EIG v North Sydney Council

Case

[2021] NSWCATAD 66

17 March 2021

No judgment structure available for this case.

Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: EIG v North Sydney Council [2021] NSWCATAD 66
Hearing dates: 30 October 2020
Date of orders: 17 March 2021
Decision date: 17 March 2021
Jurisdiction:Administrative and Equal Opportunity Division
Before: A Christie, Senior Member
Decision:

(1) Within 30 days of the date of these Reasons for Decision the Respondent is to provide an unreserved formal written apology to the Applicant addressing and apologising for the Respondent’s breaches of s18 PPIP Act (IPP 11) and s12 PPIP Act (IPP 5) in respect of the personal information of the Applicant, as identified in these Reasons for Decision, and all distress and embarrassment caused to the Applicant by such.

(2) Within 120 days of the date of these Reasons for Decisions the Respondent is to (i) perform IPP 5 by implementing such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure and against all other misuse for all of personal information it holds in physical form and (ii) implement such administrative measures necessary to ensure that the conduct of concern the subject of these proceedings will not occur again. Such security safeguards and administrative measures must include the Respondent’s position as to when and in what circumstances an internal review of an incident will be sufficient and when an external independent review of an incident is required.

(3) The Respondent is to amend the Privacy Management Plan to reflect the security safeguards implemented in accordance with Order (2) above.

(4) The Respondent must publish anonymous notices not identifying the Applicant (in accordance with the publication restriction) in the ‘Latest News’ section of the Respondent’s public website as follows:

(a) within 30 days of the date of these Reasons for Decision, under the heading “Council ordered to address personal information security breach”, a notice noting Orders (2) and (3) above of the Tribunal in relation to the Respondent’s breach of IPP 5 and such notice must stay up until the notice in (b) below is published; and

(b) after the Respondent has completed the measures required by Orders (2) and (3), under the heading “Council’s personal information security remediation completed”, a notice noting Orders (2) and (3) above of the Tribunal and that the Respondent has now completed the measures ordered by the Tribunal to address its breach of IPP 5 and such notice must stay up for 3 months from publication.

Catchwords:

ADMINISTRATIVE REVIEW - personal information - review of conduct of agency and if in contravention of ss 12 (IPP 5) and 18 (IPP 11) of the Privacy and Personal Information Protection Act 1998 - what are reasonable security safeguards in the circumstances under IPP 5

Legislation Cited:

Administrative Decisions Review Act 1997

Civil and Administrative Tribunal Act 2013

Government Information (Public Access) Act 2018

Privacy and Personal Information Protection Act 1998

Cases Cited:

AIN v Medical Council of New South Wales [2017] NSWCATAP 23

ALZ v Workcover NSW (No 2) [2014] NSWCATAD 122

DED v Randwick City Council [2017] NSWCATAD 327

Department of Education and Training v GA (No 3) [2004] NSWADTTAP 50

Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409

DTN v Commissioner of Police [2020] NSWCATAP 73

Education and Training v MT [2006] NSWCA 270

Housing NSW v Hamilton [2015] NSWCATAP 136

KT v Sydney Local Health Network [2011] NSWADT 171

MH v NSW Maritime [2011] NSWADT 248

New South Wales Crime Commission v Ollis [2006] NSWCA 76

Nasr v State of New South Wales (2007) NSWCA 101

Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4

Vice-Chancellor Macquarie University v FM (No 2) [2004] NSWADTAP 37

XW v Department of Education and Training [2009] NSWADT 73

Category:Principal judgment
Parties: EIG (Applicant)
North Sydney Council (Respondent)
Representation:

Counsel:
A Edwards (Respondent)

Solicitors:
Husband of the Applicant (Applicant)
Maddocks (Respondent)
File Number(s): 2020/00136495
Publication restriction: Pursuant to s64 of the Civil and Administrative Tribunal Act 2013 the publication or broadcast of the name of the Applicant in these proceedings or reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person is prohibited.

REASONS FOR DECISION

  1. In these reasons the names of some private individuals have been anonymised so as to preserve the privacy of their personal affairs. The Applicant is referred to as EIG.

  2. On 28 February 2020 the Applicant requested an internal review by the Respondent (IR Request) under Part 5 of the Privacy and Personal Information Protection Act 1998 (PPIP Act) of certain alleged conduct of the Respondent as detailed in the IR Request relating to the disclosure of certain of the Applicant’s personal information which, on 25 November 2019, was sent by a group known as the “North Sydney Residents Alliance” from the email address [email protected] (External Email) to a wide range of recipients. The addressees of the External Email appear in the header of the External Email (Addressees). The External Email is Attachment A to the Applicant’s Statement dated 15 September 2020 (EIG Statement).

  3. In Section 5 of the IR Request the conduct of concern complained about by that the Applicant (and for which the Applicant sought an internal review by the Respondent) was that (conduct of concern):

  1. certain of the Applicant’s personal information held by the Respondent was made publicly known (i.e. an unauthorised disclosure) to a person or persons who then misused that personal information;

  2. the Respondent failed in its obligations under s12(c) PPIP Act by not taking such security safeguards as were reasonable in the circumstances to protect personal information against loss, unauthorised access, use, modification or disclosure and against all other misuse;

  3. the Respondent failed to properly investigate the incident and take the Applicant’s complaint seriously, sought to obfuscate and detract from the seriousness of the breach of the Applicant’s privacy and made untrue statements about the information provided during the Respondent’s Finance Workshops; and

  4. the unauthorised disclosure was done with the clear and deliberate intent of causing the Applicant hurt and anguish and to damage the Applicant’s reputation and standing in the community.

  1. After the lapsing of 60 days from the date of receipt of the IR Request by the Respondent, without the Respondent having completed the internal review, on 4 May 2020 under s53(6) PPIP Act the Applicant filed with this Tribunal for administrative review of the conduct of concern (AR Application).

  2. Also on 4 May 2020 the Respondent issued its decision in respect of the IR Request (IR Decision). However, the Applicant stated in Section 4 of the EIG Statement that they did not receive the IR Decision until it was provided by the Respondent’s solicitors by email on 26 June 2020.

  3. In the IR Decision the Respondent concluded that no personal information of the Applicant was released, there was no breach of the PPIP Act and thus no breach of the Applicant’s privacy. These conclusions were based primarily on the Respondent’s determination that neither the contents of the External Email or any of the documents attached to it contained any personal information, as defined under the PPIP Act, of the Applicant because:

  1. had a third party made an application to the Respondent under the Government Information (Public Access) Act 2018 (GIPA Act) the Respondent would have likely released the information “excluding any information that is strictly personal information”;

  2. none of the Documents comprise personal information “as they comprise information about an individual that is contained in a publicly available document or publication”; and

  3. “there appears no record of any employee of [the Respondent] releasing any of the information” (i.e. the Documents).

  1. Based on the conclusions set out in paragraph [6] above, the Respondent decided to take no further action.

  2. These proceedings relate to the Applicant’s allegations in respect of the conduct of concern, set out in the IR Request and addressed in the IR Decision, that the Respondent breached the PPIP Act in relation to the security (s12 PPIP Act) and disclosure (s18 PPIP Act) of the Applicant’s personal information.

Background

  1. The Applicant was at the time, and remained as at the date of the Hearing, a Councillor of the Respondent.

  2. Over a 2 to 3 year period prior to the sending of the External Email on 25 November 2019, the Applicant and others submitted various of the “Documents” (as defined in paragraph [11] below) and pecuniary interest returns to the Respondent to support requests to attend conferences, comply with obligations to notify the Respondent of pecuniary interests and to claim expenses.

  3. The External Email sent to the Addressees attached fourteen (14) documents, each numbered by hand in the top right-hand corner (Numbers), with some documents containing handwritten annotations and some of the four (4) sets of duplicate documents containing different handwritten annotations (Documents).

  4. The Documents which were attached to the External Email are, using the Numbers, as follows:

Numbers

Description of Document

1 & 11

Bill and receipt from Courgette restaurant, Canberra, dated 20 June 2017 (each Document with different handwritten annotations)

2 & 12

Bill and receipt from Banana Leaf restaurant, Canberra, dated 19 June 2017

3 & 10

Bill and receipt from Monster Kitchen and Bar, Canberra, dated 19 June 2017

4

Minutes of a Council meeting held on 1 May 2017

5

Tax invoice for the Applicant’s registration at the 2019 Local Government NSW Conference dated 2 October 2019 with handwritten annotation “No Show At Conference”

6

Tax invoice for the Applicant’s registration at the 2018 Local Government Conference dated 5 October 2018

7

Qantas E-ticket itinerary, receipt and tax invoice issued to the Applicant for travel between Sydney and Albury on 21 and 23 October 2018

8 & 9

Commonwealth Bank statement for the period 30 May to 28 June 2017 for a Corporate Charge Card held by a representative/officer of the Respondent

13

Copy of part of a brochure in respect of the National General Assembly of Local Government 2019 with handwritten annotations circling certain parts of the brochure

14

One page of the publication by “Good Food” entitled “Canberra’s Top 20 Restaurant’s for 2018” dated 11 December 2018 (although the whole publication is attached, the Number is applied to the page listing Courgette restaurant)

  1. In addition to the Documents attached to the External Email, the body of the External Email made assertions about the Applicant and others based on the Documents and also disclosed information about the Applicant’s property ownership within the Respondent’s Local Government Area. The Applicant alleges this information was taken from the Applicant’s pecuniary interest returns and/or the pecuniary interest register held by the Respondent (Pecuniary Interest Information).

  2. On 26 November 2019 the Applicant received a media query by email which attached two of the Documents and requested the Applicant answer a number of questions posed by the journalist related to the two attached Documents and some of the other Documents attached to and matters raised in the External Email (26 November Email).

  3. Subsequent to the 26 November Email an article was published in a newspaper widely available in Sydney referring to the Applicant, among others, and the transactions/activities referred to in the Documents and the body of the External Email.

  4. On 27 November 2019 the Applicant emailed the Director Corporate Services of the Respondent (DCS) attaching a copy of the External Email and addressing a number of the claims made in the External Email (27 November Email). The Applicant also requested the DCS inform the Applicant:

…who has access to these financial documents, receipts, my travel details and other documents?

…please advise who has inspected my pecuniary interest file in the past two years and who has access to it within the Council Staff.

  1. On 29 November 2019 the DCS replied to the 27 November Email stating, most relevantly:

Finance documents including receipts and payment records are accessible by a range of finance and administrative staff.

Regarding the disclosure of the Pecuniary Interest Returns for Councillors…those must be tabled at the first meeting of Council after the last day the return is required to be lodged. Once tabled, the returns are public documents.

Where Council documents are classified as confidential, access controls are put in place. Regardless of this, Council is aware that a confidential report on the options and pricing of advertising appears to have recently been released to one of the two newspaper entities competing to supply this service.

  1. After some further correspondence between the DCS and the Applicant the DCS confirmed, most relevantly:

…your Pecuniary Interest Register…has not been accessed by any external party.

External parties means people who are not staff including Councillors and the Mayor.

No Councillor or the Mayor has accessed your Pecuniary Interest Register.

The Respondent’s actions after the IR Decision

  1. Subsequent to the IR Decision the Respondent stated that it continued to thoroughly investigate the incident (Statement of Mr Craig Winn filed on 23 October 2020 [11]) and, based on that investigation, the Respondent has subsequently (Respondent Submissions dated 23 October 2020 [54]):

  1. provided a written apology to the Applicant; and

  2. scheduled an additional course of training for staff on the importance of protecting personal information and the requirements of the PPIP Act.

  1. On 20 October 2020 the Respondent issued a letter of apology to the Applicant (Apology).

  2. On 15 June 2020, after the commencement of these proceedings in the Tribunal, as part of the Legal and Planning Committee Agenda (LPCA) the Respondent published (including to the Respondent’s publicly accessible website) “Report 3.1 Current Appeals and Results – June 2020” (Report) authored by the Respondent’s in-house solicitor and endorsed by the General Manager of the Respondent. On page 12 of the Report, in the “NCAT Matters List” section, the Applicant was identified by name as having lodged a privacy complaint against the Respondent.

  3. Despite the Applicant notifying the Respondent of their concern in relation to the matter noted in [21] above, at a subsequent LPCA (including a report for October 2020 similar to the Report), the Respondent again published the name of the Applicant and details of their privacy complaint including on the Respondent’s publicly accessible website.

  4. During the Hearing the Respondent (via Counsel) agreed that it would immediately redact or remove the information referred to in paragraphs [21] and [22] above from all of its publicly available records, including the Respondent’s website.

Issues for determination

  1. The following issues arise for determination by the Tribunal in these proceedings:

  1. what (if any) personal information of the Applicant was the subject of disclosure by the Respondent;

  2. was there any unauthorised disclosure of such personal information by the Respondent in breach of s18 PPIP Act;

  3. whether the Respondent failed to take reasonable security safeguards, as are reasonable in the circumstances, to protect the Applicant's personal information in breach of s12 PPIP Act; and

  4. what orders, if any, the Tribunal should make under s55(2) PPIP Act.

Powers of the Tribunal

  1. A person who is aggrieved by an alleged contravention of the PPIP Act by the conduct of a public sector agency can seek internal review of the conduct of concern by that agency under s53 PPIP Act.

  2. Under s53(6) PPIP Act the Applicant (in this case) is entitled to make an application pursuant to s55 PPIP Act for administrative review of the conduct of concern if the requested internal review is not completed by the Respondent within 60 days of the date of receipt of the Applicant’s internal review application (the IR Request in this case). Also, where an internal review decision has been issued by the agency, s55 PPIP Act most relevantly provides:

(1)   If a person who has made an application for internal review under section 53 is not satisfied with:

(a)   the findings of the review, or

(b)   the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under s53.

  1. On reviewing the conduct of an agency, ss55(2) and (3) PPIP Act provide that the Tribunal may decide not to take any action on the matter or it may make any one or more of the following, most relevant, orders:

(c)   an order requiring the performance of an information protection principle or a privacy code of practice, …

(g)   such ancillary orders as the Tribunal thinks appropriate. …

(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 5 of the Administrative Decisions Tribunal Act 1997.

  1. However, the powers under s55(2) PPIP Act are not the limit of the Tribunal’s powers when determining what action (if any) to take arising from an administrative review of the conduct of concern. In examining whether to take specific action under s55(2) of the PPIP Act, the Appeal Panel of the former Administrative Decisions Tribunal observed the following in the case of Vice-Chancellor Macquarie University v FM (No 2) [2004] NSWADTAP 37:

[59] Our powers are not restricted to those given by s 55(2). Sub-section (3) leaves open to the Tribunal to be exercised the powers contained in the Administrative Decisions Tribunal Act 1997 (the Tribunal Act).

  1. It is not in dispute that the Tribunal has jurisdiction to determine this matter pursuant to s55 PPIP Act, s30 Civil and Administrative Tribunal Act 2013 (CAT Act) and s63 Administrative Decisions Review Act 1997 (ADR Act).

Scope of administrative review proceedings under the PPIP Act

  1. The scope of the request for internal review (i.e. IR Request in this case) limits the scope of the AR Application (in this case) before the Tribunal, without the agreement of the Respondent to expand the scope of the AR Review. The scope of the IR Request (i.e. the conduct of concern) is a matter of fact to be determined by objectively and reasonably construing the IR Request.

  2. The Tribunal’s role is to review the conduct of concern in issue and to consider the action proposed to be taken by the agency (i.e. the Respondent in this case), not to review the findings of the internal review report (i.e. the IR Decision in this case): DED v Randwick City Council [2017] NSWCATAD 327 at [50]. The Tribunal considers the conduct of concern afresh, based on the evidence and material before it at the time of the hearing: Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 and, KT v Sydney Local Health Network [2011] NSWADT 171 at [64].

  3. Section 30(2)(b) CAT Act confirms that the Tribunal may exercise the functions that are conferred or imposed by the ADR Act or enabling legislation in connection with the conduct or resolution of the proceedings. By s63(2) of the ADR Act, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision.

  4. It is not in dispute that the AR Application and these proceedings are within the scope of the IR Request, in particular the conduct of concern as set out in the IR Request.

The hearing and evidence

  1. The hearing was held on 30 October 2020 by telephone (Hearing).

  1. The evidence submitted and relied on by the Applicant includes:

  1. the EIG Statement (and attached documents) filed on 16 September 2020; and

  2. the Applicant’s Supplementary Statement (and attached documents) filed on 28 October 2020 (ASup).

  1. The evidence submitted and relied on by the Respondent includes the Statement of Mr Craig Alan Winn (and attached documents) filed on 23 October 2020 (WS).

  2. Both parties (i) filed written submissions prior to the Hearing (Applicant: Summary of legal arguments filed on 16 September 2020 (A Submissions) and Submissions in reply filed on 28 October 2020 (A Reply Submissions) and Respondent: Submissions filed on 23 October 2020 (R Submissions)) and (ii) presented oral argument and made further submissions during the Hearing.

  3. The Privacy Management Plan prepared by the Respondent (PM Plan), required by the PPIP Act, referred to in the R Submissions at [49(g)] was attached to the WS and is referred to at [47] of the WS.

  4. The IR Request is annexed to the AR Application and the EIG Statement.

Since the Hearing

  1. In the process of considering my decision and preparing these Reasons for Decision I came to an inconsistency between two potential orders the Tribunal may give, an order under s64 CAT Act and an order requested by the Applicant for a public apology.

  2. Considering the Administrative and Equal Opportunity Division Guideline entitled “Confidentiality, privacy and publication”, the usual practice of the Tribunal in respect of privacy matters and in order not to exacerbate any breaches of the Applicant‘s privacy, I was proposing to make an order under s64 CAT Act to restrict publication of the name of the Applicant.

  3. However, such an order under s64 CAT Act is inconsistent with the Applicant‘s submissions requesting, given the public nature of the disclosures, that any formal apology ordered by the Tribunal be published both (i) to all Addressees and (ii) on the Respondent’s public website in the “Latest News” section (Website). The publication of a formal apology in the usual form (written by the Respondent and addressed to the Applicant) as requested by the Applicant would identify the Applicant and the Tribunal has, in those circumstances, no control over how the recipients of such an apology may use it, which is contrary to the essence of the s64 CAT Act order.

  4. In balancing the interests of the confidentiality of the Applicant and the Applicant‘s desire for a public apology, I notified the parties that I was proposing to resolve the inconsistency by ordering that the Respondent issue to the Applicant a formal unreserved apology for the Respondent’s breaches of the PPIP Act and the Information Protection Principles (IPPs) as detailed in these Reasons for Decision (once published) and for all distress and embarrassment caused to the Applicant by such. That is, I was proposing not to order the publication of the apology by the Respondent to the Addressees or on the Website.

  5. This inconsistency and the Tribunal’s proposed resolution of it was put to the parties on 25 February and the parties were given 14 days to submit, for consideration by the Tribunal, any written submissions in respect of the Tribunal’s proposed resolution of this inconsistency.

  6. The Respondent informed the Tribunal on 5 March 2021 that it did not wish to make any written submissions in respect of the Tribunal’s proposed resolution. The Respondent requested instead to have an option to respond to any such submissions made by the Applicant which I have not allowed in the interests of ‘just, quick and cheap resolution of the real issues’ in dispute between the parties pursuant to s36 CAT Act. The Respondent was given the opportunity to make written submissions on this issue (and declined to) and because any such further response by the Respondent to the Applicant’s submissions on this point would, in my opinion, not address the “real issues” in dispute in this matter.

  7. The Applicant made written submissions on 8 March 2021 (8 March Submissions) in which, in addition to the Tribunal’s proposed resolution, the Applicant requested that:

[1] … the respondent be ordered to post the anonymised orders together with a link to the published reasons for decision in the [Website] … and for the posting to remain for a period of at least 6 months, under the headline “Council commits privacy breach”.

The Respondent's concessions

  1. In the R Submissions at [5] and [37] and during the Hearing, the Respondent made a number of important concessions, most relevantly in summary, that (paragraph references are to the R Submissions, unless otherwise noted):

  1. the Respondent accepted that its reasoning in the IR Decision that the information in question was not personal information as it was of the type that may be released on request under the GIPA Act as a matter of course “did not correctly engage with the definition of personal information in s4 of the PPIP Act” [27];

  2. personal information is “held” by the Respondent if “the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement” under s4(4)(b) PPIP Act [12];

  3. subject to the Tribunal’s determination of the extent of the personal information disclosed and the extent to which the Documents and the External Email contain personal information, the Respondent concedes that it holds such and that the Applicant’s identity can be reasonably ascertained (where it is not expressly stated) from such information [37];

  4. the Respondent concedes that Numbers 1-13 of the Documents attached to the External Email were held by it and improperly disclosed by the Respondent and, due to the context of their release, the identity of the Applicant could be reasonably identified even if not otherwise explicit in the Documents [37];

  5. subject to the Tribunal’s determination of the extent of the personal information disclosed and the extent to which the Documents and the External Email contain personal information, it breached the PPIP Act by contravening IPP 11 as the disclosure of the Applicant’s personal information was unauthorised, improper and in breach of s18 PPIP Act (IPP 11) [5] and [36];

  6. the Pecuniary Interests Information of the Applicant (i.e. the Applicant’s property interests in the Respondent’s Local Government Area), referred to in paragraphs [34] and [35] of WS, were not made publicly available until some months after their unauthorised disclosure in November 2019;

  7. the Applicant’s registration to attend the 2019 conference (2019 Conference Details) was first included in the meeting papers and published on the Respondent’s website around 27 July 2020 (WS [38]) (i.e. after the unauthorised disclosure in November 2019) (i.e. contrary to [35]);

  8. the Respondent holds physical copies of Numbers 1-13 of the Documents (without some of the handwritten annotations that appear in the corresponding Documents) in a secure vault room which is only accessible by members of the Respondent’s Finance Team [49(a)];

  9. after the concessions made in the R Submissions and the Hearing, the Respondent accepts that the below is the personal information of the Applicant which was wrongfully disclosed by the Respondent [40] and [47] ((a) to (d) below are collectively referred to as the Agreed Personal Information):

  1. regarding the information referred to in paragraph 49(1)(b)] below, the Applicant’s personal information is that the Applicant booked and attended Courgette restaurant and the details of the food and beverages consumed;

  2. regarding the information referred to in paragraph [49(1)(c)] below, the Applicant’s personal information is that the Applicant attended Monster Kitchen restaurant and details of the food and beverages consumed;

  3. regarding the information referred to in paragraph [49(1)(d)] below, prior to the later authorised publication of the Pecuniary Interests Information by the Respondent, the Applicant’s personal information is the Applicant’s Pecuniary Interests Information including the real estate holdings in the Respondent's Local Government Area; and

  4. regarding the information referred to in paragraph [49(1)(f)] below, the Applicant’s personal information is the Applicant’s Qantas flight details.

Applicant’s submissions

  1. In the A Submissions, the A Reply Submissions and during the Hearing the Applicant submitted, most relevantly and in summary, that:

  1. the Applicant's personal information includes:

  1. the Applicant’s possession of a specific type of credit card (Credit Card) and the use of it to incur Respondent-related expenses;

  2. booking and attendance at Courgette restaurant, details of the food and beverages consumed and identity of persons with whom the Applicant dined;

  3. attendance at Monster Kitchen restaurant, details of the food and beverages consumed and identity of persons with whom the Applicant dined;

  4. pecuniary interests, including real estate holdings in the North Sydney Local Government Area;

  5. attendance at the 2018 conference;

  6. Qantas flight details in connection with attendance at the 2018 conference; and

  7. registration to attend the 2019 conference and non-attendance at that conference;

  1. the information noted in (1) above is personal information and none of it was contained in a publicly available publication at the time of disclosure;

  2. the extensive nature of the disclosure is prima facie evidence that reasonable security safeguards were not in place, the IR Decision underscores this and any system of reasonable safeguards must involve properly investigating all breaches;

  3. it is erroneous to assert that, because information may be capable of disclosure pursuant to an access request under the GIPA Act, it is contained in a publicly available publication;

  4. under s62(1) PPIP Act the intentional unauthorised disclosure or use of personal information carries a maximum penalty of 100 penalty units and 2 years’ imprisonment and the Respondent’s submissions state that the conduct was deliberate and politically motivated;

  5. the Respondent holds other personal information of the Applicant and the External Email threatened further disclosures and, if the disclosure was intentional with a view to harm the Applicant, the Applicant is concerned further unauthorised disclosures by the Respondent may occur and the IR Decision shows a disregard for the safeguarding of the Applicant’s personal information;

  6. it’s not just personal information in formal written records of the Respondent that attracts the protections of the PPIP Act, such apply to all personal information held by the Respondent;

  7. the focus of the Respondent’s investigation on the electronic versions of the Documents (being only three (3) of the thirteen (13) Documents) held by the Respondent fails to adequately address of the security in place in relation to the hard copies of thirteen (13) of the Documents held by the Respondent;

  8. the publication of the Applicant’s name associated with these proceedings in the Respondent’s meeting papers and on its publicly available website, some months after the commencement of these proceedings and then, again, three months later after being put on notice of this error shows a total disregard for the privacy of the Applicant by the Respondent; and

  9. the two investigations made by/on behalf of the Respondent and the Respondent’s proposed remedies and the apology issued only to the Applicant are wholly inadequate and the Applicant seeks:

  1. an apology in an agreed form to be posted in the ‘latest news’ section of the Respondent’s public website;

  2. the apology in (i) also be emailed to all of the Addressees;

  3. a comprehensive independent investigation of the incident be undertaken under the oversight of the NSW Ombudsman; and

  4. all findings from that independent investigation referred to in (iii) be published on the Respondent’s public website.

  1. The Applicant submitted at A Reply Submissions [8] that the Apology was inadequate because:

It self-servingly devotes more attention to trying to convey that it maintains safeguards and has thoroughly investigated the breach …

Respondent’s submissions

  1. In the R Submissions and during the Hearing the Respondent submitted, most relevantly in summary and after the Respondent's concessions (summarised in paragraph [48] above) are taken into account, that (paragraph references are to the R Submissions, unless otherwise noted):

  1. not all of the information claimed by the Applicant to be the Applicant’s personal information (see paragraph 49(1)] above) is “personal information” under the PPIP Act [6];

  2. the Respondent maintained such security safeguards over the Applicant’s personal information (the subject of the IR Request and the AR Application) as were reasonable in the circumstances and thus it has not failed to comply with s12 PPIP Act [7];

  3. the registration and attendance of the Applicant at the 2018 conference was published on the Respondent’s website before the unauthorised disclosure in November 2019 [WS 37];

  4. the Respondent does not hold any formal record of attendance or non-attendance at conferences [34(c)];

  5. the Respondent maintains that (a) to (d) below are not the personal information of the Applicant and thus were not wrongfully disclosed by the Respondent (collectively referred to as Disputed Personal Information) [40], [41], [42], [43] and [45]:

  1. regarding the information referred to in paragraph [49(1)(a)] above, there is no disclosure in the Documents of whether or not the Applicant possesses or used the Credit Card; (Card Information)

  2. regarding the information referred to in paragraph [49(1)(b)] above, there is no disclosure of who attended dinner with the Applicant (Courgette Diners);

  3. regarding the information referred to in paragraph [49(1)(c)] above, there is no disclosure of who attended the dinner with the Applicant (MK Diners);

  4. regarding the information referred to in paragraph [49(1)(e)] above, the attendance at the 2018 conference and the related Documents are not personal information because such information was, at that time, available on the Respondent’s website and is thus contained in a publicly available publication; (2018 Conference Details);

  5. regarding the information referred to in paragraph [49(1)(g)] above, the handwritten note about the Applicant’s non-attendance at the conference does not appear on the Respondent’s copy of the relevant Documents and thus is not information held by the Respondent (2019 Conference Annotation);

  1. the investigations conducted by the Respondent’s General Counsel, Information Technology team and external legal advisors were unable to reach any conclusion as to who made the disclosure of the Documents [36];

  2. it may be inferred that the disclosure of the relevant Documents and the Pecuniary Interests Information:

  1. occurred in circumvention of the Respondent’s protection procedures;

  2. was deliberate and done for political reasons;

  3. intentionally avoided the Respondent’s monitoring of its information systems; and

  4. were politically motivated “leaks” which may not be prevented by reasonable precautions if a person is determined to do it [51]; and

  1. the Respondent has:

  1. conducted a thorough investigation of the breach of s18 PPIP Act;

  2. provided an apology to the Applicant; and

  3. scheduled an additional course of training on the importance of protecting personal information and the requirements of the PPIP Act [54].

  1. In conclusion, the Respondent submitted that:

  1. as a result of the Respondent’s concession as to the breach of s18 PPIP Act, the following issues arise for determination of the Tribunal:

  1. what personal information of the Applicant was the subject of unauthorised disclosure by the Respondent;

  2. whether the Respondent breached s12 PPIP Act; and

  3. what orders, if any, the Tribunal should make under s55(2) PPIP Act (R Submissions [8]); and

  1. as a result of the Respondent’s actions (see paragraph [51(8)] above), the Tribunal should make no further order under s55(2)(b)-(g) [PPIP Act] (R Submissions [55]).

The relevant legislation

  1. ‘Personal information’ is defined by s4(1) PPIP Act as:

"personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

  1. Section 4(3) PPIP Act sets out information that is excluded from the definition of ‘personal information’ including, most relevantly in this case, information about an individual that is contained in a ‘publicly available publication’ (s4(3)(b) PPIP Act).

  2. As noted in AIN v Medical Council of New South Wales [2017] NSWCATAP 23 at [112], the definition of ‘personal information’ in the PPIP Act is broad and is to be interpreted broadly.

  3. The Full Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 found at [63], in applying the then very similar definition of ‘personal information’ in the Privacy Act 1988 (Cth):

The words ‘about an individual’ direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not ‘about an individual’ it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

  1. The various IPPs are set out in Part 2 of the PPIP Act (ss 8-19) which include, most relevantly in this case, in relation to the security (IPP 5) and disclosure (IPP 11) of personal information.

  2. IPP 11 (s18 PPIP Act) provides that an agency must not disclose personal information to other than the individual to whom the information relates unless, in summary:

  1. the disclosure is directly related to the purpose for which it was collected and there is no reason to believe the individual concerned would object;

  2. the individual is reasonably likely to have been made aware that such information is usually disclosed to that other person; or

  3. the agency believes on reasonable grounds disclosure is necessary to prevent or lessen a serious or imminent threat to life or health of any person.

  1. In this context the ‘essence of disclosure of information is making known to a person information that the person to whom the disclosure is made did not previously know’ (Nasr v State of New South Wales (2007) NSWCA 101 at [127]).

  2. Section 12 PPIP Act (IPP 5) relates to the security of personal information. A public sector agency that holds personal information must ensure, most relevantly:

(c)   that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and…

  1. The Applicant bears the burden of adducing some evidence to suggest that their personal information was not securely stored as required by s12 PPIP Act/IPP 5. However, the standard is not high because the knowledge of how the information is stored and the security safeguards in place is held by the agency (i.e. the Respondent in this case). Common sense dictates that the party which has relevant information in their possession should put that information before the Tribunal. Further, if the facts are mostly within the knowledge of one party to an issue, a failure by that party to produce evidence as to those facts may lead to an unfavourable inference being drawn.

  1. The Privacy Commissioner in Privacy NSW, A Guide to the Information Protection Principles, 1999 (Guide) states that the appropriate level of security required will depend on both the nature of the information and the medium in which it is stored. At page 17 it is noted that “if information is extremely sensitive or likely to find an illicit market it should receive more comprehensive protection”. The Tribunal followed this approach in ALZ v Workcover NSW (No 2) [2014] NSWCATAD 122 at [31].

  2. In addition, the Guide advises agencies to look to relevant IT security and records management standards issued by bodies such as Standards Australia and the NSW Office of Information Technology.

Consideration and findings

  1. As noted in paragraph [31] above, the Tribunal's role is to review the conduct of concern afresh. That is, while the concessions of the Respondent are persuasive, I must review the evidence and determine if the concessions of the Respondent in relation to the provisions of the PPIP Act (e.g. whether the information is personal information and there has actually been an unauthorised disclosure by the Respondent) generally accord with the provisions of the PPIP Act. In other words, that the conclusions reached in such concessions are supportable, in the circumstances, under the relevant provisions of the PPIP Act.

  2. In coming to my conclusions below, paragraphs [65] to [70] below, based on the evidence before me I have considered afresh the issues of whether the relevant information is personal information held by the Respondent and, if so, whether it was disclosed by the Respondent and, if so, whether it was disclosed contrary to IPP 11 (s18 PPIP Act).

  3. Based on the evidence before me, the Applicant’s submissions, the concessions by the Respondent and the Tribunal's consideration of the applicable law, I am satisfied that the Documents and Pecuniary Interests Information were: (i) held by the Respondent; (ii) disclosed by the Respondent (i.e. by an employee of the Respondent) and, to the extent they are or contain the personal information of the Applicant, such disclosure was in breach of s18 PPIP Act (IPP 11); and (iii) subsequently attached to or included in the body of the External Email and sent to the Addressees.

  4. As regards the Respondents concessions in paragraphs [47 (2), (3) and (4)] above, the NSW Court of Appeal found in Education and Training v MT [2006] NSWCA 270 (MT) that not every action (eg disclosures of information) by an employee can be attributed to their employer. However, as a corollary to the Court’s finding in MT at [45], where an agency has not taken reasonable security safeguards to protect personal information under IPP 5 (as is the case here) it may be liable for the unauthorised conduct of its employees. Thus, in the circumstances of this case, I am satisfied that the Respondent’s concessions are supported by the evidence.

  5. I accept the Respondent’s submission, supported by my review of the evidence, that the Card Information does not appear in the manner stated by the Applicant on Numbers 1 and 11 of the Documents and is not therefore personal information of the Applicant.

  6. I do not need to decide here whether or not the names of those who dined with the Applicant is the personal information of the Applicant as I accept the Respondent’s submissions, supported by my review of the evidence, that Numbers 1, 3, 10 and 11 of the Documents do not disclose the Courgette Diners or the MK Diners (ie the names of those who dined with the Applicant) and thus the issue does not arise in these circumstances.

  7. I accept the Respondent’s submission that it does not hold Number 14 of the Documents and, in any event, it is a publicly available publication and thus not the personal information of the Applicant and the annotation, in this case, does not change that characterisation in my view.

  8. I accept the Respondent’s submissions and evidence that the 2018 Conference Details were published on the Respondent’s publicly available website prior to the disclosure in November 2019 and thus Number 6 of the Documents does not contain the Applicant’s personal information.

  9. Given Mr Win’s evidence (WS [38]) that the 2019 Conference Details were first published on the Respondent’s website in July 2020 then, at the time of disclosure in November 2019, Numbers 5 and 9 of the Documents included the Applicant’s personal information.

  10. While Number 13 of the Documents is a publicly available publication in its original form, in my view the annotations on it implying that there was no need to pay for certain dinners as disclosed in the other Documents is information or an opinion about the Applicant held by the Respondent. Thus, the annotations on Number 13 of the Documents are the Applicant’s personal information held by the Respondent and which was wrongfully disclosed. The fact that Respondent does not currently hold a copy of Number 13 of the Documents with the same annotations does not alter the position that in all likelihood the annotations were added by the Respondent’s employee in the process of disclosing the personal information in the Documents contrary to IPP 11 (see paragraph [50(7)]).

  11. The Pecuniary Interest Information was, at the time of its disclosure by the Respondent, the personal information of the Applicant because (for whatever reason) it was not then publicly available information. However, such information is now publicly available in accordance with the policies of the Respondent. Thus, while a disclosure in breach of s18 PPIP Act when it occurred, it would not be so now and so I have not taken it into account in respect of my consideration of whether or not the Respondent has failed to take reasonable security measures under IPP 5 (and it is not included in respect of the measures required under Orders 2 and 3).

  12. As to s12(c) PPIP Act, there were numerous submissions and evidence in respect of the measures taken to protect personal information held in electronic/digital form. Without deciding the matter, it appeared from the evidence that the measures taken in respect of the personal information in electronic/digital form are reasonable in the circumstances. However, from the Respondent's investigations, it appears that it was not the electronic or digital copies (but rather the physical copies) of the Documents that were accessed and disclosed. As regards the physical copies of the Documents, the Respondent submitted that only the Respondent’s Finance Team could access the physical copies of the Documents held by the Respondent. The Respondent presented little evidence as regards (i) the security measures in place in relation to the physical copies of the Documents, (ii) how access by the Finance Team to the Documents is tracked or monitored or (iii) any investigations made in respect of the access to the physical copies of the Documents and access to them by the Finance Team.

  13. I am satisfied that (i) the Applicant adduced sufficient evidence to raise (and the Respondent’s absence of evidence in relation to the security measures of the Respondent over the physical copies of the Documents raises) concerns with respect to the Respondent’s compliance with its personal information security obligations in IPP 5, at least in respect of the physical copies of the personal information in the Documents. I am also concerned about the evidence that other serious information security related incidents have occurred (see paragraph [17] above) which, together with the conduct of concern in these proceedings, potentially indicate more systemic information security issues for the Respondent.

  14. The PM Plan, referred to by the Respondent as evidence of the Respondent’s compliance with IPP 5, simply restates the wording of IPP 5 as regards its security obligations. It does not detail any measures actually (or to be) taken by the Respondent to implement its IPP 5 obligations in respect of the security of the personal information held by the Respondent.

  15. The information security obligation under IPP 5 is not a static or ‘one size fits all’ obligation. Rather, IPP 5 requires such security safeguards as are ‘reasonable in the circumstances’. That is, in accordance with the reasoning in XW v Department of Education and Training [2009] NSWADT 73, in circumstances where the Respondent is aware of the potential for deliberate and motivated circumvention of its security measures for likely political motives, which actions will not be easily thwarted by standard or existing security safeguards, the Respondent is required in those circumstances to implement increased security safeguards to meet this increased security threat. In my view it is therefor reasonable to expect that, in the circumstances, the Respondent should have implemented significant security safeguards across all of its personal information holdings, including in physical form, in order to address this concern.

  16. Given the lack of detail in the PM Plan and in the absence of any evidence from the Respondent as to the specific security and access measures implemented by the Respondent in respect of the physical copies of the personal information in the Documents, I find that the Respondent has failed to meet its obligations under, and thus has breached, IPP 5 (s12 PPIP Act) by not having in place reasonable measures in the circumstances to protect the personal information of the Applicant in relation to the physical copies of the Documents.

  17. In summary, based on the evidence, submissions, the concessions of the Respondent and the Tribunal's consideration of the relevant provisions of the PPIP Act in the circumstances of this case, I find that:

  1. the Agreed Personal Information, the 2019 Conference Details, the 2019 Conference Annotation and the Pecuniary Interest Information were, at least at the time, the personal information of the Applicant, which was held and wrongfully disclosed by the Respondent in breach of IPP 11 (s18 PPIP Act); and

  2. the Disputed Personal Information (other than the 2019 Conference Details and 2019 Conference Annotation) and Numbers 4, 8, 9 and 14 of the Documents are not (and do not contain) the personal information of the Applicant and thus were not wrongfully disclosed by the Respondent in breach of IPP 11; and

  3. the Respondent has breached IPP 5 (s12 PPIP Act) in respect of the physical copies of the Applicant’s personal information in the Documents.

  1. The Tribunal has a range of powers, including the power to make orders concerning the systemic nature of an information practice / system or in respect of administrative practices relating to privacy policies, training, practices and procedures and general education of staff within an agency.

  2. As held by the Appeal Panel in DTN v Commissioner of Police [2020] NSWCATAP 73 (DTN):

[99]   In our view, and given that the CAT Act postdates the PPIP Act, the Tribunal may either exercise the functions conferred or imposed upon the public sector agency pursuant to s53(7) as well as make any of the orders provided for in s 55(2) of the PPIP Act…

[105] Under s53(7)(e) of the PPIP Act, following the completion of the review, the public sector agency whose conduct was the subject of the application may “implement administrative measures to ensure that the conduct will not occur again”. As discussed above, by s63(2) of the Administrative Decisions Review Act 1997 and s30(2)(b) of the CAT Act, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision in connection with the conduct or resolution of the proceedings. This would include the making of a decision as to whether or not the public sector agency should implement administrative measures to ensure that the conduct will not occur again. Orders of that kind have been made by the Tribunal, including for example in BVS v Sydney Local Health District [2015] NSWCATAD 171.

  1. It is clear that the Tribunal can (where the evidence following a review of conduct indicates a need) examine systemic or broader issues when considering what actions to take to enliven aspects of s55(2)(c) of the PPIP Act. The case of MH v NSW Maritime [2011] NSWADT 248 makes the following observations in respect of the relationship between the systemic issues and the specific conduct complained of by an applicant and how they might be considered when looking to make an order under s55(2) PPIP Act following such a review:

[24]   As the Privacy Commissioner observed in his submissions, at [14]

It is clear that the hearing of the matter has of necessity looked into the background of the environment within the Respondent Agency as it relates to privacy matters and the handling of personal information.

The evidence relating to those matters has led to both MH and the Privacy Commissioner making submissions addressing wider 'systemic issues' concerning the agency's compliance with IPPs, its Privacy Management Plan, and the knowledge, understanding and implementation of privacy principles, policies and practices within the agency. The Privacy Commissioner expressed the view that -

... the proceedings highlight a general lack of knowledge, understanding, or compliance with the statutory obligations of the Agency as identified under the PPIP Act.

[25]   In my opinion the wider systemic issues within the agency form part of the background or context in which the conduct that MH complains of occurred. They are not of themselves the conduct about which MH is aggrieved, but form part of the organizational environment in which the conduct occurred. They do not fall within the scope of his internal review, reasonably construed, because they do not directly relate to the conduct complained of. They do not relate to specific breaches of IPPs or of a Privacy Code of Conduct, but embrace wider issues concerning compliance with the Act and the agency's culture with respect to privacy issues. They are, nonetheless, relevant to the Tribunal's consideration of the conduct in issue, as they set, in part, the context in which the conduct occurred, and inform my decision making accordingly. Addressing systemic issues which contribute to a finding of conduct in breach of the IPP's may be a relevant factor for the Tribunal when considering what orders should be made under s 55(2).

  1. Section 55(2)(c) of the PPIP Act empowers the Tribunal to make an order requiring the performance of an IPP. I am of the view that, in the current case, s55(2)(c) of the PPIP Act empowers the Tribunal to order the performance of IPP 5 (as provided for in s12 PPIP Act) by the Respondent. This is because such a course of conduct is clearly related to the found contravention of IPP 5.

  2. In my opinion the orders available to the Tribunal in this case also include what may be described as requiring the implementation of administrative measures to ensure that the conduct the subject of the IR Request will not occur again. In support of this, as noted in DTN at [105], the Appeal Panel found that:

… If the conduct was to be too narrowly construed, there would be no or little role for any decision to put in place administrative measures to ensure that the “conduct” will not occur again. Any such decision is of course a discretionary remedy depending on all of the circumstances and the submissions of the parties.

  1. Section 55(2)(g) PPIP Act also permits the Tribunal to make an “ancillary order”. An ancillary order is an order that is “incidental or supplemental to” an order the Tribunal is empowered to make (see for example, New South Wales Crime Commission v Ollis [2006] NSWCA 76 at [28] and Housing NSW v Hamilton [2015] NSWCATAP 136 at [39]).

  2. However, in my view, an order requiring a comprehensive independent investigation of the incident under the oversight of the NSW Ombudsman and that the findings of such be published, as the Applicant is seeking, is not reasonably supplemental or incidental and/or directly flowing from the finding of a contravention of IPP 5 and any order of the Tribunal for the Respondent to comply with IPP 5 and/or implement administrative measures to ensure the conduct of concern will not occur again.

  3. The Tribunal also has power to order the making of a formal apology in appropriate terms under s53(7)(b) of the PPIP Act as, following the completion of the review, the public sector agency whose conduct was the subject of the application may decide to make a formal apology to the Applicant (see DTN [91]). In the absence of any submission as to and evidence of harm, an apology is the appropriate remedy in these circumstances.

  4. Based on my findings above, I agree with the Applicant’s submission that the Apology is not satisfactory. An unreserved formal written apology should be issued by the Respondent to the Applicant addressing and apologising for the Respondent’s breaches of s18 PPIP Act (IPP 11) and s12 PPIP Act (IPP 5) in respect of the personal information of the Applicant, as identified in these Reasons for Decision, and all distress and embarrassment caused to the Applicant by such.

  5. For the reasons set out in paragraphs [41] to [43] above, the Applicant’s original request that any apology ordered by the Tribunal be published as specified in paragraphs [49(10)(a) and (b)] above is not consistent with the s64 CAT Act order made by the Tribunal. The Applicant’s amended request in the 8 March Submissions (see paragraph [46] above) is for an anonymised version of the apology and link to these Reason for Decision to be published on the Website for 6 months. Given the circumstances of this case, in my opinion this will make it obvious to most who the Applicant is, this requested publication is inconsistent with the s64 CAT Act order which the Applicant confirmed in the 8 March Submissions that they wished to keep in place. I have therefor decided, consistent with the proposed approach provided to the parties (see paragraph [43] above) to not order the publication of the apology or an anonymised version of it on the Website or the Addressees.

  6. However, I am cognisant of the very public nature of the disclosures resulting from the breach of IPP 5 by the Respondent and, pursuant to the Tribunal’s powers discussed at paragraphs [28] and [29] above and subject to the s64 CAT Act publication restriction order, I have determined that the Respondent should publish appropriate notices (i.e. anonymous notices not identifying the Applicant) on the Website notifying the public (a) of what it has been ordered to do by this Tribunal to remediate its breach of IPP 5 and (b) once it has complied with the orders in relation to such.

Orders

  1. Within 30 days of the date of these Reasons for Decision the Respondent is to provide an unreserved formal written apology to the Applicant addressing and apologising for the Respondent’s breaches of s18 PPIP Act (IPP 11) and s12 PPIP Act (IPP 5) in respect of the personal information of the Applicant, as identified in these Reasons for Decision, and all distress and embarrassment caused to the Applicant by such.

  2. Within 120 days of the date of these Reasons for Decisions the Respondent is to (i) perform IPP 5 by implementing such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure and against all other misuse for all of personal information it holds in physical form and (ii) implement such administrative measures necessary to ensure that the conduct of concern the subject of these proceedings will not occur again. Such security safeguards and administrative measures must include the Respondent’s position as to when and in what circumstances an internal review of an incident will be sufficient and when an external independent review of an incident is required.

  3. The Respondent is to amend the Privacy Management Plan to reflect the security safeguards implemented in accordance with Order (2) above.

  1. The Respondent must publish anonymous notices not identifying the Applicant (in accordance with the publication restriction) in the ‘Latest News’ section of the Respondent’s public website as follows:

  1. within 30 days of the date of these Reasons for Decision, under the heading “Council ordered to address personal information security breach”, a notice noting Orders (2) and (3) above of the Tribunal in relation to the Respondent’s breach of IPP 5 and such notice must stay up until the notice in (b) below is published; and

  2. after the Respondent has completed the measures required by Orders (2) and (3), under the heading “Council’s personal information security remediation completed”, a notice noting Orders (2) and (3) above of the Tribunal and that the Respondent has now completed the measures ordered by the Tribunal to address its breach of IPP 5 and such notice must stay up for 3 months from publication.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 17 March 2021

Key Legal Topics

Areas of Law

  • Administrative Law

Legal Concepts

  • Administrative Review

  • Judicial Review

  • Reasonable Security Safeguards

  • Compensatory Damages

  • Remedial Orders

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

6

Webb v Port Stephens Council [2025] NSWCATAD 191
Elder v Lithgow City Council [2025] NSWCATAD 100
EIG v North Sydney Council [2022] NSWCATAD 127
Cases Cited

12

Statutory Material Cited

4

ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122
DED v Randwick City Council [2017] NSWCATAD 327
Seyfarth v Minister for Immigration and Multicultural and Indigenous Affairs [2005] FCAFC 105