Director General, Department of Education and Training v MT - [2006] NSWCA 270

No judgment structure available for this case.

Reported Decision: 67 NSWLR 237

Court of Appeal

CITATION: Director General, Department of Education and Training v MT [2006] NSWCA 270

HEARING DATE(S): 20 September 2006

JUDGMENT DATE:
29 September 2006

JUDGMENT OF: Spigelman CJ at 1; Ipp JA at 54; Hunt AJA at 55

DECISION: 1 Leave to appeal granted; 2 Appeal allowed with costs; 3 Orders 1-3 made by the Appeal Panel of the Administrative Decisions Tribunal in these matters on 23 December 2005 be set aside; 4 In lieu thereof; (a) Appeal No 049045 is dismissed; (b) Appeal No 049040 is allowed; (c) The order of the Administrative Decisions Tribunal of 3 September 2004 is varied by deleting “18 and 19” from order 1.

CATCHWORDS: PRIVACY LAW – PRIVACY AND PERSONAL INFORMATION ACT 1998 (NSW) – Scope of Information Protection Principles – Public agency is not responsible for use or disclosure of personal information by employee acting for a purpose extraneous to any purpose of the agency - COMPANY LAW – Regulatory framework – Rules of attribution – Employee acting for a purpose extraneous to any purpose of the company

LEGISLATION CITED: Administrative Decisions Tribunal Act 1997: Ch 1 Pt 7
Privacy and Personal Information Protection Act 1998: ss 4(4), 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 52, 53, 55, 56, 62; Pt 2 Div 1; Pt 2 Div 3; Pt 3; Pt 5

CASES CITED: AAPT Ltd v Cable and Wireless Optus Ltd (1999) 32 ACSR 63
ABC Developmental Learning Centres Pty Ltd v Wallace [2006] VSC 171
Director of Public Prosecutions Reference No 1 of 1996 [1998] 3 VR 352
Hollis v Vabu Pty Ltd (2001) 207 CLR 21
Linework Limited v Department of Labour [2001] 2 NZLR 639
Meridian Global Funds Management Asia Limited v Securities Commission [1995] 2 AC 500
Northside Developments Pty Ltd v Registrar-General (1990) 170 CLR 146
R v Commercial Industrial Construction Group Pty Ltd [2006] VSCA 181
Re Supply of Ready Mix Concrete (No 2) [1995] 1 AC 456
Rodriguez v United States, 480 US 522 (1987)
Smorgon v Australia and New Zealand Banking Group Ltd (1976) 134 CLR 475
Switz Pty Ltd v Glowbind Pty Ltd (2000) 48 NSWLR 661
Tesco Supermarkets Limited v Nattrass [1972] AC 153
The Lady Gwendolen [1965] P 294

PARTIES: Director General, Department of Education and Training (Applicant)
MT (Respondent)

FILE NUMBER(S): CA CA 40043/06

COUNSEL: N Perram / Francois F F Salama (Applicant)
S Pritchard (Respondent)

SOLICITORS: I V Knight – Crown Solicitor (Applicant)
Public Interest Advocacy Centre (Respondent)

LOWER COURT JURISDICTION: Administrative Decisions Tribunal Appeal Panel

LOWER COURT FILE NUMBER(S): ADT 049040 and 049045

LOWER COURT JUDICIAL OFFICER: Judge K P O'Connor, S Higgins, Z Antonios

LOWER COURT DATE OF DECISION: 23 December 2005

LOWER COURT MEDIUM NEUTRAL CITATION: [2005] NSWADTAP 77

- 19 -

CA 40043/06

SPIGELMAN CJ
IPP JA
HUNT AJA
Friday 29 September 2006

DIRECTOR GENERAL DEPARTMENT OF EDUCATION & TRAINING v MT

A teacher was employed by the Appellant Department in a school in New South Wales. He was also the coach of a soccer team in the same region that had no connection with the school.

The Respondent was both a student at the school and a member of the soccer team. MT had a medical condition which affected her ability to play certain sports. The team reached the finals and, in the week before the preliminary final, MT told X that she would not be available to play but did wish to play in the grand final. The team reached the grand final, but MT was not chosen to play. One of the matters that was taken into consideration was MT’s medical condition.

The coach X had a number of sources of information about MT’s medical condition. Relevantly, at the time that consideration was being given to whether MT could play in the grand final, X took steps to access the school file, which was open to all teachers. Consequently, X contacted the club president and told him that he had become aware that MT had a medical condition.

This case concerned whether the Department’s conduct contravened the Information Protection Principles contained in Pt 2 Div 1 of the Privacy and Personal Information Protection Act 1998 (the “Act”). The matter progressed to the Administrative Decisions Tribunal, and then to the Appeal Panel of the Tribunal. The Department appeals to this Court from the Appeal Panel’s finding that the Department had contravened ss16, 18 and 19 of the Act. The Department had always admitted a contravention of s12.

Section 16 requires that a public sector agency must not “use” personal information, without taking reasonable steps that the information is relevant, accurate, up to date, complete and not misleading. Sections 18 and 19 limit the circumstances in which a public sector agency may “disclose” personal information.

The Department’s primary submission was that, as X was engaged in conduct that had nothing to do with his role as teacher, the Department had not contravened the respective provisions of the Act upon which the Respondent relied.

HELD

Meridian Global Funds Management Asia Limited v Securities Commission [1995] 2 AC 500 applied.

Director of Public Prosecutions Reference No 1 of 1996 [1998] 3 VR 352 considered.

Hollis v Vabu Pty Ltd

Tesco Supermarkets Limited v Nattrass

Re Supply of Ready Mix Concrete (No 2)

Linework Limited v Department of Labour

R v Commercial Industrial Construction Group Pty Ltd

ABC Developmental Learning Centres Pty Ltd v Wallace

Switz Pty Ltd v Glowbind Pty Ltd

Rodriguez v United States,

ORDERS

1 Leave to appeal granted.

2 Appeal allowed with costs.

3 Orders 1-3 made by the Appeal Panel of the Administrative Decisions Tribunal in these matters on 23 December 2005 be set aside.

(a) Appeal No 049045 is dismissed;

(b) Appeal No 049040 is allowed;

CA 40043/06

SPIGELMAN CJ
IPP JA
HUNT AJA

Friday 29 September 2006

DIRECTOR GENERAL DEPARTMENT OF EDUCATION & TRAINING v MT

Judgment

1 SPIGELMAN CJ: The Appellant, to which I will refer as the Department, seeks leave to appeal from a decision of the Appeal Panel of the Administrative Decisions Tribunal which allowed in part appeals brought by both the Department and the Respondent to it from a decision of the Tribunal at first instance. The Appeal Panel held that it was open to the Tribunal to make a finding that the Department had breached s16 of the Privacy and Personal Information Protection Act 1998 (“the Act”) and remitted the matter for determination of facts to the Tribunal. The Appeal Panel also held that the Department’s conduct constituted what the Appeal Panel, in its order, characterised as “a contravention of s18, as varied by s19(1)”.

2 I should note that in its own internal review, in the Tribunal, in the Appeal Panel and in this Court, the Department acknowledged that it had contravened s12(c) of the Act. The Tribunal has not yet determined what consequences flow from that acknowledged contravention.

3 The Tribunal at first instance separated the issue of contravention of the Act from questions of remedy. Accordingly, the matter before this Court is interlocutory and leave to appeal is required. Mr N Perram, who appeared for the Department, applied for leave by Notice of Motion filed on the day of hearing. Ms S Pritchard, who appeared for the Respondent, accepted that an important issue of statutory interpretation arose in the case and that it was appropriate to grant leave. The Court proceeded to hear the Notice of Motion for leave and the substantive appeal together.

4 In my opinion this is an appropriate case for leave. Leave should be granted.

5 The Tribunal found that the Department contravened ss12, 18 and 19 of the Act, but not ss16 and 17. Both parties appealed to the Appeal Panel, but not with respect to s12. The Panel concluded that the Department had contravened ss16, 18 and 19, but not s17. Neither the Tribunal’s conclusion with respect to s12, nor the Panel’s conclusion with respect to s17 is before this Court. The Department appeals with respect to the Panel’s conclusion concerning ss16, 18 and 19. There is no cross-appeal.

6 The directly relevant statutory provisions are as follows:

“12 A public sector agency that holds personal information must ensure:

(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and

(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

…

16 A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

18(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such person or body is a public sector agency, unless:

(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

19(1) A public sector agency must not disclose personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual activities unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or another person.

(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless:

(a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or

(b) the disclosure is permitted under a privacy code of practice.

relevant privacy law

(4) The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.

(5) Subsection (2) does not apply:

(a) until after the first anniversary of the commencement of this section, or

(b) until a code referred to in subsection (4) is made, whichever is the later.”

Background Facts

7 The background facts are in a narrow compass. A teacher, who has been referred to throughout the proceedings as X, was employed by the Department in a particular school in New South Wales. He was also the coach of a soccer team in the same area. The soccer team did not have any connection with the school. The Respondent, MT, was both a student at the school and a member of the soccer team. MT had a disabling medical condition which affected her ability to play certain sports. The team reached the finals and, on 12 September 2001, in the week before the preliminary final, MT told X that MT would not be available to play but did wish to play in the grand final. The team advanced to the grand final but MT was not chosen to play. One of the matters taken into consideration, perhaps the dominant matter but that is a matter for the Tribunal, was MT’s lack of match fitness. However, another matter taken into account was MT’s medical condition.

8 The coach X had a number of sources of information about MT’s medical condition. X had been told by MT’s mother that she had a form of arthritis and would tell the coach if she had difficulty playing. MT wore strapping on her knees when she played. X was informed at the school, where other members of the soccer team in addition to MT were also students, by a number of them that MT had had a recent fall and that she had said that if she had another one it could result in her being left in a wheelchair. When X asked MT about this, MT was dismissive of the inquiry. In September 2001 when the issue of participating in the grand final arose, other team members reiterated their concern about MT’s health.

9 The critical event for the purpose of this case is that, at the time that consideration was being given to whether MT could play in the grand final, X took steps to access the school file. The relevant facts are as stated by the Appeal Panel as follows:

“[12] At this point X decided to access the school file, which was open to all teachers. He learnt for the first time of the nature of her condition as reported in 1998 (a rare genetic condition called proximal symphalangism). He read the doctor’s letter from 1998 and the school counsellor’s report of that year. In his letter to HREOC the teacher said ‘Even though this [the physical disability] was not the main reason for not playing [MT] her medical condition did make us very concerned about her health’. In that letter X referred to the fact that this information had never been known to him or the insurance company, and said: ‘Even though we would never had said no to her playing soccer, we would have passed the information on to the insurance company’. X was then approached by MT and told her that it would be necessary for the parents to provide the club with an indemnity in case she was injured. The next day MT told him that on legal advice they were not willing to give the club any indemnity. Consequently X contacted the club president, and told him that he had become aware that MT had a medical condition, that she intended to play in the grand final when he did not consider her to be match fit and that she had told other members of the team that if she had another injury she would end up in a wheel chair.

[13] Later that afternoon at training (19 September 2001) MT and her mother attended a soccer training session. The club president approached them to express concerns for MT’s safety. The conversation ended, according to the club president, in the mother becoming abusive. MT did not play in the grand final.”

10 Although X had access to the school file, he did so for a purpose extraneous to the school’s functions. There is no finding of fact that access for such an extraneous purpose was in any way authorised.

11 The use or disclosure of the information by X was not a use or disclosure by or in connection with any activity of the Department. The teacher had access to the information by reason only of his status as an employee of the Department, but did not act in that capacity when, relevantly, he disclosed the information to the President of the soccer club. It was this disclosure which the Panel found constituted a breach of s18 and s19 (expressly) and which may have constituted a breach of s16 (implicitly).

12 As the Panel held, albeit in the context of considering s17:

“[47] … The agency, vicariously, used the information only by disclosing it when its employee X, having acquired the information in his capacity as a teacher, disclosed it to the soccer club … X never made any use of the information for internal school purposes. His only action was to disclose the information.”

The Appeal

13 There are a number of grounds of appeal. The primary submission of the Appellant is that, as X was engaged in conduct that had nothing to do with his role as a teacher, the Department cannot be held liable under the respective provisions of the Act upon which the Respondent relied. The relevant conduct, in each case, was the disclosure by X to the President of the soccer club of the information contained in the school files.

14 The critical question for the present case is whether, on the facts, the Department ‘used’ the information within s16 of the Act or ‘disclosed’ the information within s18 or s19 of the Act.

15 Mr N Perram submitted that it was not appropriate to conclude that the actions of X were the actions of the Department in the circumstances of the case. He submitted, correctly, that it was necessary to begin with the legislation. The issue, he submitted, was whether or not any part of the Act could be seen to exclude the operation of common law principles of agency. That is not, in my opinion, the correct approach to the issue of statutory interpretation which is involved.

16 The law of agency is not an adequate or complete basis for institutional law. When determining whether conduct or knowledge or mental state of an individual employee or agent should be attributed to a corporation, an organic approach has been developed, which approach goes beyond the individualistic inclinations of the law of agency. (See e.g. Smorgon v Australia and New Zealand Banking Group Ltd (1976) 134 CLR 475 at 482-483; Northside Developments Pty Ltd v Registrar-General (1990) 170 CLR 146 at 159-160, 201-202; Ross Grantham “Attributing Responsibility to Corporate Entities: A Doctrinal Approach” (2001) 19 C&SLJ 168.) In many cases, the conduct of persons in actual control of particular operations of the company will constitute the company for particular statutory purposes. (See e.g. The Lady Gwendolen [1965] P 294 at 343-344; AAPT Ltd v Cable and Wireless Optus Ltd (1999) 32 ACSR 63 at [91]-[92].)

17 It is necessary to identify, in each specific statutory context, what Lord Hoffmann has felicitously called “the rules of attribution” (Meridian Global Funds Management Asia Limited v Securities Commission [1995] 2 AC 500 at 506C.) These are rules adopted to determine which acts, knowledge or mental states of persons, through whom an organisation necessarily acts, are to be attributed to the organisation for the purposes of the legislative scheme.

18 In a particular context it may be appropriate to apply to an institution a rule of general applicability, such as the law of agency (called a “general rule” by his Lordship). Determining such issues often turns on the interpretation of the constituent documents of an institution, whether contractual or statutory (called a “primary rule” by his Lordship). However, in a case such as the present, determining when a person’s conduct or knowledge should be attributed to an institution turns on the proper interpretation of the regulatory legislative scheme, having regard to the scope and purpose of the scheme (called a “special rule” by his Lordship).

19 As Lord Hoffmann’s judgment in the Meridian Global Funds Management case makes clear, identifying the relevant rules of attribution is a process that must be separately conducted in each particular context. For example, the rule will not be the same when a court is considering vicarious liability for a tort committed by a person associated with a corporation, as the rule that establishes criminal liability of a corporation for the conduct of a person. The policy issues that must be considered in every such context differ considerably. (C/f Hollis v Vabu Pty Ltd (2001) 207 CLR 21 at [42].) Similarly the context of different criminal or regulatory provisions may suggest quite different rules of attribution.

20 When considering the applicability of a criminal statute, Lord Hoffmann said at 507:

for this purpose

21 Lord Hoffmann went on to contrast two earlier cases in order to establish the proposition that the rule of attribution depends on the interpretation of the relevant substantive rule: Tesco Supermarkets Limited v Nattrass [1972] AC 153 and Re Supply of Ready Mix Concrete (No 2) [1995] 1 AC 456. In each case the Court considered the legislative scheme when deciding, in the first, that the acts of a manager were not to be attributed to the company and, in the second case, to come to the opposite conclusion.

22 Subsequent development of the case law has emphasised particular features of the legislative scheme under consideration, e.g. the protective nature of the statutory regulation. (See e.g. in the case of occupational health and safety legislation, Linework Limited v Department of Labour [2001] 2 NZLR 639; R v Commercial Industrial Construction Group Pty Ltd [2006] VSCA 181 and, in the case of a child protection statute, ABC Developmental Learning Centres Pty Ltd v Wallace [2006] VSC 171.) Each statutory regime must be considered separately, although the case law that has developed, particularly after Meridian Global Funds Management, will prove instructive about the kinds of indicators that point one way or another.

23 In Director of Public Prosecutions Reference No 1 of 1996 [1998] 3 VR 352, Callaway JA with whom Phillips CJ and Tadgell JA agreed, referred to Lord Hoffmann’s analysis in Meridian Global Funds Management with approval and said that “it does not tell us the rule of attribution … It merely provides a framework for analysis and dispels the notion that, for all offences, the person with whom a corporation is identified must be its directing mind and will” (at 355 lines 35-40).

24 Callaway JA also identified a number of principles which are inherent in Lord Hoffmann’s judgment and which it is convenient to set out, omitting matters pertinent only to the case under consideration by the Victorian Court of Appeal. His Honour said at 354-355:

“1 The first step is to decide whether a corporation aggregate … is capable of committing the offence in question … The next step is to decide whose acts or omissions or state of mind are, for the purpose of the relevant offence, to count as the acts or omissions or state of mind of the corporation …

2 The search is not for the officers, employers, or agents for whose acts or omissions the corporation might be held liable in a civil action. The question is whose acts or omissions or state of mind are taken to be the acts or omissions or state of mind of the corporation itself for the purpose at hand. The liability is direct, not vicarious …

Leonards Carrying Co Limited v Asiatic Petroleum Co Limited

4 Sometimes only the board of directors acting as such or a person at or near the top of a corporation’s organisation will be identified with the corporation itself. On other occasions, someone lower, and perhaps much lower, in the hierarchy will suffice … The criminal negligence of the lorry driver employed by a corporation will not make it guilty of manslaughter but it is not inconceivable that his or her failure to comply with some regulatory requirement could make it liable, directly and not vicariously, for non-compliance with the relevant regulations.

5 The rule of attribution depends on the offence and on the facts of the case …

6 In at least some cases involving a criminally negligent omission to take due care a corporation may face the dilemma … either there was or were a person or persons in the corporation’s organisation whose function it was to take care in the relevant respect, in which case that person or those persons may be identified with it, or the corporation was at fault because its organisation was inadequate. In referring to a person or persons I do not intend to convey that there can be aggregation as opposed to joint or collective responsibility …”

The Present Case

25 This case is concerned with that part of the Act which contains a scheme for the enunciation and implementation of a number of “information protection principles”. Sections 12, 16, 17, 18 and 19, as set out above, are the relevant principles said to have been contravened in the present case.

26 Each of the principles contained in Pt 2 Div 1 of the Act are obligations imposed upon “a public sector agency”, as defined. This Division contains a number of prohibitions or restrictions upon the conduct of each public sector agency to which the Act applies. The relevant conduct of the agency is identified in a number of different ways:

· “collect” (ss8, 9, 10 and 11).

· “use” (ss16 and 17).

· “disclose” (ss18 and 19).

27 Other principles include an obligation to ensure that information is relevant and accurate (s11), disposed of and protected (s12), accessible to the person (ss13 and 14) and amended to ensure accuracy and relevance (s15).

28 Division 3 of Pt 2 provides a range of specific exemptions from the principles enunciated in Div 1.

29 It is clear from this legislative scheme that the focus of attention is on protecting the privacy interests of persons about whom public agencies collect information. However, it is also a purpose of the legislative scheme to ensure the effective conduct of the public agencies by establishing a mechanism to determine the relevance and accuracy of the information held by such agencies.

30 The enforcement provisions of the scheme, with respect to public agencies, are found in s20(1) and s21(1):

“20(1) The information protection principles apply to public sector agencies.

…

21(1) A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency.”

31 I note that Pt 3 of the Act makes provision for privacy codes of practice, which may modify the information protection principles.

32 The mechanism for enforcement of the information protection principles is set out in Pt 5 of the Act at ss52-56.

33 Section 52 provides:

“52(1) This Part applies to the following conduct:

(a) the contravention by a public sector agency of an information protection principle that applies to the agency,

…”

34 Section 53(1) provides:

the applicant

35 A person who is not satisfied with either the findings of such an internal review or the action taken by the public sector agency, may apply to the Tribunal for a “review of the conduct”.

36 Section 55 relevantly provides:

“55(1) If a person who has made an application for internal review under section 53 is not satisfied with:

(a) the findings of the review, or

(b) the action taken by the public sector agency in relation to the application,

the person may apply to the Tribunal for a review of the conduct that was the subject of the application under section 53.

(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it make any one or more of the following orders:

(a) subject to subsection (3), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b) an order requiring the public sector agency to restrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c) an order requiring the performance of an information protection principle or a privacy code of practice,

(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f) an order requiring the public sector agency not to disclose personal information contained in a public register,

(g) such ancillary orders as the Tribunal thinks appropriate.

…”

37 By force of s56 of the Act an appeal lies to the Appeal Panel of the Tribunal under Pt 1 of Ch 7 of the Administrative Decisions Tribunal Act 1997.

38 As can be seen each of the relevant enforcement provisions i.e. s52(1), s55(2)(a), s53 and s55(1), turn on the “conduct” of the public sector agency. There is no specific statutory provision, of a kind sometimes found in regulatory statutes, that identifies, by way of clarification and often by way of extension, when conduct of an employee or agent of an organisation is to be attributed to the organisation. Absent any such provision, the issue in any specific case is one of interpretation of the legislative scheme, giving weight to its scope and purpose.

39 Each of the principles under consideration in this case, relevantly ss12, 16, 17 and 18, are concerned with a public sector agency that “holds personal information”. That is a term defined in s4(4):

held

(a) the agency is in possession or control of the information, or

(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or

State Records Act

40 Section 4(4)(b) assumes that information may be in the “possession or control” of an employee or agent, in the course of such employment or agency, as distinct from the “possession or control” of the public sector agency upon which the obligations are imposed. However, such information must have come into the possession or control of the person “in the course of” the employment or agency. Where that occurs then each of the principles which turn on the ‘holding’ of personal information will apply to such information. This provision has little significance for present purposes. It does, however, indicate that where the drafter wished to extend the application of the regime beyond the confines of the public sector agency s/he said so. More significantly, this extension was confined to “possession or control” acquired in the course of employment not otherwise.

41 The legislative scheme is concerned with the conduct of public sector agencies acting for their public purposes. The most relevant obligation with respect to unauthorised use of information held by an agency, of a character which has occurred in the present case namely use or disclosure for a non-agency purpose, is that imposed by s12(c), set out above, requiring the agency to take steps to “ensure … that the information is protected … against … unauthorised access, use … or disclosure”.

42 Furthermore, the legislative scheme makes separate and distinct provision in s62(1) for employees who disclose or use personal information for a purpose outside the scope of their official functions.

“62(1) A public sector official must not, otherwise than in connection with the lawful exercise of his or her official functions, intentionally disclose or use any personal information about another person to which the official has or had access in the exercise of his or her official functions.”

43 The interaction of s12(c) and s62(1) is such that, in my opinion, it leaves no scope for the extension of each reference to conduct of the public sector agency to encompass any conduct by an employee or agent, irrespective of whether it is within the scope of his or her functions as such. Where, as here, the “use” or “disclosure” of information was for a purpose extraneous to any purpose of the Department, it should not be characterised as “use” or “disclosure” by the Department or conduct of the Department. It is not appropriate to adopt a rule of attribution that extends so far.

44 There is a tension between s12(c) and the interpretation adopted by the Appeal Panel and urged on this Court by the Respondent. The express regulation of “unauthorised use or disclosure” is qualified by the condition that the “safeguards” must only be “reasonable”. This Court should be slow to interpret a statutory obligation expressed in general terms with the effect that it overlaps with another obligation which is expressed in conditional terms. There are numerous cases which apply the expressum facit cessare tacitum principle of statutory interpretation to statutory powers or procedures. (See e.g. the cases collected in Switz Pty Ltd v Glowbind Pty Ltd (2000) 48 NSWLR 661 at [69]-[73]; Pearce & Geddes Statutory Interpretation in Australia (6th ed) at pars [4.30]-[4.31]. In my opinion, the same approach may assist in determining whether a statutory obligation expressed in relevantly unqualified terms was intended to overlap with a conditional obligation.

45 Of course Parliament may have intended that statutory obligations should overlap. In the Act under consideration, however, the focus of Parliamentary attention is upon a public agency acting in that capacity for public purposes. Where the agency has satisfied its obligation under s12, it was not, in my opinion, Parliament’s intention to expose every such agency to a form of absolute liability for the unauthorised private conduct of its employees or agents.

46 Nothing in the text or the scope and purpose of the legislative scheme suggests that Parliament intended to impose absolute regulatory liability. Indeed, s12(c) itself imposes an obligation only to adopt such “safeguards as are reasonable in the circumstances”.

47 In a case such as the present, where there is a breach of s12 by the agency of a kind which permitted unauthorised use or disclosure, I can see no purpose of the Act which will be served by imposing additional liability upon an agency under any of ss16, 17 or 18. Ms Pritchard submitted that there was a limitation upon liability under ss16, 18 and 19 for conduct in which an employee acts in an unauthorised way. That limitation was to be found in s12(c). She submitted that a contravention of s12(c) was a gateway to the other sections. I would reject this submission.

48 It could be said that, in terms of causation, such a breach is one step further removed than the actual disclosure or use which results in loss or damage, for which compensation may be recovered under s55(2)(a). Perhaps there will be circumstances – although they are difficult to envisage – in which this additional step may mean that compensation is not recoverable. However, there is no warrant to adopt an inappropriate rule of attribution in order to overcome such a contingency.

49 Ms Pritchard submitted that s62(1) provides no basis for proceedings for review or compensation by an aggrieved person. No doubt the imposition of sanctions on an agency, even when an employee has used and disclosed information for a purpose unrelated to the agency, could in some way enhance the enforcement of the information principles. The Act is beneficial legislation which must be liberally interpreted in order to achieve its beneficial purpose. That does not mean that it must be interpreted in such a way that whatever may be regarded as improving its enforcement must fall within the intention of the legislature.

50 As the Supreme Court of the United States said in Rodriguez v United States, 480 US 522 (1987) at 525-526:

whatever

51 The obverse to this case is one where an employee has impermissibly used information held by an agency, but where the agency has not contravened s12. Where an agency has ‘ensured’ that its information is “protected” by implementing ‘reasonable security safeguards’, I can see no purpose of the scheme that is served by imposing liability on the agency. It has done all the Act requires of it. The sanction is, in such circumstances, appropriately directed to the employee, i.e. s62(1).

52 It is unnecessary to deal with other grounds of appeal.

53 The appeal should be allowed. The orders I propose are:

1 Leave to appeal granted.

2 Appeal allowed with costs.

3 Orders 1-3 made by the Appeal Panel of the Administrative Decisions Tribunal in these matters on 23 December 2005 be set aside.

(a) Appeal No 049045 is dismissed;

(b) Appeal No 049040 is allowed;

54 IPP JA: I agree with Spigelman CJ.

55 HUNT AJA: I agree with Spigelman CJ.

**********

Citations

Director General, Department of Education and Training v MT [2006] NSWCA 270

Most Recent Citation

Cases Citing This Decision

140

Anderson v Canaccord Genuity Financial Ltd [2023] NSWCA 294

Cases Cited

9

Statutory Material Cited

2

Melbourne Steamship Co Ltd v Moorehead [1912] HCA 69

Northside Developments Pty Ltd v Registrar-General [1990] HCA 32

AAPT Ltd v Cable and Wireless Optus Ltd [1999] NSWSC 509

Actions

Download as PDF Download as Word Document

CITATION:	Director General, Department of Education and Training v MT [2006] NSWCA 270
HEARING DATE(S):	20 September 2006
JUDGMENT DATE:	29 September 2006
JUDGMENT OF:	Spigelman CJ at 1; Ipp JA at 54; Hunt AJA at 55
DECISION:	1 Leave to appeal granted; 2 Appeal allowed with costs; 3 Orders 1-3 made by the Appeal Panel of the Administrative Decisions Tribunal in these matters on 23 December 2005 be set aside; 4 In lieu thereof; (a) Appeal No 049045 is dismissed; (b) Appeal No 049040 is allowed; (c) The order of the Administrative Decisions Tribunal of 3 September 2004 is varied by deleting “18 and 19” from order 1.
CATCHWORDS:	PRIVACY LAW – PRIVACY AND PERSONAL INFORMATION ACT 1998 (NSW) – Scope of Information Protection Principles – Public agency is not responsible for use or disclosure of personal information by employee acting for a purpose extraneous to any purpose of the agency - COMPANY LAW – Regulatory framework – Rules of attribution – Employee acting for a purpose extraneous to any purpose of the company
LEGISLATION CITED:	Administrative Decisions Tribunal Act 1997: Ch 1 Pt 7 Privacy and Personal Information Protection Act 1998: ss 4(4), 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 52, 53, 55, 56, 62; Pt 2 Div 1; Pt 2 Div 3; Pt 3; Pt 5
CASES CITED:	AAPT Ltd v Cable and Wireless Optus Ltd (1999) 32 ACSR 63 ABC Developmental Learning Centres Pty Ltd v Wallace [2006] VSC 171 Director of Public Prosecutions Reference No 1 of 1996 [1998] 3 VR 352 Hollis v Vabu Pty Ltd (2001) 207 CLR 21 Linework Limited v Department of Labour [2001] 2 NZLR 639 Meridian Global Funds Management Asia Limited v Securities Commission [1995] 2 AC 500 Northside Developments Pty Ltd v Registrar-General (1990) 170 CLR 146 R v Commercial Industrial Construction Group Pty Ltd [2006] VSCA 181 Re Supply of Ready Mix Concrete (No 2) [1995] 1 AC 456 Rodriguez v United States, 480 US 522 (1987) Smorgon v Australia and New Zealand Banking Group Ltd (1976) 134 CLR 475 Switz Pty Ltd v Glowbind Pty Ltd (2000) 48 NSWLR 661 Tesco Supermarkets Limited v Nattrass [1972] AC 153 The Lady Gwendolen [1965] P 294
PARTIES:	Director General, Department of Education and Training (Applicant) MT (Respondent)
FILE NUMBER(S):	CA CA 40043/06
COUNSEL:	N Perram / Francois F F Salama (Applicant) S Pritchard (Respondent)
SOLICITORS:	I V Knight – Crown Solicitor (Applicant) Public Interest Advocacy Centre (Respondent)
LOWER COURT JURISDICTION:	Administrative Decisions Tribunal Appeal Panel
LOWER COURT FILE NUMBER(S):	ADT 049040 and 049045
LOWER COURT JUDICIAL OFFICER:	Judge K P O'Connor, S Higgins, Z Antonios
LOWER COURT DATE OF DECISION:	23 December 2005
LOWER COURT MEDIUM NEUTRAL CITATION:	[2005] NSWADTAP 77