Webb v iCare NSW

Civil and Administrative Tribunal

New South Wales

Medium Neutral Citation:	Webb v iCare NSW [2023] NSWCATAD 230
Hearing dates:	25 July 2023
Date of orders:	24 August 2023
Decision date:	24 August 2023
Jurisdiction:	Administrative and Equal Opportunity Division
Before:	A Christie, Senior Member
Decision:	1. The Respondent's internal review decision dated 17 August 2022 is set aside. 2. Within fourteen (14) days of the date of these Reasons for Decision, the Respondent is to provide to the Applicant an unreserved formal written apology signed by the Chair of the Board of the Respondent, Insurance and Care NSW (known as iCare), addressing and apologising for (a) the Respondent's contravention of IPP 11 identified in these Reasons for Decision and (b) all harm, distress, humiliation and embarrassment caused to the Applicant resulting from such. 3. Within seven (7) to fourteen (14) days (but not before seven (7) days) of providing the written apology required by Order (2) above, the Respondent must seek to remedy (at least in part) the damage caused to the Applicant by notifying each person to whom/to which it disclosed Ms Webb's personal information (the subject of these Reasons for Decision) and: (a) inform them that the information was provided to them unlawfully in breach of IPP 11; (b) request that they delete that information from all records they hold or control including if they received such via or hold such in an agency system; (c) request that they confirm receipt of the notice and whether they have complied or will comply with Order (3)(b) above; and (d) if confirmed in writing by Ms Webb within seven (7) days of receipt of the apology referred to in Order (2) above, include a copy of that apology with each notice to be issued in accordance with this Order (3). 4. Within fourteen (14) days of the Applicant providing to the Respondent their bank account (or any other acceptable payment method) details, the Respondent is to pay to the Applicant a total of $1,500 as compensation for the harm suffered by the Applicant caused by the Respondent's breach of IPP 11. 5. Within fourteen (14) days of the date of these Reasons for Decisions the Respondent is to perform IPP 11 in relation to all personal information of the Applicant (Ms Webb) held by the Respondent, including by implementing such: (a) training, awareness raising and safeguards; and (b) administrative measures, necessary to ensure the Respondent will, ensure that Ms Webb's personal information is only disclosed in compliance with IPP 11, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 which is applicable in the circumstances.
Catchwords:	ADMINISTRATIVE LAW – Privacy and Personal Information Protection Act 1998 (NSW) –ss 5, 18, 25(b) and 26(2) PPIP Act and s 54 Government Information (Public Access) Act 2009 –ss 25(b) and 26(2) exemptions from compliance with IPP 11 - whether submissions on the ss 25(b) and 26(2) PPIP Act exemptions potentially applying to a GIPA access applicant (another person) are relevant.
Legislation Cited:	Administrative Decisions Review Act 1997 (NSW) Civil and Administrative Tribunal Act 2013 (NSW) Government Information (Public Access) Act 2009 (NSW) Privacy and Personal Information Protection Act 1998 (NSW)
Cases Cited:	Amos v Central Coast Council [2019] NSWCATAD 226 CCM v Western Sydney University [2019] NSWCATAP 103 CJU v SafeWork NSW [2018] NSWCATAD 300 Commissioner of Police v Ritson (No 2) [2023] NSWSC 854 CYL v YZA [2016] NSWCATAD 314 FM v Vice-Chancellor, Macquarie University [2003] NSWADT 78 Insurance and Care NSW v EEH [2021] NSWCATAP 350 NG v Department of Education and Training [2004] NSWADT 137 Sneesby v Shoalhaven City Council [2019] NSWCATAD 234 Vice-Chancellor, Macquarie University v FM (GD) [2003] NSWADTAP 43 Vice-Chancellor, Macquarie University v FM (No 2) [2004] NSWADTAP 61 Webb v iCare NSW [2023] NSWCATAD 111
Texts Cited:	Nil
Category:	Principal judgment
Parties:	Telina Webb (Applicant) iCare NSW (Respondent) NSW Privacy Commissioner (Intervenor)
Representation:	Solicitors: Applicant (Self-Represented) Crown Solicitor (Respondent) Intervenor (Self-Represented)
File Number(s):	2022/00264601
Publication restriction:	Under ss 64(1)(a) and (d) of the Civil and Administrative Tribunal Act 2013 (NSW) the disclosure of the contents of (including the names of the persons referred to in) Mr Howard's affidavit and the closed part of the hearing of 22 March 2023 is prohibited (including to the applicant) and the disclosure of the recording and/or the transcript of the closed part of the 22 March 2023 hearing (including to the applicant) is also prohibited.

REASONS FOR DECISION

1. The Applicant, Ms Telina Webb, applied to the Tribunal on 5 September 2022 under ss 53 and 55 of the Privacy and Personal Information Protection Act 1998 (NSW) ("PPIP Act") for the administrative review by the Tribunal of certain conduct of concern ("AR Application") which was the subject of an internal review decision of the Respondent, iCare, dated 17 August 2022 ("IR Decision").

2. There have been numerous interim miscellaneous applications (including a successful appeal of the Tribunal's decision in latest of these) in these proceedings related to the appearance of a witness/the setting aside of a summons to appear issued on behalf of by the Applicant. Of most relevance to these Reasons for Decision is the Tribunal's decision in Webb v iCare NSW [2023] NSWCATAD 111 ("PI Decision") on the 'preliminary issue' of whether or not the Applicant's name was, in the circumstances, 'personal information' under s 4 PPIP Act ("Preliminary Issue") (see paragraph 7 below).

3. On 23 July 2023 the Tribunal heard the parties on the substantive, remaining and final issues to be determined by the Tribunal in respect of the AR Application ("July 2023 Hearing"). At the July 2023 Hearing the Applicant appeared by AVL, the Respondent appeared in person represented by the Crown Solicitor and the witness, Ms Lilli Tzinberg, also appeared in person.

Background

4. By letter to the Respondent dated 16 June 2022 the Applicant made an internal review request under s 53 PPIP Act ("IR Request"). The IR Request noted that it concerned the disclosure of Ms Webb's personal information related to a "Formal Access Application" made to the Respondent by (i.e. on behalf of) the "NSW Freedom of Information" a trading name of DraftCom Pty Ltd ("NSWFOI" or the "GIPA access applicant") under the Government Information (Public Access) Act 2009 ("GIPA Act") which the Applicant, Ms Webb, had physically submitted for and on behalf of NSWFOI. The specific conduct of concern for which the Applicant sought an internal review is stated in the IR Request to be ("Conduct of Concern"):

"The conduct occurred when iCare's Ms Lilli Tzinberg Right to Information Officer disclosed my personal information to a third-party private organisation identified as the NSW Right to Information & Privacy Practitioners Network (NIPPN) Ms Nikki Gibbs-Steele."

5. The IR Decision noted, in summary and most relevantly, that:

1. the issue the Respondent considered for its internal review is "whether there has been a disclosure of your [i.e. the Applicant's] personal information contained in your [sic] Formal Access Application [under the GIPA Act] to iCare";

2. after citing various provisions of the PPIP Act and exemptions in respect of the alleged 'disclosure' of the Applicant's personal information 'within the Respondent', (a) the Tribunal and Appeal Panel "has determined that the provisions of the PPIP Act are not concerned with the internal movement of personal information within agencies" and (b) "under s.5 of the PPIP Act, nothing in the PPIP Act affects the way the GIPA Act operates"; and

3. "accordingly, I have determined that a breach of IPP 11 cannot be substantiated on the basis that your personal information was alleged to have been disclosed to the Privacy Officer [of the Respondent]".

6. The AR Application attaches relevant supporting documentation, being an email chain evidencing the Conduct of Concern.

7. In the PI Decision the Tribunal decided, most relevantly as regards the Preliminary Issue, that:

"(1) The Applicant's name is 'personal information' falling with s 4 of the Privacy and Personal Protection Information Act 1998 (NSW).

(2) The Applicant's name is not exempted from being personal information under s 4(1) by the operation of s 4(3)(b) of the Privacy and Personal Information Protection Act 1998 (NSW).

(3) The information that the Applicant made a Government Information (Public Access) Act 2009 (NSW) application to the Respondent on behalf of a named organisation is prima facie the personal information of the Applicant falling within s 4 of the Privacy and Personal Protection Information Act 1998 (NSW) of that Act.

(4) The personal information of the Applicant referred to in Order (3) above is not exempted from being personal information under s 4(1) by the operation of s 4(3)(b) of the Privacy and Personal Information Protection Information Act 1998 (NSW) as it is not information about the Applicant contained in a publicly available publication." [emphasis added]

8. In addition, although not relevant to the July 2023 Hearing per se, the Tribunal's Orders dated 28 March 2023 under ss 49(2), 64(1)(a) and (d) of the Civil and Administrative Tribunal Act 2013 (NSW) ("CAT Act") confirmed the Tribunal's rulings during the 22 March 2023 hearing as regards a confidential affidavit, a closed part of that hearing and certain related non‑disclosure/non‑publication orders.

9. The substantive issues remaining to be determined by the Tribunal and the subject of the July 2023 Hearing and these Reasons for Decision are whether ("Substantive Issues"):

1. the correct and preferable decision is that the Respondent breached IPP 11/s 18 PPIP Act by disclosing the Applicant's personal information (see the bolded part of paragraph 7 above) to the relevant third parties; and

2. in relation to (1), the Applicant 'expressly consented' to her personal information (as distinct from the GIPA access applicant's information) being shared with the relevant third parties such that the Respondent is therefore not required to comply with s 18 PPIP Act (IPP 11) under s 26(2) PPIP Act; and/or

3. in relation to (1), the Respondent is exempt from compliance with IPP 11/s 18 PPIP Act under s 25(b) PPIP Act as regards the Applicant's personal information as any non‑compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) as part of the Respondent's obligation to undertake third party consultations pursuant to s 54(1) GIPA Act in relation to the GIPA access application made by the GIPA access applicant (i.e. NSWFOI).

10. As at the date of the July 2023 Hearing:

1. the Respondent had, most relevantly for the July 2023 Hearing:

1. filed the s 58 Administrative Decisions Review Act 1997 ("ADR Act") bundle of documents on 17 October 2022;

2. submitted written submissions dated and filed on 28 November 2022 ("Respondent Submissions"); and

3. lodged an Affidavit of Ms Sophie Maltabarow sworn and filed with the Tribunal on 28 November 2022 ("Ms Maltabarow Affidavit") attaching, among other things, a copy of the Information and Privacy Commission NSW "Guideline 5 Consultation on public interest considerations under section 54 and 54A of the [GIPPA Act]" (April 2019) ("PC Guideline");

2. in addition to the AR Application the Applicant had, most relevantly for the July 2023 Hearing, submitted the "Applicant Reply," dated and filed on 5 December 2022 ("Applicant Submissions"); and

3. the Privacy Commissioner of New South Wales ("Privacy Commissioner") had submitted its written submissions dated and filed on 15 December 2022 ("PC Submissions").

11. In addition to the materials noted in paragraph 10 above, at the July 2023 Hearing both parties and the Privacy Commissioner also made oral submissions to the Tribunal and Ms Lilli Tzinberg appeared as a witness.

12. These Reasons for Decision are limited to (a) the Substantive Issues and, (b) if it is found that the correct and preferable decision is that the Respondent breached IPP 11 as a result of the Conduct of Concern, the appropriate remedies.

Administrative review by the Tribunal

13. The role of the Tribunal in undertaking an administrative review such as this is to decide what the "correct and preferable" decision is having regard to the material before it: s 63 Administrative Decisions Review Act 1997 ("ADR Act"). The Tribunal is required to make its decision on the material available to it at the time of the hearing and is not limited to material that was before the decision-maker.

14. This is a merits review and therefore the Tribunal is not concerned with the question of whether the decision under review (i.e. the IR Decision, in this case) was itself correct or incorrect but (as noted) to determine the correct and preferable decision.

15. The relevant issues for these Reasons for Decision as regards the AR Application (i.e. the Substantive Issues) are, in summary, whether the correct and preferable decision as regards the Respondent's disclosure of the Applicant's personal information (not the GIPA access applicant's information) is that the Respondent is exempt or excused from complying with IPP 11/s 18 PPIP Act pursuant to either of ss 25(b) or 26(2) PPIP Act or, if not, if the Conduct of Concern resulted in the Respondent breaching IPP 11/s 18 PPIP Act.

16. It is the responsibility and obligation of the parties to administrative reviews by the Tribunal to ensure (and the Tribunal is entitled to assume) that the parties present all relevant evidence and make all relevant submissions on all matters in issue in the proceedings in order to assist the Tribunal to make the correct and preferable decision (see Insurance and Care NSW v EEH [2021] NSWCATAP 350 at [59] and [61] and Commissioner of Police v Ritson (No 2) [2023] NSWSC 854 ("Ritson") at [158] and [160]). As specifically noted by Dhanji J in Ritson:

"[158] … it was for the [respondent in the original proceedings] to determine the grounds on which she would resist the application. Whilst she sought to limit the nature of the contest before the Tribunal, she was not entitled to proceed on the basis that she would be successful in this regard. … In this context, it was not for the Tribunal to positively satisfy itself that the [respondent] had 'considered and given effect to' various provisions of the legislation which may have operated to allow her to deny the [applicant in the original proceedings] his personal information …

[160 … The [respondent] has obligations under the PPIP Act and an obligation to be familiar with them …"

17. In this case, the principles noted in paragraph 16 above required the Respondent to submit all relevant evidence and to make all relevant submissions as regards the Conduct of Concern (in this case) and the alleged resulting contravention of IPP 11 referred to in (or reasonably understood from) the IR Request. This is so the Tribunal may make the correct and preferable decision on all of the matters within the Tribunal's administrative review jurisdiction. As set out in IR Request, this case relates to the disclosure of Ms Webb's personal information by the Respondent and not the disclosure of the information of the GIPA access applicant (NSWFOI).

18. Section 30(2)(b) CAT Act provides that the Tribunal may exercise the functions that are conferred or imposed on it by the CAT Act, the ADR Act and the enabling legislation (i.e. PPIP Act in this case) in connection with the conduct and resolution of these proceedings. By s 63(2) ADR Act, in an administrative review the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the 'administrator' who made the relevant decision. In this case the relevant administrator is the person making the IR Decision, even though the IR Decision itself is not per se the subject of the review by the Tribunal.

Applicable law and relevant principles

19. Section 5 PPIP Act provides:

"(1)   Nothing in this Act affects the operation of the Government Information (Public Access) Act 2009.

(2)   In particular, this Act does not operate to lessen any obligations under the Government Information (Public Access) Act 2009 in respect of a public sector agency."

20. Section 18 PPIP Act (IPP 11) provides:

"Limits on disclosure of personal information

(1)   A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless—

(a)   the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b)   the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c)   the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person. …"

21. Section 25 PPIP Act provides as follows:

"Exemptions where non-compliance is lawfully authorised or required

A public sector agency is not required to comply with sections 9, 10, 13, 14, 15, 17, 18 or 19 if:

(a)   the agency is lawfully authorised or required not to comply with the principle concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998)."

22. The exemption in s 25(a) PPIP Act requires the express authorisation or requirement not to comply with the relevant section of the PPIP Act, an IPP or IPPs to be set out in the relevant Act or law. The exemption in s 25(b) PPIP Act, however, only requires that non-compliance is otherwise (i.e. while not expressly stated in an Act or law as permitted or required it is) "necessarily implied or reasonably contemplated" under an Act or any other law. It is the exemption under s 25(b) PPIP Act that the Respondent submits is applicable in this case.

23. Section 26 PPIP Act provides, most relevantly:

"Other exemptions where non-compliance would benefit the individual concerned

(1)  …

(2)  A public sector agency is not required to comply with section 10, 18 or 19 if the individual to whom the information relates has expressly consented to the agency not complying with the principle concerned."

24. Section 53 PPIP Act provides, most relevantly:

"Internal review by public sector agencies

(1)  ….

(7)  Following the completion of the review, the public sector agency whose conduct was the subject of the application may do any one or more of the following—

(a)  take no further action on the matter,

(b)  make a formal apology to the applicant,

(c)  take such remedial action as it thinks appropriate (eg the payment of monetary compensation to the applicant),

(d)  provide undertakings that the conduct will not occur again,

(e)  implement administrative measures to ensure that the conduct will not occur again. ..."

25. Section 55 PPIP Act provides, most relevantly:

"Administrative review of conduct by Tribunal

(1)  …

(2)  On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders—

(a)  subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b)  an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c)  an order requiring the performance of an information protection principle or a privacy code of practice,

(d)  an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e)  an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f)  an order requiring the public sector agency not to disclose personal information contained in a public register,

(g)  such ancillary orders as the Tribunal thinks appropriate.

(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.

(4)  The Tribunal may make an order under subsection (2) (a) only if—

(a) the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and

(b)  the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency. …"

26. Section 54 GIPA Act provides, most relevantly:

"Consultation on public interest considerations

(1)  An agency must take such steps (if any) as are reasonably practicable to consult with a person before providing access to information relating to the person in response to an access application if it appears that—

(a)  the information is of a kind that requires consultation under this section, and

(b)  the person may reasonably be expected to have concerns about the disclosure of the information, and

(c)  those concerns may reasonably be expected to be relevant to the question of whether there is a public interest consideration against disclosure of the information.

(2)  Information relating to a person is of a kind that requires consultation under this section if the information—

(a)  includes personal information about the person, or

…

(4)  The purpose of consultation under this section is to ascertain whether the person has an objection to disclosure of some or all of the information and the reasons for any such objection.

(5)  The agency must take any objection to disclosure of information that the agency receives in the course of consultation into account in the course of determining whether there is an overriding public interest against disclosure of government information. …"

27. In paragraph 1 of Schedule 4 to the GIPA Act a "person" for the purposes of the GIPA Act is noted as:

"person includes an agency, the government of another jurisdiction (including a jurisdiction outside Australia) and an agency of the government of another jurisdiction.

Note—

This definition does not limit the definition of person in the Interpretation Act 1987, which includes an individual, a corporation and a body corporate or politic."

28. Section 63 ADR Act provides:

"Determination of administrative review by Tribunal

(1)  In determining an application for an administrative review under this Act of an administratively reviewable decision, the Tribunal is to decide what the correct and preferable decision is having regard to the material then before it, including the following:

(a)  any relevant factual material,

(b)  any applicable written or unwritten law.

(2)  For this purpose, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision.

(3)  In determining an application for the administrative review of an administratively reviewable decision, the Tribunal may decide:

(a)  to affirm the administratively reviewable decision, or

(b)  to vary the administratively reviewable decision, or

(c)  to set aside the administratively reviewable decision and make a decision in substitution for the administratively reviewable decision it set aside, or

(d)  to set aside the administratively reviewable decision and remit the matter for reconsideration by the administrator in accordance with any directions or recommendations of the Tribunal."

The Respondent's submissions

29. In the Respondent Submissions and at the July 2023 Hearing the Respondent submitted, most relevantly and in summary, that:

1. The Respondent acknowledges that the Applicant checked the box offered by the Respondent on the GIPA Application to say that she did not consent to her name and/or the name of the GIPA access applicant (NSWFOI) being provided to third parties in the course of any s 54 GIPA Act consultation.

2. Despite (1) above, when this 'request' of the Applicant on the GIPA Application is read together with the GIPA access applicant's cover letter which notes that the fact of the GIPA Application and what information has been requested may need to be discussed with other members of NIPPN, the Applicant has 'consented' to her name and that of NSWFOI (the GIPA access applicant) being disclosed to third parties, being the members of NIPPN. The Respondent submits that the Applicant's and the GIPA access applicant's (i.e. NSWFOI's) express refusal of consent in section 4 of the GIPA Application is inconsistent with the GIPA Application when read as a whole with the GIPA access applicant's cover letter.

3. In the GIPA access applicant's cover letter to the GIPA Application the GIPA access applicant (i.e. NSWFOI) notes that:

"I understand the Chair of NIPPN is Ms Nikki Gibbs-Steele of iCare, and as such I would expect Ms Gibbs-Steele has full access to the requested information.

In the unlikely event Ms Gibbs-Steele asserts that she does not have access to the requested information, as the chair of NIPPN, she is naturally expected to be fully aware of the Secretary or some such person within NIPPN who has access to the requested information.

As such, in the unlikely event Ms Gibbs-Steele asserts she cannot assist with this formal access application, I envisaged the application can be effectively transferred to the right person who may or may not be positioned in a third-party agency. Ms Gibbs-Steele will be able to provide iCare's Right to Information Officer with the correct contact details of that right person".

4. It is 'apparent from the GIPA access applicant's cover letter' (quoted in paragraph 29(3) above) that the GIPA Application was made by NSWFOI to iCare because of the role of Ms Gibbs-Steele of the Respondent as the Chair of NIPPN. The GIPA access applicant (NSWFOI) expressly contemplates in its cover letter to the GIPA Application that the fact of the GIPA access application (and the information requested) may need to be discussed with another NIPPN member, such as the Secretary of NIPPN. In those circumstances the Respondent submits it would be inconsistent for the Applicant to say that her privacy was breached by way of her identity as the individual that sent the GIPA Application on behalf of NSWFOI (i.e. her personal information) being revealed to members of NIPPN in a s 54 GIPA Act consultation in respect of the GIPA access applicant's GIPA access application.

5. The Respondent relies on s 26(2) PPIP Act in submitting that the Respondent was not required to comply with s 18 PPIP Act (IPP 11) in circumstances where the Applicant has "expressly consented" to 'disclosure' to other members of NIPPN of the fact of the GIPA Application and that she was the individual who physically submitted the GIPA Application to the Respondent on behalf of NSWFOI.

6. As regards the authorisation or requirement to disclose certain information pursuant to s 54(1) GIPA Act about the GIPA access applicant, therefore resulting in the Respondent being exempt under s 25(b) PPIP Act from complying with IPP 11 presumably in respect of certain personal information of the GIPA access applicant, the Respondent submits, most relevantly and in summary, that:

1. "The first and second email was sent for the purposes of consultation, which iCare is required to undertake pursuant to s 54(1) of the GIPA Act. Nothing in the PPIP Act effects the operation of the GIPA Act: s 5, PPIP Act. Any disclosure was lawfully authorised or required and therefore exempt under s 25 of PPIP Act."

2. "Section 54 relevantly applied with respect to the GIPA Application. The [GIPA access] applicant [NSWFOI] sought, among other things, the names of the Network's members. That the individuals are members of the Network is personal information for the purposes of cl. 4(1) of Sch 4 to the GIPA Act. An email dated 21 April 2022 in response to the second email, consulting the members of NIPPIN, received the following reply:

"The release of the details in the list could pose a risk of individuals being individually named, harassed or intimidated. The [GIPA access] applicant does make a point of publishing the names of individuals working in the NSW public sector's privacy and right to information space on the Freedom of Information website media releases"."

3. "Given the Network [NIPPIN] Chair had access to the Network email addresses, the first and second emails, requesting the views of the Network members on the release of the requested information, were a reasonably practicable step to consult for the purposes of s 54(1)."

4. "The respondent submits that, pursuant to s 25 of the PPIP Act, iCare was lawfully authorised not to comply with s 18, or non‑compliance was otherwise permitted (or necessarily implied or reasonably contemplated) under s 54(1) of the GIPA Act."

5. "Section 54(1)(b) of the GIPA Act looks to the concerns a third party may have about the disclosure of information. Knowledge of the identity and/or organisation of the [GIPA] access applicant [NSWFOI] is likely to be an important part of the assessment of third parties in considering whether their consent to the release of information that contains their personal information. Section 54 therefore at least reasonably contemplates that the identity of the [GIPA] access applicant [NSWFOI] will be disclosed in the course of consultation pursuant to s 54."

6. The Respondent also refers to paragraph 4.8 of the PC Guideline which provides:

"4.8   Third parties may ask the name of the access applicant who is requesting their personal or other information. Third parties may be more willing to agree to the disclosure of information concerning them if they know who is requesting the information and context of that request. Agencies should treat the identity of access applicants like any other personal information they hold. It is advisable for agencies to obtain the consent of the applicant prior to disclosing his or her identity and other particulars to third parties. (my emphasis)"

7. "This paragraph [i.e. the paragraph noted immediately above in paragraph 29(6)(f)] acknowledges that providing the name and context of the [GIPA] access application may, in some circumstances, lead to consent from third parties to release information, thereby furthering the object of the GIPA Act."

8. "However, as is clear from the language used in the [PC] Guideline, obtaining consent is advisable. It is not a legal requirement sourced in the legislation."

9. The Respondent acknowledges that it "did seek consent, and such consent was not expressly provided" by the Applicant to release her identity (i.e. personal information) or that of the GIPA access applicant (i.e. NSWFOI).

10. "The respondent submits that, for the purposes of s 25 of the PPIP Act, it was at least reasonably contemplated by s 54 of the GIPA Act that consultation may, in certain circumstances, involve the disclosure of the identity of the [GIPA] access applicant [NSWFOI]. … The respondent accepts that the consent of the [GIPA] access applicant [NSWFOI] should be sought, and the [GIPA] access applicant's response is an important consideration. However, the respondent submits that the legislation permits the identity of the [GIPA] access applicant [NSWFOI] to be disclosed in the course of consultation. Whether or not an agency decides to do so is at the discretion of the agency. If an [GIPA] access applicant did consent, an agency could additionally rely on the exception to the prohibition in s 18 in s 26(2) of PPIP Act."

11. The Respondent submits that s 25(b) PPIP Act is a broad provision and, quoting paragraphs [63] to [64] of CCM v Western Sydney University [2019] NSWCATAP 103, the Respondent concludes that this "supports the respondent's contention that disclosure of an [GIPA] access applicant's [NSWFOI’s] identity is at least reasonably contemplated by s 54 of the GIPA Act. Further, it indicates that the Tribunal need not "drill down" into the requirements of s 54; rather, the inquiry is at a higher level of where the disclosure would be 'reasonably contemplated'.

12. "The respondent's contention that disclosure of an [GIPA] access applicant's identity when consulting is reasonably contemplated by s 54 of the GIPA Act is further strengthened by s 5(1) of the PPIP Act, which provides that nothing in the PPIP Act effects the operation of the GIPA Act. This section provides a statutory command not to read down what is authorised or reasonably contemplated under s 54 of the GIPA Act by reference to the prohibition on disclosure of personal information in s 18 of the PPIP Act."

7. The Respondent also acknowledges and agrees that because the Applicant's "identity … was sent from within iCare to external emails, at some point a 'disclosure' occurred for the purposes of the PPIP Act. It is not necessary for the purposes of these proceedings to determine the exact point at which the disclosure occurred."

The Applicant's submissions

30. In the Applicant Submissions and at the July 2023 Hearing the Applicant submitted, most relevantly and in summary, that:

1. "The Applicant did not at any time consent in any manner to the 'GIPA Act application being provided to the network'. The Respondent has conceded that "the Applicant ticked 'no' in the checkbox as to whether iCare could disclose her name and/or company [i.e. the GIPA access applicant's] name for the purposes of consultation". The Applicant submits "there is nothing even remotely ambiguous about the Applicant's intentions on this issue."

2. Section 4 headed "Consultation" of the Respondent's "Access Application Form" ("AAF") provides, most relevantly, as follows:

"iCare may be required to consult with third parties before deciding the application. … For the purposes of consultation, please indicate if iCare can disclose the following information about you to third parties:

Your name and/or company name ["yes" and "no" checkboxes were provided and "no" has been ticked]

Your request for information [again "yes" and "no" checkboxes were provided and, in this case, the "yes" checkbox was ticked]"

3. Section 9 of the AAF headed "Privacy statement" provides, most relevantly, as follows:

"iCare is subject to the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002.

Your personal information is being collected to process your application for information pursuant to Part 4 Division 1 of the Government Information Public Access Act 2009. The provision of personal information is voluntary, however, if you do not provide it we may not be able to process your application. iCare may use your personal information for the purpose of processing your application within the agency. iCare will not disclose your personal information without your consent unless authorised by law. …" [emphasis added by Applicant]

4. Referring to the Respondent's submission that the Applicant 'agreed' to the disclosure of her personal information, "[t]here is no such agreement by the Applicant that the [GIPA] Application or any part of her personal information would be provided to any member of the network as iCare has made clear it views the Network as non-governmental."

5. "iCare was bound by the PPIP Act 1998 s 18. The PPIP Act 1998 s 25(a) is not applicable and nor is s 25(b) PPIP Act applicable either."

6. It appears the Respondent is allowing NSW government agencies the privilege of personal information protection principles where their information is already published, yet it is not allowing the same privilege for the Applicant in these proceedings which is "decidedly discriminatory and misleading". The contact details for the privacy and GIPA officers (and/or relevant contacts) of each government agency are published by those NSW government agencies.

7. "While third-party consultations under s 54 of the GIPA Act 2009 may be undertaken, there was not at any time any mechanism within the section [section 4 of the GIPA Application] to disclose the Applicant's personal information."

8. "Referring to the Office of the NSW Information & Privacy Commission's (IPC) 'Information Access Resources for Agencies', Template Letter – Third Party Consultation [with a link provided] the IPC makes clear 'if you are going to include the [GIPA access] applicant's personal information, such as name or other information from which the applicant's identity can be identified, make sure that this is only done in accordance with your agency's privacy obligations'."

9. "The Respondent concedes that the 'Agency should treat the identity of [GIPA] access applicants like any other personal information they hold. It is advisable for agencies to obtain the consent of the applicant prior to disclosing his or her identity and other particulars to third parties'."

10. "The Respondent concedes that the Applicant's personal information was disclosed."

11. "The Applicant requests the Tribunal to consider what has occurred in this specific instance and to 'draw the logical and only conclusion that is that iCare has breached the Applicant's personal privacy, confirmed by the Respondent's numerous concessions to that effect'."

The NSW Privacy Commissioner's submissions

31. In the PC Submissions and at the July 2023 Hearing the Privacy Commissioner, most relevantly and in summary:

1. Noted that the Privacy Commissioner had exercised the right to appear and be heard in the Tribunal's review under s 55(6) PPIP Act.

2. Noted that "[t]he Applicant asked the Tribunal to determine whether the disclosure of the Applicant's name in the email of 19 April 2022, and noting any relevant consent, was permitted by the Act (IPP 11, 'limited disclosure principle')."

3. "The Privacy Commissioner notes that the access application circumstances in the current proceedings involved a formal application process, and particularly notes the privacy notice in that [GIPA] access application form."

4. Noted in particular the following considerations for the Tribunal to consider and apply in the current proceedings:

"(a) the Applicant made an application for information not in her right as a natural person but on behalf of NSWFOI, with the application including a templated letter for NSWFOI …

(e) the access application form asked the applicant whether they permitted the Respondent to disclose their name and the request for information; and also provided a privacy statement on the collection of personal information for the purpose of processing the [GIPA] application within the agency [and the Applicant ticked to indicate that it did not permit the disclosure of her or the GIPA applicant's (NSWFOI's) name] ...

(g) in consulting the third parties under s. 54, the Respondent provided the Applicant's name and identity as the [GIPA] access applicant and the information items sought by the application."

5. After referring to the Respondent's evidence referring to the PC Guideline and s 54(a) GIPA Act, noted that "the Privacy Commissioner was consulted on the development of that guideline … and particularly endorses the bolded text in the following citation … [only the bolded text is reproduced below]:

"Agencies should treat the identity of [GIPA] access applicants like any other personal information they hold. …".

6. "The Tribunal has stated that GIPA does not require the consent of the [GIPA] access applicant prior to consulting any person to who s 54 consultation will be undertaken: see, Sneesby v Shoalhaven City Council [2019] NSWCATAD 234 at [5] –[6]."

6. "There is no explicit protection over an [GIPA access] applicant's name in the GIPA Act's regime for processing and determining an access application. Similarly, there is no express or implied confidentiality attaching to responses to a s 54 consultation process: see Amos v Central Coast Council [2019] NSWCATAD 226 [("Amos")] at [45] which derived its position from noting also that a third party has access to review rights." The Privacy Commissioner noted that the purpose of s 54 GIPA Act was summarised in Amos at [49] and the Respondent is only required, pursuant to s 54 GIPA Act, to:

"(a)   inform the third-party of the access application and what information pertaining to the third party is being sought;

(b)   ascertain whether the third-party person has an objection to disclosure of some or all of the information and reasons for any such objection (s 54(4);

(c)   take any third party objection into account in determining whether there is an overriding public interest against disclosure of the information (s 54(5)); and

(d)   before the information is released, give the third party notice of any decision to provide access to the information over the third party objection, and provide the third party with notice of their rights to have the decision reviewed (s 54(6))."

8. "The Privacy Commissioner notes that item 4, 'consultation', of the [GIPA] access application form asks an applicant to designate "yes or no" to whether the Respondent can disclose their name and their request for information to third parties. The applicant clearly designated "no", however, the Tribunal is asked to consider the effect of the [GIPA access] applicant's permission in the cover letter …"

9. As regards the s 25 PPIP Act exemption of the Respondent from the obligations under s 18 PPIP Act (IPP 11), the Privacy Commissioner notes:

1. "The Tribunal has commented this 'strikes a balance between a person's right to privacy and the need to preserve an agency's capacity to carry out its functions'; NG v Department of Education and Training [2004] NSWADT 137 at [39]."

2. "With respect to determining whether the exemption under s 25 applies in a particular case, the Tribunal has stated that 'each decision will, however, turn upon an analysis of the ultimate law involved in the connection between that law and what would otherwise be the privacy contravention': CYL v YZA [2016] NSWCATAD 314 at [96]."

3. "In this case, and if the conduct is disclosure, then non-compliance with s 18 (IPP 11) would be permitted if the Tribunal accepts that the GIPA Act authorised the disclosure (conduct for which s 18 would apply under the PPIP Act)."

Considerations and findings

32. In considering the Substantive Issues in these Reasons for Decision as regards the Respondent's disclosure of the Applicant's personal information (not NSWFOI's, as the GIPA access applicant, information), the Tribunal will first address each of the two submitted exemptions from the Respondent complying with IPP 11 in the circumstances of this case under (a) s 26(2) PPIP Act (see paragraph 9(2) above) and (b) s 25(b PPIP Act (see paragraph 9(3) above). If, based on the material before the Tribunal, neither of these exemptions apply in the circumstances then the Tribunal will need to determine whether the correct and preferable decision is that the Conduct of Concern is a breach of IPP 11 (s 18 PPIP Act) by the Respondent, again based on the material before the Tribunal.

Application of the exemption under s 26(2) PPIP Act

33. In the Respondent Submissions and orally at the July 2023 Hearing the Respondent submitted that the Applicant consented to the disclosure of her personal information effectively as a part or as the result of the GIPA Application by NSWFOI (i.e. the GIPA access applicant) and the NSWFOI cover letter. The Respondent also submitted that (without submitting any reasons as to why) these NSWFOI actions should be taken as the "express consent" of the Applicant (i.e. not the GIPA access applicant) required under s 26(2) PPIP Act to exempt the Respondent from complying with IPP 11 as regards the Applicant's personal information.

34. Even if the Tribunal was to accept the submissions of the Respondent that the NSWFOI cover letter (when read with the NSWFOI's GIPA Application as a whole) was the 'express consent' needed under s 26(2) PIPP Act of the GIPA access applicant (i.e. NSWFOI), this would only permit the Respondent to disclose NSWFOI's name as the GIPA access applicant in relation to s 54 GIPA Act consultation by the Respondent. That is, these are not persuasive submissions as to the 'express consent' of the Applicant to allow the Respondent to disclose her personal information contrary to IPP 11.

35. Apart from NSWFOI's cover letter relating to its GIPA Application, the Respondent presented no evidence of any "express consent" given by the Applicant to disclose her personal information (i.e. as opposed to the information of the GIPA access applicant) sufficient to meet the requirements of 'express consent' in order to rely on s 26(2) PPIP Act: see FM v Vice-Chancellor, Macquarie University [2003] NSWADT 78 at [63] and [76] and Vice-Chancellor, Macquarie University v FM (GD) [2003] NSWADTAP 43 at [97]. Further, the Respondent did not sufficiently explain how any 'express consent' of NSWFOI (as the GIPA access applicant), if established, was (or could be understood to be) the 'express consent' of the Applicant to the disclosure of her personal information by the Respondent.

36. The following acknowledgements and admissions of the Respondent also severely limit the persuasiveness of its submissions in respect of the application of the s 26(2) PPIP Act exemption to the Applicant's personal information in this case:

1. The Respondent acknowledged that:

1. the Applicant checked the box indicating that she did not consent to her personal information being provided to third parties (see paragraph 29(1) above);

2. the Applicant and GIPA access applicant (NSWFOI) expressly refused to consent in Section 4 of the GIPA Application (paragraph 29(2) above); and

3. consent to disclosure was "not expressly provided" by the Applicant (see paragraph 29(6)(i) above).

37. In the matters raised by the Privacy Commissioner for the Tribunal's consideration, both in the PC Submissions and made at the July 2023 Hearing, the Privacy Commissioner noted that (a) the Applicant ticked the "no" checkbox on the AAF and (b) the GIPA Application was not made by the Applicant "in her own right" (see paragraphs 31(4) and (8) above).

38. I am satisfied that, based on the materials before the Tribunal and without deciding whether NSWFOI as the GIPA access applicant has expressly consented to the disclosure of its name as the GIPA access applicant, the Respondent has not established that the Applicant expressly consented (for the purposes of s 26(2) PPIP Act) to the disclosure by the Respondent of her personal information contrary to IPP 11. Therefore, in this case, s 26(2) PPIP Act does not exempt the Respondent from complying with IPP 11 in relation to the Applicant's personal information.

Application of the exemption under s 25(b) PPIP Act

39. While the Applicant may have physically sent or submitted the GIPA Application to the Respondent, as the Privacy Commissioner notes and the evidence before the Tribunal shows, the cover letter was on the 'letterhead' of NSWFOI and NSWFOI (a separate legal person to the Applicant) is the GIPA access applicant.

40. Without determining the merits or otherwise of the Respondent's submission that s 54 GIPA Act permits non‑compliance with IPP 11 or that such is necessarily implied or reasonably contemplated in the circumstances as regards the disclosure of the GIPA access applicant's (NSWFOI's) name, no persuasive submissions were made or evidence put before the Tribunal by the Respondent as to why the disclosure of the Applicant's personal information (as opposed to the name or identity of the GIPA access applicant, NSWFOI) is permitted, necessarily implied or reasonably contemplated by s 54 GIPA Act in respect of the Respondent's consultation with third parties about the GIPA access application of NSWFOI (the GIPA access applicant).

41. Even if the Respondent's submissions were accepted as establishing that s 54 GIPA Act permitted, reasonably contemplated or necessarily implied disclosure of the GIPA access applicant's (i.e. NSWFOI's) name as part of such consultations, the Applicant is not the GIPA access applicant in this case. As separate legal persons it does not automatically flow (without persuasive submissions and evidence as to why) that s 54 GIPA Act would also (or separately) permit or reasonably contemplate or necessarily imply the disclosure by the Respondent of the personal information of an individual who is not the GIPA access applicant (i.e. in this case, of the Applicant). The Respondent made no persuasive submissions and presented no evidence to establish that s 54 GIPA Act permits, reasonably contemplates or necessarily implies that the personal information of an individual who is not the GIPA access applicant is permitted to be disclosed for the purposes of consultation with third parties under s 54 GIPA Act.

42. Without deciding whether s 54 GIPA Act permits, reasonably contemplates or necessarily implies the disclosure of a GIPA access applicant's information in relation to their GIPA access application, based on the material before the Tribunal I am satisfied that there is no reading of s 54 GIPA Act available that permits, reasonably contemplates or necessarily implies that the personal information of an individual who is not the GIPA access applicant is permitted to be disclosed contrary to IPP 11 for the purposes of third party consultation.

43. I am satisfied that, based on the material before the Tribunal and in the context of this case where the Applicant is not the GIPA access applicant, s 25(b) PPIP Act has not been established by the Respondent as exempting the Respondent from complying with IPP 11 as regards the Applicant's personal information (i.e. the Conduct of Concern).

Does the Conduct of Concern result in the Respondent breaching IPP 11

44. As noted in paragraph 7 above, the Tribunal decided in the PI Decision that the Applicant's name (i.e. her identity) as the individual who physically sent/submitted the GIPA Application for and on behalf of the GIPA access applicant (NSWFOI) is her personal information (see the bolded part of paragraph 7 above).

45. The terms of IPP 11 are clear, a public sector agency (the Respondent in this case) must not disclose the personal information of a person (in this case the Applicant) to another person or body (whether or not a public sector agency) unless any of the exceptions (a) to (c) of s 18 PPIP Act apply or, as submitted in this case, an exemption under ss 25(b) or 26(2) PPIP Act applies exempting the Respondent from complying with IPP 11 (i.e. the prohibition on disclosure) in relation to the Applicant's personal information.

46. No submissions were made or evidence presented to the Tribunal by the Respondent as to the application of any of s 18(1)(a) to (c) and, as concluded above, the exemptions from compliance with IPP 11 under s 25(b) and 26(2) PPIP Act are not available to the Respondent in respect of the Applicant's personal information. However, the Respondent acknowledged that the Applicant's identity/name as the individual who physically sent/submitted the GIPA Application for and on behalf of NSWFOI (i.e. the Applicant's personal information) was 'disclosed' by the Respondent for the purposes of IPP11/s 18 PPIP Act.

47. In the absence of any submitted exception in s 18(1)(a) to (c) or exemption under ss 25(b) or 26(2) applying and given the Respondent's acknowledgement of the disclosure, the Conduct of Concern is contrary to the prohibition on disclosure of personal information in IPP 11 (s 18(1) PPIP Act). Therefore, based on the material before the Tribunal, I am satisfied that the Conduct of Concern resulted in the Respondent breaching IPP 11 in relation to the Applicant's personal information.

Remedies

48. The parties made submissions to the Tribunal as regards appropriate remedies during the July 2023 Hearing. There were no written submissions or substantive evidence from either party provided in respect of the remedies sought by the Applicant during submissions made in the July 2023 Hearing. However, during the July 2023 Hearing the Respondent agreed that, if the Tribunal found in favour of the Applicant (i.e. that there had been a breach of IPP 11) an apology from the Respondent would be an appropriate remedy in the circumstances.

49. As noted in Vice-Chancellor, Macquarie University v FM (No 2) [2004] NSWADTAP 61 at [19]:

"Ordinarily where a breach is demonstrated, some sanction should be applied to the agency: …"

50. While that the Applicant submitted she had suffered significant harm, no compelling evidence of any substantial harm caused by the Conduct of Concern was provided to the Tribunal by the Applicant. However, from her submissions and appearances before the Tribunal it is clear to me that the Applicant was caused some distress by the Respondent's breach of IPP 11. As noted in CJU v SafeWork NSW [2018] NSWACATAD 300 at [117], damages for "mere distress" are a recoverable psychological harm. However, in the absence of any evidence of significant psychological harm being caused to the Applicant by the Conduct of Concern, only a limited award of damages for distress caused by the Conduct of Concern can be justified.

51. I am satisfied that, on the materials before the Tribunal, the Applicant's distress was caused by the Conduct of Concern and the Respondent's resulting breach of IPP 11 and the Respondent's ongoing denial of any wrong doing throughout these proceedings has exacerbated her distress. The Respondent's denial of any wrongdoing continued throughout the proceedings even though, as was pointed out in the PC submissions, the Applicant was not the GIPA access applicant. In the PC Submissions the Privacy Commissioner clarified that the Applicant was not the GIPA access applicant and, in fact, that NSWFOI (a separate legal entity) was the GIPA access applicant. Despite this and the Tribunal's questioning during the July 2023 Hearing the Respondent made no substantive or persuasive submissions as to why NSWFOI (a separate legal entity) should be ‘ignored’ as the GIPA access applicant (or the corporate veil lifted) and, instead, the Applicant should be considered to be the GIPA access applicant in this case, for the purposes of the Respondent's submissions.

Orders

1. The Respondent's internal review decision dated 17 August 2022 is set aside.

2. Within fourteen (14) days of the date of these Reasons for Decision, the Respondent is to provide to the Applicant an unreserved formal written apology signed by the Chair of the Board of the Respondent, Insurance and Care NSW (known as iCare), addressing and apologising for (a) the Respondent's contravention of IPP 11 identified in these Reasons for Decision and (b) all harm, distress, humiliation and embarrassment caused to the Applicant resulting from such.

3. Within seven (7) to fourteen (14) days (but not before seven (7) days) of providing the written apology required by Order (2) above, the Respondent must seek to remedy (at least in part) the damage caused to the Applicant by notifying each person to whom/to which it disclosed Ms Webb's personal information (the subject of these Reasons for Decision) and:

1. inform them that the information was provided to them by the Respondent unlawfully in breach of IPP 11;

2. request that they delete that information from all records they hold or control including if they received such via or hold such in an agency system;

3. request that they confirm receipt of the notice and whether they have complied or will comply with Order (3)(b) above and provide a list of all persons contacted and their response to this request within fourteen (14) days of the notification referred to in this Order (3); and

4. if requested to do so in writing by Ms Webb within seven (7) days of receipt of the apology referred to in Order (2) above, include a copy of that apology with each notice to be issued in accordance with this Order (3).

4. Within fourteen (14) days of the Applicant providing to the Respondent their bank account (or any other acceptable payment method) details, the Respondent is to pay to the Applicant a total of $1,500 as compensation for the harm suffered by the Applicant caused by the Respondent's breach of IPP 11.

5. Within fourteen (14) days of the date of these Reasons for Decisions the Respondent is to perform IPP 11 in relation to all personal information of the Applicant (Ms Webb) held by the Respondent, including by implementing such:

1. training, awareness raising and safeguards; and

2. administrative measures,

necessary to ensure the Respondent will only disclose Ms Webb's personal information in compliance with IPP 11, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 which is applicable in the circumstances

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.

Registrar

Decision last updated: 24 August 2023