NS v Commissioner, Department of Corrective Services - [2004] NSWADT 263

No judgment structure available for this case.

CITATION: NS v Commissioner, Department of Corrective Services [2004] NSWADT 263 revised - 14/01/2005

DIVISION: General Division

PARTIES: APPLICANT
NS
RESPONDENT
Commissioner, Department of Corrective Services

FILE NUMBER: 033218

HEARING DATES: 25/06/2004

SUBMISSIONS CLOSED: 06/25/2004

DATE OF DECISION:
11/16/2004

BEFORE: Higgins S - Judicial Member

APPLICATION: Privacy - information protection principle - disclosure to third party

MATTER FOR DECISION: Principal matter

LEGISLATION CITED: Administrative Decisions Tribunal Act 1997
Interpretation Act 1987
Privacy & Personal Information Protection Act 1998

CASES CITED: Fitzpatrick v Chief Executive Officer, Ambulance Service of NSW [2003] NSWADT 132
GR v Director-General, Department of Housing (GD) [2004] NSWADT 26
KO v Anor v Commissioner of Police, New South Wales Police (GD) [2004] NSWADT 21

REPRESENTATION: APPLICANT
NT, agent
RESPONDENT
T Anderson, counsel

ORDERS: The application is dismissed.

Decision revised 30/11/2004: In these reasons the names of all private individuals have been anonymised so as to preserve the privacy of their personal affairs. The names of public servants involved in the performance of official functions are not anonymised.

1 This is an application by NS seeking review of conduct that was the subject of his application for internal review under s.53 of the Privacy & Personal Information Protection Act 1998 (“the PPIP Act”). The conduct complained of by NS was that of Ms Munro, a probation and parole officer of the Department of Corrective Services (“the Department”). The conduct related to Ms Munro gaining access to the Department’s computerised data concerning the criminal history of NS in Queensland, and disclosing that criminal history to parents of children who were members of a Scottish dance group and Ms Munro gaining access to the Department’s record of visitors for NS while he was in custody and advising one of those visitors, Ms 'A', of the fact that he had been re-arrested and charged with an offence against a ten year old child and that he had pleaded guilty. At no time was Ms Munro the probation and parole officer for NS.

2 NS, who was subsequently convicted of a further offence, remains in custody and he authorised his mother, NT, to act as his agent in regard to this application.

3 NT initially lodged a written complaint with the Department on 12 February 2003 concerning conduct engaged in by Ms Munro between October 2002 and February 2003. On 21 May 2003, Brian Norman, District Manager of the Department, wrote to NT and advised her that her complaint had been referred to the Professional Conduct Management Committee of the Department (“the Committee”). He went on to advise that the Committee had dealt with the complaint on 26 February 2003 and that the complaint had been finalised that day and that the matter had been closed.

4 Prior to receiving the abovementioned letter from Brian Norman, NT had written to Privacy NSW requesting an investigation of Ms Munro’s conduct and a review of the way the Department had dealt with the complaint. It would appear that the Department had already advised NT orally of the outcome of the meeting of the Committee on 26 February 2003.

5 In response to NT’s’ letter, Ms Anna Johnson of Privacy New South Wales [Deputy Privacy Commissioner] advised her of options that were available to her son under the PPIP Act. In this regard, she made reference to the ability to make a complaint to the Department and Privacy NSW under Part 4 of the PPIP Act, and the requirement of the Department to conduct an internal review under Part 5 of the PPIP Act in respect of the conduct that was complained about. She also stated that it was possible for complaints to be made to the Department about alleged offences committed under the PPIP Act. In this regard she made reference to s.62 of the Act, which creates offences of corrupt disclosures and use of personal information by public sector officials. It should be noted that Ms Johnson did not make any comments or provide any advice in respect of the alleged conduct of Ms Munro or the Department’s response thereto.

6 Following receipt of the letter from Anna Johnson, NT made a verbal request to the Department to treat her written complaint of 12 February 2003, as an application for a review under s.53 of the PPIP Act.

7 On 7 July 2003, Kathleen Crilly, a senior legal officer of the Department, prepared an Internal Review Report, based on an internal investigation conducted by the Department. In her report Ms Crilly set out the actions of Ms Munro and her findings relating thereto. On 12 July 2003, Ron Woodham, the Commissioner of the Department wrote to NT and advised her that he had accepted Ms Crilly’s findings and that he had decided to take no further action as, in his opinion, sufficient action had already been taken.

8 In the application for review to the Tribunal, filed on 11 August 2003, NT stated that the reason for the application was the inadequate outcome of the internal review determination. In particular, having regard to the extent and continuation of the disclosures by Ms Munro, it was contended that counselling and a warning letter did not go far enough. She went on to say:

“This type of punishment only gives other people who may divulge information that they are privy to the impression that they can get away with virtually no punishment”.

9 The Tribunal has jurisdiction to hear and determine this application by virtue of s.55 of the PPIP Act and s.38(1) of the Administrative Decisions Tribunal Act 1997 (“the ADT Act”).

Relevant Legislation

10 The purpose of the PPIP Act is to provide for the protection of personal information and for the protection of the privacy of individuals generally. Section 53 of the PPIP Act enables any person who is aggrieved by the “conduct” of a public sector agency to seek review of that conduct. Conduct is defined in s.52 of the PPIP Act, which provides as follows:

52. Application of Part

1) This part applies to the following conduct:

a) the contravention by a public sector agency of a information protection principle that applies to the agency,

b) the contravention by a public sector agency of a privacy code of practice that applies to the agency,

c) the disclosure by a public sector agency of personal information kept in a public register.

2) A reference in this part to conduct includes a reference to alleged conduct.

3) This Part does not apply to any conduct that occurred before the commencement of this Part.

4) Section 53 (internal reviews) of the Administrative Decisions Tribunal Act 1997 does not apply to or in respect of conduct to which this Part applies”.

11 An information protection principle is defined in s.3 of the PPIP Act to mean a provision set out in Division 1 of Part 2 of the Act. Section 16 of the PPIP Act is a provision contained within Division 1 of Part 2.

12 When conducting a review, the public sector agency whose conduct is the subject of an application is given power to do one or more of the following (see s.53(7)):

- Make a formal apology to the applicant.

- Take such immediate action as it thinks appropriate.

- Provide undertakings that the conduct will not occur again.

- Implement administrative measures to ensure that the conduct will not occur again.

13 Section 55(a) of the PPIP Act provides that an applicant who is not satisfied with the findings of the internal review by the public sector agency, or he/she is not satisfied with the action taken by the public sector agency in relation to his/her application for internal review, may apply to the Tribunal for a review of the conduct that was the subject of the application for internal review.

14 Section 55(2) of the PPIP Act sets out the Tribunal’s power in respect of conducting a review of the conduct of the public sector agency. That section provides as follows:

a) subject to sub-section (3), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

b) an order requiring the public sector agency to restrain from any conduct or action in contravention of an information protection principle, or a privacy code practice,

c) an order requiring the performance of an information protection principle or a privacy code of practice,

d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,

e) an order requiring the public sector agency to take specific steps to remedy any loss of damage suffered by the applicant,

f) an order requiring the public sector agency not to disclose personal information contained in a public register,

g) such ancillary orders as the Tribunal thinks appropriate”.

15 In this application the relevant private information protection principles that are alleged to have been breached by the Department are those contained in s.12, s.17 and s.18 of the PPIP Act. These sections provide, so far as is relevant, as follows:

12. Retention and security of personal information

A public sector agency that holds personal information must ensure:

…

c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonable within the power of the agency is done to prevent unauthorised use or disclosure of the information,

17. Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:

(a) the individual to whom the information relates has consented to the purpose for which the information was collected; or

(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

18. Limits on disclosure of personal information

(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:

(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure; or

(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

(2) If personal information is disclosed in accordance with subsection (1) to a person or a body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.” (Emphasis added).

16 Part 8 of the PPIP Act contains miscellaneous provisions. Included in this Part is an offence by a public sector official who, otherwise than in connection with the lawful exercise of his or her official functions, discloses or uses any personal information about another person to which that official had or had access in the exercise of his or her official function: s.62 of the PPIP Act. There is also an offence of offering to supply such information or holding oneself out as being able to supply that information: s.63 of the PPIP Act.

Evidence

17 At the hearing, NT tendered into evidence a statement by her dated 16 April 2004, a statement by 'A' dated 22 April 2004, and a copy of the findings of Ms Crilly dated 7 July 2003.

18 Ms Anderson, on behalf of the Department, tendered into evidence a copy of the original complaint to the Department, a further letter from NT to the Department dated 19 February 2003 providing additional information in respect of the complaint, a copy of the flag that comes up on the computer screen each time a parole officer of the Department seeks access to information concerning persons in prison or on probation and parole, and a copy of the information security policy of the Department.

19 In her report Ms Crilly identifies three incidents where Ms Munro accessed, used or disclosed personal information about NS that was contained on the Department’s data base. These were as follows:

b) Ms Munro’s disclosure of NS’ criminal record to a parent of a child in the Scottish dancing community – this also occurred around 22 October 2002; and

c) obtaining access to the Department’s records of visitors to NS while he was in custody, and using that information to contact these persons and inform them of NS’ criminal record and new criminal charge – this occurred around February 2003.

20 In this regard, at the hearing the Department conceded that it was a “public sector agency” as defined in s.3 of the PPIP Act and that Ms Munro was a “public sector official” as defined in the same section. However, it did not concede the fact that Ms Munro had engaged in the conduct, the subject of the review, in her capacity as a “public sector official”.

21 The other relevant facts, which are not disputed in this application, are as follows:

“The information from the system now available to you is confidential and must NOT be disclosed to unauthorized persons under any circumstances, nor are you authorised to access such information for personal reasons…”

c) In 1998, NS had been convicted, in Queensland, of offences that involved minors. He was released from custody in February 2000 but remained on parole.

d) During the relevant periods, NS was a prohibited person under the Child Protection (Prohibit Employment) Act 1998.

e) NT conducted Scottish dancing classes up until November 2002. In August 2002, she and her husband commenced a driving trip around Australia, and she asked her son to conduct her dancing classes in her absence. Before she left, NT spoke to the mother of every child in the dancing classes and asked them to ensure that they were present during each lesson that he took. Whether NT was aware of her son’s parole conditions is not clear but it is hard to imagine she was not. It would appear that she did not understand that her son was a prohibited person.

f) On or about 22 October 2002, Ms Munro contacted NS and advised him that she had found a file at her work that disclosed his criminal convictions and directed him to telephone the mother of the each child in his mother’s dance class and tell them that he was a prohibited person, and what he had done. She gave him10 minutes to make the necessary calls and informed him that if he did not do this, she would inform the parents.

g) At all relevant times, Ms Munro was the President of the Scottish Dancing Association. She was and continues to be employed by the Department as a probation and parole officer.

h) Having accessed the Department’s computerised database concerning NS’ criminal record, Ms Munro contacted his probation and parole officer.

i) On or about 23 October 2002, NS was arrested for breaching his parole conditions and taken into custody. He remained in custody until 10 February 2003, when he was released. However, he was immediately re-arrested and charged with a new offence involving sexual assault of a minor, who had been a Scottish dancing student.

j) On or about 10 February 2003, Ms Munro accessed the Department’s records of NS’ visitors while he was in custody. One of these visitors was Ms A, a relative of NS’ father. Ms Munro telephoned Ms A and after identifying herself as Liz Munro of the Scottish Dancing Association, advised her that NS had been re-arrested and charged with an offence against a ten year old child and that he had pleaded guilty. She also advised that the child was from the Scottish Dancing School and that she may wish to talk to members of her family that have had contact with him and ask them the necessary questions.

22 NS did not dispute any of the findings that Ms Crilly had made. These were that the initial access by Ms Munro and the disclosure to the probation and parole officer did not amount to a contravention of an information protection principle but there had been a contravention by the Department in respect of the remaining incidents.

23 In respect of the disclosure by Ms Munro to a parent of a child of the Scottish dancing community (see para.19(b) above), Ms Crilly stated the following:

…

From the date that Ms Munro became aware of NS’ status and the period during which Ms Munro disclosed that information there was only one day when NS was not in full time custody.

…

At the time of the disclosures, Ms Munro was not acting in her role as a probation or parole officer but rather as a person involved in the Scottish dancing community.

…

I have noted that at the time of Ms Munro’s disclosure, NS himself had advised a number of persons about his history. It is apparent that this advice was discussed amongst what appears to be a close knit group. Accordingly, I am not satisfied that the information that Ms Munro disclosed had not already been received from either NS himself or persons who had been informed by NS.”

24 In respect of Ms Munro’s access to the Department’s records of visitors to prisoners (see para.19(c) above), Ms Crilly stated the following:

“I am satisfied that upon receipt of information from investigating police, Ms Munro accessed the Department’s records and obtained a list of persons who visited NS whilst in custody”.

25 Ms Crilly found that the Department’s policies with regard to disclosure of personal information was adequate. She made reference to the fact that the Department had taken steps to ensure that Ms Munro was familiar with the Department’s policies and the information protection principles contained in the PPIP Act. Ms Crilly had found that Ms Munro’s actions on the second and third occasions constituted a breach by the Department of ss.17 and 18 of the PPIP Act, however, she was of the opinion that the Department had taken the appropriate action in making a formal apology to NS and his family.

Submissions

26 Ms Anderson, on behalf of the Department, submitted that NS’ application was a review of the “conduct” that was the subject of the internal review application to the Department pursuant to s.53 of the PPIP Act. In this regard, Ms Anderson argued that the Tribunal was required to consider the matter afresh, and that the findings as set out in Ms Crilly’s report were of no relevance, nor did they amount to an admission by the Department of liability for the conduct of Ms Munro. This conduct, it was submitted, was not condoned or authorised by the Department. It was conduct, when viewed correctly, that was engaged in by Ms Munro in her private capacity as President of the Scottish Dancing Association and not in her capacity as an officer of the Department. Accordingly, the Department had not contravened any of the privacy protection principles under the PPIP Act.

27 Ms Anderson also submitted that the PPIP Act does not make a public sector agency liable for unauthorised acts of a public sector official. The basis of this submission was the fact that the Act contained a separate and express provision making officials liable for their unauthorized disclosure or use of personal information about another person that they acquired as part of their official duties (i.e. s.62 PPIP Act).

28 Ms Anderson also contended that an applicant seeking review of conduct to s.55(1) of the PPIP Act, bears the onus to establish that the agency had breached an information protection principle and that the onus was on the balance of probabilities. I have understood this to mean that an applicant is required to prove those factual matters which constitute the alleged breach on which he/she relies on the balance of probabilities.

29 NT in her submissions relied on the findings of Ms Crilly, in particular the findings that there had been a breach by the Department in respect of the conduct identified in paragraph 19(b) & (c) above. She contended that as she accepted these findings the Department should not be able to resile from them.

30 In her submissions NT sought orders that required Ms Munro to apologise for her actions and express regret to NS and his family as well as requiring the Department to introduce a training program for employees with access to personal information of third parties that comprehensively deals with their obligations under the PPIP Act. In her oral submissions, NT also suggested that access by probation and parole officers to personal information about prisoners, contained on the Department’s database, be limited to those prisoners for whom they are responsible.

31 The Deputy Privacy Commissioner also provided written submissions. In those submissions, she contended that the Tribunal’s power under Part 5 of the PPIP Act provided the Tribunal with considerable flexibility in dealing with an application for review. She also submitted that on its proper construction s.62 of the PPIP Act does not draw a clear line between the conduct of an agency and the conduct of a public sector official. She pointed to the provisions of s.21 of the PPIP Act which requires public sector agencies to comply with the information protection principles as set out in Part 2 of the Act. These principles relate to specified conduct by public sector agencies in respect of personal information about a person and it is contended that compliance with these principles would be rendered nugatory if agencies were not held responsible for the conduct of its employees. On the other hand, s.62 of the PPIP Act, which is contained in Part 8 of the Act, creates an offence where a public sector official, intentionally and without authority uses or discloses personal information that the official had obtained access to in his/her official functions. That is, on a proper construction of the Act, where there has been an unauthorised breach of one or more of the information protection principles by a public sector official, the agency has available to it two remedies against the official i.e. disciplinary action in accordance with the agency’s internal policies, or prosecution under s.62 of the PPIP Act.

32 The Deputy Privacy Commissioner also submitted that there was no rule that the applicant bears an onus of proof in reviews of conduct under the PPIP Act and in this regard relied on the decision of GV v Officer of the Director of Public Prosecutions [2003] NSWADT 177. She went on to submit that if such an onus was to be placed on an applicant then applicants would be greatly disadvantaged as they do not have any knowledge of the way the agency manages the personal information it holds and they are therefore not in the same position as the agency to ascertain the exact nature of the conduct complained about.

Reasons and Decision

33 In my opinion, this application raises the following issues:

b) does an applicant for review under s.55(1) of the PPIP Act bear an onus of proof?

c) is the Department responsible for the actions of Ms Munro?

d) if the Department is responsible for the actions of Ms Munro, did these actions amount to a breach of one or more of the information protection principles in the PPIP Act? If a breach is established what are the appropriate orders, if any? For the reasons set out below it is unnecessary to deal with this issue.

34 Section 55(1) of the PPIP Act expressly provides that an application lies to the Tribunal for “review of the conduct that was the subject of an application under s.53” (underling added).

35 Section 53(1) of that Act provides that a person who is “aggrieved” by the “conduct” of a public sector agency is entitled to a review of that conduct. This subsection is stated be subject to the provisions of s.51(1) of the Act. However, it would appear that this is a typographical error as there is no s.51(1) and s.51 does not appear to have any relevance to this particular section.

36 As mentioned above, the term “conduct” is defined in s.52 of the PPIP Act and includes alleged conduct (see s.52(2) of the Act). The term “conduct” in this section has a specific meaning in that it refers to acts and omissions that amount to a contravention of an information protection principle or a privacy code of practice or a disclosure of personal information held on a public register.

37 Sub-section 53(8) of the PPIP Act provides that on the completion of the review the public sector agency is to notify the applicant, in writing, of the following matters:

b) the action proposed to be taken by the agency (and reasons for taking that action); and

c) the right of the applicant to have the agency’s findings, and the agency’s proposed action reviewed by the Tribunal.

38 Yet, as mentioned above, s.55(1) expressly states that the Tribunal’s jurisdiction is to review “conduct” as opposed to “ the agency’s findings and the agency’s proposed action”.

39 The question of whether the Tribunal’s jurisdiction under s. 55(1) was to review “findings” or “conduct” was considered by the Appeal Panel in GR v Director-General, Department of Housing (GD) [2004] NSWADT 26, and the Deputy President in Fitzpatrick v Chief Executive Officer, Ambulance Service of NSW [2003] NSWADT 132. These decisions also considered the question whether an application under s. 55(1) was a “reviewable decision” or an “original decision for the purposes of the ADT Act.

40 In both decisions, it was held that, notwithstanding some inconsistencies in the PPIP Act, applications made under s.55 of the PPIP Act are applications for a review of a reviewable decision and that the Tribunal is conducting a review of “conduct” and not a review of the public sector’s “findings” in respect of that conduct (see GR at [35] and Fitzpatrick at [12]).

41 In GR (at [53]), the Appeal Panel stated as follows:

“…In Privacy Act cases, the Tribunal undertakes a second review of the conduct in issue, the first being that conducted as an internal review by the agency. The difference is that the Tribunal is not engaged in review of the internal review outcome. But as is the case when decisions are being reviewed, the Tribunal is a second-stage reviewer of the original matter, here conduct rather than a decision whatever the proper characterisation of the Tribunal’s role for the purposes of the Tribunal Act, qualitatively the function is one of review…”

42 Accordingly, the role of the Tribunal is to ascertain if the contravening conduct or alleged contravening conduct, the subject of the application under s.53, was in fact conduct that amounted to a breach by the respondent agency of one of the information protection principles in Part 2 of the PPIP Act or one of the other contraventions set out in s. 52. This will require an examination of the relevant acts and omissions and where the Tribunal is satisfied, on the evidence before it, that the agency engaged in the acts and omissions which amounted to a breach/contravention as set out in s. 52 (i.e. a contravention of one or more of the information protection principles), the Tribunal has a discretion, subject to the circumstances of the application and the evidence before it, to make one or more of the orders set out in s.55(2) of the PPIP Act.

43 This means that even though an applicant is not dissatisfied with the findings of the internal review, those findings are of no relevance in a review application before the Tribunal unless both parties agree that there is no issue between them in this regard.

44 While there is a dispute as to Ms Grilly’s findings, in this application there is no dispute that Ms Munro engaged in the acts and omissions complained of. The only dispute is whether the Department was responsible for these acts and omissions and whether they constituted a contravention as set out in s. 52.

Onus of Proof

45 I agree with the submissions of the Deputy Privacy Commissioner in respect of onus of proof. The Appeal Panel recently adopted such an approach in KO v Anor v Commissioner of Police, New South Wales Police (GD) [2004] NSWADT21 at [40 to 43].

46 In GR (at [35] and [36]), the Appeal Panel adopted observations made by the Australian Law Reform Commission in its report entitled “Managing Justice: A Review of the Federal Civil Justice System” in respect of merit review by the tribunals as applying equally to a review under s.55(1) of the PPIP Act. These observations expressly stated that in a merits review “neither the applicant nor the respondent agency carries a burden of proof to prove or disprove a fact”. The Appeal Panel then went on at [37] and [38] to say the following:

38. The position is different in relation to the first type of order listed – an order for monetary compensation (para(a)) – a ‘damages’ or ‘money’ order. In this instance it is for the applicant to put material before the Tribunal in support of such an order. The agency must have the opportunity to test that material…”

47 I agree with these principles.

48 In this application, Ms Anderson on behalf of the Department advised the Tribunal that it did not propose to call Ms Munro to give evidence and invited NT to call her or for the Tribunal to join her as a party. In my opinion, neither of those actions were appropriate. Ms Munro cannot be made a party to these proceedings as the only relevant respondent is the public sector agency who had undertaken the review of the conduct in question. Furthermore, s. 55(2) does not give the Tribunal jurisdiction to make orders against individual officials of an agency.

49 Additionally, as Ms Munro remains an employee of the Department and on the basis of the decision in GK and KO, the Department was the most appropriate person to make her available if necessary. In my opinion, this was not necessary as there did not appear to be any dispute about what Ms Munro did and said as identified in Ms Crilly’s report, in particular that at all times Ms Munro acted for her own private purposes and not in her official capacity. What the Department did dispute were the conclusions Ms Crilly reached from those acts and omissions.

Is the Department responsible for the conduct of Ms Munro?

50 In my opinion, the construction placed on s.62 of the PPIP Act by the Department cannot be supported when one has regard to the overall objectives of the PPIP Act (see s.33 of the Interpretation Act 1987). In this regard I agree with the submissions of the Deputy Privacy Commissioner that the main thrust of Parts 2, 3, 4 and 5 of the Act is to ensure that public sector agencies adhere to and are accountable for the specified information protection principles in respect of personal information collected, held, used and disclosed by them. An agency can only act through its officials, which is recognised in the Act by placing an obligation on agencies to put into place appropriate systems that will ensure the security, accuracy and limited use and disclosure of such information. Accordingly, in my opinion, for the purposes of Part 5 of the PPIP Act, an agency is prima facie responsible for acts and omissions of its officials in respect of personal information of another person that an official obtains in the course of his/her employment. If this was not the case then it would be easy for agencies to avoid their core responsibilities under the Act.

51 As I have mentioned, this responsibility only applies to conduct coming within Part 5 of the PPIP Act – it does not extend to an agency being responsible for acts and omissions that amount to criminal conduct by its official under s.62 of the Act. This particular section operates independently of the provisions in Part 5 of the Act.

52 The fact that an agency is prima facie responsible for its officials does not mean that the agency will in fact be held to be have contravened an information protection principle under Part 2. What needs to be assessed is whether the agency has taken every reasonable step to ensure that its systems of collecting, accessing, using and disclosing personal information comply with the PPIP Act and that its officials are aware of the official’s and the agency’s obligations in respect of that information. What amounts to reasonable steps will vary depending on the nature of the personal information collected, used or held by an agency, how that information is stored or recorded, and who needs to have access to the information for the proper functioning of the agency.

53 In this application, there were two incidents in which Ms Munro sought access to information contained on the Departments data base. The first occasion was when she sought information about the criminal record of NS. I accept the Department’s evidence that prior to accessing this information, her computer screen (“the computer flag”) showed that she was not authorised to obtain access to that information for her own personal needs, nor was she authorised to disclose that information to an unauthorised person. In my opinion, this computer flag, although its wording may possibly be improved, provides adequate warning to the Department’s officials that they are not to seek access to the information on the Department’s data base for their own private purposes. Implicit in this is that they are also not authorised to use or disclose the information for their own private purposes.

54 In respect of the initial access by Ms Munro to the Departments data base and her disclosure to the probation and parole officer, the question is whether this conduct amounted to a breach, by the Department, of s 12, 17 and 18 of the PPIP Act. The acts and omissions relevant to a breach of s. 12 are not only those of Ms Munro but also those of the Department, in particular what systems were in place to prevent an unauthorised access. For the reasons already stated, in my opinion, the Department’s computer flag was an adequate security safeguard and I find that there has been no breach of s.12 of the PPIP Act by the Department.

55 In my opinion, Ms Munro’s initial access was for a dual purpose, her own private reasons and also for the purpose of fulfilling her duties as a probation and parole officer. While there is no direct evidence, in my opinion it can be inferred that Ms Munro in her capacity as President of the Scottish Association became aware that NS was undertaking dancing classes and that she became concerned about the safety of the children as she knew or believed that NS had a criminal record. In such circumstances it is arguable that she as a probation and parole officer also had a duty to verify what that record was and inform the appropriate persons if she found that this criminal record had a bearing on him undertaking the dancing classes. For these reasons, even though Ms Munro was not NS probation and parole officer, this did not mean that her official duties excluded her from accessing such information and informing the appropriate persons. An exclusion of this kind would, in my opinion, seriously affect the operation of the agency in performing its function of supervising persons on parole. Again by inference, Ms Munro used and disclosed the information she had obtained to NS’s probation and parole officer clearly because she believed that it was necessary to prevent or lessen a serious and imminent threat to the health of the children in the dancing classes under his instructions. For these reasons I find that the Department has not breached ss. 17 or 18 of the PPIP Act in respect of the initial incident.

56 In respect of the second access (i.e. the third incident) as referred to in paragraph 19(c) above, I find that Ms Munro obtained access on this occasion entirely for her own private purposes, as at this time, to the knowledge of Ms Munro, NS was in custody and he continued to remain in custody.

57 However, for the reasons stated above I am satisfied that the Department, through its computer flag, had in place adequate warning that her access for such purposes was unauthorised. In light of this, and the fact that Ms Munro expressly stated that she was acting in her capacity as the President of the Scottish Dancing Association, I am satisfied that the Department is not responsible for the disclosure of the personal information concerning NS to Ms A. That is, there has been no breach by the Department of ss. 12, 17 and 18 of the PPIP Act. This does not mean that Ms Munro has not breached the Department’s information security policy and may be subject to disciplinary action. However, this is not a matter for the Tribunal.

58 This leaves the second incident as set out in paragraph 19(b) above. Again I find that Ms Munro was acting in her private capacity when she disclosed personal information about NS to parents of the Scottish dancing community. This disclosure was as a result of the information that Ms Munro had obtained from the Departments data base. As mentioned above, when accessing that data base Ms Munro was advised in the computer flag that a disclosure of this information in circumstances such as these were unauthorised. Accordingly, for the reasons I have already stated I am satisfied that the Department is also not responsible for the disclosure of the personal information concerning NS to parents of the Scottish dancing community.

59 In light of my findings, it is unnecessary to consider the final matter in issue. However, as this application demonstrates, the Department has an ongoing obligation to ensure that it informs its officials of the Department’s responsibilities under the PPIP Act and in this regard it is important to ensure that the terms of any policy or other written measure is clear and that these are brought to the attention of its officials on a regular basis. As part of this exercise the Department may consider it appropriate to re-examine the terms of the wording on its computer flag and in its information security policy so that the provisions of the PPIP Act are more clearly stated.

60 For the reasons set out above, the Tribunal orders that the application is dismissed.

Actions

Download as PDF Download as Word Document

Citations

NS v Commissioner, Department of Corrective Services [2004] NSWADT 263

Most Recent Citation

SW v Forests NSW [2006] NSWADT 74

Cases Citing This Decision

23

FZP v Sydney Children's Hospitals Network [2025] NSWCATAD 144

GKT v Fire and Rescue New South Wales [2024] NSWCATAD 335

GFX v Secretary, Department of Communities and Justice [2024] NSWCATAD 322

Cases Cited

4

Statutory Material Cited

3

GV v Office of the Director of Public Prosecutions [2003] NSWADT 177

Fainstein v University of New South Wales and Professor Piggott [2004] NSWADT 26

Fitzpatrick v Chief Executive Officer, Ambulance Service of NSW [2003] NSWADT 132

CITATION:	NS v Commissioner, Department of Corrective Services [2004] NSWADT 263 revised - 14/01/2005
DIVISION:	General Division
PARTIES:	APPLICANT NS RESPONDENT Commissioner, Department of Corrective Services
FILE NUMBER:	033218
HEARING DATES:	25/06/2004
SUBMISSIONS CLOSED:	06/25/2004
DATE OF DECISION:	11/16/2004
BEFORE:	Higgins S - Judicial Member
APPLICATION:	Privacy - information protection principle - disclosure to third party
MATTER FOR DECISION:	Principal matter
LEGISLATION CITED:	Administrative Decisions Tribunal Act 1997 Interpretation Act 1987 Privacy & Personal Information Protection Act 1998
CASES CITED:	Fitzpatrick v Chief Executive Officer, Ambulance Service of NSW [2003] NSWADT 132 GR v Director-General, Department of Housing (GD) [2004] NSWADT 26 KO v Anor v Commissioner of Police, New South Wales Police (GD) [2004] NSWADT 21
REPRESENTATION:	APPLICANT NT, agent RESPONDENT T Anderson, counsel
ORDERS:	The application is dismissed.