FMH v Cumberland Council

Case

[2022] NSWCATAD 293

30 August 2022

No judgment structure available for this case.

Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: FMH v Cumberland Council [2022] NSWCATAD 293
Hearing dates: 18 January 2022
Date of orders: 30 August 2022
Decision date: 30 August 2022
Jurisdiction:Administrative and Equal Opportunity Division
Before: A Christie, Senior Member
Decision:

(1) Pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (CAT Act) the publication of the name of the applicant and any of the witnesses in these proceedings or reference to any information, picture or other material that identifies any of those persons or is likely to lead to the identification of any of those persons is prohibited.

(2) Pursuant to s 64(1)(c) CAT Act the publication by other than the Applicant of the evidence and submissions of the parties filed with the Tribunal or otherwise served on either party in these proceedings (including the matters contained in such) is prohibited.

(3) A further hearing in relation to the joined HRIP Act AR Application (i.e. the Health Case) and the Applicant's Application for Miscellaneous Matters dated 6 July 2022 is dispensed with under s 50 of the CAT Act.

(4)   The internal review decision of the Respondent is set aside.

(5)   Within 21 days of the Applicant providing their bank account (or other acceptable payment method) details to the Respondent, the Respondent is to pay the Applicant $12,500 as compensation for the harm and loss suffered by the Applicant as a result of the Conduct of Concern.

(6)   Within 21 days of the date of these Reasons for Decision the Respondent is to provide an unreserved formal written apology to the Applicant signed by the Mayor of Cumberland City Council addressing and apologising for the Respondent's breaches of IPPs 5,10, 11 and 12 and HPPs 4, 5, 10 and 11 in respect of the personal, health and IPP 12 restricted information of the Applicant, as identified in these Reasons for Decision, and for all harm, distress, loss and embarrassment caused to the Applicant resulting from such.

(7)   Within 21 days of the date of these Reasons for Decision the Respondent is to perform IPPs 5 and 12 and HPP 5 by:

(a)   for all copies (digital and hard copies) of the Personal and Health Information provided to each of the Witnesses, redacting from or retrieving all of the personal and health information which each Witness does not (or in the case of these proceedings no longer) require for their evidence. For example, all of the Personal and Health Information not referred to in their witness statement or reasonably required for them to give their evidence and all of the IPP 12 restricted information disclosed to all non-employee witnesses must be redacted from what was provided to them or retrieved by the Respondent and appropriate security safeguards are implemented to satisfy the Respondent that none of the Witnesses retain or have misused any of that information;

(b)   in relation to any personal and/or health information about the Applicant in the Personal and Health Information to be retained by the Witnesses (and any IPP 12 restricted information to be retained by the employee witnesses), implementing such administrative measures necessary to ensure that the Applicant's personal, health and/or IPP 12 restricted information is protected by taking such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure and against all other misuse (which steps might include an appropriate confidentiality or non-disclosure agreement with each of the Witnesses); and

(c)   for all other and any future proceedings involving FMH, implementing such administrative measures necessary to ensure that FMH's IPP 12 restricted information is not disclosed except as permitted by IPP 12 and FMH's personal and/or health information used or disclosed in relation to any such proceedings is protected by taking such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure and against all other misuse of that information (which includes use contrary to IPP 10 and HPP 10 and disclosure contrary to IPPs 11 and 12 and HPP 11).

(8)   Within 45 days of the date of these Reasons for Decisions the Respondent is to perform HPP 4 including by implementing such:

(a)   training, awareness raising and safeguards; and

(b)   administrative measures,

necessary to ensure that in respect of health information about FMH collected by the Respondent relating to any internal or external administrative review and related proceedings the Respondent takes such steps as are reasonable in the circumstances to ensure that FMH is aware of the matters noted in HPP 4(1).

(9)   Within 45 days of the date of these Reasons for Decisions the Respondent is to perform HPP 10 and IPP 10, in relation to all health and/or personal information about FMH held by the Respondent as a result of or in relation to any administrative reviews or resulting proceedings, including by implementing such:

(a)   training, awareness raising and safeguards; and

(b)   administrative measures,

necessary to ensure the Respondent will, having regard to the purpose for which FMH's health and/or personal information is collected, ensure that all of that health and/or personal information about FMH not reasonably required by any employee as a witness for the scope of their evidence is only used in compliance with, as relevant, HPP 10 or IPP 10.

(10)   Within 45 days of the date of these Reasons for Decisions the Respondent is to perform HPP 11 and IPP 11, in relation to all health and/or personal information about FMH held by the Respondent as a result of or in relation to any administrative reviews or resulting proceedings, including by implementing such:

(a)   training, awareness raising and safeguards; and

(b)   administrative measures,

necessary to ensure the Respondent will, having regard to the purpose for which FMH's health and/or personal information is collected, ensure that all of that health and/or personal information about FMH not reasonably required by any non-employee as a witness for the scope of their evidence is only disclosed in compliance with, as relevant, HPP 11 or IPP 11.

Catchwords:

ADMINISTRATIVE REVIEW – Privacy and Personal Information Protection Act – IPPs 5, 10, 11 and 12 – Health Records Information Protection Act – HPPs 2, 4, 5, 6, 10 and 11 – s 25(b) PPIP Act and exemption from compliance with IPPs – HPPs 5(2), 10(2) and 11(2) and exemption from compliance with relevant HPPs – unsolicited information and holding of the information for the purposes of IPPs 10 and 11 and HPPs 10 and 11 – assessing the level of compensation appropriate for the exacerbation of existing psychological conditions and financial losses

Legislation Cited:

Administrative Decisions Review Act 1997

Civil and Administrative Tribunal Act 2013

Health Records and Information Privacy Act 2002

Privacy Act 1988 (Cth)

Privacy and Personal Information Protection Act 1998

Privacy (Tax File Number) Rule 2015 (Cth)

State Records Act 1998

Cases Cited:

AIN v Medical Council of New South Wales [2017] NSWCATAP 23

ALZ v Workcover NSW (No 2) [2014] NSWCATAD 122

AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179

APV v Department of Finance and Services [2016] NSWCATAD 168

CEU v University of Technology Sydney [2018] NSWCATAD 13

CJU v SafeWork NSW [2018] NSWCATAD 300

CPJ v The University of Newcastle [2017] NSWCATAD 350

DED v Randwick City Council [2017] NSWCATAD 327

Department of Education and Training v GA (No 3) [2004] NSWADTAP 50

Department of Education and Training v ZR (No 2) [2009] NSWADTAP 44

Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409

DRX v City of Canada Bay Council [2020]

DTN v Commissioner of Police (No 3) [2020] NSWCATAP 73 (DTN No 3) at [105]

DTN v Commissioner of Police (No 3) [2020] NSWCATAP 73 (DTN No 3) at [105]

DTN v Commissioner of Police (No. 3) [2020] NSWATAP 73

DTN v Commissioner of Police [2022] NSWCATAD 134

EEC v Federation Council [2020] NSW CATAD 169 EMF v Cessnock City Council [2021] NSWCATAD 219

EQ v Office of the Australian Information Commissioner (Freedom of Information) [2016] AATA 785

EQH v Health Administration Corporation [2021] NSWCATAD 215

GR v Department of Housing [2003] NSWADT 268

Insurance and Care NSW v EEH [2021] NSWCATAP 350

JD v NSW Medical Board (No. 2) [2006] NSWADT 345

KT v Sydney Local Health Network [2011] NSWADT 171

March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506

Nasr v State of New South Wales (2007) NSWCA 101

NK v Northern Sydney Central Coast Area Health Service (No. 2) [2011] NSWADT 81

Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4

RD v Department of Education and Training [2005] NSWADT 195

Ritson v Commissioner of Police [2022] NSWCATAP 223

State of New South Wales (Justice Health) v Dezfouli [2008] NSWADTAP 69

SW v Forests NSW [2006] NSWADT 74

WT v Auburn Council [2007] NSWADT 253

ZR v Department of Education and Training (GD) [2010] NSWADTAP 75 (ZR)

Texts Cited:

Nil

Category:Principal judgment
Parties: FMH (Applicant)
Cumberland Council (Respondent)
Representation: Solicitors:
Applicant (Self-represented)
Storey & Gough (Respondent)
File Number(s): 2021/00205873 and 2021/00354501
Publication restriction:

Pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 the publication of the name of the applicant in these proceedings or reference to any information, picture or other material that identifies any of those persons or is likely to lead to the identification of any of those persons is prohibited.

Pursuant to s 64(1)(c) CAT Act the publication by other than the Applicant of the evidence and submissions of the parties filed with the Tribunal or otherwise served on either parties in these proceedings (including the matters contained in such) is prohibited.

REASONS FOR DECISION

  1. In these Reasons for Decision the name of the Applicant has been anonymised and some details genericised so as to preserve the privacy of their personal affairs. The Applicant is referred to as “FMH” or “the Applicant”. While in separately initiated proceedings (now joined together with this proceeding) a different identifier was given to the Applicant, I have used "FMH" or "the Applicant" throughout to refer to the Applicant in the joined proceedings. I have also limited my discussion of the evidence in order to limit the possibility that the identity of the Applicant and the witnesses might be revealed.

  2. On 19 July 2021 the Applicant filed an application for administrative review by the Tribunal (AR Application) under ss 53(6) and 55 of the Privacy and Personal Information Act 1998 (PPIP Act). The conduct of concern the subject of the AR Application was detailed in the Applicant's request for an internal review submitted to the Respondent on 17 May 2021 (IR Request). In the IR Request the Applicant states that the conduct of concern related to the use, disclosure and security of certain of the Applicant's personal information under the PPIP Act and health information under the Health Records and Information Privacy Act 2002 (HRIP Act).

  3. Despite the express reference in the IR Request and the Tribunal's understanding that it and the AR Application related to alleged breaches of both the Information Privacy Principals (IPPs) under the PPIP Act and the Health Privacy Principles (HPPs) under the HRIP Act arising from the conduct of concern, the Applicant was concerned that the IR Request and resulting AR Application may be taken to solely relate to the IPPs. As a result of that concern, on 10 October 2021 the Applicant filed another request for internal review as regards alleged breaches of the HPPs in relation to the same conduct of concern as detailed in the IR Request (HRIP Act IR Request).

  4. The HRIP Act IR Request was the basis of a separate application for administrative review by the Tribunal filed on 14 December 2021 (HRIP Act AR Application) resulting in separate proceedings under the case number 2021/00354501 (Health Case).

  5. As a result of a directions hearing on 1 March 2022 and the Tribunal's Orders of 3 March 2022 requesting relevant submissions of the parties, by consent of the parties the Health Case and the original proceeding relating to the AR Application were joined together with all evidence, submissions and materials filed in either proceeding to be available to both and these joined proceedings.

  6. On 6 July 2022 the Applicant submitted an Application for Miscellaneous Matters requesting a non‑publication/non‑disclosure order for any text in these Reasons for Decision that could be used to identify and/or target the Applicant (Miscellaneous Application).

Background

  1. The Applicant and the Respondent both provided an outline of the events leading to the IR Request (which are the same in all material respects for the HRIP Act IR Request) and I understand that the chronology of events and evidence as to the content of the relevant documents is, as summarised below in [8] to [14], not in dispute.

  2. In an earlier application for administrative review by the Tribunal (First Proceedings) the Applicant (who is also the applicant in the First Proceedings) alleged certain conduct of concern relating to the use/disclosure of the Applicant's personal information by certain employees of the Council (i.e. the Respondent in this case), including Employee 1 and Employee 2, and a former employee of the Respondent who was an employee at the time of the alleged conduct of concern the subject of First Proceedings but not at the time of the conduct of concern relevant to these proceedings (Former Employee).

  3. As part of the First Proceedings on 8 March 2021 the Tribunal ordered (March 2021 Orders), in summary and most relevantly, that the applicant (i.e. the Applicant in this case) serve their "Points of Claim" by 23 March 2021 setting out, in respect of each alleged breach of privacy, the date, the person(s) who was/were alleged to have made the disclosure, the circumstances of such and which legislative provisions the disclosure breached and how. The Council (the Respondent in this case) was to file and serve its "Points of Defence" in response by 7 April 2021. The applicant in the First Proceedings was also ordered to give to the Tribunal and the Council by 6 April 2021 their evidence including any statements, documents and a summary of legal arguments about the alleged conduct of concern and in relation to any financial, psychological or physical harm suffered because of the conduct of concern the subject of the First Proceedings. The Council was to give the Tribunal and the applicant its evidence including statements, documents and a summary of legal arguments by 5 May 2021.

  4. In accordance with the March 2021 Orders the applicant in the First Proceedings (i.e. also the Applicant in these proceedings) filed and served their Points of Claim on 23 March 2021 and, on 6 April 2021, filed and served their evidence and summary of legal arguments. The Points of Claim were prominently marked with the words "Private and Confidential" and the applicant's evidence (primarily the 524 pages of documents attached to the applicant's "Evidence and Summary of Legal Arguments" document) was prominently marked with the words "All documents disclosed are confidential". The types of documents and personal, health and restricted information (as defined in [37] below) included in the 524 page bundle attached to the Evidence and Summary of Legal Arguments are detailed at [81] below.

  5. There is no dispute between the parties that the documents referred to in [10] above, filed by the Applicant in the First Proceedings, contain the personal, health and confidential information of the Applicant. I collectively refer to all of the personal, health, confidential and any restricted (i.e. IPP 12) information of the Applicant contained in these First Proceedings documents referred to in [10] above (and detailed in [12] and [81] below) and the Council's Points of Defence as the Personal and Health Information.

  6. In preparing for the First Proceedings, including preparing evidence and witness statements, the Respondent provided all to Employee 1 and some to Employee 2 and the Former Employee of the Personal and Health Information as its proposed witnesses in the First Proceedings (Witnesses). The provision of this information to the Witnesses to assist them with the preparation of their evidence for the Council was as follows:

  1. The entirety of the Personal and Health Information (including a version of the Points of Claim annotated by the Respondent by adding in paragraph numbers) was provided to Employee 1.

  2. In relation to Employee 2 and the Former Employee the Respondent formed the view that, because of the more 'limited allegations against these individuals', they would only need to review (and were only provided with) the Points of Claim (including the version annotated by the Respondent), the Points of Defence and the applicant's Evidence and Summary of Legal Arguments but were not provided with the 524 page bundle of documents attached to it.

  1. Witness statements for each of the Witnesses were filed and served on the applicant in the First Proceeding on 17 May 2021 and each witness statement contained a paragraph indicating the documents (and thus the Personal and Health Information) that each of the Witnesses had been provided with by the Respondent for review in preparing their witness statements.

  2. The Respondent has admitted that the Personal and Health Information (or the relevant parts of it), as detailed in paragraphs [12] above and [82] below, was provided to each of the Witnesses and, as at the date of the hearing in these proceedings, was still held by Witnesses.

  3. It is the provision of all or part (as the case may be) of the Personal and Health Information to each of the Witnesses in relation to the First Proceedings which is the conduct of concern raised in the IR Request and HRIP Act IR Request and thus which is the subject of these joined proceedings (i.e. the AR Application and HRIP Act AR Application) currently before the Tribunal. The conduct of concern in these proceedings, while arising out of actions taken by the Respondent in relation to the First Proceedings, is separate and distinct from the conduct of concern and the matters being considered in the First Proceedings.

The internal review requests

  1. The Applicant's requests for internal review of the conduct relating to the events detailed in [8] to [14] were the IR Request and the HRIP Act IR Request. In summary and most relevantly, the conduct of concern raised by the Applicant for internal review by the Respondent in these internal review requests (Conduct of Concern) is that:

  1. Without the Applicant's knowledge or permission the Respondent "disclosed" (or, in the context of the relevant IPP and HPP, "used" by providing) certain personal, sensitive, inflammatory and confidential information regarding the Applicant to the Respondent's employees, Employee 1 and Employee 2 (see [12(1) and (2)] above and [82] below as to what Personal and Health Information was provided to each of Employee 1 and Employee 2).

  2. The conduct (or use) in (1) above is alleged to be inappropriate as both of these employees had been the subject of several complaints by the Applicant to the Respondent of bullying and harassment of the Applicant, including by misusing the Applicant's personal information.

  3. Without the Applicant's knowledge or permission the Respondent disclosed certain personal, sensitive, inflammatory and confidential information regarding the Applicant to a former employee of the Respondent, the Former Employee, who was also (when an employee of the Respondent) the subject of complaints to the Respondent by the Applicant of bullying and harassment. Paragraph [12(2)] above and [82] below detail what Personal and Health Information was disclosed to the Former Employee.

  1. The personal, health, sensitive, inflammatory and confidential information regarding the Applicant referred to in subparagraphs (1) and (3) above (i.e. the Personal and Health Information) is included in:

  1. the Applicant's "Points of Claim" marked "PRIVATE AND CONFIDENTIAL" dated 23 March 2021; and/or

  2. a version of the Applicant's "Points of Claim" referred to in (a) above annotated by the Respondent to include paragraph numbers which is also marked "PRIVATE AND CONFIDENTIAL"; and

  3. the Respondent's "Points of Defence";

  4. a Summary of the Applicant's Evidence and Legal Arguments as submitted in the First Proceedings (First Proceedings Submissions); and

  5. attached to the First Proceedings Submissions, a 524-page bundle of evidence (i.e. various documents) filed in the First Proceedings by the Applicant (annotated with the words "ALL DOCUMENTS ENCLOSED ARE CONFIDENTIAL") which variously contained sensitive and confidential documents, personal information, restricted information under s 19 of PPIP Act, health information about the Applicant and certain of the Applicant's tax returns and their Tax File Number.

  1. The Applicant has no control over how any of the Witnesses have or will use or misuse the Personal and Health Information they have been provided with and the Respondent appears to have provided the Personal and Health Information to them without imposing any controls, taking any steps or imposing any security measures to protect the Personal and Health Information.

  1. The Applicant alleges that the Conduct of Concern breaches the IPPs and HPPs related to the use, disclosure and security of the Personal and Health Information and also likely breaches the Respondent's obligations of confidentiality, Code of Conduct policies and certain specific other legislation (Other Legislation). In summary and most relevantly, in the IR Request and HRIP Act IR Request the Applicant alleges the Conduct of Concern results in breaches of the IPPs and HPPs as follows:

  1. The Respondent's use of the Personal and Health Information by providing all of the Personal and Health Information to Employee 1 and part of it to Employee 2 breaches IPP 10 and HPP 10.

  2. The Respondent's disclosure of some of the Personal and Health Information to the Former Employee breaches IPPs 11 and 12 and HPP 11.

  3. Although phrased in terms of the relief sought under the heading "What would you like to see the agency do about the conduct?" in the IR Request and HRIP Act IR Request, the failure of the Respondent to take appropriate security steps to prevent misuse of the Personal and Health Information provided to the Witnesses breaches IPP 5 and HPP 5.

  4. The Conduct of Concern also breached HPPs 2(a) and (b), 4(i)(c) and (d) and 6(i)(c)(ii) as regards the health information contained in the Personal and Health Information provided to each of the Witnesses.

  5. Generally, the use and disclosure of the Personal and Health Information (or part of it) breaches the confidentiality obligations imposed on the Respondent by its acceptance of the Personal and Health Information noted as confidential and/or under the Respondent's policies and Code of Conduct.

  6. The providing to Employee 1 of pages 180-183 of the 524-page bundle of documents attached to the First Proceedings Submissions (see [16(4)(e)] above) which contains confidential information and other personal information (of the Applicant and others), disclosure of which breaches the Other Legislation.

The administrative review applications

  1. On 19 July 2021 the Applicant filed the AR Application under ss 53(6) and 55 PPIP Act on the basis that no internal review decision of the Respondent had been notified to the Applicant within 60 days of the IR Request. The AR Application attached the IR Request and other documents.

  2. On 14 December 2021 the Applicant filed the HRIP Act AR Application under ss 53(6) and 55 PPIP Act on the basis that no internal review decision of the Respondent had been notified to the Applicant within 60 days of the HRIP Act IR Request. The HRIP Act AR Application attached the HRIP Act IR Request.

Internal review decision on the IR Request

  1. On 24 August 2021, a month after the AR Application had been filed by the Applicant, the Respondent provided the Applicant with its 1 and ¼ page report of its decision in relation to the IR Request (IR Decision). The IR Decision notes the Respondent's findings and "reasoning", in full, as follows:

"- s 18 of the [PPIP] Act relates to the external disclosure of personal information, as in external to Council. As [Employee 1] and [Employee 2] are Council employees, s 18 does not apply as the personal information was disclosed within the agency.

- Information was disclosed to [the Former Employee], a former Council employee, for the purpose in which it was collected, namely to assist Council in preparing a response to the Points of Defence, as ordered by the NSW Civil & Administrative Tribunal.

- s 17 of the [PPIP] Act relates to the internal use of personal information, as in internal to Council. Information used by [Employee 1] and [Employee 2] was directly related to the purpose for which the information was collected, in that the information was used for the express purpose of preparing a response to the NCAT order."

  1. The IR Decision concluded, after the quoted full findings and reasoning noted in [20] above, that:

"Pursuant to ss 53(8)(c) and 55 of the [PPIP] Act, I note that you have exercised your right to apply to the Civil & Administrative Tribunal (NCAT) for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the Application under s 53."

Scope of administrative review proceedings under the PPIP Act and the HRIP Act

  1. It is not in dispute that the Tribunal has jurisdiction to determine these matters pursuant to ss 53(6) and 55 PPIP Act, s 30 Civil and Administrative Tribunal Act 2013 (CAT Act) and s 63 Administrative Decisions Review Act 1997 (ADR Act). Also, as regards any health information contained in the Personal and Health Information the subject of the Conduct of Concern and thus these proceedings, s 21 HRIP Act provides that Part 5 PPIP Act applies to the conduct of an agency that is in contravention of an HPP that applies to the agency and, for that purpose, a reference to personal information in Part 5 PPIP Act is taken to include health information (see DTN v Commissioner of Police (No. 3) [2020] NSWATAP 73 at [108]).

  2. The scope of the requests for internal review (i.e. the IR Request and HRIP Act IR Request in this case) set the scope of the AR Application and HRIP Act AR Application (in this case) and thus frame the extent of the external administrative review before the Tribunal. The 'conduct of concern' to be considered is a matter of fact to be determined by objectively and reasonably construing the IR Request and HRIP Act IR Request.

  3. Several decisions of the Appeal Panel have set out of some fundamental principles that govern the scope of a review of an agency's conduct under the PPIP Act (and thus the HRIP Act) by this Tribunal. In an application for administrative review of an agency's (i.e. the Respondent's) conduct under s 55 PPIP Act (i.e. the AR Application and HRIP Act AR Application in this case) the Tribunal is limited to reviewing the conduct of concern the subject of the original application(s) for the internal review (in this case the IR Request and HRIP Act IR Request) in relation to resulting potential breaches of any IPPs and/or HPPs (as relevant). The Tribunal does not have jurisdiction to review conduct of the Respondent that is not the subject of the application for internal review (i.e. the IR Request and HRIP Act IR Request in this case): Department of Education and Training v GA (No 3) [2004] NSWADTAP 50 at [7]; Department of Education and Training v ZR (No 2) [2009] NSWADTAP 44 at [17]; and CEU v University of Technology Sydney [2018] NSWCATAD 13 at [77]. Nor does the Tribunal have jurisdiction under ss 52, 53 and 55 PPIP Act and s 21 HRIP Act to consider breaches by the agency of other than of the IPPs, the HPPs and/or a relevant privacy code of practice.

  4. The Tribunal's role is to review the conduct of concern in issue (in this case the Conduct of Concern) and to consider whether such contravenes any IPP and/or HPP (in this case) and, if so, what action(s), if any, should be taken by the agency (i.e. the Respondent in this case). The Tribunal's role is not to review the findings of the internal review report (i.e. the IR Decision in this case): DED v Randwick City Council [2017] NSWCATAD 327 at [51]. Often the internal review decision of an agency can assist the Tribunal's considerations, but the Tribunal must consider the conduct of concern afresh, based on the evidence and material before it at the time of the hearing: Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 and KT v Sydney Local Health Network [2011] NSWADT 171.

  5. Unfortunately, the IR Decision is inadequate and of no assistance to the Tribunal in this case. In such circumstances the Tribunal has the option of referring the IR Decision back to the Respondent to reconsider the IR Request and/or to make a decision as regards the HRIP Act IR Request and document its internal review decisions in accordance with the requirements of ss 53(5) and (8) PPIP Act as discussed in EEC v Federation Council [2020] NSW CATAD 169 at [32]. However, in applying the guiding principle in s 36 CAT Act, I have decided not to further delay the consideration of the real issues as between the parties in these proceedings by referring the IR Decision back to the Respondent and/or requiring the Respondent to issue a decision in respect of the HRIP Act IR Request. That is, in accordance the guiding principle in s 36 CAT Act, I have decided to proceed to make a decision in these proceedings based on the material placed before the Tribunal by the parties. As noted by the Appeal Panel in Insurance and Care NSW v EEH [2021] NSWCATAP 350:

"[22] … The Tribunal at first instance was conducting an administration review. It was entitled to assume that the agency, which was under an obligation to cooperate with the Tribunal to give effect to the guiding principle of the Civil and Administrative Tribunal Act 2013 that the just, quick and cheap resolution of real issues in the proceedings be facilitated, had placed all relevant material before it …

[61] …Parties, particularly agencies, should come to the hearing of a matter prepared to adduce all of their evidence and make all of their submissions in relation to the matters in issue in the proceedings."

  1. Section 30(2)(b) CAT Act confirms that the Tribunal may exercise the functions that are conferred or imposed on it by the CAT Act, the ADR Act and the enabling legislation in connection with the conduct or resolution of these proceedings. By s 63(2) ADR Act, in an administrative review the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the relevant decision. In this case the relevant administrator is the person making (or not making, as the case may be) the internal review decision, even though the IR Decision itself (or the failure to make it within 60 days of the IR Request or any decision within 60 days of the HRIP Act IR Request) is not the subject of the review by the Tribunal.

Applicable Legislation

PPIP Act

  1. 'Personal information' is defined by s 4(1) PPIP Act as:

"personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

  1. Section 4 PPIP Act provides a clarification as regards the collection and holding of personal information by agencies as follows:

(4) For the purposes of this Act, personal information is held by a public sector agency if:

(a) the agency is in possession or control of the information, or

(b) the information is in the possession or control of a person employed … by the agency in the course of such employment …

(5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.

  1. As noted in AIN v Medical Council of New South Wales [2017] NSWCATAP 23 at [112], the definition of 'personal information' in the PPIP Act is broad and is to be interpreted broadly. The Full Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 found at [64], in applying the then very similar definition of 'personal information' in the Privacy Act 1988 (Cth), that:

The words 'about an individual' direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not 'about an individual' it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

  1. The various IPPs are set out in Part 2 of the PPIP Act (ss 8-19) which, most relevantly in this case, include IPPs 5, 10, 11 and 12 in relation to the use, disclosure and security of the Applicant's personal information included in the Personal and Health Information provided to each of the Witnesses (see [12] above and [82] below).

  2. Section 12 PPIP Act (IPP 5) relates to the security of personal information. A public sector agency that holds personal information must ensure, most relevantly:

(c)  that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and…

  1. The Applicant bears the burden of adducing some evidence to suggest that appropriate measures were not taken to protect their personal information as required by IPP 5. However, this burden is not high because the knowledge of how the information in question is protected and what security safeguards are actually in place is held by the agency (i.e. the Respondent in this case). Common sense therefore dictates that the party which has relevant information in their possession should put that information before the Tribunal. Further, if the facts are mostly within the knowledge of one party to an issue, a failure by that party to produce evidence as to those facts may lead to an unfavourable inference being drawn by the Tribunal.

  2. The Privacy Commissioner in 'Privacy NSW, A Guide to the Information Protection Principles, 1999' (Guide) states that the appropriate level of security required will depend on both the nature of the information and the medium in which it is stored. At page 17 of the Guide it is noted that "if information is extremely sensitive or likely to find an illicit market it should receive more comprehensive protection". The Tribunal followed this approach in ALZ v Workcover NSW (No 2) [2014] NSWCATAD 122 at [32] and has continued to apply it.

  3. Section 17 PPIP Act (IPP 10) provides as follows:

17  Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless—

(a)  the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b)  the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c)  the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

  1. Section 18 PPIP Act (IPP 11) provides that an agency must not disclose (i.e. outside of the agency) personal information to other than the individual to whom the information relates (i.e. the Applicant in this case) unless, in summary and most relevantly:

  1. the disclosure is directly related to the purpose for which it was collected and there is no reason to believe the individual concerned would object (s 18(1)(a) PPIP Act);

  2. the individual concerned (i.e. the Applicant in this case) is reasonably likely to have been made aware that such information is usually disclosed to that other person (s 18(1)(b) PPIP Act); or

  3. the agency believes on reasonable grounds that disclosure is necessary to prevent or lessen a serious or imminent threat to life or health of any person (s 18(1)(c) PPIP Act).

  1. As regards the disclosure of certain specified "restricted" personal information s 19 PPIP Act (IPP 12) provides, most relevantly, that:

(1)  A public sector agency must not disclose personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities [(restricted information)] unless the disclosure is necessary to prevent a serious and imminent threat to a life or health of the individual concerned or another person …

  1. Section 25 PPIP Act provides as follows:

A public sector agency is not required to comply with sections 9, 10, 13, 14, 15, 17, 18 or 19 if:

(a)  the agency is lawfully authorised or required not to comply with the principle concerned, or

(b)  non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

  1. The exemption in s 25(a) PPIP Act requires the express authorisation or requirement not to comply with the relevant section of the PPIP Act, an IPP or IPPs to be set out in the relevant Act or law. The exemption in s 25(b) PPIP Act, however, only requires that non-compliance is otherwise (i.e. while not expressly stated in an Act or law as permitted or required it is) "necessarily implied or reasonably contemplated" under an Act or any other law.

HRIP Act

  1. The HRIP Act regulates the manner in which public sector agencies collect, use, store and disclose health information and contains 15 health privacy principles (i.e. HPPs) set out in Schedule 1 of the HRIP Act.

  2. 'Personal information' is defined in s 5(1) HRIP Act in the same terms as in the PPIP Act as:

… information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

  1. 'Health information' is defined in s 6(1) HRIP Act as, most relevantly:

6  Definition of "health information"

In this Act, health information means:

(a)  personal information that is information or an opinion about:

(i)  the physical or mental health or a disability (at any time) of an individual, or …

  1. Section 9 HRIP Act details "what constitutes 'holding' information", most relevantly in the same terms as the PPIP Act, as follows:

For the purposes of this Act health information is held by an organisation if:

(a)  the organisation is in possession or control of the information …, or

(b)  the information is in the possession or control of a person employed … by the organisation in the course of such employment …

  1. Section 10 HRIP Act provides that "[f]or the purposes of this Act, health information is not collected by an organisation if the receipt of the information by the organisation is unsolicited".

  1. Section 11 HRIP Act deals with "How this Act applies to organisations" and provides, most relevantly:

11  How this Act applies to organisations

(1)  This Act applies to every organisation … that collects, holds or uses health information.

Note. The term organisation means a public sector agency or a private sector person.

(2)  An organisation to whom or to which this Act applies is required to comply with the Health Privacy Principles ….

(3)  An organisation must not do any thing, or engage in any practice, that contravenes a Health Privacy Principle ….

  1. Section 21 HRIP Act deals with complaints against public sector agencies and, most relevantly, provides:

21  Complaints against public sector agencies

(1)  The following conduct by a public sector agency is conduct to which Part 5 (Review of certain conduct) of the PPIP Act applies:

(a)  the contravention of a Health Privacy Principle that applies to the agency,

(b)  ….

(2)  For that purpose, a reference in that Part:

(a)  to personal information is taken to include health information, and

(b)  …, and

(3)  …

  1. Schedule 1 HRIP Act includes, most relevantly, the following HPPs:

  1. HPP2:

2  Information must be relevant, not excessive, accurate and not intrusive

An organisation that collects health information from an individual must take steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected to ensure that:

(a)  the information collected is relevant to that purpose, is not excessive and is accurate, up to date and complete, and

(b)  the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

  1. HPP4:

4  Individual to be made aware of certain matters

(1)  An organisation that collects health information about an individual from the individual must … take steps that are reasonable in the circumstances to ensure that the individual is aware of the following:

(c)  the purposes for which the information is collected,

(d)  the persons to whom (or types of persons to whom) the organisation usually discloses information of that kind, …

  1. HPP 5:

5  Retention and security

(1)  An organisation that holds health information must ensure that -

(c)  the information is protected by such security safeguards as a reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and …

(2)  An organisation is not required to comply with a requirement of this clause if -

(a)  the organisation is lawfully authorised or required not to comply with it, or

(b)  non-compliance is otherwise permitted or is necessarily implied or reasonably contemplated under an Act or any other law (including the State Records Act 1998).

  1. HPP 6:

6  Information about health information held by organisations

(1)  An organisation that holds health information must take such steps as are, in the circumstances, reasonable to enable any individual to ascertain:

(c)  if the organisation holds health information relating to that individual:

(iii)  the main purposes for which the information is used, …

  1. HPP 10:

10  Limits on use of health information

(1)  An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless-

(a)  Consent

the individual to whom the information relates has consented to the use of the information for that secondary purpose, or

(b)  Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or

Note—

For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose. …

(2)  [Sub-paragraph (2) is in identical terms to sub-paragraph (2) of HPP 5 (see [47(3)] above).]

  1. HPP 11:

11  Limits on disclosure of health information

(1)  An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless -

(a)  Consent

the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or

(b)  Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or

Note—

For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose. …

(2)  [Sub-paragraph (2) is in identical terms to sub-paragraph (2) of HPP 5 (see [47(3)] above).]

On the papers

  1. Section 50 CAT Act provides, in summary and most relevantly, that:

(2)   The Tribunal may make an order dispensing with a hearing if it is satisfied that the issues for determination can be adequately determined in the absence of the parties by considering any written submissions or any other documents or material lodged with or provided to the Tribunal.

(3)   The Tribunal may not make an order dispensing with a hearing unless the Tribunal has first:

(a)   afforded the parties an opportunity to make submissions about the proposed order, and

(b)   taken any such submissions into account…

An Order for damages under s 55(4) PPIP Act

  1. An order requiring the Respondent to pay the Applicant damages by way of compensation for any loss or damage suffered because of the Conduct of Concern (in this case) can only be made if the Tribunal is satisfied that the Applicant has suffered financial loss and/or psychological or physical harm because of that conduct of concern (s 55(4) PPIP Act).

  2. As noted in APV v Department of Finance and Services [2016] NSWCATAD 168 (APV) at [15], the Applicant bears the onus of "establishing the causal link between the breach of privacy [i.e. the Conduct of Concern where non‑compliance with an IPP or HPP is found] and the damage allegedly suffered". APV was followed in DRX v City of Canada Bay Council [2020] NSWCATAD 26.

  3. The Deputy President of the Tribunal in CPJ v The University of Newcastle [2017] NSWCATAD 350 (CPJ) at [26] and [28], rejecting the previous causation test applied by the Tribunal, held that the 'material contribution' test was the relevant test. In favouring the 'material contribution' test the Deputy President in CPJ followed the AAT decision in EQ v Office of the Australian Information Commissioner (Freedom of Information) [2016] AATA 785 (EQ) at [48], interpreting the equivalent provision under the Federal Privacy Act and relied, to some extent, on the common law principles in March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506. In CPJ at [25] the Deputy President, quoting from EQ, stated:

"… in law, causation is a question identifying where legal responsibility should lie, rather than examine the cause of event from a scientific or philosophical viewpoint, policy issues and value judgments have a role to play in determining whether for legal purposes, a circumstance we found to be causative of loss."

  1. In order to persuade the Tribunal to the level of satisfaction required by s 55(4) PPIP Act, specific evidence is required that the conduct of the agency that is the subject of the complaint (i.e. the Conduct of Concern in this case) and not the conduct of the Respondent more generally caused the alleged loss or harm (see GR v Department of Housing [2003] NSWADT 268 (GR) at [47]).

  2. As noted in JD v NSW Medical Board (No. 2) [2006] NSWADT 345 at [54], psychological harm "is intended to encompass a situation where an individual suffers some impairment of their mental state and processes". This can include "conditions such as depression and anxiety" as held in WT v Auburn Council [2007] NSWADT 253 at [27].

  3. In CJU v SafeWork NSW [2018] NSWCATAD 300 (CJU) at [117] the Tribunal following AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179 accepted that "mere distress" is a recoverable psychological harm and added the following commentary at [124]:

"It seems to me the expression "psychological harm" in the section is of wide import. … "Psychological", and not the word "psychiatric", is the chosen term. No degree of such harm has been imposed such as a requirement for "serious" psychological harm."

…it could readily be foreseen by the legislature that a breach such as unlawful release of personal information could produce a range of justifiable reactions such as distress, worry, humiliation or fear of some real significance.

…it does not seem to me that the legislature would have expected "psychological harm" to be limited to a mental condition that is only capable of identification by diagnosis from a doctor or psychologist."

  1. In CJU at [98] the Tribunal suggested that the types of claims, supported by some independent evidence, that would be needed to seek compensation on the grounds of psychological harm by way of distress would be "specific consequences that flowed from [the Conduct of Concern] such as impact upon her work, sleeping, lifestyle, relationships or treatment for her state of mind".

  2. A medical report that specifies a causal connection between the Conduct of Concern (in this case) and the psychological harm suffered by the Applicant will meet the precondition in s 55(4)(b) PPIP Act as noted in RD v Department of Education and Training [2005] NSWADT 195 at [47]. However, a medical report that simply says that an applicant's stress has been aggravated by their dealings with an agency, for example, is probably not sufficient to establish that the person is suffering from a physical or psychological condition "because of the [relevant] conduct of the public sector agency" (see GR at [47]). The applicant's claim for damages for psychological harm also failed in SW v Forests NSW [2006] NSWADT 74 at [53] on the basis of insufficient evidence, including a lack of a "specific diagnosis or prognosis in respect of any psychological harm".

Non‑publication/non‑disclosure under s 64 CAT Act

  1. Section 64 of the NCAT Act provides that:

64   Tribunal may restrict disclosures concerning proceedings

(1)   If the Tribunal is satisfied that it is desirable to do so by reason of the confidential nature of any evidence or matter or for any other reason, it may (of its own motion or on the application of a party) make any one or more of the following orders -

(a)   an order prohibiting or restricting the disclosure of the name of any person (whether or not a party to proceedings in the Tribunal or a witness summoned by, or appearing before, the Tribunal),

(b)   an order prohibiting or restricting the publication or broadcast of any report of proceedings in the Tribunal,

(c)   an order prohibiting or restricting the publication of evidence given before the Tribunal, whether in public or in private, or of matters contained in documents lodged with the Tribunal or received in evidence by the Tribunal,

(d)   an order prohibiting or restricting the disclosure to some or all of the parties to the proceedings of evidence given before the Tribunal, or of the contents of a document lodged with the Tribunal or received in evidence by the Tribunal, in relation to the proceedings.

  1. As regards s 64(1)(d) CAT Act, the Tribunal noted in EQH v Health Administration Corporation [2021] NSWCATAD 215 that:

[17] Ordinarily, the Tribunal is bound by principles of procedural fairness or natural justice. It ‘may enquire into and inform itself on any matter in such manner as it thinks fit, subject to the rules of natural justice’ (the CAT Act, s38(2)). An express exception to this is found at s64(1)(d) of the CAT Act. The Tribunal is permitted pursuant to that section to make an order that evidence be withheld from a party if the Tribunal considers this to be ‘desirable’. The word ‘desirable’ should be interpreted with regard to the most basic common law precept of open justice (see State of New South Wales (Justice Health) v Dezfouli [2008] NSWADTAP 69 at [61], with reference to the predecessor to s64(1) of the CAT Act, being s75(2) of the Administrative Decisions Tribunal Act 1997 (as it was then known)). …

[20] In Dezfouli at [81], the Appeal Panel set out the following considerations of relevance in a case determining whether an order pursuant to the equivalent of s64 should be made as follows:

“(a) the presumption if favour of open justice;

(b) the need for an applicant for a suppression order to establish good grounds for making the order;

(c) the comparative breadth of the criterion of ‘desirability’;

(d) the important differences between the types of suppression order that may be made - between (for instance) an order as in this case prohibiting disclosure of the identity of a participant and an order that a hearing occur in closed session, without notice to a party;

(e) the undoubted breadth of the range of purposes that may be served (‘any other reason’);

(f) the possibility that the purposes to be served may be a mixture of private and public interest; and

(g) the possibility that, although generally speaking the prospect of damage to reputation or ‘embarrassment’ affecting a participant in the proceedings will not provide sufficient grounds for a suppression order, there may be unusual circumstances where this is the principal consideration underlying an order.”

The Hearing

  1. The hearing in relation to the AR Application took place by telephone on 18 January 2022 (Hearing).

  2. In addition to the oral submissions presented by both parties at the Hearing, at the time of the Hearing the following written submissions and evidence had been submitted by the parties for consideration by the Tribunal:

Applicant

  1. The AR Application and attached documents filed on 19 July 2021.

  2. The Applicant's Summary of Legal Arguments & Submissions and attached documents (bundles "EMQ 205873-1b", "EMQ 205873-2a" and "EMQ 205873-2b") filed on 22 November 2021 (Applicant Submission).

  3. The Applicant's Evidence and Submissions in Reply, attached documents and a CD recording of the First Proceedings filed on 5 January 2022 (Applicant Reply Submissions).

Respondent

  1. The Respondent's Summary of Legal Argument filed on 20 December 2021 (Respondent Submissions).

  2. The affidavit of Mr Colin McFadzean and attached documents filed on 20 December 2021 (McFadzean Affidavit).

After the Hearing

  1. On 10 February 2022 the Respondent applied to have the Health Case proceeding dismissed or joined with the AR Application proceeding on the basis that the same circumstances and alleged conduct of concern, as that referred to in the IR Request and AR Application, was raised in the HRIP Act IR Request and the HRIP Act AR Application. The only difference being that in the Health Case the Applicant only alleges the Conduct of Concern gave rise to breaches of the HPPs.

  2. As noted in [5] above, in response to the 3 March 2022 Orders of the Tribunal in the Health Case the parties consented to the joining of the matters with all evidence, submissions and materials filed in either case being available to both and the joined proceedings.

The HRIP Act IR Request

  1. The conduct of concern raised for internal review in the HRIP Act IR Request was the same as the conduct of concern in the IR Request (ie the Conduct of Concern), see [16] above.

  2. The alleged breaches of the relevant HPPs (as regards the Applicant's health information) arising from the Conduct of Concern in the HRIP Act IR and the HRIP Act AR Application are of:

  1. the HPPs 'equivalent' to the IPPs alleged to be breached in the IR Request by the Conduct of Concern; and

  2. in addition, HPPs 2(a) and (b), 4(1)(c) and (d) and 6(1)(c)(ii).

  1. The Tribunal is of the view that the IR Request and thus the AR Application expressly raised the alleged breaches of HPPs 5, 10 and 11 in relation to the Applicant's health information included in the Personal and Health Information. Given the joining of the AR Application proceeding with the Health Case proceeding in these joined proceedings, there can be no doubt that the Tribunal is to consider the Conduct of Concern in light of the alleged breaches in the IR Request of both the relevant IPPs for the personal and/or restricted information in the Personal and Health Information and HPPs for the health information in the Personal and Health Information, in addition to the alleged breaches of HPPs 2, 4 and 6 noted in the HRIP Act IR Request for the health information in the Personal and Health Information provided to the Witnesses.

  2. Pursuant to 3 March Orders in the Health Case (as subsequently amended as to the time for compliance in the Orders of the Tribunal on 30 March 2022 and 9 May 2022), on 14 April 2022 the Applicant submitted the "Applicant's Response to … Order 3 of Orders" dated 3 March 2022" (Applicant Health Submissions) attaching an "Affidavit of [the Applicant]" dated 24 March 2022 (Applicant Affidavit) and on 10 May 2022 the Respondent submitted its "Outline of Legal Argument" (Respondent Health Submissions). Despite an extension of time to 30 June 2022, the Applicant did not submit any submissions in reply to the Respondent Health Submissions.

  3. In the Respondent Health Submissions the Respondent submitted that the Health Case (i.e. the HRIP Act AR Application), now part of these joined proceedings, could be heard on the papers without the need for a further hearing and the Applicant in the Applicant Health Submissions did not object to such, leaving the determination of this issue in the hands of the Tribunal.

  4. On 18 May 2022 the Respondent submitted to the Tribunal by email that the decision of the Appeal Panel in relation to an interlocutory order of the Tribunal in these proceedings denying the Applicant's application for interlocutory orders under s 64(1)(d) CAT Act (AP Decision) was both an authority binding on the Tribunal and one which impacted the decision that could be made by the Tribunal in relation to the substantive issues being addressed in these proceedings.

The Miscellaneous Application

  1. After the lodging of the Miscellaneous Application, on 7 July 2022 the Tribunal ordered (7 July 2022 Orders) that the Applicant submit any written submissions limited to the specific issues raised in the Miscellaneous Application by 14 July 2022 and that the Respondent may provide written submissions in response. The 7 July 2022 Orders also required that both parties' submissions should indicate whether they agreed to the Tribunal determining the Miscellaneous Application on the papers or, if not, to make submissions as to why not.

  2. While dated 13 July 2022 (ie within time), on 21 July 2022 (after the time for submission provided for in the 7 July 2022 Orders) the Applicant's solicitor lodged the "Applicant's Submissions on Non‑Disclosure" which included the Applicant's requested redactions (Applicant Non‑Disclosure Submissions).

  3. On 11 August 2022 the Respondent notified the Tribunal by email (Respondent 11 August 2022 Letter) that, while it did not agree with all "assertions" made by the Applicant in the Applicant Non‑Disclosure Submissions, the Respondent did not object to the redactions requested by the Applicant in the Applicant Non‑Disclosure Submissions.

  4. Despite the late submission of the Applicant Non‑Disclosure Submissions and failure to lodge any submissions as to why time should be extended, given the Respondent did not object to the redactions requested by the Applicant or the late submission of the Applicant Non-Disclosure Submissions and the guiding principle in s 36 CAT Act, on 24 August 2022, the Tribunal ordered that it would consider the Applicant Non‑Disclosure Submissions in determining the Miscellaneous Application.

Preliminary issues for determination

  1. From the IR Request, the AR Application, the HRIP Act IR Request, the HRIP Act AR Application, the Miscellaneous Matter and the submissions of the parties, the preliminary issues that arise to be determined by the Tribunal are:

  1. if any additional issues arising from the HRIP Act AR Application (i.e. the Health Case) and the Miscellaneous Application can be dealt with on the papers in the absence of the parties;

  2. the scope of the Tribunal's review in these proceedings;

  3. the personal information, health information and/or restricted information included in the documents making up the Personal and Health Information;

  4. what Personal and Health Information was provided to each of the Witnesses; and

  5. the impact of the AP Decision on the substantive issues being considered in these proceedings.

Preliminary issues – consideration and findings

  1. Given the lack of objection of the parties, the consent of the Respondent, to the determination of the HRIP Act AR Application and the Applicant to the determination of the Miscellaneous Application having heard the parties at the Hearing and based on the "guiding principle" set out in s 36(1) CAT Act, I am satisfied based on the material before the Tribunal that there is nothing that could be added by having a further hearing in respect of the HRIP Act AR Application (i.e. the Health Case) or the Miscellaneous Application. That is, I am satisfied that the issues for determination in relation to the Applicant Health Submissions and Respondent Health Submissions and the Applicant Miscellaneous Application Submissions can be adequately dealt with in the absence of the parties by considering the material that is before me in these proceedings on the papers.

  2. As noted in [16] above, the IR Request and HRIP Act IR Request detailed the alleged conduct of concern of the Respondent (i.e. the Conduct of Concern). From the Tribunal's consideration of the Conduct of Concern and those areas indicated on the IR Request and HRIP Act IR Request forms completed by the Applicant which "describes [the] complaint" and the "specific conduct you are complaining about", the potential breaches of the IPPs and HPPs arising from the Conduct of Concern relate to the use, disclosure and security of the relevant Personal and Health Information provided to each of the Witnesses.

  3. The Applicant also alleges that obligations of confidentiality owed to the Applicant by the Respondent were breached, as were the Respondent's Code of Conduct and other policies and the Other Legislation. However, as noted in [23] above, only the breaches of the IPPs and HPPs (as relevant) resulting from the Conduct of Concern are within the Tribunal's jurisdiction in relation to an application under s 55 PPIP Act for administrative review by the Tribunal (i.e. the AR Application and HRIP Act AR Application in this case). Although, any breaches of confidentiality obligations, relevant Codes of Conduct applicable to the Respondent and/or legislation including the Other Legislation, if established, may factor in the Tribunal's consideration of the alleged breaches of the relevant IPPs and/or HPPs arising from the Conduct of Concern.

  4. Therefore, in summary and most relevantly, the scope of these joined proceedings before the Tribunal (i.e. the Tribunal's administrative review) is limited to the Conduct of Concern (see [16] above) and any potential breach of the relevant IPPs and HPPs as follows:

  1. The use of the Personal and Health Information by providing all of it to Employee 1 and some of it to Employee 2 under IPP 10 and/or HPP 10.

  2. The disclosure of some of the Personal and Health Information to the Former Employee under IPPs 11 and 12 and/or HPP 11.

  3. The uses and disclosure referred to in subparagraphs (1) and (2) above occurring without appropriate security measures having been taken by the Respondent to ensure that misuse of the Personal and Health Information (or any part of it) by any of the Witnesses does not occur under IPP 5 and/or HPP 5.

  4. The collection of the health information of the Applicant in the Personal and Health Information under HPPs 2 and 4.

  5. The inability of the Applicant to ascertain the main purposes for which their health information is to be used by the Respondent under HPP 6.

  1. The Tribunal therefore has not specifically considered in and of themselves and does not address in these Reasons for Decision the other matters and issues and alleged breaches raised in the submissions and evidence of the parties which are outside of the scope of the Tribunal's administrative review as outlined in [77] above, unless and except (and then only to the extent that) they directly relate to or impact the matters that are within the scope of the Tribunal's review.

  2. The Tribunal has treated the Tax File Number information included in the Personal and Health Information (see [74(4)(c)] below) as personal information subject generally to the IPPs. However, this should not be taken as the Tribunal in any way considering, addressing or determining any issues under the relevant Federal privacy legislation, the Privacy Rule (Tax File Number) Rule 2015 (Cth) or any obligation to notify the disclosure of the Tax File Number information as an "eligible data breach" under the Privacy Act 1988 (Cth).

  3. As noted in [1] above, I have sought to limit my discussions of the evidence and have avoided specific details of the personal information, health information and restricted information contained in the Personal and Health Information to limit the possibility of revealing the identity of the Applicant or the Witnesses. As a result, I have kept my discussion of the evidence and the details of the personal information, health information and restricted information in [81] below to a minimum.

  4. After identifying the document and/or the group of documents that include the Personal and Health Information below, I note briefly the general types of personal information and/or health information and/or restricted information (i.e. IPP 12 information) included in such:

  1. The Points of Claim and Points of Claim as annotated by the Respondent (Points of Claim) include the personal information (e.g. certain allegations against the Applicant), health information (e.g. the Applicant's mental health) and restricted information of the Applicant.

  2. The Respondent's Points of Defence (Points of Defence) includes the personal information (as noted in (1) above) and some restricted information of the Applicant.

  3. The first 8 pages of the 532 page bundle of documents filed by the Applicant in the First Proceedings (i.e. the First Proceedings Submissions) (Limited Bundle) includes some personal information (e.g. certain allegations against the Applicant), health information (e.g. medical reports, notes and certificates of capacity) and restricted information (as noted in (1) above) of the Applicant.

  4. The remainder of the 532 page bundle referred to in (3) above (i.e. the 524 pages of documents attached to the First Proceedings Submissions) (Bundle of Documents) include significant amounts of the personal information (including that noted in (1) above), health information (including that noted in (1) and (3) above) and restricted information of the Applicant. Broadly, this information includes:

  1. several detailed medical reports relating to the Applicant;

  2. allegations, accusations and findings of investigations and reports into allegations against the Applicant and the details of the Applicant's alleged activities and the names (and other identifying information) of the other individuals involved in the alleged activities;

  3. a number of tax returns of the Applicant, some of which include the Applicant's Tax File Number;

  4. summaries of complaints and discussions of identified interviewees and witnesses including information noted in (b) above; and

  5. the Applicant's detailed responses to certain of the allegations made against them as part of confidential investigations (both internal to the Respondent and independent) including the information noted in (b) and (d) above.

  1. It is not in dispute that each of the Witnesses was provided with the following Personal and Health Information (i.e. the personal, health and/or restricted information as identified in [81] above):

  1. Employee 1: all of the Personal and Health Information included in the Points of Claim, Points of Defence, Limited Bundle and Bundle of Documents.

  2. Employee 2 and the Former Employee: all of the Personal and Health Information contained in the Points of Claim, Points of Defence and Limited Bundle.

  1. Of course the AP Decision binds this Tribunal in these proceedings as regards its subject matter. However, the AP Decision relates to interlocutory matters and the earlier decision of the Tribunal not to issue a s 64(1)(d) CAT Act order at that time to prevent (in these proceedings) the documents containing the Personal and Health Information, already provided to the Witnesses in the First Proceedings, from being provided to the Witnesses by the Respondent again for the purposes of these proceedings. In my opinion and contrary to the suggestion of the Respondent that the AP Decision is "relevant to the Tribunal's [substantive] decision as to whether the [Conduct of Concern] was in breach of the PPIP Act", the Appeal Panel in the AP Decision was not determining whether any of the Conduct of Concern breached the IPPs and/or HPPs. Rather the AP Decision is limited to whether a s 64(1)(d) CAT Act order was, at that point in time in these proceedings, appropriate. That is, in the circumstances and at that time in the proceedings was it appropriate for the Tribunal to intervene in the Respondent's preparation of its defence to these proceedings by prohibiting it from re-sharing any of the Personal and Health Information with any proposed witnesses. The Appeal Panel, in the AP Decision, was not determining whether or not any use or disclosure of the Personal and Health Information in the Conduct of Concern was or was not in breach of the IPPs and/or HPPs. That is, the Appeal Panel in the AP Decision was not determining the substantive matters to be determined in these proceedings.

The issues for determination

  1. Based on the conclusions above as regards the preliminary issues, the real and substantive issues to be determined by the Tribunal in these proceedings are:

  1. In respect of the Conduct of Concern and the relevant Personal and Health Information provided to each of the Witnesses whether, in the circumstances, such is:

  1. exempted under s 25 (b) PPIP Act such that IPPs 10, 11 and/or 12 do not apply to the Conduct of Concern and/or, where relevant, exempted under HPPs 5(2), 10(2) and/or 11(2) such that HPPs 5, 10 and/or 11 do not apply to the Conduct of Concern; and, if and to the extent not exempted,

  2. exempted, at least in respect of IPPs 5, 10, 11 and 12 and HPPs 5, 10 and 11, as it was and remains unsolicited by the Respondent; and, if not exempted,

  3. contrary to IPP 10 and/or HPP 10; and/or

  4. contrary to IPP 11 and/or HPP 11; and/or

  5. if relevant, contrary to IPP 12; and/or

  6. contrary to HPP 5; and/or

  7. contrary to HPP 2(a) and/or (b); and/or

  8. contrary to HPP 4(i)(c) and/or (d); and/or

  9. contrary to HPP 6(i)(c)(ii).

  1. If the Conduct of Concern is, in the circumstances, contrary to IPP 5 (as the exemption in s 25 PPIP Act does not apply to s 12 PPIP Act/IPP 5).

  2. Subject to the determinations in relation to (1) and (2) above, the remedies to be awarded/orders made by the Tribunal.

  3. If relevant, whether as joined proceedings a single cap of $40,000 for damages under s 55(2)(a) PPIP Act applies in total to all breaches of the IPPs and the HPPs under both the AR Application and the HRIP Act AR Application or if the cap applies separately to each of:

  1. the IPP breaches and/or the AR Application; and

  2. the HPP breaches and/or the HRIP Act AR Application.

  1. Whether the redactions and non‑disclosure orders sought by the Applicant in the Miscellaneous Application, the subject of the Applicant Non‑Disclosure Submissions, should be made by the Tribunal in the circumstances.

Applicant's submissions

  1. In summary and most relevantly, the Applicant Submissions and the Applicant Health Submissions in general and in relation to the specific alleged breaches of the IPPs are:

  1. Throughout the First Proceedings the Council relentlessly argued that the scope of the review was limited and the Tribunal's Orders of 3 May 2021 in the First Proceedings reflect this limitation of scope. The implication of this being that there was excessive information used by the Respondent by providing all of the Personal and Health Information to Employee 1 and part of the Personal and Health Information to Employee 2 and by disclosing part of the Personal and Health Information to the Former Employee.

  2. Based on the limited scope of the review in the First Proceedings and given that the statements of the Witnesses in the First Proceedings have not included or referred to much, if any, of the Personal and Health Information, the Council's case at hearing in the First Proceedings does not require or relate to the bulk of the Personal and Health Information provided to each of the Witnesses. The Witnesses continue to hold unredacted copies of the Personal and Health Information they were provided with.

  3. The Respondent received various complaints from the Applicant about the misuse of the Applicant's personal information by the Witnesses to bully and harass the Applicant prior to the Respondent providing the relevant Personal and Health Information to them for the First Proceedings. Such complaints show that the Applicant would never have authorised or consented to the Respondent providing any of the Personal and Health Information to any of the Witnesses.

  4. Given the circumstances noted in (3), it was also appropriate and necessary for the Respondent to take additional steps to safeguard and protect the Personal and Health Information provided to the Witnesses from unauthorised access, disclosure and misuse by the Witnesses and no such steps are evident from the Respondent's evidence.

  5. The Respondent's Privacy Management Plan (PMP) (section 3.5) states that the Respondent may comply with [the security principle (e.g. IPP 5 and HPP 5)] using the procedures and suggested measures in the "Records and Archive Services Manual" or "the Council's Policy on Security of and Access to Misconduct Files". To the Applicant's knowledge none of the measures contained in these documents were used and the Respondent presented no evidence that such were followed. Also, little or no evidence of the measures (if any) implemented by Respondent to protect the Personal and Health Information in the hands of the Witnesses was submitted by the Respondent. That is, for example, there was no evidence of instructions to or the agreement of the Witnesses that the Personal and Health Information was to be kept confidential, not to be disclosed to anyone else, to be kept in a secure place, protected against loss and to be immediately and securely disposed of on request. The Witnesses were not required to sign a relevant agreement or similar acknowledgement of any such requirements.

  6. The Applicant did not consent to the release of any of the Personal and Health Information to the Witnesses and, given the limitation of the scope of the review in the First Proceedings, there was no need for the Respondent to have provided all of the relevant Personal and Health Information it provided to each of the Witnesses or for the Witnesses to now keep it. That is, provision of the relevant Personal and Health Information to each of the Witnesses without redaction was not for the purpose for which the Personal and Health Information was collected by the Respondent.

  7. The Respondent shared the Personal and Health Information with the Witnesses for a purpose that was "not directly related" to them having reasonably necessary information to prepare a relevant witness statement for the First Proceedings with regard to the limited scope of the internal review request as much of the information provided to them was irrelevant to that limited scope of the First Proceedings and/or their specific evidence.

  8. The Respondent has not addressed (and has stated that it does not intend to address) 129 paragraphs of the Points of Claim or use/refer to anywhere near the entirety of the 524 pages of the Bundle of Documents in the Respondent's case at the hearing in the First Proceedings. Despite this the Witnesses have retained all of the Personal and Health Information provided to them and such has not been securely retrieved and/or disposed of.

  9. While it may be necessary for the Respondent to provide certain limited amounts of the Personal and Health Information to each of the Witnesses, sufficient for each Witness to be able to understand the context of the relevant internal review request allegations that each of the Witnesses were responding to and in relation to the limited evidence they were to provide (i.e. in their witness statements), the Applicant assumed that the Respondent would assess and limit the extent of the Personal and Health Information provided to each of the Witnesses to what was reasonably necessary for that purpose. That is, limit the use/disclosure to that necessary for the purpose of giving of their evidence (i.e. preparing a witness statement) on a case-by-case basis in relation to the specific internal review request allegation relating to or on which they were giving evidence for the Respondent in the First Proceedings.

  10. The Applicant was not aware that any confidential documentation (i.e. the Personal and Health Information) was needed to (or would) be provided to any of the Witnesses for them to provide their evidence. The Applicant was not provided any information in accordance with s 10 PPIP Act (IPP 3) or otherwise alerted by the Respondent to the fact that, irrespective of the reasonable but limited requirement for certain specific Personal and Health Information to be provided to each of the Witnesses for the specific purpose noted above, all of the Personal and Health Information in one case and significant parts of it in the two other cases would simply be provided to the Witnesses without consideration of the reasonableness of such uses or disclosure for the limited purpose for each of the Witnesses to give their specific and limited evidence on the relevant alleged breach of the IPP or HPP on which they were to provide evidence.

  1. In respect of the specific alleged breaches of the HRIP Act and the HPPs the Applicant submitted in the Applicant Submissions, orally and in the Applicant Health Submissions, most relevantly and in summary:

  1. The specific health information of the Applicant included in each of the Points of Claim, Points of Defence, Limited Bundle and Bundle of Documents was not reasonably necessary for the Witnesses to prepare their evidence.

  2. The Respondent did not take reasonable steps to protect the health information included in the Personal and Health Information provided to the Witnesses against unauthorised access, use or disclosure by the Witnesses and the Witnesses still appear to have a copy or copies of that health information previously provided to them (even after the Orders of the Tribunal limiting the scope of the dispute in the First Proceedings). The Respondent has not done anything to seek to prevent the unauthorised use or disclosure of the Applicant's health information by the Witnesses.

  3. In order for the Witnesses to properly respond to the allegations in the First Proceedings they each only needed to be provided with sufficient understanding of the allegations relating to them or on which they were to give evidence. They did not need the Applicant's health information (or personal information) relating to the impact on the Applicant's mental health, emotional or financial state for that purpose. This is confirmed by the fact that none of the Witnesses referred to the Applicant's health information (or in fact, much of the personal information noted above) in their witness statements. Also, as none of the Witnesses were offered up as health care practitioners or financial experts, none of the Witnesses could be called to give evidence on the Applicant's health/medical and/or financial status or emotional state and therefore they did not reasonably need access to (most of) the Personal and Health Information provided to them.

  1. For the reasons noted above at [111] to [115] in relation to IPP 10, I am satisfied that the disclosure of any of the Applicant's personal information in the Personal and Health Information not reasonably necessary for the Former Employee to prepare their witness statement for the First Proceedings is not a disclosure for the purpose (or a purpose directly related to the purpose) for which that information was collected by the Respondent.

  2. Even if the disclosure of the personal information of the Applicant in the Personal and Health Information which was irrelevant to the evidence of the Former Employee in the First Proceedings was considered to be for a purpose directly related to the purpose for collection, it cannot be said that the Respondent had 'no reason to believe that the Applicant would object to the disclosure'. As noted in [116], the marking of the Personal and Health Information as 'confidential' and the fact that the Applicant had made at least one complaint about the Former Employee (in addition to the allegations made in the First Proceedings) means that in these circumstances, the Respondent cannot say it had 'no reason to believe' the Applicant would object to this disclosure. Therefore, s 18(1)(a) PPIP Act is not made out.

  3. Section 18(1)(b) PPIP Act exempts disclosures to third parties (i.e. the Former Employee in this case) where the Applicant (in this case) is likely to have been aware that the personal information in the Personal and Health Information (in this case) is of a kind usually disclosed to such third parties. In the absence, as in this case, of an express notification by the Respondent of such disclosures (e.g. in accordance with s 10 PPIP Act) the Respondent has to establish another basis by which or how the Applicant was "reasonably likely" to have been aware of such as a 'usual disclosure'.

  4. As to the likely awareness of the Applicant that the Personal and Health Information is usually disclosed to potential witnesses by the Respondent without 'curating it' (i.e. assessing it and providing only that which is reasonably required for each of the Witnesses to give their evidence), I prefer the Applicant's detailed evidence as to their lack of awareness of this generally and the Respondent's lack of any efforts to make the Applicant aware of such.

  5. I also note the Applicant's detailed submissions on and evidence in respect of the Code of Conduct and PMP requirement for officers of the Respondent to keep confidential information confidential. These public documents further support the Applicant's expectation that only those parts of the Personal and Health Information that were clearly relevant to the Former Employee's evidence (i.e. the specific allegations that, as a Witness, they were to address in their witness statement) would be disclosed to them. I am satisfied that the Applicant in this case was not reasonably likely to have been aware (and was not made aware) of the usual disclosure by the Respondent to non-employee witnesses of personal information not reasonably relevant to their evidence. On the contrary, the obligations under the Code of Conduct and PMP and the Applicant's submissions and evidence establish an expectation that such disclosure would not usually happen.

HPP 11 Act

  1. For the reasons noted in [117] to [122] above, I am also satisfied that all of the health information in the Personal and Health Information disclosed to the Former Employee as part of the Conduct of Concern was in breach of HPP 11.

IPP 12

  1. The prohibition in IPP 12 on disclosing restricted information is only subject to one exception – if the disclosure is necessary to prevent a serious and imminent threat to life or health.

  2. Given no submissions were made and no evidence was submitted by the Respondent that the disclosure of the restricted information was necessary to prevent a serious and imminent threat to life or health in this case, if there was any disclosure of the restricted information in the Personal and Health Information disclosed by the Respondent to the Former Employee as part of the Conduct of Concern then this will breach IPP 12.

  3. The allegations and occurrence of investigations and conclusions of such investigations as to alleged activities of the Applicant included in the Personal and Health Information disclosed to the Former Employee are personal information about the Applicant and, whether they are true or not, also contain restricted information subject to the prohibition in IPP 12.

  4. As noted in [81] and [82] above, the restricted information was disclosed to the Former Employee in the Personal and Health Information provided to them by the Respondent. I am therefore satisfied, based on the evidence before me, that the Conduct of Concern was in breach IPP 12.

HPP 5

  1. I am satisfied that the Applicant's submissions and evidence that the Conduct of Concern breached HPP 5 raised a legitimate concern as to the apparent lack of reasonable steps or measures taken in accordance with HPP 5 by the Respondent to protect/secure the health information in the Personal and Health Information in the hands of all of the Witnesses. That is, the evidence presented by the Applicant raised the likelihood that the Conduct of Concern may have breached HPP 5 (i.e. the security obligations) in relation to the health information of the Applicant in the Personal and Health Information provided to each of the Witnesses.

  2. The Respondent's limited submissions and evidence in relation to this issue focussed on the training that 'should have been given' previously to the Witnesses as employees (and the Former Employee as a former employee) and the expectation that the two employee Witnesses would generally comply with the existing policies and codes of practice of the Respondent and, for all of the Witnesses, that the threat of 'contempt of court' for any misuse of the Personal and Health Information would be (a) known by the Witnesses and (b) sufficient protection for the health information in the Personal and Health Information. In essence the Respondent's submission is that, in the circumstances, the prior training on the Respondent's Code of Conduct (even for the Former Employee who may no longer legally be obliged to comply with it) and the possibility of being in contempt of court were sufficient steps for the Respondent to meet the requirements of HPP 5, without evidence of the Respondent having taken any specific steps contemporaneous with the provision of the information in question to the Witnesses to protect it from misuse.

  3. Based on the materials before me and the analysis in [128] and [129] above, I am satisfied that, given the sensitivity of the health information of the Applicant in this case, not taking any specific steps or implementing security measures contemporaneous with the providing of the health information in the Personal and Health Information to each of the Witnesses was in breach of the requirements of HPP 5. The failure of the Respondent to take reasonable security safeguards in the circumstances to prevent unauthorised use and/or disclosure or misuse of the health information in the Personal and Health Information in each case of use with Employee 1 and Employee 2 and the disclosure to the Former Employee were in breach of HPP 5.

IPP 5

  1. Having reviewed all of the material before the Tribunal and based on the reasoning above in relation to HPP 5 (see [128] to [129] above), in relation to the personal information in the Personal and Health Information provided to the Witnesses, I am satisfied that the Conduct of Concern was in breach of IPP 5.

HPP 2

  1. HPP 2 is applicable pursuant to the reasoning in [107] or [108]. However, I am satisfied that the health information in the Personal and Health Information was provided by the Applicant to the Respondent as part of their submissions and evidence in the First Proceedings. As such, the collection by the Respondent of that health information in the Personal and Health Information (as provided by the Applicant) for the purpose of the Respondent defending the First Proceedings is not irrelevant, excessive or incomplete and does not intrude to an unreasonable extent on the personal affairs of the Applicant. That is, the Respondent is entitled to collect the information provided to it (and the Tribunal) by the Applicant as part of the Applicant's case before the Tribunal in the First Proceedings.

  2. Based on the evidence before the Tribunal and the analysis in [132] above, I am satisfied that the Conduct of Concern did not breach HPP 2 in relation to any of the health information contained in the Personal and Health Information submitted by the Applicant and collected by the Respondent in and for the purpose of defending the First Proceedings.

HPP 4

  1. HPP 4 is applicable pursuant to the reasoning in [107] or [108] and the requirements of HPP 4(1) are clear. HPP 4(1) requires that the Respondent, in this case, as soon as practicable after collection of the health information of the Applicant takes such reasonable steps in the circumstances to ensure the individual is (i.e. the Applicant in this case was) aware of the matters listed in HPP 4(1).

  2. It is not a question of whether or not the Applicant was or should have been reasonably aware of the matters in HPP 4(1). The question is what steps the Respondent took to ensure that the Applicant was aware of the HPP 4(1) matters and if those steps were reasonable in the circumstances.

  3. On the basis of the submissions and evidence of the Applicant and in the absence of any evidence from the Respondent as to what steps it actually took in relation to HPP 4(1) and if such were reasonable in the circumstances and the analysis in [134] and [135], I am satisfied the Conduct of Concern breached HPP 4(1).

HPP 6

  1. Very little (if any) evidence in relation to the alleged breach of HPP 6(1)(c)(ii) arising from the Conduct of Concern was submitted by the Applicant or the Respondent. On that basis I am unable to find a breach of HPP 6(1)(c)(ii) arising from the Conduct of Concern. However, given that the Applicant provided the health information in question to the Respondent as part of the First Proceedings I believe that, in the circumstances where such health information was provided by the Applicant to the Respondent, it would be extremely hard for the Applicant to establish a breach of HPP 6(1) arising from the Conduct of Concern.

Remedies

  1. In addition to the orders available to the Tribunal under s 55(2) PPIP Act, as noted in [27] above, the Tribunal also has available to it the actions that were available to the relevant administrator under s 53(7) PPIP Act.

  2. The Applicant has, in summary and most relevantly, requested that the following orders be made should the Tribunal find that the Conduct of Concern breached any of the IPPs or HPPs:

  1. Award monetary compensation to the maximum amount permitted for any breaches of the IPPs and separately for any breaches of the HPPs for the financial and psychological loss and damage suffered by the Applicant because of the Conduct of Concern.

  2. Require a formal apology for the Conduct of Concern resulting in breaches of the IPPs and/or HPPs.

  3. Require the implementation of security measures to ensure that the Personal and Health Information provided to each of the Witnesses will not be misused including the return of the irrelevant information provided and execution of appropriate non‑disclosure agreements.

  4. Require appropriate training for the officers of the Respondent.

  5. Prohibiting the Respondent from further disclosing the Applicant's Personal and Health Information without the consent of the Applicant.

  1. There are limits to the orders that the Tribunal can make, as noted in [26] above, and thus I have interpreted the Applicant's requested remedies and orders in light of the orders available to the Tribunal in these proceedings. In particular, as regards [139(5)] the Respondent may in the future legitimately be entitled under the PPIP Act and/or HRIP Act to use/disclose some or all of the Personal and Health Information and this order, if made, would be contrary to the PPIP Act and/or HRIP Act.

  2. Section 55(2)(c) PPIP Act empowers the Tribunal to make an order requiring the performance of relevant IPPs and/or HPPs. I am of the view that, in the current case, s55(2)(c) of the PPIP Act empowers the Tribunal to order the performance of IPPs 5, 10, 11 and 12 and HPPs 4, 5, 10 and 11 by the Respondent because the Conduct of Concern has been found to contravene these IPPs and HPPs.

  3. The orders available to the Tribunal in this case also include what may be described as those requiring the implementation of administrative measures to ensure that the Conduct of Concern or similar will not occur again to the Applicant. In support of this, as noted in DTN v Commissioner of Police (No 3) [2020] NSWCATAP 73 (DTN No 3) at [105], the Appeal Panel found that:

… If the conduct was to be too narrowly construed, there would be no or little role for any decision to put in place administrative measures to ensure that the "conduct" will not occur again. Any such decision is of course a discretionary remedy depending on all of the circumstances and the submissions of the parties.

  1. Also, as regards the requested monetary compensation, I note that the Conduct of Concern in these proceedings has exacerbated (but is not the original cause of) the financial loss of and psychological damage to the Applicant. The main source or origination of such financial loss and psychological damage is a more appropriate consideration (and for which substantial evidence including the Personal and Health Information has been submitted) in relation to the conduct of concern in the First Proceedings. Therefore, my consideration of monetary compensation for the damages and loss suffered by the Applicant from the Conduct of Concern in these proceedings has focused on the exacerbation of any such financial loss and psychological damage caused by the Conduct of Concern. As a result the issue of the $40,000 cap, whether the monetary cap under s 55(2)(a) PPIP Act in these joined proceedings would apply as an aggregate total or for each of the AR Application and the HRIP Act AR Application does not arise for the consideration of the Tribunal.

  2. I am satisfied from the evidence submitted by the Applicant (see [79(5)] above) that the Conduct of Concern has exacerbated and worsened the existing psychological condition, including anxiety, suffered by the Applicant and perpetuated their difficulty in seeking and obtaining new employment. In particular, I refer to the doctor's letter dated 21 October 2021 referring to the Conduct of Concern and concluding, in summary, that:

This [Conduct of Concern] has escalated [the Applicant's] anxiety … There are now additional psychological barriers for [the Applicant] to overcome.

  1. In coming to the amount of damages to be awarded in this case I have considered the doctor's letter and the reasoning in NK v Northern Sydney Central Coast Area Health Service (No. 2) [2011] NSWADT 81 and DTN v Commissioner of Police [2022] NSWCATAD 134 at [89] to [92]. Based on the material before me I am satisfied that the psychological impact of the Conduct of Concern on the Applicant in this case was in the moderately severe range (i.e. as causing an escalation of the Applicant's anxiety and imposing additional psychological barriers for them to overcome). Also, given the lack of evidence as to the exact incremental financial impact of the Conduct of Concern on the Applicant's ability to seek and secure employment (as opposed to any financial impact and loss caused by the conduct of concern in the First Proceedings), I have only awarded a token amount of $5,000 for the Applicant's financial loss as regards the incremental delays caused by the Conduct of Concern to the Applicant re-entering the workforce.

  2. Based on the materials before the Tribunal, taking into account the submissions of the parties and the other orders I am making, I am satisfied that the specific redactions requested by the Applicant can adequately be dealt with by rephrasing or genericising them, which I have done, or by leaving the wording in these Reasons for Decision as is where I am satisfied that such wording does not reasonably (especially with the other changes made) identify the Applicant (see Ritson v Commissioner of Police [2022] NSWCATAP 223 at [74] and [82]). That is, the Tribunal has addressed those issues raised by the Applicant (which were accepted by the Tribunal) without the need for ordering specific redactions to and/or non‑disclosure of (or any part of) these Reasons for Decision under s 64 CAT Act.

  3. However, based on the materials before me and given the extreme sensitivity of much of the Personal and Health Information (and the fact that it contains restricted information) and that such is used and referred to throughout the evidence and submissions of the parties, I am satisfied that in order to avoid the detriment that would otherwise arise from publication of the Personal and Health Information of the Applicant it is desirable within the meaning of s 64(1) CAT Act that some of the relevant publication restrictions under s 64 CAT Act requested by the Applicant be imposed.

Conclusion

  1. Given the analysis above, in making orders under ss 53 and 55 PPIP Act, I have sought to remedy the 'loss and damage' suffered by the Applicant resulting from the Conduct of Concern, generally ensure that the Respondent performs the relevant IPPs and HPPs and, specifically, that the Conduct of Concern or similar does not occur again in relation to the Applicant.

Orders

  1. Pursuant to s 64 of the Civil and Administrative Tribunal Act 2013 (CAT Act) the publication of the name of the applicant and any of the witnesses in these proceedings or reference to any information, picture or other material that identifies any of those persons or is likely to lead to the identification of any of those persons is prohibited.

  2. Pursuant to s 64(1)(c) CAT Act the publication by other than the Applicant of the evidence and submissions of the parties filed with the Tribunal or otherwise served on either party in these proceedings (including the matters contained in such) is prohibited.

  3. A further hearing in relation to the joined HRIP Act AR Application (i.e. the Health Case) and the Applicant's Application for Miscellaneous Materials dated 6 July 2022 is dispensed with under s 50 of the CAT Act.

  4. The internal review decision of the Respondent is set aside.

  5. Within 21 days of the Applicant providing their bank account (or other acceptable payment method) details to the Respondent, the Respondent is to pay the Applicant $12,500 as compensation for the harm and loss suffered by the Applicant as a result of the Conduct of Concern.

  6. Within 21 days of the date of these Reasons for Decision the Respondent is to provide an unreserved formal written apology to the Applicant signed by the Mayor of Cumberland City Council addressing and apologising for the Respondent's breaches of IPPs 5,10, 11 and 12 and HPPs 4, 5, 10 and 11 in respect of the personal, health and IPP 12 restricted information of the Applicant, as identified in these Reasons for Decision, and for all harm, distress, loss and embarrassment caused to the Applicant resulting from such.

  7. Within 21 days of the date of these Reasons for Decision the Respondent is to perform IPPs 5 and 12 and HPP 5 by:

  1. for all copies (digital and hard copies) of the Personal and Health Information provided to each of the Witnesses, redacting from or retrieving all of the personal and health information which each witness does not (or in the case of these proceedings no longer) require for their evidence. For example, all of the Personal and Health Information not referred to in their witness statement or reasonably required for them to give their evidence and all of the IPP 12 restricted information disclosed to all non‑employee witnesses must be redacted from what was provided to them or retrieved by the Respondent and appropriate security safeguards are implemented to satisfy the Respondent that none of the Witnesses retain or have misused any of that information;

  1. in relation to any personal and/or health information about the Applicant in the Personal and Health Information to be retained by the Witnesses (and any IPP 12 restricted information to be retained by the employee witnesses), implementing such administrative measures necessary to ensure that the Applicant's personal, health and/or IPP 12 restricted information is protected by taking such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure and against all other misuse (which steps might include an appropriate confidentiality or non‑disclosure agreement with each of the Witnesses); and

  2. for all other and any future proceedings involving FMH, implementing such administrative measures necessary to ensure that FMH's IPP 12 restricted information is not disclosed except as permitted by IPP 12 and FMH's personal and/or health information used or disclosed in relation to any such proceedings is protected by taking such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure and against all other misuse of that information (which includes use contrary to IPP 10 and HPP 10 and disclosure contrary to IPPs 11 and 12 and HPP11).

  1. Within 45 days of the date of these Reasons for Decisions the Respondent is to perform HPP 4 including by implementing such:

  1. training, awareness raising and safeguards; and

  2. administrative measures,

necessary to ensure that in respect of health information about FMH collected by the Respondent relating to any internal or external administrative review and related proceedings the Respondent takes such steps as are reasonable in the circumstances to ensure that FMH is aware of the matters noted in HPP 4(1).

  1. Within 45 days of the date of these Reasons for Decisions the Respondent is to perform HPP 10 and IPP 10, in relation to all health and/or personal information about FMH held by the Respondent as a result of or in relation to any administrative reviews or resulting proceedings, including by implementing such:

  1. training, awareness raising and safeguards; and

  2. administrative measures,

necessary to ensure the Respondent will, having regard to the purpose for which FMH's health and/or personal information is collected, ensure that all of that health and/or personal information about FMH not reasonably required by any employee as a witness for the scope of their evidence is only used in compliance with, as relevant, HPP 10 or IPP 10.

  1. Within 45 days of the date of these Reasons for Decisions the Respondent is to perform HPP 11 and IPP 11, in relation to all health and/or personal information about FMH held by the Respondent as a result of or in relation to any administrative reviews or resulting proceedings, including by implementing such:

  1. training, awareness raising and safeguards; and

  2. administrative measures,

necessary to ensure the Respondent will, having regard to the purpose for which FMH's health and/or personal information is collected, ensure that all of that health and/or personal information about FMH not reasonably required by any non-employee as a witness for the scope of their evidence is only disclosed in compliance with, as relevant, HPP 11 or IPP 11.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 31 August 2022

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

2

GNJ v University of NSW [2025] NSWCATAD 216
GGP v Lismore City Council [2024] NSWCATAD 308
Cases Cited

27

Statutory Material Cited

7

ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122
APV v Department of Finance and Services [2016] NSWCATAD 168
CEU v University of Technology Sydney [2018] NSWCATAD 13