Redimed Pty Ltd and Australian Information Commissioner (Freedom of information)
[2024] AATA 38
•19 January 2024
Redimed Pty Ltd and Australian Information Commissioner (Freedom of information) [2024] AATA 38 (19 January 2024)
AppID:Redimed Pty Ltd and Australian Information Commissioner
MatterType: Freedom of information
Division:FREEDOM OF INFORMATION DIVISION
File Number: 2022/2185
Re:Redimed Pty Ltd
APPLICANT
AndAustralian Information Commissioner
RESPONDENT
Appeal from: ‘AAQ’ and Redimed Pty Ltd (Privacy) (Corrigendum dated 1 March 2022) [2022] AICmr 7 (17 February 2022)
DECISION
Tribunal:Senior Member Dr M Evans-Bonner
Date:19 January 2024
Place:Perth
The Reviewable Decision is affirmed.
.......................[Sgd].................................................
Senior Member Dr M Evans-Bonner
CATCHWORDS
PRIVACY – Privacy Act 1988 (Cth) – Applicant engaged by an employer to conduct a pre-employment medical assessment of an individual – individual requested access to his personal information – personal information provided with redactions – unredacted personal information provided seven months after the individual made a complaint to the Information Commissioner – Information Commissioner found breach of Australian Privacy Principles (APP) – Applicant disputes that it breached APP 12.1 – Applicant claims redacted information fell within exemption in APP 12.3(b) and APP 12.3(j) – whether giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process – meaning of “evaluative information generated within the entity in connection with a commercially sensitive decision-making process” – consideration of whether the commercially sensitive decision-making process must be internal to the entity – the nature of remedial action the Applicant should be required to undertake – privacy breach substantiated – Reviewable Decision affirmed
LEGISLATION
Privacy Act 1988 (Cth) ss 2A, 33(2)(k), 33B(2)(iv), 36, 40(1), 52, 52(1)(a), 52(1)(b)(i), 52(1)(b)(iv)
Freedom of Information Act 1982 (Cth) ss 47(1), 47(1)(b)
CASES
C v Insurance company [2006] PrivCmrA 3
Drake and Minister for Immigration and Ethnic Affairs (No 2) (1979) 2 ALD 634 (Drake No 2)
‘ZN’ and a School (Privacy) [2021] AICmr 95 (17 December 2021)
SECONDARY MATERIALS
Attorney-General’s Department, Factsheet 14 – commercially sensitive information, Foreign Influence Transparency Scheme (28 February 2019)
Australian Charities and Not-for-profits Commission, Commissioner’s Interpretation Statement: Commercially sensitive information
Cambridge Dictionary, online version (2023)
Office of the Australian Information Commissioner, FOI Guidelines: Guidelines issued by the Australian Information Commissioner under s 93A of the Freedom of Information Act (November 2023)
Office of the Australian Information Commissioner, The Australian Privacy Principles (January 2014) paras 12.1, 12.2, 12.3, 12.3(b), 12.3(j), 12.5, 12.9
Office of the Australian Information Commissioner, Australian Privacy Principles Guidelines version 1.1 (December 2022) paras 12.61, 12.70, 12.71
REASONS FOR DECISION
Senior Member Dr M Evans-Bonner
19 January 2024
THE PRIVACY COMPLAINT AGAINST REDIMED
Redimed is a company that, amongst other things, is in the business of conducting pre-employment medical assessments.
Redimed’s clients are prospective employers who engage Redimed to undertake pre-employment medical assessments of persons they are considering hiring.
Mr AAQ applied for a role within the company he was working for. He was required to attend a pre-employment medical assessment with Redimed (T2/13).
On 19 October 2018, Mr AAQ requested that he be provided the results from his medical assessment. In an email sent later that day, Redimed refused to provide a copy of his pre-employment medical results to him (T5/45).
Mr AAQ emailed Redimed again on 15 November 2018, stating that he had spoken to the Office of the Australian Information Commissioner (OAIC) and that he had a right to access the records that Redimed was holding about him (T5/44-45).
However, in response to a follow-up email from Mr AAQ on 16 November 2018, Redimed refused to release the results to Mr AAQ. They relied on a declaration that he had signed on 10 September 2018 which stated that Mr AAQ acknowledged that he would not be able to receive a copy of the results (T5/44 and 46).
On 19 November 2018, Mr AAQ made a privacy complaint to the OAIC, pursuant to s 36 of the Privacy Act 1988 (Cth) (Privacy Act). He said in his complaint, amongst other things, that he was not given a privacy statement, was pressured into signing the declaration, and that he was concerned that he had not seen his own confidential medical records, who they may have been shared with, in what capacity they were being held and for how long. Mr AAQ requested access to his medical records that were being held by Redimed. He sought confirmation as to whether they were being held securely and why Redimed needed to continue to hold them (T5/37-43).
On 21 May 2019, which was during the OAIC’s preliminary enquiries, Redimed provided Mr AAQ with a copy of the medical information, which included completed pro-forma forms for various medical assessments, and which contained redactions (T9/57;A1/EM-6/32-63). The name of the doctor was redacted in the documents, and so were comments in various sections of the report in boxes titled, “Examiner comments” and alternately “Doctor’s comments”.
Mr AAQ responded by email on the same day. He stated that he did not understand why the documents had been “deleted and altered”. He requested the “full original report with out [sic] your alterations added, without further delay” (T9/57).
As at 9 November 2020, Mr AAQ’s complaint had not been resolved through the OAIC’s early resolution process, or a conciliation conference held on 4 March 2020. The complaint was referred to the privacy investigation team and the OAIC opened an investigation under s 40(1) of the Privacy Act (T19/84).
The OAIC provided a preliminary view on 23 August 2021 on Mr AAQ’s privacy complaint dated 23 July 2021 (T36/226).
Redimed provided submissions in response to the OAIC’s preliminary view (T34/215-220) in an email dated 23 August 2021. They also provided an unredacted copy of Mr AAQ’s personal information in a further email dated 7 September 2021 (T36/225).
THE REVIEWABLE DECISION
On 17 February 2022 (with a corrigendum dated 1 March 2022), the Respondent (who I will refer to as the Commissioner) made a determination under s 52 of the Privacy Act which found the complaint substantiated in that Redimed had interfered with Mr AAQ’s privacy by breaching Australian Privacy Principle 12 – access to personal information (APP 12). This is the Reviewable Decision in this application.
More specifically, the Commissioner found that Redimed engaged in conduct that interfered with Mr AAQ’s privacy by:
·Declining to give him access to his personal information contained in the pre-employment screening medical report, in breach of APP 12.1.
·Failing to take steps that were reasonable in the circumstances to give access in a way that met the needs of Redimed and Mr AAQ, in breach of APP 12.5.
·Failing to give Mr AAQ a written notice setting out several matters including mechanisms to complain about the refusal, in breach of APP 12.9.
The complaint was otherwise dismissed.
The Commissioner’s findings with respect to the breach of APP 12.1 can be summarised as follows:
·With respect to the redactions in the medical report, including names of the treating doctor and the examiner’s comments, the Commissioner was not satisfied that the exemption in APP 12.3(b) (that giving access would have an unreasonable impact on the privacy of other individuals) applied (T2/17).
·The Commissioner was not satisfied that APP 12.3(j) applied. Whilst the Commissioner considered the information was evaluative, she was not satisfied that any commercially sensitive decision-making process belonged to Redimed, but rather to the referring employer (T2/19).
·The Commissioner found that even though a complete copy of the medical report was provided to Mr AAQ, that did not remedy the failure to provide it at first instance. Specifically, the Commissioner found that Redimed failed to take reasonable steps to give access to the information in an alternative way that met the needs of Redimed and Mr AAQ (T2/19-20).
·Redimed had not complied with APP 12.9 because it did not provide Mr AAQ with a notice setting out complaint mechanisms and options available. Instead, Redimed told Mr AAQ that he could contact the employer company for a copy of the results (T2/20).
The Commissioner also made declarations that Redimed take remedial steps to ensure that the conduct was not repeated or continued (T2/25-26). Those remedial steps were set out at paragraph [114], sub-paragraphs 2-6 of the Reviewable Decision and were that Redimed:
2) must, within 60 days of the date of the determination, engage an independent reviewer with privacy expertise to undertake a review of [Redimed’s] current APP 12 privacy compliance procedures, policies and processes.
3) must require the reviewer to produce a report setting out the reviewer’s findings and any recommendations (independent reviewer’s report) within 60 days of their engagement.
4) must provide a copy of the independent reviewer’s report to the Office of the Australian Privacy Commissioner (OAIC) within 14 days of receiving the report.
5) must, within 6 months of receiving the independent reviewer’s report, complete a further independent assessment of its own APP 12 practices to determine the effectiveness of any recommendations implemented as a result of the independent reviewer’s reports, and provide the OAIC with a copy of those assessment findings.
6) [Redimed] has liberty to seek an extension of time to comply with declarations 2-5.
On 16 March 2022, Redimed lodged an application in this Tribunal seeking review of the Reviewable Decision (T1). The Applicant also applied for a stay order in relation to the declaration which the Commissioner consented to.
APP 12
I will briefly outline the relevant parts of APP 12 which assist to understand the findings of the Commissioner.
APP 12.1 gives an individual the right to request access to their personal information. It provides:
Access
12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
There are some exemptions whereby the entity, being an agency or an organisation, holding the information does not have to give the individual access. APP 12.2 sets out exemptions for an agency, and APP 12.3 sets out exemptions for an organisation and therefore applies to Redimed. APP 12.3 provides:
Exception to access—organisation
12.3 If the APP entity is an organisation then, despite subclause 12.1, the entity is not required to give the individual access to the personal information to the extent that:
…
(b) giving access would have an unreasonable impact on the privacy of other individuals; or
…
(j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
If an entity refuses access, they should nevertheless take reasonable steps to provide access in a way that meets the needs of the parties. This is provided for in APP 12.5:
Other means of access
12.5 If the APP entity refuses:
(a) to give access to the personal information because of subclause 12.2 or 12.3; or
(b) to give access in the manner requested by the individual;
the entity must take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual.
If an entity refuses access to personal information, they must give a written notice to the individual which complies with APP 12.9:
Refusal to give access
12.9 If the APP entity refuses to give access to the personal information because of subclause 12.2 or 12.3, or to give access in the manner requested by the individual, the entity must give the individual a written notice that sets out:
(a) the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
(b) the mechanisms available to complain about the refusal; and
(c) any other matter prescribed by the regulations.
THE ISSUES IN DISPUTE
As I have outlined above, the Commissioner found that Redimed’s refusal to provide Mr AAQ with his personal information, and then providing that information in a redacted form, breached APP 12.1, 12.5 and 12.9.
Redimed is only appealing the Commissioner’s findings that it breached APP 12.1 (based on the exemption in APP 12.3(j)) and by implication the Commissioner’s finding that it breached APP 12.5. Redimed did not seek to challenge the Commissioner’s finding with respect to APP 12.3(b) (the redactions of the doctor or examiner’s name), stating that “the case isn’t about that” (transcript/3), although some submissions were subsequently made which I have addressed below. Redimed otherwise accepted the Commissioner’s determination. This included conceding that its policies and procedures caused it to contravene APP 12.9.
My understanding, from Redimed’s various written and oral submissions, was that it regarded the issue for determination in these proceedings as being whether Redimed breached APP 12.1 by redacting information from Mr AAQ’s medical assessment forms, and specifically whether:
·The redacted information, which comprised parts of the pre-employment assessment forms in the “Examiner comments” and “Doctor’s comments” sections, fell within the exemption in APP 12.3(j) (or indeed, whether the entirety of the unredacted forms fell within the exemption).
·Redimed breached APP 12.9 by providing a copy to Mr AAQ of his personal medical information with redactions, instead of providing the information in an unredacted format.
·Any further remedial action was required by Redimed.
Redimed requested that I make the following declarations under the Privacy Act:
·That the complaint was substantiated with respect to APP 12.9 (s 52(1)(b)(i));
·To dismiss the rest of the complaint (s 52(1)(a)); and
·That it would not be appropriate for Redimed to be required to undertake any further remedial action (s 52(1)(b)(iv)).
The Commissioner’s summation of the issues that I should determine were generally consistent with those made by Redimed. The Commissioner summarised the issues as follows (the “Complainant” referred to is Mr AAQ):
On the basis of the Applicant’s SFIC, the Respondent [Commissioner] considers the primary issues for the Tribunal’s consideration to be:
(a) whether the Applicant breached APP 12.1 and 12.5 in responding to the Complainant’s request for access to his pre-employment screening forms on 19 October 2018. This requires particular consideration as to whether the redacted pre-employment screening forms provided to the Complainant on 21 May 2019:
(i) fell within the exemption in APP 12.3(j) such that it concealed “evaluative information” generated within the Applicant in connection with a commercially sensitive decision-making process;
(ii) was a sufficient step for the Applicant to take in order to discharge its obligation to give access to the Complainant’s personal information in a way that meets the needs of the Applicant and the Complainant; and
(b) the nature of the remedial action that should be taken by the Applicant to ensure that its conduct is not repeated or continued.
This is in circumstances where the Applicant has not sought to disturb the Respondent’s findings in the determination to the extent that they relate to APP 1, 5, 12.3(b) or 12.9.
(Footnote omitted.)
I agree with the Commissioner’s summation of the issues which is a more detailed outline of the issues before me.
The Commissioner submitted that I should affirm the Reviewable Decision.
DID REDIMED BREACH APP 12.1?
As I explained above, APP 12.1 gives an individual, such as Mr AAQ, the right to request access to their personal information. However, there are exemptions whereby an entity does not provide access. The main area of dispute was with respect to APP 12.3(j), but I will also briefly address APP 12.3(b) below.
Redimed submitted that it did not have to provide Mr AAQ with access to the redacted personal information because the information falls within the exemption in APP 12.3(j). Indeed, in subsequent written submissions, Redimed submitted that all the pre-employment forms for Mr AAQ fell within the exemption in APP 12.3(j) to the extent that it did not have to provide Mr AAQ with anything at all in response to his request.
Redimed further submitted that the redacted information was “evaluative information” and that it was generated in accordance with two commercially sensitive decision-making processes. These were:
·Firstly, Redimed’s decision-making process as to what recommendation to make in relation to Mr AAQ; and
·Secondly, the prospective employer’s hiring decision in relation to Mr AAQ.
The Commissioner submitted that, having regard to the ordinary meaning of the words, the redacted information was almost entirely not “evaluative information”, and even if it could be regarded as such, it was not part of a commercially sensitive decision-making process.
The Commissioner also disagreed that there were two decision-making processes and submitted that the commercially sensitive decision-making process needed to be internal to the entity (in this case, internal to Redimed).
Does the exemption in APP 12.3(j) apply?
As I have outlined above, APP 12.3(j) contains an exemption whereby despite APP 12.1, an entity is not required to give the individual access to their personal information to the extent that giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
The “entity”
Mr AAQ requested his personal information from Redimed, and consequently the relevant “entity” is Redimed. Therefore, Redimed was not required to give Mr AAQ access to his personal information to the extent that giving access would reveal evaluative information generated within Redimed.
“Evaluative” information
The first question is therefore whether the redacted information was “evaluative information”.
“Evaluative information” is not defined in the Privacy Act, nor in the Australian Privacy Principle Guidelines, (the Guidelines), and there is no judicial consideration.
The parties agree that I should have regard to the natural and ordinary meaning of the words.
Redimed cited the definition of the verb “evaluate” from the online version of the Cambridge Dictionary (2023), which they submitted means “to judge or calculate …”. Redimed observed that the ordinary meaning of the adjective “evaluative” derives from the word “evaluate”.
Redimed submitted that, based on this definition: “It follows that the ordinary meaning of “evaluative information” is information used in the process of or in connection with a judgement or calculation (ie., an assessment)”.
Redimed did not, however, cite a definition of “evaluative” in reaching this conclusion, and with respect to Redimed, when the full definitions of “evaluate” and “evaluation” are considered, the ordinary meaning they proposed appears to be broader than the natural and ordinary meaning.
The complete definition in the Cambridge Dictionary is “to judge or calculate the quality, importance, amount, or value of something”.
The Cambridge Dictionary also defines the adjective “evaluative” as “involving judging or calculating the quality, importance, amount, or value of something”.
The noun, “information” is also defined as “facts about a situation, person, event …”.
The words “evaluative information” should be read together, whereby the adjective “evaluative” qualifies the definition of “information”.
The Guidelines also provide some assistance in this regard. With respect to the exemption in APP 12.3(j), the Guidelines state, at [12.61]:
… An example of evaluative information is a score card weighting system and score card result. The ground applies only to the evaluative information, and not to personal information on which a decision was based.
(Footnote omitted.)
The Commissioner, citing Drake and Minister for Immigration and Ethnic Affairs (No 2) (1979) 2 ALD 634 (Drake No 2) at 640 per Brennan J, stated that the Tribunal as the decision-maker will generally apply policy such as that contained in the Guidelines unless there are cogent reasons not to do so. Redimed submitted that the Guidelines “have no legal force or effect” (transcript/40). The Commissioner submitted that Brennan J’s comments in Drake No 2 concerned the use of policy in the exercise of discretion. However here, the Commissioner was asking the Tribunal to use the Guidelines as a statutory interpretation tool, which was an incorrect interpretation of Drake No 2. I agree with Redimed’s submission that the Guidelines should not be used to interpret the Privacy Act.
In the Preface to the Guidelines, the Commissioner stated, amongst other things, that the Guidelines have been prepared “to promote an understanding and acceptance of the Australian Privacy Principles (APPs) and the objects of those principles”. In the Guidelines the Commissioner further stated that: “The APP guidelines are not legally binding and do not constitute legal advice about how an entity should comply with the APPs in particular circumstances”. Thus, the Guidelines provide an outline of the relevant principles and provide clarification and examples of how the APPs may apply to specific circumstances, but they are not legally binding.
With that clarification in mind, it is my view that statement in [12.61] of the Guidelines (referred to above), is consistent with the legislation and I agree that the exemption applies to the evaluative information only and not to personal information, such as the medical history told to the examiner of doctor by Mr AAQ.
In my view, the Applicant’s suggested definition is broader than the natural and ordinary meaning suggested by the above dictionary definitions. If the Applicant’s definition is accepted, the implication is that all information considered by the examiner or doctor, including the medical history provided by Mr AAQ during the pre-employment screening process would fall within that definition and be exempt. Such a construction would result in all information in the pre-employment screening forms being redacted which would produce an irrational or unreasonable result. That finding about irrationality is further supported by reference to the objects in s 2A of the Privacy Act. Those objects include “to promote the protection of the privacy of individuals” and “to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities”. Further, that broad construction, which would have permitted all information filled out in Mr AAQ’s pre-employment assessment forms, does not accord with APP 12.1 which provides a right to the individual to access their personal information that is being held by an entity.
Based on this analysis, I find that evaluative information is information in the form of a qualitative or quantitative judgment or calculation by the examiner or doctor.
I now turn to the information that was redacted with respect to Mr AAQ that relates to the exemption claimed with respect to APP 12.3(j).
Before I do so, I will attempt to address a submission made by Redimed as to the approach I should adopt. Redimed submitted that it would be incorrect for me to only review the redacted information. Instead, they submitted that the correct approach is that I look at the unredacted entirety of Mr AAQ’s pre-employment medical information to decide whether giving access to the entirety of the information would reveal any evaluative information generated in connection with a commercially sensitive decision-making process. Specifically, Redimed stated that, “For example, it would be an error to conclude that, simply because the information redacted by an entity is not of itself evaluative information, that its disclosure within a given context would necessarily not reveal evaluative information”. With respect to Redimed, the submission is not clearly articulated. It may relate to their submission as to the natural and ordinary meaning of “evaluative information”, which I have rejected above. The central question concerns whether Redimed breached APP 12.1 and 12.5 in responding to Mr AAQs request for access to his personal information. The way they responded was to redact some of the personal information in the forms. It is therefore my view that it is appropriate to look at the specific information that was redacted.
In the form titled “Medical Summary”, the following “Examiner Comments” were deleted (T25/135):
Left hand fracture 2010, workers comp, resolved
Mild high fz hearing loss, meets driver requirements
In a form titled “Medical History”, the following “Examiner Comments: (Please comment on all YES answers)” were deleted in “Section 4 – General Health” (T25/137):
Hospital hand as below
Stitches to head, rugby, nil concussion or overnight stays, 20 years ago. No ongoing issues.
In the same form under “Section 5: Occupational Health”, the following “Examiner Comments: (Please comment on all YES answers)” were deleted (T25/137):
Left broken hand 2010, surgical plate, 3rd metacarpal, hand therapy post op, resolved
Again, in this form, under “Section 6: Musculoskeletal Health”, the following comments of the same description were deleted (T25/138):
As above
Hernia umbilical 2005, surgically repaired, resolved
In “Section 12: Fatigue & Heat Management” the comment of “Nil issues” was deleted (T25/140).
In “Section 14: Vaccination History” the comment “2017” was deleted (T25/141).
In another form titled, “Driver Health Questionnaire”, in response to the question, “Have you ever had any other serious injury, illness, disability, operation or accident or been in hospital for any reason? (please describe)” the following “Doctor’s comments” were deleted (T25/145):
Surgery for left hand fracture and umbilical hernia. No ongoing issues.
Under the heading “6. Alcohol” the following “Doctor’s comments” were deleted (T25/146):
AUDIT score 2.
In a “Functional Assessment” form, in the section titled, “Risk rating”, the following “Comments/Recommendations” were redacted. I have removed the name of the occupation because it may assist in identifying Mr AAQ:
Met all requirements for [name of occupation]. Low risk
Good general physical capacity
I will now turn to whether any of the redacted information was “evaluative information”. I find that:
·“AUDIT score 2” is evaluative information because it was a quantitative score given by the doctor based on their professional judgement.
·“Met all requirements for [name of occupation]. Low risk Good general physical capacity” meets the definition of evaluative information. Whether Mr AAQ met the requirements for a specific occupation involved a value judgment by the doctor assessing him. An assessment as to the risk rating is also a qualitative assessment made by the assessing doctor. Therefore, this was an overall assessment of Mr AAQs physical capacity.
·The redacted information that Mr AAQ “meets driver requirements” was based on a qualitative assessment made by the assessing doctor, despite Mr AAQ having a heavy vehicle driver’s licence. This is because he was being assessed for a particular job that evidently had driving requirements. The wording used, that Mr AAQ “meets driver requirements” necessarily involved a qualitative judgement otherwise a factual statement, such as, “has heavy vehicle driver’s licence” would likely have been noted instead.
In summary, they were qualitative or quantitative judgments or calculations by the examiner or doctor as to whether specific requirements were met for the specific role Mr AAQ was applying for, and value judgements as to risk and capacity based on the assessor’s professional judgement.
Further, I find that all the other redactions that I described above were not redactions of “evaluative information” and therefore did not fall within the exemption in APP 12.3(j). I will refer to these redactions as the Non-exempt Redactions. Rather, the Non-exempt Redactions comprised the medical history given to the doctor by Mr AAQ. That is, the doctor or examiner had recorded the factual history recounted by Mr AAQ and there was nothing evaluative about it and no judgement was required or evident in the words stated. For completeness, I find that the Non-exempt Redactions include the comments about issues being “resolved” or reference to there being “no ongoing issues”. The context in which those comments appear indicate that they were not value judgements made by the doctor or examiner, but rather were self-reporting by Mr AAQ that he no longer suffered from those issues.
“Generated”
I agree with the Commissioner’s submission that the information in the Non-exempt Redactions was not “generated” within Redimed. The Cambridge Dictionary defines the verb “generate” to mean “to cause something to exist”. Redimed did not cause this information to exist. Rather, it existed because of the self-reporting of the information by Mr AAQ. In contrast, the redacted information that was “evaluative information” was generated within Redimed because it comprised a value judgement made by the examiner or doctor working for Redimed.
“Commercially sensitive decision-making process”
I now turn to whether the evaluative information was generated in connection with a commercially sensitive decision-making process.
There was no dispute, and consequently no submissions, about the meaning of a “decision-making process”. The steps involved in Redimed’s decision-making process were set out in detail in the witness statement of EM, who is the Operations Manager/ Manager – Health Screenings for Redimed (A1). This decision-making process involves Redimed conducting a pre-employment screening of a prospective candidate which culminates in “an overall evaluation and assessment of the candidate as well as a recommendation about the candidate’s risk level for the particular role against which they are being assessed on that day” (A1/[29]). I do not have any evidence about any decision-making process of the prospective employer, other than to observe there would have been one because they ultimately decided not to hire Mr AAQ.
The parties disagreed as to whether APP 12.3(j) is referring to the decision-making process of the entity only, or whether it could extend to the decision-making processes of a third party. In this case, the dispute concerned whether it is only a decision-making process of Redimed that falls within APP 12.3(j), or whether a decision-making process of an employer who has engaged Redimed to conduct a pre-employment assessment is also included in the exemption. My view is that “a commercially sensitive decision-making process” uses the indefinite article, “a” and therefore the decision-making process is not specific to Redimed and could also include a commercially sensitive decision-making process of a third party, in this case the employer who engaged Redimed to conduct the assessment of Mr AAQ.
The Applicant also submitted that “commercially sensitive” attaches only to the “decision-making process” and not to the “evaluative information”, and consequently that judicial authorities in relation to the expression “commercially sensitive” are of no assistance because they relate to whether, for example, documents contain commercially sensitive information. I agree that commercially sensitive relates to the decision-making process, but I would add that the “evaluative information” is also linked to that process. The words, “in connection with” form a conjunction between the “evaluative information generated within the entity” and “a commercially sensitive decision-making process”. The result is that APP 12.3(j) provides that if the evaluative information would reveal details of a commercially sensitive decision-making process, then the evaluative information does not have to be disclosed. There is a necessary link between the two, and without that link, APP 12.3(j) is illogical. Thus, judicial authorities in relation to the expression “commercially sensitive” may be of some assistance.
The parties also disagree as to the meaning of “commercially sensitive”. Those words are not defined in the Privacy Act, in the Guidelines, nor in judicial authorities concerning the Privacy Act.
The Applicant submitted, based on their consideration of the separate definitions of “sensitive” and “commercial” from the Cambridge Dictionary, that a “commercially sensitive decision-making process” is:
…a decision-making process related to a business and its activities that is:
(a)easily influenced or affected; or
(b)needs to be dealt with carefully or kept secret; or
(c)both.
The Commissioner submitted that the definition of “a commercially sensitive decision-making process” should be as follows:
… for the decision-making process to be “commercially sensitive” … it should involve commercially valuable information, the value of which would be diminished if the information were disclosed.
The Commissioner based this definition on legal authorities that I will now outline.
The Commissioner referred to ‘ZN’ and a School (Privacy) [2021] AICmr 95 (17 December 2021), in which the Commissioner considered whether exemptions in 12.3, including 12.3(j), applied. The Commissioner stated, at [60]:
For something to be commercially sensitive, the decision-making process should involve commercially valuable information, the value of which would be diminished if the information were disclosed. For example, decisions about proposed projects that, if disclosed, would place the entity at a commercial disadvantage.
The Commissioner also referred to the Australian Charities and Not-for-profits Commission “Commissioner’s Interpretation Statement: Commercially sensitive information” (CIS 2016/01). That statement “sets out the general approach the ACNC will take in considering such applications and determining whether commercially sensitive information should be withheld or removed from the Register”. The statement provides the following guidance, at [2.2]:
The ACNC generally understands commercially sensitive information to be any information of a confidential nature which has commercial value that would be reduced if the information was disclosed. This definition largely reflects the exemption set out in section 47(1) of the Freedom of Information Act 1982 (Cth) and the current understanding as shown in the case law.
Further, the Commissioner referred to the Attorney-General’s Department, Factsheet 14 – commercially sensitive information, Foreign Influence Transparency Scheme. The Factsheet provides the following definition:
Commercially sensitive information is information of a confidential nature that has commercial value that would be reduced if the information was disclosed. Commercially sensitive information covers information contained in commercial contracts that would cause detriment to the parties or expose sensitive information relating to a company’s operations, expenditure or employees if it was revealed.
The Commissioner also referred to s 47(1) of the Freedom of Information Act 1982 (Cth) (FOI Act). That section provides:
Documents disclosing trade secrets or commercially valuable information
(1)A document is an exempt document if its disclosure under this Act would disclose:
(a) trade secrets; or
(b) any other information having a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if the information were disclosed.
(My emphasis.)
The wording of s 47(1)(b) of the FOI Act is similar to the definitions in the other legal sources that I have just outlined above, and I note that the FOI Act is referred to in the CIS 2016/01. The Office of the Information Commissioner, FOI Guidelines: Guidelines issued by the Australian Information Commissioner under s 93A of the Freedom of Information Act (FOIGuidelines) (page 38) provide the following Guidance with respect to whether information has a “commercial value”:
The following factors may assist in deciding in a particular case whether information has commercial value:
• whether the information is known only to the agency or person for whom it has value or, if it is known to others, to what extent that detracts from its intrinsic commercial value
• whether the information confers a competitive advantage on the agency or person to whom it relates — for example, if it lowers the cost of production or allows access to markets not available to competitors
• whether a genuine ‘arm’s-length’ buyer would be prepared to pay to obtain that information
• whether the information is still current or out of date (out of date information may no longer have any value)
• whether disclosing the information would reduce the value of a business operation or commercial activity — reflected, perhaps, in a lower share price
(Footnotes omitted.)
Redimed submitted that I should not rely on these authorities for reasons including that those decisions were about the disclosure of documents in different statutory contexts.
However, I am not satisfied that separate dictionary definitions of “sensitive” and “commercial” when added together offer the best insight into the natural and ordinary meaning of the phrase “commercially sensitive”, which is sometimes used as a term of art in business and law. I therefore do think it is relevant to consider the phrase in a legal sense.
These legal sources are based, at least in part, on caselaw concerning the words “commercially sensitive”, albeit in different statutory contexts. They are nevertheless of assistance in determining the natural and ordinary meaning of the words in a business and legal context. I find that the consideration in the above legal sources of the phrase “commercially sensitive” is likely to provide a better indication of the meaning than adding together the separate dictionary definitions of “sensitive” and “commercial”.
I therefore find that “a commercially sensitive decision-making process” is a process whereby, if evaluative information was disclosed, that evaluative information would disclose a commercially sensitive decision-making process of the entity (Redimed) or a third party entity (the prospective employer of Mr AAQ). That is, the evaluative information needs to relate to, and in some way reveal and potentially compromise the value of, aspects of a decision-making process. Such a disclosure may have the effect of damaging the commercial interests of the entity because, for example, confidential details of that decision-making process (such as the unique design, model, or methodology of that decision-making process) which have a commercial value may be available to competitors and therefore its value may be diminished.
Regarding the relevance of confidentiality, Redimed disagreed that the decision-making process must be confidential or have an element of confidentiality, and further disagreed that the evaluative information must be confidential (transcript/20-21). Redimed referred to other sections of the Privacy Act which referred to “confidential commercial information” (including s 33(2)(k) and s 33B(2)(iv) of the Privacy Act). Redimed submitted that the difference in the wording in APP 12.3(j) which did not refer to confidentiality, indicated that confidentiality was not necessary. With respect, I do not accept this submission. A commercially sensitive decision-making process necessarily requires confidentiality. By implication it would not be “commercially sensitive” if it was not confidential. A similar observation can be made about the relevance of “value”. For a decision-making process to be commercially sensitive, the decision-making process must, by implication, have a value that could be damaged by the disclosure of information.
None of the redactions that fell within the definition of “evaluative information”, (namely, “AUDIT score 2”; “Met all requirements for [name of occupation]. Low risk Good general physical capacity”; and “meets driver requirements”), if released to Mr AAQ, disclosed a commercially sensitive decision-making process of Redimed or the employer entity. There is no evidence that, if details of Redimed’s decision-making process were revealed, Redimed’s business may be damaged, Redimed may lose a competitive advantage, or the value of Redimed’s pre-employment screening assessments would be reduced. There is no evidence that confidential practices and procedures regarding how candidates are assessed by the employer entity would be revealed or compromised.
Redimed’s situation is different from that of the insurance company in C v Insurance company [2006] PrivCmrA 3, which Redimed submitted was a “clear analogue” (transcript/18-19). In that decision the Privacy Commissioner found, with respect to a similarly worded exemption in the now superseded National Privacy Principle 6.2 (whereby an organisation could “withhold access to information where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process”), that some of the documents, if released to the complainant would reveal commercially sensitive information. The Commissioner explained:
These documents described the type of information the insurance company considered important in assessing insurance claims during an investigation. In the case of these documents the Commissioner considered the organisation could rely on National Privacy Principle 6.2.
Thus, the insurance company’s documents, if disclosed, would reveal confidential information as to the underwriting methodology of assessing claims during an investigation process. That is, confidential details of the process through which an insurance company takes on a financial risk, may be revealed. However, even when Mr AAQ’s documents are viewed in totality without any redactions, they do not reveal any unique or confidential methodology associated with Redimed’s decision-making process that may be of a commercially sensitive nature, or indeed those of the prospective employer of Mr AAQ. Practically speaking, it is not obvious on the face of the documents or from the redacted information as to the methodology upon which the doctor or examiner noted Mr AAQ met the driver requirements, decided that he met the requirements for the specific role he was applying for (or what those requirements were) or the methodology by which the assessor formed the “Audit Score 2”, and even what that score meant.
Indeed, there is insufficient evidence to suggest that Redimed’s decision-making process is commercially sensitive at all. For example, there is no evidence of any unique design, model, or methodology in Redimed’s decision-making process that might have a commercial value. There is also no evidence upon which to conclude that any decision-making process of AAQ’s prospective employer was commercially sensitive because there is no evidence about their process of deciding whether to hire a candidate.
I therefore find that the exemption in APP 12.3(j) did not apply to any of the redactions made by Redimed. Mr AAQ should have been provided with his personal information without any of these redactions. Consequently, I find that Redimed breached APP 12.1.
Does the exemption in APP 12.3(b) apply?
In several of Mr AAQ’s pre-employment medical assessment forms, the name of the doctor was redacted.
The Commissioner also submitted that there is no evidence that including the name of the doctor in the medical report would have an unreasonable impact on that person’s privacy. Therefore, Redimed could not claim the exemption in APP 12.3(b). Thus, even if I were to find that the information included in the examiner or doctor’s comments fell within the exemption in APP 12.3(j), the breach of APP 12.3(b) remains, and I find there was still a breach of APP 12.1.
In response to this submission from the Commissioner, the Applicant submitted that APP 12.1 is limited to personal information about the individual and that information about other people does not fall within its nominal scope. Therefore, Redimed submitted, there was no need to rely on APP 12.3(b).
In my view, the name of the doctor or examiner who assessed or commented on Mr AAQ’s medical information forms part of the “personal information about an individual [Mr AAQ]” referred to in APP 12.1 because those practitioners undertook the various assessments of Mr AAQ. There is no evidence that giving access to those names “would have an unreasonable impact on the privacy of those individuals”, and indeed they are likely to have provided their names to Mr AAQ when they conducted his assessments.
I also find that the exemption in APP 12.3(b) did not apply to the redactions made to the doctor or assessor’s names. Consequently, I find that Redimed breached APP 12.1 by redacting this information.
DID REDIMED BREACH APP 12.5?
As I outlined above, APP 12.5 provides for other means of access if an APP entity refuses to provide access.
The Commissioner submitted that Redimed breached APP 12.5 because there was no evidence of any steps taken to give Mr AAQ access to his personal information in a way that met the needs of the parties prior to the OAIC’s involvement, noting the expectations set out in chapter 12 of the Guidelines paras [12.70]-[12.71], which state that reasonable steps should be taken within 30 calendar days where practicable to give access in a way that meets the needs of both parties, and that Redimed did not contact Mr AAQ to try to satisfy his request.
As I have noted, Redimed submitted that all Mr AAQs pre-employment assessment forms (which they referred to as the “AAQ Report”) fell within the exemption in APP 12.3(j) so that they did not have to give Mr AAQ access to the information at all. However, Redimed conceded that, “if the Tribunal considers that some parts of the AAQ Report did not fall within the scope of APP 12.3, then Redimed concedes that it breached APP 12.5 but that its breach was limited to its delay in providing AAQ with the redacted AAQ Report (i.e., it says that providing the Redacted AAQ Report satisfied APP 12.5).”
After considering these submissions, I find that Redimed breached APP 12.5 when it provided Mr AAQ with the redacted copy of his pre-employment screening forms on 19 October 2018. Redimed did not provide Mr AAQ with an unredacted copy until seven months later as part of an early resolution process of the OAIC. There is no evidence that Redimed contacted Mr AAQ to work with him to try to satisfy his request in a way that met both parties’ needs.
THE NATURE OF THE REMEDIAL ACTION
Redimed submitted that no further remedial action was required because it had updated its privacy policy, had made changes to its responses to candidates and had a proposal to implement a two-stage assessment process whereby any evaluation of medical information will be included in a separate report that would be provided to candidates who requested their personal information.
The Commissioner contended that the remedial steps outlined in the Commissioner’s determination were correct or preferable. This was because, the Commissioner submitted, Redimed had, and continued to have, insufficient compliance procedures, policies and/or processes in place to effectively deal with Mr AAQ’s request for his personal information and/or future requests of that kind.
The Commissioner stated that the only remedial action that Redimed had in fact undertaken was to update its privacy policy (A1, para [43] and EM-9). Amongst other submissions, the Commissioner stated that Redimed apparently considered that similar redactions could be made in the future when responding to similar future requests for personal information. This was evidenced by EM’s evidence that Redimed had formalised a response to future requests for personal information for use on every occasion, together with a proposal to include information that it deemed to be evaluative in a separate form that would not be provided to the candidate (A2, paras [8] and [9]). This suggested that Redimed intended to redact the same information in every case and would not consider the contents of the medical assessment reports on each occasion. The Commissioner submitted, in summary, that this was illustrative that Redimed continued not to understand its obligations under the Privacy Act.
I acknowledge that Redimed has taken some remedial action by:
·Updating its privacy policy to include information for individuals who are not satisfied with the outcome of a privacy request.
·Proposing a formalised response for every individual who requests their personal information, which states that the individual can be provided with a redacted copy of their results which “will not include the examiner assessment or other evaluative information generated within Redimed in connection with a commercially sensitive decision-making process”.
·Proposing a two-stage process whereby the medical history and data collection will be in one report, and the doctor or examiner’s evaluation and assessment will be in another report.
I appreciate that Redimed has proposed these changes based it its understanding of its obligations under APP 12.1, 12.3 and 12.5. However, as I have outlined above, Redimed has misunderstood those obligations. That was demonstrated by the bulk of the submissions as to the construction of the exemptions in issue, including the submission that the entirety of Mr AAQs pre-assessment medical forms were exempt under APP 12.3(j) and did not have to be provided to him at all.
I am concerned that the proposed standard response (which simply repeats the wording of APP 12.3(j)), and the two-stage process where the same information is divided between two reports, produces the same result as in the current application. That is, the same personal information would be redacted or not provided to the individual when it should be provided. It is a slightly different formulation of the type of conduct that resulted in the breaches of APP 12.1, and 12.5 in the first place.
I am therefore satisfied that the remedial action proposed by the Commissioner in Declarations 2 through to 6 (T2/25) is appropriate.
I provide the following clarifications for the avoidance of any doubt in the implementation of my decision:
·In Declaration 2, “the date of the determination” is now the date of my decision in this application.
·Any extension of time request, as contemplated in Declaration 6, should be made to the Commissioner and not to this Tribunal, because from the time I deliver this decision the Tribunal is functus officio.
CONCLUSION
In summary, I have made the following findings for the reasons given above:
·The exemptions in APP 12.3(b) and APP 12.3(j) did not apply to the personal information.
·Therefore, Redimed breached APP 12.1 by refusing to give Mr AAQ access to his personal information.
·Redimed also breached APP 12.5 by failing to take reasonable steps to provide Mr AAQ access to his personal information in a way that met the needs of the parties.
·Although it was not in dispute and was conceded by Redimed, for the avoidance of any doubt, I find that Redimed breached APP 12.9 by failing to give Mr AAQ a written notice setting out matters including mechanisms to complain about the refusal.
·The nature of the remedial action proposed by the Commissioner in Declarations 2 through to 6 is appropriate.
DECISION
The Reviewable Decision is affirmed.
...............[Sgd]...........................................
Associate
Dated: 19 January 2024
Date of hearing:
Date final submissions received:
1 June 2023
10 August 2023
Representative for the Applicant: Mr N Burmeister instructed by Mr M Stutley, Kingston Reid Representative for the Respondent:
Ms C Campbell, HWL Ebsworth
Key Legal Topics
Areas of Law
-
Administrative Law
-
Statutory Interpretation
Legal Concepts
-
Judicial Review
-
Procedural Fairness
-
Statutory Construction
-
Remedies
-
Standing
0
0
0