Elder v Lithgow City Council

Civil and Administrative Tribunal

New South Wales

Medium Neutral Citation:	Elder v Lithgow City Council [2025] NSWCATAD 100
Hearing dates:	3 March 2025
Date of orders:	8 May 2025
Decision date:	08 May 2025
Jurisdiction:	Administrative and Equal Opportunity Division
Before:	A Christie, Senior Member
Decision:	(1) The Respondent’s decision that there was no breach of s 18 of the Privacy and Personal Information Protection Act 1998 (NSW) (IPP 11) is set aside and, in substitution for it, I find that the Respondent breached ss 12 and 18 of the Privacy and Personal Information Protection Act 1998 (NSW). (2) Within fourteen (14) days of the date of these Reasons for Decision, the Respondent is to provide to the Applicant an unreserved formal written apology signed by the Mayor of Lithgow City Council addressing and apologising for (a) the Respondent's contraventions of IPPs 5 and 11 identified in these Reasons for Decision and (b) all harm and the significant distress and intimidation suffered by the Applicant caused by and resulting from the Conduct of Concern and the Respondent’s breaches of APPs 5 and 11. (3) Within fourteen (14) days of the Applicant providing to the Respondent her bank account details, the Respondent is to pay the Applicant $8,000 as compensation for the significant and prolonged distress suffered by the Applicant caused by and resulting from the Conduct of Concern and the Respondent’s breaches of IPPs 5 and 11. (4) Within fourteen (14) days of the date of these Reasons for Decisions the Respondent is to perform IPPs 5 and 11 in relation to all personal information of the Applicant held by the Respondent, including by implementing such: (i) training, awareness raising and safeguards; and  (ii) administrative measures, necessary to ensure the Respondent will implement reasonable security safeguards in the circumstances to protect the Applicant’s personal information held by the Respondent and only disclose the Applicant’s personal information held by the Respondent in compliance with IPP 11, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 which is applicable in the circumstances. (5) Within sixty (60) days of the date of these Reasons for Decisions the Respondent is to perform IPPs 5 and 11 in relation to all personal information held by the Respondent in relation to all complaints made to the Respondent, including by implementing such: (i) training, awareness raising and safeguards; and  (ii) administrative measures, necessary to ensure the Respondent will implement reasonable security safeguards in the circumstances to protect all personal information in such complaints held by the Respondent and only disclose personal information in such complaints held by the Respondent in compliance with IPP 11, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 which is applicable in the circumstances. (6) Within 7 days of fully complying with Order (4) above the Respondent must notify the Applicant in writing that it has fully complied with that Order. (7) Within 7 days of fully complying with Order (5) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.
Catchwords:	ADMINISTRATIVE LAW – Privacy and Personal Information Protection Act 1998 (NSW) – is a complaint personal information in the circumstances – whether there was an unauthorised disclosure under IPP 11 – whether reasonable security safeguards were taken under IPP 5 – systemic issues – damages for distress without a medical certificate
Legislation Cited:	Administrative Decisions Review Act 1997 (NSW) Civil and Administrative Tribunal Act 2013 (NSW) Privacy Act 1988 (Cth) Privacy and Personal Information Protection Act 1998 (NSW)
Cases Cited:	AIN v Medical Council of New South Wales [2017] NSWCATAP 23 ALZ v Workcover NSW (No 2) [2014] NSWCATAD 122 BKM v Sydney Local Health District [2015] NSWCATAD 87 CJU v SafeWork NSW [2018] NSWACATAD 300 CRP v Department of Family and Community Services [2017] NSWCATAD 164 DED v Randwick City Council [2017] NSWCATAD 327 Director General, Department of Education and Training v MT (2006) 67 NSWLR 237 Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 DSG v Department of Education [2019] NSWCATAD 182 EEC v Federation Council [2020] NSW CATAD 169 EIG v North Sydney Council [2021] NSWCATAD 66 EFL v Secretary, Department of Education [2020] NSWCATAD 239 GFX v Secretary Department of Communities and Justice [2024] NSWCATAD 322 Insurance and Care NSW v EEH [2021] NSWCATAP 350 KT v Sydney Local Health Network [2011] NSWADT 171 MH v NSW Maritime [2011] NSWADT 248 Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 The Office of Finance and Services v APV and APW [2014] NSWCATAP 88 58 Vice-Chancellor, Macquarie University v FM (No 2) [2004] NSWADTAP 61 WL v Randwick City Council [2007] NSWADTAP
Texts Cited:	The Information Privacy Commissioner, “Privacy NSW, A Guide to the Information Protection Principles, 1999”
Category:	Principal judgment
Parties:	Tracey Elder (Applicant) Lithgow City Council (Respondent)
Representation:	Solicitors: Applicant (Self-Represented) Pikes & Verekers Lawyers (Respondent)
File Number(s):	2024/00408648
Publication restriction:	Nil

REASONS FOR DECISION

1. This is an application under s 55(1) of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) made by the Applicant on 1 November 2024 for administrative review of the conduct of the Lithgow City Council which the Applicant alleges was in contravention of Information Protection Principles (IPPs) of the PPIP Act (External Review Application).

2. At the heart of the External Review Application is the alleged significant and prolonged intimidation and verbal abuse suffered by the Applicant at the hands of her neighbour over the Christmas period of 2023, which intimidation and abuse the Applicant alleges resulted from the conduct of the Respondent in disclosing her personal information to that neighbour in breach of the PPIP Act and various IPPs (Conduct of Concern). The Applicant submits that her personal information in this case is that she had made and the nature of her enquiries of and complaints to the Respondent about her neighbour’s development application and their alleged illegal occupation of a non-approved structure on that neighbour’s property adjacent to her dwelling (Applicant Personal Information).

3. On 5 August 2024 the Applicant made an application to the Respondent for internal review in relation to the Conduct of Concern (Internal Review Application). The Applicant did not complete Question 6 of the Internal Review Application form in which the applicant (the Applicant in these proceedings) is asked to tick one or more of a number of options that describe the relevant activities the subject of the application in terms of alleged breaches of the IPPs (e.g. “security or storage of my personal health information”, “disclosure of my personal health information”, etc) to assist the Respondent’s consideration and review of the Internal Review Application. The Applicant did not tick any of the eight boxes in Question 6 of the Internal Review Application form she submitted to the Respondent. The Respondent did not follow up with the Applicant as to which of the IPPs (i.e. the boxes in Question 6 of the form) she alleged were breached by the Conduct of Concern.

4. On 3 October 2024 the Respondent notified the Information and Privacy Commissioner (IPC) of the draft findings of its internal review in a draft report (Draft Report). On 23 October 2024 the IPC provided it's “Submissions of the NSW Privacy Commissioner” on the Draft Report and the findings of the Respondent’s internal review (IPC Submissions). In summary and most relevantly, the IPC Submissions were as follows:

1. the Draft Report contained minimal details about the investigation carried out by the Respondent and of the Respondent's findings; and

2. noting the Respondent’s inconclusive findings about “insufficient evidence”, the IPC recommended that the Respondent consider the nature of its internal review obligations as expressed in CRP v Department of Family and Community Services [2017] NSWCATAD 164 and quoted from paragraph [7], most relevantly, as follows:

“An internal review takes the form of a fact-finding investigation whereby the reviewer accumulate[s] evidence and material to the extent necessary to make a factual finding in respect of the alleged conduct... and applies those findings to the provisions of the PP IP Act. ...”

5. On 28 October 2024 the Respondent’s internal reviewer, Ms Staines, issued her decision (Internal Review Decision) noting and finding that, in summary and most relevantly:

1. the Respondent understands that the Applicant’s complaint is that “Council failed to protect her private information”;

2. Question 6 of the Internal Review Application form lodged by the Applicant was not completed and Ms Staines assumed, even after noting the Respondent’s understanding in (1) above, that only IPP 11 was at issue;

3. the Respondent’s officer, Mr Sheehan, did not recall telling the Applicant’s neighbour about any complaint made by the Applicant;

4. Ms Staines found no documents on file where the Applicant’s neighbour was informed about a complaint, even though Ms Staines attached the email from Mr Sheehan referred to in [45] to her affidavit;

5. Mr Sheehan confirmed that he was aware of the requirement to adhere to the standards set by the Respondent’s Code of Conduct and the requirement to protect privacy of complainants;

6. based on the above conclusions, there was insufficient evidence to suggest the alleged conduct (i.e. the Conduct of Concern) actually occurred; and

7. despite this finding, as a result of the review the Respondent is going to offer additional information/training to all staff to reinforce their awareness of the requirement to “protect the personal information” that the Respondent holds.

6. In this External Review Application before the Tribunal the Applicant seeks a review of the Internal Review Decision which, although not expressly stated in the Internal Review Decision, impliedly found no breaches of any IPPs, including of IPP 11 which Ms Staines had assumed was the only IPP in issue. The Applicant states in the External Review Application that she is seeking a review of the Internal Review Decision because:

1. I am not satisfied with the findings of the internal review.

2. I am not satisfied with the action Lithgow City Council proposes to take in relation to my application.

3. The internal review did not comply with Section 53(3) of the Privacy and Personal Information Protection Act 1998.

7. The hearing by the Tribunal of this External Review Application occurred on 3 March 2025 (Hearing) at which both the Applicant (by AVL) and the Respondent through its solicitor appearing in person made oral submissions, answered various questions of the Tribunal and Ms Staines was made available for cross-examination.

8. The Applicant’s position is that the Applicant Personal Information is personal information under the PPIP Act and the Respondent disclosed the Applicant Personal Information (i.e. her personal information) to her neighbour in breach of the PPIP Act and the IPPs and therefore the Internal Review Decision was wrong in not finding that the Conduct of Concern resulted in any breaches of the IPPs and should be set aside. The Applicant has asked that the Tribunal order damages and compensation be paid to the Applicant for damage to her property and her significant mental and emotional distress resulting from the Conduct of Concern and the Respondent’s breaches of the IPPs, an apology be made by the Respondent and the Respondent be required to take corrective action to prevent further breaches of the PPIP Act in respect of both her personal information and the personal information of others in similar circumstances in the future.

9. The Respondent does not dispute that the Applicant’s name constitutes personal information regarding the identity of the Applicant and that its disclosure by the Respondent in this case would breach the PPIP Act and IPP 11. The Respondent’s position is essentially twofold, that: (a) the fact that a complaint had been made to the Respondent about the neighbour and the content or type of such complaint is not personal information about the Applicant where the Applicant’s name is not expressly included in that information; and (b) the Applicant has not established that any disclosure of her name occurred at any time before Christmas 2023 to trigger the neighbour’s alleged verbal abuse and intimidation of the Applicant over the Christmas 2023 period. On this basis, therefore, the Respondent submits that the Conduct of Concern did not occur and, as a result, there cannot be any and is no breach of IPP 11 by the Respondent.

10. As to the orders to be made by the Tribunal, if the Tribunal finds against the Respondent on the Applicant Personal Information being personal information and whether disclosure of the Applicant Personal Information occurred, the Respondent’s position is that the Applicant has not sufficiently proved that any financial loss, psychological or physical harm was suffered by the Applicant due to the alleged breach of the PPIP Act. The Respondent submitted that the neighbour’s alleged behaviour reflects a long-standing existing pattern of behaviour which, based on the Applicant’s evidence, also reflects the significant mental health issues of the neighbour, all of which the Respondent has been aware of for a long time prior to Christmas 2023. The Respondent also submitted that it already has in place sufficient procedures to protect all personal information it holds but submitted little if any evidence to support this submission.

11. For the reasons that follow I have decided to set aside the Internal Review Decision and, in substitution, I find that the Conduct of Concern occurred and that the Respondent breached IPPs 5 and 11.

Materials

12. The Applicant relies on various bundles of documents and written submissions lodged on 18 February 2025 and 24 February 2025 and written submissions in reply lodged on 26 February 2025.

13. The Respondent relies on written submissions lodged on 5 February 2025. It also relies on:

1. a bundle of documents lodged on 21 November 2024 pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) (ADR Act) (Section 58 Documents);

2. an affidavit Ms Kylie Staines. Ms Staines is a NAR/GIPA Officer for the Respondent and, in this case, was as the Respondent’s internal reviewer for the Internal Review Application and the author of the Internal Review Decision; and

3. an affidavit of Mr Jim Sheehan. Mr Sheehan is a team leader of building development employed by the Respondent. Mr Sheehan supervisors a team of building surveyors which are responsible for investigating compliance issues concerning the development or use of buildings/land and assessing and issuing building certificates. In this case, Mr Sheehan is the Respondent's officer who is alleged to have disclosed the Applicant Personal Information to the Applicant’s neighbour (i.e. the officer alleged to be responsible for the Conduct of Concern).

14. Ms Staines was briefly cross-examined by the Applicant during the Hearing and also answered the questions of the Tribunal.

15. Both parties also made oral submissions during the Hearing and answered the Tribunal’s questions.

Background to the Internal Review Application

16. Over some 10 years prior to Christmas 2023 the Applicant has made numerous complaints to and inquiries of the Respondent regarding her neighbour and their occupation of a ‘shed’ adjacent to her property, including questioning the lawfulness of that occupation and making various allegations concerning the behaviour of the neighbour towards her, including allegations of extreme verbal abuse and intimidation by the neighbour.

17. On 25 August 2023 the Applicant’s solicitor, on behalf of the Applicant, made inquiries of and/or complaints to the Respondent in relation to the progress of the neighbour’s development application and alleged illegal occupation of a shed on the neighbour's property.

18. Being in a semi-rural location there were no other near neighbours of the Applicant and, for the period up to and including the Christmas 2023 period, the Applicant and her neighbour were the only occupied buildings in the vicinity of the Applicant’s neighbour. This is supported by Mr Sheehan’s evidence (see [48] below).

19. Sometime in the lead up to Christmas Day 2023, on Christmas Day and subsequently over the Christmas period the Applicant alleges that her neighbour became extremely verbally abusive to her, successfully sought to intimidate her and informed her that his behaviour was because Mr Sheehan, the Respondent’s officer responsible for overseeing regulatory compliance of the neighbour's property, had informed the neighbour that the Applicant had complained about the neighbour and the structure on their property.

The Tribunal’s administrative review jurisdiction

20. The circumstances in which the Tribunal has administrative review jurisdiction over a ‘decision’of an administrator is detailed in the ADR Act and s 30(1) of the Civil and Administrative Tribunal Act 2013 (NSW) (CAT Act).

21. Section 9(1) ADR Act provides that the Tribunal has administrative review jurisdiction over a ‘decision’, or class of ‘decisions’ of an ‘administrator’ if the ‘enabling legislation’ provides that applications may be made to the Tribunal for an administrative review under the ADR Act.

22. The term ‘enabling legislation’ is defined in s 4(1) ADR Act to mean legislation, other than the ADR Act, that provides for applications to be made to the Tribunal. In this case the enabling legislation is the PPIP Act.

23. The word ‘administrator’ is defined in s 8 ADR Act. There is no dispute that the Respondent is an administrator. In this case the relevant administrator is the person making the internal review decision on behalf of the Respondent, even though the Internal Review Decision itself is not the subject of the review by the Tribunal.

24. Section 30(2)(b) CAT Act confirms that the Tribunal may exercise the functions that are conferred or imposed on it by the CAT Act, the ADR Actand the enabling legislation (i.e. the PPIP Act in this case) in connection with the conduct or resolution of these proceedings. 

25. Under s 63(1) ADR Act the Tribunal’s role in determining an application for the administrative review of an administratively reviewable decision (i.e. the External Review Application in this case) is to decide what is the correct and preferable decision having regard to the material before it, including any relevant factual material and any applicable written or unwritten law. For this purpose, under s 63(2) ADR Act, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision.

26. Under s 63(3) ADR Act, the Tribunal may decide to: (a) affirm the reviewable decision; (b) vary the reviewable decision; (c) set aside the reviewable decision and make a decision in substitution for the reviewable decision that was set aside; or (d) set aside the reviewable decision and remit the matter for reconsideration by the administrator in accordance with any directions or recommendations of the Tribunal.

27. The Tribunal's role is to review the conduct of concern in issue (in this case the Conduct of Concern) and to consider whether such contravenes any IPP (in this case) and, if so, determine what action(s), if any, should be taken by the agency, the Respondent in this case. The Tribunal's role is not to review the findings of the internal review decision as detailed in the report (i.e. the Internal Review Decision in this case): DED v Randwick City Council [2017] NSWCATAD 327 at [51].

20. Often the internal review decision of an agency can assist the Tribunal's considerations but the Tribunal must consider the conduct of concern afresh, based on the evidence and material before it at the time of the hearing: Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 and KT v Sydney Local Health Network [2011] NSWADT 171.

The PPIP Act

29. Part 5 of the PPIP Act makes provision for review of certain ‘conduct’ of a public sector agency. Section 52(1)(a) PPIP Act in Part 5 sets out the ‘conduct’ to which the Part applies and includes ‘conduct’ that contravenes, or is alleged to contravene, an IPP that applies to the public sector agency. The IPPs relate to the collection (ss 8-11 PPIP Act, IPPs 1-4), retention and security (s 12 PPIP Act, IPP 5), access (ss 13-14 PPIP Act, IPPs 6-7), alteration (s 15 PPIP Act, IPP 8), accuracy (s 16 PPIP Act, IPP 9), use (s 17 PPIP Act, IPP 10) and disclosure (ss 18 and 19 PPIP Act, IPPs 11-12) of personal information by a public sector agency.

30. It is not in dispute that the IPPs and the PPIP Act apply to the Respondent and that the Respondent must comply with them.

31. Section 53 PPIP Act makes provision for internal review of conduct falling within the circumstances set out in s 52 PPIP Act and s 55 PPIP Act makes provision for a person to apply to the Tribunal for administrative review, under the ADR Act, of that conduct if the person has made an application for internal review under section 53 and is not satisfied with the findings of the review or the action taken by the public sector agency in relation to that application.

32. On reviewing the conduct of the relevant agency, the Tribunal may decide not to take any action on the matter (s 55(2) PPIP Act) or it may make one or more of the orders described in s 55(2)(a)-(g) PPIP Act. These include under s 55(2)(a) PPIP Act, subject to certain exceptions, an order requiring the agency “to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct”.

33. Personal information is defined in s 4 of the PPIP Act to mean, subject only to certain exclusions, “information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion” (emphasis added).

34. I will now briefly deal with each of IPPs 5 and 11 (ss 12 and 18 PPIP Act) which were raised in the submissions of the Respondent as relevant obligations of the Respondent for consideration by the Tribunal in this case (Respondent Raised IPPs). The Respondent also raised s 17 PPIP Act/IPP 10 but the Tribunal did not consider this because, as pointed out by the IPC in the IPC Submissions, IPP 10 (use) is not relevant in these circumstances.

35. For the reasons noted below, the Respondent Raised IPPs are the most relevant to the Applicant’s allegations in these proceedings that, by the Conduct of Concern, the Respondent has breached the IPPs in relation to the Applicant’s personal information.

IPP 5 - Security

36. Section 12 PPIP Act (IPP 5) relates to the security of personal information. A public sector agency that holds personal information must ensure, most relevantly:

“…

(c)  that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and…”

37. The Applicant bears the burden of adducing some evidence to suggest that appropriate measures were not taken to protect their personal information as required by IPP 5. However, this burden is not high because the knowledge of how the information in question is protected and what security safeguards are in place is held by the agency (i.e. the Respondent in this case). Common sense therefore dictates that the party which has relevant information in their possession should put that information before the Tribunal. Further, if the facts are mostly within the knowledge of one party to an issue, a failure by that party to produce evidence as to those facts may lead to an unfavourable inference being drawn by the Tribunal.

38. The Information Privacy Commissioner in “Privacy NSW, A Guide to the Information Protection Principles, 1999” (Guide) states that the appropriate level of security required will depend on the nature of the information. At page 17 of the Guide the IPC notes that "if information is extremely sensitive or likely to find an illicit market it should receive more comprehensive protection". The Tribunal followed this approach in ALZ v Workcover NSW (No 2) [2014] NSWCATAD 122 at [32] and has continued to apply it to date.

IPP 11 - Disclosure

39. Section 18 of the PPIP Act (IPP 11) provides, most relevantly based on the Respondent’s submissions:

“Limits on disclosure of personal information

(1)  A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) …, unless—

(a)  the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b)  the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or …”

Considerations

The Internal Review Decision and the options available to the Tribunal

40. In this case, in part due to the apparent failure of the Respondent to fully address the IPC Submissions, the Internal Review Decision is of little assistance to the Tribunal. In such circumstances the Tribunal has the option of referring the Internal Review Decision back to the Respondent to reconsider the Internal Review Application based on direction from the Tribunal and to document its internal review decisions in accordance with the requirements of ss 53(5) and (8) PPIP Act, as discussed in EEC v Federation Council [2020] NSW CATAD 169 at [32]. 

41. However, in applying the guiding principle in s 36 CAT Act and considering the Applicant’s advanced years and rapidly deteriorating health, I have decided not to further delay the consideration of the real issues as between the parties in these proceedings by referring the Internal Review Decision back to the Respondent. That is, in accordance the guiding principle in s 36 CAT Act, I have decided to proceed to make a decision in these proceedings based on the material placed before the Tribunal by the parties. 

42. As noted by the Appeal Panel in Insurance and Care NSW v EEH [2021] NSWCATAP 350:

"[22] … The Tribunal at first instance was conducting an administration review. It was entitled to assume that the agency, which was under an obligation to cooperate with the Tribunal to give effect to the guiding principle of the Civil and Administrative Tribunal Act 2013 that the just, quick and cheap resolution of real issues in the proceedings be facilitated, had placed all relevant material before it …

[61] …Parties, particularly agencies, should come to the hearing of a matter prepared to adduce all of their evidence and make all of their submissions in relation to the matters in issue in the proceedings."

The evidence as to disclosure

43. The Applicant noted that she was not entirely sure if Mr Sheehan had visited the neighbour just prior to the neighbour’s outburst and, if so, whether at that time Mr Sheehan disclosed the Applicant Personal Information or if the alleged disclosure had occurred some time earlier and, for whatever reason, the neighbour’s alleged behaviour only occurred later in the lead up to the Christmas 2023 period.

44. Mr Sheehan’s evidence is that he cannot recall visiting the Applicant’s neighbour in the lead up to Christmas 2023 but that he may have. Mr Sheehan states that the neighbour would have been told by the Respondent about any and all complaints, as and when made, to ensure there is natural justice. Mr Sheehan’s evidence is that if he did visit and tell the neighbour about the Applicant’s complaints in the lead up to the Christmas 2023 period that he knows not to disclose the name of the Applicant to the neighbour as the person who complained about the neighbour.

45. However, Mr Sheehan’s evidence is that he did send the Applicant’s neighbour an email on 11 September 2023, a copy of this email is attached to Mr Sheehan’s affidavit. In this email Mr Sheehan states:

“Council continues to receive complaints about your residing in an incomplete dwelling without any occupation certificate (Refer to Council’s email of 17/4/23). Council has been more than patient & accommodating to date, in allowing you ample time to complete your development in accordance the terms of consent and is now considering the issue of a Development Control Order upon you to facilitate the completion of this development.”

Threshold issues

46. There is no evidence that the Respondent expressly informed the Applicant’s neighbour of the Applicant’s name as the individual who had made a complaint about the neighbour to the Respondent. It was established by the evidence, however, that the Respondent did inform the Applicant’s neighbour in September that complaints had been made and were continuing to be made about the neighbour’s alleged occupation of a non-approved building on site and the neighbour’s development application (Complaint Information). Therefore, two threshold issues arise for determination, whether: (a) in this case the Complaint Information is the personal information of the Applicant under the PPIP Act (i.e. is it the Applicant Personal Information), discussed from [47] below; and (b) if the Applicant’s neighbour knew that, at some time in the past, the Applicant had made a complaint about the neighbour, would this impact if any disclosure of the Applicant Personal Information by the Respondent to the neighbour as part of the Conduct of Concern which is the subject of this External Review Application was in breach of IPP 11, discussed from [56] below?

Is the Complaint Information the personal information of the Applicant?

47. The definition of personal information (see [33] above) is clear. If the individual’s identity ‘can reasonably be ascertained from the information or opinion’ then such information or opinion will be the personal information of that individual pursuant to and for the purposes of the PPIP Act and IPPs. That is, even if the individual is one of a few individuals identified as to whom that information or opinion could relate and even if the neighbour ‘wrongly’ associated that information with the Applicant.

48. Mr Sheehan’s evidence in his affidavit is that the ‘houses’ on the properties of the Applicant and the neighbour were 17m apart and “are the only two houses within the vicinity”. Also, the Applicant submitted that there were very few properties nearby to her property other than the Applicant’s neighbour in question and, as at Christmas 2023, the Applicant’s neighbour and the Applicant were the only occupied buildings in the vicinity. No submissions or evidence to the contrary were put before the Tribunal by the Respondent.

49. Referring to and quoting from GFX v Secretary Department of Communities and Justice [2024] NSWCATAD 322, the Respondent submitted that the Tribunal must undertake a two-stage process to determine if information which is not obviously about an individual (presumably, where such is not evident from the information itself) is personal information under the PPIP Act. The first stage is to determine if the information is of the type that could theoretically be about an unnamed or non-identified individual. Only if this is the case should the Tribunal then move to the second stage of the process, to determine whether that information can be “married with other information to identify a particular individual”.

50. I am satisfied that the Complaint Information meets the first stage of this analysis, it is about an individual and possibly two individuals, even if that particular individual or individuals are not immediately clear solely from the Complaint Information itself. The fact a complaint has been made by an individual and the content of that complaint is information or an opinion about that individual complainant. At the very least, the complaint details what the individual believes and what action has been taken by that individual in relation to such belief. Where the subject of the complaint is also an individual (as in this case) the information or opinion is also personal information about the subject of the complaint. It details that the subject individual has (allegedly) done something wrong or not in compliance with requirements. Therefore, having satisfied the first stage of this process, I turn now to consider the second stage of the Respondent’s submitted two-stage process.

51. In AIN v Medical Council of New South Wales [2017] NSWCATAP 23 at [112] the Appeal Panel noted that the definition of personal information in the PPIP Act is broad and is to be interpreted broadly. The Full Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 found at [64], in applying the then very similar definition of 'personal information' in the Privacy Act 1988 (Cath), that:

“… Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not 'about an individual' it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.” [emphasis added]

52. In The Office of Finance and Services v APV and APW [2014] NSWCATAP 88 the Appeal Panel held that:

“[58] The primary focus or purpose of the legislation is to protect the privacy interests of persons about whom public sector agencies collect information: Director General, Department of Education and Training v MT (2006) 67 NSWLR 237; [2006] NSWCA 270 (29 September 2006) Spigelman CJ (with whom Ipp JA and Hunt AJA agreed) at [29]. Because the PPIP Act is beneficial legislation, it must be interpreted liberally to achieve its beneficial purpose: [49]-[50]. …

[70] While the AAT decisions relate to the operation of the definition of "personal information" in an exemption to the FOI Act, the Appeal Panel of the Administrative Decisions Tribunal has used similar reasoning in relation to the PPIP Act. One issue for consideration in WL v Randwick City Council [2007] NSWADTAP 58 was whether photographs of the inside of a home unit taken by Mr Kerr, a compliance officer employed by the Council, was "personal information" about the owner. The Appeal Panel held at [15] - [16] that:

[15] Documents which themselves do not contain any obvious features identifying an individual may take on the quality by virtue of the context to which they belong. We accept that the photographs of building works, without more, might not reasonably be said to contain 'information ... about an individual whose identity is apparent or can reasonably be ascertained from the information'. However, if the photographs were taken in circumstances where the identity of the owner of the property was known to the photographer, it might at least be arguable that the photographer (and the organisation to which he or she belonged) knew that the photographs recorded the condition of a property owned by a specific individual. This combination of factors might produce the conclusion that the information as a whole was information to which s 4(1) applied.

[16] Even if Mr Kerr did not know at the time who owned the property, he quickly proceeded to obtain that information from the Council files, in order to take the enforcement steps. It is strongly arguable that by this point the photographs formed part of a body of information which amounted to 'information ... about an individual whose identity is apparent or can reasonably be ascertained from the information'. …

[73] This case concerns a situation where the information - an address, photographs of the interior of a home, the floor plan and interior design features, could be linked to the homeowners' names. …”

53. In EFL v Secretary, Department of Education [2020] NSWCATAD 239, Senior Member Starke concludes, in summarising prior decisions, that:

“[58] In determining whether or not information is “personal information”, context may be important: WL v Randwick City Council [2007] NSWADTAP 58 at [15]; CWI v The University of New South Wales, [2018] NSWCATAD 12 at [78]. This is because documents which do not contain any obvious features identifying an individual may take on that quality by virtue of the context to which they belong: WL v Randwick City Council [2007] NSWADTAP 58 at [15].”

54. In the circumstances of this case, where the Applicant’s neighbour had few other neighbours and only one other neighbour occupying their property at that time, the Applicant, it is ‘reasonably ascertainable’ from the Complaint Information and the context (i.e. the circumstances of this case) that the Applicant made or likely made the relevant complaint.

55. I am satisfied that the Complaint Information is information about at least one individual and the Applicant is reasonably ascertainable from the Complaint Information and, as such, the Complaint Information is the personal information of the Applicant (i.e. the Complaint Information is also the Applicant Personal Information).

IPP 11: Did the neighbour already know the Applicant Personal Information

56. It was not established by the evidence that Mr Sheehan visited the Applicant’s neighbour in the lead up to Christmas 2023 and, at that time, told the neighbour that someone had complained about the neighbour and the nature of that complaint. However, Mr Sheehan’s evidence is that the Applicant’s neighbour would have been told by the Respondent about all complaints made relating to their property, development application and occupation of the building on site. This was the Respondent’s policy and there was no reason to suspect it was not followed in this case.

57. Further, Mr Sheehan’s evidence includes, as an attachment to his affidavit, an email he sent to the Applicant’s neighbour in September 2023 (see [45] above) in which Mr Sheehan clearly informs the Applicant’s neighbour that relevant complaints about them continue to be received by the Respondent.

58. The terms of IPP 11 are clear, the Respondent must not disclose the personal information of an individual (in this case the Applicant Personal Information) to another person or body unless any of the exceptions (a) to (c) of s 18 PPIP Act or any other exemption under the PPIP Act apply exempting the Respondent from complying with IPP 11 (i.e. the prohibition on disclosure) in relation to the Applicant Personal Information.

59. The Respondent expressly states in its written submissions that it “does not submit that any exemptions in s 18 or Part 2 Division 3 apply in the circumstances”.

60. I am satisfied on the material before the Tribunal that there has been a disclosure by the Respondent to the Applicant’s neighbour of the Applicant Personal Information, contrary to the prohibition on disclosure in IPP 11 and the stated policy of the Respondent relating to such complaints and their handling by the Respondent.

61. Although it was not clear exactly when and in relation to what, referring to the Applicant’s documents, the Respondent submitted that the Applicant had previously informed her neighbour that some years before she had enquired and/or complained about the neighbour’s occupation of the shed on site. However, the fact that the Applicant’s neighbour knew that the Applicant had previously made a complaint of some description to the Respondent, this does not lead to the conclusion that the neighbour was aware of the Applicant Personal Information in this case.

56. Knowing about a prior complaint does not equate to the neighbour, at Christmas time 2023, being aware of the Applicant Personal Information before its disclosure to them by the Respondent. The ‘prior knowledge’ exception as applied by the Tribunal in relation to disclosure is limited to circumstances where the specific personal information in question (the Applicant Personal Information in this case) is already known by the recipient, not that the recipient knows that the individual has in the past acted in a similar way (i.e. made a complaint). The recipient (the Applicant’s neighbour in this case) must already be aware of the specific personal information the subject of the ‘disclosure’ in question, not just of a prior similar course of action or activity of the Applicant, in order for this exception to IPP 11 to apply.

57. Given the evidence presented to the Tribunal, the Respondent’s submissions and admissions including that disclosure of the Applicant’s personal information to the neighbour would breach IPP 11, that the Applicant Personal Information was disclosed by the Respondent to the Applicant’s neighbour and my findings in [60] above, I am satisfied that the Conduct of Concern occurred and this was a breach of IPP 11 by the Respondent.

IPP 5: Taking reasonable security safeguards

64. As noted in [36] above, s 12(c) PPIP Act (IPP 5) requires that the Respondent (in this case) must protect the information it holds, including by taking such reasonable ‘security safeguards’ in the circumstances against, among other things, unauthorised disclosure ‘and against all other misuse’.

65. While ‘security safeguards’ are not defined in the PPIP Act, the obligation in IPP 5(c) has been interpreted and applied by the Tribunal and its predecessors as requiring agencies to implement a combination of administrative, technical and physical measures that ensure the confidentiality, privacy and security of personal information and to prevent its inappropriate use and disclosure.

66. In this case, given the stated policies of the Respondent to both (a) inform the subject of a relevant complaint when such a complaint has been made and (b) not to disclose the name and personal information of the complainant in relation to their complaint, there is an obligation under IPP 5(c) for the Respondent to consider all of the circumstances relating to the providing of the Complaint Information to the Applicant’s neighbour (in this case). This consideration by the Respondent must assess what reasonable security safeguards, if any, must be taken in the circumstances while satisfying the Respondent’s policy that those subject of a complaint be alerted to the nature of the concerns raised by such complaints. The Respondent could reconsider how and of what it informs the subjects of complaints in circumstances similar to this case. Perhaps, if reasonable in the circumstances, only referring to the substance of the complaint as a concern of the Respondent or something the Respondent needs to confirm, without specifying it’s a complaint the Respondent has received. In this case, where the complainant is reasonably ascertainable from the Complaint Information and therefor it is personal information of the complainant, the Respondent is required by IPP 5 to assess what security safeguards, if any, are reasonable in the circumstances and therefore must be taken to protect the personal information of the complainant, in this case the Applicant Personal Information.

67. The evidence of the Respondent is that it always provides details of each complaint to the subject of the complaint in the same way, noting that it is a complaint received by the Respondent, irrespective of the circumstances of the relevant complaint and the complainant. That is, the Respondent has not considered and in this case did not consider if this is appropriate or what, if any, reasonable safeguards it should take to protect the complainant’s personal information where, in circumstances such as in this case, the complaint information is the personal information of the complainant.

68. In this case, the Respondent’s admitted failure to consider, let alone implement, any reasonable safeguards necessary to protect the Applicant Personal Information from the type of unauthorised disclosure as occurred in this case is a breach of IPP 5.

69. This breach of IPP 5 by the Respondent not only affects the Applicant in this case but the evidence of the Respondent shows a systemic issue which is likely to have and will continue to negatively impact other relevant complainants to the Respondent in similar circumstances to the Applicant in this case where the information about their complaint is their personal information which may continue to be disclosed to the subject of the complaint by the Respondent contrary to IPP 11.

Consideration of systemic issues

70. The Tribunal’s role is to review certain conduct (in this case the Conduct of Concern) rather than merely determining whether there has been a contravention of the PPIP Act by the agency (in this case the Respondent). However, the Tribunal may look at systemic issues concerning compliance with the PPIP Act, the IPPs and an agency’s culture with respect to privacy issues in considering the context in which the Conduct of Concern occurred. 

71. As concluded in BKM v Sydney Local Health District [2015] NSWCATAD 87 (BKM) at [45], it is clear that where the evidence following a review of conduct indicates a need the Tribunal can examine systemic issues when considering what actions to take generally under section 55 (2) (g) or to enliven aspects of section 55 (2) (c ) and (e) of the PPIP Act.

72. The case of MH v NSW Maritime [2011] NSWADT 248 (MH) at [24] makes the following observations in respect of the relationship between the systemic issues and the specific conduct complained of by an applicant and how they might be considered when looking to make an order under section 55 (2) following such a review:

“[24] As the Privacy Commissioner observed in his submissions, at [14] –

It is clear that the hearing of the matter has of necessity looked into the background of the environment within the Respondent Agency as it relates to privacy matters and the handling of personal information.

The evidence relating to those matters has led to both MH and the Privacy Commissioner making submissions addressing wider 'systemic issues' concerning the agency's compliance with IPPs, its Privacy Management Plan, and the knowledge, understanding and implementation of privacy principles, policies and practices within the agency. The Privacy Commissioner expressed the view that -

... the proceedings highlight a general lack of knowledge, understanding, or compliance with the statutory obligations of the Agency as identified under the PPIP Act .

[25] In my opinion the wider systemic issues within the agency form part of the background or context in which the conduct that MH complains of occurred. They are not of themselves the conduct about which MH is aggrieved, but form part of the organizational environment in which the conduct occurred. They do not fall within the scope of his internal review, reasonably construed, because they do not directly relate to the conduct complained of. They do not relate to specific breaches of IPPs or of a Privacy Code of Conduct, but embrace wider issues concerning compliance with the Act and the agency's culture with respect to privacy issues. They are, nonetheless, relevant to the Tribunal's consideration of the conduct in issue, as they set, in part, the context in which the conduct occurred, and inform my decision making accordingly. Addressing systemic issues which contribute to a finding of conduct in breach of the IPP's may be a relevant factor for the Tribunal when considering what orders should be made under s 55(2).”

73. Addressing systemic issues which contribute to a finding of conduct in contravention of the IPPs is a relevant factor for the Tribunal when considering what orders should be made under s 55(2) of the PPIP Act (MH at [25]). This principle was followed in BMK.

74. In BKM at [44] the Tribunal noted “many dozens of instances” in which the Tribunal has, following a privacy review, made orders “concerning the systemic nature of an information practice/system or in respect of administrative practices relating to privacy policies, training, practices and procedures, and general education of staff within the agency”.

75. At [46] of BKM the Tribunal also noted:

“Those examples are in addition to but sometimes include cases where damages were ordered, or positive findings of breaches were made.”

76. The principle in MH with respect to examining systemic issues was also explicitly followed in DSG v Department of Education [2019] NSWCATAD 182 at [102] and, most recently, in EIG v North Sydney Council [2021] NSWCATAD 66at paragraphs [81] to [83].

77. Given the Respondent’s evidence and admissions that it did not in this case and has not otherwise considered: (a) that the Complaint Information could be personal information in these circumstances; or (b) any security safeguards to protect the personal information of complainants in these circumstances, I am satisfied that there are systemic privacy compliance issues within the Respondent relating to the Conduct of Concern and my findings of the Respondent’s failure to comply with IPPs 5 and 11 and that these issues and breaches are likely to continue in relation to similar future conduct of the Respondent. These are, in my view, matters on which orders relating to systemic issues and ancillary orders are appropriate. 

Damages for distress

78. As noted in Vice-Chancellor, Macquarie University v FM (No 2) [2004] NSWADTAP 61 at [19]:

"Ordinarily where a breach is demonstrated, some sanction should be applied to the agency: …"

79. While the Applicant submitted that she had suffered significant harm, including to her property, no detailed evidence of such caused by the Conduct of Concern was provided to the Tribunal by the Applicant. However, from her submissions and appearance before the Tribunal it is clear to me that the Applicant was caused significant distress by the Conduct of Concern and the Respondent's breaches of IPPs 5 and 11. As noted in CJU v SafeWork NSW [2018] NSWACATAD 300 at [117], damages for "mere distress" are a recoverable psychological harm. In the absence of any substantial evidence of the psychological harm caused to the Applicant by the Conduct of Concern, such as a medical certificate, there is a limit to the amount of damages the Tribunal should award for distress caused by the Conduct of Concern.

80. I am satisfied that, on the material before the Tribunal, the Applicant was caused significant distress over a prolonged period over Christmas 2023 caused by the Conduct of Concern and the Respondent's breaches of IPPs 5 and 11.

Conclusion and orders

81. For the reasons noted above and on the material before the Tribunal I have decided to set aside the Internal Review Decision and, in substitution for that decision, I find that the Conduct of Concern occurred and the Respondent breached ss 12 and 18 PPIP Act (IPPs 5 and 11) and make the following orders.

Orders:

1. The Respondent’s decision that there was no breach of s 18 of the Privacy and Personal Information Protection Act 1998 (NSW) (IPP 11) is set aside and, in substitution for it, I find that the Respondent breached ss 12 and 18 of the Privacy and Personal Information Protection Act 1998 (NSW).

2. Within fourteen (14) days of the date of these Reasons for Decision, the Respondent is to provide to the Applicant an unreserved formal written apology signed by the Mayor of Lithgow City Council addressing and apologising for (a) the Respondent's contraventions of IPPs 5 and 11 identified in these Reasons for Decision and (b) all harm and the significant distress and intimidation suffered by the Applicant caused by and resulting from the Conduct of Concern and the Respondent’s breaches of APPs 5 and 11.

3. Within fourteen (14) days of the Applicant providing to the Respondent her bank account details, the Respondent is to pay the Applicant $8,000 as compensation for the significant and prolonged distress suffered by the Applicant caused by and resulting from the Conduct of Concern and the Respondent’s breaches of IPPs 5 and 11.

4. Within fourteen (14) days of the date of these Reasons for Decisions the Respondent is to perform IPPs 5 and 11 in relation to all personal information of the Applicant held by the Respondent, including by implementing such:

1. training, awareness raising and safeguards; and 

2. administrative measures,

necessary to ensure the Respondent will implement reasonable security safeguards in the circumstances to protect the Applicant’s personal information held by the Respondent and only disclose the Applicant’s personal information held by the Respondent in compliance with IPP 11, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 which is applicable in the circumstances.

5. Within sixty (60) days of the date of these Reasons for Decisions the Respondent is to perform IPPs 5 and 11 in relation to all personal information held by the Respondent in relation to all complaints made to the Respondent, including by implementing such:

1. training, awareness raising and safeguards; and 

2. administrative measures,

necessary to ensure the Respondent will implement reasonable security safeguards in the circumstances to protect all personal information in such complaints held by the Respondent and only disclose personal information in such complaints held by the Respondent in compliance with IPP 11, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 which is applicable in the circumstances.

6. Within 7 days of fully complying with Order (4) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

7. Within 7 days of fully complying with Order (5) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the New South Wales Civil and Administrative Tribunal.

Registrar

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.

Registrar

Decision last updated: 08 May 2025