EHG v Commissioner of Police, NSW Police Force

Case

[2025] NSWCATAD 265

28 October 2025

No judgment structure available for this case.

Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: EHG v Commissioner of Police, NSW Police Force [2025] NSWCATAD 265
Hearing dates: 22 September 2025
Date of orders: 28 October 2025
Decision date: 28 October 2025
Jurisdiction:Administrative and Equal Opportunity Division
Before: A Christie, Senior Member
Decision:

(1) The Respondent’s decision that there was no breach of any IPPs or, if there was, that the Respondent is exempt from complying with the IPPs under s 27 PPIP Act is set aside under s 63(3)(c) ADR Act. In substitution for that decision, I find that the correct and preferable decision is that the Respondent breached s 16 of the Privacy and Personal Information Protection Act 1998 (NSW) (IPP 9) and that the conduct in question is not exempt under s 27 PPIP Act in this case.

(2) Within fourteen (14) days of the date of these Reasons for Decision, the Respondent is to provide to the Applicant an unreserved formal written apology signed by the Commissioner of Police addressing and apologising for: (a) the Respondent's contravention of IPP 9 identified in these Reasons for Decision; and (b) any harm and distress suffered by the Applicant caused by the Respondent’s contravention of IPP 9.

(3) Within thirty (30) days of the date of these Reasons for Decision, the Respondent is to annotate all of the Applicant’s personal information referred to in these Reasons for Decision as the “Applicant PI 1” wherever such is held by the Respondent, including in the “2007 Rae Report” and the “2023 MB Report” (both of which are as defined in these Reasons for Decision) to note this Order and that before using this information in the future all of the requirements of IPP 9 must be complied with by the Respondent, unless an exemption or exception in the Privacy and Personal Information Protection Act 1998 or other law which is applicable in the circumstances.

(4) Within sixty (60) days of the date of these Reasons for Decision, the Respondent is to ensure the performance of IPP 9 in relation to all future uses of the “Applicant PI 1”, the “2007 Rae Report” and the “2023 MB Report” (all as defined in these Reasons for Decision) wherever such are held by the Respondent, including by implementing such:

(a) training, awareness raising and safeguards; and

(b) administrative measures,

necessary to ensure that, in accordance with IPP 9, the Respondent will take reasonable steps in the circumstances to ensure that information is all of relevant, accurate, up to date, complete and not misleading having regard to the purpose for which it is proposed to be used, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 or other law which is applicable in the circumstances.

(5) Within seven (7) days of fully complying with Order (3) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

(6) Within seven (7) days of fully complying with Order (4) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

Catchwords:

ADMINISTRATIVE LAW – Privacy and Personal Information Protection Act 1998 (NSW) – whether s 27 PPIP Act applies to exempt the respondent from complying with the IPPs - whether reasonable steps were taken under IPP 9 in relation to the use of personal information - whether sharing personal information critical of an employee with that employee was an unauthorised use under IPP 10 – if there were systemic issues to be addressed

Legislation Cited:

Administrative Decisions Review Act 1997 (NSW)

Civil and Administrative Tribunal 2013 (NSW)

Government Information (Public Access) Act 2001 (NSW)

Privacy and Personal Information Protection Act 1998 (NSW)

Cases Cited:

BKM v Sydney Local Health District [2015] NSWCATAD 87

Commissioner of Police v Ritson (“DUT”) (No2) [2023] NSWSC 854

DED v Randwick City Council [2017] NSWCATAD 327

Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409

DTN v Commissioner of Police [2022] NSW CATAD 134

EMF v Cessnock City Council [2021] NSWCATAD 219

FM v Macquarie University [2003] NSWADT 78

Insurance and Care NSW v EEH [2021] NSWCATAP 350

KT v Sydney Local Health Network [2011] NSWADT 171

ZR v Department of Education and Training (GD) [2010] NSWADTAP 75

Texts Cited:

Nil

Category:Principal judgment
Parties: EHG (Applicant)
Commissioner of Police, NSW Police Force (Respondent)
Representation: Solicitors:
Applicant (Self-Represented)
Crown Solicitor (Respondent)
File Number(s): 2025/00104062
Publication restriction: The publication or broadcast of the name of the Applicant is prohibited under s 64(1)(a) Civil and Administrative Tribunal Act 2013.

REASONS FOR DECISION

  1. This is an application under s 55(1) of the Privacy and Personal Information Protection Act 1998 (NSW) ("PPIP Act") made by the Applicant on 17 March 2025 for administrative review of the conduct of the Respondent which the Applicant alleges was in contravention of the Information Protection Principles ("IPPs") of the PPIP Act ("External Review Application").

  2. At the heart of the External Review Application is the alleged conduct of the Respondent by using certain of the Applicant's personal information: (a) in order for the Respondent to prepare a ‘Ministerial Briefing’ report for the Minister of Police and Counter Terrorism dated 14 June 2023 (“2023 MB Report”) in relation to an ex-gratia payment request the Respondent received from the Applicant in early 2023 (“Payment Request”); and (b) by sharing within the Respondent an email of the Applicant dated 2 September 2024 sent to the Respondent ("Conduct of Concern"). The Applicant alleges that the Conduct of Concern breaches the PPIP Act and the IPPs.

  3. The Applicant submits that their personal information used, shared or disclosed is: (a) false, misleading and irrelevant personal information about the Applicant relating to a Respondent employee’s view of the Applicant’s then motives and a statement attributed to the Applicant in an internal report of the Respondent dated 14 February 2007 (“2007 Rae Report”) relating to a meeting held on 7 February 2007 with that employee, two others from the Respondent and the Applicant (“Applicant PI 1”); and (b) information critical of an individual at the Respondent with whom the Applicant had been dealing in relation to the Payment Request, after the Minister had rejected the Payment Request, in an email from the Applicant dated 2 September 2024 (“Applicant PI 2”). Applicant PI 1 was included in the 2023 MB Report and Applicant PI 2 was shared with the individual who was criticised in relation to the Respondent’s processing of a subsequent Government Information (Public Access) Act 2009 (NSW) (“GIPA Act”) access request of the Applicant.

  4. The existence of the 2007 Rae Report, the Applicant PI 1 and the related Conduct of Concern became apparent to the Applicant around 2 August 2024 from documents provided by the Respondent as the result of a GIPA Act access application made by the Applicant. The Conduct of Concern related to Applicant PI 2 became apparent to the Applicant from correspondence form the Respondent employee in question to the Applicant around 15 October 2024 as the result of a further GIPA Act access application made by the Applicant.

  5. On 2 December 2024 the Applicant requested by email an internal review by the Respondent of the Conduct of Concern relating to the Applicant PI 1 and the Applicant PI 2 ("Internal Review Application"). The Applicant did not use the IPC internal review application form to request an internal review but did note in their Internal Review Application, in summary and most relevantly, that:

  1. in relation to Applicant PI 2, the Applicant was shocked that their email including this personal information critical of the Deputy Commissioner with whom they had been dealing and which was sent to the Commissioner in confidence was ‘disclosed’ to the Deputy Commissioner. The Applicant alleges that this conduct was a contravention of IPP 11, s 18PPIP Act (“Complaint 1”);

  2. in relation to Applicant PI 1, the 2023 MB Report contains personal information that is incorrect, irrelevant and misleading and the Applicant alleges this was a contravention of IPP 4, s 11 PPIP Act (“Complaint 2”); and

  3. although the Applicant specifically refers to alleged contraventions of IPPs 11 and 18, the internal review of the Respondent should not be limited to these IPPs alone.

  1. The decision of the Respondent in relation to the Internal Review Application, prepared by the Crown Solicitor’s Office on behalf of the Respondent, one was provided to the Applicant around 17 February 2025 (“Internal Review Decision”).

  2. The findings of the Internal Review Decision, in summary and most relevantly, are that:

  1. Complaint 1 is not made out because sharing of the Applicant PI 2 within the Police Force, including with the Deputy Commissioner in question, is not a “disclosure” for the purposes of the PPIP Act;

  2. Complaint 1 might also be understood as relating to s17 PPIP Act (IPP 10). If sharing the Applicant PI 2 with the Deputy Commissioner is a “use” then it was used for the purpose for which it was collected, being to investigate matters further at the Applicant’s request;

  3. Complaint 2 is not made out because the Respondent did not, at the time of preparing the 2023 MB Report, “collect” the Applicant PI 2 and, if it did, any internal review application of the Applicant in respect of this would be out of time;

  4. Complaint 2 might also be understood as relating to s 16 PPIP Act (IPP 9). If so, the Respondent took reasonable steps to check the accuracy of the Applicant PI 2 before using it; and

  5. even if there was a breach of any IPPs, the Respondent is exempt from compliance with the IPPs under s 27 PPIP Act as the Conduct of Concern is not in connection with the exercise of the Respondent’s ‘administrative functions’.

  1. The External Review Application seeks a review by the Tribunal based on the Internal Review Decision finding that: (a) there were no breaches IPPs 10 or 11, ss 17 or 18 PPIP Act; (b) there were no breaches of IPPs 4 or 9, ss 11 or 16 PPIP Act; and (c) even if any breaches of such were found, the Respondent is exempt under s 27 PPIP Act from complying with them. The Applicant states in the External Review Application that they are seeking a review of the Internal Review Decision under s 53 PPIP Act because they ‘disagree’ with the findings of the Internal Review Decision.

Submissions of the Applicant

  1. For the reasons that follow, based on the material before the Tribunal I have decided to set aside the Internal Review Decision and, in substitution for it, I find that the Conduct of Concern and thus the Respondent contravened IPP 9, s16 PPIP Act.

  2. In summary and most relevantly, the Applicant submitted in its written and oral submissions that:

  1. As regards Complaint 1, the Applicant's email to the Commissioner dated 2 September 2024 including the Applicant PI 2 was shared other than for a purpose for which it was provided and was not something that the Applicant was reasonably likely to be aware of or expect.

  2. The 2 September 2024 email was provided to the Commissioner in confidence.

  3. The use of Applicant PI 2 for the purpose of briefing the Deputy Commissioner was not consistent with the original purpose of its collection by the Respondent and was therefore in breach of s 17 PPIP Act.

  4. As regards Complaint 2, the 2023 MB Report contained personal information about the Applicant (i.e. Applicant PI 1) that was misleading, unbalanced, irrelevant and omitted key facts.

  5. One of the misleading and irrelevant uses of the Applicant PI 1 was including in the 2023 MB Report that the Applicant had had the intent to ‘cause as much trouble’ for the Respondent as possible by releasing internal information to the media based on an the alleged statement of the Applicant recorded in a the 2007 Rae Report in relation to the February 2007 meeting including the Applicant and employees of the Respondent.

  6. The various characterisations of the Applicant in 2023 from and in relation to a 2007 meeting, including that noted in (5) above, are wholly inaccurate, unfounded and omit critical information in 2023 and the heavy reliance on and use of an internal note authored in and an alleged statement of the Applicant made in February 2007 is both misleading and irrelevant as regards the 2023 MB Report and the Applicant’s motives for the Payment Request in 2023. This alleged statement and the contents of the 2007 Rae Report were over 16 years old when used in 2023, have not been the subject of any procedural fairness and the Applicant was not given the opportunity for ‘rebuttal’ and they remained unseen by the Applicant until recently (see [4] above).

  7. The 2023 MB Report omitted key facts, including the recent conciliatory behaviour of the Applicant, failed to note ongoing efforts to support the reconciliation process and the expression of thanks and respectful conduct towards senior officers. The inclusion of the Applicant PI 1 from 2007 in the 2023 MB Report was misleading and did not represent what had happened leading up to the Payment Request in 2023.

  8. The preparation and provision of an ex-gratia payment brief to the Minister (i.e. 2023 MB Report) about a former employee is plainly an administrative function. It is not related to the core policing, law enforcement or operational matters of the Respondent. As such, the Respondent is required to comply with the IPPs in the handling, use and disclosure of the Applicant PI 1 and Applicant PI 2.

  9. The ex-gratia payment request process involved a non-statutory discretionary financial recommendation involving senior executive review, internal legal drafting and Ministerial submission, all of which fall squarely within an ‘administrative context’. The 2023 MB Report was the centrepiece of this process and was therefore administrative in nature and part of the Respondent’s administrative functions.

  1. While the exact phrasing of the orders sought by the Applicant from the Tribunal varied across the Applicant’s various submissions, in the initial written submissions made by the Applicant dated 27 March 2025 the Applicant requested, in summary and most relevantly, the following orders be made by the Tribunal:

  1. to declare that the Respondent contravened one or more of ss 11, 16, 17 or 18 PPIP Act;

  2. to require the Respondent to formally apologise to the Applicant for all of its breaches of the IPPs;

  3. to require the Respondent to add a notation to the 2023 MB Report reflecting the Applicant’s ‘rebuttal’;

  4. to require the Respondent to take steps to ensure compliance with the IPPs in the future handling of personal information in relation to administrative reports; and

  5. to award costs to the Applicant, if appropriate under the circumstances.

  1. The Applicant’s position is that Applicant PI 1 and Applicant PI 2 are the Applicant’s personal information under the PPIP Act and the Respondent’s disclosure and/or use of Applicant PI 1 in the 2023 MB Report and by providing Applicant PI 2 to the Deputy Commissioner are contraventions of the PPIP Act and the IPPs.

Submissions of the Respondent

  1. The Respondent does not dispute in its submissions that Applicant PI 1 and Applicant PI 2 are the personal information of the Applicant and that they were ‘used’ by the Respondent in the manner noted by the Applicant. That is, the Respondent agrees that the Conduct of Concern occurred but does not agree that such resulted in the contravention of any IPPs or the PPIP Act by the Respondent and, if it did, the Respondent is exempt under s 27 PPIP Act.

  2. The Respondent’s position is, as set out in its written submissions and repeated in its oral submissions, that:

“[21] It is generally accepted that s 18 does not limit the sharing of personal information within an agency. The sharing of the correspondence with Deputy Commissioner… was clearly internal to the NSWPF and did not constitute a disclosure for the purpose of the PPIP Act. …

[22] The internal review also concluded that, even if the sharing of [the Applicant's] information with Deputy Commissioner… was a disclosure, the exception in s 18(1)(b) would apply. …

[27] The email [in question [2 September 2024] was not marked as being confidential. Nothing in the text of the email indicated that it was intended to be confidential.

[28] Nor does the fact that the email was critical of Deputy Commissioner... imply that it was confidential. …

[33] The email sent by the applicant was not solicited and so it may be doubted that the information was "collected" by the respondents. If the information was "collected" and if the sharing of the information with Deputy Commissioner... involved a "use" of information, the purpose of the collection and use was the same, being to investigate the applicant's complaint. It is difficult to see how the respondent could have investigated the applicant's complaints without discussing them with the Deputy Commissioner…, given that the complaints related to their complaints about Deputy Commissioner...’s conduct. …

[35] The respondent could not address the applicant’s complaint about Deputy Commissioner… without putting the complaint to Deputy Commissioner... The applicant provides no explanation about how the respondent could have done so and provides no elaboration of the alleged breach of s 17. ...

[39] It is well established that s 11 of the PPIP Act does not apply to the internal movement of personal information about an individual within an agency. Similarly, where an employee of an agency reduces to writing an opinion which he or she holds mentally (including an opinion about another person that amounts to "personal information" of that person), that does not constitute "collection" of personal information.

[40] The information in the ministerial brief was therefore not "collected" such that the NSWPF did not breach s 11 of the PPIP Act. ...

[42] Unlike s 11, s 16 applies to information which an agency "holds" and uses, rather than information which it has "collected". The respondent accepts that NSWPF held the applicant’s personal information and that it used it for the purpose of preparing the ministerial brief, in particular making the recommendation that the Minister consider the application for an ex-gratia payment. ...

[44] Section 16 of the PPIP Act turns on whether an agency has taken reasonable steps to ensure the accuracy of information before using it, not on whether the information is actually accurate. ...

[49] The applicant complains that the document is outdated and criticises both the respondent and the CSO's use of it. To the contrary, the document is contemporaneous with the meeting which it describes. There is no reason to doubt the accuracy of a contemporaneous record of the meeting. ...

[54] Section 16 does not refer to the information being complete, but the section must be read as a whole. What s 16 requires is that an agency "take such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is to be used, the information is complete…". The information was used to brief the Minister in relation to the application for an ex-gratia payment. The respondent took reasonable steps to ensure that the information was complete for that purpose. [emphasis added]

[65] The Tribunal has held that "administrative functions" are those relating to the internal administration of an agency, including "corporate services areas performing functions such as personnel, budget, and information technology”.

[66] Plainly, the making of an ex-gratia payment to the applicant does not relate to the internal administration of the NSWPF given that the applicant does not work for the NSWPF. Nor is it an issue of corporate services. If granted, the ex-gratia payment would have involved expenditure of money, but that alone does not mean that something is a budgetary or administrative function. ...

[69] If the Tribunal finds that the respondent has breached the PPIP Act and that the NSWPF is not exempt from compliance with the PPIP Act, the respondent accepts that the relief sought in [26(a)] [2(c)6] [being items (1), (2) and (3) of paragraph 11 above] would be appropriate.”

  1. The Respondent submitted that the correct and preferable decision is that the Respondent did not engage in conduct that contravened (i.e. the Conduct of Concern did not contravene) the PPIP Act and requests the Tribunal to determine to take no further action under s 55(2) PPIP Act.

The Hearing and Materials

  1. The hearing by the Tribunal of the External Review Application occurred on 22 September 2025 (“Hearing”) at which the Applicant appearing by AVL and the Respondent, through its solicitor appearing in person made oral submissions, answered the questions of the Tribunal and the Applicant themselves and the Respondent’s witness, Mr Condon, were cross-examined at the Hearing.

  2. The Applicant relies on their written submissions dated 27 March 2025, written submissions in reply dated 4 July 2025 and the ‘Statement of the Applicant’ dated 10 August 2025.

  3. The Respondent relies on its written submissions lodged with the Tribunal on 20 June 2025. It also relies on:

  1. a bundle of documents lodged on 22 April 2025 pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) (“ADR Act”) (“Section 58 Documents”); and

  2. an affidavit Mr Christopher Condon lodged with the Tribunal on 2 September 2025. Mr Condon is currently the Director of the Tort and Compensation Law Unit at the Respondent and was previously a Staff Officer at the Office of General Counsel of Respondent.

  1. Mr Condon was cross-examined at length by the Applicant during the Hearing and also answered the questions of the Tribunal.

  2. The Applicant, having submitted a statement, was cross-examined by the Respondent during the Hearing and also answered the questions of the Tribunal.

  3. The Applicant and the Respondent made oral submissions during the Hearing and answered the Tribunal’s questions.

The Tribunal’s administrative review jurisdiction

  1. The circumstances in which the Tribunal has administrative review jurisdiction over a ‘decision’ of an administrator is detailed in the ADR Act and s 30(1) of the Civil and Administrative Tribunal Act 2013 (NSW) (“CAT Act”).

  2. Section 9(1) ADR Act provides that the Tribunal has administrative review jurisdiction over a ‘decision’ or class of ‘decisions’ of an ‘administrator’ if the ‘enabling legislation’ provides that applications may be made to the Tribunal for an administrative review under the ADR Act. The term ‘enabling legislation’ is defined in s 4(1) ADR Act to mean legislation, other than the ADR Act, that provides for applications to be made to the Tribunal. In this case the enabling legislation is the PPIP Act. The word ‘administrator’ is defined in s 8 ADR Act. There is no dispute in this case that the Respondent is an administrator

  3. Part 5 of the PPIP Act makes provision for review of certain ‘conduct’ of a public sector agency. Section 52(1)(a) in Part 5 of the PPIP Act sets out the ‘conduct’ to which the Part applies and includes ‘conduct’ that contravenes, or is alleged to contravene, an IPP that applies to the public sector agency. The IPPs relate to the collection (ss 8-11 PPIP Act, IPPs 1-4), retention and security (s 12 PPIP Act, IPP 5), access (ss 13-14 PPIP Act, IPPs 6-7), alteration (s 15 PPIP Act, IPP 8), accuracy (s 16 PPIP Act, IPP 9), use (s 17 PPIP Act, IPP 10) and disclosure (ss 18 and 19 PPIP Act, IPPs 11-12) to/of personal information by a public sector agency.

  4. Subject to the application of s 27 PPIP Act in this case, which is dealt with as Preliminary Issue 1 below at [38] to [40], it is not in dispute that the IPPs and the PPIP Act may apply to the Respondent and, if so, that the Respondent must generally comply with them.

  5. Section 53 PPIP Act makes provision for internal review by the agency of conduct falling within the circumstances set out in s 52 PPIP Act. After completion of the internal review under s 53(7) PPIP Act the administrator, the reviewer of the Respondent in this case, may do any one or more of the following:

  1. take no further action;

  2. make a formal apology;

  3. take such remedial action it thinks appropriate, including the payment of monetary compensation;

  4. provide undertakings that the conduct will not occur again; and/or

  5. implement administrative measures to ensure that the conduct will not occur again.

  1. Section 55 PPIP Act makes provision for a person to apply to the Tribunal for administrative review of that conduct if the person has made an application for internal review under s 53 ADR Act and is not satisfied with the findings of the review or the action taken by the agency in relation to that application for review.

  2. Section 30(2)(b) CAT Act confirms that the Tribunal may exercise the functions that are conferred or imposed on it by the CAT Act, the ADR Act and the enabling legislation (i.e. the PPIP Act in this case) in connection with the conduct and resolution of these proceedings.

  3. Under s 63(1) ADR Act the Tribunal’s role in determining an application for the administrative review of an administratively reviewable decision (i.e. the External Review Application in this case) is to decide what is the correct and preferable decision having regard to the material before it, including any relevant factual material and any applicable written or unwritten law. For this purpose, under s 63(2) ADR Act the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the internal review decision.

  4. Under s 63(3) ADR Act the Tribunal may also decide, in addition to the actions available under s 53(7) PPIP Act, to: (a) affirm the reviewable decision; (b) vary the reviewable decision; (c) set aside the reviewable decision and make a decision in substitution for the reviewable decision that was set aside; or (d) set aside the reviewable decision and remit the matter for reconsideration by the administrator in accordance with any directions or recommendations of the Tribunal.

  5. On reviewing the conduct of the relevant agency, in addition to the options available to the Tribunal noted at [26] and [30] above, the Tribunal may decide not to take any action on the matter (s 55(2) PPIP Act), take any of the actions noted in s 53(7) PPIP Act as available to the administrator or it may make one or more of the orders described in s 55(2)(a)-(g) PPIP Act. Subject to certain exceptions these include, under s 55(2)(a) PPIP Act, an order requiring the agency “to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct”.

  6. The Tribunal's role is to review the conduct of concern in issue (in this case the Conduct of Concern) and to consider whether such contravenes any of the IPPs (in this case) and, if so, determine what action(s), if any, should be taken by the Respondent (in this case). The Tribunal's role is not to review the findings of the internal review decision as detailed in the Internal Review Decision (in this case): DED v Randwick City Council [2017] NSWCATAD 327 at [51].

  7. Often the internal review decision of an agency can assist the Tribunal’s considerations. However, the Tribunal must consider the Conduct of Concern (in this case) afresh, based on the evidence and material before it at the time of the hearing: Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 and KT v Sydney Local Health Network [2011] NSWADT 171.

  8. It is also important to note the role of the parties in proceedings before the Tribunal and of the Tribunal in practice in such administrative review proceedings. As noted by the Appeal Panel in Insurance and Care NSW v EEH [2021] NSWCATAP 350:

“[22] … The Tribunal at first instance was conducting an administration review. It was entitled to assume that the agency, which was under an obligation to cooperate with the Tribunal to give effect to the guiding principle of the Civil and Administrative Tribunal Act 2013 that the just, quick and cheap resolution of real issues in the proceedings be facilitated, had placed all relevant material before it …

[61] …Parties, particularly agencies, should come to the hearing of a matter prepared to adduce all of their evidence and make all of their submissions in relation to the matters in issue in the proceedings.”

  1. I note that submissions were made by both the Applicant and Respondent in writing and orally on s 27 PPIP Act and on all of the IPPs in question and evidence was adduced in support of their respective positions.

Preliminary issues for consideration and determination

  1. Based on the written submissions of the parties and their oral submissions and the discussion during the Hearing, the following three preliminary issues arise for consideration by the Tribunal:

  1. whether s 27 PPIP Act applies to exempt the Respondent from its obligations under the IPPs and the PPIP Act in these circumstances or if, pursuant to s 27(2) PPIP Act, the Conduct of Concern is in this case administrative in nature and thus carved out from the s 27(1) PPIP Act exemption and therefore the Respondent is required to comply with the IPPs (“Preliminary Issue 1”);

  2. whether s 11 PPIP Act (IPP 4) is appropriate in the circumstances of the use in 2023 of the Applicant PI 1, which it had collected by the Respondent in 2007, by including it in the 2023 MB Report (“Preliminary Issue 2”); and

  3. whether s 18 PPIP Act (IPP 11) is applicable to the sharing of the Applicant PI 2 to a person within/employed by the Respondent (“Preliminary Issue 3”)?

  1. If Preliminary Issue 1 is determined in favour of the Respondent then there is no need to look any further as all of the Conduct of Concern will be exempt from and the Respondent in this case will not be subject to the relevant IPPs. If the IPPs do apply to the Respondent in this case then, if Preliminary Issues 2 and/or 3 are resolved in the negative, this will reduce the need for the Tribunal’s detailed consideration in respect of these IPPs, reducing the scope of the Tribunal’s enquiries. I will therefore first briefly address each of these preliminary issues.

Preliminary Issue 1

  1. As noted by the Privacy Commissioner in a 2004 Submission to the Review of the Privacy and Personal Information Protection Act 1998 at page 72:

“Specially, section 27 aims to protect [the NSWPF] from any barriers that the information protection principles might otherwise pose to their operational and investigative activities.”

  1. This sentiment was reinforced by the Supreme Court in Commissioner of Police v Ritson (“DVT”) (No2) [2023] NSWSC 854 at [183]:

“The purpose behind s 27 of the PPIP Act is obvious. Clearly, there is an interest in the information held by law enforcement agencies such as the NSWPF relating to their investigative functions being protected ... hence the general exemption in the PPIP Act with the carve-out for information held in the agency’s administrative and educative functions.”

  1. As pointed out by the Respondent, there has been a long history of often contrary decisions of the Tribunal on the interpretation and application of s 27 PPIP Act. In this case and despite the best efforts of the Respondent to convince the Tribunal otherwise, I find the Applicant’s submissions and evidence on this issue compelling. Based on the material before me I am satisfied that the processing of a request for a discretionary ex-gratia payment by a former employee and the related work in preparing the 2023 MB report for the Minister to decide on whether or not such a payment should be made is an administrative function of the Respondent as contemplated (and carved-out) by s 27(2) PPIP Act. As a result of this, the Conduct of Concern is subject to the IPPs and the Conduct of Concern is not exempt from the PPIP Act.

Preliminary Issue 2

  1. While I do not entirely agree with or accept the submissions of the Respondent on this issue, I note that the obligations under IPP 4 apply at the time of the collection of the personal information in question. I do not agree with the Respondent’s phrasing used in its submissions, perhaps loosely rather than intentionally, around the Applicant PI 1 not having been ‘collected’ by the Respondent and the Applicant being out of time to challenge the collection under this IPP, impliedly because it was originally collected by the Respondent in 2007. It is important to note that the Applicant only became aware of Applicant PI 1 in August 2024 after a successful GIPA Act application.

  2. Based on the material before the Tribunal, I am satisfied that IPP 4 is not applicable to the Conduct of Concern related to Applicant PI 1 and the use of it in the 2023 MB Report by the Respondent as this is a use of personal information already held by the Respondent, not a new collection of that personal information.

Preliminary Issue 3

  1. In certain circumstances, where an agency is large or there are different and discrete functions within an agency, for example, there may be a ‘disclosure’ within an agency for the purposes of IPP 11. In most cases, however, the sharing of personal information such as Applicant PI 2 within an agency is usually a ‘use’ to be dealt with under IPP 10, rather than a ‘disclosure’ to be dealt with under IPP 11.

  2. Based on the material before the Tribunal, I am satisfied that the sharing of Applicant PI 2 with the Deputy Commissioner in relation to a GIPA Act access request of the Applicant is a use of personal information under IPP 10 not a disclosure subject to IPP 11. Therefore IPP 11 (s 18 PPIP Act) is not applicable to the Conduct of Concern in this case.

Relevant IPPs

  1. Based on the above and the material before me, I therefore conclude that the Conduct of Concern is subject to the IPPs and the real issues for consideration by the Tribunal in this proceeding relate to IPPs 9 and 10 (“Relevant IPPs”) and whether the Conduct of Concern is a contravention by the Respondent of either or both of IPPs 9 and/or 10..

The PPIP Act

  1. Personal information is defined in s 4 PPIP Act to mean, subject only to certain exclusions, “information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”. It is not in dispute that the Applicant PI 1 and Applicant PI 2 is the Applicant’s personal information.

  2. Based on the decision in relation to the Preliminary Issues 1, 2 and 3, see [45] above, below I focus only on the Relevant IPPs.

IPP 9 – Accuracy at the time of use

  1. Section 16 PPIP Act (IPP 9) requires that:

“A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.” [emphasis added]

  1. The Applicant bears the burden of adducing some evidence to suggest that appropriate steps as required by IPP 9 were needed or not taken to ensure that their personal information used is relevant, accurate, up to date, complete and not misleading for the proposed use. However, this burden is not high because the knowledge of what steps were taken is primarily known by the Respondent. Common sense dictates that the party which has relevant information in their possession should put that information before the Tribunal. Further, if the facts are mostly within the knowledge of one party to an issue, a failure by that party to produce evidence as to those facts may lead to an unfavourable inference being drawn by the Tribunal.

  2. As can be seen by the emphasis added in [48] above, IPP 9 requires that every use of the Applicant PI 1 by the Respondent (in this case) requires reasonable steps:

  1. to ensure each of:

  1. its relevance;

  2. its accuracy;

  3. that it is up to date;

  4. its completeness; and

  5. that it is not misleading;

  1. in the circumstances; and

  2. for the purpose for which it is proposed to be used.

  1. ‘Reasonable steps’ are not defined in the PPIP Act, However, the obligation in IPP 9 has generally been interpreted and applied by the Tribunal to require agencies to implement a combination of administrative or organisational and technical measures to ensure that, before any and each use of personal information, the agency and its staff consider whether that information is relevant, accurate, up to date, complete and not misleading for that proposed use.

IPP 10 – Use

  1. Section 17 PPIP Act (IPP 10) provides, most relevantly:

“Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless —

the individual to whom the information relates has consented to the use of the information for that other purpose, or

the other purpose for which the information is used is directly related to the purpose for which the information was collected, or …”

  1. While not specifically raised or addressed by the Respondent, it is also important to note the exemption from IPP 10 under s 25 PPIP Act which provides, most relevantly:

“A public sector agency is not required to comply with Section…17… if - …

(b) non-compliance is otherwise permitted/or is necessarily implied or reasonably contemplated under an Act or any other law…”

  1. A “use” is to employ the personal information for a purpose within the Respondent. As noted in FM v Macquarie University [2003] NSWADT 78 at [42]:

“The plain an ordinary meaning of the word use in this context is ‘to avail oneself’ of; apply to one’s purposes; (the Macquarie Dictionary, 3rd edition, the Macquarie Library).”

  1. It is also important to note that even unsolicited personal information will be subject to IPP 10 where such is subsequently retained, used or disclosed by the agency. As the Appeal Panel found in ZR v Department of Education and Training (GD) [2010] NSWADTAP 75 at [71] as regards the unsolicited information exemption (which principle was subsequently also applied in EMF v Cessnock City Council [2021] NSWCATAD 219 at [48]):

“ .. [it] ought not be applied to the entirety of the information handling cycle. Information that was unsolicited at origin, once taken under the control of the agency for one of its administrative purposes should be treated as ‘collected’ and no longer retaining the character of ‘unsolicited information’.”

Considerations

IPP 9: Accuracy on Use

  1. The Applicant submitted, the evidence establishes and the Respondent agrees that the Applicant PI 1 was personal information relevant to a February 2007 meeting recorded by the Respondent later in February 2007 in a report prepared by a Respondent employee (i.e. the 2007 Rae Report) and held since then in the Respondent’s records. The fact, agreed by the Respondent, that this 2007 Applicant PI 1 was used by the Respondent in the 2023 MB Report is enough, of itself, to meet the Applicant’s burden detailed in [49] above. That is, any use of old (in this case over 16 years old) personal information of the Applicant raises a legitimate concern as to what reasonable steps the Respondent took before that proposed use to ensure its relevance, accuracy, currency (i.e. that it is up to date) and completeness of that information and that its use is not misleading in light of that proposed use in 2023.

  2. As noted in [48] and [50] above and agreed in the Respondent’s submissions (see the Respondent’s paragraph [54] quoted in [14] above), s 16 PPIP Act (IPP 9) “must be read as a whole” and thus IPP 9 requires that the Respondent must take reasonable steps in the circumstances to ensure the personal information in question is all of relevant, accurate, up to date, complete and not misleading, having regard to the purpose for which the information is to be used. That is, not just that at the time of its original collection (in this case, in 2007) reasonable steps were taken to ensure it was accurate but that at the time of its use in 2023 reasonable steps were taken to ensure it was relevant, up to date, complete and not misleading for that use.

  1. In this case, as forcefully submitted by the Respondent, the Applicant PI 1 and the 2007 Rae Report may be an accurate contemporaneous record of the Respondent employee’s opinion as to the Applicant’s motives and his recollection of a statement allegedly made by the Applicant in the February 2007 meeting to which the 2007 Rae Report relates. However, the issues in this case are not if the Applicant PI 1 is an accurate record of a 2007 meeting but are primarily: (a) what steps the Respondent took in 2003 to ensure the relevance, currency and completeness of Applicant PI 1 and that it was not misleading for its proposed use in the 2023 MB Report in relation to the 2023 Payment Request; and (b) if those steps were reasonable in the circumstances: see DTN v Commissioner of Police [2022] NSW CATAD 134 at [78] and [80].

  2. The Respondent’s submissions and Mr Condon’s evidence focus almost exclusively on the ‘accuracy’ of the Applicant PI 1 as a contemporaneous record of the February 2007 meeting and the Respondent employee’s recollection of what was said in the February 2007 meeting with the Applicant and the employee’s opinion as to the Applicant’s motives at that time.

  3. I do not need to decide, in this case, whether reasonable steps were taken to ensure the 2007 Rae Report is an accurate record of the statements made at the 7 February 2007 meeting and the employee’s opinions of the Applicant. However, I note that the Respondent did make compelling submissions that, as a contemporaneous record signed by other attendees of that February 2007 meeting within weeks of that meeting and it being an unaltered record, reasonable steps were taken on collection of the Applicant PI 1 in 2007 to ensure the ‘accuracy’ of the record of the employee’s opinion and recollection of what was said when recorded in February 2007 in the 2007 Rae Report.

  4. However, even if this is established, the relevant issues under IPP 9 in the current circumstances where the Respondent used of the 2007 Applicant PI 1 in the 2023 MB Report for the purposes of the 2023 Payment Request (e.g. the Conduct of Concern) is what steps were taken by the Respondent to ensure that the 2007 Applicant PI 1 was relevant, up to date, complete and not misleading (collectively “Relevant”) in relation to its use for the 2023 MB Report and the Payment Request in 2023. Once the steps (if any) taken are established, the Tribunal must then determine if those steps (if any) were reasonable in the circumstances.

  5. As the Respondent submitted, the Tribunal’s role under IPP 9 is not to determine if the Respondent’s use of the Applicant PI 1 was actually relevant or if it was up to date, complete and not misleading or if a different decision was likely to have been made by the Minister if the Minister was presented with it was different information. Rather, the Tribunal’s role is to determine if reasonable steps were taken by the Respondent in the circumstances to ensure that the Applicant PI 1 was Relevant for the proposed use in 2023: see Insurance and Care NSW v EEH [2021] NSW CATAP 350.

  6. The evidence of Mr Condon is that, in preparing a draft of the 2023 MB Report in relation to the Payment Request in 2023 for review by the General Counsel of the Respondent:

[16] When reviewing the [2007] Rae Report in 2015, I noted that it had been prepared by…, a senior officer of the NSWPF. As a NSWPF employee, he is required to comply with NSWPF Statement of Values and the NSWPF Code of Conduct and Ethics, which includes requirements to ‘behave honestly’ and ‘act with care and diligence when on duty’ that extend to the preparation of reports.

[17] I considered whether Detective Inspector Rae had any reason to lie about the Contents of the [2007] Rae Report and concluded that he did not.

[18] I noted that the [2007] Rae Report had progressed through the chain of command to the Deputy Commissioner of Field Operations and it had been forwarded to the Commissioner of Police. The chain of command which had reviewed the [2007] Rae Report included Assistant Commissioner Burn, who was then [in 2007] the Commander of the Professional Standards Command and had been present at the [2007] meeting described in the [2007] Rae Report. I considered that Assistant Commissioner Burn would have included a comment if she had a different recollection of the meeting to which had been recorded by Deceive Rae.

[19] I also note that the [2007] Rae Report was contained on an official records keeping system for the NSWPF.

[20] I also considered that the comment set out [in the 2007 Rae Report] was consistent with my own [2015] experience of responding to [the Applicant’s] correspondence.”

  1. Mr Condon’s evidence, consistent with the Respondent’s submissions, is relevant as to whether the 2007 Rae Report and thus whether reasonable steps were taken at the time of collection to ensure that the Applicant PI 1 is an accurate contemporaneous record of the relevant 2007 meeting. Even through the Applicant’s evidence was that there were numerous discussions with the Deputy Commissioner and Commissioner leading up to the Payment Request in 2023, there was little evidence from Mr Condon or submissions of the Respondent on the steps taken by the Respondent in 2023 to ensure the Applicant PI 1 was Relevant for use in the 2023 MB Report in relation to the 2023 Payment Request in 2023.

  2. When questioned about the steps he took to confirm if the Applicant PI 1 was Relevant for use in the 2023 MB Report regarding the Payment Request, Mr Condon noted that he believed that the Applicant’s attitude recorded in the 2007 Rae Report was relevant. However, neither Mr Condon nor the submissions of the Respondent set out in any detail what steps were taken to come to that decision. That is, there was no detail as to what steps were taken in 2023 to ensure that the 2007 Applicant PI 1 was Relevant for the purposes of the 2023 MB Report and the Payment Request in 2023 and why these steps were reasonable in the circumstances. This is despite the Applicant’s undisputed evidence and submissions that there were numerous positive and reconciliatory discussions between the Applicant and the Deputy Commissioner and Commissioner leading up to the Payment Request in 2023 and the elapsing of some 16 years since 2007.

  3. Based on the material before the Tribunal, I am satisfied that the Respondent did not take reasonable steps in the circumstances to ensure the Applicant PI 1 from 2007 was Relevant for use in the 2023 MB Report for the Payment Request in 2023. As a result, the Conduct of Concern and thus the Respondent contravened IPP 9.

IPP 10: Use

  1. Despite the Respondent’s submissions that the Applicant PI 2 was used for the purposes for which it was collected, “to investigate the Applicant’s complaint” [paragraph 33] of the Respondent’s written submissions dated 20 June 2025), as noted in paragraph [16] of those written submissions in relation to Complaint 1, quoting the Internal Review Application which in turn quoted the Deputy Commissioner:

“…the GIPA stuff you put through, there’s an email in there that they have sent to me, because I’ve obviously contributed to it, but there’s an email in there from you to Karen bluing about me…”

  1. That is, the Applicant PI 2 was used by the Respondent by sharing it with the Deputy Commissioner related to the Applicant’s GIPA Act application, not as part of an investigation of the Deputy Commissioner’s behaviour.

  2. I am satisfied based on the material before the Tribunal that there was no indication that the 2 September 2024 email or the Applicant PI 2 was confidential and not to be disclosed to the Deputy Commissioner.

  3. In addition, although not subject to any detailed submissions of the Respondent, from the Applicant’s submissions the Tribunal understands that the Deputy Commissioner was likely shown the 2 September 2024 email and the Applicant PI 2 under s 54 GIPA Act to determine if he had any objections to releasing it to the Applicant as it contained his personal information. I note that under s 25(b) PPIP Act this use is permitted (if not required) by s 54 GIPA Act.

  4. Based on the analysis above and the material before the Tribunal, I am satisfied that use of the Applicant PI 2 by the Respondent by sharing it with the Deputy Commissioner in relation to the Applicant’s GIPA Act application is exempted by s 25 PPIP Act from being a contravention of IPP 10. However, the Respondent should take care in future proceedings that its submissions reflect and are made in respect of the facts of each specific case. This is both to ensure that it presents its best case to protect its interests and because it is also part of its legal obligations as a party to proceedings before the Tribunal. I remind the Respondent and all Australian legal practitioners representing a party to proceedings before the Tribunal that they have obligations to the Tribunal under s 36 CAT Act, see [34] above.

Systemic issues

  1. The Applicant has raised, by the orders requested from the Tribunal (see 11(4) above), that the Tribunal consider and make orders in relation to issues wider than in relation to the Applicant PI 1 and Applicant PI 2 or similar personal information of the Applicant. That is, to consider and address more systemic privacy issues of the Respondent.

  2. The Tribunal’s role is to review certain conduct (in this case the Conduct of Concern) rather than merely determining, generally, whether there has been a contravention of the PPIP Act or IPPs by the agency (in this case the Respondent). However, the Tribunal may look at systemic issues concerning compliance with the PPIP Act, the IPPs and an agency’s culture with respect to privacy issues in considering the context in which the Conduct of Concern occurred.

  3. As concluded in BKM v Sydney Local Health District [2015] NSWCATAD 87 (“BKM Decision”) at [45] it is clear that, where the evidence indicates a need for it, the Tribunal can examine systemic issues when considering what actions to take generally under s 55 (2) (g) PPIP Act or to enliven aspects of ss 55 (2) (c) and (e) of the PPIP Act.

  4. Addressing systemic issues which contribute to a finding of conduct in contravention of the IPPs is a relevant factor for the Tribunal when considering what orders should be made under s 55(2) PPIP Act.

  5. In the BKM Decision at [44] the Tribunal noted “many dozens of instances” in which the Tribunal has, following a privacy review, made orders “concerning the systemic nature of an information practice/system or in respect of administrative practices relating to privacy policies, training, practices and procedures, and general education of staff within the agency”.

  6. In this case, given there is no evidence that the Respondent’s behaviour goes beyond the Applicant PI 1 personal information and the related Conduct of Concern, I am not satisfied that there are systemic privacy compliance issues within the Respondent exposed by the Conduct of Concern and my finding that the Respondent contravened IPP 9 in relation to the Applicant PI 1.

  7. However, a contravention of IPP 9 by the Respondent in relation to the Applicant PI 1 and the related Conduct of Concern has been found by the Tribunal. There is also a possibility of potential further or continuing contraventions of IPP 9 by the Respondent in similar circumstances in relation to the Applicant and the use of the Applicant PI 1, especially if another ex-gratia payment request is made by the Applicant. Therefore, appropriate orders in respect of the Applicant, the Applicant PI 1 and potential future similar conduct of the Respondent in relation to that personal information should be made by the Tribunal to address the potential ongoing contravention of IPP 9 by the Respondent in respect of the Applicant and the Applicant PI 1.

The Orders requested by the Applicant

  1. I have considered all of the Applicant’s requested orders. I have addressed the requested orders (1) to (3) noted in paragraph [11] above in the Tribunal’s Orders. However, for the reason briefly noted below, based on the materials before the Tribunal I do not believe that the requested orders noted in (4) and (5) of paragraph [11] are appropriate in the circumstances:

(4) orders made specific to the Applicant PI 1 and the Respondent’s contravention of IPP 9 are, in my view, sufficient to address the harm in this case and, in the absence of any evidence of systematic issues (see [77]), this order generally in relation to all IPPs and all personal information in administrative reports for all individuals would be excessive in the circumstances, especially given the operation of s 27 PPIP Act; and

(5) I do not believe that an Order for costs is appropriate in the circumstances as no special circumstances under s 60(3) CAT Act has been established and also because the Applicant is self-represented.

  1. For the reasons noted above and based on the material before the Tribunal, I have decided to set aside the Internal Review Decision that found no contraventions of any IPPs and, in the alternative, that s 27 PPIP Act applied to exempt the Respondent from complying with the IPPs in this case. In substitution for the Internal Review Decision under s 63(3)(c) ADR Act, I have decided that, in this case, s 27 PPIP Act does not exempt the Respondent from the IPPs, IPPs 9 and 10 apply to the Conduct of Concern and that the Respondent has contravened s 16 PPIP Act (IPP 9) and I make the following Orders.

Orders

  1. The Respondent’s decision that there was no breach of any IPPs or, if there was, that the Respondent is exempt from complying with the IPPs under s 27 PPIP Act is set aside under s 63(3)(c) ADR Act. In substitution for that decision, I find that the correct and preferable decision is that the Respondent breached s 16 of the Privacy and Personal Information Protection Act 1998 (NSW) (IPP 9) and that the conduct in question is not exempt under s 27 PPIP Act in this case.

  2. Within fourteen (14) days of the date of these Reasons for Decision, the Respondent is to provide to the Applicant an unreserved formal written apology signed by the Commissioner of Police addressing and apologising for: (a) the Respondent's contravention of IPP 9 identified in these Reasons for Decision; and (b) any harm and distress suffered by the Applicant caused by the Respondent’s contravention of IPP 9.

  3. Within thirty (30) days of the date of these Reasons for Decision, the Respondent is to annotate all of the Applicant’s personal information referred to in these Reasons for Decision as the “Applicant PI 1” wherever such is held by the Respondent, including in the “2007 Rae Report” and the “2023 MB Report” (both of which are as defined in these Reasons for Decision) to note this Order and that before using this information in the future all of the requirements of IPP 9 must be complied with by the Respondent, unless an exemption or exception in the Privacy and Personal Information Protection Act 1998 or other law which is applicable in the circumstances.

  4. Within sixty (60) days of the date of these Reasons for Decision, the Respondent is to ensure the performance of IPP 9 in relation to all future uses of the “Applicant PI 1”, the “2007 Rae Report” and the “2023 MB Report” (all as defined in these Reasons for Decision) wherever such are held by the Respondent, including by implementing such:

  1. training, awareness raising and safeguards; and

  2. administrative measures,

necessary to ensure that, in accordance with IPP 9, the Respondent will take reasonable steps in the circumstances to ensure that information is all of relevant, accurate, up to date, complete and not misleading having regard to the purpose for which it is proposed to be used, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 or other law which is applicable in the circumstances.

  1. Within seven (7) days of fully complying with Order (3) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

  2. Within seven (7) days of fully complying with Order (4) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 28 October 2025

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

0

Cases Cited

9

Statutory Material Cited

4

BKM v Sydney Local Health District [2015] NSWCATAD 87
Commissioner of Police v Ritson (“DVT”) (No 2) [2023] NSWSC 854
DED v Randwick City Council [2017] NSWCATAD 327