FH v Commissioner, New South Wales Department of Corrective Services
[2003] NSWADT 72
04/07/2003
CITATION: FH -v- Commissioner, New South Wales Department of Corrective Services [2003] NSWADT 72
DIVISION: General Division
PARTIES:
APPLICANT: FH
RESPONDENT: Commissioner, New South Wales Department of Corrective Services
FILE NUMBER: 013233
HEARING DATES: 21/02/2003
SUBMISSIONS CLOSED: 02/21/2003
DATE OF DECISION: 04/07/2003
BEFORE: O'Connor K - DCJ (President)
APPLICATION: Privacy - information protection principle - personal information - alteration of
MATTER FOR DECISION: Principal matter
LEGISLATION CITED:
Crimes (Administration of Sentences) Act 1999
Crimes (Administration of Sentences)(Correctional Centre Routine) Regulation 1995
Privacy & Personal Information Protection Act 1998
State Records Act 1998
CASES CITED:
REPRESENTATION:
APPLICANT: In person
RESPONDENT: P Singleton, barrister
ORDERS: Orders made on 21 February 2003; 1. Application dismissed.
1 The applicant has filed an application for review of the conduct of a public sector agency pursuant to s 55 of the Privacy and Personal Information Protection Act 1998 (PPIPA). The public sector agency is the Department of Corrective Services.
2 Part 5 of PPIPA deals with the review of certain conduct of public sector agencies in respect of their handling of personal information. Part 5 applies to three types of ‘conduct’, the first of which is relevant to this case, i.e. ‘the contravention by a public sector agency of an information protection principle [IPP] that applies to the agency’: s 52(1)(a). A person who is aggrieved by ‘the conduct of a public sector agency’ may seek a review of that conduct, first by the agency (see s 53, and this is called ‘internal review’), and if dissatisfied with the results of that review, may seek review of the conduct by the Tribunal (s 55). A public sector agency that receives a request for internal review must advise the Privacy Commissioner, and the Commissioner has various powers enabling his office to become involved in the resolution of the matter (s 54). The Tribunal must notify the Privacy Commissioner of any application to it, and the Commissioner has a right to be heard and appear in any proceedings before the Tribunal (s 55). The Commissioner has exercised that right in this case.
3 The powers of the Tribunal are set out in s 55(2), as follows:
- ‘(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to restrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.’
4 The applicant is a former prison inmate. After serving a part of his sentence, his conviction was set aside, and there was an order that he not be retried. The applicant is aggrieved that information about him continues to be held in the active part of the computerised Offender Management System (OMS), operated by the Department in connection with the management of the prison population. He wishes to have the information removed from circulation, and ‘deleted’.
5 In accordance with the procedure set down by PPIPA, the applicant complained to the Department. The complaint was the subject of an internal review determination dated 21 November 2001. (The present application for external review of the conduct was filed prematurely on 3 October 2001.)
6 In its determination the Department referred to cl 21 of the Crimes (Administration of Sentences) (Correctional Centre Routine) Regulation 1995 (the Regulation) as providing the legal authority for collection of personal information on inmates sentenced to full-time custody in New South Wales correctional centres. The determination also referred to the obligations cast on public sector agencies by the State Records Act 1998 (the State Records Act) to protect and preserve records, and the possibility of penalties being imposed for their destruction where intentional and not permitted by law.
7 The determination acknowledged that at the time of the applicant’s original application to have his records removed from the system, there was a provision in force (cl 23 of the Regulation, since repealed) which provided for the destruction of the records of unconvicted inmates. This provision was seen as not applicable to the present case, as the applicant had been convicted, even though the conviction was quashed on appeal. The determination then gave various reasons as to why it was desirable to retain the record, including that there is an obligation at law to ensure that the record is retained.
8 This observation appears to be an allusion to the State Records Act requirements. It may be an overstatement of the position. At some point it may become necessary to reconcile the privacy protections conferred by PPIPA with the provisions of the State Records Act; but that task is not necessary in this case.
9 The applicant was dissatisfied with the outcome of the case, and made the present application. Following planning meetings held in 2002, and a mediation session (undertaken by a Tribunal mediator) which was unsuccessful, the application for review of the conduct by the Tribunal was heard on 21 February 2003. At the conclusion of the hearing the Tribunal decided not to take any action on the matter and accordingly dismissed the application, with fuller reasons to be published later. The reasons follow.
10 In its submissions to the planning meetings and at hearing, the Department acknowledged that information about the applicant continued to be held in its inmates record system. The records are divided into Inmate Records and Ex-Inmate Records.
11 There is a manual system and a computerised one. For day-to-day operational purposes, the computerised system is the significant one. They are held on the one database and are accessible to officers of the Department in accordance with Departmental policies.
12 In his application for review the applicant asserted that the information about him was held in contravention of various IPPs.
13 The applicant claimed that the continued holding of any information about his time in the custody of the Department contravened s 12(a) and s 12(c) of the Retention and Security IPP which provides relevantly to this case:
- ‘12. Retention and security of personal information
A public sector agency that holds personal information must ensure:
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b)
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) .’
14 The Department in the course of the planning meetings, and in light of the concerns expressed by the applicant, gave a commitment to remove the manual record relating to the applicant from its manual system, seal it, and mark it only to be opened by certain authorised officers, and for a record to be kept of any occasions on which it was opened (see Ex B in these proceedings). This is a practical measure which should provide a high level of security for the manual record and protect the applicant against unauthorised use or disclosure of the contents of the record.
15 The situation in relation to the computerised record which remains in the active system is discussed below.
16 The applicant also referred in his submissions to the Correction Information Protection Principle, s 15 which provides:
- ‘15. Alteration of personal information
(1) A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:
(a) is accurate, and
(b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
(3) If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.’
17 The records held in relation to the applicant, in particular the computerised record, were not put into evidence. Therefore the Tribunal has proceeded on the basis that the computerised record is of a standard kind that conforms with the evidence given by a senior officer of the Department, Mr Guy, Director of Sentence Administration (affidavit, Ex A in the proceedings) and that form part of the Department’s OMS. It is clear that there is no difference between an Inmate and Ex-Inmate Record as far as its substantive content is concerned, except that the latter will include discharge information.
18 The Director of Sentence Administration is considered by the Department to be the owner or custodian of the inmate information in issue in this case. He is a regular user of the kind of information in issue, and he is a member of the Department’s information technology security committee.
Retention Now
19 IPP s 12(a) provides that a public sector agency that holds personal information must ensure that the information is kept for ‘no longer than is necessary for the purposes for which the information may lawfully be used’. The first issue is whether the record has been held for longer than necessary having regard to the purposes for which it may be lawfully used.
20 Mr Guy’s evidence was that all inmate records (present and past) are stored in the one database which is in constant use, as prisoners come in and move around the correctional system. The main protection that is afforded to the ex-inmate data is through access restrictions. Fewer officers are permitted to access ex-inmate data.
21 The applicant’s basic contention is that a record should not be retained at all once a prisoner leaves the system, especially one whose conviction has been quashed. In the alternative, he submitted that the record should at least not be retained in the active system.
22 There is in my opinion no doubt that ex-inmate records need to be retained. Mr Guy gave a number of cogent justifications for the need to continue to hold inmate records after a prisoner has left the system (including those who have spent some time in custody but are acquitted or subsequently have their conviction set aside).
23 The justifications include the need to have a record in the event that it is sought later in connection with litigation over events that occurred when in prison; as an intelligence resource in the event that police need to enquire as to who the prisoner’s cell mates, associates or visitors were during the period in custody; and in the event that it is necessary for the prisoner to establish that he or she was in prison at a particular time (as in an alibi defence). It may also be necessary to take account of information about past custody in the event that the former inmate re-enters the system – for classification purposes and the like. These are all substantial reasons for retaining such records. See also the Policy on Disclosure of Information (Annexure C to Mr Guy’s affidavit, Ex A).
24 This applicant’s record only goes back a few years. At this point, it cannot, in my view, be reasonably argued that the record has been held beyond a reasonable time having regard to the purposes outlined. Mr Guy acknowledged in evidence that at some point a policy will need to be developed as to retention of ex-inmate records.
25 He said that ex-inmate records had been stored in the computerised system from when it was established in 1987. The first such system had operated from 1987 to 1997. A second system was now in operation. A third system was planned to commence in the near future.
Lack of Differentiation in Treatment of Ex-Inmate Records
26 As noted, the applicant’s alternative submission is that if his ex-inmate record is retained, it should be removed from the active system. IPP s 12(c) provides that personal information is to be protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse. The applicant refers to IPP s 12(c) and argues that the safeguards are insufficient to protect the records against unauthorised use and disclosure. He points to the possibility that people with access to the inmate records can easily obtain access to the ex-inmate records.
27 The Department has acknowledged that it would be preferable that the ex-inmate information be held in a less active environment. Mr Guy said that much more limited ex-inmate information will be held in the active environment of the new system (inmate’s name, date of birth and MIN [Master Index Number] number). The remaining data will be stored in an archival form. Mr Guy explained that the more limited information would only be accessible to certain authorised officers at head office. It would not be accessible at other locations. This is a strengthening of security safeguards as compared to present practice.
28 IPP s 12(c)’s injunction is that ‘such security safeguards’ be taken ‘as are reasonable in the circumstances’. Had the Department been doing nothing to address the issue of differential treatment highlighted by this case, it may well be that the Tribunal would have formed the view that the present security safeguards in respect of ex-inmate data are insufficient. But steps are being taken to address the issue, and in the circumstances I consider that the appropriate response is for the Tribunal to take no further action in relation to this aspect of the complaint. It is not therefore necessary to reach a conclusion on whether present practice amounts to a contravention.
29 In examining security issues, some recognition must, I consider, be given to the evolutionary character of security practices, especially in a major operational environment (such as the one under notice here). The Department is at an advanced stage in moving to the new system.
30 If the Department fails to implement the new security controls on ex-inmate records in the timeframe promised (12 months), then it may be that the Tribunal on a future action would form a different view as to compliance with the IPPs.
General Inadequacy of Security Policy
31 The applicant’s next objection relates to the same principle, IPP s 12(c) but is broader in scope.
32 It is to the effect that the security policy and practices of the Department do not possess safeguards that are reasonable in the circumstances in respect of loss, unauthorised access, use, modification or disclosure, and against all other misuse (s 12(c)). The Security Policy presently in force, issued 1 November 2001, is annexure B to Mr Guy’s affidavit.
33 The Security Policy produced by Mr Guy was a comprehensive one, and on its face, seeks to deal appropriately with a range of security risks.
34 As to the Department’s practices, the applicant did not produce any evidence to suggest that there were any practical safeguards problems. He referred to experiences he said he had when in prison over the use of data on the system in inappropriate ways. He referred to publicised cases of corrupt access to data by prison officers, referring specifically to a case in South Australia. This is not evidence in any meaningful sense.
35 He asked that he be allowed to have an outside expert enter the Department and inspect its operations. There is in my view insufficient material to suggest that an investigation of this kind be permitted by the Tribunal, if it has in fact such a power (a matter which counsel for the Department questioned). I note that there are powers to conduct investigations and inquiries available to the Privacy Commissioner: see generally, PPIPA, Part 4, Div 2.
36 Mr Guy gave helpful oral evidence expanding on his affidavit. Some issues of concern to the Tribunal emerged in the course of that evidence, in particular: (1) the possibility of casual oversighting of the data on screens by persons not authorised to sight the data who happen to be in the vicinity of the screen (those persons include other employees working in the same area – they, of course, would remain subject to public service and other disciplines if they misused the information – and, more problematically, prisoners who perform duties within the work area); and (2) the lack of logging of uses of the system by authorised officers (a matter that the Tribunal was informed is not likely to be addressed in the final design of the new system).
37 In the two areas mentioned above, the system is, as I see it, less than adequate. The Department has recognised casual oversighting of ex-inmate data as a problem. It is to be addressed, as I understood Mr Guy’s evidence, by the centralisation of access to that data and the restriction of access to a limited number of officers for limited reasons. This is an appropriate response to the problem.
38 At hearing, I indicated that casual oversighting by serving prisoners would seem to be a particular problem. There is, of course, great value in prisoners being given to perform useful work while in custody, and that should include clerical work. There was no evidence before me in this case as to what protocols or procedures were adopted to ensure that the prisoners selected to work in connection with prisoner information could be trusted to undertake that work, and as to what disciplines applied to the misuse of any information especially after release (Mr Guy did refer to prosecution under Crimes (Administration of Sentences) Act 1999, s 257 (unauthorised disclosure of information obtained under Act)). These are issues that might fall to be addressed more closely on a future occasion.
39 The most significant continuing problem, as I see it, is the absence of arrangements to keep a record (a log) of who inside the administration is using the records, when and for what purpose. This case is about ex-inmate records. It is not necessary on this occasion to form any view on the absence of logging in respect of the inmate records. As to the ex-inmate records, the steps being taken by the Department to restrict access to these records in the way described by Mr Guy would appear to provide an opportunity to introduce logging of those records. They will be relatively separated, as compared to the present, from the active record system.
40 As to the general issue of logging, a matter that had been discussed at the planning meetings, Mr Guy’s evidence at para [15] of his affidavit was that:
- ‘The OMS does not currently have the capacity to identify users who have accessed offender information. Consideration was given to this issue in the late 1990s. However, it was found that in order to make the system capable of logging users in this way, the OMS would need to be almost entirely re-programmed and the cost would be millions of dollars. The costs were considered to be excessive and so no formal evaluation or costing were undertaken.’
41 These shortcomings in the system as they relate to ex-inmate data (the matter in issue in this case) could not, I consider, reasonably justify the conclusion that viewed overall the security system lacks adequate safeguards. It is not, as I see it, necessary to show that the security policies and practices are perfect or ideal in every respect. Where there are shortcomings, they have to be weighed in the balance alongside those aspects that are satisfactory. The significance of the shortcomings needs to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of the persons whose data is secured, and the potential gravity of the consequences of any intrusion if it were to occur.
42 The applicant did not challenge the accuracy of the record per se. The applicant’s argument was a general one, to the effect that his record should be ‘deleted’ from the system because it was not lawful to continue to hold it. The applicant’s argument relies on IPP s 15(1)(b), which requires that a record be ‘relevant, up to date, complete and not misleading’ having regard to the purpose for which it was collected and any directly related purpose. This argument revisits essentially the same points that I have dealt with earlier in these reasons in connection with IPP s 12. For the same reasons, it is rejected.
43 The original purpose for the collection of inmate information is to assist in ensuring the orderly management of their period in custody. This was clearly explained by Mr Guy. The reasons for keeping the record after the prisoner leaves include ones that can, in terms of IPP s 15, be reasonably described as ‘directly related purposes’ (the possibility of return to the system, later inquiries as to the whereabouts of the prisoner at particular times). It is a commonplace feature of all institutional record keeping (take hospitals, schools and universities as examples) that records of attendance and participation in the system by individuals have to be kept for a long time after the person leaves the institution for a range of purposes including purposes that are directly related to the purpose for which the person entered the institution in the first place. It may be that there can be staged removals of data fields as time passes so as to meet the requirement of ‘relevance’. Practices of this kind are more easily able to be pursued in a computerised environment; as distinct from a manual environment. It is not necessary on this occasion to explore closely that topic.
44 There is no basis for concluding that any further action should be taken at present by the Department to meet the applicant’s concerns.
Order
1. Application Dismissed.