GHX v Department of Education

Case

[2025] NSWCATAD 95

02 May 2025

Civil and Administrative Tribunal

New South Wales

Medium Neutral Citation: GHX v Department of Education [2025] NSWCATAD 95
Hearing dates: 4 December 2024, written submissions closed 5 February 2025
Date of orders: 02 May 2025
Decision date: 02 May 2025
Jurisdiction: Administrative and Equal Opportunity Division
Before: D Dinnen, Senior Member
Decision:

(1) The Tribunal affirms the Respondent’s reviewable decision of 28 March 2024 that the Respondent breached s 18 of the Privacy and Personal Information Protection Act 1998 (NSW).

(2) The Tribunal sets aside the remainder of the Respondent’s reviewable decision of 28 March 2024, and in accordance with these reasons for decision, in substitution, decides that:

(a) the Respondent breached s 12(c) of the Privacy and Personal Information Protection Act 1998 (NSW); and

(b) the Respondent did not breach s 17 of the Privacy and Personal Information Protection Act 1998 (NSW).

(3) Pursuant to s 55(2)(g) of the Privacy and Personal Information Protection Act 1998 (NSW), the Tribunal orders the Respondent to review and update its Privacy Bulletin on Photographs and Recordings in accordance with these reasons for decision and disseminate the updated Privacy Bulletin to School staff and School Communities.

(4) The publication or broadcast of the name of the Applicant, the Applicant’s Child, the School attended by the Child, the School’s Principal and staff is prohibited. This order is made under section 64(1)(a) of the Civil and Administrative Tribunal Act 2013.

Catchwords:

ADMINISTRATIVE LAW – Privacy – Information Privacy Principles – IPP 5 Protection of personal information – IPP 10 Use of personal information – IPP 11 Disclosure of personal information – whether “use” or “disclosure” – Photography of school students – publication of School newsletters – appropriate relief

Legislation Cited:

Civil and Administrative Tribunal Act 2013

Privacy and Personal Information Protection Act 1998

Cases Cited:

AFC v Sydney Children’s Hospital Specialty Network [2012] NSWADT 189

AFP v Hunter New England Local Health District [2012] NSWADT 141

AIN v Medical Council of New South Wales [2017] NSWCATAP 23

ALZ v WorkCover NSW [2015] NSWCATAP 138

ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122

AW v Vice Chancellor University of Newcastle [2008] NSWADT 86

BXK v Western Sydney University [2016] NSWCATAD 235

CNC v NSW Police Force [2017] NSWCATAD 94

CYL v YZA [2016] NSWCATAD 314

Director General, Department of Education and Training v MT (2006) 67 NSWLR 237

Director General, Department of Education and Training v MT (GD) [2005] NSWADTAP 77

EIG v North Sydney Council [2022] NSWCATAD 127

FH v Commissioner, New South Wales Department of Corrective Services [2003] NSWADT 72

GKT v Fire and Rescue New South Wales [2024] NSWCATAD 335

KJ v Wentworth Area Health Service [2004] NSWADT 84

KO and KP v Commissioner of Police, NSW Police Force (GD) [2005] NSWADTAP 56

MT v Director General, NSW Department of Education & Training [2004] NSWADT 194

NZ v Director General, NSW Department of Housing [2005] NSWADT 58

OD v Department of Education and Training [2005] NSWADTAP 74

PN v Department of Education and Training [2010] NSWADTAP 59

RL v Department of Education and Training [2009] NSWADT 257

XW v Department of Education and Training [2009] NSWADT 73

Texts Cited:

Privacy NSW, A Guide to the Information Protection Principles, 1999

Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8-11, November 1996

Category: Principal judgment
Parties: GHX (Applicant)
Department of Education (Respondent)
Representation:

Counsel:
J A Darvall (Applicant)

Solicitors:

Crown Solicitor (Respondent)
File Number(s): 2024/00164729
Publication restriction: The publication or broadcast of the name of the Applicant, the Applicant’s Child, the School attended by the Child, the School’s Principal and staff is prohibited. This order is made under section 64(1)(a) of the Civil and Administrative Tribunal Act 2013.

REASONS FOR DECISION

  1. The Applicant, referred to in these proceedings as GHX, commenced proceedings on behalf of his child (Child), seeking administrative review of conduct of the Department of Education (the Department/Respondent) under the Privacy and Personal Information Protection Act 1998 (the PPIP Act). The public school attended by the Child published the Child’s name and image in the School’s Newsletter without parental consent on 2 occasions, in Term 1 Week 6 2023 (the 2023 Newsletter) and Term 2 Week 10 2022 (the 2022 Newsletter).

  2. A chronological outline of notifications and interactions between GHX, the School’s Principal, and the Department regarding the non-consensual publications is below.

  3. On 24 January 2024 GHX lodged a privacy complaint with the Department in relation to the 2023 Newsletter. On 25 January 2024 the Department acknowledged the complaint as:

The department published the name and image of your [Child] in term 1 week 6 edition of the School newsletter. You have alleged that you wrote to the Principal of the School to remove the newsletter from the internet. You have also alleged that the Principal informed you that the newsletter had been taken down from the internet in 2023 but as of 23 January 2024, the newsletter was still accessible online and an image of your [child] was also available online.

  1. GHX responded to the Department on 31 January 2024, identifying that a further identifiable image of his child was published in the School’s 2022 Newsletter. On 5 February 2024 the Department confirmed the 2022 Newsletter would be considered as part of the Privacy Internal Review being conducted.

  2. On 28 March 2024 the Department finalised the Privacy Internal review, relying on a Report produced by a departmental legal officer, determining that the School had breached ss 17 and 18 of the PPIP Act (also known as IPPs 10 and 11 respectively). Specifically, the Department determined that (emphasis added):

In relation to the First Newsletter, although the inclusion of the personal information collected … may be classified as a directly related secondary purpose, the department specifically requires consent to be obtained from parents and carers in order to publish information about students in publicly accessible communications. In this instance the school had a permission to publish form relating to [the Child] from the Applicant advising that permission was not given for [the Child’s] information to be included in publicly accessible communications. I therefore find that there was a breach of IPP 10.

In relation to the Second Newsletter, although the department did not collect the personal information at the point the school retained the information for the purpose of inclusion in the school newsletter it became personal information collected and held by the department. Given there was a permission to publish form relating to [the Child] advising that permission was not given for [the Child’s] [information] to be included in publicly accessible communications I therefore find that there was a breach of IPP 10.

Publication is a form of disclosure… The department disclosed [the Child’s] personal information when it published [the Child’s] name, image and honorary title in the First Newsletter and when [the Child’s] photo was published in the Second Newsletter. As the department expressly were not granted permission to publish personal information of [the Child] publicly, I find there was a breach of IPP 11.

  1. The Department determined that breaches of s 15 of the PPIP Act (IPP 8) could not be confirmed in relation to data which was no longer held by the Department following deletion, and that the IPPs did not apply to the cached versions of the 2022 Newsletter and 2023 Newsletter held by Google.

  2. The Department agreed with the Report recommendations to:

• By way of refresher training, the School Principal is to complete the following online privacy training within 3 months;

a. the privacy module within the course called School Leaders & The Law – Extension 1 (available online in MyPL).

b. The Data Breach Response Plan – Managing Data Breaches (available online in MyPL).

• The Director Educational Leadership is to ensure that all departmental staff from the School:

1. familiarise themselves with the department’s intranet pages “Permission to publish” and “Privacy”, which provide privacy information for staff, in particular information about obligations when publishing identifying information.

2. familiarise themselves with the following:

- Consent – IPC Fact Sheet

- Tips for Reducing Data Breaches when Sending Emails – IPC Fact Sheet

• The School to implement a process to minimise the potential for staff to publish student information where parental permission has not been provided to do so.

• The School Principal is to coordinate a review of all public facing communications to identify if there is any additional personal information of the Applicant’s children in any of the School’s publicly facing documentation, to be completed within a month.

  1. In proceedings before this Tribunal, the Department conceded its breaches of s 18 of the PPIP Act, but withdrew the concession in its Privacy Internal Review that s 17 of the PPIP Act had been breached. The Department submitted that the correct and preferable decision was to determine that the Department breached s 18 of the PPIP Act, but otherwise take no further action.

  2. The Applicant contended that the Privacy Internal Review did not consider or address the question of breach by the Department of s 12(c) of the PPIP Act, and pressed for a determination that ss 12(c), 17 and 18 of the PPIP Act had been breached.

  3. The matter was heard on 5 December 2024. The School Principal provided an affidavit and was cross-examined by the Applicant’s counsel at hearing. I made orders following the conclusion of the hearing for the filing of written closing submissions, which the Tribunal received on 19 December 2024, 28 January 2025 and 5 February 2025.

  4. The following issues require determination by the Tribunal:

  1. Did the Department breach s 12(c) of the PPIP Act;

  2. Did the Department breach s 17 of the PPIP Act;

  3. What, if any, action should be ordered by the Tribunal pursuant to s 55(2) of the PPIP Act in relation to the Department’s conduct?

Legal Principles

  1. The Tribunal's review jurisdiction in these proceedings is the alleged conduct and contravention by the Respondent of IPPs pursuant to sections 52(1)(a) and 55(1)(a) of the PPIP Act.

  2. The PPIP Act regulates the manner in which NSW Government agencies, including the Respondent, deal with and manage personal information. Sections 8 to 19 of the PPIP Act set out the twelve IPPs that govern the way in which an agency (in this case the Respondent) must collect, store, access, use and disclose personal information.

  3. Section 55(1) of the PPIP Act states as follows:

55   Review of conduct by the Tribunal

(1) If a person who has made an application for internal review under section 53 is not satisfied with:

(a)   the findings of the review, or

(b)   the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.

  1. In an application for administrative review under section 55(1) of the PPIP Act, the Tribunal is limited to reviewing the scope of the application for the internal review by the agency: see KO and KP v Commissioner of Police, NSW Police Force (GD) [2005] NSWADTAP 56 at [13]; OD v Department of Education and Training [2005] NSWADTAP 74; BXK v Western Sydney University [2016] NSWCATAD 235 at [13].

  2. Whilst it is correct to state that the scope of the internal review sets the scope for the application for review of the conduct by the Tribunal, this should be determined by the content of the Applicant’s application for internal review, not by the reviewer. In determining whether an agency's conduct amounts to a contravention of an IPP, the key question for the purpose of the Tribunal's administrative review is what facts and circumstances the applicant has referred to which might give rise to questions of compliance with the IPPs, and to identify the relevant principles: see KO and KP v Commissioner of Police, NSW Police Force (GD) [2005] NSWADTAP 56 at [13]-[14]; BXK v Western Sydney University [2016] NSWCATAD 235 at [13].

  3. In AFP v Hunter New England Local Health District [2012] NSWADT 141 (at [22]), the Tribunal agreed with the Privacy Commissioner's submission that when assessing whether or not conduct is identified in the internal review application (and thus reviewable by the Tribunal), it is open to the Tribunal to approach the task having in mind the beneficial nature of the PPIP Act, that a broad interpretation of the conduct described in the internal review application is preferable to a narrow interpretation; and that conduct can potentially be relevant to more than one IPP.

  4. Section 12 of the PPIP Act, IPP 5, states:

12 Retention and security of personal information

A public sector agency that holds personal information must ensure--

(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and

(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

  1. Section 12(c) requires protection of personal information “by taking such security safeguards as are reasonable in the circumstances”. The level of security safeguards considered reasonable will depend on both the nature of the information and the medium in which it is stored: see ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122 at [31]. Failure to have a policy about handling personal information, a policy about restricting access, storing student files in a way accessible to all teachers, and lack of awareness or a system of staff training about privacy, have previously been found to indicate a failure to take “such security safeguards as are reasonable in the circumstances”: MT v Director General NSW Department of Education & Training [2004] NSWADT 194 at [179]-[180]. The extent of staff training regarding access to personal information is also a relevant factor in considering whether security safeguards are reasonable, as is the response time of staff to concerns raised about security issues: GKT v Fire and Rescue New South Wales [2024] NSWCATAD 335 at [37], XW v Department of Education and Training [2009] NSWADT 73 at [92].

  2. Section 17 of the PPIP Act, IPP 10, states:

17 Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless--

(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

  1. Section 18 of the PPIP Act, IPP 11, states:

18 Limits on disclosure of personal information

(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless--

(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

  1. The PPIP Act distinguishes between the “use” and “disclosure” of personal information by making each a separate IPP. There remains some debate as to whether conduct can amount to both ‘use’ and ‘disclosure’. In Privacy NSW, A Guide to the Information Protection Principles, 1999, at p 32, the Privacy Commissioner stated:

"Use refers to the treatment and handling of personal information within an organisation, particularly when this involves making decisions on the basis of the information. Disclosure refers to making personal information available to people outside the organisation, other than to the individual concerned and includes the publication of personal information.

It should be noted that in the case of large public sector agencies constituting of specialised units, exchange of personal information between units may constitute disclosure. … Where doubt occurs, agencies are advised to act cautiously and to treat any transfer as a disclosure to a separate body".

  1. The Federal Privacy Commissioner takes a strict view of these terms in the Commonwealth Privacy Act’s Information Privacy Principles in Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 8-11, November 1996, at page 11:

"An agency's action cannot be both a use and a disclosure. Use does not mean disclosure and disclosure does not mean use".

  1. The Tribunal has explored this distinction in a number of decisions. In KJ v Wentworth Area Health Service [2004] NSWADT 84 at [50]:

“While generally speaking the expression “disclosure” refers to making personal information available to people outside an agency, in the case of large public sector agencies consisting of specialised units, the exchange of personal information between units may constitute disclosure”.

  1. In MT v Director General, NSW Department of Education & Training [2004] NSWADT 194 at [163]:

“(T)he words ‘use’ and ‘disclosure’ are intended to refer to different functions of an agency… (however) the distinction between operations that are internal to an agency and those that are external is not an absolute one”.

  1. In NZ v Director General, NSW Department of Housing [2005] NSWADT 58 at [69]:

“‘Use’ is different to ‘disclosure’. ‘Use’ refers to the handling of personal information within the collecting agency, whereas ‘disclosure’ refers to the giving of the information by the collecting agency to a person or body outside the agency. This understanding is reflected in the contrasting language of s 17 and s 18”.

  1. In EIG v North Sydney Council [2022] NSWCATAD 127, the Tribunal found that in the context of the health privacy principles (HPPs), ‘use’ and ‘disclosure’ are “separate concepts”, at [89]:

“it would render the statutory distinction between those concepts in HPP 10 and HPP 11 inutile to find that an agency has breached HPP 10 by ‘using’ information in disclosing it”.

  1. IPP 10 is directed to the use of personal information. “Use” refers to action taken by the agency to use information for its own purposes, internally: Director General, Department of Education and Training v MT (GD) [2005] NSWADTAP 77 at [39]; CYL v YZA [2016] NSWCATAD 314 at [100]; PN v Department of Education and Training [2010] NSWADTAP 59 at [29].

  1. The distinction between the “use” of information and the “disclosure” of information depends primarily upon whether the handling of the information is internal to the agency (that is, a use) or the provision of information to a party external to it (a disclosure): CNC v NSW Police Force [2017] NSWCATAD 94 at [20]. The ‘use’ of information should be considered in the context of the purpose for which the information was ‘collected’: AW v Vice Chancellor University of Newcastle [2008] NSWADT 86 at [28]; ALZ v WorkCover NSW [2015] NSWCATAP 138 at [103]. A breach will arise if the purpose for which the information was collected differs from the purpose for which it is later used: RL v Department of Education and Training [2009] NSWADT 257 at [27].

  2. If the Tribunal finds the Respondent has breached any of the IPPs, the Tribunal can either decide to take no action, or make orders pursuant to s 55(2) of the PPIP Act, which states:

(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders--

(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c) an order requiring the performance of an information protection principle or a privacy code of practice,

(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f) an order requiring the public sector agency not to disclose personal information contained in a public register,

(g) such ancillary orders as the Tribunal thinks appropriate.

Evidence

  1. The parties agreed to the following relevant Chronology:

  1. On 30 June 2022 the 2022 Newsletter was published online.

  2. On 2 March 2023 the 2023 Newsletter was published online.

  3. On 9 December 2023, the School Principal was notified of the publication of the name and image of the Child without parental consent in the 2023 Newsletter. The School Principal lodged a Data Breach Incident Notification Form with the Department of Education (the Respondent) to report the incident.

  4. On 12 December 2023 the School Principal advised the Applicant that she had reported the breach to the Respondent’s data breach response team, to assess and action under Part 6A of the PPIP Act.

  5. On 14 December 2023 the School Principal notified the Applicant that the 2023 Newsletter had been taken down from the website.

  6. On 15 January 2024 the Applicant emailed the Department’s Privacy Team and others, notifying them that despite the request for removal of the image in December, it was still accessible online.

  7. On 23 January 2024 an employee of the Respondent, Ms C, wrote to the Applicant and stated that the Child’s name and image had been removed from the 2023 Newsletter.

  8. On 24 January 2024 the Applicant emailed Ms C and noted that the version of the 2023 Newsletter containing the Child’s name and image was still available through a Google search and "had not been destroyed". The Applicant requested an internal review of the conduct under s 53 of the PPIP Act.

  9. On 31 January 2024 the Applicant emailed the Department’s Privacy inbox advising that the School had published an image of the Child without parental consent in the 2022 Newsletter.

  10. On 7 February 2024 Ms C wrote to the Applicant outlining the additional steps taken by the School, including requesting the Respondent’s IT Directorate to undertake an investigation and sending a formal request to Google to remove any trace of the 2023 Newsletter.

  11. On 26 February 2024 an employee of the Respondent, Mr M, informed the School Principal that the Child’s image might have been included in the 2022 Newsletter.

  12. On 27 February 2024 the School Principal directed office administration staff at the School that were responsible for the publication of Newsletters to remove the image of the Child from the 2022 Newsletter.

  13. On 14 March 2024 Mr M was notified that the 2023 Newsletter was removed from worldwide Google display.

  1. The student application form, completed by the Applicant, contained the following:

The personal information collected on this application is for purposes directly related to your child’s education including processing this application.

Any information provided to the NSW Department of Education (the Department) will be used, disclosed and stored consistent with the NSW privacy laws.

Certain information is required by the Department to meet its duty of care and other legal obligations under public health, education and child protection legislation and for meeting data collection and reporting requirements under Commonwealth – State funding agreements which may involve evaluation and assessment of student outcomes.

  1. The enrolment forms included information on “Publishing Student Information”:

Publishing student information

The school/Department may publish information about your child for the purposes of sharing his/her experiences with other students, informing the school and broader community about school and student activities and recording student participation in noteworthy projects or community service.

This information may include your child’s name, age, class and information collected at school such as photographs, sound and visual recordings of your child, your child’s work and expressions of opinion such as in interactive media.

The communications in which your child’s information may be published include but are not limited to:

■ Public websites of the Department including the school website, the Department’s intranet (staff only), blogs and wikis

■ Departmental publications including the school newsletter, annual school magazine and school report, promotional material published in print and electronically including on the Department websites

■ Official departmental and school social media accounts on networks such as the school’s YouTube, Facebook and Twitter pages.

Parents should be aware that when information is published on public websites and social media channels it can be linked to by third parties and may be discoverable online for a number of years, if not permanently. Search engines may also cache or retain copies of published information.

  1. The “Permission to Publish” (PTP) form stated the following:

I have read the information about publishing student information (above) and

I give permission / I do not give permission

for the school/Department to publish information about my child in publicly accessible communications. This permission remains effective until I advise otherwise

  1. The School’s Principal gave evidence about the practices in place at the School for obtaining, using, storing, and disclosing personal information of the School’s students. Parents of students were required to complete various forms upon enrolment which provided the School with authority to collect, use, and store personal information. A PTP form provided a student’s parent or guardian with an opportunity to elect not to have the student’s photograph or other personal information published. Publications included the School newsletter, which was distributed to parents and also published on the School website. There was a system in place recording which students were on the “no publication list” for each of the classes being taught at the School, by which the teachers of each class were intended to be informed.

  2. The Principal did not know how many students at the School had nominated “no permission to publish”, and could not indicate a rough percentage of the students who had done so. She estimated that it “could be up to 5 students a class”, and that there were “up to 26 classes per week” for all students in Year 1 to Year 6. She described a system for ensuring students who had elected “no permission to publish” were not included in the School newsletter as containing “potentially four” levels of review, being:

  1. Enrolment: When parents and carers enrolled their children at School, they were required to complete an “Application to enrol in a NSW Government school” form, which included the option to provide a “Permission to Publish” (PTP). A PTP allows the School to publish certain personal information about students in publicly accessible materials.

  2. Stored online against students’ information: The decisions of parents and carers in relation to PTP were recorded on the Enrolment and Registration Number (ERN) system.

  3. Collated and provided to classroom teachers in the classroom roll/information spreadsheet: The PTP information on the ERN system was provided to staff members at the School on their class rolls.

  4. Link provided to teachers prior to newsletter publication with collated information.

  1. According to the School Principal’s written evidence, when teachers compiled images for newsletters or other publicly accessible materials, they were reminded by the Office Administrative Staff at the School to check those photos to ensure that a student without a PTP was not identified, and staff received an email reminding them about students that did not have a PTP prior to the publication of every newsletter.

  2. The School Principal explained that the teacher for each class was provided with a spreadsheet containing information about the students in the particular class they were teaching, with such information as whether a student had elected “no permission to publish” contained in that spreadsheet. The School Newsletter was prepared by herself, School administrative staff, and other contributors. Teachers and other contributors such as the Parents’ Committee would submit articles, with photos filed in an electronic folder, accessible to the administrative staff collating the information, to be formatted into the School Newsletter.

  3. The School Principal stated that it was the teachers’ role to check and ensure there were permissions for the information and photographs they were sending for publication. It was not the role of administrative staff to check those permissions. Once the Newsletter was compiled by administrative staff, it was sent to the School Principal for final review and editing. The final review and edit included a review of formatting, spelling, grammar, and that there was “no information which should not be included”. Administrative staff would then put it on the School Website and send a message to the School community that it was available on the website.

  4. It was “not regular”, but “not rare” that teachers had not appropriately identified which students’ personal information should not be included in the School Newsletter. The School Principal estimated that this occurred “maybe one thing, once per term”. She clarified that this “once per term” occasion generally involved a “background” photo requiring the blurring of a name, not the image of a student with “no permission to publish”, as “if a teacher is taking a photo, they would not take a photo of a “no permission to publish” child”. The example she gave was a classroom photo in which a student’s name could be seen on an artwork. Prior to the Applicant’s concerns being raised, the School Principal could not remember an occasion in which a student’s identifiable image had been published where that student had not given PTP.

  5. The School Principal stated that she did not look at photos in the draft Newsletter and compare them to the “no PTP” list, as she assumed this was done at a teacher level. She could not say whether the Deputy Principal reviewed photos for publication permission. She relied on the teachers to either not take the photo or to remove or blur out identifying personal information in the photos they submitted to the School Newsletter.

  6. The School Principal was not willing to accept that the publication of the Applicant’s Child’s personal information in the 2022 Newsletter and 2023 Newsletter constituted breaches, or that the system for ensuring there were no such breaches was inadequate. She insisted “I don’t consider it a breach”, that “there are systems in place” and that it was “human error that this has occurred”. She did, however, “accept we did not do the right thing”. She did not completely understand the Applicant’s concern that the Newsletters had not been completely removed from the internet, and was not aware of any “IT system vulnerabilities” which would have required contact with the Department’s Cyber Security team. She relied on the Department’s advice, and because she wasn’t instructed by the Department to inform the School community of the breach, she did not do so.

  7. Specifically in relation to the request to the 2022 Newsletter, the photo of the Applicant’s child had been submitted by the School’s music coordinator and was taken by a parent from the School’s Parents Committee. The School Principal admitted that she had no actual knowledge that the photo had been cross-checked with the student publishing permissions by any teacher. She had no way of verifying whether the photo had been checked but it was her “understanding that any teacher or staff member who submits a photo, checks the permissions”. The Parents Committee did not have records of student authorisations or permissions and did not request or require such permissions when taking or submitting photos.

Was there a breach of s 12(c) of the PPIP Act?

  1. As discussed above at [15] to [19], the Tribunal must consider the reasonableness of the security safeguards taken by the School and the Department against loss, unauthorised access, use, modification, misuse or disclosure of personal information. As outlined in XW v Department of Education and Training [2009] NSWADT 73 at [67] and [92], what is reasonable requires an objective evaluation of:

  1. the nature of the information, including its sensitivity;

  2. the potential gravity of the consequences of any loss, unauthorised loss, use or disclosure of the information;

  3. “who in the agency needs to be able to access [the information] and how access is regulated”; and

  4. the practical difficulties facing the agency, including any resource issues in maintaining and upgrading security arrangements and the fact that the process of upgrading may be gradual.

  1. The Applicant submitted that the School had failed to comply with the Department’s own privacy policies, expressed in Privacy Bulletins which are accessible on the Department’s website, specifically referring to shortfalls in the collection of personal information contrary to PB02 “Collecting personal and health information”, and PB05 on “Photographs and recordings”. The Applicant submitted that:

the Respondent has, at best, paid lip service to its obligation under the Act and to the extent that there are principles and procedures established, they are either or both, deficient or not followed. In this case, that systemic failure is evidenced by, firstly, the publication of the prohibited images – the Publication issue, and secondly, the failure to remedy in a timely manner, the continuing publication of the prohibited images – the Correction issue.

  1. With respect to the process described by the School Principal in her affidavit and oral evidence regarding the maintenance of “no permission to publish” records and the checking and review of those records prior to Newsletter publication, the Applicant submitted that:

At face value, this system of recording and dissemination of those students on the No Permission to Publish list, coupled with the system of review by teachers, staff and Principal if dutifully followed, ought to have avoided any publication breach.

  1. The Respondent submitted that it was reasonable for classroom teachers to be principally responsible for conducting the review of the “no permission to publish” list prior to submitting articles and photos for Newsletter publication, because “teachers spend the most time with students in their classes and would be best placed in identifying the students without a PTP”. The Respondent also submitted that the fact that there were two disclosures of the Applicant’s Child’s personal information does not necessarily demonstrate a “system failure” in breach of s 12(c) of the PPIP Act, because the security safeguards need not be “perfect or ideal in every respect” (see FH v Commissioner, New South Wales Department of Corrective Services [2003] NSWADT 72, at [41]), nor did s 12(c) impose “absolute regulatory liability” (see Director General, Department of Education and Training v MT (2006) 67 NSWLR 237 at [46]).

  2. Having regard to the objective evaluation of reasonableness, I consider that the information is personal information which identifies a minor Child by image and name. Whilst not ‘confidential’ information, personal information is inherently sensitive. The Department acknowledged the Applicant’s grave concerns about his Child’s personal information being disclosed, particularly given the Applicant’s employment background. I accept the Applicant’s safety concerns for his Child consequent to the disclosure of their personal information as reasonable, although not necessarily significant or imminent.

  3. While it is reasonable that teachers are primarily involved in identifying which students are subject to publication restrictions, because the record of whether a student had a PTP or not was held by each class’s teacher, the evidence demonstrates that it was not just classroom teachers who submitted information and photographs to the School Newsletter for publication. As was the case with the 2022 Newsletter, photographs taken by individuals not employed by the School (in a classroom teaching capacity or otherwise) were accepted for submission. The Parents Committee had no record or knowledge of which students had granted PTP, and which had not, and yet photos taken by them were clearly accepted by the School’s administrative staff and Principal for publication in the School Newsletter.

  4. The School Principal’s evidence under cross examination also did not satisfy me that in practice, the system intended to safeguard students’ personal information was implemented. She made no mention of the process referred to in her written evidence, described above at [37], and I am not satisfied on the evidence before me that administrative staff did, in fact, check permissions to publish with class teachers, or that emails were sent to staff reminding them about students that did not have a PTP prior to the publication of each School Newsletter. Those safeguards, in any event, would not protect a student’s personal information being submitted by the Parents’ Committee or by teachers or other School employees who did not have access to a particular class list containing the relevant students’ PTP.

  5. I therefore find that there has been a breach of s 12(c) of the PPIP Act by the Respondent with respect to the reasonableness of safeguards in place for the protection of students’ personal information at the School. Those safeguards are not reasonable in the circumstances.

Was there a breach of s 17 of the PPIP Act?

  1. The Privacy Internal Review report found that the publication of the Child’s personal information in the 2022 Newsletter and the 2023 Newsletter was “use” of that personal information within the meaning of s 17 of the PPIP Act, in addition to “disclosure” within the meaning of s 18 of the PPIP Act.

  2. In the Privacy Internal Review a breach of s 17 of the PPIP Act was found on the basis that the Department requires “consent to be obtained from parents and carers in order to publish information about students in publicly accessible communications” and that consent had not been obtained. At hearing, however, the Respondent submitted that this finding “proceeded on the erroneous assumption that the publication of the Child’s personal information in the 2022 and 2023 Newsletters constituted a separate use that breached s 17”.

  1. A breach of s 17 of the PPIP Act, or IPP 10, will arise if the purpose for which the information was collected differs from the purpose for which it is later used: RL v Department of Education and Training [2009] NSWADT 257 at [27]. The Applicant submitted that “he did not give permission for this specific use”, being the publication of his Child’s personal information in publicly accessible communications, and that “[w]ithout permission [the School] did use the personal information that it had collected in ‘publicly accessible communications’ by publishing the newsletter with the Child’s personal information”. The Respondent submitted that the issue of whether consent to publish had been provided is only relevant to whether s 18 was breached, not s 17, and that a breach of s 18 was conceded.

  2. As discussed above, the authorities are undecided as to whether an Agency’s action can constitute both a “use” and a “disclosure” under the PPIP Act, or if finding that one has occurred precludes the other. In my view the correct approach is to view disclosure as a particular form of use, consistent with Director General, Department of Education and Training v MT (GD) [2005] NSWADTAP 77 at [29] and [33]. However, as discussed in AFC v Sydney Children’s Hospital Specialty Network [2012] NSWADT 189 at [42], and AIN v Medical Council of New South Wales [2017] NSWCATAP 23 at [81], there cannot be both “use” and “disclosure” arising from the same action or course of conduct. Whether conduct amounts to both a “use” and a “disclosure”, or either a “use” or “disclosure” is dependent on the effects of that conduct. In this context, the “use” of the Child’s personal information is its “disclosure” by publication to the School community via the 2022 and 2023 Newsletters. There is no evidence of “use” which is separate from the act of “disclosure” by publication. I agree with the Respondent’s submission that:

The newsletters were prepared for the purpose of communicating to parents, carers and the broader community information and links on activities, policies, and future plans for the school, as well as to showcase and celebrate students’ achievements. The preparation and publication of the 2022 and 2023 Newsletters should be viewed as “one course of conduct that falls to be considered as a disclosure” and not a “use”.

  1. There is no evidence of “use” of the Child’s personal information for any purpose other than that for which it was collected. I therefore find that there was no breach of s 17 / IPP 10 by the Respondent.

Relief sought

  1. The Applicant sought the following relief:

1) Order the Department to establish a process of review of proposed publications providing for:

a) a suitably qualified person to review all publications to avoid publication of information in respect of persons who have notified their decision against publishing the person’s personal information (the first qualified person).

b) the first qualified person is to certify that they have inspected the publication to confirm that the publication does not include any prohibited information. A further qualified person is to review the article or proposed publication and the authorisation provided by the first qualified person and to provide a record of that inspection by way of further authorisation.

c) the Principal or any Acting Principal to review that the dual level of inspection and authorisation has been provided.

2) In the event of an unauthorised disclosure, upon notification of or detection of such an unauthorised disclosure:

a) the Principal or their nominee is to notify the breach in accordance with the Department’s Data Breach Policy and to provide notice also to the Cyber Security team.

b) the School is to remove the publication and confer with Cyber Security team about its removal.

c) the Cyber Security Team is to confirm that the publication has been removed.

  1. The relief sought by the Applicant for breaches of the Act did not distinguish between the alleged breaches.

  2. The Respondent submitted that the Tribunal should make no further orders under s 55 of the PPIP Act. I do not agree that is the correct and preferable course in the circumstances of these proceedings. The evidence demonstrates that there is a disconnect between the Department’s privacy obligations and their practical implementation at a School level, where there is broad scope for breaches of student privacy to occur. A parent less aware of their child’s privacy rights and the Department’s obligations than the Applicant, and less tenacious at advocating for their Child and pursuing their rights, would likely experience similar issues to those encountered by the Applicant. Orders are appropriate to ensure that disconnect is rectified, to ensure the Department can better meet its privacy obligations to students’ personal information.

  3. The Applicant submitted that the Respondent’s publishing guidelines distinguished between “School Communities” and “General Public” publications, and a superficial review of other School websites demonstrated that many other public primary and high school websites contained newsletters which were freely available to the general public, rather than being restricted to the School Communities, as required by the Respondent’s guidelines. I give that evidence little weight in circumstances where the relevant issue before the Tribunal was the Respondent’s breaches in relation to the Applicant’s Child’s personal information, and there was no evidence from other individuals whose personal information had been affected in a similar manner. Even so, the Applicant’s evidence demonstrates that the Department does, in fact, have processes and published guidelines in place to ensure that the IPPs are complied with at a School level. The Child’s School failed to implement the Respondent’s Guidelines and processes to ensure the information they collected from students, and the manner in which it was disclosed, was consistent with the Respondent’s privacy obligations.

  4. In my view the evidence in these proceedings does not directly demonstrate that the privacy breaches by the Department – specifically, failing to comply with s 12(c) and s 18 of the PPIP Act with respect to the Applicant’s Child’s personal information – are necessarily systemic throughout other Schools under the Department’s control. This is largely because the Department effectively delegates oversight and management of the Department’s privacy obligations towards students to the individual Schools at which those students are enrolled, and the evidence in these proceedings demonstrates that, in at least the School subject of these proceedings, the School relies on individual class teachers to ensure compliance with privacy obligations. The devolution of responsibility with little active oversight, except where complaints are made, supports the Tribunal drawing inferences on the evidence provided, on the balance of probabilities, that many such breaches occur without the affected parties’ knowledge or awareness, and the number of breach notices or complaints received by the Department would be only a subset of the actual breaches occurring at a School level.

  5. The Applicant’s proposed relief requires a secondary and tertiary level of review of School publications to ensure they do not contain the personal information of those students who had elected “no permission to publish”. The Respondent submitted that the Applicant’s proposed orders would not necessarily reduce the risk of “human error”, and would be time consuming and expensive:

… there were around 650 to 750 students enrolled at [the School]. It could be expected that it would take a significant amount of time and additional resources for the qualified persons to undertake the secondary and tertiary reviews of this large number of students enrolled at [the School], who might be included in a publicly accessible publication. This would involve cross-checking each student whose personal information is included in a newsletter has a PTP. The difficulty of this task is compounded by the lack of familiarity a qualified person might have with the students, as compared to their classroom teachers. Further, if a [School] staff member were appointed as a “qualified person”, it could be expected that the undertaking of the secondary and tertiary review would divert that staff member from their regular duties.

  1. In my view it is disingenuous for the Respondent to complain about the School’s particular resourcing capabilities in ensuring compliance with the Department’s privacy obligations. It is the Department’s obligation to ensure that Schools are sufficiently resourced to comply with statutory obligations. I also do not accept that the implementation of an additional review of any publications would “involve cross-checking each student whose personal information is included in a newsletter has a PTP”, the implication being that the publication would need to be cross-checked against a list of 650 to 750 students. On the School Principal’s evidence, taken at her highest estimate, the potential list of students with no PTP would amount to 130 students. There is no reason why that list of students should not be cross-checked, instead of the entire student population.

  2. Where the School’s system fails is at the point of submission. The School relied entirely on individual class teachers to ensure the information being submitted for publication by them did not violate the Department’s privacy obligations. As discussed above, this is insufficient.

  3. More significantly, the School also accepted submissions for publication from individuals and organisations in the “School Community”, including the Parents’ Committee, in circumstances where those individuals and organisations had no knowledge of any permissions or refusal of permissions provided by the students, no formal relationship with the School or the Department requiring their knowledge or compliance with Departmental privacy policies, and no acknowledgement of their own privacy or other statutory obligations. In these circumstances, the Parents’ Committee collected personal information of the Child (and other students), submitted that personal information for publication to the School, and that personal information was published by the School without further checks.

  4. For these reasons, it is insufficient to rely solely on the person or organisation providing a submission to a School for publication, to ensure compliance with the Department’s privacy obligations. A secondary level of review before a School publishes information online is necessary. According to the School Principal in these proceedings, this secondary review is already being done, by her, as part of a final review of the draft School Newsletter including formatting, spelling and grammar. Taking into account the numbers of students at a School and the workloads of administrative staff, teachers and principals, it is still reasonable for a School to have an individual – whether the Principal or an administrative staff member familiar with that School’s students – conduct a final review of each publication before it is publicly disseminated on the internet, to ensure compliance with the Department’s privacy obligations. This reviewer would have to have knowledge of the Department’s privacy obligations, relevant policies, as well as the specific list of permissions or non-permissions provided by individual students. Without this secondary review, there should be no external publication.

  5. In relation to the second order proposed by the Applicant, I am satisfied that the Respondent has appropriate data breach policies in place and I am not convinced on the evidence before me that there are systemic issues warranting involvement with the Department’s Cyber Security Team as a matter of course. While the Department’s actions in dealing with the privacy complaint and actioning the Applicant’s requests were not immediate, in my view the Department took appropriate action within a reasonable timeframe, given the time of year in which the request was made. The School Principal notified the breach immediately and the 2023 Newsletter was removed from the School website within 4 days. Whilst it remained accessible online for another 3 months, I am satisfied that the Department was actively taking steps to ensure its removal with external parties such as Google, and kept the Applicant informed of its actions.

  6. I agree with the recommendations made by the Department’s Report, outlined above at [7]. The School Principal’s evidence is that those recommendations were implemented, and I accept that evidence. In my view, as a consequence of the breaches identified in these proceedings, what is missing from those recommendations is requiring the Department, through the School, to make the School Community aware of the Department’s privacy obligations, and specifically those privacy obligations regarding photographing students. This is necessary and reasonable where Schools are routinely involving members of their School Communities in taking photos and assisting in activities involving their children and other students, as occurred in these proceedings.

  7. Additionally, in my view the Principal’s decision not to inform the School Community that there had been a privacy breach, because she was not required to by the Department, was unfortunate. Failing to inform the School Community of the breach was a missed opportunity for accountability by the School, and education of the School Community of its privacy rights and obligations. Where there has been an acceptance or acknowledgement by the Department that its privacy obligations were breached by the School in particular circumstances, this should be communicated to those affected by that breach. In these circumstances, those affected included not only the Child and the Applicant, but the audiences of the 2022 and 2023 Newsletters.

  8. The Applicant submitted that the School had failed to comply with the Department’s own privacy policies, expressed in Privacy Bulletins PB02 and PB05 which are accessible on the Department’s website. The Department’s Privacy Bulletin on “Photographs and recordings” accessible at was last revised in June 2020 and last updated on 16 July 2021. Having regard to the breaches found and the provisions of s 55(2) of the PPIP Act, it is appropriate for the Tribunal to order pursuant to s 55(2)(g) that the Department review its Privacy Bulletin on Photographs and Recording, and update it in accordance with these reasons for decision to include the obligations of members of School Communities, a requirement for a secondary review by the School prior to disclosure and publication to ensure compliance with individual PTPs, and requirements for breach notifications. The updated Privacy Bulletin should be disseminated to School Communities by Schools in their respective School newsletters, bulletins, and however else they communicate with their School Communities.

Orders

(1) The Tribunal affirms the Respondent’s reviewable decision of 28 March 2024 that the Respondent breached s 18 of the Privacy and Personal Information Protection Act 1998 (NSW).

(2) The Tribunal sets aside the remainder of the Respondent’s reviewable decision of 28 March 2024, and in accordance with these reasons for decision, in substitution, decides that:

(a) the Respondent breached s 12(c) of the Privacy and Personal Information Protection Act 1998 (NSW); and

(b) the Respondent did not breach s 17 of the Privacy and Personal Information Protection Act 1998 (NSW).

(3) Pursuant to s 55(2)(g) of the Privacy and Personal Information Protection Act 1998 (NSW), the Tribunal orders the Respondent to review and update its Privacy Bulletin on Photographs and Recordings in accordance with these reasons for decision, and disseminate the updated Privacy Bulletin to School staff and School Communities.

(4) The publication or broadcast of the name of the Applicant, the Applicant’s Child, the School attended by the Child, the School’s Principal and staff is prohibited. This order is made under section 64(1)(a) of the Civil and Administrative Tribunal Act 2013.

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 02 May 2025
