FMM v iCare NSW
[2024] NSWCATAD 374
11 December 2024
Civil and Administrative Tribunal
New South Wales
Medium Neutral Citation: FMM v iCare NSW [2024] NSWCATAD 374
Hearing dates: 23 September 2024
Date of orders: 11 December 2024
Decision date: 11 December 2024
Jurisdiction: Administrative and Equal Opportunity Division
Before: Emeritus Prof R Graycar, Senior Member
Decision: The application for review is dismissed.
Catchwords: Privacy and Personal Information Protection Act 1998 (NSW); Information Protection Principles (IPPs), Health Records and Information Privacy Act 2002 (NSW); Health Privacy Principles (HPPs); “person aggrieved”; jurisdiction of Tribunal
Legislation Cited: Administrative Decisions Review Act 1997 (NSW)
Civil and Administrative Tribunal Act 2013 (NSW)
Health Records and Information Privacy Act 2002 (NSW)
Interpretation Act 1987 (NSW)
Privacy and Personal Information Protection Act 1998 (NSW)
Cases Cited: Alcan (NT) Alumina Pty Ltd v Commissioner of Territory Revenue (NT) (2009) 239 CLR 27; [2009] HCA 41
Altaranesi v Administrative Decisions Tribunal [2012] NSWCA 19
AOZ v Rail Corporation (No 2) [2015] NSWCATAP 179
AQO v Minister for Finance and Services [2016] NSWCA 248
Citta Hobart Pty Ltd v Cawthorn (2022) 276 CLR 216; [2022] HCA 16
JKQT and Commissioner of Taxation (Taxation) [2019] AATA 5034
Koowarta v Bjelke-Petersen [1982] HCA 27; (1982) 153 CLR 168
Kuswardana v Minister for Immigration and Ethnic Affairs [1981] FCA 66; (1981) 35 ALR 186
Nasr v State of New South Wales [2007] NSWCA 101
South East Forest Rescue Inc v Forestry Corporation of New South Wales (No 2) [2024] NSWCA 113
Texts Cited: None
Category: Principal judgment
Parties: FMM (Applicant)
iCare (Respondent)
Representation: Counsel:
J Curtin (Respondent)
Solicitors:
Piper Alderman (Applicant)
Norton Rose (Respondent)
File Number(s): 2023/00424805
Publication restriction: 1. The publication or broadcast of the name of the applicant is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW) (CAT Act).
2. The publication or broadcast of the names of the persons, other than the applicant, listed in column G under the heading 'Worker Name' of the Report contained in the attachment to the 9 May 2022 email in the Second Further Confidential Supplementary Bundle of Documents is prohibited pursuant to s 64(1)(a) of the CAT Act.
Note: A reference to the name of a person includes a reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person.
3. The publication of the Report contained in the Second Further Confidential Supplementary Bundle of Documents is prohibited pursuant to s 64(1)(c) of the CAT Act.
4. Disclosure to the Applicant of the Report contained in the Second Further Confidential Supplementary Bundle of Documents is prohibited pursuant to s 64(1)(d) of the CAT Act.
REASONS FOR DECISION
Introduction and Background
The applicant is seeking review of a decision relating to the conduct of the respondent in providing her with information that included her name, names of others and other personal data in a spreadsheet entitled “Cost of Claims Report” (CCR).
The disclosure occurred in the context of earlier Tribunal proceedings which concerned an email sent to a third party on 9 May 2022: see FMM v Nominal Insurer [2023] NSWCATAD 114 (FMM1); Insurance and Care NSW v FMM [2024] NSWCATAP 43 (FMM AP). The email sent on 9 May 2022 to an insurance broker had attached to it a spreadsheet containing personal and health information of the applicant. The recipient had opened the email but upon realising that it had been sent in error, deleted it before reading the attachment.
In the course of preparing for the hearing of the matter resulting in the FMM1 decision, the applicant applied for the issue of a summons on 14 November 2022 by which she sought production of, among other things, “a full unedited version of the original email that icare sent out to the incorrect employer/broker who received a Report with my personal and sensitive health information complete with attachments, inclusive of the message contained in the body of the email and also including the recipients and sender of this email”.
By an email sent at 6.29pm on 15 November 2022, a solicitor at the NSW Crown Solicitor’s Office (CSO) who had apparently accepted service of the summons on behalf of the respondent, sent the applicant an email and attachments, “to be of assistance”, noting that this was not a formal response to the summons and did not fully respond to the summons which was listed for a short hearing on Monday 21 November 2022. Attached to the solicitor’s email was a full unredacted copy of the CCR under cover of that email (15 November Email).
By email of 18 November 2022, the same solicitor wrote to the applicant stating that the solicitor had been instructed that the 15 November Email was the same as the one that had been provided to the applicant and the Tribunal as part of the documents provided under s 58 of the Administrative Decisions Review Act 1997 (NSW) (ADR Act) in October 2022 for the FMM1 proceedings. However, the solicitor had subsequently become aware that the CCR sent under cover of the 15 November Email was not the same version. This was because it included “information unrelated” to the applicant’s claim. In fact, it was a full copy of the document whereas the document that was the subject of the FMM1 proceedings had been redacted to include only information about the applicant.
As a result of the unredacted CCR being sent to the applicant by mistake, the solicitor requested by the email of 18 November 2022 that the applicant “delete all copies of the Cost of Claims Report and [the] email of 15 November attaching it as soon as reasonably practicable”. The solicitor also asked for written confirmation that this had been done.
There was also apparently a telephone discussion between the solicitor and the applicant on 18 November 2022. On 21 November 2022, the applicant replied to the solicitor by email stating that she could “confirm that I have deleted the attachments”. Also on 21 November 2022, there was a case conference in preparation for the hearing of the FMM1 matter before the Tribunal. A transcript of that case conference is included in the bundle of material that was before this Tribunal.
These proceedings concern the sending of the 15 November Email. The applicant raised concerns about her receipt of that email at the case conference on 21 November 2022 and there was some discussion as to the relevance of it to the proceedings then before the Tribunal which, as outlined above, concerned the email sent to a third party on 9 May 2022.
The internal review decision
On 4 September 2023, the applicant submitted an application for internal review in relation to the disclosure to her of the unredacted material sent to her via the 15 November Email. On 3 November 2023, an internal reviewer found that iCare had not contravened the privacy legislation and recommended that the respondent take no further action in relation to the matter.
The key points made in the internal review decision (IRD) included the following:
The review related to “the conduct of legal advisers engaged by iCare for the purpose of proceedings in the Tribunal”. The IRD set out the text of what had been sought by the applicant via the summons of 15 November 2022 and noted that after the CSO was served with the summons, they in turn sought the original email from the respondent. The email and the CCR were provided by the respondent to the CSO, who then passed it on to the applicant.
After the respondent’s solicitor became aware that the full CCR had been sent to the applicant in error, the applicant was advised of the error and asked to delete it. She indicated on 21 November 2022 that, as requested, she had deleted the material. Although there was no “mandatory requirement” to do so, iCare notified the Information and Privacy Commissioner (IPC) of a data breach on 9 December 2022. iCare also notified the State Insurance Regulatory Authority (SIRA) of the breach on 8 December 2022.
The Tribunal had made an order prohibiting the publication or broadcast of the names of any person listed in the spreadsheet other than the applicant on 23 May 2023, ie, when it made the decision in FMM1: see FMM1 orders 12, 13 and 14.
The internal review was conducted pursuant to s 53 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act). The IRD noted that the applicant was concerned about the disclosure of her colleagues’ information and that the incident had caused her stress and anxiety. She was seeking the answers to questions that included the cause of the disclosure; “why security measures weren’t in place”, and whether the CSO had access to iCare’s system. By way of remedy, she sought a formal apology and compensation.
The IRD noted that the IPC was notified of the internal review application, as required by s 54(1) of the PPIP Act.
The IRD referred to relevant provisions of the PPIP Act (ss 12 and 18) as well as relevant Information Protection Principles (IPPs), specifically IPP 5 (Retention and Security) and IPP 11 (Limits on the disclosure of health information). The reviewer also referred to the analogous provisions in the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) referring to s 6(1) and the Health Privacy Principles (HPPs): HPP 5 and HPP 11.
The IRD found that the applicant was a person who was “aggrieved” by the conduct of a public sector agency for the purposes of s 53(1) of the PPIP Act, referring to a number of decisions that had considered s 53(1). In applying them to the facts of this case, the IRD referred to the following matters as demonstrating that the applicant had “suffered some tangible and measurable impact”:
The email was sent to her and therefore the event of disclosure “personally involved her”;
The disclosure had caused her “immense stress and anxiety”;
The disclosure had had a “huge impact” on the applicant’s mental health and she had suffered psychological harm; and
It could impact the applicant’s future employment opportunities due to her “lack of trust” that sensitive personal information is protected.
The application for internal review was made outside the statutory period (6 months) but the IRD extended the time for making the application.
In relation to the substantive issues, the IRD found:
iCare did not contravene IPP5 and HPP5 as there were “no further security measures that iCare could have implemented to prevent disclosure by the CSO”.
The provision of personal or health information to a solicitor retained by an agency is not a disclosure of information for the purposes of the PPIP Act or HRIP Act, but rather is a “use” of information. Thus the provision of the original email by iCare to its solicitor (CSO) for the purpose of the Tribunal proceedings was not a “disclosure” of information. It followed that iCare had not contravened IPP 11 and HPP 11.
Having made those findings, the IRD recommended that iCare take no further action on the matter.
The Tribunal proceedings
The applicant applied to the Tribunal for review on 23 November 2023. By submissions dated 19 January 2024, the respondent sought to have the proceedings dismissed pursuant to s 55(1)(b) of the Civil and Administrative Tribunal Act 2013 (CAT Act) which provides that the Tribunal may dismiss the proceedings if it considers that the proceedings are frivolous or vexatious or otherwise misconceived or lacking in substance. The main basis of the application was said to be that the Tribunal does not have jurisdiction to hear the application as the applicant is not a person “aggrieved” by the conduct of a public sector agency within the meaning of s 53(1) of the PPIP Act.
The Applicant opposed the summary dismissal application for reasons set out in its submissions on jurisdiction filed on 2 February 2024 to which the respondent replied by submissions dated 19 February 2024.
The Tribunal made a number of orders in the matter prior to the final hearing that took place on 23 September 2024. These include:
Procedural orders dated 18 December 2023 and 5 February 2024, setting a timetable for evidence and submissions on the application made by the respondent pursuant to s 55(1)(b) of the CAT Act. While not a party to the application, the Information and Privacy Commissioner (IP Commissioner) was noted as appearing and having a right to be heard. Ultimately, the IP Commissioner did not participate in the proceedings.
Orders made 14 June 2024: the Tribunal formed the view that the s 55(1)(b) application should not be determined separately from the substantive review so the matter was listed for further case conference on 21 June 2024 when further procedural orders were made. These included orders about an application filed by the Respondent on 21 December 2023 pursuant to s 59(1) of the Administrative Decisions Review Act 1997 (NSW) (ADR Act). Additionally, the Tribunal in a notation to the orders made 21 June 2024, referred to the fact that “in determining the applicant’s internal review application … the respondent found that she was an aggrieved person” and raised with the parties whether this was an issue relevant to the question of the applicant’s standing and/or the Tribunal’s jurisdiction.
On 3 July 2024, further orders were made for the parties to provide evidence and submissions and the matter was set down for hearing on 23 September 2024. The respondent was required to provide the Tribunal with a copy on a confidential basis of the CCR in the form that had been provided to the Tribunal in FMM1. Confidentiality orders were also made under s 64(1)(a); (c) and (d) of the CAT Act. The orders of 3 July 2024 also contained detailed notes. The first summarised the subject of the application (being the “disclosure to the applicant, on 15 November, by the [CSO] of an unredacted copy of the respondent’s Costs of Claim Report as at 30 April 2022”). It was also noted that the parties had been “encouraged to endeavour to resolve the matter” but that in the event the matter proceeded, the issues were identified as:
(a) Does the Tribunal have jurisdiction to hear and determine the applicant’s application?
(b) Was the conduct the subject of the applicant’s internal review application a breach of an information privacy principle under the PPIP Act or a health privacy principle under the HRIP Act?
(c) In the event (a) and (b) are satisfied, what action if any should be taken?
Summary of findings
For the reasons elaborated upon below, the Tribunal has found:
The Tribunal does not have jurisdiction to hear and determine the application as the applicant is not a person relevantly aggrieved by the conduct in issue;
Even if, contrary to the finding above, the Tribunal had jurisdiction, the conduct the subject of the application was not a breach of an IPP under the PPIP Act or a HPP under the HRIP Act.
It follows that there is no need to consider what action if any should be taken.
The relevant legislation
Section 7(1) of the ADR Act provides that “An administratively reviewable decision is a decision of an administrator over which the Tribunal has administrative review jurisdiction”. While “decision” is broadly defined in s 6 of the ADR Act, by s 7(2) and “for the avoidance of doubt, the conduct of an administrator (or a refusal by an administrator to engage in conduct) is an administratively reviewable decision if enabling legislation identifies that conduct or refusal as conduct or refusal over which the Tribunal has administrative review jurisdiction”.
Section 9(1) provides:
9 When administrative review jurisdiction is conferred
(1) The Tribunal has administrative review jurisdiction over a decision (or class of decisions) of an administrator if enabling legislation provides that applications may be made to the Tribunal for an administrative review under this Act of any such decision (or class of decisions) made by the administrator:
(a) in the exercise of functions conferred or imposed by or under the legislation, or
(b) in the exercise of any other functions of the administrator identified by the legislation.
By s 9(2) of the ADR Act, “If enabling legislation makes provision for applications to be made to the Tribunal in respect of an administratively reviewable decision subject to certain conditions, the Tribunal has jurisdiction under the enabling legislation only if those conditions are satisfied”.
Section 63 of the ADR Act relevantly provides:
63 Determination of administrative review by Tribunal
(1) In determining an application for an administrative review under this Act of an administratively reviewable decision, the Tribunal is to decide what the correct and preferable decision is having regard to the material then before it, including the following:
(a) any relevant factual material,
(b) any applicable written or unwritten law.
(2) For this purpose, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision.
Section 28(1) of the CAT Act is also relevant. It provides: “The Tribunal has such jurisdiction and functions as may be conferred or imposed on it by or under this Act or any other legislation”. In relation to administrative review jurisdiction, s 30(1) of the CAT Act refers in turn to s 9 of the ADR Act, which refers to jurisdiction conferred on the Tribunal by enabling legislation.
In this case the relevant enabling legislation is the PPIP Act. Part 5 of that Act is headed Review of Certain Conduct. Section 52(1) provides:
52 Application of Part
(1) This Part applies to the following conduct—
(a) the contravention by a public sector agency of an information protection principle that applies to the agency,
(b) the contravention by a public sector agency of a privacy code of practice that applies to the agency,
(c) the disclosure by a public sector agency of personal information kept in a public register.
Section 53(1) of the PPIP Act provides that “A person (the applicant) who is aggrieved by the conduct of a public sector agency” may apply for internal review of a decision. And by s 55 of the PPIP Act, a person who has applied for internal review and is not satisfied by the outcome of the internal review, may “apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.”
The PPIP Act also contains a number of relevant definitions and the IPPs which are set out in ss 8-19 of that Act. By s 4, personal information is defined as meaning “information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”. Sections 18 and 12 of the PPIP Act also provide:
18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless—
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
The applicant also relies on s 12 of the PPIP Act which provides:
12 Retention and security of personal information
A public sector agency that holds personal information must ensure—
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
The relevant IPP is No 5 (and see also HRIP Act Schedule 1 (Health Privacy Principles) (HPP) clause 5 which is in virtually identical terms to s 12 of the PPIP Act).
The definition of “personal information” in s 4 of the PPIP Act excludes health information. Health information is defined in s 6 of the HRIP Act as follows:
In this Act, health information means—
(a) personal information that is information or an opinion about—
(i) the physical or mental health or a disability (at any time) of an individual, or
(ii) an individual’s express wishes about the future provision of health services to him or her, or
(iii) a health service provided, or to be provided, to an individual, or
(b) other personal information collected to provide, or in providing, a health service, or
…
Section 3 of the HRIP Act provides:
3 Purpose and objects of Act
(1) The purpose of this Act is to promote fair and responsible handling of health information by—
(a) protecting the privacy of an individual’s health information that is held in the public and private sectors, and
(b) enabling individuals to gain access to their health information, and
(c) providing an accessible framework for the resolution of complaints regarding the handling of health information.
(2) The objects of this Act are—
(a) to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information, and
(b) to enhance the ability of individuals to be informed about their health care, and
(c) to promote the provision of quality health services.
Other relevant provisions include s 11 of the HRIP Act which applies to “every organisation that is a health service provider [defined in s 4] or that collects, holds or uses health information”. By ss 11(2) and (3):
(2) An organisation to whom or to which this Act applies is required to comply with the Health Privacy Principles and with any health privacy code of practice or provision of Part 4 that is applicable to the organisation.
(3) An organisation must not do anything, or engage in any practice, that contravenes a Health Privacy Principle or a health privacy code of practice or a provision of Part 4 in respect of which the organisation is required to comply.
The relevant HPP in this case is HPP 11:
11 Limits on disclosure of health information
(1) An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected [subject to a range of exceptions]
The review provision of the HRIP Act is s 21:
21 Complaints against public sector agencies
(1) The following conduct by a public sector agency is conduct to which Part 5 (Review of certain conduct) of the PPIP Act applies—
(a) the contravention of a Health Privacy Principle that applies to the agency,
(b) the contravention of a health privacy code of practice that applies to the agency.
The applicant’s case
In summary, the applicant contends that she is a person aggrieved by the conduct of a public sector agency for the purposes of s 53(1) of the PPIP Act (which, she notes, is consistent with the finding on internal review); and that the correct and preferable decision is that the conduct of the CSO solicitor in sending the applicant the 15 November Email (on behalf of the respondent) was a breach of s 18 of the PPIP Act; and of cl 11 of Schedule 1 of the HRIP Act. The applicant also contends that the respondent breached s 12 of the PPIP Act and clause 5 of Schedule 1 of the HRIP Act.
The applicant provided evidence by way of two affidavits as follows:
Affidavit of FMM dated 2 February 2024 (First Affidavit): the applicant set out the circumstances of the “first breach” which concerned the release of her personal and health information to an unrelated third party on 9 May 2022 and noted that the Tribunal in FMM1 found that it caused a “severe exacerbation of [her] psychological injury”. She stated that there was a further disclosure on 15 November 2022 and that she became aware on 18 November 2022 that the 15 November Email was sent to her in error. She recalled seeing a list of information of her “friends, former colleagues and other individuals” which was “personal and sensitive” and included information about their wages/income; compensable injury and cause; investigation costs and medical costs. She claimed that reviewing those details in relation to those other persons “caused [her] to relive the events that caused [her] injury” and had caused her “significant distress”. She claims that her psychological condition, which precludes her from undertaking paid employment, has been exacerbated by the sending of the 15 November Email. Attached to the affidavit were reports from health practitioners:
Report of Mr S Anthony, psychologist: 1 February 2024. Mr Anthony stated that “stress levels have increased in recent times due to exposure of personal information about herself and other workers compensation recipients including former colleagues.”
Report of Dr Eddie So, Consultant Psychiatrist, 2 February 2024, provided in support of her “coming attendance at the Tribunal”. Dr So stated:
In my opinion, [the applicant]’s distress and illness is directly work related … in nature of a bullying practice and being stalked by a senior staff. [The applicant']s condition exacerbated and took on a chronic course since the breach of privacy (leaking of sensitive personal data) in the process of an extremely stressful and obfuscated iCare workers compensation process.
[The applicant’]s mental condition has further deteriorated in late 2022, after a second breach of sensitive personal data (a breach allegedly involving 1000 employee from [redacted] from icare through their legal representative.
Affidavit of FMM dated 26 July 2024 (Second Affidavit): she explains that the “2nd breach” involved the disclosure to her of an excel spreadsheet with 1002 Cost of Claims reports containing personal and health information “relating to my claims, as well as the claims of my friends and former colleagues”. She states that she had applied for a summons; and she did not request an informal response to it. Nor did she anticipate that she would see a copy of the cost of claims report. She stated that she understood that the information would go to the Tribunal rather than to her. When she received it she opened the email as well as the attachment and read the contents. She stated: “I recall noting that the information was highly sensitive personal and health information, and that the majority of the information contained in the attachment, was not previously known to me and was named known to me only because of the second breach. I remember being distressed to know that so many employees and/or former employees of my former employer appeared to have suffered similar injuries to mine”. She became aware that it had been sent in error on receipt of a letter from the Crown Solicitor's Office which she annexed. She claimed that “reviewing the reports in relation to my friends and former colleagues, who suffered injuries in either identical or very similar circumstances to me caused me to relive the events that caused my injury, and it was extremely distressing to know information about them that I did not know and considered I should not have known”. She annexed reports from her treating practitioners and expressed the opinion that the second breach demonstrates that icare “will continue to be careless” with personal and health information; “has failed to demonstrate any genuine insight into the impact of its careless conduct; will continue to carelessly disclose personal and health information of others; and will continue to try and avoid the consequences of its actions”.
Annexed were:
Letter from CSO to applicant 18 November 2022, notifying of erroneous disclosure and asking her to delete the information;
Extracts from a publicly available Costs of Claims Glossary;
Report of Mr Anthony 19 July 2024: He stated that the applicant “has continued to attend fortnightly consultations. … The impact of a further disclosure of personal information in November 2022 concerning workers compensation recipients has been significant … This has taken the form of vicarious traumatic reaction. …. [T]he traumas she has suffered as the as a result of the circulation of personal information in November 2022 regarding herself and other workers compensation recipients have demoralised her and self confidence in relation to employment has been shattered. Due to aggravated psychological injury she is now unlikely to apply for employment in the future”
Report of Dr Eddie So, 23 July 2024. Dr So repeats what was contained in his February 2024 report and then adds “The realisation and the shock that there exists such a high level of injuries and psychological damage in her workplace has precipitated immediate flashbacks and re traumatization in the patient”.
The applicant gave oral evidence at the hearing where she was cross-examined by the respondent.
The applicant also provided written submissions on jurisdiction dated 2 February 2024; submissions dated 2 July 2024 (in relation to an interlocutory application) and the substantive submissions on 26 July 2024. Her case, as put in those submissions and in oral submissions at the hearing, can be summarised as follows:
The respondent is a “public sector agency” within the meaning of s 53 of the PPIP Act and a “health service provider” as defined in s 4(1) of the HRIP Act;
Whether a person is “aggrieved” is a question of fact and in this case, the applicant’s interest is more than that of an ordinary member of the public;
The applicant has suffered “severely, with tangible and measurable impact (including psychological harm) as a result of the disclosure”;
The definition of a person “aggrieved” should be construed broadly (referring to the decision of the NSW Court of Appeal in Altaranesi v Administrative Decisions Tribunal [2012] NSWCA 19 (Altaranesi));
An action under the PPIP Act is available where the complaint involves the person’s own personal information and also where a person other than the person about whom the information in question relates has suffered some tangible and measurable impact. In this case, the applicant falls into both categories.
Since both the PPIP Act and HRIP Act are beneficial legislation, the expression “personal information” should be interpreted broadly and exclusions construed narrowly. Even if the applicant’s own information is not the subject of the conduct, the applicant is “aggrieved” if she was “specifically and adversely affected by the alleged breach”.
The relevant disclosure does not fall within the scope of any of the exclusions identified in s 18(1) of the PPIP Act.
While the relevant disclosure was a response to a summons issued by the applicant, the applicant had not requested informal production of the requested information, “nor did she intend to review the Costs of Claims attachment”.
There is a breach of s 18(1) of the PPIP Act even if the disclosure is to the person who is the subject of the information (rather than to a third party). “Disclosure” should be given a “liberal construction” with due regard to the aims and objectives of the legislation; and should include “making known to a person information that the person to whom the disclosure is made did not previously know”. That can relate to information about the applicant herself.
The applicant submitted that disclosure of information about persons other than herself interfered with the applicant’s financial interests or otherwise had a prejudicial effect on her because:
the applicant does not anticipate being able to undertake paid employment in the near future or at all;
the applicant is under pressure not to disclose the information she has found out about her colleagues which “has had a significant impact on the applicant’s mental health”;
the applicant experiences great stress and fear when required to provide personal information to a government authority;
as noted by the tribunal in FMM1, the first breach caused her psychological harm and the second breach has exacerbated those symptoms (referring to the evidence annexed to her February 2024 affidavit);
The applicant relies on the medical reports annexed to the Second Affidavit.
In relation to whether there has been a breach of the PPIP Act or the HRIP Act, the applicant contends that the information disclosed in the 15 November Email was “personal and health information within the meaning of the PPIP and HRIP Acts”. The words in parentheses in s 18(1) – “(other than the individual to whom the information relates)” – should be read as applying only to information not already known to the person. In any event, clause 11 of Schedule 1 of the HRIP Act does not contain any similar carve out.
In relation to the information in question, the information about herself was personal and health information that she did not previously know. There was also information disclosed to her about her colleagues, including two who were her own team members. That disclosure is actionable as it caused an exacerbation of her previous psychological harm.
The circumstances in which the disclosure occurred are also relevant. The applicant did not seek an informal response to the summons and the fact that the 15 November Email was provided to the applicant by the CSO rather than the respondent is irrelevant as the CSO was acting on the respondent’s instructions.
Finding that there have been breaches of s 18 of the PPIP Act and clause 11 of Schedule 1 the HRIP Act “would be consistent with the intended purpose and object of each of those Acts”.
The respondent also breached s 12 of the PPIP Act and clause 5 of Schedule 1 of the HRIP Act by not having safeguards that prevented the wrongful disclosure of information, particularly in circumstances where the disclosure occurred in the context of proceedings about a different earlier disclosure.
The applicant suffered financial loss in bringing the proceedings and has experienced “significant psychological harm as a result of the respondent’s conduct” and should be awarded the maximum damages available under the legislation, as a deterrent without which, she contends, the respondent will continue to “carelessly disclose personal and health information” and avoid the consequences of its actions.
-
The respondent’s case, as relevant to this hearing, is set out in some detail in the following:
submissions filed 19 January 2024 – on jurisdiction;
submissions filed 19 February 2024 – reply submissions on jurisdiction;
submissions dated 30 August 2024.
-
In addition to a bundle of documents provided pursuant to s 58 of the ADR Act, the respondent also provided confidential documents on 3 July 2024 and 5 July 2024. The respondent also provided an encrypted USB with the CCR on 30 August 2024. Supplementary tender bundles were filed on 30 August 2024 and 17 September 2024. At the hearing, the respondent provided the Tribunal with an aide memoire for each of those supplementary tender bundles, the contents of which are the records of the two health professionals whose reports are annexed to the First and Second Affidavits. Finally, due to difficulties accessing the confidential material provided, the respondent provided a further copy of the Second Further Confidential Supplementary Bundle of Documents on 3 October 2024 and orders were made pursuant to s 64 of the CAT Act on that date.
-
The respondent’s case, as put in the submissions and orally at hearing, can be summarised as follows:
The Tribunal has no jurisdiction to review the application pursuant to s 55 of the PPIP Act or s 21 of the HRIP Act as the applicant is not a person “aggrieved” within the meaning of s 53(1) of the PPIP Act and the right to seek review is limited to a person who is “aggrieved” by the conduct of a public sector agency.
The fact that the respondent’s position on jurisdiction is contrary to that adopted by it on internal review does not prevent the respondent from taking this position in the Tribunal. It is for the Tribunal to satisfy itself that it has jurisdiction. That must be determined by reference to the relevant legislation that confers jurisdiction and a concession made by a public sector agency cannot confer jurisdiction. This also follows from the nature of the review jurisdiction of the Tribunal which is to review the conduct of the relevant agency, rather than to review the respondent’s findings in relation to that conduct.
The meaning of the words “person aggrieved” was considered by the Court of Appeal in Altaranesi at [52] where that Court noted that in order to be “aggrieved” within the meaning of s 53(1), the disclosure of information must have “prejudicially affected that person’s interests”, referring in turn to the decision of the High Court of Australia in Koowarta v Bjelke-Petersen [1982] HCA 27; (1982) 153 CLR 168 at 184-185.
After referring to a number of decisions of the Tribunal finding that an applicant did not have standing where the disclosure of information was about persons other than the applicant, the respondent contended that the applicant’s interests were not prejudicially affected by the sending of the 15 November Email and thus she was not a person aggrieved as:
Section 18(1) and clause 11 of Schedule 1 of the HRIP Act (IPP 11 and HPP 11) do not prohibit the disclosure of a person’s health or personal information to the individual about whom the information relates. While the disclosure of health or personal information about a person may be actionable, any such disclosure must, for the purposes of enlivening s 18 of the PPIP Act, be to another person. The provision of information to the applicant of her own information is not conduct in breach of an IPP and it is not conduct to which IPP 5 and HPP 5 (s 12, PPIP Act) are directed.
The provision of the information was in response to a summons which the Applicant caused to be issued in which she sought the “full unedited version of the original email sent out to the incorrect employer/broker … complete with attachments”; and
As for the provision to the applicant of information about persons other than the applicant, there is no evidence that that disclosure interfered with the applicant’s financial interests or otherwise had any prejudicial effect on the applicant. The applicant has not pointed to any authority in support of the proposition that psychological harm suffered as a result of disclosure to an individual of other people’s personal information is sufficient to provide that individual with standing to seek review of that conduct.
The applicant’s arguments about the impact of the disclosure on her, in particular the financial impact, focus on what she contends will be the negative effect on her future employment prospects thus suggesting that the harm she contends has occurred is related only to the disclosure of her own personal information.
The respondent contends that it is not possible to distinguish between the disclosure of her own information and that of other people in relation to the contended for psychological impact of the disclosure and neither of the treating practitioners has done so. While the applicant contends that the disclosure of the 15 November Email has had a “retraumatising effect”, there is nothing contemporaneous with that disclosure in the medical evidence that would support that specific contention.
The respondent also contends that the evidence relied on by the applicant does not distinguish between the impact of the first breach (the subject of the FMM1 decision) and the impact on her of the receipt of the 15 November Email (which was received in the context of preparation for the hearing in relation to the first breach). This is said to be significant because the Tribunal in FMM1 found (at [128]) that the impact of the disclosure of May 2022 “continues up to the hearing” which took place on 12 December 2022 (ie, after the applicant had received the 15 November Email).
The later statements of the two health practitioner witnesses, which the respondent notes were provided after the respondent’s submissions identified what it contended were gaps in that evidence, annexed to the Second Affidavit, refer to the damage said to have flowed from the provision to the applicant of the 15 November Email. But the respondent contends that neither of those practitioners has been presented as expert witnesses whose evidence can be heard and tested by the Tribunal and the statements are “lacking in important detail as to the timing, mechanics, nature and expected duration of the psychological injury said to have been suffered”.
At the hearing, the respondent provided two aide-memoires summarising the (sometimes illegible) handwritten notes of the two treating practitioners which had been produced under summons. The respondent submitted that there was no contemporaneous record in those notes of any impact said to have occurred at the time of the disclosure and on the contrary, the attempt to distinguish the impact of the 15 November Email from that which was the subject of the FMM1 decision only occurred in the notes that coincide with the recent reports. That is, there is nothing in those notes that specifically refers to the 15 November Email or the harm said to have been suffered as a consequence of it that predates 1 February 2024 which is the date of the first of the two sets of reports attached to the First Affidavit and the Second Affidavit.
In the event that the Tribunal finds it has jurisdiction, the respondent further contends that the applicant’s reading of s 18(1) as not precluding disclosure to the person about whom the information relates if that information was not previously known, is misconceived. This is because the clear words of s 18(1) exclude from its scope information that is disclosed to the individual to whom the information relates. Thus it is said to be irrelevant that the information was information not previously known to the applicant. Reading the provision as excluding disclosure to the person of a person’s own information is both consistent with the plain meaning of the words in the text of s 18(1) and with the objects and purposes of the Act.
Nor do the circumstances of disclosure affect whether there is a breach of s 18(1). Those circumstances are irrelevant to a reading of the scope of that provision.
In relation to the contended for breach of s 12 of the PPIP Act and cl 5 of Schedule 1 of the HRIP Act, the respondent contends that the circumstances of the disclosure could not be said to arise from a failure to take “such security safeguards as were reasonable to prevent unauthorised use or disclosure” given that the respondent was required to provide its solicitors with the CCR in light of the issuing of the summons by the applicant.
The respondent also rejects the steps the applicant has identified as “appropriate” noting that this is not the statutory test. Briefly, this is because:
Identifying to the solicitor that the CCR contained personal and health information would not have assisted: this would already have been known to the CSO; and
It is not reasonable to require the respondent to ensure that a senior member of its organisation approve any email and attachments before sending to its legal advisers.
The disclosure of the CCR did not arise as a result of a failure to take such security safeguards as were reasonable or a failure to do everything reasonably in the respondent’s power to prevent the use or disclosure of the information: rather, the disclosure was the result of human error in that the CSO solicitor understood (incorrectly) that the CCR had already been provided to the applicant in full.
Finally, the respondent contends that if the Tribunal finds, contrary to its primary submission that there is no jurisdiction, that there was a contravention of the PPIP Act and the HRIP Act in relation to the disclosure to her of the information of other people, the correct and preferable decision for the Tribunal would be to take no action. The financial loss to which the applicant refers is more in the nature of costs (cf CAT Act s 60(1)). And in terms of the psychological damage she claims to have suffered, the respondent contends that she has not established any causal link between the disclosure of the 15 November Email and her claim to have experienced distress. The claim for the maximum amount available under the PPIP Act ($40,000), “as a deterrent”, is not consistent with the principle that damages are compensatory in the sense of being intended to put the person back into the position she would have been in but for the injury. Rather the claims made by the applicant appear more akin to seeking punitive than compensatory damages, directed as they are to the future conduct of the respondent rather than to the loss suffered by the applicant.
Consideration
Does the Tribunal have jurisdiction?
-
While a question of jurisdiction is often dealt with as a preliminary issue, thereby obviating the need for a full hearing, this was not considered to be a case where the issue could be decided in advance of a full hearing: see orders made by the Tribunal on 14 June 2024 and 21 June 2024, referred to above. This is because the key jurisdictional issue – whether the applicant is a person aggrieved under the PPIP Act – may require the Tribunal to consider substantive matters of evidence. This makes it difficult to address this issue by way of preliminary matter.
Is the applicant a person aggrieved?
-
As noted above, s 9(1) of the ADR Act provides that the Tribunal has ‘administrative review jurisdiction’ over a decision if enabling legislation provides that applications may be made to the Tribunal for administrative review (and see also CAT Act s 28(1) and s 30). And, by s 9(2) of the ADR Act, if that review is subject to certain conditions, “the Tribunal has jurisdiction under the enabling legislation only if those conditions are satisfied”. Thus the issue of whether there is jurisdiction falls to be determined by reference to the enabling legislation, including any conditions imposed by that legislation – in this case, the PPIP Act and the HRIP Act.
-
The entitlement to seek review of the conduct of a public sector agency is limited to a person who is aggrieved by that conduct: s 53(1). And by s 55 of the PPIP Act, only a person who has applied for internal review (and is not satisfied with the outcome of that review) may apply to the Tribunal for an administrative review of the conduct that was the subject of the application for internal review. Review pursuant to the HRIP Act is also limited to a “person aggrieved”: this is because s 21 refers to “conduct by a public sector agency … to which Part 5 (Review of certain conduct) of the PPIP Act applies”. That is, s 21 incorporates the requirements of Part 5 of the PPIP Act as a condition for the availability of review under the HRIP Act.
The relevance of the respondent’s internal review decision that the applicant was a person aggrieved
-
There is no dispute that the internal review decision maker found that the applicant was relevantly a “person aggrieved”. However, this does not detract from the need for the Tribunal to determine for itself whether it has jurisdiction to hear the review application. As the respondent submitted (correctly in the Tribunal’s view), the role of the Tribunal is to determine what is the correct and preferable decision with respect to the conduct of which the applicant complains (see s 63(1) of the ADR Act). The Tribunal’s jurisdiction is not limited to reviewing the decision made on internal review, as it might be were it conducting a judicial review process.
-
In Citta Hobart Pty Ltd v Cawthorn (2022) 276 CLR 216; [2022] HCA 16 the High Court, referring to a state tribunal, said (at [17]) that the “Tribunal has a duty and concomitant authority to ensure that a complaint referred to it is and remains within its jurisdiction to hear and determine” (and see also the concurring separate reasons of Edelman J at [62]-[65]). At [24] the High Court plurality stated (references omitted):
24 A tribunal that is not a court and that is invested with non-judicial power correspondingly has authority – in the exercise of non-judicial power – to "make up its mind" or "'decide' in the sense of forming an opinion" about the limits of its own jurisdiction "for the purpose of determining its own action". The authority is not to "reach a conclusion having legal effect" but to form an opinion for the purpose of "moulding its conduct to accord with the law".
-
For this reason, notwithstanding that the respondent made an internal review decision finding that the applicant was a person aggrieved, there can be no bar on the respondent putting a different position before the Tribunal. Nor can the taking of such a position by the respondent constitute some form of estoppel: see JKQT and Commissioner of Taxation (Taxation) [2019] AATA 5034 (JKQT) at [25]-[29] where there was also a standing precondition to the exercise of the Tribunal’s jurisdiction. Even if – which is not the case before the Tribunal – both parties had contended that the Tribunal had jurisdiction, that would not relieve the Tribunal of its responsibility to determine for itself whether its jurisdiction is enlivened pursuant to the enabling legislation: see JKQT referring in turn to the decision of the Federal Court in Kuswardana v Minister for Immigration and Ethnic Affairs [1981] FCA 66; (1981) 35 ALR 186 at 195.
-
Accordingly, it is for the Tribunal to determine whether the applicant is a “person aggrieved” as that is a jurisdictional precondition for the making of an application to the Tribunal.
-
The applicant and the respondent both referred to what was said by the Court of Appeal in Altaranesi at [52] where that Court (Meagher JA with whom Campbell JA and Handley AJA agreed) stated:
It may be accepted that the expression "aggrieved" in s 53(1) of the PPIP Act should be construed broadly and that it is sufficient for a person to have standing to make a complaint that any disclosure of information has prejudicially affected that person's interests (see Koowarta v Bjelke-Petersen [1952] HCA 27 (sic); (1982) 153 CLR 168 at 184-185). However, the appellant's complaint in relation to this information was expressed to be made "on behalf of" his wife. At no stage did the appellant suggest, when making and particularising the application for internal review, that it was made because the conduct consisting of the disclosure of information as to his wife's medical condition had had any prejudicial effect on him or his dealings with the second respondent or any of his worker's compensation claims.
-
That passage effectively draws a distinction between on the one hand, the disclosure of “information” about an applicant herself; and on the other hand, information about other persons. It is clear that in both cases the disclosure needs to have “prejudicially affected” the person’s interests.
-
While the Court of Appeal said that the term “aggrieved” in s 53(1) should be construed broadly, the High Court, in a frequently cited passage in Alcan (NT) Alumina Pty Ltd v Commissioner of Territory Revenue (NT) (2009) 239 CLR 27; [2009] HCA 41 stated (at [47], references omitted):
47 … [T]he task of statutory interpretation must begin with a consideration of the text itself. … Historical considerations and extrinsic materials cannot be relied on to displace the clear meaning of the text. … The language which has actually been employed in the text of legislation is the surest guide to legislative intention. … The meaning of the text may require consideration of the context, which includes the general purpose and policy of a provision …, in particular the mischief … it is seeking to remedy.
-
Thus the Tribunal cannot ignore the plain words used in the statutory provision which is the starting point of any interpretative exercise. The same point was made by the NSW Court of Appeal in AQO v Minister for Finance and Services [2016] NSWCA 248 (AQO) which the applicant relies on in support of her contention that the legislation should be interpreted in accordance with its objects and principles. In AQO, the Court of Appeal (McColl JA at [73]) extracted a number of leading authorities on statutory interpretation (including the passage cited above from Alcan) in support of the proposition that the starting point must always be the text of the legislation. And at [74], the Court in AQO referred to s 33 of the Interpretation Act 1987 (NSW) for the proposition that the Court must undertake “the exercise of statutory construction with a view to promoting the purpose or object underlying the PPIP Act and the HRIP Act rather than construing the Acts in a manner which would not promote that purpose or object.”
-
The applicant contended that while s 53(1) expressly requires, as a precondition for internal review, that a person is relevantly aggrieved, no such jurisdictional precondition limits review to the Tribunal. There is no reference in s 55 to a “person aggrieved”. The applicant relied for this proposition on the manner in which the Tribunal in FMM1 at [78] had summarised what is required by s 55 of the PPIP Act, referring to there being three ‘preconditions’ for the existence of jurisdiction:
the person has applied for internal review;
the person is dissatisfied by the outcome of that review; and
the person has asked the Tribunal to review the conduct that was the subject of the application for internal review.
-
Immediately following this paragraph at [79] the Tribunal in FMM1 found that it did not have jurisdiction to review the conduct that is the subject of the current matter before this Tribunal, ie, the sending of the 15 November Email attaching the unredacted CCR. This was, among other reasons, because at the time of the hearing in FMM1 (12 December 2022), no application had been made by the applicant for internal review in relation to the conduct involving the 15 November Email.
-
It follows that what is said by the Tribunal in FMM1 at [78] is no answer to the fact that the review process in Part 5 of the PPIP Act is built upon the jurisdictional precondition that a person who seeks review is a “person aggrieved”. The suggestion that the fact the person was found by the internal review to be “aggrieved” (along with being dissatisfied by the outcome of the internal review) is all that is required to establish jurisdiction in the Tribunal has some analogy with the contention that there is a form of estoppel in that finding. It is premised (incorrectly, in the Tribunal’s view) on the assumption that the role of the Tribunal is to review the internal review decision, rather than to decide for itself what is the correct and preferable decision in relation to the conduct that was the subject of that decision (see ADR Act s 63(1)).
-
The plain words of s 55(1) of the PPIP Act reinforce the Tribunal’s role as not being confined to review of the internal review decision: s 55(1) provides that a person who has applied for and is dissatisfied by internal review may apply to the Tribunal for an administrative review (by reference to the ADR Act) “of the conduct that was the subject of the application under section 53.” (emphasis added).
-
For these reasons, the Tribunal rejects the applicant’s contention that the Tribunal’s review jurisdiction is enlivened merely by the fact that there has been an IRD. Rather, the Tribunal also must be satisfied that the person seeking review of the conduct of the public sector agency is a “person aggrieved” as the review is directed to the “conduct that was the subject of the application under” s 53.
Disclosure of information about the applicant to the applicant
-
Section 18(1) provides that a public sector agency “that holds personal information must not disclose the information to a person (other than the individual to whom the information relates)” (emphasis added), other than in a number of limited circumstances. The respondent does not contend that any one of the exceptions applies: rather, the respondent’s case is that what occurred in this case is not a disclosure to which s 18(1) applies because the disclosure of personal or health information of the applicant to herself (as opposed to some other person) does not contravene that section. Nor does it contravene IPP 11 or HPP 11.
-
The applicant contends that the applicant is aggrieved on two bases:
The information disclosed to her was personal or health information about her;
The information disclosed to her was personal or health information of other persons.
-
In support of her argument as to the reading of the words in parentheses, the applicant relies on what was said by the Court of Appeal in Nasr v State of New South Wales [2007] NSWCA 101 at [127] (in the context of a claim of breach of s 13 of the Criminal Records Act 1991 (NSW)): “The essence of disclosure of information is making known to a person information that the person to whom the disclosure is made did not previously know”. In this case, she contends, relying on the applicant’s evidence that she was not aware of the characterisation of her claim as a “mental disorder”, that the information disclosed to her was not previously known to her. Nor was she aware that her claim had associated with it an investigation or of the medical and legal expenses associated with her claim.
-
In relation to the words in parentheses, the Tribunal does not consider that a reading of that phrase by reference to the objects and principles of the Act in the context of the legislation being considered “beneficial” legislation can lead to a finding that is contrary to the plain meaning of the words. The factual scenario in this case is quite distinct from that which characterised the disclosure the subject of the FMM1 and FMM AP proceedings. There the information about the applicant was sent, erroneously, to a third party who had no connection with the applicant’s case. Here, by contrast, in response to a specific request by the applicant, set out in the summons application as “a full unedited version of the original email that icare sent out to the incorrect employer/broker who received a Report with my personal and sensitive health information complete with attachments …”, the applicant was – erroneously – sent an unredacted copy of the CCR by way of informal response.
-
In the Tribunal’s view, s 18(1) cannot be relied on to establish a breach of the PPIP Act where the applicant has been sent her own health or personal information, in response to her request, even if that sending was not meant to have occurred. Nor does the Tribunal accept that the words in parentheses are intended to relate only to information already known to the applicant. There is no textual support for reading the provision in that manner. Even if (which the Tribunal does not consider to be the case), disclosure of health or personal information about an applicant that was not previously known to the applicant was actionable in a case where it was sent to her, the applicant has not identified any such information. This is because the applicant acknowledged in the hearing when questioned by the respondent that there was no personal or health information of which she was previously unaware that was disclosed to her. What was previously not known to her was the “characterisation”, and related matters such as medical or legal costs. Those matters are not personal information or health information as defined in the PPIP Act or the HRIP Act.
-
The applicant contends that there was a breach of cl 11 of schedule 1 of the HRIP Act. By contrast with s 18(1) of the PPIP Act, cl 11 of schedule 1 of the HRIP Act does not contain an analogous carve out excluding from an actionable breach a disclosure to the person about whom the information relates. Rather, it focuses on “purpose”: “An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless …” and there follow a series of exceptions none of which is said to be relevant here.
-
The applicant submitted that the absence of the words that appear in parentheses in s 18(1) from cl 11 of Schedule 1 of the HRIP Act shows that any disclosure, including one to the person to whom the information relates, constitutes an actionable breach. This reading was also said to be supported by s 3 of the Act (the purpose and objects of the Act). The applicant was unable to take the Tribunal to any decision where such a disclosure had been found to be actionable. Nor did she identify any specific part of the Act, including s 3, the purpose and objects provision, that would support cl 11 of Schedule 1 of the HRIP Act being read in a manner that would render actionable the disclosure of information where the same disclosure would not constitute a breach of the PPIP Act. On the contrary, as is apparent from s 3, the objects place emphasis on enabling individuals to gain access to their own health information: see in particular s 3(1)(b) and s 3(2)(b). It would not be consistent with those provisions to render actionable a mistaken disclosure to a person of her own health information.
-
Insofar as the material that was disclosed to the applicant by the sending of the 15 November Email concerned the applicant herself, that disclosure does not enliven s 18 of the PPIP Act. Nor does it give rise to a breach of cl 11 of Schedule 1 of the HRIP Act. It follows that the applicant is not a person aggrieved for that purpose and thus the Tribunal does not have jurisdiction in relation to that disclosure.
Disclosure to the applicant of the information of others
-
The CCR, a copy of which was provided to and reviewed by the Tribunal and which is the subject of orders made under s 64(1)(a), (c) and (d) of the CAT Act, contains what the respondent described as a high level summary of more than a thousand claim records with a number of categories (the categories used in the report are publicly available as is evident from the Cost of Claims Glossary annexed to the Second Affidavit). Those categories include dates of incident, information about the incident, and matters such as rehabilitation costs, legal costs, investigation costs, and medical costs. Of the over 1000 records, two relate to the applicant: the rest concern other employees. The applicant’s evidence is that in the course of perusing the document in the time between when she received it and when it was deleted, she saw the names of two colleagues from her own team and learned information about them.
-
The respondent acknowledged that the applicant could be a person aggrieved, and thus the Tribunal could have jurisdiction, based on a disclosure to the applicant of information about other persons. However, in order to be found to be relevantly aggrieved, she would need to establish, as put by the Court of Appeal in Altaranesi, that the disclosure had “prejudicially affected” her interests. That is, the mere fact of disclosure of information about other people to her is not itself actionable: it could only constitute a breach if that disclosure had prejudicially affected her interests.
-
Whether a person is relevantly “aggrieved” falls to be determined by reference to the facts: as the NSW Court of Appeal recently stated in South East Forest Rescue Inc v Forestry Corporation of New South Wales (No 2) (SE Forest) [2024] NSWCA 113 at [121] (per Griffiths AJA): “the application of the principles of standing is very much fact and context specific”. Thus the applicant needs to demonstrate that she has an interest that is more than that of an ordinary member of the public: see further SE Forest at [34]-[45] per Basten AJA.
-
The applicant was questioned extensively by the respondent at the hearing about what she contended was the impact of the receipt of the information on her and was taken through the process by which she accessed the report and the information contained in it. She said that when it first arrived she opened the email and the attachment but did not have any idea what it was until she started to read its contents. At one point in her oral evidence, she stated that she “had it for weeks” and that she kept going back to it to try to make sense of it. In response to another question, she stated that she spent more than half an hour with the document. She later agreed that she had deleted it when asked to do so by the CSO following their letter to her of 18 November 2022 which she annexed to the Second Affidavit.
-
She stated that what she found distressing about the information she received was that it used the term “mental disorder” which she said was unknown to her. She also stated that she discovered that there were “surveillance fees” (presumably referring to the category of investigation costs), and medical and legal fees associated with her claims.
-
In relation to her response to claims about people other than herself she said that she scrolled through to see how many were identified by the category “mental disorder” and was disturbed by how many there were. When asked to estimate what that number was she stated it was “a lot” - perhaps 50 or more. When put to her that there were 17 entries out of 1002 in that category, she reminded the Tribunal that she has a psychological injury and it affects her train of thought.
-
She stated that she phoned one of the colleagues who was identified but could not be sure when that occurred: possibly in the New Year (2023).
-
She was asked whether she realised that what she had received was highly sensitive health information and she responded that she did not know what she thought when she received it. She was then taken to her Second Affidavit where she stated “I recall noting that the information was highly sensitive personal and health information”. She reiterated that she did not recall what she thought at the time she received the CCR. She also acknowledged that she was not aware when she received the 15 November Email that she had received information that she should not have received and agreed that she had not raised any concern about it when she emailed the respondent’s solicitor on 16 November 2022, the day after receipt. It was only when she was advised by the CSO on 18 November 2022 that she became aware that it had been sent in error.
-
The respondent contended that there was no evidence of any negative effect that the disclosure of the 15 November Email had on the applicant, and in particular, no contemporaneous medical evidence of any psychological effect of that particular disclosure on the applicant. On the contrary, the respondent drew attention to the following:
The email sent by the applicant to the respondent’s solicitor on 16 November 2022 raised no concern about the receipt of the CCR;
The email from the applicant to the CSO solicitor of 21 November 2022 confirming that the applicant had deleted the attachments.
Transcript of NCAT case conference in the FMM1 matter of 21 November 2022 (prior to the hearing taking place on 12 December 2022) in which the applicant also confirmed that she had deleted what she described as “the incorrect cost claims report that accidentally got attached to that email”. She stated that the document gave her access to cost of claims report for 1000 injured employees some of whom she knew. She also stated that when she realised that she had been given information about other people “I got out of it and didn't look any further but that in itself is another privacy breach”.
-
The respondent further submitted that the medical reports attached to the First and Second Affidavits are not supported by anything in the summonsed records to the extent that they claim that the disclosure of the 15 November Email caused an exacerbation of the preexisting injury. The respondent submitted, and the Tribunal finds, that there is no reference to what came to be referred to as the “second breach” prior to the notes of 2 February 2024 (the date of the first of the annexed reports from the two health practitioners). To the extent that there is a reference in their notes to stress that the applicant is experiencing due to iCare disclosure(s), the references that predate the applicant’s evidence appear to refer to the stress caused by the FMM1 proceeding. While the applicant said that she would have told her treating practitioners that she was “reliving” the trauma over workplace injuries, there is no reference to that in their notes. This is particularly telling in the case of Mr Anthony who saw the applicant on 17 November 2022, the day before she had been informed that the CCR had been sent to her in error. There is nothing in the notes to suggest that the receipt of the CCR caused her any injury or exacerbation. Rather there is reference to the stress she is experiencing in anticipation of the upcoming hearing (for FMM1).
-
Finally, the respondent submitted that the fact that the Tribunal in the FMM1 proceedings found that the breach for which the applicant was compensated continued to the date of hearing (12 December 2022) made it impossible to separate out any harm that occurred as a result of the 15 November Email as the effect of the first breach was considered by that Tribunal to be ongoing and continuing at the time of the “second breach”.
-
The Tribunal finds that there is nothing in the records of both Dr So and Mr Anthony prior to February 2024 that refers to the 15 November Email and any exacerbation of her previous injury, nor to vicarious trauma that she has experienced. It is only from February 2024 onwards that there is reference to, among other things, the “second breach”; and the fact that her condition has been exacerbated by having seen the information of others that was disclosed to her in the CCR.
-
The Tribunal accepts the respondent’s submissions that what is said in the reports annexed to the First and Second Affidavits is not supported by any other probative evidence from which the Tribunal could find that the applicant had been prejudicially affected by the release to her of the information about persons other than herself. It follows that the applicant is not a person aggrieved for the purpose of breaches of s 18 of the PPIP Act or cl 11 of Schedule 1 of the PPIP Act.
Is there a breach of s 12 of PPIP Act/cl 5 of Schedule 1 to the HRIP Act?
-
These provisions require that a public sector agency that holds information take reasonable security safeguards to protect health and personal information and when it is necessary to give that information to a person, “everything reasonably within the power of the organisation is done to prevent unauthorised use or disclosure of the information”. What occurred in this case is not conduct akin to a data breach. Nor does it go to the manner in which the agency stores its information. What occurred was that the applicant issued a summons and the respondent provided a document to its solicitor which it was necessary and appropriate to provide in order to respond to that summons. It is of no relevance that the applicant did not request informal production.
-
The Tribunal finds that there is nothing that the respondent could reasonably have done to protect the information that would have prevented its disclosure in the manner that occurred. The Tribunal also notes that the issue is not whether there are steps, as the applicant contends, that are “appropriate” for the agency to take. The statutory test is focused on what if anything the respondent could reasonably have done to protect the information from being released.
-
For that reason, the Tribunal finds that no breach of s 12 PPIP Act or cl 5 of Schedule 1 to the HRIP Act has occurred pursuant to the sending of the 15 November Email.
-
These findings, that the applicant is not a person aggrieved and that, even if she were, there is no breach established of either s 18 or s 12 of the PPIP Act or of cll 5 or 11 of Schedule 1 of the HRIP Act, make it unnecessary to determine what, if any, action should be taken. However, should it have been necessary to consider, the Tribunal accepts what is put by the respondent to the effect that any consideration of damages ought to be undertaken on the basis that damages are compensatory: AOZ v Rail Corporation (No 2) [2015] NSWCATAP 179. There is insufficient evidence before the Tribunal from which to establish any causal link between the 15 November Email and the claimed exacerbation of the applicant’s psychological harm.
Decision
-
The application for review is dismissed.
Orders
-
For the reasons set out above, the Tribunal makes the following orders:
The application for review is dismissed.
The publication or broadcast of the name of the applicant is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW) (CAT Act).
The publication or broadcast of the names of the persons, other than the applicant, listed in column G under the heading 'Worker Name' of the Report contained in the attachment to the 9 May 2022 email in the Second Further Confidential Supplementary Bundle of Documents is prohibited pursuant to s 64(1)(a) of the CAT Act.
Note: A reference to the name of a person includes a reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person.
-
The publication of the Report contained in the Second Further Confidential Supplementary Bundle of Documents is prohibited pursuant to s 64(1)(c) of the CAT Act.
-
Disclosure to the applicant of the Report contained in the Second Further Confidential Supplementary Bundle of Documents is prohibited pursuant to s 64(1)(d) of the CAT Act.
**********
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
Amendments
19 February 2025 - Added "Senior Member" to coversheet
Decision last updated: 19 February 2025