FZU v University of NSW
[2024] NSWCATAD 99
16 April 2024
Civil and Administrative Tribunal
New South Wales
Medium Neutral Citation: FZU v University of NSW [2024] NSWCATAD 99
Hearing dates: 13 March 2024
Date of orders: 16 April 2024
Decision date: 16 April 2024
Jurisdiction: Administrative and Equal Opportunity Division
Before: M Deane, Senior Member
Decision: The Respondent’s reviewable decision of 3 November 2023 is affirmed under s 63(3)(a) of the Administrative Decisions Review Act 1997.
Catchwords: ADMINISTRATIVE REVIEW - Privacy and Personal Information Protection Act – jurisdiction only to review conduct which is subject of internal review application – meaning of “collection” – meaning of “use” - whether information used for a purpose directly related to the purpose for which it was collected – whether information disclosed for a purpose which is directly related to the purpose for which it was collected
Legislation Cited: Administrative Decisions Review Act 1997 (NSW)
Civil and Administrative Tribunal Act 2013 (NSW)
Privacy and Personal Information Protection Act 1998 (NSW)
Cases Cited: Altaranesi v Administrative Decisions Tribunal [2012] NSWCA 19
ALZ v WorkCover NSW [2015] NSWCATAP 138
Cessnock City Council v EMF [2022] NSWCATAP 72
Department of Education and Training v GA (No 3) [2004] NSWADTAP 50
Director General, Department of Education and Training v MT (GD) [2005] NSWADTAP 77
Director General, Department of Education and Training v MT [2006] NSWCA 270
FHI v Dental Council of New South Wales [2022] NSWCATAD 347
GR v Department of Housing (GD) [2004] NSWADTAP 26
JD v Department of Health (GD) [2005] NSWADTAP 44
KJ v Wentworth Area Health Service [2004] NSWADT 84
Nakhl Nasr v State of New South Wales; George Nasr v State of New South Wales [2007] NSWCA 101
PN v Department of Education and Training (GD) [2010] NSWADTAP 59
SF v Shoalhaven City Council [2013] NSWADT 94
Vice-Chancellor Macquarie University v FM [2005] NSWCA 192
Wojciechowska v Secretary, Department of Communities and Justice; Wojciechowska v Registrar, Civil and Administrative Tribunal [2023] NSWCA 191
ZR v Department of Education and Training [2010] NSWADTAP 75
Texts Cited: Johnston A PPIPA in Practice, Edition 17.4, 31 January 2024
Category: Principal judgment
Parties: FZU (Applicant)
University of NSW (Respondent)
Representation: Solicitors:
Applicant (self-represented)
Sparke Helmore Lawyers (Respondent)
File Number(s): 2023/00315250
Publication restriction: 1. The publication or broadcast of the name of the Applicant is prohibited pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW).
2. The disclosure of the details of the Applicant’s research topic and research trip is prohibited other than for the purposes of these proceedings pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW).
REASONS FOR DECISION
Non-disclosure orders
On 9 October 2023, the Tribunal made the following order under s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (the NCAT Act):
1. The publication or broadcast of [the Applicant’s name] (FZU) is prohibited.
On 13 November 2023, the Tribunal made another non-disclosure order under s 64(1)(c) of the NCAT Act:
1. The disclosure of the details of the Applicant’s research topic and research trip is prohibited other than for the purposes of these proceedings.
Background
The following summary is comprised of information from FZU’s (the Applicant’s) written evidence contained in five bundles of documents, the Applicant’s oral submissions and evidence, UNSW’s (the Respondent’s) written and oral submissions and the documents provided to the Tribunal by the Respondent under s 58 Administrative Decisions Review Act (ADR Act).
The application for internal review
On 18 July 2023 the Applicant submitted an Application for Internal Review of Privacy Complaint under s 53 of the Privacy and Personal Information Protection Act 1998 (PPIP Act). The complaint involved two separate incidents:
the Applicant’s name and thesis topic being listed under the Teaching and Supervision Tab of her academic supervisor’s Staff Profile on the Respondent’s website and remaining on the academic supervisor’s Staff Profile after the supervision arrangement ended on 17 February 2023 until the Applicant requested that it be removed on 7 April 2023.
regarding the handling of a pre-trip approval form (PTA) which the Applicant had submitted to the Respondent on 16 June 2023 for approval of a field trip. While the PTA was being processed, it was forwarded to the Head of School for approval who had modified the reasons field to include the timeframe for the trip and omit one of the central concerns for the Applicant’s thesis. The PTA was approved and the original wording was reinstated when the Applicant noted the changes.
The parties agreed on the following summary of the allegations made by the Applicant in the internal review application:
that the Respondent (through its staff members) breached the Information Protection Principles (IPPs) when it:
published her name and PhD research topic without her consent during the period up to and including 17 February 2023 on a UNSW staff profile (allegation 1);
failed to remove that information from a UNSW staff profile between 17 February 2023 and 7 April 2023 (allegation 2);
amended the wording of her ‘Pre-Trip Approval’ travel form without her consent sometime between 19 June 2023 and 3 July 2023 (allegation 3).
The internal review was not completed within the mandatory 60 day period (s 53(6) PPIP Act).
The administrative review proceedings
The Applicant commenced administrative review proceedings against the Respondent in the Administrative and Equal Opportunity Division of the NSW Civil and Administrative Tribunal (the Tribunal) on 5 October 2023.
After orders were made by the Tribunal on 9 October 2023 for the internal review application to be reviewed by the Respondent, on 3 November 2023 an officer of the Respondent’s Legal & Compliance Unit (the Review Officer) concluded that there was no evidence that the Respondent’s conduct which was the subject of the Applicant’s complaint was in breach of the Information Protection Principles (IPPs) as set out in the PPIP Act.
The Applicant submitted that the conduct regarding the publication of her personal information on her supervisor’s Staff Page on the Respondent’s website and the failure to remove it when the supervisor ceased that role (described in allegations 1 and 2) contravened IPPs 1, 2, 3, 5, 9, 10, 11 and 12.
The Applicant submitted that the conduct in relation to modifying the personal information in the PTA (described in allegation 3) breached IPPs 1, 2, 3, 4, 5, 6, 9, 10 and 11.
At the hearing, the Applicant confirmed that orders were sought under ss 55(2)(a), (e) and (g) of the PPIP Act requiring the Respondent to:
pay the Applicant damages in the amount of $40,000 by way of compensation for any loss or damage suffered because of the conduct;
take specific steps to remedy any loss or damage suffered by the Applicant and
other ancillary orders as the Tribunal thought appropriate.
The Respondent acknowledged that the information which was the subject of the Applicant’s complaint was ‘personal information’ for the purposes of the PPIP Act. The Respondent also accepted that the conduct had occurred. The Respondent contended that the IPPs were not breached through the conduct. In the event that the Tribunal found that the IPPs had been breached, the Respondent submitted that any damage suffered by the Applicant as a result of that conduct was not reasonably foreseeable and was not caused by the conduct.
Preliminary matters
The parties have agreed on the outline of the Applicant’s allegations as set out in allegations 1, 2 and 3. The Respondent has accepted that the conduct alleged by the Applicant in allegations 1, 2 and 3 took place and that the relevant information constitutes personal information under the PPIP Act.
Conduct of concern
The Applicant noted that the application had been brought before the Tribunal on 5 October 2023 due to perceived reprisals coincident with a student complaint made by the Applicant.
Section 53 of the PPIP Act allows a person who is aggrieved by the conduct of a public sector agency to have that conduct reviewed by the agency concerned. Section 52(1) of the PPIP Act provides that the conduct which may be reviewed is limited to:
the contravention by a public sector agency of an information protection principle that applies to the agency;
the contravention by a public sector agency of a privacy code of practice that applies to the agency; and
the disclosure by a public sector agency of personal information kept in a public register.
Under s 55(1) of the PPIP Act an application for administrative review may be made to the Tribunal if a person is not satisfied with:
the findings of the review, or
the action taken by the public sector agency in relation to the application.
In administrative review proceedings, the Tribunal does not have jurisdiction to review conduct of the Respondent that is not the subject of the application for internal review. As noted by the Appeal Panel of the Administrative Decisions Tribunal (ADT Appeal Panel) in Department of Education and Training v GA (No 3) [2004] NSWADTAP 50 at [7]:
The Tribunal has jurisdiction to review "the conduct that was the subject of the application" under s 53. Consequently, the Tribunal cannot review any conduct that was not the subject of the application to the agency. That conduct may be more accurately or specifically identified in subsequent correspondence or discussions between the applicant and the agency.
As a result, in this application for administrative review of the Respondent’s conduct under s 55 PPIP Act, the Tribunal is limited to reviewing the conduct of concern which is the subject of the original application for internal review in relation to the potential breaches of any IPPs. It follows that the Tribunal does not have jurisdiction to consider any claim by the Applicant regarding breaches of other University policies or perceived reprisals.
Confidentiality
A point of contention centred on whether the Applicant’s PhD thesis topic was in fact confidential. The Applicant alleged that a term of the Conflict of Interest declaration (CoI) she had completed stipulated that the topic should remain confidential.
The Respondent provided a copy of the CoI. On the face of that document, the CoI itself was confidential but it did not require that the Applicant’s thesis topic be kept confidential.
The Applicant submitted that, in any event, her permission needed to be sought before publishing her name and thesis topic. The Applicant pointed to a more recent development where PhD students were asked to opt in on creating their own profiles. However, the development of this option postdated the conduct at issue and does not impose additional obligations on the Respondent at the time that the conduct took place.
While a request for confidentiality has been found to affect the appropriate manner of dealing with a complaint under the PPIP Act (Cessnock City Council v EMF [2022] NSWCATAP 72 at [73]), in this case, the evidence provided does not indicate that the CoI imposed any additional or specific confidentiality obligations over the Applicant’s thesis topic. The mere fact that the CoI was marked confidential, without anything more specific, did not of itself confer confidential status on the Applicant’s thesis topic over and above the PPIP Act.
The Respondent was obliged to abide by the IPPs in handling personal information. Accordingly in making a determination in this matter, I need to consider:
Whether any of the IPPs have been breached by the Respondent’s conduct;
If so, whether orders should be made under s 55(2) PPIP Act.
Consideration of submissions on the privacy complaint
The IPPs are set out in Part 2 of the PPIP Act (ss 8‑19).
IPP 1
IPP 1 (s 8 PPIP Act) relates to the collection of personal information for lawful purposes. A public sector agency must not collect personal information unless:
(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b) the collection of the information is reasonably necessary for that purpose.
(2) A public sector agency must not collect personal information by any unlawful means.
Allegations 1 and 2
The Applicant submitted that the academic supervisor’s listing and publishing of the title of her PhD topic, together with her name under the Teaching and Supervision tab on his Staff Profile on the Respondent’s website was not lawful, because its purpose was not directly related to the Respondent’s function or activities and necessary for that purpose; the purpose appeared merely to have been to boost the supervisor’s professional profile.
The Respondent did not make submissions on IPPs 1, 2, 3 and 4 other than that the conduct complained of did not relate to the collection of information because the information was already held by the Respondent and so IPPs 1 – 4 were not relevant.
The Court of Appeal has described the 12 IPPs as having “a clear bifurcation” between collecting and holding personal information, in which IPPs 1-4 focus on the collection of personal information, while the remaining IPPs 5-12 “are all concerned with when a public sector agency ‘holds personal information’” (Vice-Chancellor Macquarie University v FM [2005] NSWCA 192 at [20]; as discussed in Johnston A PPIPA in Practice, Edition 17.4, 31 January 2024 (p69)).
In PN v Department of Education and Training (GD) [2010] NSWADTAP 59 at [25] the ADT Appeal Panel held that the term 'collection' is to be understood as referring to circumstances where the agency is, or has, engaged in the gathering together of information about an individual.
The conduct contained in allegations 1 and 2 does not involve the collection of the Applicant’s personal information for the purposes of IPP 1; the information was already held by the Respondent and so was not gathered together by being placed on the supervisor’s Staff Profile. IPP 1 does not apply to allegations 1 and 2 and was not breached by the conduct set out in those allegations.
Allegation 3
The Applicant submitted that the modification of the reason field in the PTA form without her consent was not lawful as it resulted in the PTA no longer being directly related to the Respondent’s stated functions or activities.
The Respondent has contended that IPPs 1 – 4 do not apply because the personal information involved was not “collected.”
In ZR v Department of Education and Training [2010] NSWADTAP 75 at [56]-[58] the ADT Appeal Panel considered whether information contained in a complaints form had been “collected”:
The Commonwealth definition of ‘solicited’ covers information that is ‘requested’. A complaints form is a means by which an agency might be seen as ‘requesting’ information even though the information may be undesired. We would be inclined to the view that an agency practice involving the use of a complaints form gives rise to a ‘collection’ of information, and is not an instance of ‘unsolicited’ acquisition of information. That is most clearly the case, as we see it, in relation to the personal particulars that are required by the first part of the form. They are essential to the task of responding to the complaint, and also in ensuring that it is a genuine complaint. As to the text authored by the complainant in relation to the matter of concern, we are inclined to the view that insofar as the information provided is relevant to the purposes of the agency, it ought be regarded as collected, and not treated as unsolicited. It is not, as we see it, a mere instance of passive receipt. This is a situation where the practice of the agency is to get the complaint in writing and create a record. It is requesting the information to that extent.
These observations similarly apply to the PTA form, where the Respondent is requesting information from the Applicant regarding the details of the proposed field work trip. The information in the PTA was “collected” from the Applicant, in the sense that the Respondent sought the information from the Applicant.
However, allegation 3 does not relate to how the Applicant’s personal information was collected, or the purpose of its collection, but rather as to how it was modified by the Head of School in the course of approving the PTA. IPP 1 does not apply to allegation 3 and was not breached by the conduct set out in allegation 3.
IPP 2
IPP 2 (s 9 PPIP Act) relates to the collection of personal information directly from an individual. A public sector agency must, in collecting personal information, collect the information from the individual to whom the information relates unless—
(a) the individual has authorised collection of the information from someone else, or
(b) in the case of information relating to a person who is under the age of 16 years—the information has been provided by a parent or guardian of the person.
Allegations 1 and 2
The Applicant submitted that the academic supervisor’s listing and publishing of the title of her PhD topic, together with her name under the Teaching and Supervision tab on his Staff Profile on the Respondent’s website was not direct as it was not collected directly from her.
As noted above, the conduct in Allegations 1 and 2 does not relate to the collection of personal information. IPP 2 does not apply to allegations 1 and 2 and was not breached by the conduct set out in those allegations.
Allegation 3
The Applicant submitted that the collection was not direct because the personal information for the “reason” field was not collected from her. However, an email from the Applicant to the Head of School (who modified the reasons field) dated 26 June 2023 sets out the same information regarding the trip duration as was included in the PTA reasons field by the Head of School. On the evidence provided, the personal information in the PTA was collected directly from the Applicant and there is no evidence that the Respondent breached IPP 1 by the conduct set out in Allegation 3.
IPP 3
IPP 3 (s 10 PPIP Act) relates to the requirements when collecting personal information. If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following—
(a) the fact that the information is being collected,
(b) the purposes for which the information is being collected,
(c) the intended recipients of the information,
(d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e) the existence of any right of access to, and correction of, the information,
(f) the name and address of the agency that is collecting the information and the agency that is to hold the information.
Allegations 1 and 2
The Applicant submitted that the academic supervisor’s listing and publishing of the title of her PhD topic, together with her name under the Teaching and Supervision tab on his Staff Profile on the Respondent’s website was not open as she was not informed by the Respondent that the supervisor would publish it and/or why he would make it publicly available on the internet.
As noted above, the conduct in Allegations 1 and 2 does not relate to the collection of personal information. IPP 3 does not apply to allegations 1 and 2 and was not breached by the conduct set out in those allegations.
Allegation 3
The Applicant submitted that the collection was not open “as I was not informed but misled about why my original PTA was collected and what was done with it.” This submission had also been included in her submissions to the Respondent’s privacy unit for the internal review by email dated 28 August 2023.
The Applicant had already previously submitted a PTA in November 2022 for a different time period (the previous PTA).
However on the available evidence, the application for internal review was out of time in relation to the previous PTA.
Under s 53(3) PPIP Act, an application for internal review must be lodged at an office of the agency within 6 months (or such later date as the agency may allow) from the time that the applicant first became aware of the conduct the subject of the application.
In the internal review application form, the Applicant refers to the PTA which was lodged in June 2023 and states that (in relation to that PTA) the conduct complained of took place between 19 June 2023 to 3 July 2023, which is also when she became aware of the conduct.
However, the previous PTA application was lodged in November 2022 and the application for internal review was not lodged until 18 July 2023. Accordingly conduct complained of in relation to the previous PTA and of which she was aware at that time falls outside the time limits under s 53(3) PPIP Act.
Even if the review application had been made within time in relation to the previous PTA, or an extension had been granted, on the basis of the evidence provided I have determined that, in the limited circumstances of the completion of a PTA form and in light of the type of information involved (being travel details), there would be no basis on which to find that the Respondent breached IPP 3 for the reasons set out below.
The Administrative Decisions Tribunal held in KJ v Wentworth Area Health Service [2004] NSWADT 84 at [36] in relation to the requirements of IPP 3:
The Privacy Commissioner has submitted, and I agree, that the type of personal information at issue is relevant in determining whether an agency has taken such steps as are reasonable in the circumstances to make an individual aware of the matters in section 10.
Section 10 provides for flexibility in its application by the use of the qualifier “must take such steps as are reasonable in the circumstances”; ZR v Department of Education and Training (GD) [2010] NSWADTAP 75 at [65].
Relevantly to the previous PTA, the Applicant provided a document titled “Travel Request” (the form). The document shows the information which appears to have been entered into the previous PTA form. She also provided a copy of the Respondent’s Travel Procedure policy which was relevant at the time of the previous PTA and which sets out:
1.2. Pre-Trip Approval/Information
1.2.1 All proposed travel is to be recorded in the University’s Pre-Trip Approval/Information system (PTA).
1.2.2 The PTA will capture the preliminary information for the purposes of recordkeeping, audit processes and help the University discharge its obligation to provide duty of care and safety. In particular, the justification that travel is essential.
1.2.3 Where required the PTGA can be prompted to seek authority from the Delegated Officer. The Delegated Officer is usually the Supervisor or Line Manager (or someone of higher delegation than the Traveller). …
The Applicant submitted email correspondence with the Respondent’s Travel Service Manager dated 9 December 2022 regarding her query about changing the dates for travel. The Travel Service Manager replied:
Date changes aren’t too much of an issue with regards to approval and risk assessment.
As Risk haven’t approved it yet – you can always ask them to send it back to you for amendment and you can then update the dates to a more realistic time. …
It is clear from the form and the Travel Procedure policy that the information is being collected and that it is for the purposes of pre-trip approval “recordkeeping, audit processes and [to] help the University discharge its obligation to provide duty of care and safety” (ss 10(a) and (b)). The form and the Travel Procedure policy list the intended recipients of the information; (s10(c)). To the extent necessary, reasonable steps to ensure awareness of the factors set out in 10(d) in the context of the travel request are comprised in the fact that the information is being volunteered by the individual to have the trip approved and there is no suggestion that the information is required by law. Section 10(e) was addressed in the Travel Service Manager’s email correspondence, and he is listed in the Travel Approval as the requester with his email address. In circumstances where the form has been submitted to the Respondent in accordance with the Respondent’s policy, the Respondent is clearly the relevant agency for s 10(f).
The Applicant was providing her own travel information, the reason for the trip, the proposed dates and destination for a field work trip in circumstances where she sought approval from the Respondent in order to undertake the trip. Taking into account the type of personal information collected and the circumstances, to the limited extent necessary to provide pre-trip approval for field research, the Respondent has taken reasonable steps to make the individual to whom the information relates aware of the factors set out in ss 10(a) to (f).
Even if the internal review application had been made within time in relation to the previous PTA, the evidence does not provide a basis on which to find a breach of IPP 3 in relation to allegation 3.
IPP 4
IPP 4 (s 11 PPIP Act) relates to other requirements relating to the collection of personal information. If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that—
(a) the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
Allegation 3
The Applicant submitted that the collection was not relevant because the modified wording for the ‘reason’ was not her own, and was replaced without her consent with wording which was inaccurate, incomplete, not up-to-date, excessive and which did unreasonably intrude into her personal affairs. The Applicant submitted that the PTA ‘reason’ field text was replaced with a timeframe, rather than a reason; but above the ‘reason’ field of the PTA there was already a field for ‘travel dates’. The Applicant submitted that even if the PTA had required amendment, as the data and copyright owner, she should have been advised what and why, and she should have been asked as the applicant to make any necessary changes to the PTA herself with the assistance of the Travel Manager.
Although the Applicant objected to the information in the PTA being modified without consulting her, the evidence provided does not support her contention that the Respondent has breached IPP 4 in relation to the collection of the information. The information collected was relevant to the Pre-Trip Approval for “recordkeeping, audit processes and help the University discharge its obligation to provide duty of care and safety”. It was provided by the Applicant and so was accurate, up to date and complete. The information sought related only to her proposed travel for her field trip which was relevant to having the trip approved. There is no evidence that it intruded on the Applicant’s personal affairs to an unreasonable extent and there is no evidence that the Respondent breached IPP 4 by the conduct set out in Allegation 3.
IPP 5
IPP 5 (s 12 PPIP Act) relates to the security of personal information. A public sector agency that holds personal information must ensure:
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
In GR v Department of Housing (GD) [2004] NSWADTAP 26 at [57] the ADT Appeal Panel noted that the obligation in s 12 is addressed to the keeping of personal information by the public sector agency. It should not ‘keep’ information for longer than it may lawfully be used.
Allegations 1 and 2
The Applicant submitted that the academic supervisor’s listing and publishing of the title of her PhD topic, together with her name under the Teaching and Supervision tab on his Staff Profile on the Respondent’s website was not secure because the Respondent did not protect it from unauthorised access, use, modification or disclosure by the supervisor, or potentially others.
The Respondent contended that IPP 5 was not breached. Although the CoI had been marked confidential, the Applicant’s name and research topic was not information which was obtained for the purposes of the CoI, nor was it identified in the CoI or subsequent management plan as information to be kept confidential. The Respondent submitted the expectation of confidentiality arising from the CoI did not preclude the Respondent from using the Applicant’s personal information for its intended purpose and the Respondent did not breach IPP 5 by putting the Applicant’s name and research topic on the Respondent’s website.
The evidence does not disclose any breach of IPP 5 in relation to Allegations 1 and 2. The Applicant was still pursuing her PhD when the conduct occurred and the information was not kept for longer than necessary, nor was it required to be disposed of. In light of the consideration set out above regarding confidentiality over the CoI, objectively the information was not sensitive or confidential and as such, there is no indication that any further security safeguards were required.
Allegation 3
The Applicant submitted that her PTA was not securely stored because it was not protected from unauthorised access, use, modification or disclosure. Her PTA personal information was violated. In order for the modification to be made, the Head of School would have also asked the Travel Manager to assist with technically modifying the ‘reason’ field/research data; the modified PTA was then ‘approved’ and also sent to the UNSW Travel Risk for the purpose of approval of the related Travel Risk Assessment Form.
The Respondent contended that its security controls for its travel approval system provided for access to be granted only to staff who required access to the information in order to perform their legitimate work functions.
The Respondent referred to a statement from the UNSW Travel Service Manager dated 28 February 2024 which had been submitted with the s 58 documents and sets out:
6. The PTA [purpose built pre-trip approval system] was built in accordance and collaboration with the UNSW Cyber Security Team and can only be accessed via the internal travel SharePoint site within the UNSW Intranet. Access to the travel SharePoint site is via MyUNSW and requires a login using a UNSW issued username … and a password.
7. All travel requesters need a travel profile. For staff, profiles are automatically created by a feed from the UNSW HR system (PiMS). Student profiles need to be created manually. For staff, the “one up” manager would be set as the default approver. For students, the appropriate approver is set at time of profile creation and the appropriate approver is determined based on the reason the student is travelling. In order to be an approval for student travel, the approver needs to already have that status in the travel system (ie - already approves travel for other travellers).
8. An approver does not automatically have access to a traveller profile and an approver will only see the information that has been entered onto the pre-trip approval request (PTA) by the traveller for that particular trip. The approval will receive an email with a summary of information that has been entered on the PTA and will also receive any attachments that have been included as part of the PTA request. The approver then has three choices – APPROVE, REJECT or REQUEST CHANGE.
9. An approver only has access to the requests that are work flowed to them for approval. They do not otherwise have administrative access to review travel history or requests generally.
…
-
The Respondent submitted that these security controls were reasonable in maintaining the protection of personal information whilst also allowing for the general administration of the Respondent’s functions. The Head of School was authorised to review and approve trip approval applications as part of his role and responsibilities. On 22 June 2023, the Applicant was copied into an email from another lecturer involved in the Applicant’s studies notifying the Applicant that the travel request would be reallocated to the Head of School for approval. The Applicant had responded to that email, stating her preference that someone outside the School approved the PTA and nominating two of the Respondent’s staff members for that role.
-
The Respondent submitted that the Applicant had been notified that the PTA would be allocated to the Head of School for approval who was authorised to access the Applicant’s PTA form and accordingly there had been no breach of IPP 5.
-
The Respondent has provided evidence regarding the safeguards it takes against loss, unauthorised access, use, modification or disclosure, and against all other misuse of the information held in the PTA system. The information is held in a closed system, accessed only by authorised persons with registered profiles. Approvers only have access to the requests that are workflowed to them and do not have administrative access to other information. I am satisfied that this demonstrates that the requirements of s 12(c) are met. Although the Applicant expressed a preference for another person to approve her PTA, there is nothing in the evidence to suggest that her consent to the relevant approver was required. On the basis of the email correspondence of 22 June 2023, I accept that the Head of School was authorised to access and deal with the PTA and IPP 5 was not breached in that process.
IPP 6
-
IPP 6 (s 13 PPIP Act) relates to information about personal information held by agencies. A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain—
(a) whether the agency holds personal information, and
(b) whether the agency holds personal information relating to that person, and
(c) if the agency holds personal information relating to that person—
(i) the nature of that information, and
(ii) the main purposes for which the information is used, and
(iii) that person’s entitlement to gain access to the information.
Allegation 3
-
The Applicant submitted that the PTA modification by the Head of School meant the access, accuracy and use of her personal data was not transparent. It created issues of research integrity in the form of inaccuracy and lack of transparency in both the record and the approval process.
-
The Respondent contended that it had at all times been transparent in relation to privacy and the handling of information that it collected. The Respondent's privacy statement was readily accessible and a link to access it appeared at the bottom of every page in its website. The Respondent’s privacy statement subsequently referred to the Respondent’s obligations under the PPIP Act, and links to several other privacy related documents which related to the Applicant, including but not limited to the UNSW Privacy Policy and the UNSW Student Privacy Statement.
-
IPP 6 relates to an agency’s privacy systems, rather than the conduct of the agency per se. The Respondent provided copies of its Privacy Statement, its Student Privacy Statement and its Privacy Policy. In relation to personal information collected through websites, the Respondent’s Privacy Statement sets out what kinds of personal information it collects; the use and disclosure of personal information gathered through its websites and general rights to access and amendment. That document notes that other statements also apply for students, employees, Alumni and Donors.
-
The Student Privacy Statement outlines the types of personal information collected from students by the Respondent and outlines the purposes for which the personal information will be used.
-
The Student Privacy Statement then sets out the student’s rights to personal information and advises that a student may request access to and amendment of personal information held by the University.
-
While, for current purposes, I accept that these documents demonstrate that the Respondent has relevant systems in place to meet IPP 6, allegation 3 is not relevant to IPP 6.
-
The Applicant alleges that the modification of the PTA resulted in inaccuracy and lack of transparency, rather than the Respondent’s Privacy Systems being insufficient. The Applicant’s concern relates to conduct, not systems. As a result, IPP 6 does not apply to allegation 3 and was not breached by the conduct set out in allegation 3.
IPP 9
-
IPP 9 (s 16 PPIP Act) requires the agency to check the accuracy of personal information before use. A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
Allegations 1 and 2
-
The Applicant submitted that the academic supervisor’s listing and publishing of the title of her PhD topic, together with her name under the Teaching and Supervision tab on his Staff Profile on the Respondent’s website was not accurate because she was not his student at the time that she discovered it; the supervisor had withdrawn from supervision several months earlier. The Applicant contended that information was not passively sitting on the website; the site was live and changing.
-
The Respondent contended that, in relation to allegation 1, the Applicant’s name and research topic as listed on her then supervisor’s staff profile was accurate, up to date, and not misleading at the time that it was used and, as such, that the Respondent had not breached IPP 9 in relation to allegation 1.
-
The Applicant’s submissions in relation to IPP 9 focussed on the failure to remove her personal information after the supervisor arrangement ended. She did not contend, nor is it apparent, that her personal information was irrelevant, inaccurate, not up to date, incomplete or misleading at the time that it was included on the supervisor’s staff page and IPP 9 was not breached in relation to allegation 1.
-
In relation to allegation 2, the Respondent noted that the obligation under IPP 9 was to ensure that the information was relevant, accurate, up-to-date, complete and not misleading before use. Before the information was placed on the website, it was accurate because the academic staff member was her supervisor at the time.
-
The Respondent relied on the ADT Appeal Panel decision in Department of Education and Training v MT (GD) [2005] NSWADTAP 77 (MT) at [42] and [44] in contending that the definition of ‘use’ in IPP 9 required something more than unauthorised access or the “mere act of browsing… (“Use”) involves some administrative action or consequence.”
-
The Respondent noted that the Applicant’s personal information was “used” for the purposes of s 16 of the PPIP Act when the Applicant’s name and PhD research topic were listed on her supervisor’s website and the Respondent amended the Applicant’s PTA. However, the Respondent submitted that when the Applicant’s information remained on her former supervisor’s academic staff profile after he withdrew on 17 February 2023, the Applicant’s personal information was not ‘used’ for the purposes of s 16 PPIP Act because there was no administrative action involved in the information remaining in place from 17 February 2023.
-
The Respondent referred to SF v Shoalhaven City Council [2013] NSWADT 94 (SF) at [181] to support the contention that “use” required action and that information passively sitting on a website did not constitute “use” for the purposes of s 16.
-
The Respondent further submitted that it took reasonable steps to ensure that the Applicant’s information was up to date and accurate. The supervisor, on being informed that the Applicant’s name and PhD topic remained listed on the staff profile on 7 April 2023, took immediate measures to correct the publication, which was done within one hour.
-
In JD v Department of Health (GD) [2005] NSWADTAP 44 (JD) at [33] and [44] the ADT Appeal Panel held:
‘Use’. The question of when ‘use’ of the kind to which s 16 is addressed occurs in the handling of information in an administrative environment involves a judgement based on all the circumstances. …We agree with the submissions of the Privacy Commissioners…that the mischief that s 16 is intended to address involves an agency taking action on the basis of information it holds about an individual and in a way which is adverse to the interests of that individual without taking reasonable steps to ensure the information is accurate and not incomplete, irrelevant, out of date or misleading. The Privacy Commissioner submitted, and we agree, that it is only possible to give effect to s 16 if use is interpreted as the process of considering, assessing or weighing up personal information so as to make a decision or adopt a further course of action.
-
The ADT Appeal Panel further noted at [41]-[42] that, in the Act, ‘use’ is differentiated from other activities such as ‘collection’, ‘access’ and ‘disclosure’ and the standards which apply to the ‘use’ of information are separated from the standards that apply to the ‘disclosure’ of the information:
In our view, if an agency merely retrieves information in its possession and discloses that to an external person or body, there is no ‘use’ involved. The action is governed by the standards relating to the ‘disclosure’ of information. Similarly, there may be situations in which the agency ‘uses’ information and then ‘discloses’ the information.
-
On the basis of the decisions in JD and MT (as noted by the Respondent in oral submissions, MT was overturned in Director General, Department of Education and Training v MT [2006] NSWCA 270 - but on a different basis) a distinction has been drawn in the PPIP Act between “use”, “disclosure”, “collection” and “access”. “Use” entails some administrative action which is based on the personal information.
-
Once the personal information was included on the webpage, there is no evidence that the Respondent took any further action with it; even though, as the Applicant submitted, the website might have changed around it, the information itself was untouched by the Respondent.
-
In SF, the Tribunal accepted that a Council’s actions in providing a live CCTV feed to the local police, amounted to “mere retrieval” for the purposes of disclosing footage to the police, and that “mere retrieval” did not amount to a ‘use’ for Council’s purposes at [181]; as discussed in Johnston A PPIPA in Practice, Edition 17.4, 31 January 2024 (p 159 and 172).
-
On the basis of the existing case law, even if the Applicant’s personal information was accessed after the supervision arrangement ceased, there was no “use” of the Applicant’s personal information and there was consequently no breach of IPP 9 in relation to allegation 2.
Allegation 3
-
The Applicant submitted that the PTA modification by the Head of School meant the use of her personal data was not accurate.
-
The Respondent contended that the amendment to the wording of the PTA form was not accurate having regard to the purpose for which the information was proposed to be used, and the information was based on information provided by the Applicant. Amendment was not inconsistent with IPP 9 in view of the purpose for which the information was proposed to be used, which was as a pre-trip approval. The trip was then approved. Further, upon being informed of the Applicant’s concerns the PTA form was changed back to the original wording. The Respondent submitted that it did not breach IPP 9 in relation to allegation 3.
-
The Respondent submitted email evidence to demonstrate that the modification which was made to the PTA form reflected information which the Applicant had provided. In the limited context of the PTA form’s purpose, which was to pre-approve the Applicant’s trip for field research, there was little more that the Respondent could do to ensure accuracy than use information provided by the Applicant. This constitutes reasonable steps in the circumstances to ensure the accuracy of the information in the PTA which was used by the Respondent and the Respondent did not breach IPP 9 in relation to allegation 3.
IPP 10
-
IPP 10 (s 17 PPIP Act) imposes limits on the use of personal information. A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless—
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
Allegations 1 and 2
-
The Applicant submitted that the academic supervisor’s listing and publishing of the title of her PhD topic, together with her name under the Teaching and Supervision tab on his Staff Profile on the Respondent’s website was not limited as she did not give consent for the information collected by the Respondent to be disclosed publicly. Further, in her submissions she refers to the purpose of the use of her personal information not being directly related to the Respondent’s function or activities and necessary for that purpose, the purpose appeared merely to have been to boost the professional profile of the supervisor. She submitted that it was also contrary to the Student Privacy Statement and specifically contravened her express wish for privacy.
-
The Respondent acknowledged that the Applicant’s personal information was “used” for the purposes of s 17 of the PPIP Act when the Applicant’s name and PhD research topic was listed on the supervisor’s staff profile on the UNSW website.
-
The Respondent contended that the UNSW Student Privacy Statement provides that
personal information is collected for purposes that are directly related to and reasonably necessary for the legitimate functions and activities of the University, and will be used to administer a student’s enrolment, to enable the delivery of a student’s academic program and extracurricular activities, to provide a student with student services, and to support the University's planning and quality improvement activities.
-
The Respondent noted that under s6 of the University of New South Wales Act 1989, the object of the University is the promotion, within the limits of the University’s resources, of scholarship, research, free inquiry, the interaction of research and teaching, and academic excellence. The listing of the Applicant’s name and PhD research topic on the supervisor’s staff profile was used for a purpose that was directly related to and reasonably necessary for the legitimate functions and activities of the University and was used to support the interaction of research and teaching. Consequently, the Respondent submitted that the listing of the Applicant’s name and PhD research topic on the supervisor’s staff profile on the UNSW website was not an unauthorised use of the Applicant’s personal information. It was authorised by s 17(b) of the PPIP Act and the Respondent did not breach IPP 10.
-
Section 17(b) of the PPIP Act provides an exception to the obligation not to use the personal information for a purpose other than for which it was collected, where the other purpose for which the information is used is directly related to the purpose for which the information was collected.
-
The purposes outlined in the UNSW Student Privacy Statement were: “purposes that are directly related to and reasonably necessary for the legitimate functions and activities of the University.” The Respondent submitted that the furtherance of the University’s statutory objectives of “scholarship, research, free inquiry, the interaction of research and teaching, and academic excellence” was directly related to the legitimate functions and activities of the University.
-
Seen objectively, it is in the interests of broader scholarship and research to enable the free exchange of ideas and perspectives throughout the academic community. Openness and engagement in relation to current research projects is part of that free exchange. The Applicant alleged that her personal information was included on her supervisor’s staff page to bolster his own profile. That is a possible ancillary effect, however it does not exclude the Respondent’s contention, which I accept, that listing the Applicant’s name and thesis topic was for the purpose of furthering scholarship and free inquiry.
-
Those purposes are directly related to the legitimate functions of the Respondent as stipulated in its statutory objectives such that s 17(b) applies and there is no breach of IPP 10 in relation to allegations 1 and 2.
Allegation 3
-
The Applicant submitted that the PTA modification by the Head of School meant the access, accuracy and use of her personal data was not transparent.
-
The Respondent contended that the Head of School had the authority to review and approve trip approval applications. The use of the Applicant’s personal information by the Head of School was directly related to the purpose for which the Applicant’s personal information was proposed to be used. Whilst the Applicant had raised confidentiality concerns and requested that the contents of her application only be shared in the process of assessing approving her travel request by someone with suitable delegation, the Head of School who was copied into that correspondence is a person who had suitable delegation to assess an approver travel request. Further the Applicant was notified that the travel request would be reallocated to the Head of School for approval.
-
IPP 10 is not relevant to allegation 3. There is no evidence that the personal information in the PTA was used for any purpose other than for which it was collected, being to pre-approve the Applicant’s trip. There is no evidence to demonstrate that IPP 10 was breached in relation to allegation 3.
IPP 11
-
IPP 11 (s 18 PPIP Act) imposes limits on the disclosure of personal information. A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless—
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
-
If personal information is disclosed in accordance with IPP 11 to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
Allegations 1 and 2
-
The Applicant submitted that the academic supervisor’s listing and publishing of the title of her PhD topic, together with her name under the Teaching and Supervision tab on his Staff Profile on the Respondent’s website was not restricted as she did not give consent for the information collected by the Respondent to be disclosed publicly.
-
The Respondent relied on the same submissions as were made regarding IPP 10 to contend that there was also not an unauthorised disclosure of the Applicant’s personal information and the Respondent did not breach IPP 11.
-
The essence of disclosure of information is making known to a person information that the person to whom the disclosure is made did not previously know: Nakhl Nasr v State of New South Wales; George Nasr v State of New South Wales [2007] NSWCA 101 at [127] per Campbell JA (Beazley and Hodgson JJA agreeing). By using the information to include it under the Teaching and Supervision tab on the academic supervisor’s Staff Profile on the Respondent’s website, the Respondent also disclosed the information to anyone who should happen across that page.
-
I have already found in relation to IPP 10 that the use of the Applicant’s personal information was for a purpose which was directly related to the purpose for which it was collected; the furtherance of the University’s statutory objectives of “scholarship, research, free inquiry, the interaction of research and teaching, and academic excellence” was directly related to the legitimate functions and activities of the University.
-
Openness and engagement in relation to current research projects is part of the free exchange of ideas. In those circumstances, the purpose of the disclosure was also in furtherance of the University’s objectives of scholarship, research, free inquiry, the interaction of research and teaching, and academic excellence and so directly related to the legitimate functions and activities of the University for which it was collected. The fact that there was a dedicated tab on the academic supervisor’s Staff Profile for “Teaching and Supervision” indicates that it was common practice for such information to appear and there is no evidence of any reason that the Respondent would have to believe that, at the time that the disclosure was made, the Applicant would object to that disclosure.
-
Accordingly there is no evidence that IPP 11 has been breached in relation to allegations 1 and 2.
Allegation 3
-
The Applicant submitted that the PTA modification meant the access, accuracy and use of her personal data was not restricted.
-
The Respondent contended that there was no evidence to suggest that the Applicant’s personal information was disclosed to a person outside of UNSW.
-
If there was disclosure, the Applicant was made aware that the PTA was to be forwarded to the Head of School for approval in accordance with s 18(b). There is no evidence to demonstrate that IPP 11 was breached in relation to allegation 3.
IPP 12
-
IPP 12 (s 19 PPIP Act) imposes special restrictions on the disclosure of personal information. A public sector agency must not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person. Subsection 19(2) prohibits an agency from disclosing personal information that it holds to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless certain conditions exist.
Allegations 1 and 2
-
The Applicant submitted that the academic supervisor’s listing and publishing of the title of her PhD topic, together with her name under the Teaching and Supervision tab on his Staff Profile on the Respondent’s website was not safeguarded as she was not aware and did not give consent for the information collected by the Respondent to be disclosed publicly and it was information relating to her ethnic or racial origin, political opinion, religious or philosophical beliefs, including her copyright.
-
The Respondent did not address IPP 12 in submissions.
-
In Altaranesi v Administrative Decisions Tribunal [2012] NSWCA 19, the Court of Appeal held at [1], [65] and [104] that a statement that a person was “from Egypt” was not a statement which disclosed the person’s ethnic or racial origin. Meagher JA (with whom Campbell JA and Handley AJA agreed) said at [65] that the words ‘ethnic or racial origin’ “have been held to describe an historically determined social identity which distinguishes persons having a sufficient combination of “shared customs, beliefs, traditions and characteristics derived from a common or presumed common past, even if not drawn from what in biological terms is a common racial stock”.
-
In FHI v Dental Council of New South Wales [2022] NSWCATAD 347, the Tribunal found that “disclosure of a name only” is not sufficient “to disclose an ethnic or racial origin” (at [33]).
-
In the context of IPP 12, the Tribunal found that (at [34]):
A philosophical belief concerns a genuine belief about a profound and substantial aspect of human life and behaviour with a status or cogency comparable to a religious belief. It is belief that is independent of a particular time and context.
-
The special categories of information specified in IPP 12 go beyond the disclosure of the Applicant’s thesis topic.
-
Objectively, the Applicant’s name and thesis topic do not fall within any of the special categories of information specified in IPP 12. Copyright is not included under IPP 12. Accordingly the inclusion of the Applicant’s name and thesis topic on her (then) academic supervisor’s Staff Profile does not fall within the scope of IPP 12 and there is no evidence that IPP 12 has been breached.
Any other IPPs
-
Whilst considering the Applicant’s submissions in detail against the IPPs that the Applicant alleges have been breached, I have also considered whether any other IPPs have been breached. I do not consider that any other IPPs are relevant in this matter.
Damages
-
The Applicant claimed $40,000 in damages for financial loss, psychological and physical harm for conduct which she alleged amounted to victimisation for having made complaints to the Respondent’s Conduct and Integrity Unit and the application for the internal review of the privacy complaint.
-
The Respondent submitted that while the Applicant had provided evidence of psychological and psychosocial harm generally, in the absence of evidence of harm caused by the conduct, the Tribunal could not be satisfied that the Applicant had suffered financial loss, psychological or physical harm because of the conduct.
-
Under s 55(2)(a) of the PPIP Act, the Tribunal may make an order requiring the agency to pay the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct.
-
In Wojciechowska v Secretary, Department of Communities and Justice; Wojciechowska v Registrar, Civil and Administrative Tribunal [2023] NSWCA 191, Kirk JA (with Mitchelmore JA and Griffiths AJA agreeing) rejected a submission that the Tribunal could make an order under s 55(2)(a) even if the alleged contravention was not made out. Kirk JA said at [116] and [129] that the remedy in s 55(2)(a) depends upon there having been a finding of a contravention of an information protection principle or a privacy code.
-
As I have not found any breaches of the IPPs there is no basis on which to consider the Applicant’s claim for damages.
Conclusion
-
After carefully considering the evidence and submissions provided by the parties, I have not found any of the IPPs to have been breached by the Respondent. As a result, the correct and preferable decision is to affirm the Respondent’s reviewable decision of 3 November 2023 under s 63(3)(a) of the Administrative Decisions Review Act 1997.
-
Further, as I have not found evidence that any of the IPPs have been breached by the Respondent, I have decided not to take any action on the matter under s 55(2) of the PPIP Act.
Orders
-
The Respondent’s reviewable decision of 3 November 2023 is affirmed under s 63(3)(a) of the Administrative Decisions Review Act 1997.
**********
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
Amendments
16 April 2024 - Deleted Registrar's signature which appeared twice at the end of the decision.
Decision last updated: 16 April 2024