EMF v Cessnock City Council

[2021] NSWCATAD 219

27 July 2021

Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: EMF v Cessnock City Council [2021] NSWCATAD 219
Hearing dates: 28 May 2021
Date of orders: 27 July 2021
Decision date: 27 July 2021
Jurisdiction: Administrative and Equal Opportunity Division
Before: A Christie, Senior Member
Decision:

(1) The decision of the Respondent is set aside.

(2) Within 30 days of the date of these Reasons for Decision the Respondent is to provide an unreserved written apology to the Applicant addressing and apologising for the Respondent’s breaches of IPPs 3 and 10 as identified in these Reasons for Decision and for all distress and harm caused to the Applicant as a result of such.

(3) Within 180 days of the date of these Reasons for Decisions the Respondent is to:

(a) perform IPP 3 by implementing such measures as are reasonable in the circumstances to ensure IPP 3 compliant notices are issued in relation to all personal information collected by the Respondent,

(b) amend the Privacy Statement to be (and keep it) consistent with all IPP 3 notices issued,

(c) ensure all IPP 3 notices and the Privacy Statement clearly state any rights or exceptions under the Privacy Code of Practice for Local Government or other law or code the Respondent will rely on to permit other uses of information collected by it,

(d) perform IPP 10 by implementing such measures necessary to ensure that no personal information collected by the Respondent is used other than for the lawful purpose(s) of collection unless either consented to by the individual whose personal information it is or such is permitted by a right or exception noted in an IPP 3 notice in accordance with (a) and (c) above, and

(e) implement such administrative measures necessary to ensure that the conduct of concern the subject of these proceedings will not occur again.

(4) The measures implemented in accordance with Order (3) must specifically address the Respondent’s position as to information submitted to it in confidence and when and in what circumstances any personal information marked confidential collected by the Respondent may be used for purposes other than that for which it was lawfully collected.

(5) The Respondent is to amend the Privacy Management Plan to reflect the measures implemented in accordance with Order (3) above.

(6) Pursuant to s 54 Privacy and Personal Information Protection Act 1998, within 30 days of the Applicant providing their bank account (or other acceptable payment method) details to the Respondent, the Respondent is to pay the Applicant $30,000 as compensation for the harm suffered by the Applicant as a result of the Relevant Conduct of Concern.

(7) Under s 64(1) of the Civil and Administrative Tribunal Act 2013 the disclosure of the Applicant’s name or of material that identifies the Applicant or is likely to lead to the Applicant’s identification is prohibited.

Catchwords:

ADMINISTRATIVE LAW – privacy – review of conduct of agency and if in contravention of IPP 3 and/or IPP 10 – reasonable steps to notify an IPP 3 compliant notice before or after collection – impact of contrary statement in Privacy Statement and collecting information in confidence on right given to Councils under clause 4.11(1) of the Privacy Code of Practice for Local Government to use information for other purposes – assessing causation and amount of damages for psychological harm under s 54 PPIP Act

Legislation Cited:

Administrative Decisions Review Act 1997 (NSW)

Civil and Administrative Tribunal Act 2013 (NSW)

Health Records and Information Privacy Act 2002 (NSW)

Local Government Act 1993 (NSW)

Privacy and Personal Information Protection Act 1998 (NSW)

State Records Act 1998 (NSW)

Cases Cited:

ALZ v WorkCover NSW [2014] NSWCATAD 49

ALZ v SafeWork NSW (No 2) [2016] NSWCATAD 121

ALZ v SafeWork NSW [2017] NSWCATAP 51

AOZ v Rail Corporation NSW [2014] NSWCATAP 76

AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179

APV v Department of Finance and Services [2016] NSWCATAD 168

AQK v Commission of Police, NSW Police Force [2014] NSWATAD 55

BKM v Sydney Local Health District [2015] NSWCATAD 87

CBL v Southern Cross University [2018] NSWCATAD 97

CBL v Southern Cross University [2018] NSWCATAP 236

CJU v SafeWork NSW [2018] NSWCATAD 300

CPJ v The University of Newcastle [2017] NSWCATAD 350

DQU v University of New England [2020] NSWCATAD 226

DRX v City of Canada Bay Council [2020] NSWCATAD 26

DSC v South Eastern Sydney Local Health District (No. 2) [2019] NSWCATAD 216

DSG v Department of Education [2019] NSWCATAD 182

EIG v North Sydney Council [2021] NSWCATAD 66

EMF v Cessnock City Council [2021] NSWCATAD 83

EQ v Office of the Australian Information Commissioner (Freedom of Information) [2016] AATA 785

GA v Department of Education & Training (No 2) [2005] NSWADT 119

GR v Department of Housing [2003] NSWADT 268

JD v NSW Medical Board (No. 2) [2006] NSWADT 345

KJ v Wentworth Area Health Service [2004] NSWADT 84

March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506

MH v NSW Maritime [2011] NSWADT 248

NX v Office of the Director of Public Prosecutions [2005] NSWADT 74

NZ v NSW Department of Housing [2006] NSWADT 173

RD v Department of Education and Training [2005] NSWADT 195

SW v Forests NSW [2006] NSWADT 74

WT v Auburn Council [2007] NSWADT 253

ZR v Department of Education and Training (GD) [2010] NSWADTAP 75

Texts Cited:

Nil

Category: Principal judgment
Parties: EMF (Applicant)
Cessnock City Council (Respondent)
Representation: Solicitors:
Applicant (Self Represented)
Respondent (Self Represented)
File Number(s): 2020/00358935
Publication restriction: Under s 64(1) of the Civil and Administrative Tribunal Act 2013 (NSW) the disclosure of the Applicant’s name or of material that identifies the Applicant or is likely to lead to the Applicant’s identification is prohibited.

REASONS FOR DECISION

Introduction

  1. The Applicant applied to the Tribunal under s 55 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) for an administrative review of certain conduct of concern of the Respondent which had been the subject of an Applicant’s request under s 53 of the PPIP Act for an internal review by the Respondent.

  2. The Applicant’s complaint dated 10 April 2020, addressed to the General Manager of the Respondent, was marked “confidential”, referred to the Respondent’s code of conduct and to certain officers of the Respondent and was received by the General Manager of the Respondent on 17 April 2020 (Complaint). The Complaint alleged several breaches of the Respondent’s code of conduct relating to various breaches by the relevant officers of the Respondent of their obligations under the PPIP Act, the Information Privacy Principles (IPPs) and the Code of Practice for Local Government (LG Code of Practice) and the Local Government Act (1993) (LGA).

  3. The General Manager did not “accept” the Complaint as a code of conduct complaint but determined, without contacting the Applicant, that the Complaint was to be handled as a complaint about privacy under the PPIP Act. Based on that determination the Complaint was provided to the Respondent’s staff for action as a privacy complaint. In a letter dated 21 April 2020 from Mr Maginnity (the Public Officer of the Respondent who was provided with the Complaint), the Respondent noted receipt of the Complaint. The Applicant responded by letter dated 27 April 2020 asking, effectively, why Mr Maginnity was dealing with the Applicant’s confidential code of conduct complaint.

  4. Despite the Applicant’s letter dated 27 April 2020, in an outcome letter dated 4 May 2020 Mr Maginnity, on behalf of the Respondent, informed the Applicant that he was not satisfied, in relation to the Applicant’s “privacy complaint”, that the Respondent failed to comply with the IPPs in respect of the Applicant’s personal information related to the Complaint.

  5. By a letter dated 30 September 2020 (received by the Respondent on 2 October 2020) the Applicant asked for an internal review by the Respondent (IR Request) alleging that the Applicant’s personal information related to the Complaint, including the Applicant’s “personal political opinions”, had been improperly disclosed, accessed and/or used by the Respondent by the Respondent’s alleged conduct of concern. In particular, based on the Applicant’s belief that the Complaint would be classified as unsolicited information, the Applicant alleged the Respondent failed to comply with ss 12, 18 and 19 PPIP Act (IPPs 5, 11 and 12).

  6. In the application to the Tribunal for administrative review dated 17 December 2020 (AR Application) the Applicant states that the basis for the Tribunal’s jurisdiction to hear the AR Application is that the Respondent had “failed to respond [i.e. make a decision] within required time (deemed refusal)” to the IR Request.

  7. Notwithstanding the AR Application, the Respondent’s internal review decision was communicated to the Applicant in a letter dated 17 December 2020 (IR Decision). The IR Decision determined that the Respondent had complied with all IPPs in handling the Applicant’s personal information related to the Complaint. The Respondent also contends that the IR Decision was completed within the timeframe required under s 53(6) of the PPIP Act and that it was provided to the Applicant within the timeframe specified in s 53(8) of the PPIP Act.

  8. The hearing was held on 28 May 2020 by telephone (Hearing).

  9. In these Reasons for Decision the name of the Applicant has been anonymised to “EMF”.

Background

Previous proceedings

  10. It is important background to this matter to understand that these parties were recently involved in earlier and related events which resulted in external administrative review by the Tribunal in EMF v Cessnock City Council [2021] NSWCATAD 83 (EMF1). The conduct of concern and issues arising for determination in these proceedings are different to those in EMF1 but are related to those earlier events and the conduct dealt with in EMF1.

  11. In EMF1 Senior Member Starke details the circumstances giving rise to the earlier events and conduct, including an earlier internal review by the Respondent, and there is no need to re-address them here in any detail. However, it is important to the consideration in these proceedings to understand some of the relevant behaviours and lessons addressed by Senior Member Starke in EMF1, especially when considering if systemic issues may affect the Respondent.

  12. In EMF1, EMF sent an email to the Mayor of Cessnock contemporaneously with the Respondent’s request for submissions and comments on a proposed revision to the “Draft Cessnock Local Strategic Planning Statement” (Draft Plan). EMF’s email dated 20 January 2020 sent to the Mayor was, as acknowledged in EMF1, intended by EMF only for the Mayor and made various complaints about officers and staff of the Respondent involved in and relating to the Draft Plan (EMF’s 20/01/20 Email).

  13. In EMF1 the Council acknowledged that the subject line of the EMF’s 20/01/20 Email should have alerted the Mayor and, especially if the Mayor had read the contents of the email before forwarding it on, it would have been understood that EMF’s 20/01/20 Email was not a public response to the Draft Plan. Rather, EMF’s 20/01/20 Email was a complaint intended by EMF for the Mayor only. The Mayor, however, forwarded EMF’s 20/01/20 Email on to members of staff of the Council (including those who were the subject of complaints in the email) believing it to be a submission or a comment on or response to the Draft Plan (EMF1 Relevant Conduct).

  14. EMF was unsuccessful in EMF1 in establishing that the EMF1 Relevant Conduct resulted in any failure of the Council to comply with the IPPs. However, Senior Member Starke did note in EMF1 that, at least in part, this was because EMF’s 20/01/20 Email was not clearly marked as ‘confidential’, ‘for the addressee only’ or otherwise such that there was an obvious and clear indication that EMF did not intend the email as a general response to or public comment on the Draft Plan to be dealt with in the ordinary course of the Draft Plan processes.

  15. In the current proceedings the conduct of concern alleged in the IR Request (and the subject of the AR Application) is the handling of the Applicant’s personal information in and related to the Complaint. The Complaint being a subsequent and separate complaint addressed to the General Manager of the Respondent alleging breaches of, among other things, the code of conduct of the Respondent arising from and relating to the Respondent’s prior handling of EMF’s 20/01/20 Email. That is, these proceedings are not a reconsideration of the alleged privacy infringements in relation to the Respondent’s handling of EMF’s 20/01/20 Email to the Mayor but, rather, are in relation to how the Applicant’s personal information related to a subsequent “confidential” “for address only” code of conduct complaint (i.e. the Complaint) made to the General Manager (about the Council’s handling of EMF’s 20/01/20 Email) was handled by the Respondent.

The Complaint

  16. On 17 April 2020 the Respondent received the Complaint, addressed to the General Manager in an envelope marked “Confidential – Attention of Addressee Only” alleging breaches of the Respondent’s code of conduct (among breaches of other laws and codes) by the Mayor, the Mayor’s Office, the Director of Planning and Environment and the Acting Principal Strategic Planner (Councillors/Officers).

  17. The Complaint is headed “REASONS FOR CONTACTING YOU AND NSW PRIVACY COMMISSIONER” and the opening paragraph of the Complaint states:

“I am writing to bring to your attention evidence of systemic and demonstrable disregard for Privacy Legislation and Policies that apply to Cessnock Council. The conduct engaged in also breaches your Council’s Code of Conduct and specific requirements of conduct imposed on all Councils by the LGA 1993.”

  18. The second paragraph of the Complaint states:

“This matter involves the Mayor, the Mayor’s Office, Cessnock Council’s Director of Planning and Environment and Council’s Acting Principal Strategic Planner. These are persons I can show by documentation to have definite involvement. Specific Code of Conduct complaints are made to you, concerning each person.”

  19. Throughout the Complaint the Applicant refers to the Respondent’s code of conduct and alleges specific failures by the Councillors/Officers to comply with the standards of conduct prescribed under that code constituting misconduct for the purposes of the LGA. The Applicant also cites various provisions of the LGA concerning the responsibilities of the Councillors/Officers with respect to overseeing the Respondent’s policies, including those relating to privacy. The Complaint also refers to the Respondent’s Privacy Management Plan (PMP) and the obligations imposed on the Respondent’s Officers and other staff in handling, disclosing and using personal information. EMF asserts in the Complaint that there were repeated failures by the Respondent to understand or comply with these obligations.

  20. As noted in [3], the General Manager did not “accept” the Complaint as a code of conduct complaint and, without contacting the Applicant, decided to treat the Complaint as a privacy complaint and, despite the ‘confidential’ and ‘addressee only’ wording on the envelope, provided the Complaint to the Respondent’s Public Officer to handle it as a ‘privacy complaint’. The Respondent’s Public Officer, Mr Maginnity, then sent a letter dated 21 April 2020 to the Applicant acknowledging receipt of the Applicant’s “privacy complaint”.

  21. In response to Mr Maginnity’s 21 April 2020 letter the Applicant wrote to Mr Maginnity in correspondence dated 27 April 2020 (which the Respondent submitted was received on 4 May 2020) questioning why the Public Officer was contacting the Applicant in relation to the Applicant’s confidential code of conduct complaint relating to the Councillors/Officers (i.e. the Complaint) addressed to the General Manager. In that 27 April 2020 letter the Applicant specifically notes that the Complaint was addressed to the General Manager in a registered post envelope that was clearly marked “Confidential – Attention of Addressee Only” and asks Mr Maginnity:

“Please explain why you have contacted me concerning detailed Code of Conduct complaints confidentially made by me, to Cessnock Council’s General Manager.

The General Manager should not have provided you with any confidential code of conduct complaints made by me, other than in accordance with the LGA. … [s440AA of the LGA and sections of the Respondent’s Complaint Handling Policy are then quoted].”

  22. Despite the Applicant’s letter dated 27 April 2020, in a letter dated 4 May 2020 Mr Maginnity advised the Applicant of the outcome of his investigation into the Applicant’s “privacy complaint” (4 May Outcome Letter).

The Respondent’s response to the “privacy complaint” (i.e. the Complaint)

  23. The 4 May Outcome Letter explains to the Applicant:

“In accordance with clause 4.2(d) of the Council’s Code of Conduct Procedures, your complaint was not accepted as a Code of Conduct complaint because it is a complaint about the conduct of a Council official arising from the exercise of their functions in good faith, …

I note clause 4.3 of the Code of Conduct Procedures states complaints that do not satisfy the definition of a code of conduct complaint are to be dealt with under Council’s routine complaints management processes. Considering your complaint is about privacy I have decided to address it as a privacy complaint in accordance with Council’s Privacy Management Plan.”

  24. The Public Officer found that the Complaint, which he had dealt with as a privacy complaint, was unsubstantiated because the Applicant had not “provided any evidence to demonstrate [the Applicant’s] personal information was improperly ‘accessed and used’ by Councillors and Council staff as you allege”. An additional basis stated for his decision in the 4 May Outcome Letter (although in my view more appropriate to either the events considered in EMF1 or the consideration of the Complaint as a code of conduct complaint) was that the Mayor’s action in forwarding EMF’s 20/01/20 Email to the Director of Planning was appropriate and necessary to ensure that Councillors pass on to the Respondent’s administration any views received from the community on the Draft Plan.

  25. The references in the 4 May Outcome Letter to the Mayor’s actions together with details about the civic duties of councillors and staff, the structure of the Respondent being divided into a governing body (i.e. councillors) and administration and the requirement for councillors to consult with administration in respect of the Draft Plan appear to me to be more appropriate to the consideration and determination of a code of conduct complaint, rather than a privacy complaint. This is especially so given that the privacy related aspects of these matters have already been the subject of and dealt with by an external review by the Tribunal in EMF1.

The IR Request

  26. The IR Request was received by the Respondent on 2 October 2020. The Applicant alleges in the IR Request that, among other things, their personal information in and related to the Complaint was accessed, used and disclosed by the Respondent in contravention of the IPPs and, in particular, in breach of ss 12, 18 and 19 PPIP (i.e. IPPs 5, 11 and 12).

  27. By letter dated 3 November 2020 Ms Darrylen Allan, the Respondent’s Manager Human Resources, informed the Applicant that the IR Request (i.e. internal) review would be undertaken by her. Ms Allan committed to conducting the internal review within 60 calendar days of receiving the IR Request and subsequently advising the outcome of the internal review within a further 14 days (i.e. the Applicant would receive the decision by 15 December 2020).

  28. On 11 November 2020, almost six (6) weeks after the IR Request, the Privacy Commissioner (IPC) was notified of the IR Request by the Respondent.

The IR Decision

  29. The IR Decision informed the Applicant of the outcome of the internal review of the Respondent’s conduct of concern detailed in the IR Request and set out the Respondent’s findings, reasons for those findings and the Respondent’s proposed actions. In summary, the Respondent’s internal review found no evidence that the Respondent had failed to comply with any of the IPPs in its handling of the Applicant’s personal information in or relating to the Complaint.

  30. In particular, in summary and most relevantly, the IR Decision finds/states (which are findings substantially relied on and repeated in the Respondent’s submissions):

(a)   On 17 April 2020 the Complaint was received, opened and captured in the Respondent’s electronic data management system Content Manager and provided to/accessible by, in addition to the General Manager, the Executive Assistant to the General Manager, Director Corporate and Community Services (Public Officer), Governance Coordinator and the Senior Legal Governance Officer and Records Officers.

(b)   The General Manager assessed the Complaint and did not accept it as a Code of Conduct complaint and it was delegated to the Public Officer to handle under the Respondent’s Complaint Handling Policy as a privacy complaint.

(c)   The internal review was focused only on the actions of the General Manager and Public Officer in handling the Complaint.

(d)   While the Complaint was addressed to the General Manager in a registered post envelope that was clearly marked “Confidential – Attention of Addressee Only”, there is no evidence the General Manager personally opened that envelope.

(e)   The personal information in the Complaint was collected for a lawful purpose directly related to the Respondent’s functions and activities.

(f)   IPPs 6 to 8 “access and accuracy” are not a factor (and were not considered) in the review.

(g)   The personal information in the Complaint may be used for the purpose for which it was collected.

(h)   It is accepted that the Respondent is required to use the information directly related to a purpose the Applicant would expect or for which the information was provided.

The AR Application

  31. The AR Application was filed with the Tribunal on 17 December 2020 with the Applicant citing that, as the trigger for filing for the AR Application, the “Agency has failed to respond within required time (deemed refusal).”

Issues to be determined

Preliminary issues

  32. The preliminary issues raised by (and which will be considered prior to addressing the real and substantive issues between) the parties are:

  1. Was the IR Decision within time (and does it matter for the AR Application)?

  2. Is the personal information in the Complaint ‘unsolicited information’ or was it ‘collected’ by the Respondent and what are the consequences of that answer in this case?

  3. What of the various matters and alleged failures to comply with and breaches of various codes and laws referred to in the AR Application can the Tribunal address in these proceedings? That is, what is the jurisdiction of the Tribunal in these proceedings relating to the AR Application?

The real and substantive issue

  33. The real and substantive issue between the parties to be determined in these proceedings, which will be addressed once the preliminary issues have been dealt with, is whether the Relevant Conduct of Concern resulted in the Respondent failing to comply with any of the IPPs or the LG Privacy Code.

  34. The relevant conduct of concern (as originally set out in the IR Request) is, in summary (Relevant Conduct of Concern):

  1. the failure to protect the Applicant’s personal information in the Complaint from unauthorised disclosure, access and/or use;

  2. the disclosure, use and/or access to the Applicant’s personal information in the Complaint without consent; and

  3. the disclosure of the Applicant’s restricted information (i.e. the applicant’s political opinions), without consent,

which conduct the Applicant claims contravenes, in particular, IPPs 5, 11 and 12. In addition, based on the IR Request and the Relevant Conduct of Concern, I have also considered ss 8, 10 and 17 PPIP Act (IPPs 1, 3 and 10) in determining if there has been any failure of the Respondent to comply with any of the IPPs in respect of the Relevant Conduct of Concern.

  35. The Respondent submits that the Relevant Conduct of Concern did not breach any of the IPPs in handling the Applicant’s personal information related to the Complaint. In particular, the Respondent asserts that it complied with IPPs 1, 2, 3, 4, 5, 9, 10, 11 and 12 and that IPPs 6-8 are not IPPs to be considered.

Evidence before the Tribunal

  36. In determining this matter I have had regard to the following evidence and submissions:

Written material filed on behalf of the Applicant

  1. The AR Application together with the attached documents, the “Information provided to comply with 15 March 2021 Order” submissions dated 7 April 2021 and all attached documents (Applicant Submissions) (marked “Exhibit A2”) and the “All evidence in reply to the Respondent’s 6 May 2021 submissions” and all attached documentation (Applicant Reply Submissions) (marked as “Exhibit A1”).

Written material filed on behalf of the Respondent

  1. Submissions from the Respondent dated 6 May 2021 and all attached documentation, except for the confidential document at tab 13 which was not admitted into evidence (Respondent Submissions) (marked as “Exhibit R1”).

Oral submissions

  1. The oral submissions made during the Hearing by the Applicant and the oral submissions made by Mr Maginnity (Director Corporate & Community Services/Public Officer of the Respondent) on behalf of the Respondent.

  37. For the most part the Respondent Submissions refer to, repeat and provide as submissions the findings of the IR Decision with supporting documentation.

  38. The Applicant’s submissions (including the detailed oral submissions) and the supporting documentation of Exhibits A1 and A2 expand on, detail and seek to fully establish the claims made in the IR Request and the AR Application. In addition, at pages 8 to 10 of the Applicant Submissions, the Applicant sets out the orders sought by the Applicant as, most relevantly and in summary, that the Respondent must:

  1. implement all provisions, recommendations and requirements of “IPC Fact Sheet – The PPIP Act: Agency systems policies and practices” updated November 2020 (IPC Fact Sheet);

  2. no later than three (3) months after the order, implement and comply with all requirements under the heading “Training and systems” in the IPC Fact Sheet;

  3. fully review and amend the PMP adopted on 17 June 2020 in line with the IPC “Guide to Making Privacy Management Plans” August 2012, which review is to be overseen by the Mayor;

  4. systematically work through the IPC “Checklist – Privacy Management Plans” (updated September 2019) when undertaking (3) above;

  5. provide the IPC and the Tribunal with a hard copy of the revised PMP (once above (3) has been done);

  6. systematically work through and comply with the IPC’s “Essential Guidance Toolkit on Information Access and Privacy Fundamentals – Local Government”;

  7. have the General Manager and Public Officer complete all available IPC educational courses and provide documented proof of such to the Tribunal;

  8. inform its employees, ratepayers and the public (including a prominent notice on the website) of any wrong or misleading information previously contained in the PMPs between 2013 and 2020;

  9. pay the Applicant $40,000 compensation for psychological and physical damage, suffering, prolonged stress, exacerbation of existing conditions and financial loss suffered by the Applicant; and

  10. reimburse the Applicant’s costs of $788.40 incurred to submit material to NCAT and the Respondent.

  39. The Applicant also requested that the Tribunal make any other ancillary orders that the Tribunal considers appropriate.

Agreed key facts and acknowledgement of the Respondent

  40. It is not disputed that the Complaint was:

  1. sent by registered post in an envelope clearly addressed to the General Manager and marked as “Confidential ‑ Attention of Addressee Only”;

  2. received, assessed and disclosed by the General Manager to other Council officers and staff, in particular Mr Maginnity;

  3. put into the Respondent’s electronic document management system; and

  4. treated as a privacy complaint without the prior consent of the Applicant.

  41. The Respondent also acknowledges that the Applicant intended that the Complaint be considered as a ‘code of conduct complaint’ and that the Complaint was dealt with as a ‘privacy complaint’.

Consideration of the preliminary issues

  42. As regards [32(1)], this question was fully explored in EMF1 in relation to the earlier events and prior conduct the subject of those proceedings. In particular, see paragraphs [105], [128] and [130] to [135] of EMF1. In relation to the current proceedings on the AR Application, from 2 December 2020 (i.e. 60 days after 2 October 2020) the Applicant was entitled under s 53(6) PPIP Act to apply to the Tribunal under s 55 PPIP Act for external review of the relevant conduct of concern if the Respondent’s internal review had not yet been completed and notified to the Applicant. However, neither this date nor the filing of the AR Application prohibits the Respondent from completing and notifying the Applicant of its decision resulting from the Respondent’s internal review (i.e. the IR Decision in this case).

  43. However, as I noted at paragraph [26] in EIG v North Sydney Council [2021] NSWCATAD 66 (EIG), the Applicant also has the right to apply to the Tribunal for administrative review under s 55(1) PPIP Act if they are not satisfied with the IR Decision, in this case. That is, from a Tribunal jurisdiction point of view, nothing turns on whether the AR Application is filed on the basis of the trigger in s 53(6) PPIP Act or s 55(1) PPIP Act.

  44. In conclusion, although nothing turns on it in this case, as noted in [42], the 60 days under s 53(6) PPIP Act expired on 2 December 2020 and the Respondent should have aimed to get the IR Decision to the Applicant on or before 2 December 2020.

  45. As regards [32(2)], I have followed the reasoning in the Appeal Panel decision in ZR v Department of Education and Training (GD) [2010] NSWADTAP 75 (ZR) which held, in particular at [58]:

“As to the text authored by the complainant in relation to the matter of concern, we are inclined to the view that, insofar as the information provided is relevant to the purposes of the agency, it ought be regarded as collected, and not treated as unsolicited. It is not, as we see it, a mere instance of passive receipt. This is a situation where the practice of the agency is to get the complaint in writing and create a record. It is requesting the information to that extent.”

  46. Also the IPC has warned agencies, in its “A Guide to the Information Protection Principles”, against treating complaints as unsolicited information if the agency holds itself out as the agency to contact as regards such complaints.

  47. In applying the quoted text in [45] to the facts of this case, I am satisfied that the Respondent sought or ‘solicited’ code of conduct complaints by having a policy relating to how such complaints may be made, will be handled and providing details of to whom one can make such a complaint. Thus, any personal information contained in or related to such a complaint made on this basis will prima facie be solicited information.

  3. However, even if I am wrong on this, in accordance with the Appeal Panel decision in ZR at [71] “once taken under the control of the agency for one of its administrative purposes” the personal information is taken as collected. That is, the moment the Respondent keeps, assesses, deals with and/or processes the Complaint (in this case) then, even if it is originally considered unsolicited personal information, it will then become personal information collected and held by the Respondent. As such (as is the case for all solicited personal information) it is then subject to all the IPPs as amended by the Privacy Code of Practice for Local Government published in the Government Gazette Number 179 on 20 December 2019 (LG Privacy Code).

  4. As regards [32(3)], for the reasons detailed in [50] to [52], I have limited my review under s 52(1)(a) PPIP Act (i.e. the Tribunal only has jurisdiction to review) to the conduct of concern detailed in the IR Request that relates to the alleged failures of the Respondent to comply with the IPPs or the LG Privacy Code (i.e. the Relevant Conduct of Concern).

Jurisdiction and scope and administrative review

  1. The Tribunal’s jurisdiction to hear and determine the AR Application in relation to the Relevant Conduct of Concern, which is alleged to be conduct contrary to the IPPs, arises from s 9 of the Administrative Decisions Review Act 1997 (NSW) (ADR Act) and ss 53(6) and 55(1) PPIP Act.

  2. To the extent that the IPPs are modified by (or other requirements exist under) the LG Privacy Code this matter also concerns conduct under s 52(1)(b) of the PPIP Act (i.e. it is Relevant Conduct of Concern), namely any alleged failure by the Respondent to comply with the LG Privacy Code.

  3. Accordingly, the Tribunal’s review and decision in these proceedings is confined to considering whether any of the Relevant Conduct of Concern resulted in the Respondent failing to comply with any of the IPPs and/or the LG Privacy Code. That is, I have not considered, addressed and/or determined (and do not have the jurisdiction in these AR Application proceedings to consider) the various additional allegations made by the Applicant as to breaches of the Respondent’s code of conduct, the LGA and other codes and laws (i.e. other than the IPPs and the LG Privacy Code).

Legislative framework on key themes

  1. The PPIP Act is described as an Act to provide for the protection of personal information and for the protection of the privacy of individuals generally. “Personal information” is defined in s 4(1) to mean:

“information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.”

Whether personal information is “held” and when it is “collected”

  1. For the purposes of the PPIP Act, personal information is said to be “held” under s 4(4) of the Act by a public sector agency if:

“(a)   the agency is in possession or control of the information, or

(b)   the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or

(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998 (NSW).”

  1. Also for the purposes of the PPIP Act, s 4(5) provides that:

“personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.”

  1. See paragraphs [45] to [47] above as regards when personal information was “collected” by the Respondent in this case.

Transfer of personal information within an agency is not a fresh ‘collection’

  1. A transfer of personal information within an agency (i.e. the Respondent in this case), from one unit or employee to another, can involve a disclosure or use of that information by the first unit or employee: (KJ v Wentworth Area Health Service [2004] NSWADT 84) but does not involve a fresh collection by the second unit or employee: (GA v Department of Education & Training (No 2) [2005] NSWADT 119 at [19]). In CBL v Southern Cross University [2018] NSWCATAD 97 at [24] (confirmed on appeal in CBL v Southern Cross University [2018] NSWCATAP 236 (CBL) at [19]) the Tribunal found that re-directing an in-bound email from one area to another within an agency is not a fresh ‘collection’ by the second recipient of the email. Collection is a single collection by the agency as a whole and not a separate collection by each employee or area of the agency who receives the information.

  2. Based on the reasoning noted in [57], one must thus look to the first collection of the relevant personal information to determine the purpose for collection. In this case, as noted in [45] to [48] above, the first collection occurs on receipt of the personal information in the Complaint (or, in the alternative, at the latest once the General Manager considers/assesses the personal information in the Complaint).

Transfer of personal information within an agency may be a “disclosure”

  1. It has been held that, especially in “large public sector agencies consisting of specialised units”, the exchange of personal information between units of an agency (i.e. within that agency) may be a ‘disclosure’ for the purposes of IPP 11 (see KJ v Wentworth Area Health Service [2004] NSWADT 84 and AQK v Commissioner of Police, NSW Police Force [2014] NSWCATAD 55). However, generally speaking, ‘disclosure’ for the purposes of IPP 11 refers to making the personal information in question available to people outside the agency (see NX v Office of the Director of Public Prosecutions [2005] NSWADT 74 and the Appeal Panel Decision in CBL).

  2. Where a transfer of information (or the provision of access to it) within an agency is not a “disclosure” for the purposes of IPP 11, it falls to be considered as a “use” under IPP 10.

Information Protection Principles (IPPs)

  1. Part 2, Division 1 of the PPIP Act identifies 12 IPPs that apply to the conduct of public sector agencies (i.e. the Respondent in this case) when handling an individual’s personal information (ss 8 to 19 PPIP Act). Section 21 PPIP Act states that:

(1)   A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency.

(2)   The contravention by a public sector agency of an information protection principle that applies to the agency is conduct to which Part 5 applies.

  1. Part 5 of the PPIP Act (s 52(1) PPIP Act) deals with conduct that is alleged to be the contravention by a public sector agency of, most relevantly in this case, an IPP and/or a privacy code of practice that applies to the agency (i.e. the LG Privacy Code in this case).

LG Privacy Code – Effect on IPPs

  1. Under the LG Privacy Code there is no modification of IPPs 1, 4, 5, 6, 7, 8 or 9 and, accordingly, those IPPs apply to the Respondent as is. The departures/exceptions under the LG Privacy Code with respect to IPPs 2, 3, 11 and 12 have no relevance in these proceedings.

  2. Clause 4.11(1) of the LG Privacy Code expands the purpose(s) for which the Respondent collects personal information by modifying the requirements under IPP 10 (s 17 PPIP Act: Limits on use of personal information) such that:

“Council may use personal information for a purpose other than the purpose for which it was collected in the following circumstances:

(1)   where the use is for the purpose of undertaking Council’s lawful and proper function/s and Council is satisfied that the personal information is reasonably necessary for the exercise of such function/s, …”

The meaning of “lawful purpose”

  1. Section 8 PPIP Act/IPP 1 provides that the Respondent can only collect personal information for a “lawful purpose” that is directly related to its function or activity and is reasonably necessary for that purpose.

  2. The meaning of “lawful purpose” has been the subject of interpretation in a number of cases, in particular to consider whether it means positively authorised by law or, in the broader sense, simply not prohibited by law. The Tribunal has confirmed that “‘lawful purpose’ is to be interpreted to mean a purpose that is not forbidden, rather than positively authorised, by law”: see ALZ v SafeWork NSW (No 2) [2016] NSWCATAD 121 at [42], which was upheld on appeal in ALZ v SafeWork NSW [2017] NSWCATAP 51. The Appeal Panel held at [82] that the effect of IPP 1(1) was as follows:

“The purpose will be permissible if it has three elements: it must be lawful; it must be directly related to a function or activity of the organisation; and it must be reasonably necessary for that purpose.”

Decisions available to the Tribunal after an administrative review

  1. Section 55(2) PPIP Act makes it clear that, after reviewing the Relevant Conduct of Concern (in this case), the Tribunal may decide not to take any action on the matter or it may make one or more of the orders listed in s 55(2)(a)-(g) PPIP Act:

“(a)   subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b)   an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c)   an order requiring the performance of an information protection principle or a privacy code of practice,

(d)   an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e)   an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f)   an order requiring the public sector agency not to disclose personal information contained in a public register,

(g)   such ancillary orders as the Tribunal thinks appropriate.”

[emphasis added]

  1. As noted in paragraph [32] of EIG (and see the quoted text in [69] below), the Tribunal may also exercise all of the functions that are conferred or imposed by relevant legislation on the administrator who made the IR Decision (in this case) under s 53 PPIP Act.

Orders in relation to systemic issues

  1. As regards the orders available to the Tribunal to address systemic issues, I note the following paragraphs from EIG:

[81]   As held by the Appeal Panel in DTN v Commissioner of Police [2020] NSWCATAP 73 (DTN):

[99] In our view, and given that the CAT Act postdates the PPIP Act, the Tribunal may either exercise the functions conferred or imposed upon the public sector agency pursuant to s53(7) as well as make any of the orders provided for in s 55(2) of the PPIP Act…

[105] Under s53(7)(e) of the PPIP Act, following the completion of the review, the public sector agency whose conduct was the subject of the application may “implement administrative measures to ensure that the conduct will not occur again”. As discussed above, by s63(2) of the Administrative Decisions Review Act 1997 and s30(2)(b) of the CAT Act, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision in connection with the conduct or resolution of the proceedings. This would include the making of a decision as to whether or not the public sector agency should implement administrative measures to ensure that the conduct will not occur again. Orders of that kind have been made by the Tribunal, including for example in BVS v Sydney Local Health District [2015] NSWCATAD 171.

[82] It is clear that the Tribunal can (where the evidence following a review of conduct indicates a need) examine systemic or broader issues when considering what actions to take to enliven aspects of s55(2)(c) of the PPIP Act. The case of MH v NSW Maritime [2011] NSWADT 248 makes the following observations in respect of the relationship between the systemic issues and the specific conduct complained of by an applicant and how they might be considered when looking to make an order under s55(2) PPIP Act following such a review:

[24]   As the Privacy Commissioner observed in his submissions, at [14]

It is clear that the hearing of the matter has of necessity looked into the background of the environment within the Respondent Agency as it relates to privacy matters and the handling of personal information.

The evidence relating to those matters has led to both MH and the Privacy Commissioner making submissions addressing wider 'systemic issues' concerning the agency's compliance with IPPs, its Privacy Management Plan, and the knowledge, understanding and implementation of privacy principles, policies and practices within the agency. The Privacy Commissioner expressed the view that -

... the proceedings highlight a general lack of knowledge, understanding, or compliance with the statutory obligations of the Agency as identified under the PPIP Act.

[25] In my opinion the wider systemic issues within the agency form part of the background or context in which the conduct that MH complains of occurred. They are not of themselves the conduct about which MH is aggrieved, but form part of the organizational environment in which the conduct occurred. They do not fall within the scope of his internal review, reasonably construed, because they do not directly relate to the conduct complained of. They do not relate to specific breaches of IPPs or of a Privacy Code of Conduct, but embrace wider issues concerning compliance with the Act and the agency's culture with respect to privacy issues. They are, nonetheless, relevant to the Tribunal's consideration of the conduct in issue, as they set, in part, the context in which the conduct occurred, and inform my decision making accordingly. Addressing systemic issues which contribute to a finding of conduct in breach of the IPP's may be a relevant factor for the Tribunal when considering what orders should be made under s 55(2).

[83] Section 55(2)(c) of the PPIP Act empowers the Tribunal to make an order requiring the performance of an IPP. I am of the view that, in the current case, s55(2)(c) of the PPIP Act empowers the Tribunal to order the performance of IPP 5 (as provided for in s12 PPIP Act) by the Respondent. This is because such a course of conduct is clearly related to the found contravention of IPP 5.

[84]   In my opinion the orders available to the Tribunal in this case also include what may be described as requiring the implementation of administrative measures to ensure that the conduct the subject of the IR Request will not occur again. In support of this, as noted in DTN at [105], the Appeal Panel found that:

… If the conduct was to be too narrowly construed, there would be no or little role for any decision to put in place administrative measures to ensure that the “conduct” will not occur again. Any such decision is of course a discretionary remedy depending on all of the circumstances and the submissions of the parties.

[85] Section 55(2)(g) PPIP Act also permits the Tribunal to make an “ancillary order”. An ancillary order is an order that is “incidental or supplemental to” an order the Tribunal is empowered to make (see for example, New South Wales Crime Commission v Ollis [2006] NSWCA 76 at [28] and Housing NSW v Hamilton [2015] NSWCATAP 136 at [39]).

An Order for damages under s 55(4) PPIP Act

  1. An order requiring the Respondent to pay the Applicant damages by way of compensation for any loss or damage suffered because of the Relevant Conduct of Concern can only be made if the Tribunal is satisfied that the Applicant has suffered financial loss, psychological or physical harm because of the conduct of the Respondent (s 55(4) PPIP Act).

  2. As noted in APV v Department of Finance and Services [2016] NSWCATAD 168 (APV) at [15], the Applicant bears the onus of “establishing the causal link between the breach of privacy [i.e. the Relevant Conduct of Concern where non-compliance with an IPP is found] and the damage allegedly suffered”. APV was followed in DRX v City of Canada Bay Council [2020] NSWCATAD 26 (DRX).

  3. The Deputy President of the Tribunal in CPJ v The University of Newcastle [2017] NSWCATAD 350 (CPJ) at [25] and [27], rejecting the previous causation test applied by the Tribunal, held that the ‘material contribution’ test was the relevant test. In favouring the ‘material contribution’ test the Deputy President in CPJ followed the AAT decision in EQ v Office of the Australian Information Commissioner (Freedom of Information) [2016] AATA 785 (EQ) at [47], interpreting the equivalent provision under the Federal Privacy Act and relied, to some extent, on the common law principles in March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506. In CPJ at [24] the Deputy President, quoting from EQ, stated:

“… in law, causation is a question identifying where legal responsibility should lie, rather than examine the cause of event from a scientific or philosophical viewpoint, policy issues and value judgments have a role to play in determining whether for legal purposes, a circumstance we found to be causative of loss.”

  1. In order to persuade the Tribunal to the level of satisfaction required by s 55(4) PPIP Act, specific evidence is required that the conduct of the agency that is the subject of the complaint (i.e. the Relevant Conduct of Concern in this case) and not the conduct of the Respondent more generally caused the alleged loss or harm (see GR v Department of Housing [2003] NSWADT 268 (GR) at [46]).

  2. As noted in JD v NSW Medical Board (No. 2) [2006] NSWADT 345 at [53], psychological harm “is intended to encompass a situation where an individual suffers some impairment of their mental state and processes”. This can include “conditions such as depression and anxiety”, as held in WT v Auburn Council [2007] NSWADT 253 at [27].

  3. In CJU v SafeWork NSW [2018] NSWCATAD 300 (CJU) at [117] the Tribunal following AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179 accepted that “mere distress” is a recoverable psychological harm and added the following commentary at [124]:

“It seems to me the expression “psychological harm” in the section is of wide import. … “Psychological”, and not the word “psychiatric”, is the chosen term. No degree of such harm has been imposed such as a requirement for “serious” psychological harm.”

…it could readily be foreseen by the legislature that a breach such as unlawful release of personal information could produce a range of justifiable reactions such as distress, worry, humiliation or fear of some real significance.

…it does not seem to me that the legislature would have expected “psychological harm” to be limited to a mental condition that is only capable of identification by diagnosis from a doctor or psychologist.”

  1. In CJU at [98] the Tribunal suggested that the types of claims, supported by some independent evidence, that would be needed to seek compensation on the grounds of psychological harm by way of distress would be “specific consequences that flowed from [the conduct] such as impact upon her work sleeping, lifestyle, relationships or treatment for her state of mind”.

  2. A medical report that establishes a causal connection between the Relevant Conduct of Concern (in this case) and the psychological harm suffered by the Applicant will meet the precondition in s 55(4)(b), as noted in RD v Department of Education and Training [2005] NSWADT 195 at [31]. However, a medical report that simply says that an applicant’s stress has been aggravated by their dealings with an agency is probably not sufficient to establish that the person is suffering from a physical or psychological condition “because of the [relevant] conduct of the public sector agency” (see GR at [46]). An applicant’s claim for damages for psychological harm also failed in SW v Forests NSW [2006] NSWADT 74 at [53] on the basis of insufficient evidence, including a lack of a “specific diagnosis or prognosis in respect of any psychological harm”.

An Order for costs

  1. As regards costs orders, s 60 of the Civil and Administrative Tribunal Act 2013 provides:

60    Costs

(1)   Each party to proceedings in the Tribunal is to pay the party's own costs.

(2)   The Tribunal may award costs in relation to proceedings before it only if it is satisfied that there are special circumstances warranting an award of costs.

(3)   In determining whether there are special circumstances warranting an award of costs, the Tribunal may have regard to the following:

(a)   whether a party has conducted the proceedings in a way that unnecessarily disadvantaged another party to the proceedings,

(b)   whether a party has been responsible for prolonging unreasonably the time taken to complete the proceedings,

(c)   the relative strengths of the claims made by each of the parties, including whether a party has made a claim that has no tenable basis in fact or law,

(d)   the nature and complexity of the proceedings,

(e)   whether the proceedings were frivolous or vexatious or otherwise misconceived or lacking in substance,

(f)   whether a party has refused or failed to comply with the duty imposed by section 36 (3),

(g)   any other matter that the Tribunal considers relevant.

Consideration

IPP 1 – s 8 PPIP Act – Collection of personal information for lawful purposes

  1. The Applicant considered that their personal information in and related to the Complaint was not “collected” by the Respondent and thus IPP 1 did not apply, although the IR Request and the Relevant Conduct of Concern enlivened IPP 1. As I concluded in paragraphs [45] to [48] above, the Respondent has collected the personal information of the Applicant related to the Complaint. As noted in paragraph [48] above, even if originally considered unsolicited, once the Respondent assessed, considered or dealt with the Complaint by, in this case, assessing whether it qualified as a code of conduct complaint and/or putting it in its electronic information management system, the personal information was collected and is held by the Respondent and thus IPP 1 is relevant.

  2. I am satisfied that the General Manager, on behalf of the Respondent, was entitled to (and did) collect the Applicant’s personal information in and related to the Complaint for the lawful purpose of considering the Complaint as a code of conduct complaint. However, even though the General Manager later determined that the Complaint was not a code of conduct complaint, this does not change the lawful purpose for which the Applicant’s personal information in and related to the Complaint was collected (i.e. at the time of collection) and any subsequent use of it falls to be considered under IPP 10 and the LG Privacy Code in relation to its use other than as a code of conduct complaint.

  3. Relying on the decision in CBL, I find that re‑directing the Complaint from the General Manager to other Council staff using the document management system is not a fresh ‘collection’ by each recipient in the Respondent of the personal information related to the Complaint. The initial collection by the General Manager is a single collection by the Respondent as a whole and there are no separate collections by each (or any other) staff member of the Respondent. However, each such “re‑direction” or making the Complaint available to others in the Respondent may be a use (or, in some cases, a disclosure) which may on each occasion, subject to the LG Privacy Code, be an unauthorised use (or possibly disclosure) of the Applicant’s personal information under IPP 10 (and/or IPP 11) if such are not for the ‘lawful purpose’ for which it was collected.

IPP 3 – s 10 PPIP Act – Requirements when collecting personal information

  1. IPP 3 requires the Respondent (in this case) to take reasonable steps to ensure that the Applicant (in this case) is made aware, either before or as soon as reasonably possible after the collection of the Applicant’s personal information, of, most relevantly, the purpose(s) for which the information is being collected and the intended recipients of the information.

  2. The purpose of the IPP 3 notification obligation imposed on agencies is to allow a person the choice as to whether to give (or refuse to give) their personal information to the agency on an informed basis (see DQU v University of New England [2020] NSWCATAD 226 at [133]).

  3. In AOZ v Rail Corporation NSW [2014] NSWCATAP 76, the Appeal Panel described the notification principle (i.e. IPP 3) as establishing “an important right” and noted at [70]:

“… the provision is one that requires of agencies a practice that clearly addresses the matters in paragraph (a) to (f) [of IPP 3] to the extent applicable and relevant. This was … a routine aspect of this area of an administration … there should, in our view, have been a standard notice in place to address the matters to which (the notification principle) refers.”

  1. Given my conclusion that personal information in and relating to the Complaint was solicited (or, in the alternative, collected once it was assessed by the General Manager) then the Respondent is obliged under IPP 3 to take reasonable steps to notify the Applicant clearly of how it intends to deal with the Applicant’s relevant personal information prior to, or as soon as reasonably possible after, that collection.

  2. The Tribunal has rejected as “without merit” an argument from the respondent in ALZ v WorkCover NSW [2014] NSWCATAD 49 (ALZ) that having a Privacy Management Plan published on its website which provided general information about collections and disclosures was sufficient to comply with HPP 4 in the Health Records and Information Privacy Act 2002 (in that case, the equivalent of IPP 3). Specifically, the Tribunal noted at [100]:

“HPP 4 required the Respondent to take any steps that are reasonable to notify the Applicant that they had collected the medical report and what they were going to do with it. They did not do so…”

  1. Applying the reasoning in ALZ and the clear words of IPP 3, even ad-hoc collections (e.g. when collecting the personal information in a complaint) require at least “reasonable steps” to deliver the notification required in IPP 3 and even if such notice is after the collection. Based on the prior decisions of the Tribunal and on the plain reading of IPP 3, a specific IPP 3 notice directed at the subject (i.e. the Applicant in this case) making code of conduct complaints (or any specific type of complaint) is required.

  2. In this case, at the time and place of notifying how and where a code of conduct complaint can be made (e.g. the Respondent’s relevant website page), an appropriate privacy collection notice or statement meeting the requirements of IPP 3 could have been linked to on the page for (or at least specifically drawn to the attention of) each potential complainant. However, there was no evidence that this was done or any other reasonable steps were taken in this case.

  3. There was no evidence presented that, on receipt of the Complaint (i.e. after the personal information was collected), the Respondent took any reasonable steps to send (by post or email), as soon as possible after receipt, an IPP 3 compliant statement specifying how the Applicant’s personal information in and related to the Complaint would be dealt with by the Respondent.

  4. Also, there was no evidence that reasonable steps were taken to refer to the Respondent’s “Privacy Statement” on its website (or to provide a link to it) to the Applicant. While not necessarily an IPP 3 notice, this is the general public privacy statement of (or promise by) the Respondent to individuals about the way the Respondent will handle their personal information and any statements in it will, in the absence of an IPP 3 statement, prevail over any inconsistent rights or exemptions given to Council under the LG Privacy Code. In the absence of an IPP 3 statement, the Privacy Statement may be referred to by individuals in deciding whether to provide their personal information to the Respondent. In this case the Privacy Statement would give comfort to individuals as to how their personal information in relation to a complaint “will be treated [by the Respondent] as you access and interact with Council”, as follows:

“Any personal information you provide us may be used … for the purpose for which it was collected …”

  1. There is no mention in the Privacy Statement that one’s personal information provided for a specific complaint (e.g. a code of conduct complaint) would be used for any other type of complaint or of the additional rights granted to the Respondent in regards to use of their personal information for other purposes under clause 4.11(1) LG Privacy Code.

IPP 5 – s 12 PPIP Act – Retention and security of personal information

  1. The Applicant asserts that the Respondent failed to comply with IPP 5 but did not advance any evidence in support of this.

  2. The Respondent conceded that the Applicant’s personal information related to and in the Complaint was stored in the Respondent’s electronic document management system and disclosed to a number of staff and used for a purpose other than a code of conduct complaint review (i.e. as a privacy complaint), without notification to or the consent of the Applicant. However, in the absence of any evidence from the Applicant of any unauthorised access by or disclosure to anyone outside of the Respondent and the failure of the Respondent to take reasonable steps to keep their personal information secure (see paragraphs [59] to [60] of EIG), I find that the Relevant Conduct of Concern did not result in any failure of the Respondent to comply with IPP 5.

IPP 10 – s 17 PPIP Act – Limits on use of personal information

  1. As previously noted (see [64]), clause 4.11(1) LG Privacy Code expands the purpose(s) for which the Respondent (in this case) may use personal information it collects. However this expansion, as a right, can be limited or overridden by conduct or statements to the contrary, especially as regards information (including personal information) provided on a confidential basis. In essence, a use cannot be for a “Council’s lawful and proper function/s” where such use is either contrary to any statement of the Respondent (in this case) as to use of that information or to its obligations of confidentiality in relation to that information.

  2. Given the wording of the Privacy Statement (see [90]) and since the Complaint was marked as ‘confidential’ and ‘for the addressee only’, in considering the application of the modification of IPP 10 available to the Respondent under clause 4.11(1) LG Privacy Code, the Respondent should have considered:

  1. that no IPP 3 statement had been provided to the Applicant and that the Privacy Statement limited the Respondent’s use of personal information to the purpose for which it was collected, limiting the effect of clause 4.11(1) LG Privacy Code;

  2. the ‘confidential’ nature of the Complaint (including the personal information in and related to it). That is, it is not for a lawful and proper function of the Respondent to use information (including personal information) collected on a confidential basis for a specific function for any other function (without consent of the Applicant) where to do so would be contrary to the Respondent’s obligations of confidentiality (i.e. breach the law of confidentiality); and

  3. that the Applicant would likely (and did) object to their personal information in or related to the Complaint being handled by anyone other than the General Manager and/or used for any purpose other than a code of conduct complaint.

  1. In the circumstances of this case, even though the General Manager determined that this was not a code of conduct complaint, given the statement in the Privacy Statement and that the Complaint was marked as ‘confidential’ and ‘for the addressee only’, it was incumbent on the Respondent to only use that personal information for the sole lawful purpose of assessing a code of conduct complaint. Once assessed as not meeting the criteria of a code of conduct complaint the Respondent could not lawfully use it for any other purpose without first obtaining the Applicant’s consent to do so.

  2. If the Respondent wishes to continue to use the personal information collected for one type of complaint or provided on a confidential basis for a specific purpose for another type of complaint or other purpose (in the case of confidential information) the Respondent should notify the complainant of such and consider providing them with an “opt-out” mechanism to be able to avoid their personal information being used for any other complaint, especially where it has been collected on a ‘confidential’ basis for a specific purpose.

IPP 11 – s 18 PPIP Act – Limits on disclosure of personal information

  1. The Applicant complained about “disclosure/use/access of personal information without consent” and specifically referred to s 18 PPIP Act/IPP 11. IPP 11 provides, in essence, that personal information can only be disclosed with a person’s consent or if the person was told at the time that it would be disclosed and if it is directly related to the purpose for which the information was collected and there is no reason to believe the person would object.

  2. There is no allegation or evidence of the disclosure by the Respondent of any of the Applicant’s personal information in or related to the Complaint outside of the Respondent (i.e. to a third party or other agency).

  3. In the circumstances of this case and this Respondent, being a local council rather than a large public sector agency, I am satisfied that no ‘disclosure’ (for the purposes of IPP 11) of the Applicant’s personal information occurred by the Respondent providing it (or access to it) to the various officers and staff of the Respondent and/or including such in its electronic information management system (collectively Access). Thus, IPP 11 is not relevant in this case to the Access.

  4. Accordingly, I find that the Relevant Conduct of Concern has not resulted in a failure of the Respondent to comply with IPP 11.

IPP 12 – s 19 PPIP Act – Special restrictions on disclosure of personal information

  1. For the reasons noted in paragraphs [99] and [100] above, there has been no ‘disclosure’ of any of the personal information in or related to the Complaint by the Respondent for the purposes of IPP 12.

  2. Accordingly, I find that the Relevant Conduct of Concern has not resulted in a failure of the Respondent to comply with IPP 12.

Consideration of systemic or broader issues

  1. The Tribunal’s role is to review certain conduct (in this case the Relevant Conduct of Concern) rather than merely determining whether there has been a contravention of the PPIP Act by the agency. However, the Tribunal may look at systemic issues or broader issues concerning compliance with the PPIP Act, the IPPs and an agency’s culture with respect to privacy issues in considering the context in which the Relevant Conduct of Concern occurred. 

  2. Addressing systemic issues which contribute to a finding of conduct in contravention of the IPPs is a relevant factor for the Tribunal when considering what orders should be made under s 55(2) of the PPIP Act (MH v NSW Maritime [2011] NSWADT 248 (MH) at [25]). This principle was followed in BKM v Sydney Local Health District [2015] NSWCATAD 87 (BKM) where the Tribunal noted at [45] that:

“It is clear that the Tribunal can (where the evidence following a review of conduct indicates a need) examine systemic or broader issues when considering what actions to take generally under section 55(2)(g) or to enliven aspects of section 55 … of the PPIP Act.”

  1. In BKM the Tribunal noted “many dozens of instances” in which the Tribunal has, following a privacy review, made orders “concerning the systemic nature of an information practice/system or in respect of administrative practices relating to privacy policies, training, practices and procedures, and general education of staff within the agency” (BKM at paragraph [44]).

  2. At paragraph [46] of BKM the Tribunal also noted:

“Those examples are in addition to but sometimes include cases where damages were ordered, or positive findings of breaches were made.”

  1. The principle in MH with respect to examining systemic issues was also explicitly followed in DSG v Department of Education [2019] NSWCATAD 182 at [102] and, most recently, in EIG at paragraphs [81] to [83].

  2. The Applicant made submissions as to (and provided evidence of) a number of the Respondent’s non-compliances with the IPPs, most of which were not addressed by the Respondent. In addition, I have considered the “lessons” referred to in the findings in EMF1 (especially as regards dealing with communications marked “confidential” which are collected for a specific purpose).

  3. Following the reasoning in the cases noted above in [104] to [107], I am satisfied that there are systemic or broader privacy compliance issues within the Respondent relating to the Relevant Conduct of Concern and my findings of the Respondent’s failure to comply with IPPs 3 and 10. These are, in my view, matters on which orders relating to systemic issues and ancillary orders are appropriate.

Consideration of damages sought with supporting evidence provided

  1. The Applicant seeks damages of $40,000 for distress and psychological harm they allege was suffered, including the loss of use of their assistance dog due to the inability to certify the dog and the Applicant’s use of the dog due to the aggravation of pre‑existing clinically diagnosed depression and anxiety. The Applicant presented a “Psychological Assessment & Report” dated 3 April 2021 from a registered psychologist as evidence of the causal connection between this harm and the Relevant Conduct of Concern. This report was not challenged by the Respondent as to the psychological harm caused by the Relevant Conduct of Concern. In summary, and without wanting to provide too much information and exacerbate the Applicant’s concerns as to their privacy, the psychologist concluded that the Relevant Conduct of Concern “has had a profound deleterious psychological impact” on the Applicant.

  2. Also, as noted in the earlier discussion (see [70] to [77] above), compensation may be awarded where the conduct at issue (i.e. the Relevant Conduct of Concern in this case) is found to have contributed towards or exacerbated a pre-existing psychiatric condition or psychological state (see NZ v NSW Department of Housing [2006] NSWADT 173 (NZ) at [48]).

  3. Applying the reasoning in APV and DRX, I am satisfied that the Applicant has met the burden of establishing the causal link between the Relevant Conduct of Concern and the harm they suffered. That is, applying the reasoning in CJU, the Applicant has presented objective evidence to support their claim for an award of damages.

  4. I note that once the causal link between the Relevant Conduct of Concern (in this case) and the relevant harm suffered by the Applicant meets the pre‑condition in s 55(4)(b) PPIP Act then the Respondent takes the individual (the Applicant in this case) as they find them: see NZ at [48]. That is, similar to the “eggshell skull” principle in the law of torts, recognising that some people will have a more severe reaction to an event than others. In summary, the damage or harm caused should not be assessed against a “reasonable person” or limited to what the Respondent or Tribunal may expect is the “usual” impact of such conduct but must consider the harm actually suffered by the individual in question.

  5. The amount of the damages to be awarded by the Tribunal for psychological harm should also be assessed based on the actual harm suffered by the individual (i.e. the Applicant in this case), not limited to the expectation of the Respondent or Tribunal as to what the reasonable consequences or harm should be in the circumstances (see NZ at [26]).

  6. Where it is found that the actual harm caused to and suffered by the individual (i.e. the Applicant), as established to have the requisite causal connection with the Relevant Conduct of Concern, is significant then the upper limits of the cap on damages in s 54 PPIP Act should be considered, assessed against how substantial the negative impacts on the individual actually were.

  7. In coming to the amount of damages to be awarded in this case I have considered the reasoning and decision in NK v Northern Sydney Central Coast Area Health Service (No. 2) [2011] NSWADT 81 in which the maximum amount of damages (i.e. $40,000) was awarded by the Tribunal. While I accept that the Respondent’s behaviour in this case is not as egregious (in fact it was likely unintentional), the impacts of the Relevant Conduct of Concern on the Applicant were extremely severe.

Consideration of a costs Order

  1. As noted in DSC v South Eastern Sydney Local Health District (No. 2) [2019] NSWCATAD 216 at [22], the “special circumstances” to be made out in order for a costs order to be made “concerns the conduct of the proceedings, not the basis for bringing the proceedings” or, in this case, the Relevant Conduct of Concern. There were no submissions as to the Respondent’s behaviour in relation to the proceedings as contemplated in s 66(3) CAT Act or otherwise as special circumstances and there was no evidence of such in the material before me. Therefore, in accordance with s 66(1) CAT Act, I make no Order as to costs in this case.

Conclusion

  1. For the reasons noted above, I am satisfied that the Relevant Conduct of Concern resulted in the Respondent failing to comply with IPPs 3 and 10 and that there is evidence of systemic or broader privacy compliance issues within the Respondent with respect to the Relevant Conduct of Concern. I am also satisfied that the evidence provided by the Applicant has established the causal link between the psychological harm suffered by the Applicant and the Relevant Conduct of Concern.

  2. I have considered and taken into account the Applicant Submissions and requests in relation to the orders and remedies sought by the Applicant (see [38] above). While I urge the Respondent to consider the suggestions of the Applicant as to the specific programs, checklists and guides issued by the IPC that may be relevant to the Respondent, I have decided not to be quite so prescriptive in making my Orders. I do not believe such prescriptive orders are the most effective means of addressing either the specific failures to comply with IPPs 3 and 10 or the systemic issues. My Orders therefore allow the Respondent scope to consider a wide range of ways in which to meet and comply with them in order to address the non‑compliance and systemic issues I have found to have occurred in relation to the Relevant Conduct of Concern.

Orders

  (1) The decision of the Respondent is set aside.

  (2) Within 30 days of the date of these Reasons for Decision the Respondent is to provide an unreserved written apology to the Applicant addressing and apologising for the Respondent’s breaches of IPPs 3 and 10 as identified in these Reasons for Decision and for all distress and harm caused to the Applicant as a result of such.

  (3) Within 180 days of the date of these Reasons for Decisions the Respondent is to:

  (a) perform IPP 3 by implementing such measures as are reasonable in the circumstances to ensure IPP 3 compliant notices are issued in relation to all personal information collected by the Respondent,

  (b) amend the Privacy Statement to be (and keep it) consistent with all IPP 3 notices issued,

  (c) ensure all IPP 3 notices and the Privacy Statement clearly state any rights or exceptions under the Privacy Code of Practice for Local Government or other law or code the Respondent will rely on to permit other uses of information collected by it,

  (d) perform IPP 10 by implementing such measures necessary to ensure that no personal information collected by the Respondent is used other than for the lawful purpose(s) of collection unless either consented to by the individual whose personal information it is or such is permitted by a right or exception noted in an IPP 3 notice in accordance with (a) and (c) above, and

  (e) implement such administrative measures necessary to ensure that the conduct of concern the subject of these proceedings will not occur again.

  (4) The measures implemented in accordance with Order (3) must specifically address the Respondent’s position as to information submitted to it in confidence and when and in what circumstances any personal information marked confidential collected by the Respondent may be used for purposes other than that for which it was lawfully collected.

  (5) The Respondent is to amend the Privacy Management Plan to reflect the measures implemented in accordance with Order (3) above.

  (6) Pursuant to s 54 Privacy and Personal Information Protection Act 1998, within 30 days of the Applicant providing their bank account (or other acceptable payment method) details to the Respondent, the Respondent is to pay the Applicant $30,000 as compensation for the harm suffered by the Applicant as a result of the Relevant Conduct of Concern.

  (7) Under s 64(1) of the Civil and Administrative Tribunal Act 2013 the disclosure of the Applicant’s name or of material that identifies the Applicant or is likely to lead to the Applicant’s identification is prohibited.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Amendments

27 July 2021 - Minor formatting corrections at [1], [10], [28], [43], [48], [50] and [105]; subparagraph numbering corrected at [36]; "in their" omitted at [90] (duplicate/unnecessary text); "an" changed to "and" at [102]

Decision last updated: 27 July 2021
