Director General, Department of Education and Training v MT

Set aside by Appeal:

Set aside by appeal on 20 September 2006 (Director General, Department of Education & Training v MT [2006] NSWCA 270)

Appeal Panel - Internal

CITATION:	Director General, Department of Education and Training v MT (GD) [2005] NSWADTAP 77
PARTIES:	FIRST APPELLANT Director General, Department of Education and Training FIRST RESPONDENT MT SECOND APPELLANT MT SECOND RESPONDENT Director General, Department of Education and Training
FILE NUMBER:	049040 and 049045
HEARING DATES:	16/12/2004 & 31/05/2005
SUBMISSIONS CLOSED:	07/01/2005
DATE OF DECISION:	12/23/2005
DECISION UNDER APPEAL:	MT v Director General, NSW Department of Education & Training [2004] NSWADT 194
BEFORE:	O'Connor K - DCJ (President); Higgins S - Judicial Member; Antonios Z - Non Judicial Member
CATCHWORDS:	adequacy of reasons - statutory interpretation
MATTER FOR DECISION:	Principal matter
FILE NUMBER UNDER APPEAL:	033230
DATE OF DECISION UNDER APPEAL:	09/03/2004
LEGISLATION CITED:	Administrative Decisions Tribunal Act 1997 Freedom of Information and Protection of Privacy Act 1990 (Ontario) Health Records and Information Privacy Act 2002 Human Rights and Equal Opportunity Commission Act 1986 (Cth) Personal Information Protection and Electronic Documents Act 2000 (Can) Privacy Act 1988 (Cth) Privacy and Personal Information Protection Act 1998 State Records Act 1998
CASES CITED:	MT v Director General, NSW Department of Education & Training [2004] NSWADT 194 Vice-Chancellor Macquarie University v FM [2005] NSWCA 192 FM v Vice Chancellor, Macquarie University [2003] NSWADT 78 GL v Director-General, Department of Education and Training [2003] NSWADT 166 KD v Registrar, NSW Medical Board [2004] NSWADT 5 R v Brown [1996] 1 All ER 545 (HL) Seager v Copydex Ltd [No 1] [1967] 1 WLR 923 Corrs Pavey Whiting & Byrne v Collector of Customs (Vic) (1987) 14 FCR 434; 74 ALR 428; 13 ALD 254 Smith Kline & French Laboratories (Aust) Ltd v Secretary, Department of Community Services & Health (1990) 22 FCR 73; 95 ALR 87 Talbot v General Television Corporation Pty Ltd [1980] vr 224 Soulemezis -v- Dudley (Holdings) Pty Ltd (1987) 10 NSWLR 247 Mifsud v Campbell (1991) 21 NSWLR 725 Beale v Government Insurance Office (1997) 48 NSWLR 430 Attorney General of the Commonwealth v Oates (1999) 198 CLR 162; (1999) 164 ALR 393 Oates v Williams (1998) 84 FCR 348; 156 ALR 1 Re L'Annee Kane International Pty Ltd & Australian Trade Commission (1998) 50 ALD 279 W v Edgell [1990] 1 All ER 835 (CA) R v Devon CC, ex p L [1991] FLR 541 R v Harrison (unrtd, CA, Rougier J, 10 July 2000)
REPRESENTATION:	FIRST APPELLANT/SECOND RESPONDENT J McDonnell, solicitor, Crown Solicitor's Office FIRST RESPONDENT/SECOND APPELLANT S Pritchard of consel instructed by S Moran, Public Interest Advocacy Centre
ORDERS:	1. Appeal No. 049045 (Appeal by Review Applicant): Appeal allowed in part. The Tribunal’s finding in relation to s 16 is set aside ; 2. Appeal No. 049040 (Appeal by Department): Appeal allowed in part. The findings in relation to contravention of ss 18 and 19 are set aside. The following finding is substituted: The Department’s conduct in disclosing health information to the soccer club president about the applicant acquired by its employee from school records constitutes a contravention of s 18, as varied by s 19(1); 3. The application is remitted to the Tribunal on the following basis:; (a) to make a finding as to whether the conduct contravened s 16; and ; (b) to make further orders

1 The Appeal Panel has before it appeals from both parties to the decision under appeal. The appeals raise numerous questions relating to the interpretation and application of the Privacy and Personal Information Protection Act 1998 (the Privacy Act or the Act).

2 The decision under appeal is MT v Director General, NSW Department of Education & Training [2004] NSWADT 194. Before the Tribunal the applicant for review, MT, claimed that the respondent (the Department) had contravened ss 12, 16, 17, 18 and 19 of the Privacy Act. The Privacy Act regulates the collection, storage, use and disclosure of personal information held by public sector agencies. The Act permits a person aggrieved by conduct of the agency which might constitute a contravention of the Act’s standards to apply to the agency for it to review the conduct and take any appropriate action; and, if dissatisfied by the agency’s response, to apply to the Tribunal for review of that conduct or the action proposed: ss 53, 55. The required standards are primarily to be found in the statement of twelve Information Protection Principles set out at ss 8 to 19 of the Act.

3 The Tribunal separated the liability and remedies questions. As to the question of the liability of the Department, the Tribunal made the following findings, and further order:

‘1. The Tribunal finds that there have been contraventions of sections 12, 18 and 19 of the Privacy and Personal Information Protection Act 1998 .

2. The Application is to be relisted for a further planning meeting at a time convenient to the parties and the Privacy Commissioner.’

4 The Department’s appeal was the first in time. The Department does not challenge the finding that it contravened s 12. It does challenge the findings that it contravened ss 18 and s 19. On the other hand the review applicant (MT) appeals against the Tribunal’s decision that the Department did not contravene ss 16 and 17.

Background

5 MT was a student at a high school in the years 1998 to 2003 (years 7 to 12). She formally complained under s 53 of the Privacy Act over events that occurred in 2001 to the Department in its capacity as the public sector agency ultimately responsible for the school. She claimed that the school (and, therefore, the Department) had contravened the Privacy Act in the way it had dealt with sensitive personal information relating to her.

6 In this case no evidence was led at hearing, so the conduct under notice is entirely to be found by reference to the evidence contained in the internal review reports. This point is, we think, of some importance in this case. There is not the degree of evidence in the material that one might normally expect going to some of the issues that the parties canvassed before the Tribunal, and again before the Appeal Panel. The following account is drawn from the First and Second Internal Review Reports (Exs A and B before the Appeal Panel), and the reasons for decision of the Tribunal. A primary source is the letter written by the coach, X, to the Human Rights and Equal Opportunity Commission (HREOC), see para [8] of the Second Internal Review Report.

7 We have avoided some of the descriptions used in the decision under appeal. We do not think, for example, that it is desirable, as occurred in that decision for the man to be referred to as ‘the Teacher’. Clearly he had a relationship to the circumstances that involved two different aspects of his life; as did MT. Using the description ‘teacher’ tends to prefer one over the other, and possibly give a misleading impression.

8 On enrolment in 1998, MT’s parents had advised the school that her health was affected by a problem affecting her joints, in particular her knees and legs, that meant that it would not be advisable for her to play certain kinds of sports. This advice led to a school counsellor contacting the parents and placing a report on file. It also led to the parents supplying a doctor’s report. During 1998 a circular was sent to various teachers informing them of MT’s condition.

9 In the year 2000 MT commenced playing soccer with a junior girls’ team in the district. The coach of the team was also a teacher at the school. We will refer to this man as ‘X’. In his capacity as coach, X had been told by MT’s mother that she had a form of arthritis and she would tell the coach if she had difficulty playing. He would then take her off. MT wore strapping on her knees when she played.

10 X had not been among the teachers who had received the circular, and did not have any knowledge that the problem might be one of some greater seriousness. Many of the girls on the team were students at the school. One day at school in 2001 some of these girls told X that MT had recently had a fall, and that if she had another one it could result in her being left in a wheelchair. X asked MT what had happened but she was dismissive of his enquiry. She did not attend soccer training or scheduled games for the next six weeks. X assumed that she had dropped out of soccer, and informed the club president of this assumption.

11 The team reached the finals. On 12 September 2001, in the week prior to the preliminary final MT told X that she would not be available to play, but she did wish to play in the grand final. The team reached the grand final. Other girls on the team again expressed concern to him over her health.

12 At this point X decided to access the school file, which was open to all teachers. He learnt for the first time of the nature of her condition as reported in 1998 (a rare genetic condition called proximal symphalangism). He read the doctor’s letter from 1998 and the school counsellor’s report of that year. In his letter to HREOC the teacher said ‘Even though this [the physical disability] was not the main reason for not playing [MT] her medical condition did make us very concerned about her health’. In that letter X referred to the fact that this information had never been known to him or the insurance company, and said: ‘Even though we would never had said no to her playing soccer, we would have passed the information on to the insurance company’. X was then approached by MT and told her that it would be necessary for the parents to provide the club with an indemnity in case she was injured. The next day MT told him that on legal advice they were not willing to give the club any indemnity. Consequently X contacted the club president, and told him that he had become aware that MT had a medical condition, that she intended to play in the grand final when he did not consider her to be match fit and that she had told other members of the team that if she had another injury she would end up in a wheel chair.

13 Later that afternoon at training (19 September 2001) MT and her mother attended a soccer training session. The club president approached them to express concerns for MT’s safety. The conversation ended, according to the club president, in the mother becoming abusive. MT did not play in the grand final.

14 In conclusion in his letter to HREOC X said that the main reasons for not selecting MT in the grand final was her lack of training for the previous 7 weeks. He said he was concerned about her ‘health and team fitness’. He also referred to the question of fairness to other members of the team, MT’s lack of ‘match fitness’ and the fact that the club’s insurance policy covering MT might be null and void because of her parents’ non-disclosure.

15 MT lodged a disability discrimination complaint against the soccer club with HREOC in October 2002. The President of HREOC wrote formally to the soccer club president requiring the provision of information to assist HREOC in dealing with the complaint. X provided the reply. This is the letter already referred to. X provided HREOC with a copy of the school counsellor’s report after obtaining the school counsellor’s permission.

Security (section 12)

16 The agency’s internal review found that the security practices adopted by the school in permitting access to school records were inadequate, and that a contravention of the Information Protection Principle (IPP) found in the Privacy Act relating to security safeguards had occurred. The relevant provision was considered to be s 12(c) which provides:

‘A public sector agency that holds personal information must ensure: …

(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse’.

17 There is a brief discussion of this aspect of the case at paras [22] to [27] of the Tribunal’s decision. As noted there is no appeal against the Tribunal’s order, which is in line with the Department’s finding.

18 We now turn to the appeals. We will deal with MT’s first.

Preliminary Matter

19 Section 4(1) defines ‘personal information’ as:

‘information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.’

20 When this case was before the Tribunal the prevailing view in the Tribunal was that because of the apparent breadth of the meaning of ‘personal information’, the IPPs placed controls on personal information that was held either in records of the agency or mentally by the officers of an agency. The Court of Appeal (Spigelman CJ, Tobias JA, Brownie AJA) held in Vice-Chancellor Macquarie University v FM [2005] NSWCA 192 that the IPPs, ss 12-19 of the Act, all relate to circumstances where a public sector agency ‘holds personal information’ (per Spigelman CJ at [20]) and that it was ‘almost impossible to conceive’ of how these provisions would operate in practice ‘if they were intended to apply to information in the minds of employees acquired by direct visual or aural experience and never recorded in any manner’ (at [29]). Referring to the terms ‘possession’ and ‘control’, used elsewhere in the scheme of the Act in conjunction with the term ‘personal information’, Spigelman CJ observed at [34]:

‘Both words connote some form of physical object upon which or within which an information or opinion is recorded. A person is neither in “possession”, nor in “control”, of the contents of her or his mind.’

21 Accordingly, the further written submission filed 1 July 2005 by the Department in light of the Court of Appeal’s decision is correct – that this case can only relate to the conduct of X that involved the use of ‘personal information’ ‘held’ by the Department. The result is the information given to X by the team mates about MT can not be treated as information affected by the Act, provided it was never reduced to a written record of the school. There is no evidence that that occurred.

The Use Principles (sections 16 and 17)

22 Sections 16 and 17 provide:

‘ 16 Agency must check accuracy of personal information before use

A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.’

17 Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:

(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.’

23 MT’s position is that X’s conduct in accessing the school records constituted a ‘use’ of her personal information. MT asserts that when X accessed the information, X failed to ensure, having regard to the purpose for which it was proposed to be used, that it was relevant, accurate, up to date, complete and not misleading; and X used the information for a purpose that was not permitted.

24 The Tribunal began its consideration of this question by examining in detail local case-law relating to the meaning to be given to the word ‘use’, and also referred to overseas case-law, as have the parties in their submissions to the Appeal Panel. The case-law includes FM v Vice Chancellor, Macquarie University [2003] NSWADT 78 at [42]; GL v Director-General, Department of Education and Training [2003] NSWADT 166 at [42]; KD v Registrar, NSW Medical Board [2004] NSWADT 5 at [29]-[30]; and R v Brown [1996] 1 All ER 545 (HL). The parties also referred to guidance documents issued by Privacy Commissioner’s offices, such as the Guide to the Information Protection Principles issued by NSW Privacy Commissioner at page 32, and the Plain English Guidelines to Information Privacy Principles 8-11 (1996), issued by the Commonwealth Privacy Commissioner at page 11. We will not re-visit that case law and the other material in this decision.

25 The Tribunal held:

‘162 I agree with the Agency’s position that, on the ordinary meaning of the word ''use', it is necessary to do more with the information than to access it and view what is contained in it. It is necessary to employ the information for some purpose, not merely to access it. The issue then is whether a broader definition of the word is to apply. Again I agree with the Agency’s position in that I prefer the approach adopted by the Deputy President in FM v Macquarie University . In my view, this definition takes into account the overall framework within which the information protection principles were developed. Further, I see no reason why "use" should have different meanings in section 16 and 17.

163 I agree with the Commissioner’s submission that the words ‘use’ and ‘disclosure’ are intended to refer to different functions of an agency. I also agree that the distinction between operations that are internal to an agency and those that are external is not an absolute one. This is consistent with the view that I expressed in KJ v Wentworth Area Health Service [2004] NSWADT 84 at paragraphs 49 and 50.’

26 As to the section 17 question, the Tribunal said the following. (We have excised from the extracts so much of the summary of arguments as refers to the X’s position in relation to the information given by the other girls on the team (referred to in the decision as the Schoolgirls), as there is no longer any liability issue in respect of this information, for the reasons already explained.)

‘102 The Agency submits that section 17 has no application to the personal information obtained from … the Doctor's report because that personal information was not "collected" but rather was unsolicited. Accordingly, section 17 has no application to such personal information. Mr McDonnell refers to KD v Registrar NSW Medical Board at paragraphs 29 as authority for this submission. [We interpolate. In KD v Registrar, NSW Medical Board [2004] NSWADT 5 the Tribunal held at [29]: ‘Section 17 refers to information held for a purpose “other than that for which it was collected.” This seems to me to confine the relevant information to information that had been collected by the agency for one purpose and prevents it being used for another. Critically, it relates to collected information.’] He further submits that there is no basis for Mr MacDiarmid's submissions that the Doctor’s Report became personal information by incorporation. The Agency concedes that the School Counsellor's Report was collected, but relies on the same argument as relied upon in relation to section 16. Any "use" of the personal information received unsolicitedly from MT's general file by the Teacher in approaching MT to seek a release of liability for himself and the Soccer Club can not constitute a use by the Agency within the meaning of section 17. The Agency, through the Teacher, did not apply the information to its own purposes. It disclosed the personal information to the Teacher qua soccer coach who used the personal information for purposes in relation to the Soccer Club and the purposes of the Soccer Club generally. There was no use by the Agency.

103 Alternatively, Mr McDonnell submits that to the extent that the personal information was collected and used by the Agency, its use was for a purpose for which it was collected. Any collection was to assist the School and its staff to understand MT’s medical condition so that they could better exercises their duty of care. All the evidence is that the Teacher, in exercise of his duty of care to MT, went to MT's file to ascertain/confirm her medical condition following information provided to him by the Schoolgirls. Alternatively, if the information was collected and used by the Agency for a purpose other than that for which it was collected, the other purpose was directly related to the purpose for which the information was collected. The information was used to ascertain/confirm MT's medical condition not to obtain a release from legal liability.

104 Further in the alternative, Mr McDonnell submits that to the extent that the personal information was collected and used by the Agency for a purpose other than which it was collected, section 17(c) would apply. He argued that it is plain from the evidence taken as a whole that the Teacher’s concern for MT injuring herself was a prime consideration, if not the prime consideration, at all times. …

186 Given my views in relation to the application of section 4(5) I do not accept the Agency’s submission that section 17 has no application to the personal information obtained from the Schoolgirls and the Doctor's report because that personal information was not "collected" but rather was unsolicited. Nevertheless, the Agency argues that any "use" of the personal information by the Teacher for himself and the Soccer Club can not constitute a use by the Agency within the meaning of section 17, as the Agency did not apply the information to its own purposes. I agree with that submission.

187 I also agree with the Agency’s submission that if there was a use by the Agency, to the extent that the personal information was used by the Agency its use was for a purpose for which it was collected ie to assist the School and its staff to understand MT’s medical condition so that they could better exercises their duty of care. The evidence is that the Teacher consulted MT's file to ascertain/confirm her medical condition following information provided to him by the Schoolgirls. In my view this is a purpose directly related to the purpose for which the information was collected.

188 Accordingly, on the evidence I am not satisfied that the Agency has acted in breach of section 17 of the Privacy Act.’

27 Australia’s information privacy laws have their origins in the work of the Australian Law Reform Commission, and the reference given to it in 1976 by the Commonwealth government to examine the need for laws in relation to various aspects of privacy, including information privacy. The Australian Law Reform Commission reported in 1983, Report No 22, Privacy (1983). Its model law provides the basis for the modern Australian information privacy laws.

28 The model bill (see Appendix A) contains at Part V general provisions relation to information privacy, and Part II of the Schedule sets out a series of ‘Information Privacy Principles’. The use and disclosure principles are as follows:

‘ Use of Personal Information

7. Personal information should not be used except for a purpose to which it is relevant.

8. Personal information should not be used for a purpose that is not a purpose of collection or a purpose incidental to or connected with that purpose unless -

(a) the record-subject has consented to that use;

(b) the person using the information believes on reasonable grounds that the use is necessary to prevent or lessen a serious and imminent threat to the life or health of a record-subject or of some other person; or

(c) the use is required by or under law.

9. A person who uses personal information should take reasonable steps to ensure that, having regard to the purpose for which the information is being used, the information is accurate, complete and up to date.

Disclosure of Personal Information

10. A person should not disclose personal information to another person unless -

(a) the record-subject has consented to the disclosure;

(b) the person disclosing the information believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of record-subject [sic] or some other person; or

(c) the disclosure is required by or under law.’

29 The ALRC in its discussion paper issued in 1980, Discussion Paper No 14, Privacy and Personal Information, drew a distinction between ‘necessary uses’ of personal information and the ‘disclosure of personal information’. In dealing with ‘necessary uses’ in ch 5 it gave examples from Commonwealth government administrative practice where the agency holding the personal records engaged in some limited disclosure of the information to another agency as part of the process of the first agency taking administrative action on the information to give effect to the purpose for which it was collected (for example, Social Security checking a statement as to taxable income of a benefit applicant with the Tax Office). It will be seen that the ALRC Discussion Paper did not draw a clinical distinction between ‘uses’ and ‘disclosures’. It was comfortable with the proposition that some forms of use, at least, could involve disclosure.

30 The ALRC in the discussion paper did not, however, see these use-related disclosures as ones of a kind to which its strict prohibition on third party disclosure applied. It stated, ch 6 at [92], that its disclosure recommendations related to ‘disclosure of personal information for a purpose other than that which governed the collection of the information’. It went on to recommend that these be strictly confined.

31 Again in its final report the ALRC referred to the need for more flexibility to be shown in relation to the ‘use’ of information than might be shown in relation to disclosure for a purpose unrelated to the purpose of collection. At [798] ff it discussed the question of whether internal administrative use of personal information should be regulated at all, noting that historically the law had not been interested in the question of controlling intra-organisational uses of data, but had strictly regulated external disclosure of the data. It is obvious that ordinarily the privacy interests put at risk by external disclosure of data will be greater for the individual than those put at risk by internal use of the data. The major difference is that once disclosed to an external party the original recipient loses control of the further use and dissemination of that information.

32 Nonetheless the ALRC went on to recommend finally, as noted above, that use limitation principles be introduced. The argument in support of that conclusion appears mainly at [1292] ff of the report. The argument in favour of use limitation principles is essentially a natural justice one, with fair information practices being seen as crucial to the effective protection of an individual’s privacy interests. The argument recognise that the use of data for the purpose for which it was collected will often involve the taking by the agency of some significant decision affecting the interests of the individual. Therefore the use should ensure that data quality principles are observed.

33 In the first discussion of the need to regulate disclosure in its final report, the ALRC states at [803]: ‘[d]isclosure is a particular form of ‘use’’. In our view, this is correct though it is a common characteristic of information privacy laws to deal separately with ‘disclosure’ and ‘use’. The actions that an agency may take on personal information range from relatively minor internal ones, such as verification of data against other records held by the agency, to the much more grave step of making a considered decision to disclose the information to an external body. There is, in our view, no clinical distinction between conduct which amounts to ‘use’ and that which involves ‘disclosure’.

34 This view is also consistent, we consider, with the desirability of adopting a beneficial approach to the interpretation of a statute of this kind.

35 The view that a common approach should be taken to the ‘use’ and ‘disclosure’ of personal information is firmly reflected in some more recent laws. Any doubt as to the applicability of the data quality standard to the disclosure of information is addressed. See for example the National Privacy Principles (binding Australian private sector organisations) under the Privacy Act 1988 (Commonwealth) which provide:

‘ 3 Data quality

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.’

36 Similarly the activities of use and disclosure are dealt with in those Principles by a common statement, set out in cl 2 which begins

‘ 2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose ) other than the primary purpose of collection unless:’
followed by a number of exceptions.

37 The importance of s 16 in the scheme of the Act should not be underestimated. It is, arguably, the most important of the IPPs. Its status is reflected in the fact that it has not been disapplied in a specific way by any other provision of the Act. This stands in contrast to the position in relation to several other IPPs. In Division 3 of Part 2 (ss 22 to 28) many of the IPPs are disapplied in specific circumstances which amount, in effect, to further exceptions to the IPP mentioned. Not once in the provisions from ss 22 to 28 is s 16 specifically disapplied. It is only disapplied in those instances where there is a global exception disapplying all the IPPs, as for example in s 27, where the operations of several law enforcement agencies are immunised from all the IPPs except in relation to their administrative and educative functions.

38 It would be an odd outcome if the data quality standard reflected in s 16 of the NSW Act (in similar terms to the original formulation found in the ALRC model bill) were not to apply to the gravest form of ‘use’ – disclosure of the information to another agency.

39 We see the relationship between ss 16, 17 and 18 as follows. Section 16 applies a data quality standard to all uses of personal information by an agency including conduct involving disclosure of personal information by the agency. Then s 17 and s 18 operate in separate spheres. Section 17 deals with internal use of the personal information by the agency, while s 18 deals with external disclosure of the personal information by the agency.

40 In some instances the only use engaged in by agency, viewed practically, will be the grave use that is involved in external disclosure. In other instances the only uses engaged in by the agency will be internal. Sometimes the personal information will pass through both spheres, being the subject of internal use and external disclosure.

41 On this point, MT’s appeal succeeds. The Tribunal should have applied the data quality standard to the conduct in question. Section 16 needs to be applied to the circumstances.

42 However, we do not accept, looking at the scheme of the legislation, that the mere act of browsing involves a ‘use’ of information to which s 16 is addressed. Something more is required as we see it.

43 We have noted that the Federal Privacy Commissioner Guidelines, as pointed out by MT’s counsel, do define ‘use’ as including ‘searching records for any reason’. So far as ordinary parlance is concerned, we accept that the perusal of the information in the file could be said to be a ‘use’ of the information.

44 We think however that the legislative history, in particular the ALRC discussion paper and report, concerns itself with ‘use’ which involves some administrative action or consequence. We agree with the conclusion of the Tribunal on that point.

45 Improper browsing is a matter to be dealt with, as we see it, by the security safeguards IPP (s 12). Section 12(c) provides that:

‘A public sector agency that holds personal information must ensure: …

(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse’.

46 In regulated systems improper browsing is an example of ‘unauthorised access’. It may also be regarded, we think, for the purposes of this provision as a species of ‘unauthorised use’ and more generally a form of ‘misuse’. In the present case the Department, in our view appropriately on the evidence, made an adverse finding in relation to the practices followed by the school as at September 2001 in not ensuring that any access to student records was confined to school purposes, with any additional exceptions carefully stated, and in requiring that levels of sensitivity of the information be taken into account.

47 This is a case also where, as a practical matter, we consider that s 17 is not applicable. The agency, vicariously, used the information only by disclosing it when its employee X, having acquired the information in his capacity as a teacher, disclosed it to the soccer club. There was one substantive event. In this case, the facts in our view simply do not support any analysis based on s 17. X never made any use of the information for internal school purposes. His only action was to disclose the information. Accordingly, for different reasons to those given by the Tribunal, we do not regard s 17 as in issue. Section 16 and s18 (or s19, see further below) are the relevant provisions.

48 In more recent privacy laws, such as the National Privacy Principles, some of the issues raised by this case are more clearly addressed. The provisions on use and disclosure are harmonised, as we have noted, into a single provision.

Sections 18 and 19

49 Section 18 provides:

‘ 18 Limits on disclosure of personal information

(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:

(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.’

50 Sections 18 and 19 must not be read in isolation. They by no means represent a complete statement of the exceptions to the Act’s prohibition on disclosure. There are several further exceptions of importance. Oddly, the most uncontentious exception to s 18 and s 19 (express consent) is found elsewhere in the Act (see s 26(2)).

51 One of the Department’s submissions was that it was not bound by X’s conduct. In our view the disclosure provision does attach liability to disclosure by an officer of information acquired by the officer within the agency, including disclosures that are not made for official purposes. The principle is a strict one and is to be construed as binding agencies in cases where officers exceed their authority. There may be an exception in certain kinds of cases, discussed later.

52 The principle that an agency is generally responsible for disclosures of information it controls, whether authorised or not, has also been recognised in other jurisdictions.

53 In Ontario, for example, the Information and Privacy Commissioner held an agency to be liable for the disclosure of personal information on a computer stolen from an officer’s vehicle: Investigation PC-000026-1 and PC-010009-1; see Section 42 of the Freedom of Information and Protection of Privacy Act R.S.O. 1990, Chapter F.31 (Ontario) provided that ‘An institution shall not disclose personal information in its custody or under its control except’ in certain limited and specified circumstances. The Ministry’s argument that ‘the [Freedom of Information and Protection of Privacy] Act contemplates only intentional or wilful disclosures of personal information’ was rejected. The Information and Privacy Commissioner said:

‘Section 42 of the Act imposes a mandatory requirement on an institution not to “disclose personal information in its custody or under its control,” except in the various permitted circumstances outlined in this section. The section does not limit the obligations on an institution to circumstances of “intentional or wilful disclosure” as suggested by the Ministry nor, in my view, is it reasonable to interpret section 42 in this restrictive manner. …[T]he prohibition on disclosure imposed on the Ministry by section 42 of the Act applies, irrespective of whether the disclosure was unintended or done without any wilful motive, or whether the Ministry has knowledge that the personal information on the computers was accessed by anyone as a consequence of the thefts.’

54 A similar view was taken by the Office of the Privacy Commissioner of Canada in PIPEDA Case Summary #298. An employee of a pet store divulged a customer’s telephone number, held by the store, to a mutual acquaintance of the customer and the employee. The Assistant Privacy Commissioner held that although the store had appropriate security practices in place, it had nevertheless acted contrary to the disclosure principle contained in the Personal Information Protection and Electronic Documents Act 2000 c 5 (Can.). See also a comparable decision of the New Zealand Privacy Commissioner in Case Note 18420 [1999] NZPrivCmr 4.

55 The view that an agency is liable for both authorised and unauthorised disclosures of personal information is consistent with the position in respect of the law of breach of confidence, where the test is whether there has been an unauthorised disclosure or use of the information of a kind which is subject to an obligation of confidentiality: Seager v Copydex Ltd [No 1] [1967] 1 WLR 923; see also, Corrs Pavey Whiting & Byrne v Collector of Customs (Vic) (1987) 14 FCR 434; 74 ALR 428; 13 ALD 254; Smith Kline & French Laboratories (Aust) Ltd v Secretary, Department of Community Services & Health (1990) 22 FCR 73; 95 ALR 87 at 102 per Gummow J. The test does not involve an examination of the intention of the disclosing party, but rather imposes an absolute obligation not to disclose in certain circumstances (see also Talbot v General Television Corporation Pty Ltd [1980] vr 224 at 234 and see Seager v Copydex Ltd [No 1] [1967] 1 WLR 923 at 418 per Salmon LJ and at 419 per Winn LJ).

56 There may, however, be a point at which considerations based on what may seen as the extent of an agency’s vicarious liability come into play, and provide a qualification to the strict application of the disclosure IPP.

57 For example, taking the present case, had the school known of a problem of teachers perusing records for non-school purposes, and taken action by putting in place strict security practices, it may be that a case could be mounted that the school was not bound by the disclosure that occurred, in terms of the Privacy Act. That was not the case here. The Department has acknowledged that the school had inadequate security practices.

58 There is one Tribunal decision which has dealt with quite similar circumstances to the present, and it was held there that the agency was not liable for its staff member’s disclosure of information obtained from the agency’s records. In that case the staff member (Ms Munro) was in private life president of a Scottish dancing association. In that capacity she had cause to suspect that a male instructor might have an adverse criminal record involving offences against minors and been imprisoned. She used her privileges as a member of the probation and parole service of the Department of Corrective Services to search the Department’s prisoners’ database which includes criminal history information. She found adverse information there and disclosed it to parents of children in the dancing classes. She also searched the Department’s records of visitors to the instructor while he was in prison to find out who the visitors were, and then contacted the visitors informing them of the instructor’s criminal record and a new criminal charge. However well intentioned this conduct may have been, it clearly involved a gross violation of the confidentiality of prisoner records.

59 The Tribunal found that the Department was not in these circumstances liable for the staff member’s disclosure.

60 The only substantive difference between the present circumstances and this case is that there the Tribunal found that the Department had adequate security practices. The Tribunal accepted the Department’s evidence that every time a staff member seeks access to persons in prison or on probation and parole a copy of the information security policy of the Department appears. In the case of probation and parole officers such as NS a flag appeared:

‘The information from the system now available to you is confidential and must NOT be disclosed to unauthorised persons under any circumstances, nor are you authorised to access such information for personal reasons …’.

61 The Tribunal held:

‘55 In my opinion, Ms Munro’s initial access was for a dual purpose, her own private reasons and also for the purpose of fulfilling her duties as a probation and parole officer. While there is no direct evidence, in my opinion it can be inferred that Ms Munro in her capacity as President of the Scottish Association became aware that NS was undertaking dancing classes and that she became concerned about the safety of the children as she knew or believed that NS had a criminal record. In such circumstances it is arguable that she as a probation and parole officer also had a duty to verify what that record was and inform the appropriate persons if she found that this criminal record had a bearing on him undertaking the dancing classes. For these reasons, even though Ms Munro was not NS’s probation and parole officer, this did not mean that her official duties excluded her from accessing such information and informing the appropriate persons. An exclusion of this kind would, in my opinion, seriously affect the operation of the agency in performing its function of supervising persons on parole. Again by inference, Ms Munro used and disclosed the information she had obtained to NS’s probation and parole officer clearly because she believed that it was necessary to prevent or lessen a serious and imminent threat to the health of the children in the dancing classes under his instructions. For these reasons I find that the Department has not breached ss. 17 or 18 of the PPIP Act in respect of the initial incident.

56 In respect of the second access (i.e. the third incident) as referred to in paragraph 19(c) above, I find that Ms Munro obtained access on this occasion entirely for her own private purposes, as at this time, to the knowledge of Ms Munro, NS was in custody and he continued to remain in custody.

57 However, for the reasons stated above I am satisfied that the Department, through its computer flag, had in place adequate warning that her access for such purposes was unauthorised. In light of this, and the fact that Ms Munro expressly stated that she was acting in her capacity as the President of the Scottish Dancing Association, I am satisfied that the Department is not responsible for the disclosure of the personal information concerning NS to Ms A. That is, there has been no breach by the Department of ss. 12, 17 and 18 of the PPIP Act. This does not mean that Ms Munro has not breached the Department’s information security policy and may be subject to disciplinary action. However, this is not a matter for the Tribunal.

58 This leaves the second incident as set out in paragraph 19(b) above. Again I find that Ms Munro was acting in her private capacity when she disclosed personal information about NS to parents of the Scottish dancing community. This disclosure was as a result of the information that Ms Munro had obtained from the Departments data base. As mentioned above, when accessing that data base Ms Munro was advised in the computer flag that a disclosure of this information in circumstances such as these were unauthorised. Accordingly, for the reasons I have already stated I am satisfied that the Department is also not responsible for the disclosure of the personal information concerning NS to parents of the Scottish dancing community.

59 In light of my findings, it is unnecessary to consider the final matter in issue. However, as this application demonstrates, the Department has an ongoing obligation to ensure that it informs its officials of the Department’s responsibilities under the PPIP Act and in this regard it is important to ensure that the terms of any policy or other written measure is clear and that these are brought to the attention of its officials on a regular basis. As part of this exercise the Department may consider it appropriate to re-examine the terms of the wording on its computer flag and in its information security policy so that the provisions of the PPIP Act are more clearly stated.’

62 It will be seen that the conclusion reached as to the adequacy of the Department’s security practices became crucial to the question of whether the disclosures that the officer made were ones for which the Department was responsible. It is not necessary on this occasion to form a view as to whether NS was otherwise correctly decided, since, in the present case it is accepted that the school had a lax approach to the security of student records, and, therefore, it can properly be treated as bound by the disclosure that occurred.

Imminent Threat to Life and Health :

63 The Department renewed its submission, unsuccessful before the Tribunal, that either s 18(1)(c) or s 19(1) (as then in force) protected its disclosure. For the purpose of this submission it adopts the view that the teacher was engaged in an official disclosure. Section 18(1)(c) provides that an agency ‘must not disclose’ personal information unless:

‘the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health individual concerned or another person.’

64 Section 19(1) is intended (see the heading to the provision) to impose ‘special restrictions’ on the disclosure of certain classes of information. A provision of this kind was not a feature of the original ALRC proposals or of the Commonwealth Privacy Act 1988, though it is seen in many overseas laws.

65 Section 19(1) provided at the relevant time (emphasis added):

‘ 19 Special restrictions on disclosure of personal information

(1) A public sector agency must not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual activities unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or another person.

66 The ultimate determination to be made is one of fact, but affected by the interpretation given to key terms.

67 As to s 18(1)(c) the Tribunal held:

‘195 In my view, the exemption contained in section 18(1)(c) is to be narrowly construed. It is clear that the legislature intended that disclosure should only be permitted in very limited circumstances. I note that in his response to HREOC the teacher discounted MT's health as a reason for preventing her playing soccer. He stated “we would never have said no to her playing soccer". This explanation is more likely to represent the true situation than that later provided in response to these proceedings because of its proximity in time to the actual events. In my view this statement is inconsistent with the actions of a person with a genuinely held fear for MT's life or health.

196 I have no doubt that the Teacher had an initial concern for MT's health however it is my view that his motivation in disclosing MT's personal information to the Soccer Club President was to protect both himself and the Soccer Club from any potential personal injury claims. If that were not the case he would have acted immediately to prevent her from playing. As coach he had the means to do so. There can be no serious suggestion that disclosure to HREOC was necessary to prevent or lessen a serious or imminent threat to MT's life or health.

197 In those circumstances, the exemption contained in section 18(1)(c) cannot be available to the Agency.’

68 As to s 19(1), the Tribunal held:

‘204 Section 19 is similar to section 18, save that it applies to specific types of personal information, including information relating to an individual's health. Section 19 contains an exemption of the type similar to that found in section 18(1)(c). The standard applicable to this exception is apparently lower that that in section 18(1)(c). The exemption in section 18(1)(c) provides for an objective test where a belief that the threat is serious and imminent is held on reasonable grounds. Section 19 of the Privacy Act requires that a threat is either serious or imminent.

205 The arguments in relation to the alleged breach of section 19 reflect those for section 18. For the same reasons that I have provided in relation to section 18 I am also of the view that that the Agency has acted in breach of section 19 of the Privacy Act.’

69 There are important differences between s 19(1) and s 18(1)(c) which considerably narrow the availability of s 19(1) as a defence. First of all s 18(1)(c) allows the agency to contend that it had a belief based on reasonable grounds, that is a subjective belief that is objectively defensible, that the circumstances set out in s 18(1)(c) were applicable. In contrast in the case of the disclosure of information protected by s 19(1) it must show that the disclosure was ‘necessary’. This is clearly a tougher requirement. Secondly, in the case of s 18(1)(c) the purpose of the disclosure is expressed in looser terms than s 19(1). Under s 18(1)(c), the disclosure (provided there is a belief based on reasonable grounds) is permitted if the disclosure would ‘prevent or lessen’ the risk then described, whereas s 19(1) is restricted to one which would ‘prevent’ the risk then described. An oddity then appears at the third point of the comparison. Section 19(1), as in force at the relevant time, described the relevant risk more loosely than s 18(1)(c). In s 19(1) the risk was described as a ‘serious or imminent threat to the life or health of the individual concerned’ whereas in s 18(1)(c) it was a ‘serious and imminent threat [et cetera]’.

70 The original formulation on this third point was, we consider, clearly an error. The text was amended during 2002, though the amendment did not come into force until the principal Act to which it was attached came into force in September 2004: s 19(1) was amended to read ‘serious and imminent threat’ by the Health Records and Information Privacy Act 2002 (HRIPA), No 71 (assented to 25 September 2002; commenced 1 September 2004). The amendment also removed ‘health’ information from the scope of s 19(1), leaving that category of information to be regulated by HRIPA.

71 The Department criticised the Tribunal’s reasoning in relation to both provisions as being inadequate (and therefore giving rise to the error of law of failure to give adequate reasons, as to which see cases such as Soulemezis -v- Dudley (Holdings) Pty Ltd (1987) 10 NSWLR 247; Mifsud v Campbell (1991) 21 NSWLR 725; and Beale v Government Insurance Office (1997) 48 NSWLR 430; and the Administrative Decisions Tribunal Act 1997, s 89). The Department submitted that the reasons did not deal with each of the elements of the exception provided by s 18(1)(c), and similarly in relation to s 19(1); and, importantly, introduced an irrelevant consideration – the teacher’s real motivation which it described as being ‘to protect both himself and the Soccer Club from any potential personal injury claims’.

72 We agree, to this extent, with the Department’s criticisms: the discloser may have a mixture of beliefs and motivations, all that is required is that there is a belief held which on ‘reasonable grounds’ satisfies s 18(1)(c). In dealing with s 18(1)(c) and s 19(1) we agree that the Tribunal should have didactically dealt with each of the elements; and distinguished between the disclosure to the soccer club president and the disclosures contained in the letter to HREOC; and also distinguished between the classes of information.

73 As we read the legislation s 19 overrides s 18(1)(c) if one of the categories of sensitive information mentioned in s 19(1) is in issue. It appears to have been accepted in this case that the information disclosed was information relating to MT’s health, but the Tribunal nonetheless applied both provisions. In our view, the Tribunal should only have applied s 19(1).

74 The requirements in s 19(1) are cumulative. The Tribunal relied in dealing with the question of ‘reasonable belief’ under s 18(1)(c) on the letter to HREOC. In our view, the Tribunal’s conclusion of fact in relation to this letter was reasonably open to it. This letter represented the best evidence that the Tribunal had as to the nature of X’s belief at the time of the disclosure and the grounds that he possessed for that belief (the s 18(1)(c) question, if that provision is relevant at all) and on the question of ‘necessity’ (the s 19(1) question).

75 While the letter does reflect a concern for MT’s health, it does not possess the gravity of concern that one might expect to see for s 18(1)(c) (belief, etc) or s 19(1) (necessity) to be satisfied. X said:

‘I did say to her that before I could consider her playing that I needed a letter from her parents accepting responsibility for her and that they would not hold the club or myself responsible in case she was injured. … The decision not to play [MT] in the grand final was mainly based on her not having played or trained for about 7 weeks. I was greatly concerned about [MT’s] health and fitness. It was not fair to the remainder of the team if [MT] was not match fit or physically fit to play in such an important game. The fact that the parents did not disclose her injury meant that the insurance policy for her, may have been null and void.’

76 It was clearly open to the Tribunal to conclude as it did that this state of mind was not one that reached the threshold required for s 18(1)(c) to be applicable. In our view, if the softer test of s 18(1)(c) was not able to be met on the facts, then there was no likelihood that the stricter test, that of necessity found in s 19(1), which we think in any case was probably the only relevant provision, could have been met.

77 Consequently, while there were clear inadequacies in the reasoning process, the Tribunal’s thinking on the issue of ‘necessity’ is, we think, adequately exposed. As a negative conclusion on that point was sufficient to dispose of the Department’s defence, the ultimate finding of contravention should not be interfered with. In our view a finding should be entered of contravention of s 18, as varied by s 19(1), in respect only to the disclosure of health information to the soccer club president derived from school records.

78 As to other elements of the exception in s 19(1), we note also the importance of the word ‘imminent’ in confining the nature of the risk. As Hennessy DP noted in FM v Vice Chancellor, Macquarie University [2003] NSWADT 78 at [55]:

‘… The Macquarie Dictionary, 3rd edition, The Macquarie Library, relevantly defines ‘imminent’ as ‘likely to occur at any moment; impending’.’

79 There is no evidence here, as we see it, that X had any basis for concluding that an injury was ‘impending’. MT had played regularly in the past with her knees strapped. He had understandable concerns over her match fitness.

Lawful Authority :

80 As a further alternative, the Department relied on this exemption.

‘ 25 Exemptions where non-compliance is lawfully authorised or required

A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:

(a) the agency is lawfully authorised or required not to comply with the principle concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

81 Disclosure to the Soccer Club: The Department submitted X had acted in accordance with the duty of care owed by the Department and its staff to its students and to those responsible for their health and well being such as the soccer club. This duty of care amounted to a lawful authority for the purpose of s 25(a); and in addition, or at least alternatively, was a ‘law’ which permitted non-compliance.

82 The Tribunal held:

‘200 In the circumstances I do not need to determine the issue of whether a duty of care is sufficient to activate the exemption under section 25. On the evidence before me I agree with Mr MacDiarmid that the Agency, through Teacher, did not discharge such a duty of care. In my view, the minimum that would have been required to discharge the duty would have been to immediately prevent MT from playing. While the Teacher as an employee of the Agency could not stop MT from playing, the Teacher qua Soccer Club could do so. If the duty of care exists as asserted by the Agency, the Teacher would have been obliged to act in accordance with that duty and do whatever could be done to ensure that the duty was discharged. The Teacher did not do so.’

83 The duty to which the Department refers is, perhaps, better described in the present circumstances as a duty to warn. There was some debate between the parties as to whether the language used in para (b) (‘non-compliance is otherwise permitted … under any other law’) embraces common law obligations. In our view these obligations do fall within the scope of the expression ‘any other law’: see Attorney General of the Commonwealth v Oates (1999) 198 CLR 162; (1999) 164 ALR 393 at 396, citing Oates v Williams (1998) 84 FCR 348 at 353; 156 ALR 1 [at 5]; and ReL'Annee Kane International Pty Ltd & Australian Trade Commission (1998) 50 ALD 279 at 288. There may be some debate as to whether a provision like s 18(1)(c) abridges or replaces in any way any relevant common law duty of disclosure.

84 That there is, in certain circumstances, a legal duty to disclose confidentially-acquired information is well-established in English law: see for example, W v Edgell [1990] 1 All ER 835 (CA) – psychiatrist disclosure of patient’s violent tendencies to relevant authorities, R v Devon CC, ex p L [1991] FLR 541 – social workers knowledge that a man who lived with three different women who had children in their case was a child abuser, R v Harrison (unrtd, CA, Rougier J, 10 July 2000) – statement to prison chaplain by prisoner as to future murderous intent. See generally Pattenden R, The Law of Professional-Client Confidentiality (2003) ch 11, ch 20).

85 In this case there was, in our view, insufficient evidence before the Tribunal to enable it to reach any conclusion other than one it did on the question of a duty to warn or a duty of care so far as the disclosure to the soccer club president is concerned. To make findings of this kind, there would, we think, virtually have to be a trial within a trial. The relevant law is multi-factored; and the evidentiary requirements are substantial.

86 Disclosure to Human Rights and Equal Opportunity Commission: The Department’s next submission under this heading referred to the Human Rights and Equal Opportunity Commission Act 1986, s 46PI and s 48(3) which provide:

‘ President's power to obtain information

Section 46 PI

(1) This section applies if the President has reason to believe that a person is capable of providing information ( relevant information ) or producing documents ( relevant documents ) relevant to an inquiry under this Division.

(2) The President may serve a written notice on the person, requiring the person to do either or both of the following within a reasonable period specified in the notice, or on a reasonable date and at a reasonable time specified in the notice:

(a) give the President a signed document containing relevant information required by the notice;

(b) produce to the President such relevant documents as are specified in the notice.

(3) If the notice is served on a body corporate, the document referred to in paragraph (2)(a) must be signed by an officer of the body corporate.

(4) If a document is produced to the President in accordance with a requirement under this section, the President:

(a) may take possession of the document; and

(b) may make copies of the document or take extracts from the document; and

(c) may retain possession of the document for as long as is necessary for the purposes of the inquiry to which the document relates.

(5) While the President retains any document under this section, the President must allow the document to be inspected, at all reasonable times, by any person who would be entitled to inspect the document if it were not in the possession of the President.

Protection from civil actions

Section 48

(3) Where:

(a) a complaint has been made to the Commission; or

(b) a submission has been made, a document or information has been furnished, or evidence has been given, to the Commission or to a person acting on behalf of the Commission;

a person is not liable to an action, suit or proceeding in respect of loss, damage or injury of any kind suffered by another person by reason only that the complaint or submission was made, the document or information was furnished or the evidence was given.’

87 The correspondence with HREOC is set out at para [7] (letter from HREOC) and para [8] of the Second Internal Review Report at para [8]. The Tribunal held:

‘201 I do not accept the Agency’s assertion that non-compliance with sections 18 was "lawfully authorised or required", "otherwise permitted" or "necessarily implied" under the HREOC Act. It is my view that for such a result to follow there would need to have been a direction from HREOC to the Agency. Here there was merely a request from the HREOC President and the request is not directed to the Agency or even the Teacher. The HREOC Matter concerned MT and the Soccer Club. Neither the School nor the Agency were parties or named in the complaint. It cannot be the case that the Agency was compelled to comply with a request by HREOC addressed to the Soccer Club. If the HREOC President, using her powers under section 46PI of the HREOC Act, had sought access to MT's personal information from the Agency, it might be arguable that the Agency must comply with that request under section 25(b) of the Privacy Act. However, in such circumstances there may have been an opportunity for the Agency to dispute the need to supply the information. In these circumstances that was not the case. In my view the nexus is insufficient to give rise to the exemption asserted.

202 I also agree with Mr MacDiarmid’s submission that section 48(3) of the HREOC Act exists to protect witnesses and others who are appropriately involved in HREOC proceedings. In my view, no protection applies in relation to these proceedings as a result of that provision as HREOC simply did not request any information from the Agency.’

88 We are comfortable with the Tribunal’s conclusion that s 46PI is not applicable. For s 46PI to be triggered, we think there would have to be evidence of service by the President of a ‘written notice … requiring the person’ to take the steps set out in s 46(4). That point, in our view, had not been reached in this case. The President did write a formal opening letter the inquiry. In the letter the President said: ‘At this stage, I am seeking a response as part of my inquiry into this complaint. I therefore request your comments on allegations and would appreciate your advice on the following matters’. As most responsible recipients of such a letter would do, the soccer club president responded by way of the letter from X set out in para [8] of the Second Internal Review Report.

89 We do not agree with the Tribunal’s interpretation of s 48(3). In this instance ‘information has been furnished … to a person acting on behalf of the Commission’. That was done as part of the official processes of the Commission, though, in our view, the letter was a letter of request and not a demand of the kind to which s 46PI is applicable.

90 We can not see how the provision can be read down only to apply to formal proceedings before the Commission. The Commission, when dealing with complaints, does not conduct proceedings of the kind to which witnesses are called. It is a conciliation body. The adjudicative function in respect of federal discrimination complaints is vested in the federal courts. In our view the provision confers an immunity on those that supply personal information to the Commission. The Commission may be vulnerable if it then fails to protect the supplied information.

91 Accordingly, in our view the contents of the letter to HREOC are protected from any suit or proceeding including action taken before this Tribunal under the Privacy Act.

92 This aspect of the Department’s appeal is allowed.

Conclusions

93 It will be seen from the foregoing reasons that the appeal by MT is rejected. The appeal by the Department is allowed in part.

94 The Appeal Panel sets aside the Tribunal’s decision in so far as it found a contravention of s 18 and s 19 by the Department in respect of personal information derived from school records or copies of school records furnished to HREOC. The Tribunal’s decision is also set aside generally in so far as it finds contraventions by the Department in respect of disclosure of any personal information about MT acquired orally by X and not recorded in any school records.

95 The net result therefore is that the Appeal Panel upholds the Tribunal’s finding that the Department contravened s 18, as varied by s 19(1), in respect of X’s conduct in disclosing to the soccer club president health information about MT acquired by X from school records.

96 The matter will be remitted to the Tribunal for the making of further orders.

Orders

1. Appeal No. 049045 (Appeal by Review Applicant): Appeal allowed in part. The Tribunal’s finding in relation to s 16 is set aside.

2. Appeal No. 049040 (Appeal by Department): Appeal allowed in part. The findings in relation to contravention of ss 18 and 19 are set aside. The following finding is substituted: The Department’s conduct in disclosing health information to the soccer club president about the applicant acquired by its employee from school records constitutes a contravention of s 18, as varied by s 19(1).

3. The application is remitted to the Tribunal on the following basis:

(a) to make a finding as to whether the conduct contravened s 16; and

(b) to make further orders.