CNP v Commissioner for Fair Trading

Case

[2017] NSWCATAD 70

07 March 2017


Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: CNP v Commissioner for Fair Trading [2017] NSWCATAD 70
Hearing dates: 24 November 2016
Date of orders: 07 March 2017
Decision date: 07 March 2017
Jurisdiction: Administrative and Equal Opportunity Division
Before: J McAteer, Senior Member
Decision:

1. The decision of the respondent is affirmed.
2. The Tribunal has decided not to take any action on the matter.

Catchwords: PRIVACY – Personal Information – Absence of Evidence of Breach – Whether hearing information amounts to a collection – Whether information held – Data protection
Legislation Cited: Administrative Decisions Review Act 1997
Civil and Administrative Tribunal Act 2013
Privacy and Personal Information Protection Act 1998
State Records Act 1998
Cases Cited: Vice Chancellor Macquarie University v FM [2005] NSWCA 192
Category: Principal judgment
Parties: CNP (Applicant)
Commissioner for Fair Trading, Office of Finance, Services & Innovation (Respondent)
Representation: Solicitors:
In Person (Applicant)
W Maynard (Respondent)
File Number(s): 1610280
Publication restriction: Section 64 (1) of the Civil and Administrative Tribunal Act 2013 prohibiting or restricting the disclosure of the name of the applicant.

Reasons for decision

  1. On 20 April 2016 the applicant filed an application for administrative review with the Tribunal. That application concerned how the respondent had dealt with the applicant and his personal information when transacting with the respondent Department concerning various client complaints. The applicant submits that the respondent breached his privacy by the manner in which it dealt with these complaints.

  2. CNP is the applicant’s pseudonym, in that the Tribunal has de-identified the applicant’s name from any open reasons consistent with the practice of the Tribunal in privacy reviews. This is an application for a review of the conduct of the Respondent Public Sector Agency, which was subject to an Internal Review application under Part 5 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act).

  3. The primary issue involved complaints concerning the operation of the applicant’s Strata Scheme, for which the respondent Department has regulatory and oversight authority. The PPIP Act has provisions for a person who is aggrieved by the public sector agency's management of their personal or health information, to request that the matter be reviewed by the Agency. For the reasons set out below the Tribunal finds that there were no significant breaches of the PPIP Act other than a minor issue conceded by the respondent.

Background

  4. CNP contacted the respondent in June 2014 initially on three separate occasions concerning the owners corporation of the Strata Scheme where he resided. Fair Trading staff handling the complaints contacted the applicant on 24 June 2014. The applicant was advised that the matter would be referred to the specialist support unit (SSU) which would contact CNP separately. Two of the complaints were then closed as duplicates and were deleted on 26 June and 27 June 2014. The internal policies and procedures of Fair Trading categorised these two ‘deleted’ complaints as ‘deactivated’ within the complaints database referred to as the Customer Assistance System.

  5. Documents before the Tribunal indicate that the SSU sent the applicant an e-mail on 30 June 2014 providing advice about how the applicant might resolve the complaints himself, or failing that, information concerning lodging the dispute with the Consumer and Commercial Division of NCAT.

  6. On 3 July 2014 the applicant contacted Fair Trading and it appears that various matters concerning the Strata complaint were canvassed in the period 3 July 2014 to 17 July 2014. These contacts involved the applicant, the Department’s Dispute Resolution Officers and staff of the Minister’s Office. At various times contact between the Department’s staff and the applicant was unsuccessful. Some contacts were partially successful in that the applicant spoke to an officer who was able to take a message for the relevant officer dealing with the complaint.

  7. It appears that by 17 July 2014 the complaints had escalated into complaints concerning the respondent Department’s handling of the strata complaints. These complaints eventually took the form of privacy complaints, in that by 17 October 2015 the applicant lodged a complaint with Fair Trading whereby he described the complaint in the following terms:

Broken Privacy – Eavesdropped on my complaints – 7040121, 7045850, 7044469, with (‘L.E.’) there & took over the files (‘T.R.’ )eavesdropped on my conversation behind my back, without my knowledge, consent & permission, & took over the files (3) (aforesaid) from (‘L.E.’)there? I want an apology & compensation? Thanks. Please investigate? Thanks. Please treat this as urgent, as I am very ill, on DSP, under medical treatment & blurred vision due to cataract? Any probs please Buzz, Rgds, (‘CNP). (Mobile Phone No given).

  8. The respondent replied to the privacy complaint by way of letter dated 4 November 2015 and advised that they would be conducting an Internal Review under the PPIP Act. The issue of the requirement of an individual to lodge the review within 6 months of first becoming aware of the matter was dealt with by the respondent in that correspondence. In my view the Department applied an appropriately beneficial interpretation to the facts consistent with the individual rights regime of which the PPIP Act is an example. It was determined that the applicant had first made the respondent aware of these concerns in July and September 2014, and as a result the review was deemed to have been instigated at that time, and was taken to have been further particularised in October 2015.

  9. Having examined the privacy grievance, the respondent summarised the alleged conduct in the context of Information Protection Principles (IPP’s) from the PPIP Act in the following manner:

That (‘T.R.’) Officer 1 collected CNP’s personal information without CNP’s knowledge, consent and permission by eavesdropping on a telephone conversation between CNP and (‘L.E.’) Officer 2.

That Officer 1 used CNP’s personal information to take over the three files (reference numbers 7040121, 7045850 and 7047769).

  10. The respondent identified the relevant IPP’s as relating to the alleged conduct as being: Collection IPP 1 (Section 8), Storage IPP 5 (Section 12), and Use IPP 10 (Section 17).

  11. After conducting an internal review of the alleged conduct the respondent found no breach of an IPP or any breach of the PPIP Act. The respondent did however identify that correct internal file protocol procedures had not been followed by the officers in the Department, in that the ‘duplicate files’ raised different issues and should not have been deleted, and further that initially only one file should have been created containing all the issues raised.

The relevant legislation

  12. The PPIP Act defines personal information at section 4. The requirement that the data meets the personal information definition is the precondition to coverage under the PPIP Act. This (section 4) requirement in the current matter extends to the nature of the data or information subject to the claimed breach. Section 4 provides:

4 Definition of “personal information”

(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

(2) Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.

(3) Personal information does not include any of the following:

…..

(4) For the purposes of this Act, personal information is held by a public sector agency if:

(a) the agency is in possession or control of the information, or

(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or

(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.

(5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.

Section 4 (3) contains 12 exemptions to the definition of personal information. Those issues do not arise in the current proceedings.

  13. The PPIP Act provides that privacy grievances involving New South Wales public sector agencies can be dealt with by way of an internal review. An internal review has various statutory pre-conditions / requirements as set out at Part 5 and specifically section 53 of the PPIP Act. An internal review takes the form of a fact finding investigation whereby the reviewer accumulates evidence and material to the extent necessary to make a factual finding in respect of the alleged conduct (the conduct under review) and then applies those findings to the relevant provisions of the PPIP Act. After considering the statutory provisions and the availability (or otherwise) of various exemptions, the reviewer then makes a series of findings in respect of the IPP’s and ensuing recommendations.

  14. Section 53 (6) of the PPIP Act provides guidance on the appropriate timeframes for conducting an Internal Review. Whilst the PPIP Act does not specify a strict time, it uses the words that 'the review must be completed as soon as is reasonably practical'. In addition it provides that if the review is not completed within 60 days, the applicant / complainant may apply to the Tribunal for a review of the conduct concerned.

  15. In the current matter CNP took issue with the respondent taking more than 60 days to complete the review. The review was provided to CNP approximately 5 months after lodgement.

The Hearing

  16. The matter was heard over half a day before the Tribunal. At the conclusion of the evidence and submissions the Tribunal had formed a view about the application, but due to time constraints was unable to provide detailed reasons at the conclusion of the hearing.

Applicant’s Written Evidence

  17. The applicant tendered a number of documents as evidence in support of his application. These took the form of signed statements, an affidavit, a medical certificate and the application for administrative review. Various written submissions addressing matters in the review and respondent material were filed by the applicant. These addressed the respondent’s matters item by item through 29 and 18 dot points respectively.

  18. The written evidence of the applicant comprised:

  • Application for review dated 15 April 2016 with 6 pages of grounds Exhibit A 1.

  • Affidavit of the applicant deposed 27 September 2016 Exhibit A2.

  • Medical Certificate Dr F Quader dated 7 November 2016 relating to the applicant Exhibit A3.

  19. Other material was before the Tribunal as referred to at paragraph 17 (above).

Respondent’s Written Evidence

  20. The respondent filed documents under the provisions of section 58 of the Administrative Decisions Review Act 1997. This position seems consistent with the change from a review of conduct, (as referred to in section 55 of the PPIP Act prior to the enactment of the Civil and Administrative Tribunal Act 2013 and the repeal of the Administrative Decisions Tribunal Act 1997), to an administrative review of conduct.

  21. The respondent’s written material was in two volumes:

  • S-58 documents filed 26 May 2016 comprising correspondence between the parties and Privacy Commissioner correspondence. Exhibit ‘R 1’.

  • S-58 documents filed 9 June 2016 comprising file records from matters: 7040121, 7045850 and 7047769.

Jurisdiction

  22. There is no dispute that the Tribunal has jurisdiction to hear this application. Section 55 of the PPIP Act provides for a review by the Tribunal if the matter has been subject to a valid internal review and the applicant is either dissatisfied with the findings of the review, or the review has not been completed within 60 days. It was uncontroversial between the parties that the application to the Tribunal had been lodged after completion of the internal Review, and that that application had been lodged within time as calculated from that completion.

Evidence at Hearing

  23. The applicant read Exhibit A 2 onto the record in giving his evidence in chief. In that affidavit the applicant deposed that it was his belief that Departmental officer (‘T.R.’ known as Officer 1) has breached my privacy by eavesdropping and listening to my telephone conversation with (‘L.E.’) (Officer 2). Also by DFT – Penrith on / around 10 July 2014, behind my back, without my knowledge, consent and permission. This deliberately, intentionally and wilfully done by her (‘T.R.’). ‘T.R.’ has told me this (listening), and admitted to me on phone.

  24. The applicant gave evidence that the privacy concerns had caused him to suffer medical issues which were adverse to his health and well-being. Exhibit ‘A-3’ referred to suffering chronic bilateral shoulder and thigh pain. The medical certificate is dated 7 November 2016 a few weeks prior to the hearing. No timeframe for this condition is referred to on the certificate.

  25. The applicant’s oral evidence however was that he could not remember suffering pain prior to the Fair Trading issues central to these proceedings. His evidence was that the dispute has concerned him, he is suffering as a result of harassment and bullying. He has booked a spot in a separate location for retirement accommodation. The applicant gave evidence that the previous strata managers haven’t done anything for him, ‘they just haven’t done a thing’.

  26. The applicant gave evidence that ‘T.R.’ told him on 10 or 11 July a few minutes after the breach what had occurred. Three files were put into the system about the strata grievance. The applicant stated in his evidence that he felt confident with the nature and level of the service given by ‘L.E.’ but not so by ‘T.R.’

  27. When questioned about the medical condition concerning shoulder and upper leg pain the applicant stated that he ‘couldn’t remember whether (he) had the problem before dealing with Fair Trading.’

  28. The respondent submitted that there was no prejudice to the applicant caused by any of these issues before the Tribunal. The respondent’s representative submitted that his instructions were that the letter signed by the Commissioner for Fair Trading Mr R Stowe on 8 August 2014 is the Department’s final position on the handling of the substantive (Strata) grievance, and that it contains a ‘partial’ apology.

  29. In the respondent’s submission that apology arises solely in the context of a conceded administrative error (concerning the administration of the three files). In closing the respondent submitted that no further action should be taken in respect of the matter.

  30. The applicant submitted that he was entitled to $40,000 in damages on a number of consecutive counts and other significant remedies concurrently.

Consideration

  31. The intentions of the applicant and his understanding of what took place (as set out in his submissions and evidence), are not matters essentially in dispute. It is the characterisation of those matters, and the applicant’s objection to certain occurrences or actions being permissible or otherwise necessary that in my view give rise to his grievance. Coupled with this is the unfortunate ‘meshing’ of his substantive dispute involving the Strata Managers, Fair Trading’s handling of that dispute, and the consequential belief by the applicant that privacy breaches arise from these issues and therefore give rise to significant penalties and remedies.

  32. I have no doubt having read the applicant’s material and heard from him during the proceedings, that these disputes have had some impact and bearing on the applicant over the two and a half years prior to the hearing. It may be that they still have some impact or bearing on the applicant. The only evidence provided (Exhibit A-3) whilst establishing that the applicant suffered from the requisite condition, in my view was not linked to the central dispute based on the applicant’s own evidence.

  33. Putting causation to one side, there was uncertainty as to when the condition first manifested, so as to cast significant doubt (from a chronological perspective) over causation. In addition there was no other evidence as to the cause or trigger for the matters which the applicant presented with and was diagnosed on 7 November 2016 in the weeks prior to the hearing.

  34. The relevant IPP’s identified in the review are as follows:

8 Collection of personal information for lawful purposes

(1) A public sector agency must not collect personal information unless:

(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and

(b) the collection of the information is reasonably necessary for that purpose.

(2) A public sector agency must not collect personal information by any unlawful means.

…..

12 Retention and security of personal information

A public sector agency that holds personal information must ensure:

(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and

(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

…..

17 Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:

(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

  35. In respect of the ‘eavesdropping’ component of the complaint it is somewhat unclear in the evidence as to what was heard. Clearly Officer 1 heard Officer 2’s contribution to the telephone conversation between her and the applicant. The assertion that section 8 (IPP 1) was breached appears predicated on a belief that the information about the complainant was conveyed through Officer 2’s questioning of the applicant (overhearing that conversation) and therefore CNP’s information was collected indirectly (through Officer 2 by Officer 1). I.e. it was not collected directly from the applicant.

  36. On the evidence and material before me the information was clearly collected for a lawful purpose in that it was collected in order to manage, advise, and otherwise respond to CNP’s strata complaint. The information stayed within the Department through this process subject to the need to make inquiries and otherwise investigate matters with the Strata Managers. This aspect of the Department’s work would be governed at the requisite time by an in-force Privacy Commissioner section 41 (PPIP Act) Direction in respect of investigative functions. (Since repealed or not current). It may well be that the Department was exercising powers under the governing legislation concerning strata schemes. Whilst no submissions were put by either party on this issue, in my view the alleged breaches might be further authorised by section 25 of the PPIP Act especially in so far as the complaint concerning the breach of section 17 of the PPIP Act concerning ‘use’.

25 Exemptions where non-compliance is lawfully authorised or required

A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:

(a) the agency is lawfully authorised or required not to comply with the principle concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

  37. I note that the respondent has conceded in the Internal Review that the erroneous deletion of two of the generated complaint files (No’s 7040121 and 7045850), was a breach of section 12 of the PPIP Act. The deletion of the files resulted in no consequential breaches of privacy law, and if anything would appear to be more aligned with the provisions of Part 3 of the State Records Act 1998.

  38. In addition I note the matters outlined in Commissioner Stowe’s letter of 8 August 2014 indicating the action taken to restore the records in response to CNP’s concerns.

  39. In respect of the ‘use’ grievance (s-17), the respondent outlined in their review the circumstances of the files being handled by different officers. The respondent has provided a clear and cogent business explanation for these actions and in my view no privacy grievance can be maintained (even in the absence of an explanation for the transfer).

  40. In forming this view I note that the files were transferred between officers of the same Unit or area within the Department. In addition some aspects of the transfers within the agency were in response to the applicant raising matters directly with the then Minister’s office and escalating his grievances. In my view this evidence before the Tribunal further explains the actions of the respondent as being legally and practically permissible when the above factual circumstances are considered.

  41. The use would appear to be entirely consistent with the Department’s officers managing CNP’s matters within the available resources.

Further consideration

  42. The complaint of the ‘eavesdropping’ is (notwithstanding the matters outlined above) a matter that can be further addressed. The PPIP Act is primarily a data protection Act, and whilst there are residual powers for the Privacy Commissioner under section 36 (2) (k) and (l) (concerning privacy related matters), the IPP’s primarily deal with data, which is material which at the time of collection, transmission, use etc. is in a recordable form.

  43. The New South Wales Court of Appeal considered the issue of information being ‘held’ in a person’s mind in the case of Vice Chancellor Macquarie University v FM [2005] NSWCA 192 (FM). In that case the Court was dealing with a disclosure of information that had been gleaned through conversation with another individual. The Court of Appeal held at the concluding paragraph [40] that:

40 The primary context of the legislative scheme which gives meaning to the words “holds personal information” is Pt 2 Div 1, with the definitions in s4. That context strongly indicates that the words do not extend to information held in the mind of an employee.

  44. Whilst the case examined a submission (about a different piece of data) concerning police information being conveyed orally prior to any ‘record’ being made, the current case involves the creation of records. However even if the information that Officer 1 heard from Officer 2’s conversation with CNP was consistent with data that had been recorded in the complaints database, as we do not have a record of what specifically was heard, it may be that the information was only (at that time) in the mind of Officer 1 (and clearly Officer 2).

  45. If what Officer 2 heard was not recorded at the relevant time, then consistent with the case of FM the information would not have constituted personal information under section 4 of the PPIP Act as it was not held by the respondent agency at that time. These observations are consistent with the PPIP Act being in practice a data protection statute rather than a broad privacy statute offering statutory protections against physical privacy infringements, oral disclosures not materially recorded, intrusion, surveillance (in the absence of capture) and more common additional notions of privacy.

  46. These matters are addressed in order to outline the scope and or limitations to the coverage under the IPP’s. As outlined above there are some residual privacy functions beyond the IPP’s in section 36 of the Act, but the current case does not involve those issues.

  47. In respect of the breach of section 12, when looking at the range of remedies and functions of the Tribunal as set out at section 55 (2) of the PPIP Act, and noting the evidence before the Tribunal and the observations at paragraph 37 and 38 (above), in my view the matter is minor in nature. It has been administratively addressed, and arose in circumstances where no improper motive is evident. The matters outlined in the Commissioner’s correspondence of 8 August 2014 lead me to form the view that no further action is necessary.

  48. In respect of the applicant’s other grievances, (the time taken to conduct the review), for the reasons set out in paragraphs 14, 15 and 22 (above), in my view (even if section 55 (1) (b) applies) no further action is required on that point. It is clear that there was a continual relationship between the parties from July 2014 to March 2016 both leading up to the review, and the final five months in addressing the review.

  49. CNP’s other detailed grievances in my view are not privacy related, but are in part concerned with the actions of private sector third parties (the substantive strata complaint), and also involve customer service issues best directed back at the Department or the external oversight body if appropriate. This observation is made purely to illustrate that the Tribunal has no further jurisdiction in respect of CNP’s grievances generally (on the evidence and material before me).

Conclusion

  50. As a result there are no additional breaches of the IPP’s other than the breach outlined in the Internal Review constituting a breach of section 12 of the PPIP Act.

  51. I therefore make the following orders.

Orders

  1. The decision of the respondent is affirmed.

  2. The Tribunal has decided not to take any action on the matter.

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 07 March 2017



Cases Citing This Decision

1

FFN v Cumberland City Council [2023] NSWCATAD 108