FMM v Insurance and Care NSW
[2023] NSWCATAD 114
23 May 2023
Civil and Administrative Tribunal
New South Wales
Medium Neutral Citation: FMM v Insurance and Care NSW [2023] NSWCATAD 114
Hearing dates: 12 December 2022
Date of orders: 23 May 2023
Decision date: 23 May 2023
Jurisdiction: Administrative and Equal Opportunity Division
Before: P French, Senior Member
Decision: (1) A further oral hearing in relation to the description of iCare NSW and the proper respondent to the application is dispensed with in accordance with s 55(1)(c) of the Civil and Administrative Tribunal Act 2013 (NSW).
(2) The name “iCare NSW” is amended to “Insurance and Care NSW t/a iCare NSW”.
(3) Insurance and Care NSW t/a iCare NSW is removed as the respondent to the application.
(4) The name of the respondent is amended to Workers Compensation Nominal Insurer.
(5) The decision under review is varied.
(6) In variation of that decision the Tribunal determines that the conduct of the agency constituted a contravention of Information Privacy Principles 5 and 11 (ss 12(c) and 18 of the Privacy and Personal Information Protection Act 1998) and HPP 5 and 11 (clauses 5(1)(c) and 11 of Schedule 1 of the Health Records and Information Privacy Act 2002).
(7) The Nominal Insurer must pay FMM $20,000.00 immediately.
(8) By 30 June 2024 the Nominal Insurer must ensure that its agent Insurance and Care NSW t/a iCare designs and implements a secure on-line portal for the making available of Cost of Claims reports pursuant to s 147 of the Workers Compensation Regulation 2016 (NSW). Access to Costs of Claims reports via the portal must only be available to persons who authenticate their identity and entitlement to access the report by a unique electronic password or key.
(9) By 30 September 2023 the Nominal Insurer must ensure that its agent Insurance and Care NSW t/a iCare institutes the following security safeguards in relation to the present broadcast method of distribution of Cost of Claims reports:
- Distribution lists must be cross-checked against Costs of Claims reports by two senior officers with this designated responsibility each of whom must certify in writing the accuracy of the distribution before any email containing Costs of Claims reports is released,
- Emails containing Cost of Claims reports must be encrypted such that they are only capable of being opened and read by the person for whom they are intended upon submission of a unique electronic password or key,
- Each Cost of Claims data file must also be password protected such that it is only capable of being opened by the person for whom it is intended upon submission of a unique electronic password or key.
(10) The application is otherwise dismissed.
(11) The publication or broadcast of the name of the applicant is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW).
(12) The publication or broadcast of the names of the persons other than the applicant listed in column G under the heading “Worker Name” of the spreadsheet contained in the confidential supplementary bundle of documents filed by the agency pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) on 25 November 2022 is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Review Act 2013 (NSW).
Note: A reference to the name of a person includes a reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person.
(13) The publication of the spreadsheet contained in the confidential supplementary bundle of documents filed by the agency pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) on 25 November is prohibited pursuant to s 64(1)(c) of the Civil and Administrative Tribunal Act 2013 (NSW).
(14) Disclosure to the applicant of the spreadsheet contained in the confidential supplementary bundle of documents filed by the agency pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) on 25 November 2022 is prohibited pursuant to s 64(1)(d) of the Civil and Administrative Review Act 2013 (NSW).
Catchwords: ADMINISTRATIVE LAW – Privacy and Personal Information Protection Act 1998 – administrative review of a reviewable decision – administrative review of conduct of the agency – disclosure of personal and health information – security safeguards
Legislation Cited: Administrative Decisions Review Act 1997 (NSW) – ss 55, 58
Business Names Act 2002 (NSW)
Civil and Administrative Tribunal Act 2013 (NSW) – ss 50, 64, 60
Criminal Records Act 1991 (NSW) – s 13
Government Information (Public Access) Act 2009 (NSW)
Health Records Information Privacy Act 2002 (NSW) – ss 3, Schedule 1
Privacy and Personal Information Protection Act 1998 (NSW) – ss 3, 18, 20, 21, 53, 55
State Insurance and Care Governance Act 2015 (NSW) – s 4, 17
Workers Compensation Act 1987 (NSW) – ss 154A, 154B, 154C, 185A
Workers Compensation Regulation 2016 (NSW) – s 147
Workplace Injury Management and Workers Compensation Act 1998 (NSW) – ss 183A, 243
Cases Cited: AOZ v Rail Corporation NSW (No. 2) [2015] NSWCATAP 179
CHY v Family and Community Services [2018] NSWCATAD 84
CLT v Department of Education and Communities [2016] NSWCATAD 98
CPJ v The University of Newcastle [2017] NSWCATAD 350
DED v Randwick City Council [2017] NSWCATAD 327
Department of Education and Training v GA (No. 3) [2004] NSWADTAP 50
EPT v The Sydney Children’s Hospital Network [2022] NSWCATAD 137
GA v Commissioner of Police, NSW Police [2004] NSWADT 254
JD v NSW Department of Health [2007] NSWADT 210
JD v New South Wales Medical Board [2008] NSWADT 67
KO v Commissioner of Police, NSW Police Force (GD) [2005] NSWADTAP 56
March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506
Nakhl Nasr v State of New South Wales; George Nasr v State of New South Wales [2007] NSW 101
OD v Department of Education and Training (GD) [2005] NSWADTAP 74
NS v Commissioner, Department of Corrective Services [2004] NSWADT 263
Shi v Migration Agents Regulatory Authority (2008) 235 CLR 286
State of NSW (Justice Health) v Dezfouli [2008] NSWADTAP 69
XW v Department of Education and Training [2009] NSWADT
ZR v NSW Department of Education and Training [2009] NSWADT 84.
Texts Cited: Nil
Category: Principal judgment
Parties: FMM (Applicant)
Nominal Insurer (Respondent)
Representation: FMM (Self-represented)
Solicitor: Crown Solicitor (Respondent)
File Number(s): 2022/00242083
Publication restriction: The publication or broadcast of the name of the applicant is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW).
The publication or broadcast of the names of the persons other than the applicant listed in column G under the heading “Worker Name” of the spreadsheet contained in the confidential supplementary bundle of documents filed by the agency pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) on 25 November 2022 is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Review Act 2013 (NSW).
Note: A reference to the name of a person includes a reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person.
The publication of the spreadsheet contained in the confidential supplementary bundle of documents filed by the agency pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) on 25 November is prohibited pursuant to s 64(1)(c) of the Civil and Administrative Tribunal Act 2013 (NSW).
Disclosure to the applicant of the spreadsheet contained in the confidential supplementary bundle of documents filed by the agency pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) on 25 November 2022 is prohibited pursuant to s 64(1)(d) of the Civil and Administrative Review Act 2013 (NSW).
REASONS FOR DECISION
Introduction
This is an application by FMM (the applicant) under section 55 of the Administrative Decisions Review Act 1997 (ADR Act) for an administrative review under section 55(1) of the Privacy and Personal Information Protection Act 1998 (PPIP Act) of conduct by Insurance and Care NSW t/a iCare (the agency) which has been the subject of an internal review pursuant to s 53 of that Act and s 21 of the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) that she alleges was in contravention of information protection principles contained in Part 2, Division 1 of the PPIP Act and Schedule 1 of the HRIP Act. This application was made to the Tribunal on 16 August 2022 (the application).
For the reasons set out in greater detail following, the Tribunal has determined that the impugned conduct of the agency did constitute a very serious contravention of ss 12(c) and 18 of the PPIP Act and clauses 5(1)(c) and 11 of Schedule 1 of the HRIP Act (Information Privacy Principles (IPP) 5 and 11 and Health Privacy Principles (HPP) 5 and 11). It has varied the reviewable decision accordingly. It has determined that the agency’s disclosure of the applicant’s personal information was causal of a serious exacerbation of her pre-existing psychological injury. It has awarded the applicant $20,000.00 in damages in relation to that further injury. Having found that the agency’s security safeguards in relation to the applicant’s personal and health information were not reasonable, the Tribunal has also made orders that will require the agency to introduce additional security safeguards to protect the type of personal and health information that was subject to unlawful disclosure in this case.
Publication restriction
At a Case Conference conducted on 21 March 2022 the Tribunal, differently constituted, made orders pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW) (NCAT Act) prohibiting the publication or broadcast of the applicant’s name and assigning her the pseudonym “FMM”. Those orders are published in these reasons. The issue has not been redetermined.
On 25 November 2022 the agency filed a supplementary bundle of documents pursuant to s 58 of the ADR Act. That bundle contained an unredacted copy of a ‘Cost of Claims’ report which lists the names of injured workers of a particular employer, including the name of the applicant. The agency sought non-publication orders in respect of that document, as set out at orders 12 to 14 above, pursuant to s 64 of the NCAT Act. This request arose in the following circumstances.
Prior to the agency filing this supplementary bundle, on 14 November 2022, the Tribunal issued at the applicant’s request a summons in respect of the email containing the Cost of Claims report and some other documents. I set out following a summary of what occurred in response to the issue of that summons which is taken from the agency’s submissions dated 9 December 2022:
26. On 15 November 2022, a copy of the original email to Mr Kyle Howes including its attachment, being the Cost of Claims report, that is the subject of these proceedings and requested in the summons, was provided to the applicant on the understanding that the email and attachment had already been included in the s 58 documents, and to attempt to allay the applicant’s concerns that there might have been other attachments to the original email which had not been provided to her.
27. On 17 November 2022, it came to the respondent’s attention that the original email together with the spreadsheet that had been provided to the applicant on 15 November 2022 was not the same as the PDF version that had been filed in the s 58 documents. The difference was that the attachment was not the abridged version that had been filed and instead contained information relating to other workers compensation claimants. On the following day, Friday 18 November 2022, the respondent (through its solicitor) wrote to the applicant requesting that she delete any copies of the spread sheet, which had been mistakenly provided to her.
28. On Monday, 21 November 2022, the matter was listed for directions before Senior Member Higgins, to deal with ... issues related to the issuing of the summons. At that hearing, the applicant confirmed that she had deleted the email and attached spreadsheet, as requested. This was subsequently confirmed in writing, by email from the applicant, also on 21 November 2022. …
29. On 24 November 2022, the matter was listed for return of summons before Registrar Skinner. At that hearing, the respondent indicated that it intended to file complete copies of the costs of claims report, on an open basis and on a confidential basis, as supplementary documents produced pursuant to s 58 of the ADR Act. The respondent also confirmed that the document referred to in the internal review as the formal apology letter was the letter of 30 May 2022, which was attached to [the applicant’s application].
30. On 25 November 2022, the respondent filed the supplementary s 58 documents. In respect of the confidential bundle, the respondent seeks non-publication and non-disclosure orders pursuant to s 64 …
Section 64 of the NCAT Act provides, relevantly:
64 Tribunal may restrict disclosures concerning proceedings
(1) If the Tribunal is satisfied that it is desirable to do so by reason of the confidential nature of any evidence or matter or for any other reason, it may (of its own motion or on the application of a party) make any one or more of the following orders –
(a) an order prohibiting or restricting the disclosure of the name of any person (whether or not a party to proceedings in the Tribunal or a witness summoned by, or appearing before, the Tribunal),
…
(c) an order prohibiting or restricting the publication of evidence given before the Tribunal, whether in public or in private, or of matters contained in documents lodged with the Tribunal or received in evidence by the Tribunal,
(d) an order prohibiting or restricting the disclosure to some or all of the parties to the proceedings of evidence given before the Tribunal, or of the contents of a document lodged with the Tribunal or received in evidence by the Tribunal, in relation to the proceedings.
…
(4) For the purposes of this section, a reference to the name of a person includes a reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person.
The principles governing the Tribunal’s discretion to make an order under s 64 of the NCAT Act were distilled in State of NSW (Justice Health) v Dezfouli [2008] NSWADTAP 69 at [81] and Nationwide News Pty Ltd [2018] NSWCATAD 92 at [6] in respect of equivalent provisions in predecessor legislation. The relevant considerations are (citing Dezfouli):
81 ... (a) the presumption in favour of open justice; (b) the need for an applicant for a suppression order to establish good grounds for making the order; (c) the comparative breadth of the criterion of ‘desirability’; (d) the important differences between the types of suppression order that may be made – between (for instance) an order (as in this case) prohibiting disclosure of the identity of a participant and an order that a hearing occur in closed session, without notice to a party; (e) the undoubted breadth of the range of purposes that may be served (‘any other reason’); (f) the possibility that the purposes to be served may be a mixture of private and public interests; and (g) the possibility that, although generally speaking the prospect of damage to reputation or ‘embarrassment’ affecting a participant in the proceedings will not provide sufficient grounds for a suppression order, there may be unusual circumstances where this is the principal consideration underlying an order.
The agency submits that there is a compelling reason why it is desirable that non-publication and non-disclosure orders are made in respect of the Cost of Claims report. That is because it contains confidential personal and health information of other persons in addition to the applicant. I did not understand the applicant to cavil with this proposition. I am also satisfied that this is a reason sufficient to depart from the general presumption in favour of open justice with respect to this document.
The agency concedes that a non-disclosure order that would deprive the applicant of access to a document that may be relevant to the determination to be made by the Tribunal would require a strong reason. Nevertheless, it applies for an order pursuant to s 64(1)(d) prohibiting disclosure of that document to the applicant. It contends that there continues to be utility in such an order despite its erroneous disclosure to the applicant on 15 November 2022 because the applicant has provided it with assurances that she has deleted the email and unredacted copy of the Cost of Claims Report, and that she has not retained any form of copy.
I am satisfied that the fact that the Cost of Claims report contains confidential personal and health information of other persons is a strong reason justifying an order that prohibits its disclosure to the applicant. I am also satisfied that there continues to be utility in such an order even though it has already been erroneously disclosed to the applicant because she has destroyed any record of the copy she received. The Tribunal ought to do what it can to protect the privacy of those persons whose personal information appears in the Cost of Claims report despite any earlier compromise of their privacy.
Proper respondent
The applicant named “iCare NSW” as the respondent party in her application and the proceedings continued on the basis that iCare NSW was the proper respondent up to and including the final hearing. During deliberation two issues arose in relation to the identification of the respondent party. First, whether iCare is a proper description of that agency. Second, whether that agency is the proper respondent. I took the preliminary view that the proper description of iCare NSW was “Insurance and Care NSW t/a iCare” and that the proper respondent to the application was the Workers Compensation Nominal Insurer.
I requested the Divisional Registrar to refer these issues to the parties for their consideration. They were invited to make submissions on these issues prior to the publication of these reasons. In that referral I also indicated to the parties that I took the preliminary view that both Insurance and Care NSW t/a iCare and the Workers Compensation Nominal Insurer were public sector agencies for the purposes of the PPIP Act and the HRIP Act. They were also invited to make submissions on this issue. I note that I indicated to the parties that I proposed to dispense with a further hearing in relation to these issues and invited them to make any submission in relation to that proposed course of action in their submissions.
Both parties have made written submissions in relation to these issues for which I am grateful. Neither party contends that there should be any further oral hearing in relation to these issues. I am also satisfied that the issues to be determined are of narrow compass and can be adequately dealt with on the material before the Tribunal. I therefore dispense with a further oral hearing in relation to these issues.
A search of the Australian Securities and Investments Commission’s Business Names Register reveals that “ICare NSW” is a business name held by “Insurance and Care NSW”. This business name was first registered on 22 October 2015 and continues to be registered to Insurance and Care NSW. Insurance and Care NSW is constituted under s 4 of the State Insurance and Care Governance Act 2015 (NSW) (SICG Act). Having regard to that, I am satisfied that the agency ought to be identified as “Insurance and Care NSW t/a iCare NSW” (iCare NSW) and I have amended the application accordingly.
In her submissions the applicant states that she has only ever dealt with the agency by the name iCare. She is concerned that this change may have implications with respect to her internal and external review applications. It will not. The amendment does not change the entity beneath the name. It merely identifies that entity by its proper legal name which is necessary in the context of legal proceedings such as these.
In its submissions the agency agrees that Insurance and Care NSW is the proper name for the agency but suggests that the Tribunal should dispense with the words “t/a iCare”. I disagree. While the name of the agency is created by statute, in the conduct of its business it uses a business name registered to it under the Business Names Act 2002 (NSW). That business name is the public face of the agency. A proper description of the agency requires the incorporation of that business name.
As is set out in greater detail following, in relation to the subject matter of these proceedings, iCare NSW acts as agent for the Workers Compensation Nominal Insurer which is established under s 154A of the Workers Compensation Act 1987 (NSW) (WC Act). In this respect s 154C of the WC Act provides (relevantly):
154C Authority to act for nominal insurer
(1) ICNSW acts for the Nominal Insurer and anything done or omitted to be done by ICNSW on behalf of or in the name of the Nominal Insurer is taken to have been done or omitted by the Nominal Insurer.
(2) In acting for the Nominal Insurer, ICNSW has and may exercise all the functions of ICNSW under this Act, the 1998 Act or any other Act or law.
(3) A liability incurred by ICNSW when acting for the Nominal Insurer is a liability of the Nominal Insurer and not a liability of ICNSW or the State.
…
“ICNSW” is defined in s 3 of the WC Act to be “Insurance and Care NSW”.
Having regard to s 154C(1) and (3) of the WC Act I am satisfied that the proper respondent to these proceedings is the Nominal Insurer established under s 154A of that Act. Insurance and Care NSW t/a iCare acts as agent only for the Nominal Insurer in relation to the subject matter of these proceedings. The Nominal Insurer is the principal in relation to that subject matter. I have therefore removed Insurance and Care NSW t/a iCare NSW as respondent to the application and substituted in its place the Workers Compensation Nominal Insurer.
In its submissions the agency expresses concern that substitution of the Workers Compensation Nominal Insurer may give rise to a jurisdiction issue because the applicant did not make an application for internal review to the Workers Compensation Nominal Insurer and the Tribunal’s jurisdiction to conduct administrative review is dependent upon there first having been an internal review by the agency. Attention is drawn to the words of s 53(1) and (3) which require a person aggrieved by the conduct of a public sector agency to make an application for internal review addressed to the public sector agency concerned. Attention is also drawn to ss 4 and 9 of the PPIP Act and HRIP which require that personal and health information must be “held by” an agency for those Acts to operate in relation to the agency. It is submitted the applicant’s personal and health information was not held by the Workers Compensation Nominal Insurer.
I cannot see any jurisdictional difficulty. Insurance and Care NSW t/a iCare is a public sector agency which acts as agent for the Nominal Insurer in relation to its workers compensation functions. It performs all the Workers Compensation Nominal Insurer’s functions, including its functions as a licensed insurer to issue Costs of Claims reports pursuant to s 147 of the Workers Compensation Regulation 2016 (NSW). In this respect s 154CA of the WC Act is instructive:
154CA Nominal Insurer functions of ICNSW
(1) ICNSW has such additional functions as may be necessary or convenient for enabling ICNSW to act for the Nominal Insurer and to ensure that the functions of the Nominal Insurer are able to be exercised without restriction by any of ICNSW’s other functions.
(2) When acting for the Nominal Insurer, ICNSW has and may exercise all the functions of the Nominal Insurer and is not limited by any of ICNSW’s other functions.
…
There is no issue that the applicant made a valid internal review request to iCare NSW. Pursuant to s 154C(1) of the WC Act iCare NSW dealt with that internal review request on behalf of the Workers Compensation Nominal Insurer. The internal review concerned conduct by iCare NSW for which the Workers Compensation Nominal Insurer is liable pursuant to s 154C(1) and (3) of the WC Act. With respect to whether information is “held” by the Workers Compensation Nominal Insurer, Insurance and Care NSW t/a iCare, being a statutory “person”, is “engaged” by statute (s 154C) to carry out all the functions of the Workers Compensation Nominal Insurer as a licensed insurer (see s 134B of the WC Act). Those functions include the collection and holding of personal and health information on injured workers.
The ultimate issue is a simple one. The proper respondent to the application is the “person” liable for the conduct that was the subject of the internal and administrative reviews, and which is legally responsible for complying with the Tribunal’s remedial orders. This is important should enforcement of the Tribunal’s orders become an issue. Having regard to the terms of s 154C there can be no doubt that this is the Workers Compensation Nominal Insurer in this case. I note that the State Insurance Regulation Authority has taken an equivalent view. When it issued a censure in relation to the conduct that is the subject matter of this administrative review (as to which see following) it was the Workers Compensation Nominal Insurer (being the licensed insurer) and not Insurance and Care NSW t/a iCare (its agent) that was subject to the censure.
Evidence and submissions
The following material has been considered in reaching this determination:
Applicant
- The administrative review application filed on 16 August 2022 and its attachments,
- A bundle of documents filed on 22 November 2022,
- A bundle of documents filed on 24 November 2022,
- A bundle of documents filed on 28 November 2022,
- A ‘medical statement’ filed on 9 December 2022, and
- A bundle of documents filed on 11 December 2022.
Agency
- Primary bundle of documents filed on 15 September 2022 pursuant to s 58 of the ADR Act (primary s 58 documents),
- Supplementary bundle of documents filed on 25 November 2022 pursuant to s 58 of the ADR Act (supplementary s 58 documents),
- A bundle of materials filed on 9 December 2022 (agency’s materials),
- Submissions filed on 9 December 2022,
- Affidavit of Jackie Deane, affirmed 8 December 2022, and annexures.
I note that in the post-hearing period the applicant filed further evidence and submissions other than in relation to the proper description of the agency and the proper respondent. No leave had been granted for this to occur and its filing was subject to objection by the agency. I have not considered this material.
The hearing was conducted in person. The applicant gave evidence in her own cause under a solemn promise to tell the truth. The agency called as a witness Ms Jackie Deane, who is iCare NSW’s Manager, Workers Compensation. Ms Deane also gave oral evidence under a solemn promise to tell the truth. The parties had the opportunity to present their respective cases, to ask FMM and Ms Deane questions and to make final submissions to the Tribunal.
Material facts
The applicant is a former employee of a local government agency (the employer). While in the employment of the employer, she experienced an injury at work. At the material time for this application, she continued to receive worker’s compensation in relation to that injury.
The agency is constituted as a body corporate with the corporate name Insurance and Care NSW under s 4(1) SICG Act. It trades, or is styled, as iCare NSW. It is designated an NSW Government agency “for the purposes of any Act” by s 4(2) of that Act. There is no issue that iCare NSW is a “public sector agency” within the meaning of s 3 of the PPIP Act and HRIP Act to which both Acts apply.
Relevantly to these proceedings, iCare NSW exercises functions under the WC Act on behalf of the Workers Compensation Nominal Insurer established under s 154A of that Act. The functions of the Nominal Insurer are partly set out in s 154B of the WC Act.
Section 154B(1) provides that the Nominal Insurer is taken to be a licensed insurer as if it were the holder of a licence in force under Division 3 of Part 7 of the WC Act. Consequently, it is subject to regulation by the State Insurance Regulation Authority which is constituted under s 17 of the SICG Act.
Section 154B(2) of the WC Act provides that the Nominal Insurer’s functions include such functions as may be conferred or imposed by the regulations made under that Act. In this respect, s 147 of the Workers Compensation Regulation 2016 (NSW) (WC Regulation) provides, relevantly:
147 Certificates relating to costs of claims
(1) For the purpose of ascertaining the premium payable by an employer in respect of a period of insurance –
(a) an employer to whom a policy is issued by an insurer,
…
may, by notice in writing served on the insurer who issued the policy not later than 1 month after the commencement of the period of insurance, require the insurer who issued the policy to furnish the employer …, within 21 days of service of the notice, with a certificate in the approved form, specifying (with respect to the whole or any part of the last 3 injury years which occurred or will have occurred before the commencement of the period of insurance) the particulars relating to costs of claims required by the form to be inserted in it.
…
iCare NSW exercises the Nominal Insurer’s functions under s 147 of the WC Regulation. In her Affidavit dated 8 December 2022 at paragraph 13 Ms Deane states that iCare NSW provides Costs of Claims reports to employers in two circumstances: in response to a one-off request sent to its Workers Insurance reporting inbox and in response to a request by the employer or their appointed insurance broker to be provided with the reports monthly. The applicant’s former employer is an employer who requested iCare NSW to provide it with monthly Cost of Claims reports.
In this respect, in her Affidavit dated 8 December 2022, Ms Deane states:
8 Employers who have workers compensation premiums over $25,000 in the Nominal Insurer scheme are entitled to receive (on request) a Cost of Claims report distributed automatically by icare each month. … The purpose of the Cost of Claims report is to assist employers with understanding their claims’ costs and frequency under the NSW Workers compensation scheme.
…
11 To meaningfully utilise the Costs of Claims reporting, employers and/or their broker need to be able to identify the specific claim and the details of the claimant for claims management and return to work purposes.
…
14 Up until May 2022, a Cost of Claims report included the personal and health information of injured workers, which was restricted to a high-level overview of the claim information, as follows:
a. Name
b. Date of birth
c. Claim number
d. Date and time of compensable injury
e. Date compensable injury was reported
f. Sex (Male/Female)
g. Date claim was closed
h. Working days/time lost due to injury
i. Occupation description
j. Date the payment ceased and/or resumed
k. Employer name
l. Liability status (e.g. accepted or declined)
m. Nature of Injury/Disease Classification (high level classification of the injury or a disease type based on Type of Occurrence Classification System)
n. Bodily Location of Injury/Disease Classification (identifies the part of the body affected by the most serious injury or disease based on Type of Occurrence Classification System)
o. Mechanism of Incident Classification (identifies the action, exposure or event that triggered the incident/injury based on the Type of Occurrence Classification System)
p. Agency of Injury/Disease Classification (identifies the object, substance, or circumstance that was principally involved in causing the incident based on Type of Occurrence Classification System)
q. Weekly payment amount
r. Gross amount paid on the claim.
15. The personal and health information contained in the Cost of Claims report was information that would already be known by the employer and any appointed broker but is consolidated.
-
At issue in these proceedings is the disclosure by the agency of a Cost of Claims report to an insurance broker who had no connection to the applicant’s employer.
-
In her Affidavit dated 8 December 2022 Ms Deane says the following in relation to insurance brokers with whom the agency deals on behalf of an employer:
9. Employers commonly engage insurance brokers to act as their agent or representative to manage their worker’s compensation claims and premiums on their behalf. Prior to dealing directly with an employer’s agent for any reason, including for the purpose of sharing claims reporting, icare must be satisfied that the broker is properly engaged as an agent of the employer. This satisfaction can be reached upon the submission and verification of a signed letter of appointment. The letter of appointment contains the current policy details of the employer and the terms icare requires the employer and agent to agree to comply with, including “all privacy and health obligations, that would apply to the Employer”….
-
On 9 May 2022 the agency sent an email attaching a Cost of Claims report intended for the applicant’s former employer to Mr Kyle Howes, Director of Workers Comp Savings Pty Ltd, which is a provider of workers compensation claims management services to other employers who have workers compensation policies with the Nominal Insurer. Mr Howes is wholly unconnected with the applicant’s former employer. He is not authorised by it to act as its agent or representative in relation to workers compensation matters (the incident).
-
The Cost of Claims report sent to Mr Howes was in the form of an Excel spreadsheet which had the file name that was a compilation of a policy number, employer name and the date of report. The spreadsheet included 6 “workbooks” or tabs. The fifth tab, which was labelled “data”, contained data relating to workers compensation claimants employed by the applicant’s employer, including that of the applicant.
-
In her Affidavit dated 8 December 2022 Ms Deane explains how this incident occurred as follows:
13 Up until May 2022, the provision of Cost of Claims reports was manually undertaken …
…
16 For the month of April 2022, while transcribing the master distribution list from one Excel spreadsheet to another (being a condensed version of the master distribution list required by the Data & Analytics team to distribute the monthly Cost of Claims Report), the data extract was pasted one row down in the receiving spreadsheet. This resulted in a misalignment between the employer email address and the employer policy number, in circumstances where the policy number is used to identify and extract related claims data and information from icare’s claims systems. This error occurred at the top of the distribution list.
17 The Excel spreadsheet containing the condensed distribution list was then sent by a member of the Data & Analytics team to a third-party provider of cloud computing services, Amazon Web Services. The Cost of Claims reports were emailed as an attachment through a server hosted by AWS. AWS automates the process of sending large numbers of emails and is not a third party to the information contained in the reports.
18 The distribution of the Costs of Claims reports for the month April 2022 commenced based on the incorrect distribution list in the Excel spreadsheet referred to in paragraph 15 (sic 17?) above. There were 572 email recipients who received a Cost of Claims Report intended to be provided to a different recipient. The number of injured worker records contained in the reports was 191,870.
…
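The process failure described in paragraphs 16 to 18 above (an e-mail column and a policy-number column out of step by one row, with reports generated from the policy number) is the kind of error that a full pre-release reconciliation catches before anything is sent. The following Python is an added illustration written for this page, not iCare's code; its policy register, employer names, addresses and report file-name layout are invented. It rebuilds the expected recipient for every row of the condensed list from the authoritative register, refuses the whole batch on any disagreement, and independently checks each attachment's file name against its recipient at send time.

```python
"""Pre-release reconciliation of a report distribution list.

Added illustration for this page; not iCare's code. The policy register,
employer names, e-mail addresses and file-name layout are all invented.

The failure modelled: a distribution list is copied by hand from a master
sheet into a condensed sheet, and the policy-number column lands one row
below the e-mail column. Every e-mail address then sits beside the wrong
policy number, and because reports are generated from the policy number,
every recipient gets someone else's report. The checks below rebuild the
expected recipient for every row from the authoritative register, refuse
the whole batch on any disagreement, and independently verify each
attachment's file name against its recipient at send time.
"""
from dataclasses import dataclass
import re

# Constructed sample register: policy number -> (employer name, address on file).
POLICY_REGISTER = {
    "P-1001": ("Alpha Council", "claims@alpha.example"),
    "P-1002": ("Beta Pty Ltd", "broker@betabrokers.example"),
    "P-1003": ("Gamma Logistics", "hr@gamma.example"),
    "P-1004": ("Delta Health", "payroll@delta.example"),
}


@dataclass(frozen=True)
class DistributionRow:
    email: str
    policy_number: str


def master_list(register=POLICY_REGISTER):
    """The master distribution list as it should be: one row per policy."""
    return [DistributionRow(email, policy) for policy, (_, email) in register.items()]


def transcribe(rows, shift_down=0):
    """Simulate copying the master list into the condensed sheet.

    shift_down=1 pastes the policy column one row lower than the e-mail
    column: the first address gets a blank policy cell, each later address
    gets the previous row's policy number, and the last policy drops off.
    """
    emails = [r.email for r in rows]
    policies = [""] * shift_down + [r.policy_number for r in rows]
    return [DistributionRow(e, p) for e, p in zip(emails, policies)]


# Report file name: <policy>_<employer>_<YYYY-MM-DD>.xlsx (invented layout).
FILENAME_RE = re.compile(r"^(?P<policy>P-\d+)_(?P<employer>.+)_(?P<date>\d{4}-\d{2}-\d{2})\.xlsx$")


def report_filename(policy_number, report_date, register=POLICY_REGISTER):
    """Name of the report generated for a policy (employer name comes from the register)."""
    employer, _ = register[policy_number]
    return f"{policy_number}_{employer}_{report_date}.xlsx"


def reconcile(condensed, register=POLICY_REGISTER):
    """Check every row, not a sample. Returns (row_index, reason) problems;
    an empty list means the condensed list agrees with the register."""
    problems = []
    for i, row in enumerate(condensed):
        entry = register.get(row.policy_number)
        if entry is None:
            problems.append((i, f"unknown or blank policy number {row.policy_number!r}"))
            continue
        _, expected_email = entry
        if row.email.casefold() != expected_email.casefold():
            problems.append((i, f"{row.email} is not the address on file for {row.policy_number}"))
    return problems


def attachment_matches_recipient(recipient_email, filename, register=POLICY_REGISTER):
    """Send-time check independent of the distribution list: the policy and
    employer in the file name must be the ones registered for the recipient."""
    m = FILENAME_RE.match(filename)
    if m is None:
        return False
    entry = register.get(m.group("policy"))
    if entry is None:
        return False
    employer, email_on_file = entry
    return employer == m.group("employer") and email_on_file.casefold() == recipient_email.casefold()


def release_batch(condensed, report_date, register=POLICY_REGISTER):
    """Fail closed: return [(email, filename)] only if every row reconciles
    and every attachment matches its recipient; otherwise raise."""
    problems = reconcile(condensed, register)
    if problems:
        detail = "; ".join(f"row {i}: {why}" for i, why in problems)
        raise ValueError(f"distribution list rejected: {detail}")
    batch = []
    for row in condensed:
        filename = report_filename(row.policy_number, report_date, register)
        if not attachment_matches_recipient(row.email, filename, register):
            raise ValueError(f"attachment {filename} does not belong to {row.email}")
        batch.append((row.email, filename))
    return batch


if __name__ == "__main__":
    good = transcribe(master_list())
    print(release_batch(good, "2022-04-30"))       # four correctly paired sends
    bad = transcribe(master_list(), shift_down=1)  # the off-by-one paste
    try:
        release_batch(bad, "2022-04-30")
    except ValueError as exc:
        print(exc)                                 # every row flagged; nothing sent
```

The point of the design is that the check is exhaustive and fails closed: a misaligned paste shifts every row, so checking the whole list against the register (rather than a handful of control files) rejects the batch outright, and the send-time file-name check would still stop a wrong pairing even if the list check were skipped.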
-
At paragraph 22 of her Affidavit, Ms Deane explains the actions taken by the agency in response to the incident:
22 I am informed that icare became aware of the distribution error on 10 May 2022. As soon as icare became aware of the incident, an Incident Response Team was established to investigate the matter and develop a response. The following remedial steps were subsequently undertaken:
a. any employers or brokers who contacted icare to advise that they had received an incorrect report were asked to delete the information immediately as it had been issued in error.
b. A Register was set up to capture all calls and confirmation from employers that the reports had been deleted.
c. An email was sent on Friday, 13 May 2022 from icare to employers and brokers who either received the wrong report or whose report was sent to an incorrect recipient requesting the recipient to delete the report and confirm when they had done so.
d. Between May and June 2022 notification was provided to affected workers with open claims or claims closed in the previous 12 months (with certain identified exceptions), who were notified of their review rights under the Privacy and Personal Information Protection Act 1998 (‘PPIP Act’).
e. icare wrote to all contracted CSPs to advise of the distribution error.
f. CSPs were requested to advise any employers or brokers who made contact to delete the incorrect reports from their systems. An icare contact point for CSP enquiries was provided.
g. IDCARE were engaged to provide Case Management services for workers requesting support and to provide guidance on icare’s response and mediation.
h. Affected workers were provided with access to a free counselling service.
i. A complete review was undertaken to understand the root cause and determine the appropriate further actions to address this issue.
-
In the following paragraphs of her Affidavit Ms Deane explains the privacy safeguards that were in place in the agency at the time of the incident and those which have been instituted since:
19. The Cost of Claims reports which were attached to the emails in the form of Excel spreadsheets were not password protected and the emails were not encrypted. I am informed by documents I have reviewed that encryption of emails had previously been explored, however was not considered feasible at the time, as encrypted (or zipped) files are generally rejected by recipient servers and therefore it was anticipated that a significant amount of reports would not reach the employers or the brokers requiring them.
20. I am informed that the process in place at the time of the distribution of the April 2022 reports involved a small sample of control files (being generated Costs of Claims reports) being checked following the provision of the condensed distribution list to the Data & Analytics team.
21. While the distribution of Costs of Claims reports via email was automated, the preparation of the distribution list was not. Icare had been giving consideration to the implementation of a process for automating the provision of Cost of Claims data to employers through an Employer portal and had been consulting with the icare IT Team on the most effective solution. However, at this point in time, the data is not in a form which could be migrated to a Portal. Icare is continuing to work towards implementation of a Portal.
…
23. icare also suspended the distribution of the Cost of Claims reports pending the post incident review. The distribution list error was determined to be the result of an isolated human error. The post incident review did, however, identify a number of control weaknesses in the process that could be addressed to further minimise the risk of recurrence.
24. Cost of Claims reporting resumed from 12 July 2022. Whilst a long-term solution is being developed, the Cost of Claims reporting process continues to be undertaken manually with the following additional controls:
a. the reports are de-identified with the “Worker Name”, “Sex”, “DOB” and “Age At Injury” fields removed.
b. Historical data are to be limited to information relevant to the current policy term, being the previous four years plus the current policy year
c. a sample of the Costs of Claims report is to be peer reviewed prior to distribution.
d. Cost of Claims Reports are to be sent in smaller cohorts to reduce the amount of data sent in each individual release and to allow for more effective review of the data being released.
25. In June 2022, the following improvements were also implemented in respect of the distribution list:
a. the currency of the distribution list is to be managed more robustly, with bounce back emails being removed from the list as received;
b. the distribution list is to be peer reviewed each month to confirm all required actions to maintain currency have been taken;
c. additional staffing resources were allocated to the process.
26. Additional administrative measures are currently being developed, including the piloting of an automated process for distribution of the Cost of Claims report using a software program called Syncplicity which has inbuilt controls and protections to safeguard against unauthorised disclosure or access. Syncplicity has been implemented in two stages. Stage 1 was successfully implemented on 22 November 2022 for the manual provision of Cost of Claims reports in response to daily requests, with positive feedback received to date, from both internal and external stakeholders. Stage 2 is in progress and involves the implementation of Syncplicity for all automated Cost of Claims reports distributed monthly.
Security safeguards in place to protect the information in the costs of claims report at the time of the incident
27. All icare employees are required to undertake mandatory privacy training on an annual basis to ensure that obligations with respect to the personal and health information icare handles are understood and complied with.
28. The Cost of Claims report contains privacy disclaimer on the cover page which states as follows:
“icare distributes the information in this report as a general resource for the named recipient only. Because this report may contain personal or health, confidential or commercially sensitive information – users of this report are expected to treat any personal and health information captured in this report within the terms of icare’s privacy responsibilities and obligations regulated by the NSW Privacy & Personal Information Protection Act 1998 and Health Records and Information Privacy Act 2002 and if you are not the intended recipient you must not use, reproduce or distribute any part of this report or disclose its contents to another party.”
29 Employers are bound by the disclosure provisions contained in s 243 of the Workplace Management and Workers Compensation Act 1998. Employers also have direct obligations to comply with the PPIP Act, the Privacy Act 1988 (Cth) and/or the Health Records and Information Protection Act 2002.
-
The agency relies upon a Statutory Declaration made by Kyle Howes dated 26 September 2022. In that Declaration Mr Howes states, relevantly:
3. I am a Director of Workers Comp Savings Pty Limited. I have been in this position since February 2011.
4. My duties in this role include acting as an insurance consultant under an agency agreement for various employers to assist them in claims management obligations and premium analysis under the workers compensation.
5. As part of my role, I receive Cost of Claims report from Insurance and Care NSW to undertake claims management obligations and premium analysis for a number of employers.
Incident
6. In May 2022 I received an email attaching a Cost of Claims report from Insurance and Care NSW (icare).
7. On the date I received these reports, I noticed that several reports were not meant for me (by identifying the employer name) and I deleted these reports on the same day without opening the reports or reviewing any data about claimants.
8. I did not on-forward the email or attached Cost of Claims report.
9. On 24 May 2022, I received an email from Rizwan Hague, Strategic Broker Manager, Employer Engagement, icare seeking written confirmation that the email and attached Cost of Claims report had been deleted.
10. On 24 May 2022, I sent an email to Rizwan Hague, Strategic Broker Manager, Employer Engagement, icare confirming the email containing the incorrect Cost of Claims report had been deleted.
…
-
On 30 May 2022 the agency sent the applicant a letter by email to inform her of the incident. That letter stated as follows:
I am writing to you about your workers compensation claim.
I’m very sorry to say that on 10 May 2022, icare inadvertently forwarded a report containing a limited amount of information relating to your workers compensation claim to another employer, who should not have received it.
Some of our employers receive a workers compensation claims report from us each month. These reports contain a summary of workers’ claims history including details such as the worker’s name, date of birth and injury category but do not contain personal financial information or contact details. Unfortunately, through human error, some employers or their insurance brokers, received the wrong report for April 2022.
I would like to extend our sincere apologies for the error and upset this matter may cause you.
Icare has contacted the employer who had mistakenly received the limited information about your claim, advised them of the error and requested them to delete the information. We have also asked them to confirm with us when this has been completed.
We have disclosed this breach of privacy to the Information and Privacy Commission of NSW and are working with them as we remedy this situation.
I understand the concern this may have caused you and once again, I apologise.
Should you be dissatisfied with how icare has dealt with this matter you may contact icare on [telephone number]
-
The applicant replied to this email later on 30 May 2022 asking: “how this happened”, “what was the “limited information” that was forwarded…”, and requesting “a copy of their confirmation to delete all of the information once [received]”.
-
At the same time the applicant lodged with the agency a “Privacy Complaint: Internal Review Application Form”. In the section of the form that requires the applicant to identify the specific conduct she is complaining about the applicant states “inadvertently forwarded a report containing a “limited amount” of information regarding my workers compensation claim to my former employer – [local government agency] (who terminated me due to my injury)”. In the section of the form which requires the applicant to tick “which of the following describes [her] complaint” the applicant marked “disclosure of my personal or health information”. In sections 10 to 12 of the form the applicant states as follows:
10. What effect did the conduct have on you?
This has concerned me deeply and has escalated my anxiety levels since being notified. I can hardly breathe and my jaw is clenched so tight that it is very painful. The very thought of my ex employer creates a state of heightened panic in my body. I’m currently suffering psychological injuries from my ex employer.
11. What effect might the conduct have on you in the future?
I don’t know what effect this could have in my future, due to my general anxiety disorder and major depression it makes me think that “maybe” my ex employer can use this information against me somehow.
12. What would you like to see the agency do about the conduct? …
I would like to see transparency as to: “how did this happen?”, “why did it take 20 days to either notice or notify me?” I would like to know what is the “limited information” that was inadvertently sent to my ex employer who caused this injury and later terminated me for not being fit for duty?
-
The agency’s Privacy Specialist replied to the applicant’s email and application for internal review by letter dated 3 June 2022 sent by email. In response to the applicant’s questions the Privacy Specialist stated:
Who received your information?
I confirm that your information was inadvertently disclosed to a broker, who has confirmed deletion of your information. I confirm that your previous employer, [name of employer], has not received any information that they were not supposed to receive.
What information has been disclosed?
As specified in the letter, reports contain a summary of your claims history, including details such as your name, date of birth, and injury category, but do not contain personal financial information or contact details. As mentioned above, I confirm that the broker who inadvertently received your information has deleted it.
Can you receive a copy of the deletion confirmation?
I confirm that I have sighted the confirmation of deletion from the broker who inadvertently received your information. Your information has been deleted. We may provide you with a copy of the deletion, however, all information that does not relate to you will be redacted. Please let me know via reply email if this is something you would like.
-
At the conclusion of her letter, under the heading “Further Information” the agency’s Privacy Specialist states:
We would be happy to arrange for someone from icare to call you to discuss your concerns. Please let me know via return email if this would be acceptable to you.
Furthermore, I acknowledge that the information that you received in the letter may be concerning to you. If you feel anxious or stressed, we encourage you to contact our free mental health support service [name of support service and telephone number]. They are available to take calls 24 hours a day, 7 days a week … There are 3 initial sessions of counselling available to you and you may request further sessions … if required.
…
-
The applicant replied to this correspondence stating in part “thank you for your offer of counselling but I have raised with my psychologist during my last session”.
-
It is apparent from what the applicant states in her internal review application that she initially had a misconception that the Cost of Claims report had been disclosed to her former employer, rather than to Mr Howes. It was to this that she initially objected.
-
iCare NSW’s Principal Privacy Officer (the internal reviewer) conducted an internal review of the agency’s conduct as specified in the applicant’s internal review application and provided the applicant with a report setting out her findings on 29 July 2022.
-
In relation to whether iCare NSW was permitted to include the applicant’s personal and health information in the Cost of Claims report that was to be provided to her former employer, the internal reviewer concluded that this was a permitted disclosure under the Workplace Injury Management and Workers Compensation Act 1998 (NSW) (WIMWC Act), setting out her reasons for reaching that conclusion. No contravention of an IPP or HPP was found in these circumstances (IPPs 1 and 11 were considered). I do not understand the applicant to now cavil with this conclusion.
-
The internal reviewer then went on to consider at issue [3] the transmission of the Cost of Claims Report to Mr Howes:
[3] Consequences of icare inadvertently sending your Cost of Claims report to the incorrect employer
Disclosure
… your personal and health information can only be disclosed for a directly related purpose, or with consent under IPP 11 and HPP 11. We do not specifically obtain consent every time we disclose your information. We consider that, by law, icare has consent to disclose your information for the purpose of managing your claim. Unfortunately, however, on this occasion, due to human error, there was an inadvertent disclosure of your information.
On 10 May 2022, icare inadvertently sent the [employer] Cost of Claims report to another employer’s insurance broker (a third party). This report contained a summary of your information. This inadvertent disclosure was a breach of IPP 11 and HPP 11.
The report that included your information had been inadvertently sent to the incorrect mailbox. The third party who inadvertently received the [employer] Cost of Claims report confirmed on 24 May 2022 that they had deleted the report from their mailbox. …
Consequences
The insurance broker who inadvertently received the Cost of Claims report containing your information would have received an email that had attached the Cost of Claims report. The email was only accessed by the insurance broker for the purposes of deletion. I can confirm that the insurance broker who received your report in error is in no way associated with your former employer. As such, it is extremely unlikely that there will be any material consequences that result from this inadvertent disclosure.
In your application, you have expressed concern that you could potentially experience identity theft as a consequence of this breach.
As part of icare’s remediation process, icare partnered with IDCARE, a national, independent, not-for-profit identity support service, which provides specialist advice to address concerns about identity when there has been an inadvertent disclosure. Icare and IDCARE in their risk assessments have both found that the risk of identity theft and misuse is not likely.
-
At sections 7 and 8 of her report, the internal reviewer sets out her findings and recommendations as follows:
7. Findings
Based on the information before me, I am of the view that there have been breaches of:
• IPP 11 Limits on the disclosure of personal information, and
• HPP 11 Limits on the disclosure of health information.
specifically, in relation to the inadvertent disclosure of your information to an insurance broker other than your previous employer …
8 Recommendations
Pursuant to section 53(7)(e) of the PPIP Act, icare has changed the process including the content of the report to ensure that inadvertent disclosure such as this one does not happen again, and further that icare has issued you with a formal apology letter.
…
-
On 29 September 2022 the Chief Executive of the State Insurance Regulatory Authority issued the Workers Compensation Nominal Insurer with a letter of censure in relation to the incident. This letter was published (made public) pursuant to s 183A(5) of the WC Act on 2 October 2022. That letter relevantly states:
I refer to the review conducted by the State Insurance Regulatory Authority (the Authority) of the recent privacy incident involving the Costs of Claims Report (Claims Report) issued by icare on behalf of the Workers Compensation Nominal Insurer (NI)
I am writing to advise you that the Authority has finalised its review and is satisfied that the NI has contravened s 243(1) of the Workplace Injury Management and Workers Compensation Act 1998 (1998 Act).
For the reasons outlined below, the Authority has decided to issue NI with a letter of censure pursuant to s 183 of the Workers Compensation Act 1987 (1987 Act).
Section 183A of the 1987 Act provides:
(1) If the Authority is satisfied that a person who is or was a licensed insurer or self-insurer has contravened its license or this Act or the regulations, the Authority may -
(a) impose a civil penalty on the person not exceeding $50,000, or
(b) issue a letter of censure to the person.
The privacy incident
[the details of the incident and iCare’s remedial action are set out]
On 15 August 2022 the Authority issued a show cause notice to icare, on behalf of the NI, outlining the proposed findings of fact as a result of the Authority’s review of the matter. By letter dated 5 September 2022 icare accepted the incident was a breach of s 243(1) of the 1998 Act, and that it may have been distressing to affected workers. The Authority acknowledges the concession made.
The Authority has considered the entirety of icare’s submissions, with all material gathered in the course of its review of the matter, and has determined that:
• in issuing the Claims Report to the incorrect employers on or about 6 May 2022 the Authority is satisfied the NI contravened section 243(1) of the 1998 Act.
• A letter of censure is an appropriate outcome for the following reasons:
○ Information relating to thousands of injured workers was sent to incorrect email addresses in the privacy incident with a significant potential risk of distress to those workers.
○ There was a lack of appropriate safeguards in place in relation to the handling of the Claims Report notably:
• Compilation of the distribution list for the Claims Report was reliant on a manual process and therefore at more risk of human error. There is no evidence of an independent check or verification mechanism in relation to the compilation of the list.
• The Claims Report was forwarded to employers by way of email attachment with greater risk of inadvertent disclosure than other means. No encryption, password, or other security mechanism was applied to the Report.
The Authority also notes that it considers the following aspects of icare’s response to the incident unsatisfactory:
• Notification to affected workers stated no “personal financial information” was included in the Claims Report. While no banking information was included, the Report did contain information regarding compensation payment amounts which is arguably financial in nature. The Authority considers that the notification should have been clearer on this issue.
• Icare originally determined not to notify workers with open psychological claims of the privacy incident due to the potential impact on them. However, the Authority understands icare did send notifications to these workers in error.
-
Section 243 of the WIMWC Act provides, relevantly:
243 Disclosure Requirements
(1) A person must not disclose any information obtained in connection with the administration or execution of this Act unless that disclosure is made -
(a) with the consent of the person from whom the information was made, or
(b) in connection with the administration or execution of this Act, or
(c) for the purposes of any legal proceedings arising out of this Act or of any report of any such proceedings, or
(d) in accordance with section 72 (inspection of relevant claims information etc), or
(e) in accordance with the requirement imposed under the Ombudsman Act 1974, or
(f) with other lawful excuse.
-
On 5 December 2022 the agency issued the applicant with a confidential letter of apology in relation to the incident. A copy of this letter appears at Annexure B of Ms Deane’s Affidavit.
Application for administrative review
-
In the Administrative Review Application Form the applicant filed on 16 August 2022, she states in the section “grounds for application”:
The Internal Review had 3 issues investigated, only issue no. 3 was relevant. Issues 1 & 2 were not raised by me and were irrelevant to the privacy breach, there were two other issues that were raised by me but not addressed. Icare breached the privacy of 193,000 other clients on the same day yet they chose not to investigate the why and how it happened. I find the Internal Review to be insulting, it didn’t address what was being asked of them. I can’t see how they could misunderstand when there were 193,000 others as stated in the SMH & icare website …
-
In a cover letter attached to her Application the applicant elaborates on these grounds, relevantly, as follows:
(1) On 30/5/2022 I was informed by icare that my personal and health information had been sent to the incorrect employer on the 10/5/2022.
(2) They played it down as a “one-off” but it involved 193,000 Workers Compensation clients, that’s quite a big mistake for a Govt Dept especially when they would have privacy policies, procedures and management plans in place.
(3) They informed me it was a Broker and not an Employer on 10/7/2022 which is conflicting information.
…
6) Issue 3 is the only part of the investigation pertaining to my request
Consequences of icare inadvertently sending my Cost of Claim Report to the incorrect employer – although they stated that it was sent to an Insurance Broker. There are a few inconsistencies in who received the private information.
7) The questions that I asked were not included in the Internal Review
I asked HOW could this happen and WHAT information was shared?
This was not addressed.
8) Also, I would like to know why I was notified on 30/05/2022 and yet icare had known about it for close to 2 weeks prior to informing me, once they had rectified the situation with the incorrect broker …
9) There is evidence to suggest that icare are in breach of IPP1 and HPP1.
The private information shared was not directly related to the management of my injury as the agency was not connected in any way to my claim. Icare is aware of my fragile mental health due to the psychological injury relating to my workers compensation and instead of providing an explanation they have tried to put it back on me that I signed permission for them to share this personal information – this is correct – but only for the parties directly related to my injury. I find it insulting that they handled it this way.
10) Internal Review Assessment
The sharing of the Cost of Claims Report to associated parties for my injury management is not in dispute. The sharing of both my personal and health information with an unauthorised agent is the real issue I would like addressed. Please see “essence of disclosure” the unauthorised Broker had no prior knowledge of my personal and health information until it was disclosed to them.
11) Internal Review Consequences
Icare stated that the Broker only accessed the email containing my private information to delete it. I find it hard to believe that an Insurance Broker doesn’t read their emails? Assuming they would normally read their emails.
I would like to know HOW this could happen in a Government Department when they have Policies and Procedures in place? Especially due to the high amount of workers compensation clients’ personal information inadvertently disclosed.
Relief sought by the applicant
-
The applicant seeks relief in the form of compensation for economic loss that she contends she has incurred in instituting this proceeding, issuing two summons and in instituting an access application under the Government Information (Public Access) Act 2009 (NSW) in relation to the same subject matter. These costs are not quantified, itemised, or supported by any documentary evidence.
-
The applicant also applies for an order for compensation in the amount of $40,000.00 for non-economic loss, being psychological harm, she contends she has suffered because of the incident. This aspect of the relief sought by the applicant is supported by some medical evidence which is identified and discussed following.
-
The applicant also continues to pursue by way of relief an apology from the agency, despite the apology issued to her dated 5 December 2022, because she does not consider that apology sufficiently contrite or genuine.
-
It is also clear from the applicant’s presentation of her case that she seeks by way of remedy orders that would require the agency to introduce security safeguards to protect her personal and health information in the future, specifically password protection and encryption of this data.
Contentions of the parties
Applicant
-
Despite her reference to IPP 1 and HPP 1 in her Administrative Review Application, the applicant contends in fact that the agency contravened IPP 11 and HPP 11 in transmitting the Cost of Claims Report to Mr Howes on 9 May 2022. She contends that this was a very serious breach of her privacy and one which has resulted in an acute exacerbation of her psychological injury. She contends that the fact that this breach occurred demonstrates that the agency does not have adequate safeguards in place to protect the personal and health information of injured workers from being unlawfully disclosed. That amounts to an alleged contravention of IPP 12 and HPP 12.
-
The applicant does not accept that Mr Howe did not read the email containing the cost of claims report except for the purposes of deleting it. She is also concerned that he was not the only recipient of it, despite the agency’s assurances to the contrary, because she has received different versions of the email and Cost of Claims reports which she believes have different time stamps.
-
The applicant contends that the agency’s provision to her on 15 November 2022 of an unredacted copy of the Cost of Claims report (which identified the names of other injured workers) in response to her Summons constituted another serious contravention of the personal and health information of those injured workers which ought also to be the subject of this administrative review.
Agency
-
The agency does not dispute that it transmitted a Cost of Claims report to Mr Howe on 9 May 2022 which contained the personal and health details of injured employees of a particular local government authority, including those of the applicant. It does not dispute that Mr Howe had no authority to receive that information. However, despite the Internal Reviewer’s determination that this constituted a contravention of PPIP 11 and HRIP 11, it now contends, citing as authority Nasr v State of NSW [2007] NSWCA 101, that this transmission did not constitute a “disclosure” of the applicant’s personal and health information to Mr Howe for the purposes of IPP 11 and HPP 11 because he did not read the document containing this information before deleting it. It therefore submits that the Tribunal should determine that there has been no contravention of an IPP or HPP in these circumstances.
-
The agency accepts that a fair reading of the applicant’s application for administrative review encompasses the security safeguards that the agency had in place to protect her personal and health information and that, consequently, IPP 12 and HPP 12 are engaged in the review, notwithstanding that this was not an issue addressed in the internal review. However, it submits that there was no contravention of IPP 12 and HPP 12 because the security safeguards the agency had in place at the time were reasonable in the circumstances.
-
The agency contends that the release of the Cost of Claims report to the applicant on 15 November 2022 in response to her summons was not the subject of the internal review. Consequently, it submits that the Tribunal does not have jurisdiction to review this conduct.
-
Having regard to these considerations the agency submits that the Tribunal should determine to take no action in the matter pursuant to s 55(2) of the PPIP Act, particularly considering the steps that have been taken by the agency to prevent any recurrence of the incident on 9 May 2022 since that time.
The applicable law
-
The role of the Tribunal in determining an application for administrative review under s 55 of the ADR Act is set out in s 63 of that Act:
63 Determination of administrative review by Tribunal
(1) In determining an application for an administrative review under this Act of an administratively reviewable decision, the Tribunal is to decide what the correct and preferable decision is having regard to the material then before it, including the following:
(a) any relevant factual material,
(b) any applicable written or unwritten law.
(2) For this purpose, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision.
(3) In determining an application for the administrative review of an administratively reviewable decision, the Tribunal may decide:
(a) to affirm the administratively reviewable decision, or
(b) to vary the administratively reviewable decision,
(c) to set aside the administratively reviewable decision and make a decision in substitution for the administratively reviewable decision it set aside, or
(d) to set aside the administratively reviewable decision and remit the matter for reconsideration by the administrator in accordance with any directions or recommendations of the Tribunal.
-
With respect to s 63(1) Kiefel J (as she then was) said in Shi v Migration Agents Regulatory Authority (2008) 235 CLR 286 at [140] that a “correct” decision is one that is rightly made, while “preferable” is apt to refer to a decision involving discretionary considerations.
-
Section 66 of the ADR Act explains the effect of an administrative review decision made by the Tribunal in an administrative review:
66 Effect of administrative review decision
(1) A decision determining an application for an administrative review under this Act of an administratively reviewable decision takes effect on the date on which it is given or such later date as may be specified in the decision.
(2) If such decision varies, or is made in substitution for, an administrator’s decision, the decision of the Tribunal is taken:
(a) to be the decision of the administrator (other than for the purposes of an administrative review under this Act), and
(b) to have had effect as the decision of the administrator on and from the date of the administrator’s actual decision unless the Tribunal orders otherwise.
-
Part 2, Division 1 of the PPIP Act and Schedule 1 of the HRIP Act prescribe information protection principles in relation to ‘personal information’ that apply to public sector agencies by operation of ss 20(1) and 11 of those Acts respectively. A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle (IPP) or health privacy principle (HPP) applying to the agency: s 21(1) of the PPIP Act and s 11(3) of the HRIP Act respectively. The contravention by a public sector agency of an IPP or HPP that applies to the agency is conduct to which Part 5 of the PPIP Act applies: s 21(2) of the PPIP Act and s 21(1)(a) of the HRIP Act.
-
“Personal information” is defined in ss 4(1) and 5(1) of the PPIP Act and HRIP Act respectively to mean, relevantly:
“personal information” means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion
-
“Health information” is defined in s 6 of the HRIP Act as follows:
6 Definition of “health information”
In this Act, “health information” means –
(a) personal information that is information or an opinion about -
(i) the physical or mental health or a disability (at any time) of an individual, or
(ii) an individual’s express wishes about the future provision of health services to him or her, or
(iii) a health service provided, or to be provided, to an individual, or
(b) other personal information collected to provide, or in providing, a health service, or
(c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or substances, or
(d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or
(e) healthcare identifiers, but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.
…
-
Section 12 of the PPIP Act and clause 5 of Schedule 1 of the HRIP Act (IPP 5 and HPP 5) impose obligations on public sector agencies in relation, relevantly, to the security of personal information and health information:
12 Retention and security of personal information
A public sector agency that holds personal information must ensure –
…
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse,
...
5 Retention and security
(1) An organisation that holds health information must ensure that –
…
(c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
...
(2) An organisation is not required to comply with a requirement of this clause if –
(a) the organisation is lawfully authorised or required not to comply with it, or
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law ….
(3) An investigative agency is not required to comply with subclause
-
Section 18 of the PPIP Act and clause 11 of schedule 1 of the HRIP Act (IPP 11 and HPP 11) impose obligations on public sector agencies in relation to the disclosure of personal information and health information:
18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless –
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
11 Limits on disclosure of health information
(1) An organisation that holds health information must not disclose the information for a purpose (a “secondary purpose”) other than the purpose (the “primary purpose”) for which it was collected unless –
(a) the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or
(b) the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or
(b1) the disclosure of the information for the secondary purpose meets the following conditions –
(i) the secondary purpose is to assist in a stage of an emergency,
(ii) the disclosure of the information is reasonably necessary to assist in the stage of the emergency,
(iii) it is impracticable or unreasonable for the organisation to seek the consent of the individual to whom the information relates to the disclosure of the information for the secondary purpose, or
(c) the disclosure of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent –
(i) a serious and imminent threat to the life, health or safety of the individual or another person, or
(ii) a serious threat to public health or public safety, or,
[there are various other exceptions set out which are not relevant in this case]
-
Part 5 of the PPIP Act contains provisions for internal and external review of conduct by public sector agencies that may contravene an information protection principle.
-
The provisions relating to internal review by agencies are found in s 53, which relevantly provides:
53 Internal review by public sector agencies
(1) A person (“the applicant”) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.
…
(2) The review is to be undertaken by the public sector agency concerned …
…
(5) In reviewing the conduct the subject of the application, the individual dealing with the application must consider any relevant material submitted by -
(a) the applicant
…
…
(7) Following the completion of the review, the public sector agency whose conduct was the subject of the application may do any one or more of the following –
(a) take no further action on the matter,
(b) make a formal apology to the applicant,
(c) take such remedial action as it thinks appropriate (eg the payment of monetary compensation to the applicant),
(d) provide undertakings that the conduct will not occur again,
(e) implement administrative measures to ensure that the conduct will not occur again.
…
(8) As soon as practicable (or in any event within 14 days) after the completion of the review, the public sector agency must notify the applicant in writing of –
(a) the findings of the review (and the reasons for those findings), and
(b) the action proposed to be taken by the agency (and the reasons for taking that action), and
(c) the right of the person to have those findings, and the agency’s proposed action, administratively reviewed by the Tribunal.
-
The provisions related to external review are found in s 55, which relevantly provides:
55 Administrative review of conduct by Tribunal
(1) If a person who has made an application for internal review under section 53 is not satisfied with –
(a) the findings of the review, or
(b) the action taken by the public sector agency in relation to the application,
the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders -
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.
(4) The Tribunal may make an order under subsection (2)(a) only if –
…
(b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.
(5) If, in the course of an administrative review, the Tribunal is of the opinion that the chief executive officer or an employee of the public sector agency concerned has failed to exercise in good faith a function conferred or imposed on the officer or employee by or under this Act (including by or under a privacy code of practice), the Tribunal may take such measures as it considers appropriate to bring the matter to the attention of the responsible Minister (if any) for the public sector agency.
…
Consideration
What conduct of the agency is within the scope of this administrative review?
-
It is a well established principle that the Tribunal will only have jurisdiction to conduct an administrative review under s 55 of the ADR Act if three ‘pre-conditions’ are satisfied. First, the applicant must make an application to the agency for internal review under s 53 of the PPIP Act. Second, the applicant is dissatisfied with the findings of the internal review, or the action taken by the agency in relation to the internal review application. Third, the applicant asks the Tribunal to review the conduct that was the subject of the internal review: GA v Commissioner of Police, NSW Police [2004] NSWADT 254 at [4]. The Tribunal cannot review any conduct that was not the subject of the application to the agency for internal review: Department of Education and Training v GA (No. 3) [2004] NSWADTAP 50 at [7]; OD v Department of Education and Training (GD) [2005] NSWADTAP 74 at [13].
-
While it is commendable that the agency was ensuring at the time that all staff participated in mandatory annual privacy training, this is a very weak safeguard against the systems failure that led to the disclosure of the applicant’s personal and health information in this case. The evidence does not indicate that the disclosure occurred because of any deliberate act of a staff member despite the privacy training that person had received. Rather, it was a system failure caused by a human error.
-
For the reasons I have stated above I accept that the Cost of Claims cover page ‘disclaimer’ Ms Deane reproduces at paragraph 28 of her Affidavit would have some protective effect within the industry to which Costs of Claims reporting is made. However, for that disclaimer to be read, the person to whom the Cost of Claims report was sent would have to open it, which would reveal the injured worker’s personal and health information. The disclaimer therefore could only operate as a safeguard against further disclosure of the injured worker’s personal and health information. It relies upon the recipient to act ethically in this respect. It is a relatively weak security safeguard in this respect. In this respect, the issues in this case are different in principle to those that pertained in NS v Commissioner, Department of Corrective Services [2004] NSWADT 263 at [53]. That case concerned a staff member gaining unauthorised access to the agency’s database despite a warning appearing on the computer screen to the effect that she was not authorised to access information. This case does not involve a staff member of the agency acting contrary to her obligations to her employer. It concerns the disclosure by the agency of the applicant’s personal and health information to a stranger. In this respect NS is of no assistance to the agency in establishing that the disclaimer was a reasonable security safeguard.
-
Similarly, I accept that the confidentiality obligations imposed on employers and others by s 243 of the WIMWC Act would have some protective effect at the time of the incident within an industry where these obligations are known. Ms Deane also refers to the obligations of employers to comply with the PPIP Act, the Privacy Act 1988 (Cth) and/or the HRIP Act. I do not see how the agency obtains any real benefit in terms of its security safeguards from any obligation of an employer to comply with privacy legislation. The agency’s responsibility to have reasonable security safeguards on the personal and health information it has in its possession and control cannot be delegated in this way.
-
For the foregoing reasons, I am satisfied that the security safeguards the agency had in place at the time of the incident were wholly inadequate to protect the applicant’s very sensitive personal and health information the unlawful disclosure of which had very serious potential consequences.
-
I turn now to the security safeguards the agency has introduced or plans to introduce following the incident. These are explained at paragraphs 24 to 26 of Ms Deane’s Affidavit. Ms Deane refers to a “long term solution being developed” but in the meantime to “the Costs of Claims reporting process still being undertaken manually”. The Cost of Claims reports are now deidentified. Cost of Claims reports will only contain current year and four previous year claims information. A sample of the Cost of Claims reports is peer reviewed prior to distribution, and they are sent in smaller cohorts to enable more effective sampling.
-
I accept that the deidentification of the injured worker’s personal and health information is potentially an additional security safeguard. However, I do not understand the agency to contend that a Costs of Claims report no longer contains personal and health information. Additionally, at paragraph 64(d) of its submissions, the agency states with reference to Ms Deane’s Affidavit evidence: “[t]o utilise costs of claims reporting effectively, employers or their brokers ‘need to be able to identify the specific claim and specific details of the claimant for claims management and return to work purposes’”. It would thus appear that the identity of the injured worker will still be apparent despite any de-identification of the summary of their claim. I am therefore not satisfied that the deidentification measure reduces the sensitivity of the information or the gravity of the consequences of its potential disclosure.
-
The only impact I can ascertain from the limitation of Costs of Claims reports to 5 years including the current year is that this will reduce in some or all instances the number of injured workers whose claims are reported. That is, claims that are finalised more than 4 years before the current year will not be reported. While that may reduce the number of injured workers whose claims are included in Cost of Claims reports, it will not affect the sensitivity of the personal and health information of those injured workers whose claims are included. Nor will it affect the gravity of the consequences of the potential disclosure of their information.
-
On the evidence before me, I am unable to know if the ‘peer review’ process that is now in place is any more robust than that which was in place at the time of the incident, which I have found to be wholly inadequate. Ms Deane does not explain in her Affidavit the mechanics or methodology of the review process. I accept at a general level that the preparation of Cost of Claims reports in smaller cohorts may have the potential to make peer review more effective, but in the absence of a fully explained methodology that can be given limited weight. The transmission of Costs of Claims reports in smaller batches has the potential to reduce the scale of a future disclosure of personal and health information should there be a system failure in the future in terms of the number of people affected. However, it will not reduce the sensitivity of the information or the gravity of the consequences of its potential release to those who are affected.
-
At paragraph 25 of her Affidavit Ms Deane refers to a process improvement which has been undertaken from June 2022 which involves the “currency” of the distribution list being “managed more robustly” “with bounce back emails being removed from the list as received”. Those words bear some reflection. They indicate that even after the incident Costs of Claims reports were still being sent to email addresses that were no longer in use. Those reports that “bounce back” now result in the email address to which the report was sent being deleted. The question of whether there remain active email addresses on the distribution list to which Cost of Claims reports should not be sent due to the recipient’s change of circumstances (left role, no longer the employer’s authorised representative) is left begging for an answer in my view. Ms Deane does go on to say that the distribution list “is to be peer reviewed each month to confirm all required action to maintain currency have been taken” but she does not provide any information about what those required actions are. On the evidence before me I cannot be satisfied that the distribution list for Cost of Claims reports has reasonable security safeguards surrounding it.
-
Ms Deane also refers to “additional staffing resources” being allocated to “the process”, which I take to mean the Costs of Claims reporting process, including the management of the distribution list. Ms Deane does not say anything about the number of staff, their level of seniority, or their qualifications and/or specialisation. While I accept at a general level that additional staffing may give the agency greater capacity for implementation of security safeguards in relation to Costs of Claims reporting, in the absence of any satisfactory information about their specialisations and the security systems and procedures they will be implementing this measure can be given limited weight. In this respect, I note that the agency has not conducted its case on the basis that the incident was caused by a lack of staffing resources at the material time.
-
Potentially, the most substantial additional security safeguard the agency has introduced since the incident is the piloting of the software program Syncplicity which Ms Deane explains in paragraph 26 of her Affidavit. It is said that Syncplicity is a platform which provides for an “automated process for distribution” of the Cost of Claims reports which has “inbuilt controls and protections to safeguard against unauthorised disclosure or access”. What these controls and protections are is not explained. However, I give this development some weight.
-
Nevertheless, having regard to the totality of the evidence, I remain unimpressed by the agency’s security safeguards of the personal and health information contained in the Costs of Claims Reports. Specifically, I am not satisfied on the evidence before me that the distribution list is managed to ensure that Costs of Claims reports are only sent to recipients presently authorised to receive those reports. Nor am I satisfied that the emails and the data files they contain have reasonable security safeguards, being encryption and password protection, that would prevent the personal and health information they contain from being disclosed to an unauthorised recipient.
Conclusion
-
It follows from this that I am satisfied that the conduct of the agency that was the subject of the internal review was in contravention of s 12(c) of the PPIP Act and clause 5(1)(c) of the HRIP Act. The security safeguards the agency had in place at the time this conduct occurred were wholly inadequate. Nor am I satisfied that the steps that have been taken by the agency since that conduct occurred have resulted in reasonable security safeguards being instituted to protect the personal and health information of injured workers contained in the Costs of Claims reports.
Conclusion
-
It follows from these conclusions that I am not satisfied that the reviewable decision is the correct or preferable decision. It must be varied in accordance with my determinations that the conduct of the agency constituted a contravention of Information Privacy Principles 5 and 11 (ss 12(c) and 18 of the Privacy and Personal Information Protection Act 1998 and clauses 5(1)(c) and 11 of Schedule 1 of the Health Records and Information Privacy Act 2002 respectively).
Remedy
Compensation for economic loss
-
I have outlined the applicant’s claim for compensation for economic loss above. There are three fundamental difficulties with it. First, in substance, it is a claim for costs, not compensation. Different principles apply in the determination of an application for costs. If the applicant wishes to make an application for costs now that the outcome of her application is known, she may do so. She should have regard to s 60 of the NCAT Act before doing so. Second, part of the costs claim includes costs incurred by the applicant in pursuing an application lodged with the Tribunal under the Government Information (Public Access) Act 2009 (NSW) (GIPA Act) in relation to the same subject matter as the present application. While the subject matter may be the same, the costs of the GIPA Act application can only be recovered in that proceeding. They cannot properly be the subject of a costs application in this proceeding. The third difficulty for the applicant has already been stated above. The costs claimed are not quantified, itemised, or supported by any documentary evidence.
-
I note that there are references in the applicant’s submissions to the incident resulting in harm to her reputation, or potentially resulting in such harm. There is no evidence of any actual harm to the applicant’s reputation. I accept the agency’s submission that, in any event, the applicant must establish that she has suffered financial loss from the reputational harm for it to be compensable under s 55 of the PPIP Act: CPJ v The University of Newcastle [2017] NSWCATAD 350 at [30]. The applicant does not contend for any such loss and there is no evidence of any such loss.
-
For these reasons, I am not satisfied that the applicant is entitled to a remedy by way of an order for compensation for economic loss.
Compensation for non-economic loss
-
In a claim for damages under s 55(2) of the PPIP Act it is not sufficient for the applicant to prove contravention of an IPP or HPP by the agency, she must also, relevantly, prove she has suffered psychological harm because of that breach. In other words, there must be a causal connection recognised in law between the contravention of an IPP or HPP which has been found and the psychological injury: AOZ v Rail Corporation NSW (No. 2) [2015] NSWCATAP 179 at [29]; DED v Randwick City Council [2017] NSWCATAD 327 at [60].
-
Causation is ultimately a question of common sense and experience, determined on the facts of each case. It is a question of identifying where legal responsibility should lie. A ‘but for’ analysis is not a sufficient test for causation, although it may be a guide. Where there are multiple elements, each one sufficient on its own to have caused the loss, the causation test may be considered satisfied by each one of them: CPJ v University of Newcastle [2017] NSWCATAD 350 at [5] applying principles distilled in March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506.
-
In her application for internal review the applicant states that the disclosure of her personal and health information “has escalated” her “anxiety levels”, that she “can hardly breathe”, and that her “jaw is clamped so tight … it is very painful”. She states that “very thought of ex-employer creates a state of heightened panic in my body”.
-
The applicant has filed two medical reports in support of her claim for damages for psychological injury. These appear at pages 61 to 63 of the applicant’s bundle. The first report is that of a Consultant Psychiatrist and the second is that of a Clinical Psychologist, both of whom have been involved in the long-term treatment of the applicant. Those reports establish the following to my satisfaction:
- At the time of the incident the applicant had a pre-existing psychological injury. Her diagnosis included major depression with panic attacks and agoraphobia. This was a ‘chronic’ condition,
- Following the disclosure of her personal information the applicant experienced an exacerbation of symptoms:
○ her feelings of vulnerability intensified,
○ her stress levels have heightened to panic proportions,
○ suicidal thoughts have again emerged,
○ she feared that the prospects of her recovery and regaining employment in the future were diminished,
- the applicant’s symptoms have also been exacerbated by the stress she has experienced due to these proceedings,
- the applicant requires regular psychiatric review and psychological intervention to assist her to deal with the exacerbation of her symptoms.
-
The agency, properly, accepts that the applicant’s pre-existing psychological injuries have been exacerbated by the incident. It resists a compensation order for psychological injury on the basis that there was no contravention of IPP 11 or HPP 11 and that there was only a perceived breach of IPP 5 and HPP 5, neither of which is capable of being ‘causal’ for the purposes of s 55(2) of the PPIP Act. However, those arguments must fail in circumstances where I have found that the agency’s conduct did contravene each of IPP 5 and 11 and HPP 5 and 11.
I am thus satisfied that the disclosure of the applicant’s personal and health information did directly cause an acute exacerbation of the applicant’s pre-existing mental health condition and psychological injury. That exacerbation was triggered by the applicant being informed of the disclosure on 30 May 2022 and it continues up to the hearing. In this respect I note that I was able to observe and interact with the applicant during the hearing. That experience left me in no doubt as to the veracity of the medical evidence.
With respect to the exacerbation of the applicant’s symptoms caused by these proceedings, the agency submits that it has made every effort to respond informally to questions raised by the applicant and to resolve the proceedings without the need for a hearing. I accept that is the case and I am grateful to the agency’s representatives for the way they have conducted its case. Nevertheless, these proceedings arise directly from the agency’s impugned conduct and the applicant’s dissatisfaction with the remedy the agency was prepared to provide her in relation to that conduct. The agency cannot reasonably be heard to say that the applicant should have avoided the exacerbation of her symptoms by not pursuing her rights to administrative review.
In JD v NSW Department of Health [2007] NSWADT 210 at [57] the Tribunal said:
“… the fact that JD may be susceptible to mental illness does not affect any entitlement to compensation he may have … awards should be restrained but not minimal, compensation should be assessed having regard to the complainant’s reaction (including injury to feelings, distress and humiliation) and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances, and in an appropriate case aggravated damages may be awarded.”
In EPT v The Sydney Children’s Hospital Network [2022] NSWCATAD 137 at [89] the Tribunal held that the talem qualem principle applies in the context of awards of damages under the PPIP Act. That is:
In this area of law, as in negligence, the talem qualem principle is applicable, i.e. employers take their employees as they find them. With respect to psychological injury there is an ‘eggshell psyche’ principle which, like the equivalent ‘eggshell skull’ principle, is a rule of compensation, not of liability.
It is clear from these authorities that the agency is liable for any damage the applicant has suffered because of the exacerbation of her symptoms by its impugned conduct, notwithstanding her pre-existing condition. In assessing loss, the Tribunal should look to the impact of the impugned conduct on the applicant rather than speculate how it might have impacted on a theoretical person. Nevertheless, the applicant’s pre-existing condition is a relevant consideration in the assessment. The agency is not liable in respect of that pre-existing condition.
The agency submits that if the Tribunal is minded to make an award of damages it ought to be at the lower end of the scale because there is insufficient evidence that the applicant will incur any additional medical expenses due to the exacerbation of her condition, the agency has taken appropriate remedial steps and provided the applicant with an apology, the conduct was not done maliciously or in bad faith, and damages in comparative cases (which are cited) have been for amounts less than $5,000.00.
I accept that there is no satisfactory evidence that the applicant has or will suffer financial loss in the form of additional medical expenses or otherwise due to the exacerbation of her condition. However, it is not necessary for her to prove that she has done or will do so to be able to recover damages for psychological harm. Psychological harm is an alternative head of damage to financial loss.
On any fair view, the impact of the impugned conduct on the applicant has been extreme. It has resulted in an acute exacerbation of symptoms which result in an ongoing risk to her life (suicide), and which have a severe negative impact on her quality of life. It has interrupted her recovery trajectory from her pre-existing psychological injury, and this will inevitably delay and diminish her prospects of regaining employment. Whether the conduct would have had that effect on another person is not to the point. It has had that effect on her.
While the impugned conduct was not malicious, it represents a most serious system failure which is attendant upon wholly inadequate security safeguards. The conduct constituted the commission of a civil penalty offence under s 243(1) of the WIMWC Act as found by the State Insurance Regulatory Authority on 29 September 2022. The agency has tended to minimise the impugned conduct and its impact in response to the incident. In this respect, the agency’s conduct was reprehensible, particularly given that it is responsible for the protection of the personal and health information of vulnerable people, being injured workers. For the reasons I have stated above, I am not satisfied that the steps taken by the agency since the incident have resulted in reasonable security safeguards being instituted.
Having regard to these matters, I am not persuaded that the comparative damages awards that I have been taken to by the agency should be followed in this case. This is not a case where a ‘minimal’ award of damages is appropriate. The applicant has suffered a severe exacerbation of her psychological injury because of the agency’s conduct and her damages should be substantial.
The applicant contends that the Tribunal should award her the maximum damages available being $40,000.00. I am not satisfied that this is the case. I consider that the conduct (at least as it is before me for administrative review) was a single event. The impugned disclosure was to a single person who I accept deleted the information without reading it. These objective features of the disclosure must be weighed in the balance.
Having regard to the relevant considerations I have set out above I assess the applicant’s damages for psychological injury caused by the agency’s conduct at $20,000.00.
Apology
As I have set out above, the agency has provided the applicant with two letters of apology. In this respect an apology was incorporated into the agency’s letter dated 30 May 2022 notifying the applicant of the incident. The agency also provided the applicant with a more substantial apology by letter dated 5 December 2022.
Although the applicant continues to be dissatisfied with the apologies she has received from the agency, she was unable to explain to me at the hearing how the apology letter dated 5 December 2022 was inadequate or could be improved upon. Rather, her position appeared to be that she did not trust the sincerity of that letter.
I am satisfied that the apology letter dated 5 December 2022 constitutes a substantial apology. I am unable to identify any way in which that apology could be improved to be more acceptable to the applicant. That being so, I decline to make an order requiring any further apology.
Security safeguards
In its submissions, the respondent accepts that the Tribunal has power in this administrative review by operation of s 53(7)(e) of the PPIP Act and s 63(2) of the ADR Act to make orders with respect to additional security safeguards the agency could implement. However, it submits that the Tribunal ought to refrain from doing so because it would be satisfied that this is unnecessary having regard to the additional security measures the agency has implemented since the incident. For the reasons I have stated above, I reject that proposition. I remain concerned that the security safeguards surrounding the disclosure of personal and health information by the agency in Cost of Claims reports remain inadequate and not ‘reasonable’ having regard to the requirements of IPP 5 and HPP 5.
The agency fulfils its obligations under s 147 of the WC Regulation by transmitting Cost of Claims Reports to persons it believes are authorised to receive them. It does not require those persons to authenticate their entitlement to receive the report before it is delivered. Ms Deane gave evidence that the agency intends to move towards a secure on-line portal for the making available of Cost of Claims Reports to authorised persons. As I understand it this would involve a log-in system which would require the authorised person to authenticate their identity and entitlement to access the report before it is available to them. A security safeguard of this kind would eliminate the risk of Costs of Claims reports being sent to unauthorised persons in error or to stale email addresses. In my view it is imperative that a security safeguard of this kind is implemented. However, it must be accepted that this is a significant undertaking. The agency should have until 30 June 2024 to comply with an order requiring this.
Until such a system is in place, transmission of emails containing Cost of Claims reports requires additional security safeguards to protect the personal and health information of injured workers. Distribution lists must be cross-checked against Costs of Claims Reports by two senior officers with this designated responsibility each of whom must certify in writing that the distribution is accurate before emails containing the Costs of Claims reports are released. Each email containing a Cost of Claims report must be encrypted such that it is only capable of being opened by the person for whom it is intended upon submission of an electronic password or key. Each Cost of Claims data file must also be password protected such that it is only capable of being opened by the person for whom it is intended upon submission of an electronic password or key. These security safeguards must be put in place by 30 September 2023.
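The interim safeguard described in the preceding paragraph (distribution lists cross-checked against the reports, certified by two designated officers before any email is released) can be expressed as a pre-release gate. The following is an added illustration written for this page; it is not iCare's, the Nominal Insurer's or the Tribunal's own system. The employer identifiers, addresses, officer names and signing keys are constructed sample data, and an HMAC over the batch digest stands in for whatever form of written certification the agency adopts. Per-recipient encryption of the email and of the report file is a separate step handled by the mail and document tooling and is not shown here.

```python
"""Pre-release gate for a batch of Cost of Claims report emails (added example).

Models two of the interim safeguards: (1) every report's intended recipient is
cross-checked against a register of recipients authorised for that employer, so a
stale or mistyped address surfaces before sending; (2) two distinct designated
officers must certify exactly this batch before it may be released.
All identifiers, addresses and keys below are constructed sample data.
"""
from dataclasses import dataclass
import hashlib
import hmac
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Report:
    employer_id: str   # employer whose claims the report covers
    recipient: str     # address the batch intends to send it to
    payload: bytes     # the report file itself


# Constructed register: employer -> addresses currently authorised to receive its report.
AUTHORISED: Dict[str, Set[str]] = {
    "EMP-001": {"payroll@employer-one.example"},
    "EMP-002": {"hr@employer-two.example", "broker@broker.example"},
}

# Constructed signing keys for the two designated senior officers.
OFFICER_KEYS: Dict[str, bytes] = {
    "officer-A": b"constructed-key-A",
    "officer-B": b"constructed-key-B",
}


def cross_check(batch: List[Report], register: Dict[str, Set[str]]) -> List[str]:
    """One finding per report whose recipient is not authorised for its employer.
    An unknown employer and a stale or mistyped address both surface here."""
    findings = []
    for r in batch:
        allowed = {a.lower() for a in register.get(r.employer_id, set())}
        if r.recipient.lower() not in allowed:
            findings.append(f"{r.employer_id}: {r.recipient} is not an authorised recipient")
    return findings


def batch_digest(batch: List[Report]) -> bytes:
    """Digest binding each report's content to its intended recipient, so a
    certification covers exactly this distribution and not a later-edited one."""
    h = hashlib.sha256()
    for r in sorted(batch, key=lambda r: (r.employer_id, r.recipient)):
        h.update(r.employer_id.encode() + b"\x00" + r.recipient.lower().encode() + b"\x00")
        h.update(hashlib.sha256(r.payload).digest())
    return h.digest()


def certify(officer_id: str, officer_key: bytes, digest: bytes) -> str:
    """An officer's certification of a batch: HMAC over officer id and batch digest."""
    return hmac.new(officer_key, officer_id.encode() + b"\x00" + digest, hashlib.sha256).hexdigest()


def release_allowed(batch: List[Report], register: Dict[str, Set[str]],
                    certifications: Dict[str, str], officer_keys: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Release only if the cross-check is clean and two distinct officers have
    validly certified this exact batch. The same officer certifying twice counts once."""
    findings = cross_check(batch, register)
    if findings:
        return False, findings
    digest = batch_digest(batch)
    valid = {oid for oid, tag in certifications.items()
             if oid in officer_keys and hmac.compare_digest(tag, certify(oid, officer_keys[oid], digest))}
    if len(valid) < 2:
        return False, [f"two distinct valid certifications required, found {len(valid)}"]
    return True, []


# Constructed batches: one correctly addressed, one sent to a mailbox no longer on the register.
GOOD_BATCH = [
    Report("EMP-001", "payroll@employer-one.example", b"report for employer one"),
    Report("EMP-002", "HR@employer-two.example", b"report for employer two"),
]
STALE_BATCH = [
    GOOD_BATCH[0],
    Report("EMP-002", "former-hr@employer-two.example", b"report for employer two"),
]


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the gate over the constructed batches under several certification scenarios."""
    d = batch_digest(GOOD_BATCH)
    both = {oid: certify(oid, key, d) for oid, key in OFFICER_KEYS.items()}
    one_only = {"officer-A": both["officer-A"]}
    wrong_batch = dict(both)  # officer-B certified a different distribution list
    wrong_batch["officer-B"] = certify("officer-B", OFFICER_KEYS["officer-B"], batch_digest(STALE_BATCH))
    return {
        "good_two_officers": release_allowed(GOOD_BATCH, AUTHORISED, both, OFFICER_KEYS),
        "good_one_officer": release_allowed(GOOD_BATCH, AUTHORISED, one_only, OFFICER_KEYS),
        "good_cert_wrong_batch": release_allowed(GOOD_BATCH, AUTHORISED, wrong_batch, OFFICER_KEYS),
        "stale_recipient": release_allowed(STALE_BATCH, AUTHORISED, both, OFFICER_KEYS),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'RELEASE' if ok else 'HOLD'} {why}")
```

The point of binding the certification to a digest of recipients and file contents is that a certification obtained for one distribution list cannot be reused after an address or attachment has been changed; in the example, a certification over the stale batch is rejected for the good batch even though the officer is genuine.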
Order
For the foregoing reasons I make the following orders:
A further oral hearing in relation to the description of iCare NSW and the proper respondent to the application is dispensed with in accordance with s 55(1)(c) of the Civil and Administrative Tribunal Act 2013 (NSW).
The name “iCare NSW” is amended to “Insurance and Care NSW t/a iCare NSW”.
Insurance and Care NSW t/a iCare NSW is removed as the respondent to the application.
The name of the respondent is amended to Workers Compensation Nominal Insurer.
The decision under review is varied.
In variation of that decision the Tribunal determines that the conduct of the agency constituted a contravention of Information Privacy Principles 5 and 11 (ss 12(c) and 18 of the Privacy and Personal Information Protection Act 1998) and HPP 5 and 11 (clauses 5(1)(c) and 11 of Schedule 1 of the Health Records and Information Privacy Act 2002).
The Nominal Insurer must pay FMM $20,000.00 immediately.
By 30 June 2024 the Nominal Insurer must ensure that its agent Insurance and Care NSW t/a iCare designs and implements a secure on-line portal for the making available of Cost of Claims reports pursuant to s 147 of the Workers Compensation Regulation 2016 (NSW). Access to Costs of Claims reports via the portal must only be available to persons who authenticate their identity and entitlement to access the report by a unique electronic password or key.
By 30 September 2023 the Nominal Insurer must ensure that its agent Insurance and Care NSW t/a iCare institutes the following security safeguards in relation to the present broadcast method of distribution of Cost of Claims reports:
- Distribution lists must be cross-checked against Costs of Claims reports by two senior officers with this designated responsibility each of whom must certify in writing the accuracy of the distribution before any email containing Costs of Claims reports is released,
- Emails containing Cost of Claims reports must be encrypted such that they are only capable of being opened and read by the person for whom they are intended upon submission of a unique electronic password or key,
- Each Cost of Claims data file must also be password protected such that it is only capable of being opened by the person for whom it is intended upon submission of a unique electronic password or key.
The application is otherwise dismissed.
The publication or broadcast of the name of the applicant is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW).
The publication or broadcast of the names of the persons other than the applicant listed in column G under the heading “Worker Name” of the spreadsheet contained in the confidential supplementary bundle of documents filed by the agency pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) on 25 November 2022 is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW).
Note: A reference to the name of a person includes a reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person.
The publication of the spreadsheet contained in the confidential supplementary bundle of documents filed by the agency pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) on 25 November 2022 is prohibited pursuant to s 64(1)(c) of the Civil and Administrative Tribunal Act 2013 (NSW).
Disclosure to the applicant of the spreadsheet contained in the confidential supplementary bundle of documents filed by the agency pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) on 25 November 2022 is prohibited pursuant to s 64(1)(d) of the Civil and Administrative Tribunal Act 2013 (NSW).
**********
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
Amendments
25 March 2024 - Case name amended - see [2024] NSWCATAP 43
Decision last updated: 25 March 2024