Webb v Port Stephens Council

Case

[2025] NSWCATAD 191

01 August 2025


Civil and Administrative Tribunal


New South Wales

Medium Neutral Citation: Webb v Port Stephens Council [2025] NSWCATAD 191
Hearing dates: 1 July 2025
Date of orders: 1 August 2025
Decision date: 01 August 2025
Jurisdiction:Administrative and Equal Opportunity Division
Before: A Christie, Senior Member
Decision:

(1) That part of the Respondent’s decision that there was no breach of ss 17 or 18 of the Privacy and Personal Information Protection Act 1998 (NSW) (IPPs 10 and 11) is affirmed. However, the Respondent’s decision that there was no breach of any other IPPs is set aside and, in substitution for it, I find that the correct and preferable decision is that the Respondent breached ss 10 and 12 of the Privacy and Personal Information Protection Act 1998 (NSW) (IPPs 3 and 5).

(2) Within twenty-eight (28) days of the date of these Reasons for Decision, the Respondent is to provide to the Applicant an unreserved formal written apology signed by the Mayor of Port Stephens Council addressing and apologising for (a) the Respondent's contraventions of IPPs 3 and 5 identified in these Reasons for Decision and (b) all harm and distress suffered by the Applicant caused by the Respondent’s breaches of IPPs 3 and 5.

(3) Within twenty-eight (28) days of the Applicant providing to the Respondent her bank account details, the Respondent is to pay to the Applicant $3,000 as compensation for both the distress suffered by the Applicant ($2,500) and the expense the Applicant was put to in order to have the Respondent comply with its existing legal obligations ($500), each of which was caused by the Respondent’s breaches of IPPs 3 and 5.

(4) Within twenty-eight (28) days of the date of these Reasons for Decision the Respondent is to perform IPP 5 in relation to all personal information of the Applicant uploaded by the Respondent into and still held in the GIPA Tool, including by implementing such:

(i) training, awareness raising and safeguards; and

(ii) administrative measures,

necessary to ensure the Respondent securely deletes such personal information it holds in the GIPA Tool in accordance with IPP 5, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 or other law which is applicable in the circumstances.

(5) Within sixty (60) days of the date of these Reasons for Decision the Respondent is to perform IPP 5 in relation to all other personal information uploaded by the Respondent into and still held in the GIPA Tool as part of its prior use of the GIPA Tool, including by implementing such:

(i) training, awareness raising and safeguards; and

(ii) administrative measures,

necessary to ensure the Respondent securely deletes all personal information it holds in the GIPA Tool in accordance with IPP 5, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 or other law which is applicable in the circumstances.

(6) Within seven (7) days of fully complying with Order (4) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

(7) Within seven (7) days of fully complying with Order (5) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

(8) Within sixty (60) days of the date of these Reasons for Decision and prior to any re-commencement of use of the GIPA Tool by the Respondent, the Respondent is to perform IPP 3 in relation to all personal information collected by the Respondent in relation to all GIPA Act access applications made after this time, including by implementing such:

(i) training, awareness raising and safeguards; and

(ii) administrative measures,

necessary to ensure that the Respondent notifies all future GIPA Act access applicants of the matters prescribed in IPP 3, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 which is applicable in the circumstances.

Catchwords:

ADMINISTRATIVE LAW – Privacy and Personal Information Protection Act 1998 (NSW) – whether there was a collection of personal information and a breach of IPP 3 – whether there was a breach of IPP 5 by failing to delete personal information – whether reasonable security safeguards were taken under IPP 5 – whether there was an unauthorised use or disclosure under IPPs 10 or 11 – systemic issues

Legislation Cited:

Administrative Decisions Review Act 1997 (NSW)

Civil and Administrative Tribunal Act 2013 (NSW)

Government Information (Public Access) Act 2001

Privacy and Personal Information Protection Act 1998 (NSW)

State Records Act 1998 (NSW)

Cases Cited:

BKM v Sydney Local Health District [2015] NSWCATAD 87

CJU v Health Share NSW [2021] NSWCATAD 372

CJU v SafeWork NSW [2018] NSWCATAD 300

DED v Randwick City Council [2017] NSWCATAD 327

Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409

DSG v Department of Education [2019] NSWCATAD 182

Edwards v the Commissioner of Fair Trading, Department of Finance, Service & Innovation [2019] NSWCATAP 208

EEC v Federation Council [2020] NSWCATAD 169

EIG v North Sydney Council [2021] NSWCATAD 66

EMF v Cessnock City Council [2021] NSWCATAD 219

FM v Macquarie University [2003] NSWADT 78

Insurance and Care NSW v EEH [2021] NSWCATAP 350

Insurance and Care NSW v FMM [2024] NSWCATAP 43

GR v Department of Housing (GD) [2004] NSWADTAP 26

KJ v Wentworth Area Health Service [2004] NSWADT 84

KT v Sydney Local Health Network [2011] NSWADT 171

MH v NSW Maritime [2011] NSWADT 248

Nakhl Nasr v State of New South Wales; George Nasr v State of New South Wales [2007] NSWCA 101

Norkin v University of New England [2023] NSWCA 194

NSW Self Insurance Corporation v EEH [2023] NSWCATAP 181

Vice-Chancellor, Macquarie University v FM (No 2) [2004] NSWADTAP 61

ZR v Department of Education and Training (GD) [2010] NSWADTAP 75

Texts Cited:

The Privacy Commissioner, “Privacy NSW, A Guide to the Information Protection Principles, 1999”

NSW Government, Department of Finance, Services & Innovation, Cloud Policy, August 2015 (version 2)

Category:Principal judgment
Parties: Ms Telina Webb (Applicant)
Port Stephens Council (Respondent)
Representation: Solicitors:
Applicant (Self-Represented)
N Sloan (Respondent)
Crown Solicitor, Information Commissioner (Intervenor)
Privacy Commissioner (Second Intervenor)
File Number(s): 2025/00011655
Publication restriction: Nil

REASONS FOR DECISION

  1. This is an application under s 55(1) of the Privacy and Personal Information Protection Act 1998 (NSW) ("PPIP Act") made by the Applicant on 8 January 2025 for administrative review of the conduct of the Port Stephens Council which the Applicant alleges was in contravention of the Information Protection Principles ("IPPs") of the PPIP Act ("External Review Application").

  2. At the heart of the External Review Application is the alleged conduct of the Respondent in disclosing, using and continuing to hold certain of the Applicant's personal information in order for the Respondent to use a tool ("GIPA Tool") promoted by the Information and Privacy Commission NSW ("IPC") to assist the Respondent with handling the Government Information (Public Access) Act 2001 ("GIPA Act") access applications it received from the Applicant between 2015 and 2022 ("Conduct of Concern"). The Applicant alleges that the Conduct of Concern breached the PPIP Act and the IPPs.

  3. The Applicant submits that her personal information used/disclosed and still held in the GIPA Tool by the Respondent is the Applicant's full name, the type of applicant she was, her address, phone number(s) and email address which were all taken from her GIPA Act access applications made to the Respondent and uploaded by the Respondent into the GIPA Tool ("Applicant Personal Information"). This was done to enable the Respondent to use the GIPA Tool in relation to the Applicant's GIPA Act access applications during the period from 18 June 2015 to February 2022.

  4. On 14 October 2024 the Applicant applied to the Respondent for an internal review by the Respondent in relation to the Conduct of Concern relating to the Applicant Personal Information ("Internal Review Application"). The Applicant did not use the IPC internal review application form to make the Internal Review Application and so she was not prompted to detail the specific IPPs (as one is prompted to do on the IPC form) that she alleges were breached by the Conduct of Concern. The Applicant did note in her Internal Review Application, in summary and most relevantly, that:

  (1) the “IPC External Review Report Ref No: IPC 24/R0000307 dated 8 October 2024” confirmed that the information uploaded to the GIPA Tool (i.e. the Applicant Personal Information) was personal information;

  (2) the GIPA Tool is operated on IT infrastructure owned by a third party (not the IPC) and is provided to agencies on a subscription basis;

  (3) at no time was the Applicant notified of, nor did she give her permission for or consent to, the sharing of the Applicant Personal Information:

(a) with any other entity; or

(b) for a secondary or collateral purpose; and

  (4) the Respondent has a mandatory obligation to notify the IPC of the Internal Review Application.

  5. On 12 November 2024 Mr Crosdale of the Respondent wrote to the Applicant acknowledging receipt of the Internal Review Application and noted that he had identified “(IPPs) 10 and 11 to be at issue”.

  6. On 19 November 2024 the Applicant replied by email to Mr Crosdale’s 12 November 2024 letter, reattaching the Internal Review Application and noted, most relevantly:

“Mr Wickham will be able to assist you with this…

However, it was the IPC report which provided solid confirmation which I’m confident you will agree is credible.

Trusting my valid request for review of agency conduct…is no longer impeded by your lack of understanding.”

  7. Despite the Applicant referring in the Internal Review Application to the Respondent’s obligation to provide details of the Internal Review Application to the IPC (or the Privacy Commissioner), no evidence was submitted or submissions made by the Respondent that it had notified the IPC of the Internal Review Application. Nor were any submissions made or evidence provided by the Respondent as to whether a draft of the Respondent’s internal review decision was provided to the IPC or, if it was, if any response to the draft internal review decision was received from the IPC and/or if any such IPC responses were addressed in the final version of the Respondent’s internal review decision.

  8. A month after the Respondent provided access to the Applicant to various related documents under a GIPA Act access application (see paragraph [27] below), on 12 December 2024 the Respondent’s internal reviewer, Mr Crosdale, issued his decision (“Internal Review Decision”) finding, in summary and most relevantly, that:

  (1) only IPPs 10 and 11 were considered to be at issue and thus considered by the Respondent in the Internal Review Decision;

  (2) the Applicant’s information uploaded into the GIPA Tool (i.e. the Applicant Personal Information) and the subject of the Internal Review Application was noted as personal information in the IPC Report dated 8 October 2024;

  (3) the Information Commissioner encouraged the use of the GIPA Tool and the Information Commissioner conducted a privacy impact assessment (“PIA”) on its (not the Respondent’s) use of the GIPA Tool in 2016, some time after the Respondent had commenced using the GIPA Tool;

  (4) the GIPA Tool only requires and includes personal information associated with the GIPA Act access applications made by persons such as the Applicant;

  (5) the IPC GIPA Tool PIA ‘established’ that any personal information uploaded to the GIPA Tool is only used to process that person’s GIPA application;

  (6) the IPC GIPA Tool PIA ‘established’ that personal information held in and used with the GIPA Tool (i.e. the Applicant Personal Information) is “not generally released”;

  (7) the IPC GIPA Tool PIA ‘found’ that the Information Commissioner’s use of the GIPA Tool fully complied “with the obligations outlined in IPPs 10 and 11”;

  (8) the Privacy Code of Practice for Local Government (Code) modifies IPPs 10 and 11 and allows the Respondent to use and disclose personal information for a purpose other than that for which it was collected, where such use or disclosure is for the lawful and proper functions of Council (the Respondent in this case);

  (9) only the Respondent can view the personal information it entered into the GIPA Tool; and

  (10) based on the above and the information available to the reviewer (although there was little detail as to what exactly this was), the Respondent was “of the opinion that the alleged conduct in relation to IPP 10 and IPP 11 has not occurred” and, implicitly, that the Conduct of Concern did not breach any other IPPs.

  9. In submissions and answers to the Tribunal’s questions during the Hearing, the Respondent confirmed that it did not undertake its own PIA on its use of the GIPA Tool and that it had relied solely on the Information Commissioner’s GIPA Tool PIA.

  10. There is no evidence or submission of the Respondent that, in coming to the Internal Review Decision, Mr Crosdale considered either the documents accessed by the Applicant under her relevant GIPA Act application or any IPPs that might potentially be infringed by the Conduct of Concern other than IPPs 10 and 11. There is also no evidence or submission of the Respondent as to whether or not a draft of the Internal Review Decision was provided to the IPC (or the Privacy Commissioner), whether the IPC had any comments on such or, if it did, if those comments were addressed by the Respondent in the final Internal Review Decision.

  11. In the External Review Application the Applicant seeks a review of the Internal Review Decision which found no breaches of: (a) IPPs 10 or 11 (which Mr Crosdale assumed were the only IPPs in issue); or (b) by implication, any other IPPs by the Respondent. The Applicant states in the External Review Application that she is seeking a review of the Internal Review Decision under s 53 PPIP Act because she does not agree with the findings of the Internal Review Decision.

  12. The Applicant seeks, in summary and most relevantly, the following orders to be made by the Tribunal, that the Respondent:

  (1) delete the Applicant Personal Information from the GIPA Tool;

  (2) pay financial compensation to the Applicant for the lengthy period of unlawful use, disclosure and failure to delete the Applicant’s Personal Information and the distress, aggravation and expense that this has caused;

  (3) make the appropriate ‘disclosure’ to and obtain necessary consents from individuals making GIPA Act access applications as required by the PPIP Act if the Respondent re-commences using the GIPA Tool;

  (4) formally apologise to the Applicant for all of its breaches of the IPPs;

  (5) publish the letter of apology noted in (4) above on and keep it on the Respondent’s website for the length of time the Applicant Personal Information had been misused (up to 9 years); and

  (6) be referred to the Minister for Local Government in accordance with s 55(5) PPIP Act.

  13. The hearing by the Tribunal of the External Review Application occurred on 1 July 2025 (“Hearing”) at which the Applicant and the Respondent (through its solicitor), both appearing in person, made oral submissions and answered various questions of the Tribunal, and the Respondent’s witness, Ms Jamadar, was made available for cross-examination.

  14. The Information Commissioner, through the Crown Solicitor who appeared by a representative in person, submitted an affidavit of Mr Naylor and made him available for cross-examination at the Hearing.

  15. The Privacy Commissioner appeared in person at the Hearing through a representative and made oral submissions and answered various questions of the Tribunal at the Hearing.

  16. The Applicant’s position is that the Applicant Personal Information is the Applicant’s personal information under the PPIP Act and the Respondent’s disclosure, use and/or uploading of it into/with the GIPA Tool and its failure to delete the Applicant Personal Information from the GIPA Tool, once it was used for the purpose for which it was collected, are in breach of the PPIP Act and the IPPs.

  17. The Respondent does not dispute and, in fact, expressly agrees in its submissions that the Applicant Personal Information is the personal information of the Applicant, that it was ‘used’ by the Respondent and remains held in the GIPA Tool by the Respondent to date. That is, the Respondent agrees that the Conduct of Concern occurred but does not agree that such resulted in the breach of any IPPs by the Respondent.

  18. The Respondent’s position is, as set out in its written submissions, essentially:

“[22]…the nub of the Applicant’s contention concerns the technical operation and administration of the GIPA Tool rather than the Respondent’s use of it. Accordingly, the issue of how the GIPA Tool functions, and is administered, is a matter for the IPC. It is not for the Respondent to adduce evidence in these proceedings, or meet all of the Applicant’s arguments, in respect of those matters as it is just one of many agencies holding a user licence issued by the IPC at the encouragement of the Information Commissioner…”

  19. The Respondent submitted that the correct and preferable decision is that the Respondent did not engage in conduct that breached (i.e. the Conduct of Concern did not breach) the PPIP Act and requests an order dismissing the External Review Application. However, the Respondent did not make any submissions as to the orders that should be made by the Tribunal should the Tribunal find against the Respondent in relation to any breaches of the IPPs arising from the Conduct of Concern.

  20. For the reasons that follow I have decided to affirm part and set aside part of the Internal Review Decision and, in substitution for that part of the Internal Review Decision being set aside, I find that the Conduct of Concern and thus the Respondent has breached IPPs 3 and 5.

Materials

  21. The Applicant relies on various bundles of documents and written submissions (to which the documents were ‘attached’) lodged with the Tribunal on 7 May 2025 and her written submissions in reply lodged with the Tribunal on 27 June 2025.

  22. The Respondent relies on written submissions lodged with the Tribunal on 13 June 2025. It also relies on:

  (1) a bundle of documents lodged on 17 March 2025 pursuant to s 58 of the Administrative Decisions Review Act 1997 (NSW) (“ADR Act”) (“Section 58 Documents”);

  (2) an affidavit of Ms Holy Jamadar. Ms Jamadar is currently the Governance Coordinator at the Respondent and was previously a Senior Governance Officer at the Respondent. The Respondent’s internal reviewer, Mr Crosdale, did not provide an affidavit or any evidence at the Hearing; and

  (3) an affidavit of Mr Ian Naylor submitted by the Information Commissioner as Intervenor. Mr Naylor is the Director of Corporate Services and Business Improvement at the IPC.

  23. Ms Jamadar and Mr Naylor were briefly cross-examined by the Applicant during the Hearing and also answered the questions of the Tribunal.

  24. The Privacy Commissioner, as Second Intervenor, made written submissions which were lodged with the Tribunal on 26 June 2025.

  25. The Applicant, Respondent and Privacy Commissioner all made oral submissions during the Hearing and answered the Tribunal’s questions.

Background to the Internal Review Application

  26. Having become aware of the existence of the GIPA Tool and its use by the Respondent, on 8 May 2024 the Applicant lodged a GIPA Act access application with the Respondent for a copy of each and every case management record in the GIPA Tool ‘relating to the GIPA Act access applications the Applicant had personally lodged’.

  27. On 12 November 2024 the Respondent provided the Applicant with its GIPA Act ‘Notice of Decision’ and agreed to release 21 unredacted and 7 redacted copies of the relevant case management records requested by the Applicant (“Records”). These were released to the Applicant and are attached to the Applicant’s written submissions.

  28. On receipt of the Records provided by the Respondent the Applicant saw a reference to a person named “Amol Mane”, noted as the last person to modify (and thus likely access) the Applicant Personal Information on a number of the Records. This is a name that the Applicant did not recognise as an employee of the Respondent.

  29. In response to the Tribunal’s questions, the Respondent stated at the Hearing that, from the time of the possible access to the Applicant Personal Information by Amol Mane in 2017 up until the evidence of Mr Naylor of the IPC during the Hearing, it did not know who this person was and had made no enquiries to ascertain who it was or whether, why and how that person had accessed the Applicant Personal Information in the Respondent’s GIPA Tool instance.

  30. The evidence of Mr Naylor of the IPC is that, through his own enquiries in preparing his affidavit, he was able to determine that Amol Mane was an employee of the Department of Communities and Justice in the IT department at the time of their access to the Records in 2017. Also, Mr Naylor believed it was likely that Amol Mane was running routine maintenance on the GIPA Tool but did not explain in detail why the Records noted that Amol Mane ‘modified’ the Respondent’s GIPA Tool instance or if the Applicant Personal Information would have been accessed as part of this maintenance.

The Tribunal’s administrative review jurisdiction

  31. The circumstances in which the Tribunal has administrative review jurisdiction over a ‘decision’ of an administrator are detailed in the ADR Act and s 30(1) of the Civil and Administrative Tribunal Act 2013 (NSW) (“CAT Act”).

  32. Section 9(1) ADR Act provides that the Tribunal has administrative review jurisdiction over a ‘decision’ or class of ‘decisions’ of an ‘administrator’ if the ‘enabling legislation’ provides that applications may be made to the Tribunal for an administrative review under the ADR Act. The term ‘enabling legislation’ is defined in s 4(1) ADR Act to mean legislation, other than the ADR Act, that provides for applications to be made to the Tribunal. In this case the enabling legislation is the PPIP Act.

  33. The word ‘administrator’ is defined in s 8 ADR Act. There is no dispute that the Respondent is an administrator. In this case the relevant administrator is the person making the Internal Review Decision on behalf of the Respondent, Mr Crosdale, even though the Internal Review Decision itself is not the subject of the review by the Tribunal.

  34. Section 30(2)(b) CAT Act confirms that the Tribunal may exercise the functions that are conferred or imposed on it by the CAT Act, the ADR Act and the enabling legislation (i.e. the PPIP Act in this case) in connection with the conduct or resolution of these proceedings.

  35. Under s 63(1) ADR Act the Tribunal’s role in determining an application for the administrative review of an administratively reviewable decision (i.e. the External Review Application in this case) is to decide what is the correct and preferable decision having regard to the material before it, including any relevant factual material and any applicable written or unwritten law. For this purpose, under s 63(2) ADR Act, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision.

  36. After completion of the internal review, under s 53(7) PPIP Act the administrator (the internal reviewer of the Respondent in this case) may do any one or more of the following:

  (a) take no further action;

  (b) make a formal apology;

  (c) take such remedial action as it thinks appropriate, including the payment of monetary compensation;

  (d) provide undertakings that the conduct will not occur again; and/or

  (e) implement administrative measures to ensure that the conduct will not occur again.

  37. Under s 63(3) ADR Act the Tribunal may also decide to: (a) affirm the reviewable decision; (b) vary the reviewable decision; (c) set aside the reviewable decision and make a decision in substitution for the reviewable decision that was set aside; or (d) set aside the reviewable decision and remit the matter for reconsideration by the administrator in accordance with any directions or recommendations of the Tribunal.

  38. The Tribunal's role is to review the conduct of concern in issue (in this case the Conduct of Concern) and to consider whether such contravenes any of the IPPs (in this case) and, if so, determine what action(s), if any, should be taken by the Respondent (in this case). The Tribunal's role is not to review the findings of the internal review decision as detailed in the Internal Review Decision (in this case): DED v Randwick City Council [2017] NSWCATAD 327 at [51].

  39. Often the internal review decision of an agency can assist the Tribunal’s considerations. However, the Tribunal must consider the Conduct of Concern (in this case) afresh, based on the evidence and material before it at the time of the hearing: Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 and KT v Sydney Local Health Network [2011] NSWADT 171.

The PPIP Act

  40. Part 5 of the PPIP Act makes provision for review of certain ‘conduct’ of a public sector agency. Section 52(1)(a) PPIP Act in Part 5 sets out the ‘conduct’ to which the Part applies and includes ‘conduct’ that contravenes, or is alleged to contravene, an IPP that applies to the public sector agency. The IPPs relate to the collection (ss 8-11 PPIP Act, IPPs 1-4), retention and security (s 12 PPIP Act, IPP 5), access (ss 13-14 PPIP Act, IPPs 6-7), alteration (s 15 PPIP Act, IPP 8), accuracy (s 16 PPIP Act, IPP 9), use (s 17 PPIP Act, IPP 10) and disclosure (ss 18 and 19 PPIP Act, IPPs 11-12) of personal information by a public sector agency.

  41. It is not in dispute that the IPPs and the PPIP Act apply to the Respondent and that the Respondent must comply with them.

  42. Section 53 PPIP Act makes provision for internal review of conduct falling within the circumstances set out in s 52 PPIP Act. Section 55 PPIP Act makes provision for a person to apply to the Tribunal for administrative review of that conduct if the person has made an application for internal review under s 53 PPIP Act and is not satisfied with the findings of the review or the action taken by the public sector agency in relation to that application for review.

  43. On reviewing the conduct of the relevant agency, in addition to the options available to the Tribunal noted at [36] and [37] above, the Tribunal may decide not to take any action on the matter (s 55(2) PPIP Act), take any of the actions noted in s 53(7) PPIP Act as available to the administrator or it may make one or more of the orders described in s 55(2)(a)-(g) PPIP Act. Subject to certain exceptions these include, under s 55(2)(a) PPIP Act, an order requiring the agency “to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct”. I note that there is no similar $40,000 cap on the monetary compensation that an administrator (or the Tribunal in the case of an external review) can determine to be payable under s 53(7) PPIP Act as a result of the internal review.

  44. Personal information is defined in s 4 of the PPIP Act to mean, subject only to certain exclusions, “information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”. It is clear and not in dispute that the Applicant Personal Information is the Applicant’s personal information.

  45. Below I address each of the IPPs relevant to the External Review Application, IPPs 3, 5, 10 and 11 (ss 10, 12, 17 and 18 PPIP Act). These IPPs were raised in the written submissions of the Applicant and addressed in the written submissions of the Respondent for consideration by the Tribunal (“Relevant IPPs”).

  46. The Applicant and Respondent also both raised IPPs 4, 6 and 7 (ss 11, 13 and 14 PPIP Act) for consideration but the Tribunal does not address these in detail in these Reasons for Decision because, for the reasons briefly noted below, in the circumstances these IPPs are not relevant to the External Review Application:

  (1) IPP 4: The Applicant Personal Information is clearly relevant for the purpose for which it was originally collected by the Respondent. That is, to process the Applicant’s GIPA Act access applications.

  (2) IPP 6: It is clear that the Applicant was aware that the Applicant Personal Information was collected and likely held by the Respondent as the Applicant had provided such to the Respondent when submitting her GIPA Act access applications.

  (3) IPP 7: The Applicant does not submit that she made an access request on the Respondent under IPP 7 and so such is not a subject of the External Review Application.

  47. The Relevant IPPs are, in the Tribunal’s view, the most relevant to the Applicant’s allegations in these proceedings that, by the Conduct of Concern, the Respondent has breached the PPIP Act and the IPPs in relation to the collection, use, disclosure and holding of the Applicant Personal Information for/with/in the GIPA Tool.

IPP 3 – Requirements when collecting personal information

  48. Section 10 PPIP Act (IPP 3) requires that an agency (i.e. the Respondent) that collects personal information from an individual must take reasonable steps in the circumstances to ensure that the individual to whom the information relates is made aware of, most relevantly:

“ ….

(b) the purposes for which the information is being collected,

(c) the intended recipients of the information, …”

  49. The purpose of the notification under IPP 3 is to provide individuals with the information necessary for them to decide whether to provide or refuse to provide their personal information on an informed basis: see KJ v Wentworth Area Health Service [2004] NSWADT 84 (“KJ Decision”) at [35]. As noted in CJU v Health Share NSW [2021] NSWCATAD 372 at [66], the ‘collection notice’ required under IPP 3 “also helps avoid differences of understanding between individuals making inquiries and providing personal information and the agency, which misunderstanding appears to have happened in this case”. In this case the ‘inquiries’ are the making of a GIPA Act access application to the Respondent and, before doing so, the applicant fully understanding what their personal information will be used for, how it will be used and to whom it will be disclosed.

  50. In Norkin v University of New England [2023] NSWCA 194 (“Norkin Decision”) the NSW Court of Appeal stated, most relevantly:

“[35] The legislation [PPIP Act] explicitly contemplates collection for multiple purposes. … The obligation to make individuals aware in s 10(b) extends to all of the purposes for which the information is collected...

[38] … there will … be a contravention of (IPP 3) if there are other undisclosed purposes of the collection …

[44] A generic statement that identifies the entirety of the University’s functions and activities and says that information is collected for those purposes falls short of achieving the object of s10. …”

IPP 5 - Security & Deletion

  1. Section 12 PPIP Act (IPP 5) generally relates to the security and deletion of personal information. A public sector agency that holds personal information must ensure, most relevantly:

  1. that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

  2. that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and

  3. that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

  4. that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

  1. The Applicant bears the burden of adducing some evidence to suggest that appropriate measures were not taken to protect and/or delete their personal information as required by IPP 5. However, this burden is not high, because how the information in question is protected, what security safeguards are in place, whether the personal information in question has been deleted or is still held by the agency (i.e. the Respondent in this case) and, if so, why it is being held are matters primarily known to the Respondent. Common sense dictates that the party which has relevant information in their possession should put that information before the Tribunal. Further, if the facts are mostly within the knowledge of one party to an issue, a failure by that party to produce evidence as to those facts may lead to an unfavourable inference being drawn by the Tribunal.

IPP 10 – use

  1. Section 17 PPIP Act (IPP 10) provides, most relevantly:

“Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless —

  1. the individual to whom the information relates has consented to the use of the information for that other purpose, or

  2. the other purpose for which the information is used is directly related to the purpose for which the information was collected, or …”

  1. A “use” is to employ the personal information for a purpose within the Respondent. As noted in FM v Macquarie University [2003] NSWADT 78 at [42]:

“The plain and ordinary meaning of the word use in this context is “to avail oneself of; apply to one’s purposes” (the Macquarie Dictionary, 3rd edition, the Macquarie Library).”

  1. Agreeing with the view expressed by the Privacy Commissioner in their 1999 “Privacy New South Wales, A Guide to the Information Protection Principles” that exchanges of personal information between specialised units of large public sector agencies may constitute a disclosure, rather than a use, in the KJ Decision at [50] the Tribunal noted:

“While generally speaking the expression disclosure refers to making personal information available to people outside an agency, the exchange of personal information between units may constitute disclosure.”

  1. It is also important to note that even unsolicited personal information will be subject to IPPs 10 and 11 where such is subsequently retained, used or disclosed by the agency. As the Appeal Panel found in ZR v Department of Education and Training (GD) [2010] NSWADTAP 75 (“ZR Decision”) at [71] as regards the unsolicited information exemption (which principle was subsequently also applied in EMF v Cessnock City Council [2021] NSWCATAD 219 (“EMF Decision”) at [48]):

“ .. [it] ought not be applied to the entirety of the information handling cycle. Information that was unsolicited at origin, once taken under the control of the agency for one of its administrative purposes should be treated as ‘collected’ and no longer retaining the character of ‘unsolicited information’.”

  1. It is also important to note for the External Review Application that, as the Respondent is a council, the terms of IPP 10 are, in effect, extended by clause 4.11 of the Privacy Code of Practice for Local Government (“Code”). The Code allows personal information to be used by the Respondent for a secondary purpose if it is reasonably necessary for the exercise of the Respondent’s lawful and proper functions.

IPP 11 – Disclosure

  1. Section 18 PPIP Act (IPP 11) provides, most relevantly:

“Limits on disclosure of personal information

  1. A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) …, unless—

  1. the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

  2. the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or …”

  1. The concept of disclosure has been addressed in a number of Tribunal and Appeal Panel decisions, most of which have applied the foundational decision of the New South Wales Court of Appeal on point in Nakhl Nasr v State of New South Wales; George Nasr v State of New South Wales [2007] NSWCA 101 (“Nasr Decision”). After considering a line of authority at [127], the Court determined in the Nasr Decision that the “essence of disclosure” is the “making known to a person information that the person to whom the disclosure is made did not previously know”.

  2. The Appeal Panel recently found, in Insurance and Care NSW v FMM [2024] NSWCATAP 43 at [68], that the Nasr Decision “is binding authority for the concept or general principle that information must be made known to the person for it to be disclosed”.

  3. In the context of the External Review Application it is also important to note the NSW Government, Department of Finance, Services & Innovation, Cloud Policy, August 2015 (version 2) (Cloud Policy) which specifically states, at page 8, that:

“The collection, storage, access, use and disclosure of personal information is governed by PPIPA and HRIPA. Where the use of cloud computing requires the transmission or storage of personal information, including health information, agencies must ensure that their arrangements comply with the relevant privacy and disclosure requirements. ...

If an agency shares with or transfers personal information to a contracted cloud service provider and the cloud service provider simply holds the data and acts according to the instructions of the agency, then disclosure will not be considered to have occurred. If the cloud service provider uses the data provided for its own purposes, this may be unauthorised access, use, modification or disclosure.”

The ADR Act

  1. Section 58 ADR Act obliges the administrator (the Respondent in this case) to lodge relevant documents with the Tribunal in relation to the External Review Application and, most relevantly, provides:

  1. An administrator whose administratively reviewable decision is the subject of an application for review to the Tribunal must, within 28 days after receiving notice of the application, lodge with the Tribunal:

  1. a copy of any statement of reasons given to the applicant under section 49 (or, if no such statement was given to the applicant, a statement of reasons setting out the matters referred to in section 49 (3)), and

  1. a copy of any statement of reasons for a decision in an internal review conducted in respect of the administratively reviewable decision, and

  1. a copy of every document or part of a document that is in the possession, or under the control, of the administrator that the administrator considers to be relevant to the determination of the application by the Tribunal. …

  1. For the purposes of this section, a reference to a document in the possession of an administrator includes a reference to a document to which the administrator has an immediate right of access.

  1. In Edwards v the Commissioner of Fair Trading, Department of Finance, Service & Innovation [2019] NSWCATAP 208 (“Edwards Decision”) the Appeal Panel reviewed the purpose of s 58 ADR Act and concluded that:

“[13] The purpose of s 58 is to require production of documents from an administrative decision-maker, to assist the Tribunal, in an administrative review. Section 58(1)(b) imposes an obligation on the administrator to lodge with the Tribunal a copy of every document (or part of a document) in its possession, or under its control, that it considers to be relevant to the Tribunal’s determination of the application before it. ...

[14] An administrative decision-maker subject to s 58 obligations should not take an overly narrow view of the documents to be produced under s 58 and nor can it ‘pick and choose’ which ones to disclose. Documents that establish the facts or the exercise of the decision-maker’s discretion are relevant and fall within the terms of the statutory provision. The s 58 obligation is to be understood in light of the decision-maker’s ability to apply under s 59 of the ADR Act to be partially excused from complying with s 58.”

  1. However, it was also held in the Edwards Decision that, while failure to include all relevant documents in the s 58 bundle might constitute ‘special circumstances’ on a costs application, it will not constitute an error of law, procedural ultra vires or a denial of procedural fairness (see the Edwards Decision at [17] to [22]).

Considerations

The Internal Review Decision and the options available to the Tribunal

  1. In this case, in part due to the apparent failure of the Respondent to fully address all potentially relevant IPPs, the Internal Review Decision is of little assistance to the Tribunal. In such circumstances the Tribunal has the option of referring the Internal Review Decision back to the Respondent to reconsider the Internal Review Application based on direction from the Tribunal and to document its internal review decisions in accordance with the requirements of ss 53(5) and (8) PPIP Act, as discussed in EEC v Federation Council [2020] NSWCATAD 169 at [32].

  2. However, in applying the guiding principle in s 36 CAT Act, I have decided not to further delay the consideration of the real issues as between the parties in these proceedings by referring the Internal Review Decision back to the Respondent. That is, in accordance with the guiding principle in s 36 CAT Act, I have decided to proceed to make a decision in these proceedings based on the material placed before the Tribunal by the parties.

  3. As noted by the Appeal Panel in Insurance and Care NSW v EEH [2021] NSWCATAP 350:

“[22] … The Tribunal at first instance was conducting an administration review. It was entitled to assume that the agency, which was under an obligation to cooperate with the Tribunal to give effect to the guiding principle of the Civil and Administrative Tribunal Act 2013 that the just, quick and cheap resolution of real issues in the proceedings be facilitated, had placed all relevant material before it …

[61] …Parties, particularly agencies, should come to the hearing of a matter prepared to adduce all of their evidence and make all of their submissions in relation to the matters in issue in the proceedings.”

  1. Having said that, I note that submissions were made on all of the Relevant IPPs by the Applicant and Respondent in their written and oral submissions and some evidence was produced in relation to many of the Relevant IPPs by the parties.

The s58 ADR Act bundle

  1. Despite a number of Tribunal and Appeal Panel decisions providing guidance on the obligations on respondent agencies under s 58 ADR Act (see paragraph [63] above), the Respondent submitted that:

“[15] … the provision [s 58(1)(b) ADR Act] imposes a requirement on the Respondent to lodge the documents only if it “considers” that those documents were relevant to the determination of the application, at its discretion. …

[19] Even if the Tribunal took a different view, the fact that the Respondent considered that the documents were irrelevant means that there has been no non-compliance with Order 3. … regardless of whether the Tribunal, or another party, considers that some other documents not provided could be relevant to the application.”

  1. Although the ‘case management records’ (i.e. the Records), which showed that an unknown ‘Amol Mane’ had modified the Respondent’s GIPA Tool instance and potentially accessed the Applicant Personal Information, were clearly relevant to the External Review Application, the Respondent did not include them in the Section 58 Documents. The alleged breach(es) of IPP 10 and/or 11 by the Respondent were specifically addressed in the Internal Review Decision, and the Records showing a potential disclosure or use were clearly germane to the External Review Application and these proceedings. All agencies must remember that the obligation under s 58 ADR Act (a) must not be exercised as an arbitrary, ‘pick and choose’ or purely ‘discretionary’ matter and (b) is to assist, and is owed to, the Tribunal.

  2. However, as noted in paragraph [64] above, this does not give rise to an error of law, procedural ultra vires or a denial of procedural fairness. Fortunately, these documents were able to be submitted by the Applicant in these proceedings because they had been provided to her by the Respondent as a result of a GIPA Act access application.

The Respondent’s approach to compliance

  1. I am concerned with the Respondent’s stated approach to compliance with its obligations under the PPIP Act and the IPPs in relation to the Conduct of Concern and the use of the GIPA Tool. This approach, as reflected in the Respondent’s submissions (see paragraph [18] above), evidences the Respondent’s lack of understanding of its obligations in practice in the circumstances of this matter. If this is reflective of the Respondent’s approach to compliance with its privacy obligations more generally, I expect the Tribunal will see a lot more of the Respondent before it in the future.

  2. To be clear, in the circumstances of the Conduct of Concern and in response to the Respondent’s submission noted in paragraph [18] above, under the PPIP Act the Respondent is responsible for complying with its obligations under the IPPs for all third-party tools or services it uses, even if such is recommended by the IPC and/or it is used by many other agencies. Also it is, for the purposes of these proceedings, necessary for the Respondent to adduce evidence and answer the Applicant’s submissions and establish how the Respondent met its obligations under the IPPs in respect of the Conduct of Concern and use of the GIPA Tool in this case.

IPP 3: Requirements when collecting personal information

  1. The Respondent submitted that the provision of the Applicant Personal Information by the Applicant as part of her GIPA Act access applications made to the Respondent was unsolicited and that IPPs 1 to 4 therefore do not apply and are not relevant to the External Review Application. This submission is made by the Respondent in light of the Respondent confirming that it is legally obliged to receive and process GIPA Act access applications, that it has a form and guidance on how to do so on its website and that the Respondent’s GIPA Act access application form requests that specific personal information be provided to the Respondent by those applicants.

  2. The Respondent acknowledged that, in order to make a GIPA Act access application, applicants (including the Applicant) must provide the equivalent of the Applicant Personal Information as requested on the Respondent’s form. In essence, while accepting its legal obligation and the existence of its form requiring certain personal information be provided, the Respondent submitted that because individuals do not have to (i.e. are not forced to) make GIPA Act access applications, if they do then their personal information provided to the Respondent (even as expressly required by the Respondent’s form) is unsolicited.

  3. On a similar basis to the lengthy considerations in the ZR Decision, the EMF Decision and EIG v North Sydney Council [2021] NSWCATAD 66 (“EIG Decision”) that personal information provided in complaints, especially subject to a policy or publicised process, is not unsolicited and is collected by the agency, in this case the Applicant Personal Information is collected by the Respondent and is not unsolicited. This is because there is a legal obligation on the Respondent to accept and process GIPA Act access applications, which obligation is also the subject of a specific policy, form and guidance on its website, where specific personal information is requested in the Respondent’s form and required by the Respondent as part of its legal obligation to process GIPA Act access applications.

  4. As the Applicant Personal Information was collected by the Respondent, IPP 3 requires the Respondent to take reasonable steps to notify the Applicant (in this case) of the prescribed matters in IPP 3, often referred to as a ‘collection notice’. Given that GIPA Act access applicants use the Respondent’s form available on its website, there is ample and reasonable opportunity for the Respondent to provide (or link to) an IPP 3 compliant collection notice to all GIPA Act access applicants. That is, it is not unreasonable in the circumstances for the Respondent to comply with IPP 3.

  5. The Respondent’s GIPA Act access application form relevantly provides (with no link or reference to an IPP 3 compliant collection notice):

“YOUR PRIVACY

Port Stephens Council is committed to protecting your privacy. We take reasonable steps to comply with relevant legislation and Council policy.”

  1. In the absence of any submissions made to or evidence of the Respondent placed before the Tribunal to the contrary I am satisfied, based on the material before the Tribunal, that the Conduct of Concern (and thus the Respondent) breached IPP 3.

IPP 5: Taking reasonable security safeguards

  1. As noted in [51] above, s 12(c) PPIP Act (IPP 5) requires that the Respondent (in this case) must protect the information it holds, including by taking such reasonable ‘security safeguards’ in the circumstances against, among other things, unauthorised disclosure ‘and against all other misuse’.

  2. While ‘security safeguards’ are not defined in the PPIP Act, the obligation in IPP 5(c) has been interpreted and applied by the Tribunal and its predecessors as requiring agencies to implement a combination of administrative, technical and physical measures that ensure the confidentiality, privacy and security of personal information and to prevent its inappropriate use and disclosure.

  3. The evidence of Ms Jamandar and Mr Naylor is that the Respondent’s access was limited to those employees who needed access for undertaking their functions and the Applicant Personal Information was not available to any other agency which used the GIPA Tool and all information held in the GIPA Tool was secure.

  4. I accept that the Respondent’s apparent sole reliance on the IPC’s GIPA Tool PIA and its admitted failure to investigate, at any time since 2017, who ‘Amol Mane’ was and why they had access to the Records and failure to undertake either: (a) its own PIA; or (b) formally consider at the time what reasonable safeguards were necessary to protect the Applicant Personal Information from unauthorised disclosure when using the GIPA Tool are problematic and not behaviour in line with agency obligations under the PPIP Act and IPPs. However, based on the material before the Tribunal, mostly related to the efforts of the third-party SaaS provider and the IPC, I am satisfied that in the circumstances reasonable safeguards were taken on behalf of the Respondent to protect the Applicant Personal Information. That is, the Conduct of Concern does not breach IPP 5(c).

IPP 5: Deletion of personal information

  1. The Respondent’s submission at paragraph [38] of its written submissions is that, despite the evidence of the Records accessed by the Applicant in November 2024 and attached to the Applicant’s written submissions, “there is no evidence before the Tribunal showing the Respondent ‘neglected to dispose of the personal information uploaded to the IPA GIPA Tool’.” During the Hearing, after further evidence of the Respondent that it still held the Applicant Personal Information in the GIPA Tool, the Respondent submitted that the Conduct of Concern did not breach IPPs 5(a) and (b) because the State Records Act 1988 (NSW) (“SRA”) generally prohibits the Respondent from deleting the Applicant Personal Information from the GIPA Tool. The Respondent did not detail the relevant provisions of the SRA or its processes that prohibited such deletion in these circumstances.

  2. The SRA does not always in all circumstances prevent the deletion of all information, including all duplicated information. Without any specific submissions or evidence from the Respondent detailing the actual SRA requirement(s) preventing the Respondent from deleting the Applicant Personal Information from the GIPA Tool, the Tribunal is left to consider the Respondent’s general assertion against a number of Tribunal decisions and agency practices discussed in those decisions to the contrary. As noted by the Appeal Panel in GR v Department of Housing (GD) [2004] NSWADTAP 26 at [57]:

“The obligation in s 12 [IPP 5] is addressed to keeping personal information by the public sector agency. It should not ‘keep’ information for longer than it may lawfully be used. It follows that it then should be disposed of possibly in accordance with State Records Act disposal procedures. It may be that the records could then be archived with the State Records Act in a way that does not offend the principle in s 12. In our view every attempt should be made to read the provisions of the Privacy Act (sic) and the State Records Act harmoniously.”

  1. In the Norkin Decision, the NSW Court of Appeal cautioned at [47]:

“It is far from clear that the risk of keeping data (or the exposure of a public sector agency to claims for loss in the event that the data is kept insecurely) is fully appreciated, despite the fact that the (PPIP) Act is now a quarter of a century old.”

  1. Finally, the Appeal Panel in NSW Self Insurance Corporation v EEH [2023] NSWCATAP 181 at [88] has raised the possibility that, even if the PPIP Act and the SRA cannot be read ‘harmoniously’, the provisions of the SRA may not prevail over the requirements of the PPIP Act and the IPPs:

“We also note that the appellant’s assertion that s 21(b) of the State Records Act clearly resolved any conflict between the appellant’s obligations under the PPIP Act and its obligations under the State Records Act in favour of the latter is not obviously correct. Section 21(b) provides that s 21 [State Records Act] prevails over a provision of any other Act enacted before the commencement of this section. … The PPIP Act was enacted after s 21 of the State Records Act was enacted, …and…commenced after s 21 had commenced.”

  1. In the absence of any substantive submissions or compelling evidence from the Respondent on either: (a) how specifically the SRA prevents it from deleting the Applicant Personal Information from the GIPA Tool; or (b) otherwise, why it is still necessary for the Respondent to keep the Applicant Personal Information (which is presumably a duplicate of that personal information already held by the Respondent elsewhere) in the GIPA Tool for the purpose for which it may lawfully be used, I am satisfied that the keeping of the Applicant Personal Information in the GIPA Tool in these circumstances is in breach of IPPs 5(a) and (b). That is, keeping the Applicant Personal Information in the GIPA Tool after the Respondent has ceased using it, well after the Applicant’s relevant GIPA Act access applications have been dealt with and the time for any challenge or review of them has long ago expired (i.e. the Conduct of Concern) is in breach of IPP 5.

  2. This breach of IPP 5 by the Respondent not only affects the Applicant in this case but the evidence shows a systemic issue which is likely to have and will continue to have a negative impact on the privacy of other individuals who made GIPA Act access applications to the Respondent between June 2015 and February 2022 when the Respondent used the GIPA Tool and where their personal information continues to be held by the Respondent in the GIPA Tool.

IPP 10: Use

  1. It is clear from the submissions and evidence that the GIPA Tool, and thus the Applicant Personal Information uploaded to it, was used at that time by the Respondent for the purpose for which the information was provided by the Applicant to the Respondent. That is, for the purpose of processing the GIPA Act access applications of the Applicant during the relevant period. The introduction of a new means by which to process GIPA Act access applications (in this case) or the use of new technology to assist the processing of such GIPA Act access applications does not, alone and in these circumstances, constitute a new, different or secondary use of the Applicant Personal Information. It is still being used for the purpose of processing the Applicant’s GIPA Act access applications.

  2. I note that, even if this conclusion is incorrect, the processing of GIPA Act access applications is clearly part of the lawful purposes of the Respondent, in fact it is required by law of the Respondent. Therefore, the Respondent’s use of the Applicant Personal Information in the GIPA Tool, if it was a secondary use, is expressly permitted under the Code (see paragraph [57] above).

  3. The conclusion that the use of the Applicant Personal Information by the Respondent in/with the GIPA Tool is a permitted use under IPP 10 does not, however, negate the Respondent’s other obligations under the PPIP Act and the IPPs as regards its collection, use and disclosure of the Applicant Personal Information.

IPP 11: Disclosure

  1. The Respondent submits that the Respondent:

“[66] … as a matter of procedure, did not disclose an applicant’s [GIPA Act access applicant’s] personal information other than to the applicant. Furthermore, the GIPA Tool is designed such that only those officers from within an agency (with individual access accounts granted by the IPC) have access to the uploaded personal information.”

  1. This submission is supported by the evidence of both Ms Jamadar and Mr Naylor.

  2. Despite the evidence of the 2017 ‘modification’ by Amol Mane, a person unknown to the Respondent, this did not raise any red flag for the Respondent in 2017 or subsequently, nor lead the Respondent to investigate this ‘access’, which was contrary to the potential access restrictions noted above. The Respondent in its written submissions asserts that:

“[67] … Apart from the fact that the name [Amol Mane] appears on some of the case management records released to the Applicant…, there is no evidence establishing that anyone other than the Respondent’s employees had access to any of the Applicant’s information on the GIPA Tool. …”

  1. Based on the Information Commissioner’s GIPA Tool PIA, Mr Naylor’s evidence, the Cloud Policy (see [61] above), the absence of compelling evidence to the contrary from the Applicant and the other material before me, I am satisfied that there is no disclosure of the Applicant Personal Information to Salesforce as the third-party SaaS provider or to the Information Commissioner/IPC as the facilitator of the Respondent’s use of the GIPA Tool.

  2. While the Tribunal understands the Applicant’s concerns as regards the apparent disclosure of the Applicant Personal Information to a person unknown to the Respondent, Amol Mane, I accept the evidence of Mr Naylor of the IPC that this individual was, at the time of ‘modifying’ the Respondent’s GIPA Tool instance, an employee of the Department of Communities and Justice (the agency that was responsible for the IPC at the time) in the IT department and was likely only undertaking maintenance of the GIPA Tool.

  3. Given the Respondent’s obligations under the PPIP Act and IPPs, however, it is of concern to the Tribunal that from 2017 until the Hearing the Respondent did not know and took no steps to determine, even during the Internal Review Decision process, who Amol Mane was and what, if any, sort of access to the Applicant Personal Information Amol Mane had and the purpose for any such access to the Respondent’s GIPA Tool instance. This apparent lack of interest in who had access to the Applicant Personal Information and, presumably, all other personal information uploaded by the Respondent into the GIPA Tool shows, in my opinion, a systemic issue in respect of the Respondent complying with its obligations under the IPPs as regards its use of the GIPA Tool.

Consideration of systemic issues

  1. The Tribunal’s role is to review certain conduct (in this case the Conduct of Concern) rather than merely determining, generally, whether there has been a contravention of the PPIP Act or IPPs by the agency (in this case the Respondent). However, the Tribunal may look at systemic issues concerning compliance with the PPIP Act, the IPPs and an agency’s culture with respect to privacy issues in considering the context in which the Conduct of Concern occurred.

  2. As concluded in BKM v Sydney Local Health District [2015] NSWCATAD 87 (“BKM Decision”) at [45] it is clear that, where the evidence indicates a need for it, the Tribunal can examine systemic issues when considering what actions to take generally under section 55 (2) (g) or to enliven aspects of section 55 (2) (c) and (e) of the PPIP Act.

  3. The case of MH v NSW Maritime [2011] NSWADT 248 (“MH Decision”) makes the following observations in respect of the relationship between the systemic issues and the specific conduct complained of by an applicant and how they might be considered when looking to make an order under section 55 (2) PPIP Act following such a review:

“[24] As the Privacy Commissioner observed in his submissions, at [14]

It is clear that the hearing of the matter has of necessity looked into the background of the environment within the Respondent Agency as it relates to privacy matters and the handling of personal information.

The evidence relating to those matters has led to both MH and the Privacy Commissioner making submissions addressing wider 'systemic issues' concerning the agency's compliance with IPPs, its Privacy Management Plan, and the knowledge, understanding and implementation of privacy principles, policies and practices within the agency. The Privacy Commissioner expressed the view that -

‘... the proceedings highlight a general lack of knowledge, understanding, or compliance with the statutory obligations of the Agency as identified under the PPIP Act.’

[25] In my opinion the wider systemic issues within the agency form part of the background or context in which the conduct that MH complains of occurred. They are not of themselves the conduct about which MH is aggrieved, but form part of the organizational environment in which the conduct occurred. They do not fall within the scope of his internal review, reasonably construed, because they do not directly relate to the conduct complained of. They do not relate to specific breaches of IPPs or of a Privacy Code of Conduct but embrace wider issues concerning compliance with the Act and the agency's culture with respect to privacy issues. They are, nonetheless, relevant to the Tribunal's consideration of the conduct in issue, as they set, in part, the context in which the conduct occurred, and inform my decision making accordingly. Addressing systemic issues which contribute to a finding of conduct in breach of the IPP's may be a relevant factor for the Tribunal when considering what orders should be made under s 55(2).”

  1. Addressing systemic issues which contribute to a finding of conduct in contravention of the IPPs is therefore a relevant factor for the Tribunal when considering what orders should be made under s 55(2) PPIP Act (the MH Decision at [25]). This principle was followed in the BMK Decision.

  2. In the BKM Decision at [44] the Tribunal noted “many dozens of instances” in which the Tribunal has, following a privacy review, made orders “concerning the systemic nature of an information practice/system or in respect of administrative practices relating to privacy policies, training, practices and procedures, and general education of staff within the agency”.

  3. At [46] of the BKM Decision the Tribunal also noted:

“Those examples are in addition to but sometimes include cases where damages were ordered, or positive findings of breaches were made.”

  1. The principle in the MH Decision with respect to examining and addressing systemic issues was also explicitly followed in DSG v Department of Education [2019] NSWCATAD 182 at [102] and, more recently, in the EIG Decision at paragraphs [81] to [83].

  2. Given the Respondent’s evidence and admissions that it did not in this case and did not otherwise consider: (a) that it collected the Applicant Personal Information; or (b) formally prior to using the GIPA Tool, what reasonable security safeguards were necessary to protect the Applicant Personal Information or any other individual’s personal information in relation to its use of the GIPA Tool; or (c) if and when it should delete personal information from the GIPA Tool, I am satisfied that there are systemic privacy compliance issues within the Respondent exposed by the Conduct of Concern and my findings of the Respondent’s failure to comply with IPPs 3 and 5. I am also satisfied that these issues and breaches are likely to continue in relation to the Respondent continuing to hold personal information in the GIPA Tool and/or recommencing use of the GIPA Tool. These are, in my view, matters on which orders relating to systemic issues and ancillary orders are appropriate.

Damages for distress

  1. As noted in Vice-Chancellor, Macquarie University v FM (No 2) [2004] NSWADTAP 61 at [19]:

"Ordinarily where a breach is demonstrated, some sanction should be applied to the agency: …"

  1. While the Applicant requested financial compensation, no detailed evidence of the financial loss caused by the Conduct of Concern was provided to the Tribunal by the Applicant. However, there were some costs (such as filing fees, travel, printing and copying costs and the like) in having to undertake the External Review Application in order for the Applicant to enforce her legal rights, protect her personal information and make the Respondent comply with its legal obligations. Also, from her submissions and appearance before the Tribunal, it is clear to me that the Applicant was caused distress and aggravation by the Conduct of Concern and the Respondent's breaches of IPPs 3 and 5. As noted in CJU v SafeWork NSW [2018] NSWCATAD 300 at [117], damages for "mere distress" are a recoverable psychological harm.

  2. In the absence of any substantial evidence of the psychological harm caused to the Applicant by the Conduct of Concern, such as a medical certificate, there is a limit to the amount of damages the Tribunal should award for distress caused by the Conduct of Concern.

  3. I am satisfied that, on the material before the Tribunal, the Applicant was put to what should have been unnecessary expense and was caused distress and aggravation due to having to make the External Review Application in order to protect her personal information and to have the Respondent comply with its existing privacy obligations which, it is now known, it has been breaching over a prolonged period.

The Orders requested by the Applicant

  1. I have considered all of the Applicant’s requested orders. I have addressed the requested orders (1) to (4) noted in paragraph [12] above in the Tribunal’s orders. However, for the reasons briefly noted below, I do not believe that the requested orders noted in (5) and (6) of paragraph [12] above are appropriate in the circumstances, based on the materials before the Tribunal:

  1. the apology ordered by the Tribunal in Order (2) is not subject to any publication restrictions imposed by the Tribunal (and the Respondent cannot impose any), and the Tribunal Orders (4) and (5) will, in my view, adequately address the Applicant’s concerns both for her personal information and the personal information of other relevant GIPA Act access applicants still held by the Respondent in the GIPA Tool; and

  2. I believe in the circumstances that the Tribunal’s Orders are satisfactory, on this occasion, to redress the harm caused by the Conduct of Concern and, while there have been breaches of the IPPs, I am of the opinion that they do not trigger s 55(5) PPIP Act.

Orders

  1. For the reasons noted above and based on the material before the Tribunal, I have decided to set aside that part of the Internal Review Decision that found no breach of any IPPs and, in substitution for that part of the decision, I find that by engaging in the Conduct of Concern the Respondent breached ss 10 and 12 PPIP Act (IPPs 3 and 5) and I make the following orders:

  1. That part of the Respondent’s decision that there was no breach of ss 17 or 18 of the Privacy and Personal Information Protection Act 1998 (NSW) (IPPs 10 and 11) is affirmed. However, the Respondent’s decision that there was no breach of any other IPPs is set aside and, in substitution for it, I find that the correct and preferable decision is that the Respondent breached ss 10 and 12 of the Privacy and Personal Information Protection Act 1998 (NSW) (IPPs 3 and 5).

  2. Within twenty-eight (28) days of the date of these Reasons for Decision, the Respondent is to provide to the Applicant an unreserved formal written apology signed by the Mayor of Port Stephens Council addressing and apologising for (a) the Respondent's contraventions of IPPs 3 and 5 identified in these Reasons for Decision and (b) all harm and distress suffered by the Applicant caused by the Respondent’s breaches of IPPs 3 and 5.

  3. Within twenty-eight (28) days of the Applicant providing to the Respondent her bank account details, the Respondent is to pay to the Applicant $3,000 as compensation for both the distress suffered by the Applicant ($2,500) and expense the Applicant was put to in order to have the Respondent comply with its existing legal obligations ($500), each of which were caused by the Respondent’s breaches of IPPs 3 and 5.

  4. Within twenty-eight (28) days of the date of these Reasons for Decision the Respondent is to perform IPP 5 in relation to all personal information of the Applicant uploaded by the Respondent into and still held in the GIPA Tool, including by implementing such:

  (i) training, awareness raising and safeguards; and

  (ii) administrative measures,

necessary to ensure the Respondent securely deletes such personal information it holds in the GIPA Tool in accordance with IPP 5, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 or other law which is applicable in the circumstances.

  5. Within sixty (60) days of the date of these Reasons for Decision the Respondent is to perform IPP 5 in relation to all other personal information uploaded by the Respondent into and still held in the GIPA Tool as part of its prior use of the GIPA Tool, including by implementing such:

  (i) training, awareness raising and safeguards; and

  (ii) administrative measures,

necessary to ensure the Respondent securely deletes all personal information it holds in the GIPA Tool in accordance with IPP 5, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 or other law which is applicable in the circumstances.

  6. Within seven (7) days of fully complying with Order (4) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

  7. Within seven (7) days of fully complying with Order (5) above the Respondent must notify the Applicant in writing that it has fully complied with that Order.

  8. Within sixty (60) days of the date of these Reasons for Decision and prior to any re-commencement of use of the GIPA Tool by the Respondent, the Respondent is to perform IPP 3 in relation to all personal information collected by the Respondent in relation to all GIPA Act access applications made after this time, including by implementing such:

  (i) training, awareness raising and safeguards; and

  (ii) administrative measures,

necessary to ensure that the Respondent notifies all future GIPA Act access applicants of the matters prescribed in IPP 3, subject to the valid exercise by the Respondent of any exemption or exception in the Privacy and Personal Information Protection Act 1998 which is applicable in the circumstances.

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Decision last updated: 01 August 2025
