EPT v The Sydney Children's Hospital Network

[2022] NSWCATAD 137

28 April 2022


Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: EPT v The Sydney Children’s Hospital Network [2022] NSWCATAD 137
Hearing dates: 30 September 2021
Date of orders: 28 April 2022
Decision date: 28 April 2022
Jurisdiction: Administrative and Equal Opportunity Division
Before: C Mulvey, Senior Member
Decision:

(1) Pursuant to s 64 (1)(a) of the Civil and Administrative Tribunal Act 2013, the name of any person (whether or not a party to proceedings in the Tribunal or a witness summoned by, or appearing before, the Tribunal) is prohibited.

(2) The decision made by the Respondent on 5 March 2021 is set aside.

(3) In substitution thereof, the Respondent breached s 12(c) of the Privacy and Personal Information Protection Act 1998 by failing to secure the applicant’s personal information between February 2017 to May 2018.

(4) Within 28 days, the Respondent is to provide to the Applicant an unreserved written apology addressing and apologising for the Respondent’s breach of s 12(c) of the Privacy and Personal Information Protection Act 1998 as identified in these Reasons for Decision and for all distress and harm caused to the Applicant as a result.

(5) Within 28 days, the Respondent is to pay the Applicant the sum of $10,000.

Catchwords:

PRIVACY - breach of s 12(c) of the Privacy and Personal Information Protection Act 1998 – breach of IPP – damages – compensation - material factor

Legislation Cited:

Administrative Decisions Review Act 1997

Anti-Discrimination Act 1977

Civil and Administrative Tribunal Act 2013

Government Sector Finance Act 2018

Government Service Audit Act 1983

Health Records and Information Privacy Act 2002

Health Services Act 1997

Mental Health Act 2007

Privacy and Personal Information Protection Act 1998

Cases Cited:

AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179

BVS v Sydney Local Health District [2015] NSWCATAD 171 at [77]

CYH v Family and Community Services [2018] NSWCATAD 84

Director-General Department of Education and Training v MT [2005] NSWADTAP 77

EMF v Cessnock City Council [2021] NSWCATAD 2019

HP v Hunter New England Area Health Services [2009] NSWADT 186

Jackson v University of NSW [2018] NSWCATAD 12

MT v Department of Education and Training (2004) NSWADT 194

Roads & Maritime Services v AF; AF v Roads & Maritime Services [2011] NSWADTAP 63

Category: Principal judgment
Parties: EPT (Applicant)
The Sydney Children’s Hospital Network (Respondent)
Representation: Solicitors:
Applicant self-represented
Crown Solicitor (Respondent)
File Number(s): 2021/00073135
Publication restriction:

Pursuant to s 64 (1)(a) of the Civil and Administrative Tribunal Act 2013, the name of any person (whether or not a party to proceedings in the Tribunal or a witness summoned by, or appearing before, the Tribunal) is prohibited.

A reference to the name of a person includes a reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person.

REASONS FOR DECISION

  1. This application concerns conduct by the Sydney Children’s Hospital Network (“the Respondent”) in connection with the management of personal information of EPT, (a pseudonym) (“the Applicant”).

  2. By his application filed in this Tribunal on 15 March 2021 (“the application”), the Applicant is seeking a review of the conduct of the Respondent that he alleges amounted to a “breach of privacy”. It is evident from the way in which the application is framed, the Applicant is alleging a breach of the Privacy and Personal Information Protection Act 1998 (“the PPIP Act”) and equivalent provisions in the Health Records and Information Privacy Act 2002 (“the HRIP Act”).

  3. The application was made following an internal review by the Respondent, which it treated as an application made pursuant to s 53 of the PPIP Act. In reading the scope of the complaint, the Applicant claims the Respondent contravened one or more of the Information Privacy Principles (“IPPs”) contained in Division 1 of Part 2 of the PPIP Act. It is also implicit in the internal review application that the Respondent is also alleged to have contravened a Health Privacy Principle (“HPP”) contained in Schedule 1 to the HRIP Act.

  4. I note that the Respondent has proceeded on the basis of the alleged breaches pursuant to the PPIP and HRIP Acts and as such has treated this proceeding as an administrative review under the Administrative Decisions Review Act 1997 (“the ADR Act”) of the conduct that was subject to the application under s 53 of the PPIP Act (see s 55(1) of the PPIP Act).

  5. The internal review decision was made by the Respondent on 5 March 2021. It is this decision which is the reviewable decision (‘the reviewable decision’).

  6. I note at this juncture the Respondent concedes that it breached s 12 of the PPIP Act. Therefore, the Respondent submits the only issue for my determination is what remedy, if any, flows from that breach.

Background to the complaint

  1. Until 19 February 2021, the Applicant was employed by the Respondent as an Electronics Technician in the Biomedical Engineering Service at the Newborn and Paediatric Emergency Transport Service (‘NETS’).

  2. On 17 July 2021, a complaint was made by the Applicant to his immediate Manager (“the Manager”) concerning treatment by a colleague (“the colleague”) also in the employ of the Respondent. The Applicant was alleging, amongst other things, victimisation and relevantly, the access by the Manager of Computer Drives. At the time the Applicant left the employ of NETS, he was of the view that the complaint remained unresolved.

  3. The network drives at NETS included a G and H drive. The G drive was a common drive available to all NETS employees, accessible when an employee logged on to a computer on the NETS network. The H drive was a personal drive and, ordinarily, could only be accessed by the employee whose personal log in details had been entered into the NETS network.

  4. On 11 October 2017, the Applicant had files stored on his personal H drive. The Manager copied those files to the Manager’s H drive. The files included work-related information, the Applicant’s personal information, credit card statements and payslips. The copying of those files was undertaken by the Manager unbeknown to the Applicant.

  5. It is also uncontroversial that on 9 March 2018, the Applicant was requested by the Manager to complete a spreadsheet which related to activities he undertook within a two-week period.

  6. On 27 March 2018, the Applicant in his response to that request alleged this to be an example of victimisation following the complaint he made against the colleague.

  7. On 20 April 2018, the Applicant found his files located in the Manager’s H drive. On 30 April 2018, the Applicant made a complaint to the Respondent about this and other workplace concerns.

  8. On 19 July 2018, the Respondent’s investigation into the complaints about the colleague was set out in a letter to the Applicant. The letter lacked any detail concerning the complaint he made about the H drive.

  9. On 20 July 2018, the Applicant was taken to the Campbelltown Hospital by the police, pursuant to s 22 of the Mental Health Act 2007 (on a belief on reasonable grounds that he may attempt suicide or cause serious physical harm to himself).

  10. Relevantly, on 8 January 2019, the Respondent advised the Applicant about an investigation undertaken concerning the H drive. The letter also referenced a complaint the Applicant made concerning a fellow employee filming him, which was originally part of the internal review decision, but is no longer pressed by the Applicant in this application.

  11. Between 2019 and 2020, various unrelated work issues continued to be agitated between the Applicant and the Respondent.

  12. On 19 February 2021, the Applicant’s agreed voluntary redundancy took effect, ending his employment relationship with NETS.

Jurisdiction

  1. The Applicant’s written submissions, dated 14 September 2021, contend this application is not a review under the ADR Act, but rather a complaint under the Anti-Discrimination Act 1977. I reject this contention. It is evidently clear in my mind, and based on the evidence before me, that the review is one under the ADR Act. Any claim the Applicant wishes to make pursuant to the provisions of the Anti-Discrimination Act must first be commenced before Anti-Discrimination NSW. Depending on the outcome of that complaint, the President of Anti-Discrimination NSW may refer the complaint to NCAT. The Applicant has also conflated a number of other employment disputes in his written submissions concerning this application that may be relevant to a complaint in another jurisdiction.

  2. Therefore, this proceeding is to be determined according to the provisions of the PPIP Act, the HRIP Act and the ADR Act.

  3. The Respondent has set out the requisite jurisdiction in written submissions, which I adopt and reproduce below.

  4. The information stored on the Applicant’s H drive included his credit card statements and his payslips. It may be assumed that the Applicant’s identity was apparent from those documents. Accordingly, the information is ‘personal information’ for the purposes of the definition in s 4(1) of the PPIP Act.

  5. Part 5 of the PPIP Act, which provides for internal review and administrative review by NCAT of certain conduct, applies to conduct by a ‘public agency’. Section 3(1) of the PPIP Act defines ‘public sector agency’ to include, relevantly, ‘(d) an auditable entity within the meaning of the Government Service Audit Act 1983 …’ (‘the GSA Act’).

  6. Section 4(1)(a) of the GSA Act defines ‘auditable entity’ to mean, relevantly, ‘(a) a GSF agency’. ‘GSF agency’ is defined in s 2.4 of the Government Sector Finance Act 2018 to include, relevantly, ‘(b) a New South Wales health entity’. ‘NSW health entity’ is defined in s 2.3 of that Act to mean, relevantly, ‘a statutory health organisation within the meaning of the Health Services Act 1997’ (‘the HS Act’).

  7. The dictionary to the HS Act defines ‘statutory health organisation’ to mean a local health district or statutory health corporation. The Respondent is a statutory health corporation constituted by s 41(1) of the HS Act (see Sch. 2 to that Act).

  8. Accordingly, I accept that the Respondent is a ‘public sector agency’ for the purposes of the PPIP Act.

  9. The internal review is a reviewable decision. The alleged contravention which is identified as conduct by the Applicant includes ‘my Manager stole my personal files off the network drive …’ and such conduct alleged can lead to a contravention of an IPP (s 12 and/or s 16 and/or s 17 of the PPIP Act).

  10. The Tribunal therefore has jurisdiction to consider the application for review.

  11. The reviewable decision is a decision which can be reviewed pursuant to s 63 of the ADR Act.

  12. The Tribunal must decide the correct and preferable decision having regard to the material before me which includes any factual material and any applicable written or unwritten law.

  13. In determining this application s 63(3) of the ADR Act provides the Tribunal jurisdiction to consider the following:

‘(a)   to affirm the administratively reviewable decision, or

(b)   to vary the administratively reviewable decision, or

(c)   to set aside the administratively reviewable decision and make a decision in substitution for the administratively reviewable decision it set aside, or

(d)   to set aside the administratively reviewable decision and remit the matter for reconsideration by the administrator in accordance with any directions or recommendations of the Tribunal.’

Preliminary application s 64 of the Civil and Administrative Tribunal Act 2013

  1. On 31 August 2021, the Respondent filed a miscellaneous application for an order pursuant to s 64(1)(a) and/or (c) of the Civil and Administrative Tribunal Act 2013 (‘the NCAT Act’).

  2. The Respondent sets out that the application is made to anonymise the Applicant, whose private health information is contained in documents before the Tribunal. Further, individuals are referred to in those documents, against whom allegations are made not relevant to these proceedings.

  3. The Applicant, while he states an order is not necessary, agrees that the Tribunal should use non-identifiable initials within the published Judgment.

  4. I am satisfied that an order should be made pursuant to s 64(1)(a) prohibiting the disclosure of the names of the individuals in connection with the proceedings.

  5. I make that order.

Did the Respondent breach s 12(c) of the PPIP Act in respect of the accessibility of the H drive?

  1. Relevantly, s 12 of the PPIP Act provides:

‘12   RETENTION AND SECURITY OF PERSONAL INFORMATION

A public sector agency that holds personal information must ensure-

(c)   that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

…’

  1. The Respondent concedes that it holds personal information that an employee stores on its H drive.

  2. In a statement of AA dated 31 August 2021, a Director of the Respondent sets out how NETS staff can search the H drive of other staff members. The Respondent accepts that between February 2017 and May 2018, the network security setting lacked reasonable security such that there was a breach of s 12(c) of the PPIP Act. I accept the evidence of AA that that security failure has now been corrected.

  3. In the Applicant’s written submissions, he contends that there is no breach of s 12(c) of the PPIP Act. He submits:

‘I stand by my claim of ‘breach of privacy’ occurred due to malicious intent. The malicious intent caused the breach and commenced the chain of events. The malicious intent was then continued within the false risk assessment created about me (figure 1.5) regardless if [BB] provides an explanation. If the Manager has properly available information about an employee this should not by any means be used in a malicious manner and in this case it was. Regardless if the risk assessments were implemented against me or not I have proven through submission of evidence that the malicious intent was there.’

  1. I accept the Respondent’s submissions that malicious intent on the part of an employee of the Respondent, even if proved, does not amount to a breach of an IPP. The PPIP Act is not concerned with the intent of a potential breach of an IPP, but rather whether the conduct leads to the prescribed breaches as set out in the Act.

  2. The Respondent has admitted to a breach of s 12(c) of the PPIP Act due to its inadequate security of staff members’ H drive and its contents. I find there has been a breach of s 12(c) of the PPIP Act between the period February 2017 and May 2018. The Tribunal must, therefore, consider what remedy flows because of the breach.

  3. Irrespective of the intent behind the access to this information, the Tribunal is required to examine whether the information accessed was used and if that use contravenes an IPP. If use is established, the Tribunal must examine the significance of that use and how that may affect any remedy available to the Applicant.

  4. As I have already determined this is not a claim under the Anti-Discrimination Act, I reject the theme of the Applicant’s contention that I ought to consider and make findings that relate to the intent of the Manager accessing the H drive. This is not a matter for my consideration in determining whether there has been a breach of the PPIP Act or an IPP.

Was there a breach of the HRIP Act?

  1. As indicated above, the attachments to the internal review application, while not specifically referring to the HRIP Act, implicitly allege a breach of a Health Privacy Principle (‘HPP’), namely, HPP 5(1)(c) (the equivalent of s 12(c) of the PPIP Act), in so far as his mental health information was available to the Manager.

  2. The Respondent submits that there is no breach of HPP 5(1)(c). In reviewing the statement of BB made 30 August 2021, an Associate Director in the human resource area of the Respondent, I find that there is no breach. BB sets out that the Applicant’s Medical Certificate dated 3 August 2016, contained in the H drive, in support of a payment for sick leave would have been available to the Applicant’s Manager as part of the Respondent’s sick leave management procedure. BB states that employees who are absent from work are required to notify their manager of any absence. The reason for absence and estimated length of time must be directed to the manager. An employee must provide a medical certificate to the manager who will approve the leave in the rostering system for payment purposes. The medical certificates are not retained on an employee’s personnel file but are kept by the relevant manager.

  3. I find that an employee’s medical records relating to sick leave for the Applicant, are properly available to the Applicant’s Manager. In those circumstances there is no breach of HPP 5(1)(c) of Schedule 1 to the HRIP Act.

Was there ‘use’ of the Applicant’s personal information for the purposes of sections 16 and 17 of the PPIP Act?

  1. The following provisions of ss 16 and 17 of the PPIP Act are relevant when examining the ‘use’ of information concerning IPPs:

‘16   Agency must check accuracy of personal information before use

A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

17   Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless-

(a)   the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b)   the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c)   the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.’

  1. It is evident that the application of the ‘use’ when examining IPPs requires a ‘use’ of personal information by the public sector agency. ‘Use’ was considered in Director-General Department of Education and Training v MT [2005] NSWADTAP 77 at [44] to mean ‘which involves some administrative action or consequence’. The Tribunal in Jackson v University of NSW [2018] NSWCATAD 12 at [102] said:

‘Mere accessing or viewing information will not constitute a ‘use’, unless the information is also ‘employed’ for some purpose.’

  1. When examining s 17(b) of the PPIP Act, the word ‘collected’ means ‘obtained’ (see MT v Department of Education and Training (2004) NSWADT 194 at paragraph [171]).

  2. The Applicant contends that the ‘use’ was that a draft risk assessment created by the Manager, in the terms set out below, was based on the personal information stored on the Applicant’s H drive. The draft risk assessment in relation to the Applicant included:

‘Based on the alleged incompetent technical ability of EPT, with the insistence of a calibration of a XXYY appeared that the calibration was not completed and rushed, also that it was sent to Biomedical Engineering CHW for review and the review was completed by a mechanical technician at CHW Biomedical Engineering and findings were as follows.’

  1. The Applicant says that the use of the term ‘XXYY’ was obvious, such that there was no piece of equipment being referred to for calibration and that the draft risk assessment was a template to be used against him when required.

  2. The Applicant also contends that the following words written in the risk assessment are an example of the use of his personal information:

‘EPT is known to have had previous mental health emergencies and these should be taken into consideration when discussing issues with him.’

  1. The Applicant contends at no stage was his Manager ever informed by him that he had been admitted to emergency for mental health reasons in the past.

  2. The Applicant contends that the draft risk assessments were undertaken by his Manager with a ‘malicious intent’ designed to engineer his termination or other employment outcome.

  3. The Applicant’s contention is in my view based upon a suspicion that his personal information was used by the Manager to create the draft risk assessment. A mere suspicion is not sufficient to demonstrate ‘use’ in the context of an IPP. The evidence is devoid of a nexus between the Applicant’s personal information (his payslips and credit card statements) being ‘employed’ which in some way involve an administrative action or consequence being the creation by his Manager of the draft risk assessment. Similarly, even if the medical certificate was personal information for the purposes of the HRIP Act, the certificate pre-dates the Applicant’s 2018 hospital admission. There is no evidence that reference in the draft risk assessment to “mental health emergencies” can be linked to the medical certificate or other personal information of the H drive.

  4. I have considered that the draft risk assessments appear to relate to possible employment disciplinary review, or other action, concerning the Applicant and the calibration of unknown equipment. The draft risk assessment does not refer to any of the personal information which was contained in his H drive that could amount, in my view, to a ‘use’ of that personal information.

  5. As indicated above, the Applicant’s contention that I should take into consideration alleged malicious intent by his Manager, is not a factor in which I am to determine these proceedings.

  6. For these reasons I find that there is no evidence to suggest that the draft risk assessments were ‘employed’ against the Applicant in a way involving some administrative action or consequence.

  7. I also find that the copying of the Applicant’s personal information on the H drive does not constitute a ‘use’ unless the information was employed for some purpose or was involved in some administrative action or consequence. Despite the Applicant’s suspicion, the evidence before me does not reveal that the Applicant’s personal information (being payslips and credit card statements) which was copied by the Manager was in any way involving some administrative action or consequence.

  8. I further find that the copying of the Applicant’s personal information does not of itself constitute a ‘use’ of that information for the purposes of the ‘use’ of IPPs.

  9. For completeness, the Applicant includes in his evidence documents relating to the theft of his identity. Correspondence is provided from Equifax, a purported credit agency, reporting a credit ban requiring his attention. The Applicant also received an email from the Applicant to Equifax indicating that he had been a victim of a fraud and that he received a letter stating he had applied for a credit card with a $10,000 limit of which he had no knowledge. The Applicant also provided undated COPS event reports that, he contends were reports made by him about personal identity theft. I note that the email to Equifax is dated 22 October 2019, a period of some 2 years after the events concerning his personal information being copied on the H drive.

  10. While it may be coincidental and certainly unfortunate that the Applicant has been a victim of fraud, there is no evidence before me which establishes the use of his personal information by the Respondent concerning identity theft and fraud as contended by the Applicant.

  11. I find the evidence is insufficient to establish such a use.

What remedy should follow?

  1. When reviewing the conduct of a public service agency s 55(2) of the PPIP Act is apposite. Sections 55(2), (3) and (4) provide:

‘(2)   On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders-

(a)   subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b)   an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c)   an order requiring the performance of an information protection principle or a privacy code of practice,

(d)   an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e)   an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f)   an order requiring the public sector agency not to disclose personal information contained in a public register,

(g)   such ancillary orders as the Tribunal thinks appropriate.

(3)   Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.

(4)   The Tribunal may make an order under subsection (2) (a) only if-

(a)   the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and

(b)   the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.’

  1. I am also able to make orders pursuant to the powers conferred by s 63 of the ADR Act.

  2. The Applicant seeks the following redress, which I have adopted using the same heads as referenced by the Applicant.

Compensatory damages

  1. In Annexure 3.1 to the Applicant’s written submissions he seeks the following compensation:

| Item | Rate or quantity | Amount |
| --- | --- | --- |
| Net wages per hour/year | $42.00 | $90,000.00 |
| Sick leave days per annum | 10 | $3,200.00 |
| Annual leave days per annum (10 plus years) | 25 | $8,000.00 |
| On call allowance per fortnight | $220.00 | $5,800.00 |
| Superannuation per annum | 9% | $8,100.00 |
| Superannuation per annum growth portfolio | 10% | $810.00 |
| Additional expenses: | | |
| Public liability per annum | | $1,000.00 |
| No longer having workers compensation - Accident and sickness per annum | | $1,600.00 |
| Psychological damages 85% of wage per annum for 5 years | | |
| Mental health and psychology | | $76,500.00 |
| Annual CPI | 2.5% | $2,675.00 |
| Years until retirement | 34 | |
| Total loss per annum | | $31,185.00 |
| Total loss | | $1,060,290.00 |
| Total psychological damages | | $382,500.00 |
| Total compensation | | $1,442,790.00 |

  1. I am constrained pursuant to the provisions of s 55(2)(a) in making an order requiring a public sector agency to pay compensation which must not exceed $40,000. The claim by the Applicant exceeds the jurisdictional limit of damages which can be awarded to him.

  2. Relevantly, s 55(4) provides that the Tribunal can only make an order for compensation where I am satisfied the Applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.

  3. In accordance with a number of decisions of this Tribunal and its predecessor, the Administrative Decisions Tribunal, I must find that the alleged loss and harm was because of, or caused by, the contravening conduct of the agency (see BVS v Sydney Local Health District [2015] NSWCATAD 171 at [77]; HP v Hunter New England Area Health Services [2009] NSWADT 186 at [43]; AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179 at [29]).

  4. I accept the Respondent’s submissions that the contravening conduct is not the workplace dispute between the Applicant and the colleague or the Applicant’s view of the Respondent’s conduct of that dispute. The Applicant’s alleged financial or psychological loss can only be considered, in the context of the offending conduct of the Respondent, being the accessibility of his personal information on the H drive to other NETS employees, including the Manager.

  5. It is trite to say that damages under s 50(2)(a) of the PPIP Act are compensatory. They are not punitive. The purpose of damages is to return the Applicant, as best as possible, to the position he was in but for the breach. In doing so, the Tribunal is constrained by the maximum damages it can award as set out in s 55(2)(a).

  6. The Applicant bears the onus of establishing a causal link between the conduct of the Respondent amounting to a breach of his privacy and the damage suffered. The common law test of causation is that if the agency’s breaches ‘materially contributed’ to the loss or damage suffered, it will be regarded as a cause of the damage or loss, despite other factors or conditions having played an even more significant role in producing the loss or damage. As long as the breach materially contributed towards the damage, a causal connection will ordinarily exist even though the breach without more would have not brought on the damage (see CYH v Family and Community Services [2018] NSWCATAD 84 at [94] to [96]).

  7. The damages claim by the Applicant for, what is essentially, a loss of future income is rejected. The Applicant has not established that him leaving his employment with NETS was as a direct consequence of the contravening conduct. Further, there is no evidence to establish that because of the breach, the Applicant is unable to continue to work in any capacity. Such a causal connection is essential for an award to be made. For completeness, even if the evidence led to a finding that damages could have been awarded for economic loss, I also find that the Applicant’s claim far exceeds the jurisdictional limit of what could have been awarded, being $40,000.

Financial harm

  1. At 4.3 of the Applicant’s bundle, he evidences a financial loss of $1,500 paid to a firm of solicitors to obtain counselling records in support of his claim for compensation in these proceedings. The recovery of these costs amounts to an award for costs and disbursements in the context of s 60 of the NCAT Act. An award for costs and disbursements is only granted in ‘special circumstances’ warranting such an award as set out in s 60(2) of the NCAT Act. I am not satisfied that there are special circumstances which would warrant such an order. The default position set out in s 60(1) of the NCAT Act, therefore, applies. The default position is that each party to proceedings in the Tribunal is to bear its own costs.

  2. I, therefore, reject the claim for financial harm in the amount of $1,500.

Psychological harm

  1. At 5.1 of the Applicant’s bundle is a collection of hospital and progress notes from the South Western Local Health District - Campbelltown Hospital concerning an admission to hospital on 20 July 2018. The Applicant relies upon these documents to support his claim that the Respondent’s conduct caused or led to a significant decline in his mental health. In his oral submissions the Applicant said that the only evidence before the Tribunal in relation to this head of damage is the hospital notes found at 5.1 in his bundle.

  2. It is evident on reviewing the hospital notes that ‘work stressors’ played a significant role in the decline in the Applicant’s mental health. The records include numerous references to workplace bullying and harassment.

  3. The hospital notes record the admission relating to the Applicant receiving the email on 19 July 2018 notifying him the outcome of his complaint. I note that this email did not refer to any outcome concerning the Applicant’s complaint about the H drive. The hospital notes include reference to the Applicant experiencing financial stress and other stressors, including those relating to his family.

  4. The Applicant has not provided any expert evidence that one might usually find in a claim for psychological harm. There is no expert evidence concerning a specific causal link between the contravening conduct and a recognised psychological injury. However, I am satisfied that the Applicant’s evidence alone and his presentation to hospital, establishes that he experienced distress and a fear of what use, or other repercussions may result from the Respondent’s conduct, including his complaint about the H drive and the use of his personal information. I have also considered that the Respondent did not make a decision about the H drive complaint until 8 January 2019, a few weeks before the Applicant left the employ of NETS. The delay in making a decision contributed to his distress.

  5. I find there is insufficient evidence to demonstrate that the contravening conduct of the Respondent, solely caused the harm (see EMF v Cessnock City Council [2021] NSWCATAD 2019 at [73], [77]). However, I find that the Applicant had a real suspicion, distrust and fear that the subject conduct of the Manager, was part of the Respondent’s desire to manage him out of the organisation and this was a factor which materially led to the 2018 hospital admission and ongoing distress and harm.

  6. I find that the contravening conduct of the Respondent led to an increased distrust of the Respondent by the Applicant and him not feeling safe whilst at work, which in turn caused him harm.

  7. I reject the Respondent’s argument that the Applicant has not demonstrated that the Respondent’s breach of s 12(c) of the PPIP Act was a material contributor to the stress exhibited by him. Whilst the counselling notes at 4.1 of the Applicant’s bundle do not specifically demonstrate that the main issue of his counselling related to the Respondent’s breach, where there is a combined set of factors that each contribute to his emotional state, it is not for the Tribunal to unscramble that egg. I accept the Applicant’s written submissions in relation to the stress and anxiety experienced because of the breach, which warrants a finding of an award of damages because the breach was a material factor contributing to his stress and anxiety.

  8. The requirement in s 55(4) of the PPIP Act is met.

  9. In making this finding, I am mindful of the Appeal Panel’s decision in Roads & Maritime Services v AF; AF v Roads & Maritime Services [2011] NSWADTAP 63 at [38] where the Appeal Panel stated:

‘The Tribunal should be cautious in allowing the hearing process in privacy cases to be used as a collateral way of revisiting the justification of the particular administrative decisions and the particular administrative processes to which the personal information transactions were regarded as relevant.’

  1. In determining quantum, I have considered that the breach is not the only factor which has caused the Applicant’s distress, but none the less it was material. The Applicant did not provide any independent expert evidence as to the extent and impact of the breach on his mental health. I have taken into consideration the concessions made by the Respondent that the Applicant ought to be entitled to an award of damages that result from the breach, noting the limitations I should consider in assessing quantum which have been set out in the Respondent’s written submissions.

  2. I have considered that although the letter the Applicant received from the Respondent dismissing his related employment complaint, while not relating to the H drive complaint, the conduct was a contributing factor that led to his admission to hospital with assistance of the police. The hospital records note that the admission was on a background of suicidal ideation, relating to, inter alia, stressors at work. One of those stressors is the copying of his personal information from the H drive. I have also considered the length of time the Respondent took to determine the Applicant’s complaint about the H drive.

  3. It is well established in common law that when assessing damages, the ‘eggshell skull’ rule is apposite. As the Applicant was clearly predisposed to mental health issues, it is reasonable in my view to take into consideration that the subject breach may have had a more significant effect on EPT than the ordinary person without such a predisposition.

  4. I note and have considered the various decisions concerning an award of compensation which are set out in paragraph 67 of the Respondent’s written submissions.

  5. An award of damages is discretionary, and I find, having considered the nature and effect of the Respondent’s conduct which in part led to his admission to the emergency department on a background of suicidal ideation, the length of time the Respondent took in resolving his complaint about the H drive and in considering and applying the parameters as set out in s 55(2)(a) of the PPIP Act, EPT is to be awarded the sum of $10,000.

  6. I also find that the Applicant is to be provided with an unreserved written apology addressing and apologising for the Respondent’s breach of s 12(c) of the PPIP Act as identified in these Reasons for Decision and for all distress and harm caused to the Applicant as a result.

Orders

  1. Pursuant to s 64 (1)(a) of the Civil and Administrative Tribunal Act 2013, the name of any person (whether or not a party to proceedings in the Tribunal or a witness summoned by, or appearing before, the Tribunal) is prohibited.

  2. The decision made by the Respondent on 5 March 2021, is set aside.

  3. In substitution thereof, the Respondent breached s 12(c) of the Privacy and Personal Information Protection Act 1998 by failing to secure the applicant’s personal information between February 2017 to May 2018.

  4. Within 28 days, the Respondent is to provide to the Applicant an unreserved written apology addressing and apologising for the Respondent’s breach of s 12(c) of the Privacy and Personal Information Protection Act 1998 as identified in these Reasons for Decision and for all distress and harm caused to the Applicant as a result.

  5. Within 28 days, the Respondent is to pay the Applicant the sum of $10,000.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 28 April 2022

Cases Citing This Decision

GXU v Sutherland Shire Council [2025] NSWCATAD 227
EJX v University of Newcastle [2023] NSWCATAD 228
FMM v Insurance and Care NSW [2023] NSWCATAD 114