Kelloway v Registrar of Births Deaths and Marriages
[2023] NSWCATAD 34
•14 February 2023
Civil and Administrative Tribunal
New South Wales
Medium Neutral Citation: Kelloway v Registrar of Births Deaths and Marriages [2023] NSWCATAD 34 Hearing dates: 14 October 2022 Date of orders: 14 February 2023 Decision date: 14 February 2023 Jurisdiction: Administrative and Equal Opportunity Division Before: J McAteer Senior Member Decision: (1) The decision of the respondent is set aside.
(2) The proceedings are listed for Directions before Senior Member McAteer on a date within 28 days of the publication of these reasons, (or such later date as may be agreed by the Tribunal), by arrangement with the Divisional Registrar.
Catchwords: ADMINISTRATIVE LAW - Privacy – Personal Information – disclosure – public register - whether Internal Review sought – whether jurisdiction of Tribunal enlivened – whether IPPs apply – where party runs a different case on review – conduct
Legislation Cited: Administrative Decisions Review Act 1997
Births Deaths and Marriages Registration Act 1995
Civil and Administrative Tribunal Act 2013
Civil and Administrative Tribunal Rules 2014
Health Records and Information Privacy Act 2002
Privacy and Personal Information Protection Act 1998
Privacy and Personal Information Regulation 2019
Privacy Act 1988 (Cth)
Cases Cited: AQK v Commissioner of Police, NSW Police Force [2014] NSWCATAD 55
CYL v YZA [2017] NSWCATAP 105
Drake v Minister for Immigration and Ethnic Affairs [1979] AATA; (1979) 46 FLR 409
HealthShare NSW v CJU [2022] NSWCATAP 316
PC v University of NSW [2005] NSWADT 157
PN v Department of Education and Training [2010] NSWADTAP 59
Skase and Minister for Immigration and Multicultural and indigenous Affairs [2005] AATA 200
University of New South Wales v PC (GD) [2008] NSWADTAP 126
Texts Cited: None Cited
Category: Principal judgment Parties: Sarah Kelloway (Applicant)
Registrar of Births Deaths and Marriages (Respondent)Representation: Counsel: N/A
Solicitors:
Applicant: SBA Lawyers
Respondent: Crown Solicitor
Privacy Commissioner: N/A
File Number(s): 2022/00147921 Publication restriction: Nil
Reasons for decision
-
These proceedings concern the disclosure by the Registrar of Births Death and Marriages (the Registrar) of personal information of Sarah Kelloway (Ms Kelloway) that they held in a Public Register. There is no dispute (subject to jurisdiction) that the information meets the definition of personal information, and that it was provided by the Registrar to a third party.
-
Ms Kelloway became aware that her personal information (a copy of her Birth Certificate) had been released to a third party engaged in private legal proceedings. After pursing the matter with the Registrar from February 2022 onwards Ms Kelloway then lodged an administrative review application with the Tribunal in late May 2022.
-
Initially the Registrar conceded that the release of the Birth Certificate amounted to a breach of the relevant privacy legislation and attempts were made to settle the matter confidentially by way of discussions between the parties. However after August 2022 the Registrar changed their position from previous statements and ran a fresh argument that the privacy legislation had not been contravened in the circumstances of Ms Kelloway’s personal information being released.
-
The Registrar also objected to jurisdiction in that the later position included a view that there had been no valid internal review so the Tribunal’s jurisdiction had not been enlivened. Finally even if the Tribunal had jurisdiction the Registrar maintained that there was no privacy breach due to the operation of privacy Legislation and their own Legislation concerning public registers.
-
Having considered the matter at hearing, and the submissions of the parties I have found that there is both jurisdiction to hear the application and that the disclosure of Ms Kelloway’s personal information held in a public register (in the circumstances of this disclosure) amounts to a breach of privacy Legislation.
Background
-
In March 2020 the Registrar provided a copy of Ms Kelloway’s Birth Certificate to a Solicitor. The Solicitor advised the Registrar prior to release that he acted for a relative who was considering legal proceedings against Ms Kelloway in a Court in Peru relating to previous property transactions between her and her mother.
-
The Solicitor also advised that the Birth Certificate would be important in maintaining and succeeding in the proposed legal proceedings. The Solicitor confirmed that he did not act for Ms Kelloway.
-
In early 2022 Ms Kelloway became aware of the release of her Birth Certificate and complained to the Registrar on 21 February 2022. On 28 February 2022 the matter was accepted by the Registrar as an Internal Review under s 53 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act). The matter was characterised as a breach of the Information Protection Principles (IPP’s) by the disclosure of person information in a Public Register as well as some related IPPs.
-
Under the PPIP Act a public sector agency musty complete the internal review as soon as practicable, but if it is not completed within 60 days then an applicant may apply to the Tribunal for Administrative Review.
-
As the Registrar had not finalised the Internal review within 60 days Ms Kelloway lodged her Administrative Review with the Tribunal on 23 May 2022.
Relevant legislation
-
Section 53 of the PPIP Act relevantly provides in respect of the Internal Review Process, the following:
53 Internal review by public sector agencies
(1) A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.
(1A) There is no entitlement under this section to the review of the conduct of a Minister (or a Minister’s personal staff) in respect of a contravention of section 15 (Alteration of personal information).
Note. Any such conduct can still be administratively reviewed by the Tribunal. See section 55 (1A).
(2) The review is to be undertaken by the public sector agency concerned.
(3) An application for such a review must:
(a) be in writing, and
(b) be addressed to the public sector agency concerned, and
(c) specify an address in Australia to which a notice under subsection (8) may be sent, and
(d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and
(e) comply with such other requirements as may be prescribed by the regulations.
(Emphasis added)
-
Section 18 of the PPIP Act concerns the alleged breaches identified by Ms Kelloway, that is the disclosure of her personal information being her Birth Certificate, to the Solicitor for a third party. Disclosure concerns an Information Protection Principal the relevant IPP being IPP 11 which concerns s 18 of the PPIP Act. Section 18 provides:
18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
-
Overarching these IPP’s is the definition of Personal Information provided for in section 4 of the PPIP Act. Section 4 provides:
4 Definition of “personal information”
(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2) Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.
(3) Personal information does not include any of the following:
(a) information about an individual who has been dead for more than 30 years,
(b) information about an individual that is contained in a publicly available publication,
(c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,
(d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,
(e) information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure,
(f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,
(g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,
(h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,
(i) information about an individual that is contained in Cabinet information or Executive Council information under the Government Information (Public Access) Act 2009,
(j) information or an opinion about an individual’s suitability for appointment or employment as a public sector official,
(ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000,
(k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.
(4) For the purposes of this Act, personal information is held by a public sector agency if:
(a) the agency is in possession or control of the information, or
(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or
(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.
(5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.
-
The PPIP Act provides that a person who is not satisfied with the findings of an Internal Review or the action taken by the agency may apply to the Tribunal for an administrative review. (s-55). Following administrative review by the Tribunal a suite of actions are available to the Tribunal under s 55 (2) including to take no action on the matter.
-
Section 55 relevantly provides:
55 Administrative review of conduct by Tribunal
(1) If a person who has made an application for internal review under section 53 is not satisfied with:
(a) the findings of the review, or
(b) the action taken by the public sector agency in relation to the application,
the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.
(1A) A person (the applicant) who is aggrieved by the conduct of a Minister (or a Minister’s personal staff) constituting a contravention of section 15 (Alteration of personal information) may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct.
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.
-
There is no dispute that Ms Kelloway’s Birth Certificate is personal information as it contains matters which are the applicant’s particulars and meet the requirements of:
information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
Internal Review by respondent: Is there jurisdiction?
-
Following receipt of the privacy complaint, the Registrar conducted an Internal Review. As foreshadowed above the Registrar subsequently changed their position on whether an Internal Review had been applied for and whether one had been conducted.
-
The documents filed under s 58 of the Administrative Decisions Review Act 1997 (the ADR Act) by the Registrar include a document titled ‘FO20 Internal Review’. This appears to be a chronology or timeline of events as to what transpired with the application for and release of Ms Kelloway’s Birth Certificate to the third party Solicitor. Also included at Tab 5 of the s-58’s is a copy of the completed Internal Review.
-
The Registrar’s delegate refers to the completed Internal Review and identifies various IPP’s being: s 12 (Retention and security of personal information), s – 17 (Limits on use of personal information), s-18 (Limits of disclosure of personal information), and s 19 (Special restrictions on disclosure of personal information). It appears from the contents of this document that the Registrar understood that they were dealing with an Internal Review under the PPIP Act and conducted and completed a review accordingly, albeit not within 60 days.
-
Of note is the fact that when conducting the Internal Review the reviewer addressed privacy beaches under both the PPIP Act and the Births Deaths and Marriages Registration Act 1995 (the BDMR Act). The Internal Review document is brief mainly comprising the equivalent of an executive summary rather than an outline of the inquires and investigation undertaken, preliminary findings and then findings after applying any relevant exemption provisions either within the IPP’s or within Part 2 Division 3 of the PPIP Act.
-
However notwithstanding the brevity it is clear from the Internal Review that the Registrar found that there was a failure to check the entitlement of the Solicitor to the Birth Certificate thus contravening s 12. There is also a finding that s 17 was breached in that the use (by disclosing the Certificate without Ms Kelloway’s consent) was a breach of the ‘use’ IPP and that consequently s 18 was breached because that use amounted to an unauthorised disclosure, as it was absent consent or alternate provisions such as dealing with imminent and serious threats were not enlivened.
-
The final PPIP Act finding concerned s 19, which covers special restrictions on disclosure of personal information. The section provides:
19 Special restrictions on disclosure of personal information
(1) A public sector agency must not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person.
(2) A public sector agency that holds personal information about an individual must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless—
(a) the public sector agency reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the information protection principles, or
(b) the individual expressly consents to the disclosure, or
(c) the disclosure is necessary for the performance of a contract between the individual and the public sector agency, or for the implementation of pre-contractual measures taken in response to the individual’s request, or
(d) the disclosure is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the public sector agency and a third party, or
(e) all of the following apply—
(i) the disclosure is for the benefit of the individual,
(ii) it is impracticable to obtain the consent of the individual to that disclosure,
(iii) if it were practicable to obtain such consent, the individual would be likely to give it, or
(f) the disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person, or
(g) the public sector agency has taken reasonable steps to ensure that the information that it has disclosed will not be held, used or disclosed by the recipient of the information inconsistently with the information protection principles, or
(h) the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law.
(3)–(5) (Repealed)
(Emphasis added)
-
Because none of the provisions applied in the absence of Ms Kelloway’s consent and that other provisions clearly were not enlivened in the circumstances the Registrar found that there was a breach of s-19 of the PPIP Act.
-
The Internal Review then addressed the BDMR Act issues that they believed applied to the matter. Section 48 of the BDMR Act was identified as relevant to the protection of privacy of Ms Kelloway as it applied to the release of her personal information held in a Public Register. The section provides:
48 Protection of privacy
In providing information extracted from the Register, the Registrar must, as far as practicable, protect the persons to whom the entries in the Register relate from unjustified intrusion on their privacy.
-
The Registrar advised that subsequent to Ms Kelloway raising the release of her Birth Certificate without her consent, they had placed a ‘block’ on her birth record on 10 March 2022 to ensure security of her record.
-
Further in response to the findings, in addition to apologising for the privacy breaches, the Registrar advised that they had implemented measures to ensure that Ms Kelloway’s experience cannot be repeated, or reoccur (presumably with other individuals).
-
The Internal Review concluded with the appropriate procedural advice concerning an application to the Tribunal should she be dissatisfied with the outcome of the Internal Review. The Internal Review is undated but clearly was completed and forwarded to Ms Kelloway sometime after 23 May 2022.
-
The PPIP Act provides guidance as to the preconditions for an Internal Review. Part 5 of the PPIP Act provides for the review of certain conduct. Section 52 provides the scope of the application of the Part. Section 52 provides:
52 Application of Part
(1) This Part applies to the following conduct—
(a) the contravention by a public sector agency of an information protection principle that applies to the agency,
(b) the contravention by a public sector agency of a privacy code of practice that applies to the agency,
(c) the disclosure by a public sector agency of personal information kept in a public register.
(2) A reference in this Part to conduct includes a reference to alleged conduct.
(3) This Part does not apply to any conduct that occurred before the commencement of this Part.
(4) Section 53 (Internal reviews) of the Administrative Decisions Review Act 1997 does not apply to or in respect of conduct to which this Part applies.
(Emphasis added)
-
Ms Kelloway raised a privacy grievance with the Registrar. She wrote an email to the Registrar on 21 February 2022 stating:
‘I’ve just found out that my birth certificate has been obtained by someone else and submitted as part of overseas court paperwork (hasn’t been officially served yet) but I didn’t request this certificate. My parents didn’t request it and no one has been authorised to request it. ……
I’ve spoken to my solicitor who recommended contacting BDM to understand how this happened in order to proceed. …..
-
In my view it is clear that Ms Kelloway is raising a matter where she is concerned about the unauthorised release of her personal information (her Birth Certificate). She seeks to understand how the circumstances have arisen / occurred. In this regard she is asking BDM (the Registrar) to look into the matter. After various email exchanges confirming the matter Ms Kelloway advised on 28 February 2022 that she was seeking advice. She then requests:
I’ve been advised to make sure I note that these emails are a formal complaint about my birth certificate being obtained without my permission.
-
It appears that from this moment the Registrar treats the matter as a privacy Internal Review under the PPIP Act. In doing so they were clearly satisfied that the mandatory preconditions of s 53 (3) had been met in that the matter was (a) in writing (b) addressed to the relevant Agency concerned, (c ) provided an address in Australia for which the results / findings of the review can be sent to, (in this case Ms Kelloway’s email address being a yahoo.com.au address), (d) be lodged with the Agency within 6 months of becoming aware of the breach, in this regard her email of 21 February 2022 uses the words: ‘I’ve just found out…’ and (e) complies with such other requirement as the Regs provide. I note that no matters in respect of Internal Reviews are provided for in the Privacy and Personal Information Regulation 2019.
-
I also note that the case of PC v University of NSW [2005] NSWADT 157 deals with the form of an Internal Review application, especially in circumstances where a lay person is liaising with an Agency. At [9] of PC the Administrative Decisions Tribunal (ADT) observed that:
It is the case as Ms Sharp (for the agency) has explained that we do not insist in the Tribunal – and this in a sense reflects the point you [the applicant] are putting to me – that people write chapter and verse in their letter when requesting a review of an agency’s conduct – the name of the Act, the name of the section and refer to information protection principles. But normally you would expect to see that most of the letters that agencies get do do that but sometimes they do not. We have allowed matters to proceed here which rely on forms of communication to the agency which are less than perfect in mentioning the Act.
-
In CYL v YZA [2017] NSWCATAP 105 the Appeal Panel of this Tribunal applied a common sense approach, namely that if the Agency was able to work out what the issue being raised was, then they could apply the matter as an Internal Review. The issue of whether a (valid) Internal Review had been made, was to be determined objectively. At [58] the Appeal Panel observed:
58. For reasons, again explained in the Tribunal’s case-law, the scope of the application for internal review sets the scope of the proceedings before the Tribunal. Whether an application for internal review has been made is to be determined objectively: see, e.g., PC v University of New South Wales (GD) [2005] NSWADTAP 72 at [28]. Similarly, the scope of the application is a matter of fact to be determined objectively by construing the application reasonably: KO v Commissioner of Police, NSW Police Force (GD) [2005] NSWADTAP 56 at [13]- [17]. The focus is the conduct of which the applicant complains. ‘Conduct’ is the expression used in this area of the law to describe action by the agency or circumstances involving the agency that might amount to a possible contravention of an information protection principle: see PPIPA s 52. There needs to be material that can be understood by the agency, fairly read, as connecting the action or circumstances of concern to a principle, whether or not the principle itself is actually specified by the application.
-
I have considered the Registrar’s submissions at hearing and the position that no privacy practitioner would consider the undated two page determination referred to at [18] – [27] above to be a valid Internal Review. Having reviewed the relevant cases including the ones referred to in CYL, and noting that at the time of the Internal Review the Registrar treated it as a valid Internal Review and provided an outcome (findings and remedies recommended), I find that the provisions of Part 5 of the PPIP Act have been satisfied.
-
On that basis I find that the Tribunal has jurisdiction to determine the matter. The exchange of emails and information between the parties and the review response provide sufficient evidence (in addition to the Registrar’s initial acknowledgement of having conducted an Internal Review) to find jurisdiction.
Administrative review before the Tribunal
-
The application for review was lodged on 23 May 2022 within the 28 day period provided by s 55 of the ADR Act. I calculate this time from the fact that Ms Kelloway nominates 28 February 2022 as the date she asked the matter to be dealt with formally and it appears that the agency has treated the matter as a review from that time. As such the matter was lodged 23 days after the period provided in cl 24 (4) (a1) (ii) of the Civil and Administrative Tribunal Rules 2014.
-
The ADR Act provides in s 63:
Determination of administrative review by Tribunal
In determining an application for an administrative review under this Act of an administratively reviewable decision, the Tribunal is to decide what the correct and preferable decision is having regard to the material then before it, including the following:
(a) any relevant factual material,
(b) any applicable written or unwritten law.
For this purpose, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision.
In determining an application for the administrative review of an administratively reviewable decision, the Tribunal may decide:
(a) to affirm the administratively reviewable decision, or
(b) to vary the administratively reviewable decision, or
(c) set aside the decision and make a new decision in substitution for the decision.
-
The Tribunal is required to make a fresh determination with respect to the application. It is however an administrative review of the conduct (as alleged within scope) and the findings of the respondent following that review.
-
The Tribunal’s function on review under section 63 of the Administrative Decisions Review Act 1997 (the ADR Act) is to make the correct and preferable decision having regard to the material before it, and any applicable written or unwritten law. It is well established that in considering an application for review the Tribunal is not constrained to have regard only to the material that was before the agency, but may have regard to any relevant material before it at the time of the review: Drake v Minister for Immigration and Ethnic Affairs [1979] AATA; (1979) 46 FLR 409.
-
In her application Ms Kelloway stated that she had officially complained to BDM and a review or explanation had not been provided. Ms Kelloway then summarises the conduct concerning the release of her Birth Certificate and notes that more than 60 days have elapsed since she raised the official complaint.
Evidence and Submissions
-
The Parties filed evidence in the proceedings and both parties filed written submissions. In addition both parties were legally represented by the time of the hearing and provided detailed oral submissions at hearing.
Ms Kelloway’s written evidence
-
Ms Kelloway filed a large volume of material in response to the Registrar’s s 58 documents. This material consisted of matters relating to the Peruvian Court case related to property transactions. There were three parts to the Court file in Spanish and accompanying translations and documents relating to disbursements. This evidence was mainly prepared for a damages aspect of the case (which was discussed in settlement discussions between the parties in the months prior to the hearing). The Tribunal did not formally receive this material at this stage as the parties agreed that the hearing would only deal with liability issues relating to jurisdiction, the legislation (including statutory interpretation), and whether there was any breach by the Registrar’s (or their delegate’s) conduct.
Registrar’s evidence
-
The Registrar filed one affidavit which was received without objection. The deponent was not called and the affidavit was read. (Affidavit of B Finn affirmed 25 August 2022 with annexures ‘A’ – ‘C’ inclusive). Exhibit ‘R-1’.
Registrar’s written submissions
-
I have placed these submissions first as Ms Kelloway’s submissions are in part in response to them. The submissions set out the background to the grievance and the history of the matter before the Tribunal including references to initial settlement approaches followed by a change of position in the Registrar’s response to the matter.
-
The Registrar submitted that any concession made by a party prior to the hearing of the substantive proceedings were immaterial to the role of the Tribunal. They submitted that in an administrative review if the matter does not resolve between the parties first, then the Tribunal determines the matter afresh, irrespective of any prior findings or position which may have been reached.
-
Reference was made to University of New South Wales v PC (GD) [2008] NSWADTAP 126 at [50]:
The Tribunal is not bound in review proceedings to adopt concessions emanating from the Bar Table. The duty of the Tribunal is to reach the ‘correct and preferable’ decision in the circumstances (ADT Act, s 63) by a process of inquiry. When undertaking the review of administrative conduct, as here, the Tribunal is not engaged in the resolution of an adversarial contest of the kind typical of civil litigation. It may well be that in the latter class of case, concessions must be adopted if they are given on an informed basis, and especially if competent counsel give them.
-
The Registrar submitted that fresh evidence on a different position (to that communicated previously) would be permissible and that to deny the receipt of such evidence would be procedurally unfair to that party.
-
The Registrar submitted that the previous findings of their agency were predominantly flawed in that (for example) the reference to the breach of the use principle (s-17) failed to take account of the Tribunal’s case law that use was confined to use within an Agency.
-
The Registrar also submitted that s 25 of the PPIP Act authorised the use in that information in public registers was available for members of the public and that was it purpose of being held in the register. Reliance was placed on the case of PN v Department of Education and Training [2010] NSWADTAP 59.
-
The Registrar also submitted that there was no breach of s 18 (1) (a) concerning disclosure because the information directly relates to the purpose for which it was collected and the Registrar has no reason to believe that Ms Kelloway would object to the disclosure (in the terms and context disclosed). This submission is somewhat broad reaching where it appears that the Agency is saying that any disclosure under s 18 (1) (a) is permissible unless the Agency is specifically aware of a valid basis of objection from the individual.
-
As a preliminary position this approach seems to put a reverse onus on the IPP’s and in my view is contrary to the long title of the PPIP Act. Whether the information is in a public register or not, the dominant interpretation has always been (in the absence of a specified legislative exemption) that personal information can be disclosed for the purposes for which it was collected, but only with consent unless when an individual lodges that information with the agency themselves and under a privacy notice is made aware of the purpose of collection and the nature of how the information will be used (if at all) including disclosure. The Registrar’s ‘reverse onus’ submission appears to require all individuals to notify an agency that their personal information is not to be disclosed, otherwise information will be disclosed routinely under s 18 (1) (a).
-
The Registrar submitted that there was no breach of s 18 because they only became aware of an objection to disclosure after the disclosure had occurred The Registrar submitted that:
-
The fact that it later became aware (of the objection) is not relevant to the availability of the exception in s 18 (1) (a).
As noted above I hold significant concerns about that submission, not just on the wording and interpretation of that disclosure IPP, but all of the IPP’s (s 9-19 inclusive), and the Registrar’s own policies which I address below.
-
The Registrar also submitted that the general s 25 PPIP Act exemption applies because the BDMR Act authorises the issuing of a certificate to a person who has adequate reason (s 46 and 47 of the BDMR Act).
-
The Registrar also submitted that s 19 of the PPIP Act did not apply because the disclosure outside of Australia was not made by the Registrar but the Solicitor who received the Birth Certificate.
-
Submissions were also made about the lack of applicability of s 12 to Ms Kelloway’s claim, (Retention and Security of personal information). In this regard the Registrar relied on the evidence of Mr B Finn (Exhibit ‘R-1’). Ms Finn who is the Director Operations at the NSW Registry of Births Deaths and Marriages sets out the uncontested history of the process that led to the release of Ms Kelloway’s Birth Certificate. The affidavit confirms that the Registrar knew that the information was to be used against Ms Kelloway.
4. On 21 February 2020 Battalion Legal responded to the letter sent 6 February 2020 to advise that they were not applying for the applicant’s birth certificate on her behalf, as their client’s court case was against her.’
-
The affidavit deposes that the Registrar received internal legal advice that the Certificate could be released for the purpose of court proceedings. Mr Finn deposes that he would have released the Certificate consistent with s 46 of the BDMR Act and consistent with the advice of the internal legal officer had Mr Finn been in a position to make the decision.
-
Mr Finn deposes at [16] that a privacy internal review was conducted (in response to Ms Kelloway’s complaint) and finalised ion 2 June 2022. The affidavit goes on at [17] to refer to the ‘access to information policy which provides direction on maintaining reasonable safeguards to protect personal information’, and the affidavit annexes the Policy at annexure ‘C’.
-
Annexure ‘C’ contains a document titled PO 06 Access to Information Contained in the Register Policy . That Policy lists at Item 2.1 which person or organisations are entitled to have access. In the main they are the person to whom the information relates, or their delegate such as an Attorney under an EPOA, or law enforcement entities. One item covers:
A person or organisation that has an adequate reason for wanting access to the Register.
-
Item 2.2 sets out what is an Adequate reason for allowing access to information. The section lists nature, sensitivity, intended use as matters that regard must be had to in considering whether to release information. Examples of adequate reasons under the policy include: purchasing a certificate, research by organisations with ethics approval, statistical purposes such as the ABS, research purposes for medical matters, to allow organisations to determine whether a person is deceased such as banks etc, to enable solicitors to act in a matter on behalf of a client who has an entitlement, and for investigative purposes.
Ms Kelloway’s written submissions
-
The submissions set out the history of the conduct central to the privacy grievance. The vast majority of what had transpired was not in dispute between the parties, the import of what had transpired was the issue.
-
The submissions then addressed the Registrar’s change of position in some detail. It was submitted that the applying Solicitor had not provided the Registrar with adequate reasons for the purpose of s 46 (1) (b) of the BDMR Act which provides:
46 General access to Register
(1) The Registrar may, on conditions the Registrar considers appropriate—
(a) allow a person or organisation that has an adequate reason for wanting access to the Register, access to the Register, or
(b) provide a person or organisation that has an adequate reason for wanting information from the Register, with information extracted from the Register.
(2) In deciding whether an applicant has an adequate reason for wanting access to the Register, or information extracted from the Register, the Registrar must have regard to—
(a) the nature of the applicant’s interest, and
(b) the sensitivity of the information, and
(c) the use to be made of the information, and
(d) other relevant factors.
(3) In deciding the conditions on which access to the Register, or information extracted from the Register, is to be given under this section, the Registrar must, as far as practicable, protect the persons to whom the entries in the Register relate from unjustified intrusion on their privacy.
-
I note that those provisions generally reflect the policy position. However I note that s 48 (3) makes a particular reference to the protection of the privacy of the person to whom the personal information relates.
-
Ms Kelloway submitted that policy PO 06 applied and the decision maker may have regard to it. She submitted that none of the examples listed in the policy applied to the circumstances of her information release and that s 46 (3) had not been complied with.
-
Ms Kelloway through her Solicitor Mr Blanks submitted that Mr Finn’s evidence should be rejected in respect of the adequacy of the release. Submissions made suggested that no adequate reason (because no cogent reason consistent with the policy) was provided to the Registrar, contrary to Mr Finn’s evince at [9] of exhibit ‘R-1’.
-
Further submissions were made about the applicability of s 12 and 17 of the PPIP Act to the matter. A breach of s 12 (c ) and s 17 was maintained by Ms Kelloway.
-
Ms Kelloway submitted that the Registrar’s submission that they had no reason to believe that she would object to the disclosure (s-18) was absurd bearing in mind that the Solicitor had advised that they sought the Certificate in the context where they were acting for a party seeking to sue Ms Kelloway, the purpose of those proceedings was to declare void property transactions between her and her mother, and that obtaining of the Certificate was critical for the success of the proceedings against Ms Kelloway.
-
Ms Kelloway also submitted that the release of the Certificate is not sanctioned by s 25 of the PPIP Act because the release (on her submission) is not authorised by s 46 (1) (b) of the BDMR Act or any other section of the BDMR Act when one had regard to s 48 of that Act.
-
Ms Kelloway also submitted that s 19 (2) of the PPIP Act was enlivened because the Registrar was aware that the information would be sent overseas as the lawyers who applied for the Certificate were acting as Agent for lawyers in Peru.
-
In respect of s 48 of the BDMR Act Ms Kelloway submitted that there was little evidence that all of the personal information in the Birth Certificate was already known to the other party in the Court, and definitely not known to the solicitors. The inquiry seemed to be to confirm, qualify or otherwise verify information that that party held. Ms Kelloway submitted that: ‘The concept of unjustified intrusion of privacy is to be construed having regard to the requirement in s 46 (1) (b) (BDMR Act) for a person to provide adequate reasons to obtain a birth certificate and the respondent’s policy in relation to that requirement. The provision of the birth certificate without adequate reasons having been provided constitutes an unjustified invasion of privacy for the purposes of s 48.’
-
Further submissions were made in respect of quantum of damages. As the parties agreed at hearing that the Tribunal was to determine whether there had been a breach in the first instance, it is not necessary to address damages in these reasons.
Respondent’s further submissions
-
The respondent filed submission in reply on 23 September 2022. (four and a half pages). The first two pages dealt with Ms Kelloway’s submissions agitating concerns about the Registrar’s complete change of position in respect of her case. As the Tribunal is conducting a review of conduct on the information and case before it, and I have already made a finding about the validity of the Internal Review, then it is not necessary to restate those arguments of the parties concerning the change of position. The Internal Review provides a way into the jurisdiction of the Tribunal. The Tribunal (nor the agency – or any party for that matter) is not bound to considered findings and concessions made during that process, but may have regard to any material subject to the requirements of natural justice and procedural fairness. Both parties have had the opportunity to be heard on this issue.
-
This position is consistent with the finding of the Tribunal in the case of AQK v Commissioner of Police, NSW Police Force [2014] NSWCATAD 55. At [46] of AQK the Tribunal observed that:
… The Respondent, in its Internal Review, concluded that there had been a contravention of s.18 of the PPIP Act in the publication of the Minutes on the Intranet, but now resiles from that position.
-
The main other thrust of the Registrar’s submissions was that essentially the PPIP Act was not concerned with a breach of s 48 of the BDMR Act. The Registrar submitted that this position arises because s 56 of the BDMR Act only confers jurisdiction on the Tribunal for a decision of the Registrar. Because s 48 does not authorise the making of a decision then the Registrar submitted that no remedy under s 56 of the BDMR Act arises. The Tribunal notes that from the remedy referred to in s 56, there is only provision for the Tribunal to conduct an Administrative Review (by way of external review) under the ADR Act.
-
Therefore a failure to protect privacy under s 48 of the BDMR Act is not a decision but conduct, in this case arising from a decision, being the decision to release information from the Register. Because of the reference to the word ‘decision’ no ADR Act remedy before NCAT arises. In any event the remedies under the ADR Act are limited. Section 63 (3) provides that:
63 Determination of administrative review by Tribunal
(1)….
(2)….
(3) In determining an application for the administrative review of an administratively reviewable decision, the Tribunal may decide:
(a) to affirm the administratively reviewable decision, or
(b) to vary the administratively reviewable decision, or
(c) to set aside the administratively reviewable decision and make a decision in substitution for the administratively reviewable decision it set aside, or
(d) to set aside the administratively reviewable decision and remit the matter for reconsideration by the administrator in accordance with any directions or recommendations of the Tribunal.
-
This is more limited than the remedies available under s 55 (2) of the PPIP Act as set lout at [15] above.
-
The Registrar submitted that Ms Kelloway’s application of policy to the statutory provisions was misplaced. Their position was that if the legislation lawfully authorised the release of information in a Public Register in the context of the provision that release is permitted to a person: ‘that has an adequate explanation’ then the Registrar is lawfully authorised to release the information.
-
Reference was made to PN’s case as referred to at [49] above. PN was authority for the proposition that where rights were allegedly breached in relation to different statutory mechanism, such as dealing with a workers compensation matter, then such issues should be dealt with through that tailored complaints mechanism not the PPIP Act. At [58] of PN the ADT Appeal Panel observed:
If the Department has breached the guidelines or the statutory provisions in the way it carried out its obligations under the workers compensation regime, as PN's submissions suggest, those are matters to be dealt with through the complaints mechanisms that the workers compensation regime has. The breaches are not open to be litigated within the framework of the privacy legislation.
-
Further submissions re-agitated arguments as to how s 25 of the PPIP Act applied and how sections 12, 17, 18, and 19 have not been contravened if jurisdiction was present.
-
Oral submissions of the parties
-
Both parties made detailed oral submissions during the hearing. No witnesses gave evidence and the Tribunal considered the written submissions and then using its powers under s 38 of the Civil and Administrative Tribunal Act 2013 (the NCAT Act) utilised its powers under s 38 to determine procedure and conduct an inquisitorial inquiry of the respective parties position on the law applied to the facts.
Consideration
-
I have already found preliminary jurisdiction to conduct the administrative review as set out at [34] and [35] above. For completeness I am satisfied that in conducting an administrative review before the Tribunal, a party is entitled to change their position up until the commencement of the hearing, (or at any time prior to the Tribunal’s decision) as long as procedural fairness has been afforded to all parties during that process.
-
In this regard I note that the hearing of the matter set down for 26 August 2022 was adjourned for seven weeks and the timetable for filing of evidence and submissions adjusted accordingly. Whilst Ms Kelloway made a brief submission seeking costs as she believed that the change of position by the Registrar had unnecessarily delayed the resolution of the matter and brought about the need to seek legal representation, the Registrar submitted that those matters did not amount to special circumstances. As s 60 of the NCAT Act applies to these proceedings further brief submissions will be sought once the substantive matter has been decided if costs are still pressed by either party. I do not propose to address costs further in these reasons.
-
Ms Kelloway restated at hearing that she relies in s 52 (1) (c ) of the PPIP Act to ground jurisdiction, especially if the Tribunal accepts that the conditions of s 53 of the PPIP Act have been met. Section 52 is expressed in terms set out more broadly at [28] above. Specifically the provision says:
52 Application of Part
(1) This Part applies to the following conduct—
(a) ..
(b)..
(c) the disclosure by a public sector agency of personal information kept in a public register.
-
It is difficult to see how the conduct of the Registrar (via their delegate) is not captured by this provision. The Registrar (as a public sector agency) disclosed personal information (Ms Kelloway’s Birth Certificate), being information kept in a Public Register.
-
The lawful exemption provided under the BDMR Act arises in the context of s 46 (1) (b) of that Act. The person requesting must provide an ‘adequate reason’. Section 48 of the BDMR Act provides that in providing information extracted from the Register, the Registrar must as far as is practicable, protect the privacy of the person to whom the entries in the Register relate from unjustified intrusion on their privacy.
-
It is clear from the Solicitor’s correspondence tendered in the s 58 documents and received as Exhibit ‘R-2’ that the Solicitors were not aware of the exact contents of Ms Kelloway’s Birth Certificate. In addition they were seeking to use it effectively against her in litigation. Not one of the stated legislative basis or policy guidelines for release appear to have been enlivened by the terms of the request.
-
It would appear, but I make no finding, that due to issues of recognising jurisdiction through a court seal by way of summons, subpoena or some other endorsed instrument or process which might not be recognised in a foreign jurisdiction such as Australia, no process issued for the information via the Court in Peru. Instead the plaintiff in those proceedings appears to have resorted to requesting the information.
-
Such a request might be appropriate when one is seeking non personal information outside the realms of privacy regimes such as the PPIP Act or the Public Registers referred to in both that Act and the BDMR Act.
-
When one considers the basis for the request, and that such information could not in my view ordinarily be held in a public register for release for such a purpose (to use against the person to whom it related without any legislative authority such as law enforcement etc), it seems perplexing that knowing the matters set out in the Solicitor’s correspondence of 21 January and 8 March, applying the policy referred to at s 53 of the BDMR Act and the privacy overarching provisions at s 48 of that Act, the information was still released in the terms sought.
-
My analysis of the statutory provisions identifies the following. The Parliament has passed the PPIP Act to protect the privacy of individuals by restricting access and use of personal information in certain circumstances. The Parliament saw fit to place Public Registers in the PPIP Act by giving them their own Part in that Legislation (Part 6). This clearly indicates that to some extent there is a presumption that privacy protections (however expressed) will apply in some way to the personal information held in public registers. I can think of no other reason to include them via their own Part in the PPIP Act.
-
In addition the Parliament also determined to include the review of conduct which might offend privacy provisions (the IPP’s) in the PPIP Act separate to Part 6. In that regard s 52 (1) (c ) of the PPIP Act provides that the processes and remedies under Part 5 of the PPIP Act apply to the matter of disclosure of personal information, which is IPP’s 11 and 12 or sections 18 and 19 of the PPIP Act. These matters are set out above.
-
Because Public Registers are placed directly within the PPIP Act it is clear to me that the Parliament believed that the disclosure of personal information in such registers was a serious and important matter warranting statutory privacy protection. Further to this the Parliament determined that in respect of disclosure from those registers, the full suite of remedies available under the PPIP Act under Part 5 should be available in such circumstances. It would then follow that the legislative authority to release information from a public register must be applied in conjunction with privacy protections. The BDMR Act makes this clear in my view by the provisions of sections 46 (1), 48 and 53 of that Act.
-
In respect complaints about inadequate retention and security of personal information, (s-12) and the use of that information, (s-17) I find that the Tribunal does not have jurisdiction to determine those matters because they do not fall within the terms of s 52 (1) (c ) of the PPIP Act.
-
It may be that Ms Kelloway has a remedy in respect of those matters by making a complaint to the Privacy Commissioner to deal with under the provisions of Part 4 Division 3 of the PPIP Act. Based on the finding that I have made at the paragraph above it is clear that the Tribunal only has jurisdiction under Part 5. The Privacy Commissioner has an oversight and advisory role under Part 5 when a matter proceeds including to the Tribunal (s 54 and s 55 (6) of the PPIP Act).
-
In respect of dealing with the remaining conduct (s18 – disclosure and for the present purposes s 19 of the PPIP Act in the context of disclosing personal information outside of NSW) I find on the evidence before the Tribunal that no breach of s 19 of that Act has occurred. The personal information was disclosed to a solicitor registered to practice in NSW. The disclosure occurred in NSW and there is no evidence that the Registrar disclosed personal information of Ms Kelloway directly to any person or body outside of NSW.
-
That leaves s 18 of the PPIP Act (disclosure) as the only relevant IPP remaining to consider in the conduct being reviewed by the Tribunal.
-
The Registrar submitted that the case of HealthShare NSW v CJU [2022] NSWCATAP 316 provides authority for the proposition that the Tribunal cannot conduct an inquiry into the merits of other legislation (such as the BDMR Act). At [89] of Heathshare the Appeal Panel observed:
89. The Tribunal’s analysis involved modifying the plain words of s 27A of the PPIP Act by reference to a policy. The Tribunal sought to limit and confine what can be considered to be one of the ‘inquiries’ referred to in s 27A(b)(ii) of the PPIP Act by reference to ‘the Respondent’s policy as regards referrals to other agencies (and/or Local Health Districts in particular)’. There is no warrant for reading down the words of a provision of the PPIP Act by reference to a policy document of an agency. Were that permissible, the meaning of the statutory provision could change from time to time without being amended, whenever the agency changed the terms of its policy. The proper approach to statutory interpretation is well established and does not include the use of policies to modify the meaning of words in statutes (see Project Blue Sky v Australian Broadcasting Authority [1998] HCA 28; 194 CLR 355 at [41] and [69]–[71]). There is, incidentally, no evidence that a policy of the type contemplated by the Tribunal exists. Neither party argued this point and nor were they given the opportunity to do so. It is raised for the first time in the proceedings in the Tribunal’s decision. The parties have therefore not been accorded procedural fairness in relation to it.
-
In my view this case is not directly on point with the current circumstances. In the current matter there is evidence that a policy exists, and that policy has been put in evidence before the Tribunal by the Registrar. In addition the policy is not being agitated in order to ‘write down’ the meaning of the words in s 48 or s 46 (1) or 53, but to amplify their meaning.
-
Whilst Ms Kelloway made significant reference to the Registrar’s Policy and the interplay with the privacy protection under s 48 of the BDMR Act, the alternate approach would envisage that the Parliament has prescribed privacy protections for information held in public registers as discussed above. In my view Ms Kelloway did not seek to modify the plain words of s 48 of the BDMR Act by reference to the policy, merely only to illustrate what in her mind the section meant. This position is bolstered by the inclusion in the BDMR Act of s 46 (3) of the BDMR Act
3) In deciding the conditions on which access to the Register, or information extracted from the Register, is to be given under this section, the Registrar must, as far as practicable, protect the persons to whom the entries in the Register relate from unjustified intrusion on their privacy.
-
In addition there is the public register guidance provided by the PPIP Act because of the inclusion of Part 6 in that statute. Such guidance would in my view include the specific statutory language of the relevant sections where the IPP’s are set out in the PPIP Act. These are the only sections (8-19) inclusive and s 4 where the meaning and import of privacy is set out. All other provisions of the PPIP Act cover powers and applicability not directly concerned with privacy. This is clearly why the drafters have set up the definitions and then the principles separate to the rest of the Act. In the later statute the Health Records and Information Privacy Act 2002 (the HRIP Act), the drafters have taken this approach one step further and quarantined the Health Privacy Principles (HPP’s) in a schedule at the end of the Act.
-
Reference was also made by the Registrar to the case Skase and Minister for Immigration and Multicultural and indigenous Affairs [2005] AATA 200 (Skase) in a similar context to Healthshare.
-
At [34] and [35] of Skase the Administrative Appeals Tribunal; observed:
34. The ordinary meanings of the words “authorise” and “require” from which “authorised and “required” are respectively derived are:
“…. Authorise … 1. To give someone the power or right to do something. 2 to give permission for something…”
“ … require … 2. To demand, exact or command by authority. 3 to have as a necessary or essential condition for success, fulfilment, etc…”
35. There is no reason to depart from these ordinary meanings. If a law gives someone the power to disclose personal information or the right or permission to obtain it or if the law demands that personal information be disclosed, the record-keeper is not prevented from disclosing it by operation of cl.1 of IPP11.
-
This submission by the Registrar’s legal representative relying on Skase and also Healthshare, was made on the basis that the provision in s 25 of the PPIP Act is merely enlivened and no inquiry into the merits of any decision under the other legislation can be made by the Tribunal. In short, the submission being that if another Act confers a power to authorise conduct of the agency, then no inquiry into how that power was exercised and the merits of the use of that power – being the conduct under review – can be examined under the provisions of the PPIP Act. Section 25 is an ‘out’ provision both for and from the PPIP Act. It was submitted that the Tribunal cannot conduct a review of the operation of the power under the other Legislation and then determine if that operation was flawed in some manner, and if so, bring the matter back into the PPIP Act.
-
Ms Kelloway’s legal representative submitted that the Registrar’s submission on s 25 was extreme. In addition they submitted that this submission is not supported by PN, being a case relied upon by the Registrar.
-
Ms Kelloway submitted that in coming to a review position and decision in the matter the Tribunal needs to look at what the Birth Deaths and Marriages officers did. In doing that, without conducting a judicial review it is still necessary to go beyond the mere enlivening of the power that s 25 of the PPIP Act refers to.
-
A further submission was made about the objects provision of the BDMR Act at s 3. The objects provide:
3 Objects of Act
The objects of this Act are to provide for—
(a) the registration of births, deaths and marriages in New South Wales, and
(b) the registration of adoption information, and
(c) the registration of changes of name and the recording of changes of sex, and
(d) the keeping of registers for recording and preserving information about births, adoptions, deaths, marriages, registered relationships, changes of name and changes of sex in perpetuity, and
(e) access to the information in the registers in appropriate cases by government or private agencies and members of the public, from within and outside the State, and
(f) the issue of certified information from the registers, and
(g) the collection and dissemination of statistical information.
(Emphasis added)
-
In my view the Registrar’s reliance on Healthshare and Skase in the current matter is misplaced. That is because of the various references to privacy protections in the BDMR Act and public register references in the PPIP Act. In addition the current matter turns on different facts to those matters, and Skase was dealing with the Commonwealth Legislation (Privacy Act 1988 Cth) which is differently drafted. It appears inconceivable that the Legislature would include within Part 5 of the PPIP Act conduct relating to personal information in public registers if such registers were covered or authorised (as they would be) by other Legislation and therefore excised from the PPIP Act due to the operation of s 25 of that Act.
-
Additionally I do not agree that the two cases referred to in the paragraphs above are authority for the submission being put by the Registrar, that in effect the Tribunal is constrained for examining the circumstances of the conduct under another Act (in this case the BDMR Act), when determining an administrative review.
-
That argument and submission might hold some weight when the external Legislation is not identified by reference to public registers being imported into the PPIP Act. Put another way because of the references at 52 (1) (c ) of the PPIP Act, privacy matters relating to disclosure from public registers are captured. When looking as to whether such a disclosure is a breach of privacy the only guidance from the PPIP Act itself is s 18 (in this case). In order to ascertain whether the terms and provisions of s 18 have been offended the Tribunal, in reviewing conduct, must look to the actual conduct in question, and any statutory guidance available about the specific conduct under the auspices of the public register. In that manner the Tribunal must look to the BDMR Act.
-
Having regard to release of information from the public register under s 46 of the BDMR Act, the Registrar is required to have regard to s 46 (3) amongst other matters. The section provides:
(3) In deciding the conditions on which access to the Register, or information extracted from the Register, is to be given under this section, the Registrar must, as far as practicable, protect the persons to whom the entries in the Register relate from unjustified intrusion on their privacy.
-
Having examined the conduct complained of it is clear on the material given in evidence by the Registrar, that insufficient regard was had to protecting the privacy of Ms Kelloway. In that regard prima facie the Registrar was in breach of s 18 of the PPIP Act in that they disclosed Ms Kelloway’s personal information from a public register without seeking her views, or in a practical sense having regard to their own polices, releasing the information in circumstances not envisaged in those polices or their own statute.
Findings
-
In my view none of the provision of s 18 of the PPIP Act were met by the Registrar’s delegate in releasing the information. Clearly in the circumstances the Registrar knew that Ms Kelloway would object to release. Their initial response dated 6 February 2020 to the Solicitors asked then to obtain Ms Kelloway’s consent. The Solicitor’s letter in reply dated 8 March 2022 [sic] (2020) indicates that they are applying ‘against’ Ms Kelloway, therefore implying that consent would not be forthcoming. In any event the Solicitor’s do not engage further on this issue.
-
The release by the Registrar of the personal information is therefore a breach of s 18 of the PPIP Act, because the conduct occurred contrary to the requirement in s 46 (3) of the BDMR Act. In that regard the conduct did not have regard to the Registrar’s policies arising under s 53 of the BDMR Act, nor did the conduct comply with the requirements of s 48 of the BDMR Act on the evidence and material before the Tribunal and I so find.
-
Having regard to the beneficial nature of the PPIP Act including the long title of that Act, and the privacy provisions of the BDMR Act, I draw guidance from s 18 of the PPIP Act in respect of the conduct complained of by Ms Kelloway. Whilst this review does not strictly concern a breach of the IPP’s (as it is brought under s 52 (1) (c ) of the PPIP Act rather than s 55 (1) (a)), the same principles for the remainder of Part 5 of the PPIP Act remain.
-
In that regard it is open to the Tribunal, having reviewed the conduct and made findings, to move to s 55 (2) of Part 5 of the PPIP Act.
-
In my view s 55 (2) of the PPIP Act is enlivened and available to Ms Kelloway because of the findings that I have made, and the provisions of s 52 (1) and 55 (1) of the PPIP Act.
Conclusion
-
As the parties have indicated that they seek to be heard on any remedies that might arise under the PPIP Act following any finding, I will not make any other substantive orders. I will arrange for the matter to be listed before me for directions where orders can be made for future hearing, or dealing with the reminder under s 50 (2) of the NCAT Act, and any necessary orders for the filing and serving of any further material and submissions.
-
In the interim having regard to s 36 of the NCAT Act being the guiding principle to resolve matters in a just quick and cheap manner, it remains open to the parties to resume their without prejudice settlement discussions informally should they both agree.
-
In respect of orders that flow from the findings that I have made, I make the following orders.
Orders
-
The decision of the respondent is set aside.
-
The proceedings are listed for Directions before Senior Member McAteer on a date within 28 days of the publication of these reasons, (or such later date as may be agreed by the Tribunal) by arrangement with the Divisional Registrar.
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
Decision last updated: 14 February 2023
0
1
8