The provision for notice will provide the applicant with an opportunity to object or consent and if she objects to seek appropriate relief in the Tribunal to prevent such disclosure before it occurs.

  4. The Tribunal is minded to make this order because of the conclusions it has reached concerning inadequate training of staff concerning information privacy protection set out in the section of these reasons “Training by SafeWork after the breach of privacy complaint”.

  5. Given the breach in this case and the conclusions that the Tribunal has come to about inadequate training there is a sufficient risk of a future breach (or breaches) of s 18 (1) in respect of the applicant’s personal information to warrant the making of this additional order.

  6. However, before making any such order I will give the parties an opportunity to make any short written submissions about the terms of the order that I have proposed. The parties will have more time to do so than they would usually have to make these submissions in view of the approaching Christmas vacation. I will also give the parties an opportunity to make any submissions about costs.

  7. As the Tribunal has already said, it is not satisfied that the Disclosure was made in bad faith. Accordingly, no issue arises concerning the taking of any step under s 55 (5) of the PPIP Act in respect of the Disclosure, assuming, for the present, that this section is otherwise applicable to the circumstances of this case (a point upon which it is unnecessary that I express any view).

Orders

  1. For the above reasons, the Tribunal makes the following orders:

  1. The respondent shall pay the applicant $1,000.00 within 14 days in respect of the respondent’s breach of the information protection principle in s 18 (1) of the PPIP Act the subject of these proceedings.

  2. By 17 January 2019 the parties are to lodge and serve written submissions of not more than 4 pages in length concerning:

  1. The terms of the foreshadowed order under s 55 (2) (b) of the PPIP Act referred to in paragraph 140 of these reasons.

  2. The costs of these proceedings and whether any decision about costs can be made on the papers without the need for any further hearing.

  1. By 30 January the parties are to lodge and serve written submissions of not more than 4 pages in length in reply to the submissions in Order (2).

  2. Pursuant to s 64 (1) (a) the name of the applicant and any other information identifying the applicant is not to be disclosed without further order of the Tribunal.

***************

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Amendments

21 December 2018 - Formatting error in coversheet corrected, so as to include the omitted reference to Order (2) in the last line of the orders.

Decision last updated: 21 December 2018

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

17

Evans v Health Administration Corporation [2019] NSWSC 1781
GXU v Sutherland Shire Council [2025] NSWCATAD 227
GSY v Western Sydney Local Health District [2025] NSWCATAD 219
Cases Cited

21

Statutory Material Cited

7

NZ v Director General Department of Housing [2006] NSWADT 173
Mount Isa Mines Ltd v Pusey [1970] HCA 60
Tame v New South Wales [2002] HCA 35