DQN v The University of Sydney

Civil and Administrative Tribunal

New South Wales

Medium Neutral Citation:	DQN v The University of Sydney [2019] NSWCATAD 266
Hearing dates:	29 August 2019
Date of orders:	19 December 2019
Decision date:	19 December 2019
Jurisdiction:	Administrative and Equal Opportunity Division
Before:	S Higgins, Senior Member
Decision:	(1) Pursuant to s 64(1)(d) of the Civil and Administrative Tribunal Act 2013 the disclosure of paragraphs four and five of Annexure JSD2 to the affidavit of Jodi Sophia Dickson, sworn on 28 May 2019 is prohibited. (2) Pursuant to s 55(2) of the Privacy and Personal Information Protection Act 1998 no action will be taken in this matter.
Catchwords:	ADMINISTRATIVE LAW – privacy – alleged disclosure of personal and health information about the applicant contrary to the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 – judicial functions exemption
Legislation Cited:	Administrative Decisions Review Act 1997 (NSW) Civil and Administrative Tribunal Act 2009 (NSW) Government Information (Public Access) Act 2009 (NSW) Health Records Information Privacy Act 2002 (NSW) Privacy and Personal Information Protection Act 1998 (NSW)
Cases Cited:	AFC v Sydney Children’s Hospital Speciality Network [2012] NSWADT 189 AIL v Department of Premier and Cabinet [2013] NSWADTAP 26 BFP v NSW Ambulance Service [2015] NSWCATAD 39 Commissioner of Police, NSW Police Force v Fine [2014] NSWCA 327 Department of Education and Communities v VK (GD) [2011] NSWADTAP 61 DQN v University of Sydney [2019] NSWCATAD 159 MH v NSW Maritime [2011] NSWADT 248 PN v Department of Education and Training (GD) [2010] NSWADTAP 59
Texts Cited:	None cited
Category:	Principal judgment
Parties:	DQN (Applicant) The University of Sydney (Respondent)
Representation:	Counsel: B Tronson (Respondent)   Solicitors: Applicant (Self Represented) Heesom Legal (Respondent)
File Number(s):	2019/00033036
Publication restriction:	Pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 the publication of the name of the applicant is prohibited.Note: A reference to the name of the applicant includes a reference to any information, picture or other material that identifies the applicant or is likely to lead to the identification of the applicant.

REasons for decision

Introduction

1. The applicant, DQN, seeks review of conduct by the respondent, the University of Sydney (the University), which he asserts to have been a breach of his privacy. The conduct in issue is the disclosure of his personal information contrary to the information protection principle in s 18 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and the health privacy principles in cl 11 of Schedule 1 in the Health Records Information Privacy Act 2002 (NSW) (HRIP Act).

2. As required under s 53 of the PPIP Act, the applicant initially made an internal review request, to the University in regard to the conduct that is the subject of this application. That application was made, on 28 November 2018.

3. The University completed its internal review on 21 January 2019, and found that the alleged conduct did occur and that it involved the ‘use’ and ‘disclosure’ of the applicant’s personal information that was health information. However, the University went on to find that it was not required to comply with the use and disclosure health privacy principle because non-compliance was otherwise permitted: PPIP Act, s 25(b) and HRIP Act, Sch 1 cl 10(2) and 11(2).

4. There is no dispute that the Tribunal has jurisdiction to hear and determine the applicant’s application. The role of the Tribunal is to review the conduct of the respondent the subject of the applicant’s internal review request and determine whether the conduct as alleged did or did not breach an information protection principle or a health privacy principle and determine what further action, if any, should be taken in light of the findings made in regard to the alleged conduct: PPIP Act, s 55 and Administrative Decisions Review Act 1997 (NSW) (ADR Act).

5. For the reasons that follow, I have found that there has been no contravention by the University of the PPIP Act or the HRIP Act in regard to the use and disclosure of the applicant’s personal information or health information as I am satisfied that non-compliance was otherwise permitted (or is necessarily implied or reasonably contemplated) under the provisions of the Civil and Administrative Tribunal Act 2013 (NSW) (NCAT Act), the ADR Act and the GIA Act.

The conduct

6. The conduct the subject of this application arises from the response of the University to an external review application the applicant lodged with the Tribunal. In that application, the applicant sought review of a decision of the University in regard to an access application he made under the provisions of the Government Information (Public Access) Act 2009 (NSW) (GIPA Act).

7. The information for which the applicant had sought access, was the preliminary assessment report of a complaint he had made to the University under its ‘Bullying, Harassment and Discrimination Resolution Procedures 2015’ (the bullying complaint). The applicant’s complaint was made against a number of his former work colleagues at the University, including his former manager, Ms A.

8. The respondent determined to grant the applicant access to part of the information in the preliminary assessment report, but refused access to the remaining information in the report on grounds that there was an overriding public interest against the disclosure of that information: GIPA Act, s13 and s 58(1)(d). The public interest considerations against disclosure relied on by the University included those contained in cl 3(a) and (b) of the Table to s 14(2) of the GIPA Act. Those clauses provide as follows:

3   Individual rights, judicial processes and natural justice

There is a public interest consideration against disclosure of information if disclosure of the information could reasonably be expected to have one or more of the following effects:

(a)   reveal an individual’s personal information,

(b)   contravene an information protection principle under the Privacy and Personal Information Protection Act 1998 or a Health Privacy Principle under the Health Records and Information Privacy Act 2002,

9. These public interest considerations against disclosure were found to apply to the personal information of the work colleagues against whom the applicant had complained, which included Ms A.

10. Being dissatisfied with that decision, the applicant sought external review by the Tribunal, which he was entitled to do: GIPA Act, s 100.

11. That application was heard, before me, on 19 February 2019. My decision was published on 14 August 2019: DQN v University of Sydney [2019] NSWCATAD 159.

12. In support of its case, the University filed and served an affidavit of Ms Jodi Sophia Dickson (Ms Dickson), Director of Workplace Relations of the University. In her affidavit Ms Dickson explained that, pursuant to s 54 of the GIPA Act, she sent an email to the persons (including Ms A) whose personal information was contained in the preliminary assessment report and for which the applicant had been refused access. In her email, Ms Dickson, advised each person of the applicant’s request for access to the preliminary assessment report. She also asked each person if they objected to their personal information in the preliminary assessment being disclosed to the applicant. A copy of Ms Dickson’s email and the response she received from each person was attached to her affidavit filed and served by the University in support of its case in the GIPA review proceedings.

13. In her response, Ms A objected to the applicant being granted access to her personal information as contained in the preliminary assessment report. Ms A also set out her reasons for objecting to the disclosure of this information. These reasons included a reference to another unrelated claim the applicant had made in regard to his employment with the University. The information concerning the unrelated claim (i.e. not the bullying complaint) was information of which Ms A had direct knowledge of, through her role as the applicant’s manager at that time. It was also information held by the University.

14. The information concerning the unrelated claim is at lines 4 to 6 of the third paragraph of Ms A’s response.

15. The applicant contends that, as this information was unrelated to his complaint that gave rise to the preliminary assessment report, the conduct of Ms A and Ms Dickson, on behalf of the University, in disclosing this information was a breach of his privacy. In regard to Ms A, the applicant contended that: - ‘The decision of this individual is an attempt to denigrate, smear and humiliate me. It is also an attempt to damage my professional reputation’ and that Ms Dickson should have deleted this information from the copy of Ms A’s email that she had attached to her affidavit. Alternatively, she should have given him the opportunity to seek a non-publication order in regard to that information. No such order was sought by the applicant.

Material before the Tribunal

16. In support of its case in these proceedings, the University also filed and served an affidavit of Jodi Sophia Dickson, sworn on 28 May 2019. Annexed to that affidavit was a copy of the email from Ms A that had been annexed to the affidavit of Ms Dickson earlier affidavit that had been filed and relied on by the University at the hearing of the applicant’s GIPA application. That copy of Ms A’s email had paragraphs four and five redacted (i.e. the contents of these paragraphs were not disclosed to the applicant or his legal representative). However, an un-redacted copy of that email was provided to the Tribunal in confidence, in the GIPA proceeding and in these proceedings. In the GIPA proceedings, a non-publication order was made in regard to the un-redacted information and the University has requested a similar order be made in these proceedings. I am satisfied that it is appropriate to make such an order. Hence, I have made an order, pursuant to s 64(1)(d) of the Civil and Administrative Tribunal Act 2013 prohibiting the disclosure of paragraphs four and five of Annexure JSD2 to the affidavit of Jodi Sophia Dickson, sworn on 28 May 2019).

17. Ms Dickson also gave evidence at the hearing of these proceedings and she was cross-examined by the applicant.

18. The applicant and the University filed and served written submissions.

PPIP Act

19. Section 4(1) of the PPIP Act defines ‘personal information’ as follows:

“In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”

20. Division 1 of Part 2 of the PPIP Act contain a number of ‘information protection principles’ relating to the collection (ss 8, 9 and 10), retention (s 11), access (s 13 and 14), alteration (amendment and correction) (s 15), use (ss 16 and 17) and disclosure (ss 18 and 19) of personal information.

21. Division 2 of Part 2 contain general provisions applicable to government agencies in regard to the ‘information protection principles’ in Division. Section 20(1) of the PPIP Act provides that the ‘information protection principles’ apply to a public sector agency. It is not disputed that the respondent is a public sector agency.

22. Section 21 of the PPIP Act provides:

“21   Agencies to comply with principles

(1)   A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency.

(2)   The contravention by a public sector agency of an information protection principle that applies to the agency is conduct to which Part 5 applies.”

23. Part 5 of the PPIP Act relates to internal and external review of conduct of a public sector agency that is alleged to be a breach of an information protection principle that applies to a public sector agency (i.e. internal review under ss 53 and 54 and external review by the Tribunal)

24. The information protection principles relevant to this application are ss 17 and 18 which provide as follows:

17   Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:

(a)   the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b)   the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c)   the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

18   Limits on disclosure of personal information

(1)   A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:

(a)   the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b)   the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c)   the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

(2)   If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

25. Division 3 of Part 2 of the PPIP Act contain a number of specific exemptions from compliance with the ‘information protection principles’, including the following:

“25   Exemptions where non-compliance is lawfully authorised or required

A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:

…

(b)   non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).”

26. Section 55(2) of the PPIP Act provides that on reviewing the conduct of a public sector agency the Tribunal may decide not to take any action on the matter, or it may make one or more of the orders set out in subsection 55(a) to (g). This includes, subject to the requirements in subsections 55(4) and (4A), an order requiring the public sector agency to pay the applicant damages that do not exceed $40,000 by way of compensation for any loss or damage suffered because of the conduct.

The HRIP Act

27. Section 6 of the HRIP Act defines ‘health information’ as follows:

6   Definition of “health information”

In this Act, health information means:

(a)   personal information that is information or an opinion about:

(i)   the physical or mental health or a disability (at any time) of an individual, or

(ii)   an individual’s express wishes about the future provision of health services to him or her, or

(iii)   a health service provided, or to be provided, to an individual, or

(b)   other personal information collected to provide, or in providing, a health service, or

(c)   other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or

(d)   other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or

(e)   healthcare identifiers,

but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act

28. Section 20 provides that the ‘health privacy principles’ apply to a public sector agency. As noted above, these principles are set out in Schedule 1 of the HRIP Act. For the purpose of this application the relevant principles are as follows:

10   Limits on use of health information

(1)   An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:

(a)   Consent

the individual to whom the information relates has consented to the use of the information for that secondary purpose, or

(b)   Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or

Note.

For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(c)   Serious threat to health or welfare

the use of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:

(i)   a serious and imminent threat to the life, health or safety of the individual or another person, or

(ii)   a serious threat to public health or public safety, or

…

(2)   An organisation is not required to comply with a provision of this clause if:

(a)   the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b)   non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

(3)   …

11   Limits on disclosure of health information

(1)   An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:

(a)  Consent

the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or

(b)  Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or

Note.

For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(c)  Serious threat to health or welfare

the disclosure of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:

(i)   a serious and imminent threat to the life, health or safety of the individual or another person, or

(ii)   a serious threat to public health or public safety, or

…

(2)   An organisation is not required to comply with a provision of this clause if:

(a)   the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b)   non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998), or

(c)   the organisation is an investigative agency disclosing information to another investigative agency.

(3)   …

29. Section 21 of the HRIP Act provides that a contravention of a ‘health privacy principle’ that applies to a public sector agency is conduct to which Part 5 of the PPIP Act applies and for that purpose ‘personal information’ is taken to include ‘health information’. That is, an alleged contravention by an agency of a health privacy principle is dealt with under ss 52, 53 and 55 of the PPIP Act.

Consideration

30. As I have noted, the position of the University is that the information in issue is personal information that is health information about the applicant. The University also accepts that:

1. the information is information that is held by the University: see PPIP Act, s 4(4); and

2. the conduct of Ms A and Ms Dickson the subject of this application was conduct they engaged in on behalf of the University.

31. I accept that the information in issue is personal information about the applicant. However, I am not persuaded that the information is also ‘health information’ about the applicant. Other than containing the word ‘illness’ the information does not include any information or an opinion about the physical or mental health of the applicant. Even if I am wrong and the information is health information, nothing turns on this, as the applicable ‘use’ and ‘disclosure’ information protection principles and health privacy principles are in similar terms.

32. The University also accepts that, except for the exemption in s 25 of the PPIP Act, the conduct of Ms A and Ms Dickson was a breach of the use and disclosure information protection principle in ss 17 and 18 PPIP Act.

33. Similarly, the University accepts that, except for the exemptions in and cls 10(2) and 11(2) of Sch 1 of the HRIP Act, the conduct of Ms A and Ms Dickson was a breach of the use and disclosure health privacy principle in those clauses.

34. However, the University contends that the exemptions in s 25(b) of the PPIP Act and/or and cls 10(2) and 11(2) of Sch 1 of the HRIP Act applied in that non-compliance was otherwise permitted (or is necessarily implied or reasonably contemplated) by the Civil and Administrative Tribunal Act 2013 (NSW)(NCAT Act), the ADR Act and/or GIPA Act.

35. The construction and application of s 25(b) was considered in PN v Department of Education and Training (GD) [2010] NSWADTAP 59, at [52] to [60]. At [54], the Appeal Panel said that s 25 of the PPIP Act was expressed in broad language and the task required of the Tribunal in deciding whether s 25 applies does not go so far as requiring a ‘microscopic comparison of an alternative law’. At [57] the Appeal Panel said:

“57   In our view, it is enough for s 25(b) to apply that the transactions in issue (here, one instance of indirect collection and otherwise disclosures) are of a type that is contemplated by the regime; and that they are genuinely undertaken for the purpose of the scheme. Whether something is 'reasonably contemplated' is a factual determination for the trial tribunal to make, only vulnerable to appeal as an error of law on narrow grounds, such as no evidentiary basis for the finding or because the finding is one no rational tribunal could make. This is clearly not a case of that kind.”

36. The same principles would apply to the proper construction of cl 10(2) and 11(2) of Sch 1 of the HRIP Act.

37. In Department of Education and Communities v VK (GD) [2011] NSWADTAP 61, at [14] to [16], the Appeal Panel reiterated that in deciding what is ‘reasonably contemplated’ by a law involves a broad inquiry and one does not drill down to specific elements of the communication and appraise them by reference to a standard of relevance. That is, the words ‘reasonably contemplated’ does not embraced a ‘relevance’ qualification: see also AIL v Department of Premier and Cabinet [2013] NSWADTAP 26; BFP v NSW Ambulance Service [2015] NSWCATAD 39, at [41] to [45]; MH v NSW Maritime [2011] NSWADT 248 and AFC v Sydney Children’s Hospital Speciality Network [2012] NSWADT 189.

GIPA Act – public interest test

38. As pointed out by the University, the relevant legislative context in which the applicant’s personal and health information was used and disclosed was the GIPA Act. The objects of that Act include the following:

3   Object of Act

(1)   In order to maintain and advance a system of responsible and representative democratic Government that is open, accountable, fair and effective, the object of this Act is to open government information to the public by:

(a)   authorising and encouraging the proactive public release of government information by agencies, and

(b)   giving members of the public an enforceable right to access government information, and

(c)   providing that access to government information is restricted only when there is an overriding public interest against disclosure. (italics added)

39. Section 13 of the GIPA Act defines what is meant by the term ‘overriding public interest against disclosure’ as follows:

13   Public interest test

There is an overriding public interest against disclosure of government information for the purposes of this Act if (and only if) there are public interest considerations against disclosure and, on balance, those considerations outweigh the public interest considerations in favour of disclosure.

40. In this case, as set out at [7] above, the information for which the applicant had sought access included personal information of Ms A, the disclosure of which gives rise to a public interest consideration against disclosure under cl 3(a) and (b) of the Table to s 14(2) of the GIPA Act. In determining the applicant’s access request, the University found that this public interest consideration outweighed the public interest considerations in favour of disclosure and refused to grant the applicant access to that information; GIPA Act, s 58(1)(d). That was an administrative decision that was reviewable by the Tribunal: GIPA Act, s 80

Role of the Tribunal on external review

41. As noted by the University, the role of the Tribunal on administrative review of a reviewable decision of a government agency under the GIPA Act is to make the ‘correct and preferable decision’ having regard to the applicable law and the relevant facts: ADR Act, s 63(1). That is, it stands in the shoes of the respondent and exercises all the functions conferred on the decision maker and makes the decision afresh based on the material before it at the hearing: Commissioner of Police, NSW Police Force v Fine [2014] NSWCA 327, at [46].

42. In merit review proceedings, as a general rule, neither party bears an onus of proof. However, under s 105 of the GIPA Act, there is an onus on the government agency to establish that its decision is justified. Hence, in the applicant’s GIPA proceedings before the Tribunal, there was an onus on the University to establish that its decision to refuse access to the personal information of the persons against whom the applicant had made his bullying complaint was justified.

43. In accordance with its usual practices, the Tribunal made orders, under the provisions of the NCAT Act (see s 38(1)) for each party to file and serve their evidence. It was in this context that the University filed and served the affidavit of Ms Dickson that had the email of Ms A annexed to it. As I have noted above, that email was a response to Ms Dickson having consulted Ms A in regard to the disclosure of her personal information in the preliminary assessment report.

GIPA Act - section 54 consultation

44. Section 54 of the GIPA Act makes provision for such consultation and is in the following terms:

54   Consultation on public interest considerations

(1)   An agency must take such steps (if any) as are reasonably practicable to consult with a person before providing access to information relating to the person in response to an access application if it appears that:

(a)   the information is of a kind that requires consultation under this section, and

(b)   the person may reasonably be expected to have concerns about the disclosure of the information, and

(c)   those concerns may reasonably be expected to be relevant to the question of whether there is a public interest consideration against disclosure of the information.

(2)   Information relating to a person is of a kind that requires consultation under this section if the information:

(a)   includes personal information about the person, or

(b)   …

45. I am satisfied on the material before me that Ms Dickson’s email to the persons whose personal information was contained in the preliminary assessment report and for which access had been refused was for the purpose of complying with the requirements of s 54 of the GIPA Act. As explained by the University in its submissions, this consultation was undertaken in order to support its case that the correct and preferable decision was to refuse to grant the applicant access to the personal information in the preliminary assessment report that was personal information about a person other than the applicant because the public interest consideration against disclosure, on balance, outweighed the public interest consideration in favour of the disclosure of that information.

46. Ms A’s email response was made in the same context and while her remarks, the subject of this application, appear to be unrelated to the applicant’s bullying complaint they nevertheless formed a basis of her reasons why she objected to the applicant being granted access to her personal information, as contained in the preliminary assessment report.

47. Accordingly, I am satisfied that in the circumstances where the use and disclosure of the applicant’s personal information and/or health information in the context of GIPA review proceedings before the Tribunal, non-compliance with the use and disclosure information protection principles were permitted, necessarily implied and/or reasonably contemplated by the NCAT Act, the ADR Act and/or GIPA Act. I would make a similar finding in the event the information was health information about the applicant.

Conclusions

48. For the reasons set out above I am satisfied that the conduct of the University for which the applicant seeks review did not amount to a contravention of the ‘use’ or ‘disclosure’ information protection principle or health privacy principle as non-compliance with the use and disclosure information protection principles were permitted, necessarily implied and/or reasonably contemplated by the NCAT Act, the ADR Act and/or GIPA Act.

49. Section 55(2) of the PPIP Act sets out the orders the Tribunal can make on reviewing conduct of an agency that is alleged to amount to a contravention of an information protection principle or a health privacy principle. This includes deciding to take no further action. In my opinion, as I am satisfied that there has been no breach of an information protection principle or a health privacy principle, the appropriate order is to decide to take no further action and I make such an order accordingly.

Orders

1. Pursuant to s 64(1)(d) of the Civil and Administrative Tribunal Act 2013 the disclosure of paragraphs four and five of Annexure JSD2 to the affidavit of Jodi Sophia Dickson, sworn on 28 May 2019 is prohibited.

2. Pursuant to s 55(2) of the Privacy and Personal Information Protection Act 1998 no action will be taken in this matter.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.

Registrar

Decision last updated: 19 December 2019