EJX v University of Newcastle
Case • [2023] NSWCATAD 53 • 13 March 2023
CaseChat Overview and Summary
The case before the court involved EJX, the applicant, and the University of Newcastle, the respondent. The dispute centred on the alleged contraventions of the Australian Privacy Principles (APPs) and the Health Records Information Protection Principles (HPPs) by the University. These contraventions were said to have arisen from the establishment and operation of an email account and address solely operated and controlled by the university on behalf of the applicant. The applicant sought redress for the alleged breaches, including compensation for harm, distress, humiliation, and embarrassment caused by the university's actions.
The legal issues that the court had to address were primarily concerned with whether the university had contravened the APPs and HPPs in its handling of the applicant’s personal and health information. This involved examining the university’s policies and practices regarding the creation and use of the email account, the adequacy of the security measures implemented, and the accuracy, relevance, and completeness of the information held. The court also needed to consider the impact of the university's policies on its obligations under the Privacy and Personal Information Protection Act and the Health Records Information Protection Act, and whether there was any aggravating conduct that warranted additional compensation.
In its reasoning, the court found that the university had indeed contravened several APPs and HPPs. The court highlighted that the university’s operation of the email account on behalf of the applicant without proper authorisation and its failure to provide adequate information and notice to the applicant were significant breaches. Additionally, the court determined that the university’s conduct was aggravating due to its repeated and unnecessary breaches of privacy. Consequently, the court ordered the university to cease its use of the dedicated email, provide a formal written apology, pay compensation including aggravated damages, and take various steps to rectify its privacy practices.
The final orders of the court included the setting aside of previous internal review and interlocutory orders, mandating the university to cease using the dedicated email, issue an apology, pay compensation, and implement various privacy measures. These included providing the applicant with all required notices and information, ensuring the security and accuracy of the applicant's information, and using the information only in accordance with the principles. The university was also required to confirm its compliance with these orders in writing.
Key Legal Topics
Areas of Law
- Administrative Law
Legal Concepts
- Jurisdiction
- Res Judicata
- Compensatory Damages
- Aggravated & Exemplary Damages
- Injunction
Most Recent Citation
GGP v Lismore City Council [2024] NSWCATAD 308
Cases Citing This Decision: 4
- GGP v Lismore City Council [2024] NSWCATAD 308
- Chaouk v Chief Commissioner of State Revenue [2023] NSWCATAD 305
Cases Cited: 28
Statutory Material Cited: 6
- ALZ v SafeWork [2017] NSWCATAD 52
- ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122
- BVV v Commissioner of Police [2020] NSWCATAD 182