Waters v Transport for NSW

Civil and Administrative Tribunal

New South Wales

• Amendment notes

Medium Neutral Citation:	Waters v Transport for NSW [2018] NSWCATAD 40
Hearing dates:	20 October 2016, 19 May 2017, 18 August 2017.Last submissions 23 October 2017.
Date of orders:	15 February 2018
Decision date:	15 February 2018
Jurisdiction:	Administrative and Equal Opportunity Division
Before:	J McAteer, Senior Member
Decision:	1) The decision of the respondent is set aside.   2) Pursuant to section 55 (2) (b) of the Privacy and Personal Information Protection Act 1998, the respondent is to refrain from the conduct in breach of Information Protection Principle 1 concerning any collection of personal information relating to travel movement history of the applicant in contravention of section 8 (1) (b) of the Act.
Catchwords:	ADMINISTRATIVE Law - PRIVACY – Personal Information – Whether reasonably necessary to collect information for allied purpose – Right to anonymous travel - Travel History -– Purpose of collection unrelated to collection – Purpose of collection unrelated to use – General right to privacy.
Legislation Cited:	Administrative Decisions Review Act 1997 Civil and Administrative Tribunal Act 2013 Health Record Information Privacy Act 2002 Passenger Transport Regulation 2007 (Repealed) Privacy Act 1988 (Cth) Privacy and Personal Information Protection Act 1998 State Records Act 1998
Cases Cited:	AFW v WorkCover Authority of New South Wales [2013] NSWADT 133 AIN v Medical Council of New South Wales [2017] NSWCATAP 23 ALZ v WorkCover NSW [2015] NSWCATAP 138 APV and APW v Department of Family and Community Services [2015] NSWCATAD 140 Barton v Armstrong [1973] 2 NSWLR 598 Crescendo Management Pty Ltd v Westpac Banking Corporation (1988) 19 NSWLR 40 CRP v Department of Family and Community Services [2017] NSWCATAD 164 DAB v Byron Shire Council [2017] NSWCATAD 104 Durant v Financial Services Authority [2003] EWCA Civ 1746 Edem v The Information Commissioner, The Financial Services Authority [2014] EWCA Civ 92. EG v Commissioner of Police, NSW Police Service [2003] NSWADT 150 FM decisions - Vice-Chancellor, Macquarie University v FM (No.2) (GD) [2004] NSWADTAP 37 GA v Department of Education and Training & NSW Police (No 2) [2005] NSWADT 10 JD v New South Wales Medical Board [2008] NSWADT 67 Mulholland v Australian Electoral Commission [2004] HCA 41 NR and NP v Roads and Traffic Authority [2004] NSWADT 276 Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 SW v Forests NSW [2006] NSWADT 74 Tofilau v The Queen (2007) 231 CLR 396. TV Shopping Network v Scutt (1998) 43 IPR 451 WL v Randwick City Council (No 2) [2010] NSWADT 84 Y v Director General, Department of Education & Training [2001] NSWADT 149
Texts Cited:	Guide: What is Personal Information OAIC May 2017 Fact Sheet: Reasonably Ascertainable identity January 2017 FS 2017/001 Office of NSW Privacy Commissioner IPC Privacy NSW Guide to IPP’s 1999
Category:	Principal judgment
Parties:	Nigel Waters (Applicant) Transport for NSW (Respondent)
Representation:	Solicitors: N Waters, Applicant (Self Represented) NSW Crown Solicitors Office (Respondent) Privacy Commissioner (Interested Party)
File Number(s):	2016/00378056, 1610285
Publication restriction:	Pursuant to section 64 (1) of the Civil and Administrative Tribunal Act 2013 publication of the name of the applicant is prohibited.

Reasons for decision

What these proceedings are about

1. These proceedings concern whether the requirements of Transport for NSW in respect of electronic (Opal) ticketing for public transport concession entitlement holders contravene an Information Protection Principle (IPP) under the Privacy and Personal Information Protection Act 1998 (the PPIP Act). The dominant concern is that the introduction of electronic ticketing removed the ability of certain concession entitlement holders to travel anonymously under that entitlement, with their movements tracked by the respondent agency (as an arm of the Government), contrary to the privacy protections of citizens under the PPIP Act. One issue is whether the collection of personal information for that purpose is reasonably necessary having regard to the stated purpose that the information is collected.

Background

2. On 2 May 2016 the applicant filed an application for administrative review with the Tribunal. That application concerned how the respondent had dealt with the applicant’s request for Internal Review under the PPIP Act. In that Internal Review application the applicant had made a general policy type complaint about the reasonable necessity to collect certain information at the time that Gold Opal cards are registered. However it is clear that at some time this personal information was collected from the applicant (in order for him to register his Gold Opal card), and that when using consequential on the use of the card, the applicant’s travel movements were collected by the respondent. As a result the applicant agitated a breach of section 8 (IPP 1) of the PPIP Act in respect of his personal information.

3. CNS is the applicant’s pseudonym. The Tribunal has de-identified the applicant’s name from any open reasons consistent with the practice of the Tribunal in privacy reviews. This is an application for a review of the conduct of the Respondent Public Sector Agency, which was subject to an Internal Review application under Part 5 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act).

4. The applicant has attained the age of 60 years and as a result is eligible (as a Senior) for a Gold Opal Card which entitles him to a reduced tariff for daily travel on public transport. Prior to the introduction of the Opal Electronic ticketing system Seniors could access similar concessions by purchasing paper tickets from a vendor. Whilst those tickets were sold and were to be used subject to legal conditions there were apparently no limitations on their purchase, only on their use.

5. The evidence before the Tribunal indicates that batches of tickets for future use could be purchased and no checks were conducted or verification carried out at point of sale. The system appeared to focus on verifying eligibility of the user when the ticket was in use (by inspectors) and other compliance checks at entry and exit points and on trains, buses and ferries during the journeys. Under the current electronic ticketing system, some concession holders are required to register their tickets with the respondent. The Seniors category falls into this group.

6. The applicant’s general grievance is that this change in the policy has introduced an effective form of surveillance over his ingress and egress within the relevant parts of the State by the lack of any equivalent option for anonymous travel. The applicant ties this grievance to various IPP’s but predominantly his grievance is that the ‘requirement’ of collection of his personal information is not reasonably necessary for the unstated purpose of travel on public transport as an eligible Senior. This central argument equates to a breach of IPP 1 and as a result is contrary to the requirements in s 8 of the PPIP Act.

The relevant legislation

7. These proceedings will traverse a number of threshold requirements in the PPIP Act in order to ascertain whether the decision of the respondent should be affirmed, varied or set aside. Due to the complexity of the issues in these proceedings and the broad public interest matters that may arise in my view the appropriate course is to address all of the potential legal privacy issues irrespective of whether a threshold question might otherwise determine the matter conclusively.

8. This approach is consistent with the view of the parties as agreed as the case developed over the course of the hearing. It also acknowledges that many of these issues would appear (from the evidence before the Tribunal) to have only been considered for the first time due to the applicant raising them. This is not a critical comment concerning the respondent, rather an observation as to how the respondent’s case developed and changed over the 12 months of hearings and adjournments for further evidence and submissions as the arguments before the Tribunal developed.

9. The PPIP Act defines personal information at s 4. The requirement that the data meets the personal information definition is the precondition to coverage under the PPIP Act. This (s 4) requirement in the current matter extends to the nature of the data or information subject to the claimed breach. Section 4 provides:

4 Definition of “personal information”

(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

(2) Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.

(3) Personal information does not include any of the following:

(a) information about an individual who has been dead for more than 30 years,

(b) information about an individual that is contained in a publicly available publication,

(c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,

(d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,

(e) information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure,

(f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,

(g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,

(h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,

(i) information about an individual that is contained in Cabinet information or Executive Council information under the Government Information (Public Access) Act 2009,

(j) information or an opinion about an individual’s suitability for appointment or employment as a public sector official,

(ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000,

(k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.

(4) For the purposes of this Act, personal information is held by a public sector agency if:

(a) the agency is in possession or control of the information, or

(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or

(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.

(5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.

10. Section 4(3) (above) contains 12 exemptions to the definition of personal information. In my view none of those exemptions arise in the current proceedings.

11. As indicated at paragraph 7 above, a number of threshold requirements apply to privacy determinations under the PPIP Act. Having established preliminary jurisdiction (that the breach occurred in or originated from New South Wales) the first of these requirements relates to whether the information at the centre of the grievance constitutes personal information as defined in the PPIP Act. I will return to this matter but first need to establish preliminary jurisdiction in the Tribunal.

12. The PPIP Act provides that privacy grievances involving New South Wales public sector agencies can be dealt with by way of an internal review. An internal review has various statutory pre-conditions or requirements as set out at Part 5 and specifically s 53 of the PPIP Act. An internal review takes the form of a fact-finding investigation whereby the reviewer accumulates evidence and material to the extent necessary to make a factual finding concerning the alleged conduct (the conduct under review) and then applies those findings to the relevant provisions of the PPIP Act. After considering the statutory provisions and the availability (or otherwise) of various exemptions, the reviewer then makes a series of findings in respect of the IPP’s and any ensuing recommendations as and where appropriate.

13. Section 53 (6) of the PPIP Act provides guidance on the appropriate timeframes for conducting an Internal Review. Whilst the PPIP Act does not specify a strict time, it uses the words that 'the review must be completed as soon as is reasonably practical'. In addition it provides that if the review is not completed within 60 days, the applicant/complainant may apply to the Tribunal for a review of the conduct concerned.

14. It is uncontroversial between the parties that the applicant made a valid application for internal review under Part 5 of the PPIP Act. The Internal Review response dated 5 April 2016 from the respondent refers to the applicant’s request for an internal review of conduct under the Privacy and Personal Information Protection Act 1998 dated 3 February 2016. The review was therefore in writing and appears in conformity with the provisions of s 53.

53 Internal review by public sector agencies

(1) A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.

(1A) There is no entitlement under this section to the review of the conduct of a Minister (or a Minister’s personal staff) in respect of a contravention of section 15 (Alteration of personal information).

Note. Any such conduct can still be administratively reviewed by the Tribunal. See section 55 (1A).

(2) The review is to be undertaken by the public sector agency concerned.

(3) An application for such a review must:

(a) be in writing, and

(b) be addressed to the public sector agency concerned, and

(c) specify an address in Australia to which a notice under subsection (8) may be sent, and

(d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and

(e) comply with such other requirements as may be prescribed by the regulations.

15. I make these observations because the Tribunal has not been provided with a copy of the actual internal review application, however during the course of the proceedings the applicant provided written material which detailed the terms of his initial privacy grievance.

16. The application for administrative review was lodged on 2 May 2016. The application attached the completed internal review (report) from the respondent and included the following grounds in the application:

TfNSW have reached an incorrect decision on my complaint about a breach of the Privacy and Personal Information Protection Act 1998, partly due to a misunderstanding of the basis of my complaint, and partly due to misinterpretation of the requirements of the Information Protection Principles. They have also failed to take into account of views expressed to them by the Privacy Commissioner which can be considered supportive of my complaint.

Jurisdiction

17. Based on the above history I am satisfied that the Tribunal has jurisdiction to determine the matter under section 55 (1) of the PPIP Act.

55 Administrative review of conduct by Tribunal

(1) If a person who has made an application for internal review under section 53 is not satisfied with:

(a) the findings of the review, or

(b) the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.

18. Section 55 lists a number of other matters concerning an administrative review by the Tribunal. The remainder of the section relevantly provides:

55 Administrative review of conduct by Tribunal

(1) ….

(1A) ....

(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:

(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c) an order requiring the performance of an information protection principle or a privacy code of practice,

(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f) an order requiring the public sector agency not to disclose personal information contained in a public register,

(g) such ancillary orders as the Tribunal thinks appropriate.

(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.

(4) The Tribunal may make an order under subsection (2) (a) only if:

(a) the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and

(b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.

…

(6) The Privacy Commissioner is to be notified by the Tribunal of any application for an administrative review. The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to an administrative review.

The remaining sections of s 55 are not relevant to the issue in these proceedings.

The initial review

19. The respondent summarised the application in their internal review report. The initial privacy internal review request included in summary:

• The justification for collection of personal information for Gold Opal cardholders appears to be to enhance the ability to verify entitlement through data matching.

• This policy approach is discretionary as it is not applied to young people travelling on a concession entitlement.

• In order to justify the ‘reasonably necessary’ test under s 8 TfNSW would need to support the approach by significant evidence of abuse of seniors’ entitlements.

• Mere administrative convenience or efficiency should not be a sufficient reason for mandating registration, having major privacy implications.

• Other jurisdictions provide anonymous travel for entitlement based discounts.

• Assurances about the management of the data are irrelevant to the s 8 reasonably necessary (to collect) argument.

20. The review summarised the OPAL Electronic Ticketing System and the Opal Card in the following manner in their response :

All Opal Cards can be registered, however travelling on a full fare Adult or half fare Child/Youth Opal Card are not required to register the card.

When a customer registers an Opal Card, a customer profile is created and linked to the card. In creating a customer profile, the customer is required to provide their title, first name, last name and address. The customer profile is stored on the Customer Relationship Management Database.

21. In the internal review the respondent addressed the privacy legislation and the relationship with the Opal Privacy Policy. Of note is the fact that the respondent was satisfied that the information in question constituted personal information under the PPIP Act.

22. Later at hearing the respondent resiled from this position and argued that the information was not personal information, in contradiction to the published Opal Privacy Policy. The reviews stated:

I am satisfied that the information collected for the purpose of obtaining and registering an Opal Gold Card is within the definition of ‘personal information’ for the purpose of the PPIP Act.

23. The review identified that s8 (IPP 1) was the relevant issue in the applicant’s grievance and provided the following information from their Opal Privacy Policy (OPP):

4.2 Our collection of information

The nature of the personal information that we collect under the Opal Ticketing System and the way that we collect it depends on the type of Opal card, how a customer acquires, adds value to or uses the Opal card, and whether the Opal card is registered.

In relation to registered and/or concessional Opal card holders, we only collect information that is reasonably necessary for the purpose of providing and managing the Opal Ticketing system having regard to the Card type. Before using the information, we take reasonable steps to ensure that it is relevant, correct, not misleading and up to date having regard to the purpose for which it is to be used. However, we rely on customers to provide us with accurate and up to date personal information. Information provided in support of an application for certain categories of concessional Opal cards is validated by or on behalf of us.

[paragraph 4.2]

24. The respondent observed that the Opal Gold Card is different from other types of concession cards in that it was not only age based, but also employment based, in that a holder could only work a minimum number of hours per week. The respondent rejected the applicant’s assertion that evidence of significant abuse of the travel entitlements was necessary to justify the reasonable necessity of the collection of personal information by way of mandated registration. The respondent found that:

The collection of personal information for the purpose of registering the Gold Card would appear to be reasonably necessary for the purpose of regulating the types of tickets and other ticketing arrangements.

25. The respondent went on to outline their ‘understanding’ as to how the information was recorded and linked.

…, as I understand the system, personal information in not being accessed at the transaction point as it is not possible to identify the individual from this information alone.

For all Opal Cards, information is transferred from the Opal reader to the Customer Relationship Management Database within a couple of hours of the transaction being recorded.

26. The respondent concluded that the travel patterns of registered and unregistered cards could be requested in specific circumstances (permitted by law including privacy law) and that such a history can only be accessed and assessed sometime after the person has used their Opal Card. As the accessing of the applicant’s information was never alleged that aspect was not addressed, and the respondent concluded that there had been no breach of s 8 (IPP 1) of the PPIP Act.

The hearing before the Tribunal

27. Following an initial Case Conference in July 2016 the matter was set down for hearing in October 2016, initially for one day. As the arguments of the parties developed and there was a desire to lead higher quality evidence by the respondent, the matter was eventually heard over three days. The matter was protracted due to the need for the parties to consider the second suite of evidence filed in late 2016 following the October hearing, and then decide to proceed further with testing of that evidence at hearing. Timetables were set between these further hearings for the filing and serving of submissions and material in reply. At all times the Tribunal was conscious of the need to resolve the matter in a timely manner and the significance of the guiding principle applying to the Tribunal. The parties were reminded of these issues at the hearings, and the need to finalise the matter in a just, quick, and cheap manner.

Applicant’s Written Evidence

28. The applicant tendered a number of documents as evidence in support of his application. These mainly took the form of written submissions attaching primary documents issued by the respondent as evidence of the arguments that the applicant was putting forth.

29. The formal written evidence of the applicant comprised:

• Application for review dated 29 April 2016 filed 2 May 2016 with a series of grounds – Exhibit ‘A 1’.

• Signed 16 page statement of the applicant dated 28 August 2016 attaching 14 ‘attachments’/annexures of evidence – Exhibit ‘A 2’.

• Signed statement/submission by the applicant (6 pages) dated 7 October 2016 - Exhibit ‘A 3’.

• Signed statement/submission by the applicant (8 pages) dated 6 January 2017 – Exhibit ‘A 4’.

• Seven page statement by the applicant dated 10 May 2017 referencing evidence of the respondent and the Privacy Commissioner – Exhibit ‘A5’.

30. Other material was before the Tribunal as referred to at [15] (above) including detailed written submissions. These were additional to the evidence outlined above and comprised material dated 8 August 2017 (Final Submissions including a response to new material from the respondent), and 20 October 2017 being further final submissions and response to further material filed by the respondent.

Respondent’s Written Evidence

31. The formal written evidence of the respondent comprised:

• Statement of M. Iverach signed 4 November 2016 – Exhibit ‘R1’.

• Statement of L. Clark signed/filed 4 November 2016 – Exhibit ‘R2’.

• Supplementary Statement of L. Clark signed/filed 5 December 2016 – Exhibit ‘R3’.

• Supplementary Statement of M. Iverach signed 28 April 2017 including annexures – Exhibit ‘R4’.

• Submissions and evidence filed 23 September 2016 – Exhibit ‘R5’.

• ‘Business Rule’ (for disclosure of Opal information to law enforcement agencies under the PPIP Act dated September 2015 issued by TfNSW – Exhibit ‘R6’.

• Affidavit of L Clark affirmed 27 July 2017 (including annexures) – Exhibit ‘R7’.

32. The respondent filed four detailed sets of submissions and material (not referred to above). These were:

• Supplementary Submissions dated 5 December 2016;

• Submissions in reply dated 20 February 2017;

• Respondent’s Further Submissions dated 26 July 2017 (attaching transcript of hearing on 19 May 2017);

• Respondent’s submissions 18 August 2017.

33. A number of further bundles were tendered enclosing copies of cases referred to by the parties.

34. I note that the respondent having completed a review did not file documents under the provisions of s 58 of the Administrative Decisions Review Act 1997. This position seems somewhat inconsistent with the change from a review of conduct, (as referred to in s 55 of the PPIP Act prior to the enactment of the Civil and Administrative Tribunal Act 2013 and the repeal of the Administrative Decisions Tribunal Act 1997), to an administrative review of conduct. However, the general approach of respondent agencies in privacy reviews since the change of the legislation is to continue to file in some form the internal review, and then to file the evidence and material they seek to rely on in resisting the application through a hearing de-novo or fresh review (however limited to the scope of the original conduct under review).

35. I also observe consistent with the s 58 observations that the respondent agencies in practice do not file the material which has been gathered in the internal review process and material which substantiates the conclusion of that review. It may be that nothing of any significance turns on this point however I note that due to the lack of any significant documented material available pre-hearing (other than Exhibits R5 and R7) by the respondent, the Tribunal was required to give leave for the respondent to adduce further evidence to substantiate their position at the conclusion of the first day of hearing. However I note that the provisions of s 58 of the Administrative Decisions Review Act 1997 remain in force.

58 Duty of administrator to lodge material documents with Tribunal where decision reviewed

(1) An administrator whose administratively reviewable decision is the subject of an application for review to the Tribunal must, within 28 days after receiving notice of the application, lodge with the Tribunal:

(a) a copy of any statement of reasons given to the applicant under section 49 (or, if no such statement was given to the applicant, a statement of reasons setting out the matters referred to in section 49 (3)), and

(a1) a copy of any statement of reasons for a decision in an internal review conducted in respect of the administratively reviewable decision, and

(b) a copy of every document or part of a document that is in the possession, or under the control, of the administrator that the administrator considers to be relevant to the determination of the application by the Tribunal.

36. In addition to the parties at various times during the proceedings the Privacy Commissioner exercised their right to appear and be heard in the proceedings. [See Section 55 (6) as per [18] above]. The Privacy Commissioner initially advised in October 2016 that she would not be taking part in the proceedings (due to the applicant relying on public statements of the Commissioner to support his case). In February 2017 and April 2017 the Privacy Commissioner responded positively to the Tribunal’s request for comment on the statutory provisions examined at hearing and provided written material by way of submissions. In addition a representative of the Privacy Commissioner appeared at the final hearing date.

Evidence at Hearing

37. The applicant did not give evidence at the hearing and this position was consistent with the argument put forth concerning a contravention of s 8 of the PPIP Act.

8 Collection of personal information for lawful purposes

(1) A public sector agency must not collect personal information unless:

(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and

(b) the collection of the information is reasonably necessary for that purpose.

(2) A public sector agency must not collect personal information by any unlawful means.

(Emphasis added)

38. In opening submissions at hearing the applicant stated that due to having a registered Opal Gold Card, he has standing to run the privacy grievance in accordance with Part 5 of the PPIP Act. The fact that he has applied for and received a card means that the collection of the information has occurred, and that information is put to a use once the card is used. The applicant submitted that the respondent had ‘misunderstood’ his privacy grievance.

39. The applicant submitted that the design of the Gold Card could have been done in a better way in order to include the notion of privacy by design. In respect of the ‘reasonably necessary’ argument the applicant submitted that the respondent had failed to rebut his complaint and in the review had failed to show how they had complied with s 8 (1) (b) of the PPIP Act.

40. In opening submissions the respondent submitted that a question for the Tribunal was whether travel movement data constituted personal information. The issue becomes one whereby ‘personal information’ is the pre-condition for all of the IPP’s and as such it becomes a precondition for the s 8 (1) (b) ‘reasonably necessary’ prong. The respondent submitted that it was not personal information. Reliance was placed on the case of WL v Randwick City Council (No 2) [2010] NSWADT 84 at [33] in respect of the timing as to when data becomes personal information.

33   When taken the photographs were digitally recorded in the camera Mr Kerr used. These photographic images on the camera did not identify the street location of the unit. However, in my opinion it would be incorrect to find that this was the moment in time when this information was ‘collected’ by the Council and this is the relevant point in time to determine if the information is ‘personal information’.

41. Reference was also made to the decision in Office of Finance and Services v APV and APW [2014] NSWCATAP 88 at [54]-[70] concerning an analysis of the meaning of the term personal information under the PPIP Act.

Definition of 'personal information'

54. We have concluded that, depending on the circumstances, sources of information other than the information or opinion which contains the personal information, may be consulted to ascertain the person's identity. That conclusion is based on the natural and ordinary meaning of the text. It is also supported by the beneficial purpose of the legislation and the legislative scheme in general.

55. The task of statutory construction must begin and end with a consideration of the text itself but that text must be considered in context. The context includes the legislative history and extrinsic materials, but that information "cannot displace the meaning of the statutory text": Federal Commissioner of Taxation v Consolidated Media Holdings Ltd [2012] HCA 55 at [39]; [2012] HCA 55; (2012) 87 ALJR 98 at 107 [39] French CJ, Hayne, Crennan, Bell and Gageler JJ. The starting point when construing a statutory provision is the natural and ordinary meaning of the words: Cooper Brookes (Wollongong) Pty Ltd v Commissioner of Taxation [1981] HCA 26; (1981) 147 CLR 297 at 305, 320-321.

56. The definition of personal information states that the information is about an individual "whose identity is apparent or can reasonably be ascertained from the information or opinion." Those words do not mean that other material cannot be consulted. That is obvious from the fact that there are two ways in which information or an opinion may disclose a person's identity. Either the identity is "apparent" from the information or it "can reasonably be ascertained" from that information. The dictionary definition of the adjective "apparent" is "capable of being clearly perceived or understood; plain or clear." (Macquarie Dictionary online). The verb "ascertain" means "to find out by trial, examination, or experiment, so as to know as certain; determine." (Macquarie Dictionary online). By including the option that a person's identity can "reasonably be ascertained" from the information, the legislature was intending to allow a person to find out or determine the identity of the person from the information and, where reasonably identifiable from other information, from that other information.

57. That construction is supported by the beneficial purpose of the PPIP Act. An interpretation that would promote that purpose is to be preferred to a construction that would not promote it, but the purpose cannot override the clear words in the statute: Interpretation Act 1987 (NSW), s 33.

58. The primary focus or purpose of the legislation is to protect the privacy interests of persons about whom public sector agencies collect information: Director General, Department of Education and Training v MT (2006) 67 NSWLR 237; [2006] NSWCA 270 (29 September 2006) Spigelman CJ (with whom Ipp JA and Hunt AJA agreed) at [29]. Because the PPIP Act is beneficial legislation, it must be interpreted liberally to achieve its beneficial purpose: [49]-[50].

59. We acknowledge, as Spigelman CJ has pointed out, that:

That does not mean that it must be interpreted in such a way that whatever may be regarded as improving its enforcement must fall within the intention of the legislature: While the PPIP Act is beneficial legislation because it is designed to protect an individual's personal information, not every provision has a beneficial purpose or is to be construed beneficially: ADCO Constructions Pty Ltd v Goudappel [2014] HCA 18, French CJ, Crennan, Kiefel and Keane JJ at [29].

60. The case of Director General, Department of Education and Training v MT did not relate to the meaning of "personal information" but to whether a public sector agency is liable for the conduct of its employees which had nothing to do with that employee's employment. The Chief Justice's conclusions were made in the context of deciding that the public sector agency was not liable for the employee's conduct. The circumstances of this case do not are different because the definition of personal information is a provision which should be construed beneficially. This is a case where the narrow interpretation put forward by the Office of Finance and Services would defeat the beneficial purpose of the legislation: Khoury v Government Insurance Office of NSW (1984) 165 CLR 621 at 638 per Mason, Brennan, Deane and Dawson JJ.

61. The other parts of the definition of "personal information" also support our view. Section 4(3)(b) states that:

Personal information does not include any of the following:

(b) information about an individual that is contained in a publicly available publication

62. The Office of Finance and Services assumed that the information on the NSW government's tendering website is in a "publicly available publication" and submitted that it would defeat the purpose of the exception in s 4(3)(b) if regard were to be had to such information in determining a person's identity.

63. The Tribunal did not need to make a finding about whether the information on the NSW tendering website, linking APV's and APW's address with their names, was information in a "publicly available publication". If that information is a "publicly available publication" the information that APV and APW were the successful tenderers for the property and that they live at that address, is not personal information. But the other information in the Conservation Management Plan and the Schedule of Repair Works, including photographs of the interior of their home, the floor plan and interior design features, was not available on the website and is therefore not excluded from the definition of "personal information" by s 4(3)(b). That conclusion does not have the effect of defeating the purpose of the exception in s 4(3)(b).

64. The extent to which other information may be consulted to ascertain a person's identity depends on the context in which it is collected, used or disclosed. Various contexts have been considered in previous cases.

65. In Re Pfizer and Department of Health, Housing and Community Services (1993) 30 ALD 25 647, [80] the Administrative Appeals Tribunal interpreted the former definition of "personal information" in s 6 of the Privacy Act 1988 (Cth) on which the definition in the PPIP Act was based. The AAT held that that "if the identity is apparent or can be reasonably ascertained from a telephone number or other material, then such material would fall within the section."

66. The Administrative Appeals Tribunal has given detailed consideration to the equivalent definition of "personal information" in s 4(1) of the Freedom of Information Act 1982 (Cth) (FOI Act) (Cth): Re Lobo and Department of Immigration and Citizenship [2011] AATA 705; (2011) 124 ALD 238 at [287] - [302]. One issue in that case was whether certain information was exempt from disclosure under s 41(1) the FOI Act (Cth) because it would involve the unreasonable disclosure of "personal information" about any person. Forgie DP concluded at [300] and [301] that if access is given to the document, it becomes part of the information that is available to the public. The Deputy President went on to say that:

If the identity of an individual is apparent or can reasonably be ascertained by reading both the information in the document and that which is already available in the public arena, the "information or opinion" in the requested document is no less the "source or origin" of the identification. It is the source or origin of information that gains its meaning from the context in which it is disclosed. As the definition of "personal information" requires that an individual's identity is apparent or can reasonably be ascertained from the information or opinion, the context in which that is ascertained must also be defined by reference to the information that is apparent in the public arena or can reasonably be ascertained from it.

67. Deputy President Forgie then mentioned some examples:

If, for example, information in the wider context were only available from a private source, that would not be in the public arena and could not be used to decide whether the information enabled the identity of an individual to be identified as required by the definition of "personal information". If that information were in the public arena but could only be obtained after complicated and tedious searches, that would be a factor in determining whether the individual's identity "can reasonably be ascertained" (emphasis added) from the information or opinion.

68. The following year Forgie DP re-iterated and summarised her views: Re Denehy and Superannuation Complaints Tribunal [2012] AATA 608; (2012) 131 ALD 413 at [26]. We note that the definition of "personal Information" in the Privacy Act 1988 (Cth) has been amended. As from 12 March 2014 the relevant part of the definition has been:

"personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

69. Similar recommendations by the NSW Law Reform Commission have not led to any legislative amendment to the PPIP Act: NSW Law Reform Commission, "Access to Personal Information" (Report 126).

70. While the AAT decisions relate to the operation of the definition of "personal information" in an exemption to the FOI Act, the Appeal Panel of the Administrative Decisions Tribunal has used similar reasoning in relation to the PPIP Act. One issue for consideration in WL v Randwick City Council [2007] NSWADTAP 58 was whether photographs of the inside of a home unit taken by Mr Kerr, a compliance officer employed by the Council, was "personal information" about the owner. The Appeal Panel held at [15] - [16] that:

15 Documents which themselves do not contain any obvious features identifying an individual may take on the quality by virtue of the context to which they belong. We accept that the photographs of building works, without more, might not reasonably be said to contain 'information ... about an individual whose identity is apparent or can reasonably be ascertained from the information'. However, if the photographs were taken in circumstances where the identity of the owner of the property was known to the photographer, it might at least be arguable that the photographer (and the organisation to which he or she belonged) knew that the photographs recorded the condition of a property owned by a specific individual. This combination of factors might produce the conclusion that the information as a whole was information to which s 4(1) applied.

16 Even if Mr Kerr did not know at the time who owned the property, he quickly proceeded to obtain that information from the Council files, in order to take the enforcement steps. It is strongly arguable that by this point the photographs formed part of a body of information which amounted to 'information ... about an individual whose identity is apparent or can reasonably be ascertained from the information'.

42. The respondent submitted that the collection of travel movement information (by itself) does not constitute personal information. Reference was made at hearing to the initial written submissions of the respondent filed 23 September 2016. Paragraphs 71-75 of those submissions addressed the collection and use of Opal data. The submissions stated the respondent does not collect personal information concerning the applicant’s travel history directly from him. Instead the respondent collects information from a number of differing sources which if combined can identify the travel history of an Opal card user.

43. The relevant submissions went on to state that:

73. Personal information collected as part of the application for a Gold Opal card is stored in a dedicated database which is compliant with applicable safety and security standards. Information held in this databases (“PAS Database”) is subject to data retention and disposal policy for Opal data.

74. Travel data collected from Opal readers at train stations and on buses and ferries and stored on a separate database within a data centre, managed by a contracted third party, Cubic Transportation Systems Australia (“Opal Database”)….

75. The Opal Database records each transaction involving an Opal card. Each transaction record contains information such as the card number, time, date and location of the tap on or off, the mode of transport, the value of the journey and any discounts applied. The Opal Database does not contain links to the personal information in the PAS Database and cannot link the Opal card used to the person issued with the card without access to the PAS Database.

76. The information collected from the Opal readers is not collected in real time and “live tracking” cannot be performed.

77. TfNSW does not routinely link these data sets. Data matching may be performed in the event that a customer seeks information regarding his or her own travel history or specific information is required by law to be given (for example, to law enforcement agencies). Auditable records are generated when the matching process is undertaken and access is limited to staff with a relevant function necessitating the data linking.

78. Customers who have registered on Opal.com.au may access their own travel history through the website. The functionality of the site links the information in the PAS Database to the travel history in the Opal Database.

44. I observe as a preliminary point that the submission made by the respondent in paragraph 78 of the September 2016 submissions appears to contemplate a functionality whereby the link becomes seamless and the types of information (if defined separately as personal/non-personal) become fused as what could only be described as personal information. However at this stage this is merely a preliminary observation.

45. The respondent made a number of background submissions concerning the Opal card, namely that the card itself contained a ‘smart chip’ which stored a dollar value and limited travel history and some code ensuring that the correct fare is charged. The respondent submitted that the limited travel history concerns the last 5-7 tap on/off events only.

46. Submissions were also made concerning the terms and conditions of use of the Gold Opal card and at paragraph 22 of their September 2016 submissions the respondent advised that:

22… TfNSW regularly revalidates eligibility with the concession entitlement issuer. This is done automatically through a bulk, online verification process. Where the process identifies that the individual is no longer entitled to the concession, the individual is notified and the Gold Opal card can be remotely cancelled. It is therefore necessary to identify the specific Gold Opal card issued to each individual concession holder.

47. Presumably this data matching of personal information occurs under the provisions of s 23(4) or (5)(d)(i) of the PPIP Act (protection of public revenue) or some other provision not articulated in the hearing. That section provides:

23 Exemptions relating to law enforcement and related matters

…

(4) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary for law enforcement purposes or for the protection of the public revenue.

(5) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 18 if the disclosure of the information concerned:

…

(d) is reasonably necessary:

(i) for the protection of the public revenue,

…

48. Various other submissions were made as to the basis that the registration of the Opal Gold card was reasonably necessary in order to deal with and otherwise mange fraud and loss. Resource statistics were asserted concerning 300 enforcement officers not being practical to cover the entire network or cost effective. Following discussion and direction by the Tribunal it was agreed that the respondent would put on evidence to substantiate some of these submitted arguments concerning the issue where the linking of the registration data was reasonably necessary.

49. The applicant raised a concern with one aspect of the respondent’s submissions whereby they made reference at paragraph 15 to relevant Regulations (since repealed).

Passenger Transport Regulation 2007 (Repealed)

69 Definitions

In this Part:

…

concession ticket means a ticket intended to provide free travel, or travel at a reduced fare, on a public passenger vehicle or train.

….

Part 6 Division 4 Clause 77C

77C Concession tickets

(1) A person must not travel, or attempt to travel, on a public passenger vehicle or train on the authority of a concession ticket unless the person is entitled to the concession ticket.

Maximum penalty: 5 penalty units.

50. It was submitted that these matters were a statement of fact and at no time was the applicant trying to argue that he was free to travel without a ticket or absent the entitlement to the concession.

51. The applicant returned to his ongoing submission that collection is not reasonably necessary and that:

TfNSW has stubbornly refused to factor the issue into their design of the system.

52. The hearing was adjourned in order for the respondent to put on further evidence and the parties to prepare arguments and submissions about that evidence.

53. Prior to considering the evidence of reasonable necessity (or whether the collection was reasonably necessary), it appears appropriate to now address the issue of whether the information is personal information.

Consideration of personal information threshold

54. The applicant argues that the information in question is personal information. The respondent (after initially conceding at review stage) that there was no controversy concerning the personal information issue, during the progress of the hearing developed significant and at times evolving arguments as to how the information in question was not personal information within the definition of the PPIP Act. The relevant part of the definition is produced at [9] (above). The central provisions being s 4 (1) of the PPIP Act:

(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

Applicant’s personal information collection grievance

55. The applicant’s argument concerns the collection of personal information. In many ways it is a quite straightforward argument. The applicant objects to the collection of personal information for the purpose of

‘verifying entitlement through data-matching’ (Internal review request 3 February 2016).

‘It is the mandatory provision of personal information for the purpose of registering the card (i.e linking the particular card to my personal particulars) to which I object, and which I submit is a breach of section 8 of the PPIP Act because it is not ‘necessary’. (Internal review application supplemental information 13/6/2016).

‘It is the routine and automatic collection of travel movement information about identifiable individuals which I allege is a breach of IPP 1 / Section 8 (1) (b) in respect of all Opal Gold card holders using their card, because of the mandatory registration of Opal Gold Card holders. (submissions 28 August 2016 Pg 2 paragraph 5)

Applicant’s personal information collection non-grievance

56. The applicant goes on to state that the collection of personal information for two other purposes does not concern him. That is for policing the use of the card on public transport and applying for the card and establishing entitlement.

‘I have no objection to providing personal information, either at the point of acquiring a card or while it is in use, in order to verify my entitlement to a concession card.’ (Internal review application supplemental information 13/6/2016).

57. The respondent seems to have considered this grievance more akin to a use of personal information rather than a collection. These proceedings (as stated many times during the hearing) only concern the collection of personal information. The applicant does not agitate the use principle or to the extent that the respondent believes that he does or must, the applicant abandons any such right.

58. IPP 1 / s8 of the PPIP Act does, in my view, link to the ‘active’ IPP’s (such as use, disclosure, access etc.) due to the presence of the following emphasised words in the section.

8 Collection of personal information for lawful purposes

(1) A public sector agency must not collect personal information unless:

(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and

(b) the collection of the information is reasonably necessary for that purpose.

(2) A public sector agency must not collect personal information by any unlawful means.

(Emphasis added)

59. I note that many of the respondent’s submissions throughout the three days of hearing and the written material focused on this issue of personal information and submitted that the information was sufficiently removed from the definition of personal information (as supported by the cited cases). However in my view, when one looks to the totality of the complaint, and the fact that it concerns a grievance about the collection of personal information for a purpose that goes beyond the matters raised in the evidence (verification of entitlement and enforcement), then the majority of the respondent’s preliminary arguments fall away.

Does the grievance concern personal information

60. I note that the respondent provides the following evidence in respect of the type of information collected from relevant customers. At paragraph 5 of Exhibit ‘R2’ the following is stated:

5. When applying for the Gold Opal card NSW Senior applicants are notified that their personal information is collected and Transport for NSW will need to access the database of their concession card issuers to verify the details provided with their application.

6. To complete the application, the customer must provide their NSW Seniors Entitlement Card number, First Name, Last Name and Date of Birth. The applicant must consent to this information being verified with their concession entitlement issuer.

7. During the application process, applicants must also create a profile, enabling them to utilise features such as auto top up and to allow us to post a card to their nominated address. Any personal details provided by the applicant during the creation of the profile are not verified and may be completed using a pseudonym.

(Emphasis added)

61. In respect of creating an Opal account, personal information is collected which is not validated and is not required to be consistent with the name of the applicant for a Gold Opal card. The respondent requires the address to be accurate however, as this is the address that the card is posted to. All of this information also constitutes personal information under the PPIP Act. At the time of creating an Opal account the respondent collects:

• An account holder’s full name;

• Account holder’s address; and

• Email address or phone number

(paragraph 4 Exhibit ‘R7’)

62. It is difficult to see how, on the applicant’s construction of his grievance/complaint, the information that he objects to the collection of, is anything other than his personal information. The tracking information concerns a card that is registered to the applicant. It appears to me that the arguments concerning tracking and movement surveillance are easily understood. Whether those arguments are legally founded remains to be seen. However the applicant’s concerns appear to be based at a far more primary level, in that he objects to the collection of his personal information for a future use/additional purpose (travel movements). The objection is that in his view, such a collection is not reasonably necessary for the purpose of managing ongoing entitlement.

63. The applicant’s argument as I understand it concerns the mandatory provision of personal information when registering/activating the card, after having already been allocated a card through vetting for eligibility. This collection of information allows for the separate purpose of the applicant’s travel movements, due to the functionality of the registered card. In the evidence of the respondent’s witness at hearing it was conceded that there was a staged process to fraud/loss prevention prior to the introduction of the Gold Opal card. This involved removing ‘vending machine based’ purchases, and eventually the removal of paper based tickets. Once the card was introduced a different staged process occurred involving a process of: application, verification, allocation and registration (including activation).

64. It could be described that the first Opal process was to limit availability of the Gold Opal Card to those entitled to be allocated one. This was done by collecting certain personal information from an individual who ‘applies’ for a Gold Opal card in order to ascertain that they qualify for the card and then sending the card to the individual. However the second phase, requiring a user to ‘activate’ the card by ‘registering it’ through a website in order for the card to be active and capable of use, is part of the point of contention.

65. There are a great number of cases which deal with personal information over the 20 years of privacy cases under the PPIP Act. As stated, it appears from a proper understanding of the applicant’s grievance that the issue is quite straightforward, however I will review some of the cases that the parties put forth to argue their opposing positions.

66. The applicant made submissions concerning the case of CRP v Department of Family and Community Services [2017] NSWCATAD 164. In that case I observed the following concerning whether information about a person’s place of employment was personal information at [72]-[75].

72. In deciding whether the work address was personal information the Tribunal is guided by the cases referring to the correct approach to this question.

73. The case of EG v Commissioner of Police, NSW Police Service [2003] NSWADT 150 made the following observations at paragraph 24:

24. I accept the Privacy Commissioner's submission that since the PPIP Act is beneficial legislation, s 4(1) should be interpreted broadly and the exclusions from the definition of personal information should be construed narrowly. I also accept the Privacy Commissioner's submission that meaning is gleaned from both the content and the context in which information or an opinion appears. This was recognised by President O'Connor in Y v Director General, Department of Education & Training [2001] NSWADT 149 when considering the exception in s 4(3)(j):

The test ... must in each case be whether having regard to the content of the information in issue and the context in which it is found it can reasonably be said to be `about an individual's suitability for appointment or employment."

74. The case of JD v New South Wales Medical Board [2008] NSWADT 67 provides authority that the Tribunal should not adopt an overly technical approach to this question. At paragraph 24 the following observation was made:

24 In my opinion Parliament did not intent that an overly technical approach be taken when considering whether particular information was or was not ‘personal information’ or ‘health information’. The information should be viewed in its proper context and not necessarily dissected into parts or analysed in detail word for word.

75. In my view the information is about an individual in that the information was both requested and provided in a context solely concerning the applicant. His identity was apparent in that context. Whilst the information concerned the applicant’s work address, as distinguished from the recent Federal Court case of Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 in that whilst the information was about the applicant and his work address, it never ceased to be information of this kind. In the Telstra case whilst the broad request might have related to an individual, the technical aspects of the request (seeking his specific call data) and the resultant data sought resulted in the response data being information about billing, calls and location data, not information about the caller as an individual. In the current matter the information (even if argued as not being personal information strictly) always retained the identity by name of the applicant in both the request and the holdings from which the response was obtained.

76. Importantly from the Telstra case the full Federal Court found at paragraph 63 that:

63.The words “about an individual” direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not “about an individual” it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

67. It would appear from the information before the Tribunal that the information collected under section 8 was clearly about CNS, and it would also appear (from the evidence given about travel history etc. during the hearing) that the tapping on and off at various locations was information about CNS, as his identity could be ascertained both by combining it with other information (in respect of the respondent seeking a travel history for law enforcement purposes or customer queries), or the customer checking their own travel history seamlessly. In addition (noting the Telstra case) for all relevant purposes, especially concerning a mandatorily registered Gold Opal card, the travel information was more about CNS than about the card. There was no purpose attached to the card information (unique to its requirement for registration) that was not about CNS.

68. Whilst it is true that the respondent aggregates travel data for planning and other related issues, this is true of all cards, registered or otherwise. On this basis the baseline aggregated Opal travel information attaches to all cards. However, the applicant’s card (by being registered) brought that information into the realm of personal information whereby it was not just the number of persons who passed through a transport hub on a certain day etc. It also provided information (where capable of being identified – by the linking to the registered user) which showed the details of the individuals who passed through that hub.

69. The aggregation of the ‘de-identified’ data for transport planning/demographic or similar purposes is not in issue in these proceedings. The applicant raises the issue that he should be able to travel anonymously on a Gold Opal card from an electronic use perspective (the tapping on and off). I note from the evidence in the proceedings that the ‘history of a card also shows where and when the card was topped up and the dollar value. Why this information has been built into the system was not advanced during the hearing. The respondent says that that option is open to him, but only if he obtains an unregistered adult Opal (full fare) card.

70. I note that evidence was given that unregistered users (adult full fare Opal cards and children) can check their own travel history (in respect of the most recent suite of transactions). This history includes when/where they ‘tapped’ on and off and the dollar value of top ups. This adds to my view that this information constitutes personal information of the relevant individual – and in these proceedings, the personal information of CNS.

71. Following on from the Telstra case the Australian Privacy Commissioner issued a Guide in May 2017 concerning what constitutes personal information. That Guide was issued in conjunction with the relevant Guideline under the Privacy Act 1988 (Cth)

“Information is ‘about’ an individual where there is a connection between the information and the individual. This is ultimately a question of fact, and will depend on the context and the circumstances of each particular case.

…

Information will also be ‘about’ someone where it reveals or conveys something about them - even where the person may not, at first, appear to be a subject matter of the information”.

72. More recently in the case of AIN v Medical Council of New South Wales [2017] NSWCATAP 23 the NCAT Appeal panel considered whether letters written by another containing information on the applicant, were the applicant’s personal information. At paragraph 112 the Appeal panel stated:

We accept that the definition of personal information is very broad: ABA v Randwick City Council [2007] NSWADTAP 58 at [20]; OS v Mudgee Shire Council [2009] NSWADT 315 at [19]. However, we agree with the Medical Council that none of the information referred to is personal information within the meaning of the PPIP Act. The information supplied in the first two categories consisted of contentions by the Medical Council as to what it had done in response to AIN’s complaint about the Contravening Publication and as to its responsibility for what had occurred. The apology, the third category of information relied upon, was information about the Medical Council’s stance in relation to AIN’s complaint. All of that information was information about the Medical Council’s response and stance in relation to AIN’s complaint. Clearly, AIN was very interested in this reaction from the Medical Council, but it was not information ‘about’ AIN.

73. In AIN the information was about the medical Council’s response, not AIN. In my view that finding does not detract from the applicant’s arguments concerning personal information.

74. The respondent relied on the case of DAB v Byron Shire Council [2017] NSWCATAD 104 to argue that the travel information was not personal information of the applicant. However the facts in DAB were significantly different to the current matter. A vehicle registration number was briefly transmitted by a parking meter to a server overseas so as to check whether that number was on a list of parking exemption numbers. Neither the meter nor the server held records that the number check had occurred. In the absence of any record there was no way in which it was possible to link the meter information with the owner’s details and specific particulars held locally by the Council.

75. It would appear that the information that the respondent collected from the applicant when he applied for his Gold Opal card was personal information within the meaning of the PPIP Act. The information is his name, date of birth and address. Paragraph 6 of Exhibit ‘R2’ states the following:

6. Personal information is collected directly from individuals or their authorised representative. This information is provided by the customer through the Opal web portal or over the phone when applying for a concession Opal card.

76. The affidavit goes on to make a number of other observations about the collection of information, and the systems operated by or authorised by the respondent. At paragraphs 7 - 13 Mr Clark states:

7. The personal information is kept in a separate database to the transaction data and is only connected for a legitimate purpose, such as a request from the customer.

TRANSACTION DATA

Core Central System (CCS)

8. The CCS contains two separate databases which record interactions between ant ETS device and a smartcard (Opal). These are the Transaction Database and the Card Database.

9. Where an Opal card is processed by a smartcard reader, such as an Opal reader located on a bus, barrier gate or dedicated pole, this information is processed and recoded in the Transaction Database.

10. The Transaction Database is managed and controlled by Cubic Transportation System (Cubic) on behalf of TfNSW.

11. The information that is recorded for each tap on or off transaction includes:

• Opal card number

• Date / Time of transaction

• Location

• Mode of transport

• Type of Opal card used

• Journey cost

• Transaction sequence number

12. The second database in the CCS is the Card Database. This database contains the relevant information about [sic] the state of each Opal Card based on the transaction data processed. This includes:

• Opal card number

• Card balance

• Card status

• Top up status

• Auto load settings.

13. The two databases operate together to ensure that proper payment is made for each journey undertaken on public transport on the Opal network.

77. I observe that the card number and particulars relating to the actual card (as issued) are held on the second database in the CSS system. I also observe that the first item on both the first database (The Transaction Database) and the second database (the Card Database) is the actual Opal Card number.

78. It would appear that this item of information is the link between the two databases which opens up the issues of contention to the applicant.

79. The affidavit of Mr Clark (Exhibit ‘R2’) goes on to state the following concerning the customer information which is referred to as ‘personal information’. It refers to two further subsets of databases in a further system. At paragraphs 14 - 16 the following is deposed:

CUSTOMER PROVIDED INFORMATION

14. The personal information that is collected from the customer through the customer channels when applying for a concession Opal Card is stored in the Customer Support System. The information from customers is separated into two databases. The first is the Entitlement Management Database, which contains entitlement issuers (such as Universities and the Commonwealth Department of Human Services). The second is the Customer Database, which contains the Opal account information.

15. The Entitlement Management database is responsible for maintaining the relationship of entitlement validity between the ETS and the systems used to validate entitlements. This includes:

• Entitlement issuer identifier (An entity with authority to approve free or Concession travel for customers)

• Entitlement unique identifier

• Entitlement holder details:

- Entitlement holder name

- Entitlement holder date of birth

- Delivery address for card

• Entitlement expiry date

• Opal Card Number

16. The Customer Database contains information provided by the applicant when establishing an Opal account. This information is displayed to the customer via the Opal.com.au portal and smart phone apps. The information is not verified and can be updated and deleted by the customer at any time.

NSW Privacy Commissioner’s Submissions on ‘personal information’

80. The Privacy Commissioner made submissions concerning the personal information threshold. The Privacy Commissioner submitted in April 2017 that:

…the creation of the travel history information has one purpose: to identify the registered card holders. This makes the travel history to be information about the individual, even when interpreting the definition of personal information restrictively, namely capturing the biographical data.

The Privacy Commissioner noted that this issue was only raised by the respondent after the Telstra case was decided.

The agency introduced the question of whether the travel history information is ‘about’ the registered card users recently in this case and referred to the Federal Court’s judgment.

81. The Privacy Commissioner referred to a number of overseas cases and International law/policies to make the point that the travel information is personal information. The Privacy Commissioner observed in submissions that:

The registered card holder’s travel history data is about them even on the restrictive approach to the definition, which says the data must be biographical about the person.

The major judgments from the UK that discuss the restrictive approach are Durant v Financial Services Authority [2003] EWCA Civ 1746 and Edem v The Information Commissioner, The Financial Services Authority [2014] EWCA Civ 92.

Paragraph 28 of the Durant judgment says that there are two aspects: information may be biographical of the person or the information may have the person as its focus. It also says that the issue is about a continuum of relevance or proximity to the person.

This is consistent with the question that the Tribunal asked in MR Grubb’s (Telstra) case.

The UK Information Commissioner’s guidance, issued after the Durant case contains the following example of what is personal information at page 3:

‘Another example would be the details of a car photographed by a speed camera where those details are used to direct a notice of intention to prosecute to the registered keeper of the vehicle.”

The photograph cannot be said to be about the car. It is about the person. Similarly, travel history of registered card users is not about the card or the way the system works. It is about the person. The agency’s submission at paragraph 13 (20/2/2017) says:

‘Rather it is information the subject of which is an Opal card that is in the possession of a particular individual.’

This submission does not persuade. The agency uses data its system collects from registered Opal cards to aggregate with other information for billing purposes or disputes or enforcements. It also assist police to provide proof of biological information about users, namely their travel history. The card travel history data next to the other data the agency holds identify the registered card holder.

…

The network data in Mr Grubb’s case may well have been far along the continuum of relevance and proximity, so that they do not trigger the privacy right, but travel history information is especially close and relevant.

82. The Privacy Commissioner also referred to their Guidelines/Fact Sheet published in January 2017 issued under the Commissioner’s functions under s 36 (2) (b) of the PPIP Act. Those guidelines make the following ‘Key Points’:

A person’s identity can be apparent or ascertained even if they are not directly named.

The test is whether identification is possible by any person (or machine) other than the subject themselves.

The surrounding context, and other available information sources, can enable a person’s identity to become apparent or ascertainable from the information or opinion, if no more than moderate steps are required to combine the data sources.

If information has been de-identified to the point where re-identification is not possible, it is no longer ‘personal information’.

…

(Fact Sheet: Reasonably Ascertainable identity January 2017 FS 2017/001)

83. In submissions dated 2 February 2017 the Privacy Commissioner submitted the following:

The fact that the agency stores the information in question in separate databases does not take away the agency ability to bring the data together as it may choose or as it may be required and therefore aggregate it.

Separate storage is more an indication that the agency has recognised its privacy and security obligations because the information is “personal information”/ rather than the opposite.

(Emphasis added).

Findings on threshold issue

84. I have carefully considered all of the arguments of the parties (and the submission of the Privacy Commissioner) on this issue. All material has been considered even if not every case or matter has been referred to so far in these reasons. Some matters referred to above have been observed for the evidence and submissions even though they were not necessarily argued or otherwise focussed on at hearing. The ability of all Opal cards (registered or otherwise) to allow the seamless identification of the recent travel history through the respondent’s website is one such observation.

1. I make a finding consistent with the evidence as set out later in these reasons, and the submissions, arguments and consideration above, that the information provided by the applicant at the time of application and registration of the Gold Opal card is the applicant’s personal information.

2. I make a further finding that the travel history as recoded and accessible from the applicant’s registered Gold Opal card amongst other things (accessible from the card) meets the definition of personal information and is the personal information of the applicant.

Further evidence of respondent concerning the operation of the Opal card (the reasonably necessary argument).

85. The respondent provided two witnesses in the proceedings who both made signed statements/affidavits which were entered into evidence. The second day of hearing was entirely focussed on the evidence of one the witnesses Ms Iverach who gave evidence at the hearing.

86. Some of this evidence concerns both the ‘reasonably necessary’ argument and the ‘personal information’ argument. I have set out much of this evidence as I believe that it is relevant and provides a context for the necessary findings made in these reasons for decision.

Respondent’s witness

87. Melissa Iverach gave evidence at hearing for the respondent. Most of this witness’s evidence related to the reasonable necessity argument attaching to the registering of Opal Gold cards. Ms Iverach is the Principal Manager Security Revenue protection and Intelligence in the Service Delivery and Performance Branch within Transport for NSW. The witness adopted as true and correct her statements reviewed as Exhibits ‘R1’ and ‘R4’.

88. In cross-examination the witness was asked to clarify the reference in paragraph 17 of the respondent’s initial submissions concerning Opal Gold card eligibility. The witness stated that the Gold card can apply to pensioners, seniors, and some asylum seekers.

89. The witness was taken to the assertion in paragraph 25 of those submissions that there was significant risk of misuse that without the registration measures individuals would be able to obtain multiple cards which could be used by other, non-entitled individuals. When asked what figures support that assertion the witness advised that her ‘role was to ensure that the maximum number of passengers travel compliantly’.

90. The witness attested to the veracity of some of the assertions in the respondent’s written submissions, in particular those relating to the types and volume of ‘loss’ and related matters arising from the shift from paper to electronic ticketing. The witness accepted that the matters in the submissions were generalised statements concerning concession records.

91. The witness was asked to comment on one of the paragraphs of the submissions that she attested (No 29) concerning the 2013 restriction of concession tickets availability. (No longer available at vending machines – only available at a ticket window after presenting ‘proof of entitlement’). As a result of this change it was asserted that four million less concession tickets were sold and this resulted in $10 million in extra revenue. The witness was asked which percentage of the concession tickets referred to were Gold or Seniors card holders. The witness was unable to answer that question.

92. Questions were asked about paragraph 32 of the submissions concerning the linking of a card to an account and the ability to cancel the cards. The witness advised that Opal cards are valid for 9 years and for that reason it is vital that there is an ability to ‘cancel’ the cards. The witness drew an analogy with a lost credit card being a thing of value and the need to prevent the unauthorised use by a third party.

93. The applicant observed that the paragraphs of the submissions referring to loss and misuse and other related issues in some ways conflated two separate issues, being the ability of TfNSW to determine an individual’s eligibility when applying for a card, and the ability to do various things that arise from having the link between the person and the card. The witness agreed with this observation and noted that the results of the 2012 survey concerning the wide misuse of concession tickets was unexpected by the respondent. A decision was made that restricting access to concession tickets would result in individuals misusing them less.

94. The manner in which TfNSW verifies entitlement arises from a ‘data file’ being sent from the relevant institutions.

95. The Tribunal asked questions of the witness and sought to understand earlier evidence concerning the change from ticket sellers and vending machines, to ticket-sellers only (in respect of concession tickets). The witness agreed that the written evidence was only based on rail staff, not newsagents, bus drivers or other methods of face-to-face sale.

130. The respondent submitted at paragraph 5. Of 18 August 2017 submissions that:

5. As to consent, the respondent submits that the authorities establish that consent in law is voluntary where, as here, any pressure to obtain that concession eligibility information was not illegitimate but merely an inducement. (Reference was then made to TV Shopping Network).

133. Like my views expressed at paragraphs [129] and [130] the respondent seems to misunderstand that it is the reasonable necessity for the collection (for the allied purpose) that is in issue. There was no desire by the applicant to prevent the respondent from obtaining the concession eligibility information as it was given for that purpose. It is the collection for the further purpose that is the dispute.

134. As a result of the matters set out above I discount the respondent’s consent arguments and I so find.

Consideration of evidence

135. When looking at the equivalent provision under the Health Records Information Privacy Act 2002 (the HRIP Act) in ALZ v WorkCover NSW [2015] NSWCATAP 138 observed that In relation to HPP 1(1)(b), which requires that a collection of health information be “reasonably necessary for that purpose”, (similar to IPP 1) the Appeal Panel stated that:

51. What may be seen as ‘reasonably necessary’ falls towards the higher end of a continuum that might be seen as having ‘of some relevance’ at one end and ‘essential’ at the other end. In General Newspapers Pty Ltd v Telstra Corporation [1993] FCA 473; (1993) 117 ALR 629 at [38] Gummow J said (there considering the use of the term ‘necessary’ in a Commonwealth telecommunications law):

The term "necessary" will take its colour from its context; in ordinary usage it may mean, at one end of the scale, "indispensable" and at the other "useful" or "expedient": In re An Inquiry Under The Company Securities (Insider Dealing) Act 1985 (1988) AC 660 at 704.

136. The Appeal Panel also noted at paragraph 55 that:

55. In its statements at para [65], the Tribunal, as we see it, was simply alluding to the point that in an investigative context an item of information to which an investigator’s attention has been drawn may seem ‘reasonably necessary’ to be obtain based on what the investigator has been told about it, and then may turn out on receipt and closer examination to have none or limited value and relevance to the process. The standard laid down by HPP 1(1)(b) must, as we see it, be applied fairly and have regard to the uncertainties that will often surround the initial decision to collect information, especially in investigative contexts.

137. In the current case there seems little basis for the collection of the travel information for the stated purpose of enforcement/eligibility for the entitlement to the concession card.

138. The case of APV and APW v Department of Family and Community Services [2015] NSWCATAD 140 the Tribunal considered whether the collection of certain information was reasonably necessary for the relevant purpose. At paragraphs 42 – 49 the Tribunal observed and found:

Was the collection of the information was reasonably necessary for the purpose of the provision of conveyancing and related legal services to LHC?: s.8(1)(b)

42. The respondent submitted that a search of the DRIVES database was reasonably necessary, particularly in circumstances where, amongst other things, the bank guarantee suggested to Mr Hale that the applicants had middle names which, in his view (erroneously), needed to be included in the lease.

43. I accept that as the bank guarantee gave the applicants' full names Mr Hale was on notice of a possible discrepancy in the documentation relating to the transaction, and that the initial inquiries of Mr Jackson merely sought to resolve this apparent inconsistency.

44. Mr Hale’s evidence was that the searches were conducted so as to verify the Applicants' identities for the purpose of the certificate of correctness under s.117 of the RP Act. The RP Act requires the correct names of parties to a real property transaction. In contrast, the Registrar General’s Directions – at least the current version – requires the ‘full name of the lessee must be stated’. The Lease was subsequently registered without the inclusion of the Applicants' middle names, so it appears Mr Hale was mistaken in his belief that the inclusion of middle names in the Lease was required for the Lease to be in registrable form.

45. The applicants disputed the respondent’s claims about the apparent identity discrepancy, noting that the identity of APV had already been verified at the auction of the property, as was required in order to obtain the necessary bidder's card. The respondent observed though that identification would have been provided to the real estate agent at the auction for the purpose of preparing the bidders register, but it did not have access to that register. It is unknown if its client, LHC, had access to the register. Neither at the time of signing the Agreement for Lease, nor in the many months thereafter, were issues regarding the Applicants' identities raised until first, Ms Reid, and then, Mr Hale’s correspondence with the applicants’ solicitor, Mr Jackson commencing in April 2012.

46. I do not accept that the course of correspondence between Mr Hale, APW and Mr Jackson, demonstrates that the applicants resisted the requests to provide information verifying the identification as the respondent claimed, in circumstances where no time limit was specified for the response. It is unfortunate that the applicants’ - as distinct from their solicitor’s -correspondence, may have appeared to decline to co-operate until they had "received the courtesy of a written response from the Minister to all our correspondence and have had the chance to review the GIPA documents you will forward to us", in their broader dispute about the property.

47. Mr Hale regarded the applicant’s ‘refusal’ to provide information regarding their identities as unusual and which, in his view, warranted further investigation. Searches of publicly available sources of information had not resolved his concerns and, in fact, had highlighted further possible discrepancies which he considered warranted further investigation; and Mr Hale also had information that the applicants were using the address of the property for correspondence, which gave rise to concerns that there might be use of the property in a manner inconsistent with the requirements of the Agreement for Lease.

48. The respondent submitted that Mr Hale only took the "last resort" option of arranging a DRIVES search due to the persistent refusal of the applicants to provide this information directly. I do not agree. It was open to Mr Hale to press the applicants’ solicitor to provide the information, and in view of the short time since the information had been sought, should have adopted that course. To regard the DRIVES database as the ‘last resort’ was premature.

49. I find that Mr Hale’s search of DRIVES at that time was unnecessary for the purpose of providing conveyancing and related legal services. Consequently, in the absence of some other authorization to access the applicants’ personal information there was a breach of s.8 and s.9 of the PPIP Act.

139. The respondent referred to a number of cases supporting both the meaning and the obligation for reasonable necessity or the collection to be reasonably necessary for the stated purpose. Whilst Mulholland v Australian Electoral Commission [2004] HCA 41 deals with the meaning of the word necessary, these arguments do not in my view go to the real evidence adduced in these proceedings. The reasons for this are based on a consideration of the respondent’s evidence presented in the proceedings.

140. Consistently the respondent has argued that the Gold Opal card needs to be registered, so that they have the ability to cancel it, when appropriate due to user lack of eligibility or some other non-particularised misuse.

141. The respondent has never strongly submitted that it desires the travel history of the Gold Opal card holders, merely it would appear that this is a necessary attendant function intertwined with the technology and the system which the respondent enables and desires in order to monitor the eligibility of these cards.

142. In some ways the movement history function (linked to the user / applicant) as I have found, based on the arguments put forth in the proceedings is an unintended or unnecessary functionality that the respondent has no view about. Whilst the respondent clearly argued that travel history is useful to law enforcement situations (where authorised), significantly much of that travel history involves unregistered cards which cannot (via the Opal technology alone) be matched to any individuals.

143. The respondent refers to the case of Stanford v Roberts [1901] 1 Ch 440 at 44. Buckley J observes:

The second point is whether this is an alteration ‘reasonably necessary or proper’ to enable this property to be let. I understand ‘reasonably necessary or proper’ to mean something which, although not absolutely necessary, a reasonable or prudent owner of a property, if he were the absolute owner, would do. Mr Buckmaster says that tenants will be found if the floorboards are replaced from time to time. I agree that the new floor is not absolutely necessary, but in my opinion, it is what a reasonable and prudent owner would do if they were absolutely entitled to the property.

144. The respondent’s own submissions of 23 September 2016 (exhibit ‘R5’) at paragraph 47 contrast Stanford with the current facts in dispute. There the focus is on the collection of personal information at the time of application and registration solely for the purpose of ‘verifying eligibility and to determine ongoing eligibility of the applicant’. They submit that it is reasonable and prudent (reasonably necessary) for TfNSW to collect this information for this purpose. I observe again that this issue is not contentious to the applicant.

145. It is only the collection being extended to travel history that in the applicant’s view fails the ‘reasonably necessary’ test of s8 (1) (b). It may have been open to ventilate arguments concerning ‘top up’ amounts, and ‘top up’ locations (which provide some evidence as the geographical location of the card). Those arguments have not been explicitly advanced by the applicant, but are captured in the ‘objection to other uses’ argument of the applicant.

146. It appears that the transport movements data is a functional ‘by-catch’ of personal information necessitated by the design of the electronic ticketing system, and the apparent inability of the respondent to otherwise data-match concession holders to cards, in order to cancel them as and where necessary.

147. I note again that In relation to HPP 1(1)(b), which requires that a collection of health information be “reasonably necessary for that purpose”, in the same way as IPP 1, as the Appeal Panel observed in ALZ v WorkCover NSW [2015] NSWCATAP 138.

Health Privacy Principle 13

148. The respondent refers to the applicant’s submission on ‘anonymity’ as enlivened by HPP 13 of the HRIP Act. It is correct that the applicant has always and consistently argued for anonymous travel, and submitted that this was the NSW Government policy until the commencement of the roll-out/introduction of the Gold Opal card.

149. Whilst that HPP enlivens an anonymity argument and principle, as the applicant is a senior, and had not submitted any reason for the respondent to collect his health information (as if her were a disability pensioner for example), then it is difficult to see how from a legal perspective, the HPP is enlivened. That is because the matters do not appear to successfully traverse the threshold requirement for health information.

150. Health information is defined in the HRIP Act. Health information includes all aspects of personal information but is a particular type of personal information as further set out by the s 6 HRIP Act definition.

6 Definition of “health information”

In this Act, health information means:

(a) personal information that is information or an opinion about:

(i) the physical or mental health or a disability (at any time) of an individual, or

(ii) an individual’s express wishes about the future provision of health services to him or her, or

(iii) a health service provided, or to be provided, to an individual, or

(b) other personal information collected to provide, or in providing, a health service, or

(c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or

(d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or

(e) healthcare identifiers,

but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.

151. The long title of the PPIP Act provides an expanded rights regime for individuals in respect of privacy. From a jurisprudential perspective the general notion of and right to privacy would be more attuned to the issues at play in these proceedings rather than anonymity as referred to as a relevant right in HPP 13.

152. The long title of the PPIP Act provides:

An Act to provide for the protection of personal information, and for the protection of the privacy of individuals generally; to provide for the appointment of a Privacy Commissioner; to repeal the Privacy Committee Act 1975; and for other purposes.

(Emphasis added)

153. The applicant submitted that the HRIP Act can be read widely and that the arguments extend to all dealings with NSW public sector agencies. (Organisations are defined as public sector agencies in the HRIP Act). HPP 13 provides:

13 Anonymity

Wherever it is lawful and practicable, individuals must be given the opportunity to not identify themselves when entering into transactions with or receiving health services from an organisation.

154. I do not accept that the anonymity ‘principle’ applies strictly to ‘non-health information’. I observe that from a statutory construction perspective having regard to the statute as a whole, the words entering into transactions with or receiving health services should be read conjunctively in that both the transactions and receipt relate to health services requiring the precondition of ‘health information’.

Finding on HPP 13

155. I therefore find that HPP 13 does not strictly apply to these proceedings concerning this applicant’s personal information. The situation may be different if an applicant before this Tribunal running a similar case was a disability pensioner or sight impaired person.

Further consideration arising from consideration of ‘privacy rights’.

156. I have already observed the ‘health information’ element of the HRIP Act, which in my view is necessary to enliven any HPP. The HRIP Act is a ‘second generation’ privacy statute which (as of design and function) includes rights principles that go beyond the earlier statues such as the PPIP Act. In addition I note that the HRIP Act includes ‘objects’ provisions whereas, other than the long title, the PPIP Act does not contain objects.

157. The notion of being able to not identify oneself (unless necessary for some public interest purpose) is a cornerstone of privacy and data protection regimes. The relevant regimes contemplate the collection of limited information for a specific purpose (or identified purposes). All privacy statutes provide for consent, necessity, limitations, security, and other protections for personal information. Where the society decides that there are competing interests that should override those protections, then those societies approve exemptions, or other methods of obviating the requirements of privacy statutes. Usually this is done by legislation.

158. This has been a common approach from the late 20th Century onwards whereby statutes such as the PPIP Act are initially drafted to be subordinate to other law. Section 25 for example provides:

25 Exemptions where non-compliance is lawfully authorised or required

A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:

(a) the agency is lawfully authorised or required not to comply with the principle concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

159. In addition the privacy regimes contain bespoke and multifaceted ‘exemptions’, when the Parliament is asked to navigate a route around privacy requirements for law enforcement, safety and other ‘public interest’ grounds.

160. Part 2 Division 3 and Part 3 Division 1 of the PPIP Act all provide for departures from privacy requirements, both for obvious purposes (for example so police can effectively go about their core business), to less straight forward and obscure purposes. However these other purposes are part of the privacy ‘balance’ between individual protections and societal protections. In my view such matters are clearly ones which on balance are adjudged to be of sufficient merit. These ‘departures’ are an ongoing source of debate between privacy advocates, policy makers, and arms of government engaged in service delivery and program implementation. With the advent of a digital economy in some ways these ‘debates’ become more frequent and more strident.

161. The implementation of an electronic ticketing system is an example of this digital economy in practice, and the issues raised in these proceedings. The transport regulators are able to divide the fare breakdown between the three public transport entities which appear to continue to operate separately. (Buses, Ferries and Trains). There is now extension in part to privately operated ‘public transport’ arms of bus and ferry based services.

162. The benefits for Government are multiple, but include the aforementioned fare breakdown, the ability to ‘electronically’ implement fare increases instantaneously as well as the ability to obtain valuable planning data on route uses and breakdown of patronage. There are undoubtedly other benefits some of which have been referred to in these proceedings.

163. Evidence has been adduced about improvements to compliance which have arisen in tandem with the implementation of the Opal electronic ticketing system. The respondent’s main argument appears to conclude with the need to be able to cancel concession cards by access to the allocated registered number of the individual. By having a registered card the use of the card (which can only be lawfully used by that registered user), creates a travel/movement history capable of being linked (when and as required for lawful purposes). The applicant argues that the respondent has not established how that information can be collected in a mandated manner having regard to the terms of section 8 (1) (b).

164. The applicant’s argument is that the travel data is not reasonably necessary for the monitoring of eligibility and entitlement to use. The applicant’s argument is that the design of the card (capable of being registered and activated/cancelled) creates the problem and the respondent should create a different product whereby a travel history is not generated.

Final submissions

165. The applicant submitted matters relating to the Privacy Commission’s investigation into the Opal card (concerning anonymous travel) and similar ticketing regimes in other states. The Tribunal has not been provided with any report to Parliament by the Privacy Commissioner concerning the Opal Card and as a result is unable to comment further on any observations and findings that the Privacy Commissioner might make. I do however repeat that the Tribunal has considered the Privacy Commissioner’s submissions as to the law and meaning of the words in the statute and in general adopts the tenor of the Privacy Commissioner’s submissions on key threshold issues.

165. No evidence has been adduced as to how the systems in other States deal with compliance and limiting non-compliance with (for example) the ‘seniors’ (concession) on the Victorian ‘myki’ card. However, unlike NSW I note that both the Victorian and Queensland Privacy Commissioners have provided public reports on the privacy shortcoming of their State’s electronic transport systems early in their implementation. These matters were referred to in some detail by the applicant in submissions. It would appear that submission was mainly directed at remedies, and an attempt to show that the type of system that he seeks is achievable.

166. The applicant submitted that the meaning of s 8 (1) (b) should be interpreted as high as ‘almost essential’, in that the information should not be collected for a purpose unless that purpose was almost essential to the underlying activity concerned with the collection.

167. However the applicant did provide submissions on the Privacy Commissioner’s public interpretation of the requirement, in that the reasonably necessary argument meant that ‘the Agency would not be able to perform its functions without collecting the information’. (Privacy NSW Guide to IPP’s 1999 pg. 6).

168. The applicant referred to various Law Reform Commission reports and examinations of the anonymity principle. The applicant also referred to the respondent’s own concession card policy. At page 11 of the policy:

4.2.9 Opal Concession Cards

The Opal Ticketing System accommodates various concessions that depend on a customer’s fare entitlement status. Before a concession card is issued, the customer’s eligibility status is verified (with the customer’s consent) against information held or provided by various agencies and organisations such as universities, the Department of Human Services and Service NSW.

Customers who use a concessional fare Opal card for travel will not have the option of using that Opal Card without registering it. They must also produce the approved proof of concession eligibility on demand if required by authorised revenue protection officers or other authorised officers when they use a concessional Opal card.

(Emphasis added)

170. There has, to my view, been no cogent explanation of the need to register the Gold Seniors Opal Card (after validation and verification of entitlement), other than the (understandable) issue that the respondent needs to be able to cancel those cards where necessary. Part of the imperative for this relates to the fact that an ‘active’ card has a nine year life. It also seems to relate to the respondent having no other current method of ‘managing a card’ other than through registration.

171. Why registration captures/includes travel top up and other data appears related to the technical limitations or built in ‘functionality’ of the card. Once registered all ‘functions’ become linked. It would seem that the design fails to accommodate the provisions of IPP 1 (s8 (1) (b) ) in that it collects information for purposes beyond entitlement and registration, if an agency subsequently uses that information for an unnecessary purpose, meaning one that is not reasonably necessary or lawful.

172. I have made a number of preliminary and threshold findings in these proceedings. Those findings are set out at the relevant place that they arise in the reasoning and evidence. Having considered all of the arguments and evidence and submissions of both parties, I find that the respondent has collected the personal information of the applicant (through the travel, billing, location) history for a purpose (by the nature of that collection/information) that is not necessary (or reasonably necessary) for ensuring entitlement and enforcement of eligibility for the Gold Seniors Opal card.

Final finding

173. As a result I find that there is a breach of IPP 1 (specifically section 8 (1) (b) of the PPIP Act).

174. For the above reasons the decision of the respondent will be set aside.

Appropriate orders / remedies

175. The PPIP Act sets out a broad range of outcomes that the Tribunal may order following positive findings in an administrative review. These range for ‘taking no action on the matter’ to damages and remedies akin to specific performance.

176. Section 55 (2) provides that:

(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:

(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c) an order requiring the performance of an information protection principle or a privacy code of practice,

(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f) an order requiring the public sector agency not to disclose personal information contained in a public register,

(g) such ancillary orders as the Tribunal thinks appropriate.

177. At the very least it would seem appropriate to consider some type of order in the nature of section 55 (2) (g) requiring the agency to put in place such steps as are necessary to ensure that the design of the Opal concession cards (specifically the Gold Opal Senior card) do not link to travel history/movements. Bearing in mind the associated planning and demographic use of these cards that the respondent appears to wish to continue using the Opal system for, this might not be an easily achievable outcome.

178. The nature of the response by the respondent could be in the practical realm by redesigning the card factoring in the privacy requirements, or a legal approach.

179. As observed above, ordinarily when the Tribunal has reviewed the conduct, and concluded that there is a breach of an IPP, some action would be warranted. The alternative would be to make an order consistent with section 55 (2) and disregard the range of ‘positive’ remedies under 55 (2) (a) – (5) inclusive. Authority for this proposition arises from one of the FM decisions - Vice-Chancellor, Macquarie University v FM (No.2) (GD) [2004] NSWADTAP 37 at [54]:

54   Ordinarily where a breach is demonstrated, some sanction should be applied to the agency; unless it can be shown that there it has responded in an adequate way already to the problem identified, and no order therefore is needed.

180. I note the apparent minimal impact of the s-8 (1) (b) conduct on the applicant, and the fact based on the evidence and submissions that ‘conduct’ was unnoticed and previously undetected or unforseen by the respondent. It is clear that they believed that their system was completely privacy compliant notwithstanding their own evidence concerning the need and basis for registration of Gold Opal cards.

181. In my view the ‘conduct’ appears unintended by the respondent’s design whereby they believed that a requirement for registration brought in an ‘all grounds’ collection and ‘all grounds’ use (even though use has not been argued by the applicant). Their design was focused on the transactional, fare aspects and planning aspect functionality of the card with compliance measures built into mandatory and discretionary registration. The case of SW v Forests NSW [2006] NSWADT 74 addresses this type of situation at paragraph 49. In this instance the Tribunal is addressing the appropriateness of an apology and privacy policy matters.

49 In the light of Forests NSW having breached the Information Privacy Principles relating to the collection, use and disclosure of the photographs, and there being reasonable concerns in relation to the security of the stored images in the officer’s computer, it is appropriate to exercise the powers entrusted to the Tribunal by s 55(2) of the PPIP Act to make the following orders:

1. That Forests NSW give SW an unreserved public apology recognising that it was responsible for breaches of her privacy as a result of the actions of one of its officers. This undertaking is not to be limited to an apology on behalf on the officer concerned only.

2. That Forests NSW will undertake: (a) to delete or destroy the relevant photographic images currently stored electronically on the officer’s computer; (b) to check whether any further copy of these images exists as a result of the ‘backing up’ of electronic data, and if a copy or copies does exist, Forests NSW undertakes further that these images will be deleted or destroyed.

3. That Forests NSW will review its privacy policy and make such changes as are necessary to ensure that personal information in the form of photographic images is included, the implementation of such changes to include appropriate staff training.

182. For these reasons, especially the lack of any evidence of impact on the applicant, other than a professional desire to correct the system and make it compliant, I doubt that an apology is useful or appropriate.

183. In FM (No 2) the Tribunal observed the following at [59]-[61] inclusive:

59 Our powers are not restricted to those given by s 55(2). Sub-section (3) leaves open to the Tribunal to be exercised the powers contained in the Administrative Decisions Tribunal Act 1997 (the Tribunal Act).

60   In this case we consider that the exercise of one of those powers is sufficient to provide an adequate response to the issues raised by this case – ‘to remit the matter for reconsideration by the administrator in accordance with any directions or recommendation of the Tribunal’ (s 63(3)).

61 In our view the matter is sufficiently addressed by our simply making a recommendation to Macquarie, if it has not already done so, to take steps to develop a policy for circulation to relevant academic and administrative staff which provides guidance on how to comply with the Privacy Act when providing detailed background information to other tertiary institutions in relation to the disciplinary history of students and former students; and in due course, formally to advise FM of the steps that it has taken.

184. The applicant argues for a design change to the registered cards. The applicant submitted in submissions of both August 2017 and October 2017 the following outcomes:

Under s.55 (2) (b), (c ) and/or (g) of the PPIP Act

• TfNSW to refrain from the conduct or action which is in contravention of IPP 1 / Section 8 (1) (b) (s.55 (2) (b) )

• TfNSW to perform IPP 1 / Section 8 in the operation of the Opal Card system, by way of offering Gold Opal Cards to seniors and age pensioners, after appropriate eligibility checks, but without mandatory registration of a specific card (s.55 (2) (c )).

• Any other orders that the Tribunal thinks appropriate in relation to the operation of the Opal card system, or any other similar systems (s.55 (2) (g) ).

185. The respondent did not argue for any outcomes other than that the decision be affirmed. Whilst they argued against the threshold criteria being positively found, the respondent did have ‘in the alternative’ arguments for the later provisions in the case. No arguments were directed however at any suggested remedies.

186. The applicant agitated a number of arguments concerning the manner in which the respondent conducted itself in the proceedings and the changing approach to their case which the applicant was required to rebut. The applicant stated that the respondent was constantly late in complying with Tribunal Orders and that the specific going back on earlier settled positions amounted to an abuse of process.

187. I appreciate the applicant’s frustrations with the respondent’s approach. A great deal of time was spent arguing the threshold issue (which was not contentious at the time of the respondent conducting the review). Whilst not ideal, the situation of a government agency changing it’s position at the time of administrative review is not unknown.

188. The Tribunal tried its best to accommodate the impact of the respondent’s position on the applicant (and where applicable the parties generally), by allowing more time for the hearing, filing of submissions and affording procedural fairness and natural justice to the parties and the witness.

189. The Tribunal allowed the applicant to go last and make the final submissions in part due to the ventilated concerns, but also noting that the fact that the applicant had less resources at his disposal and that the respondent is required to adhere to the NSW Government Model Litigant Policy.

190. The Tribunal notes that ultimately all matters were dealt with by consent, and any issues of conflict, apprehended bias, or other issues relating to the constitution of the Tribunal (due to the specific cases relied upon) were not problematic to the parties and no complaints were raised. As a result I determine that no further comment or orders will be made about the conduct of the proceedings.

Conclusion

191. As a result for the reasons and in the specific terms outlined above I find that the respondent has breached IPP 1 / s.8 (1) (b), and that some action must be taken by the respondent to ensure that they comply with the PPIP Act in respect of the Gold Seniors Opal card.

192. The details of what technical or other action can be taken will ultimately be a matter for the respondent, and will have regard to design, budget and technical limitations. There are clearly a number of approaches that could be taken to make the system compliant and there is neither the facility nor is it appropriate to go further into the detail as part of reasons for decision. It may be that the Queensland, Victorian and Hong Kong systems provide some insights into such an approach.

193. I recommend that the respondent take technical privacy, IT design and possibly legal advice in respect of these matters.

194. I also recommend that the respondent ensure that its Opal Privacy Policy and Privacy Management Plan conform with the Tribunal’s findings.

195. I do not believe that with regard to the technical nature of any remedies (other than a legislative approach), there is any utility in remitting the matter under section 63 (3) of the ADR Act. This is particularly so having regard to the size of the Opal system, and the broad impact that this decision may have on an aspect of that system.

196. I therefore make the following orders.

Orders

1. The decision of the respondent is set aside.

2. Pursuant to section 55 (2) (b) of the Privacy and Personal Information Protection Act 1998, the respondent is to refrain from the conduct in breach of Information Protection Principle 1 concerning any collection of personal information relating to travel movement history of the applicant in contravention of section 8 (1) (b) of the Act.********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.

Registrar

Amendments

16 February 2018 - Order text amended

12 March 2018 - Anonymisation removed

Decision last updated: 12 March 2018