WY v Hunter New England Area Health Service
[2008] NSWADT 265
•18 September 2008
CITATION: WY v Hunter New England Area Health Service [2008] NSWADT 265 DIVISION: General Division PARTIES: APPLICANT
RESPONDENT
WY
Hunter New England Area Health ServiceFILE NUMBER: 083045 HEARING DATES: 2 July 2008 SUBMISSIONS CLOSED: 22 August 2008
DATE OF DECISION:
18 September 2008BEFORE: Molony P - Judicial Member CATCHWORDS: Privacy - information protection principle - breach MATTER FOR DECISION: Principal matter LEGISLATION CITED: Privacy and Personal Information Protection Act 1998
Protected Disclosures Act 1994
Administrative Decision Tribunal Act 1997
Independent Commission Against Corruption Act 1988CASES CITED: N/A REPRESENTATION: APPLICANT
RESPONDENT
In person
C S Ward, barristerORDERS: The decision of the Agency is affirmed.
REASONS FOR DECISION
Background
1 WY is an employee of the Respondent Agency. He has been the subject of an investigation and disciplinary action relating to alleged breaches of the NSW Health Code of Conduct. That investigation, and subsequent actions by the Agency, followed the receipt by the Agency in July 2007 of an anonymous letter which made allegations of serious misconduct within the Pharmacy where WY was employed by the Agency. It alleged that two Schedule 4 drugs had been misappropriated from the Pharmacy on or about 15 May 2007. At that time WY says he was seconded to a University position.
2 On 3 December 2007 WY made an application to the Agency under section 53 of the Privacy and Personal Information Protection Act 1998 (‘the PPIPA’) seeking an internal review of its conduct with respect to its use of the information contained in that anonymous letter, and obtained in the course of the investigation following its receipt. WY complained that the Agency had breached the information protection principle set out in section 16 of the PPIPA which provides:
3 On 25 January 2008 the internal review by the Agency was completed. The review officer found that the anonymous letter and the information obtained in the investigation arising out of it, was not personal information to which the PPIPA applied. This was so because the anonymous letter was a protected disclosure within the meaning of the Protected Disclosures Act 1994 (‘the PDA’). As a result, both it and information obtained in the course of investigation arising out of it, were not ‘personal information’ within the meaning of the PPIPA. The review officer therefore found that there had been no breach of the information protection principle, because the PPIPA did not apply to the information concerned.
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
4 On February 2008 WY lodged with the Tribunal an application to review the conduct of the Agency under section 55 of the PPIPA. In that application WY indicated that he was seeking orders that:
5 Section 63 of the Administrative Decision Tribunal Act 1997 says that in determining an application for review the Tribunal is to make the correct and preferable decision having regard to the material before it, and any applicable written or unwritten law.
That the organisation be compelled to admit that they have acted on unverified information and should not have proceeded with any investigation until the information had been verified, and that they issue me with a formal, public, apology.
The organisation must also retract any action that results from the use of the unverified information. Also, the organisation be reprimanded and/or penalised for its failure to comply with the Privacy legislation.
6 WY’s application for review was first listed for a planning meeting on 4 March 2008. It was agreed that the decision should be remitted for reconsideration by the Agency, such reconsideration to be completed by 8 April 2008. The application for review was listed for a further planning meeting on 15 April 2008, after the reconsideration was completed. That reconsideration confirmed that the anonymous letter was a protected disclosure and that, as a consequence, there had been no breach of the information protection principle.
7 At the planning meeting on 15 April 2008 it was agreed that the application should be listed for hearing on the issue of whether or not the anonymous letter is personal information to which the PPIPA applies. That hearing took place on 2 July 2008 at Newcastle, when I heard evidence and submissions form both parties. During that hearing I made directions that the Agency provide the Tribunal with a confidential copy of the anonymous letter pursuant to section 75(1)(d) of the Administrative Decisions Tribunal Act 1997, and that the letter not be disclosed to WY. The Agency, under cover of a short, confidential affidavit identifying the document, provided the Tribunal with a copy of it. At the conclusion of the hearing I reserved my decision.
8 On 18 July 2007 while considering my decision it became clear to me that I had not during the hearing been provided with a copy of an Agency Policy, referred to in evidence, which appeared relevant to my consideration. As a result, the Registrar, at my request, wrote to the parties in the following terms:
9 The Policy has since been produced and submissions received.
Judicial Member Molony reserved his decision with regard to this application on 2 July 2008.
In considering his decision Mr Molony has come to the view that he should request the Respondent to produce a copy of its Policy numbered 99/12. This policy was referred to by Mr Ellis in his evidence, but is not among the documents in evidence before the Tribunal. In making this request Mr Molony notes that the Tribunal is required by section 73(5)(b) of the Administrative Decisions Act 1997 to ensure that all relevant material is disclosed, “so as to enable it to determine all of the relevant facts in issue in any proceedings”. Mr Molony considers that the document is relevant to the “protected disclosure” issue.
As a result Mr Molony has directed that:
1. The Respondent file and serve a copy of its Policy numbered 99/12 on or before 8 August 2008.
2. The Respondent file and serve any submission with respect to the relevance of that Policy on the protected disclosure issue on or before 8 August 2008.
3. The Applicant file and serve any submission in reply by 22 August 2008.”
The issue for determination
10 The issues which requires consideration in this case is whether the anonymous letter contained personal formation to which the PPIPA applies, or whether, that letter is a protected disclosure under the PDA, and hence not personal information under the PPIPA.
The Relevant Legislation
11 The PPIPA contains provisions, among other things, dealing with the lawful collection of personal information by Agencies, from whom personal information may be collected, the manner of collection, the relevance and reasonableness of such collection, its retention and security, its accessibility by the person to whom it relates, its alteration, accuracy, use and disclosure. These provisions are embodied in the information protection principles in Part 2 of the PPIPA.
12 In this case WY alleges a breach of section 16 which requires that an agency not use personal information “without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.”
13 The PPIPA does not apply to all personal information, but only to personal information that falls within the meaning of personal information defined in section 4:
14 In the present case the issue is whether the information contained in the anonymous letter received by the Agency is information which is excluded from the definition of personal information by section 4(1)(c), being “ information about an individual that is contained in a protected disclosure within the meaning of the Protected Disclosures Act 1994.” (‘the PDA’)
(1) In this Act, "personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.
(3) Personal information does not include any of the following:
(4) For the purposes of this Act, personal information is "held" by a public sector agency if:
(a) …
(e) information about an individual that is contained in a protected disclosure within the meaning of the Protected Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a protected disclosure,
(f) …
(5) For the purposes of this Act, personal information is not "collected" by a public sector agency if the receipt of the information by the agency is unsolicited.
(a) the agency is in possession or control of the information, or
(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or
(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.
15 This in turn requires a consideration of the provisions of the PDA to see if the anonymous letter is a protected disclosure. The purposes of the PDA include seeking to “encourage and facilitate the disclosure, in the public interest, of corrupt conduct, maladministration and serious and substantial waste in the public sector:” section 3. To be a protected disclosure a disclosure must satisfy the requirements applicable to it for it to be protected under Part 2 (section 7 to section 19) of the PD Act: section 4 and section 7.
16 First, section 8 provides that:
17 Secondly, the disclosure must have been made voluntarily in the sense specified in section 9:
(1) To be protected by this Act, a disclosure must be made by a public official:
(a) to an investigating authority, or
(b) to the principal officer of a public authority or investigating authority or officer who constitutes a public authority, or
(c) to:
(i) another officer of the public authority or investigating authority to which the public official belongs, or
(ii) an officer of the public authority or investigating authority to which the disclosure relates,
in accordance with any procedure established by the authority concerned for the reporting of allegations of corrupt conduct, maladministration or serious and substantial waste of public money by that authority or any of its officers, or
(d) to a member of Parliament or to a journalist.
18 Because the disclosure contained in the anonymous letter was made to a public official, to be protected it must also comply with section 14 which provides:
(1) To be protected by this Act, a disclosure must be made voluntarily.
(2) A disclosure is not made voluntarily for the purposes of this section if it is made by a public official in the exercise of a duty imposed on the public official by or under an Act.
(3) A disclosure is made voluntarily for the purposes of this section if it is made by a public official in accordance with a code of conduct (however described) adopted by an investigating authority or public authority and setting out rules or guidelines to be observed by public officials for reporting corrupt conduct, maladministration or serious and substantial waste of public money by investigating authorities, public authorities or public officials.
(4) …
19 To properly understand the operation of section 14 it is necessary to refer to definitions of corrupt conduct, maladministration as defined. Section 4 provides that corrupt conduct has the meaning given to it by the Independent Commission Against Corruption Act 1988.
(1) To be protected by this Act, a disclosure by a public official to the principal officer of, or officer who constitutes, a public authority must be a disclosure of information that shows or tends to show corrupt conduct, maladministration or serious and substantial waste of public money by the authority or any of its officers or by another public authority or any of its officers.
(2) To be protected by this Act, a disclosure by a public official to:
(a) another officer of the public authority to which the public official belongs, or
(b) an officer of the public authority to which the disclosure relates,
in accordance with any procedure established by the authority concerned for the reporting of allegations of corrupt conduct, maladministration or serious and substantial waste of public money by that authority or any of its officers must be a disclosure of information that shows or tends to show such corrupt conduct, maladministration or serious and substantial waste (whether by that authority or any of its officers or by another public authority or any of its officers).
(3) In this section:"public authority" includes an investigating authority.
20 Importantly for the present purposes corrupt conduct, by section 8(2) of the Independent Commission Against Corruption Act 1988, “includes any conduct of any person (whether or not a public official) that adversely affects, or that could adversely affect, either directly or indirectly, the exercise of official functions by any public official, any group or body of public officials or any public authority and which could involve” fraud, theft, embezzlement, illegal drug dealings or forgery.
21 Maladministration for the purposes of the PDA is defined in section 11(2) of that Act:
22 “Public Official” is defined in section 4 of the PDA:
For the purposes of this Act, conduct is of a kind that amounts to maladministration if it involves action or inaction of a serious nature that is:
(a) contrary to law, or
(b) unreasonable, unjust, oppressive or improperly discriminatory, or
(c) based wholly or partly on improper motives.
Consideration
public official means a person employed under the Public Sector Management Act 1988, an employee of a State owned corporation, a subsidiary of a State owned corporation or a local government authority or any other individual having public official functions or acting in a public official capacity, whose conduct and activities may be investigated by an investigating authority, and (without limitation), includes a member of the Police Service, a PIC officer or a PICI officer.
23 The anonymous letter was received by a member of Internal Audit Services unit of the Agency in July 2008. In his evidence Mr Ellis, the Internal Audit Manager, said that all members of that unit hold delegations enabling them to receive protected disclosures on behalf of the agency. While the letter was anonymous it is apparent from reading the confidential copy that it’s author is a public official working for the Agency, albeit unidentified. I note that Mr Ellis gave evidence that he is aware of the identity of the author.
24 There is no reported decision on the question of whether an anonymous disclosure of information may be a protected disclosure. In my opinion, the fact that the letter was anonymous does not prevent it from satisfying the requirements of section 8 of the PDA. There is no provision in the PDA which requires that a public official who makes a disclosure identify himself or herself by name. Rather, the requirement is that a disclosure be made by a public officer. Without seeking to prescribe the methods by which that requirement can be satisfied, it is my view that evidence such as the nature of the information disclosed, its source, and claims made by the person making an anonymous disclosure, may be sufficient to enable the agency or officer to whom the disclosure is made to be satisfied that it was made by a public official. Equally, one can foresee cases in which an anonymous disclosure contains information which does not enable such a conclusion to be drawn. That view is consistent with the objects of the PDA in encouraging disclosure by public officials of information in their possession relating to corrupt conduct and maladministration. To require that an official disclose her or his identity, in order for a disclosure to be protected, would be inconsistent with that object, and would impute a requirement which is not apparent on a plain reading of the PDA. In this case, having read the anonymous letter, I am satisfied that it is a disclosure made by a public official to an officer of the agency (a public authority) to which the public official belonged and to which the disclosure related.
25 There is no doubt, in my view, that the information contained in the disclosure reported allegations that tended to show corrupt conduct or maladministration by officers of the Agency: the misappropriation of Schedule 4 drugs. The misappropriation of Schedule 4 drugs from the Agency by an officer, depending on the method employed would constitute theft or fraud: both of which fall squarely within the definition of corrupt conduct. Similarly, it would constitute maladministration, being action by an officer of a serious nature contrary to law. In submissions WY addressed the lack of particulars of the disclosure that had been provided to him, and suggested it was no more than a bare allegation. Having read the anonymous letter I am satisfied it tended to show corrupt conduct or maladministration. It was not necessary for the letter to establish the existence of corrupt conduct or maladministration, to satisfy the requirements of the PDA.
26 Whether the disclosure was made voluntarily as required by section 9, and whether it was made “in accordance with a procedure established by the authority for the reporting of allegations of corrupt conduct, maladministration or serious and substantial waste of public money,” as required, by both section 8(1)(c)(ii) and section 14(2)(b), is a matter of some contention.
27 The evidence of Mr Ellis was that until last year the Agency had in place a policy (99/12) concerning ‘Fraud Control’ (“the Fraud Policy’). This was a policy of the Hunter Area Health Service which subsequently, but before the disclosure, merged with the New England Area Health Service, to form the respondent Agency. Mr Ellis’ evidence was that this policy was ratified in April 1999 and was written in 1998 to comply a Department of Health directive. There was also policy (92/01), again a policy of the Hunter Area Health Service, which related to “Reporting of Corrupt conduct’ under section 11 Independent Commissions Against Corruption Act 1988’ (‘the Corrupt Conduct Policy’). This was amended in June 2000. Following the merger of the two area health services he said it remained in force until replaced by the new policy.
28 The new policy (HNEH 07_25), which superseded them, relates to ‘Corruption Management’ and according to submission made by the Respondent came into operation on 27 August 2008, after the disclosure in issue was made.
29 The Corrupt Conduct Policy set out requirements for the internal reporting of corrupt conduct so as to enable the Chief Executive to comply with duties imposed by the Independent Commission Against Corruption Act 1988. It outlined what is considered to be corrupt conduct and required that corrupt conduct, or reasonably held suspicions of corrupt conduct, be reported. Paragraph 5 of the Policy is concerned with ‘How and When to Report.’ It relevantly provided:
30 Paragraph 8 of the Corrupt Conduct Policy was headed ‘Protection of the Interests of Staff’. It provided:
5.1 Whenever a member of staff becomes aware of a matter that may involve corrupt conduct, the matter should be reported to any one of:
5.2 Reports should be made by telephone in the first instance followed by a written report. If in doubt as to whether a matter should be reported, the matter should still be reported.
- General Manager of relevant Sector/Unit
- Manager, Internal Audit Unit, Area Administration
- Chief Executive Officer, Area Administration
- Director, Human Resources
5.3 The officer receiving the report will clearly explain to the person reporting the matter what will happen in relation to the information received.
5.4 Where the matter is reported to a General Manager or the Manager, Internal Audit Unit, they will then provide a written report to the Chief Executive Officer that will include:
5.5 All staff involved in the reporting of suspected corrupt conduct should ensure that confidentiality is maintained to avoid prejudicing the investigation of the matter reported and to avoid unjustified harm to the reputation of other members of staff.
- a short history and relevant documentation
- details of action already taken and intended further action
- details of any other bodies to which the matter has been or will be referred
5.6 While staff should be encouraged not to report suspected corrupt conduct anonymously, as this makes investigation more difficult, all anonymous reports should be reported in accordance with this policy.
…
31 The Fraud Policy outlined that its purpose was to prevent fraud or corruption within the Agency, provided a definition of fraud, and explained the role of internal control and of the internal audit unit in fraud control. At paragraph 7 provided:
The Area Health Service will take all possible measures to protect the identity of the person making the report. However, it must be understood that, on occasions to enable full investigation, the source may need to be revealed. Should such a need arise, the identity of the staff member will be revealed to the minimum number of people possible. Any member of staff who believes that victimisation has occurred as a result of making a report should advise the Chief Executive Officer. Detrimental action taken against a person primarily as a reprisal for making a protected disclosure is a punishable offence under the Protected Disclosures Act 1994. (Further details on the Protected Disclosures Act are available in the Hunter Area Health Service Fraud Control Plan.)
32 In paragraph 8 the Policy set out the following reporting procedure:
The detection of fraud and corruption is the responsibility of each employee of the Hunter Area Health Service. Whilst management and the Internal Audit Unit have an overriding responsibility in this area, all employees must be made aware of the fact that they have a duty to report any behaviour which they feel indicates fraud and/or corruption.
Channels for reporting suspected fraud/corruption have been identified by the Executive and Board of the Hunter Area Health Service and are detailed in Area Policy 92101 Reporting of Corrupt Conduct under S11 Independent Commission Against Corruption Act 1988. Staff are encouraged to report any suspicions via these channels and are assured of confidentiality and protection under the Protected Disclosures Act (see Page 9 of this document).
33 In his evidence Mr Ellis said that both the Fraud Policy and the Corrupt Conduct Policy were in force when the anonymous letter was received by the internal audit unit. He said it was the responsibility of all staff to be aware of and comply with the policies. He said that as part of their induction training all staff were made aware of the policies.
When a member of staff becomes aware of a matter that may involve corrupt conduct, the matter may be reported to:
Reports can initially be made by telephone and followed up with a written report. Although reports may be made anonymously, a reporting structure exists to provide feedback on the progress of actions in regard to information provided. This also allows for extra information to be sought in relation to the report made.
- General Manager/Director of the relevant Sector or Business Unit, - Manager, Internal Audit,
- Chief Executive Officer
- The independent Commission Against Corruption
Staff reporting suspected corrupt conduct should ensure that confidentiality is maintained to avoid prejudicing any investigation and avoid unjustified harm to the reputation of any member of staff.
34 WY took issue with this. He argued that the policies were policies of the Hunter Area Health Service, and did not apply to the merged Agency. He did not specify why this was so. He said that he had not been aware of the policies, and, in submissions, said had been unable to locate them. He also relied on NSW Health Department Policy Directive 2005_135 which required agencies to develop or review policies dealing with protected disclosures, to show that there was no protected disclosure policy in existence. That Policy Directive was annexed to the written submission he made before for the hearing. Implicit, in WY’s submission, was an understanding that the Policy Directive somehow brought the continued operation of the Fraud Policy and the Corrupt Conduct Policy to an end. It did not do so.
35 WY did tender a letter to him from the Manager, Risk Management and Regulatory Affairs of the Department of Health, dated 19 June 2008. The letter was, apparently, written in response to a complaint made by WY to the Director - General. It advised, in part:
36 WY submitted that the Agency had no policy in place with respect to making of protected disclosures and, as a result, the information contained in the anonymous letter could not be a protected disclosure.
With regards to the specific policies and legislation that you have brought to the D-G's attention:
PD2005_263 only applies to the Department of Health and not the Area Health Services;
PD2005_135 directed the Area Health Services to develop and issue a Protected Disclosure, policy incorporating certain procedures for handling a Protected Disclosure;
Protected Disclosure Act 1994 the legislation only covers the person making the disclosure arid not the subject of the disclosure.
HNEAHS may not have complied with PD2005_135 in that they did not develop and issue their own policy on managing protected disclosures as required by P02005-135. It is believed a policy has been developed but as yet has not been implemented.
37 I reject that submission. The requirement, in both section 8 and section 14 of the PDA, is that the disclosure be made “in accordance with any procedure established by the authority concerned for the reporting of allegations of corrupt conduct, maladministration or serious and substantial waste of public money by that authority or any of its officers.” Whether or not the Agency had in place a protected disclosure policy, the evidence establishes that the Agency had in place, at the time the disclosure was made, two policies which established a procedure for “reporting of allegations of corrupt conduct, maladministration or serious and substantial waste of public money by that authority or any of its officers.” These were the Corrupt Conduct Policy and the Fraud Policy. I note that in submissions the Agency submitted that these policies satisfied the requirement of PD2005_135 in any case. That is a matter which it is not necessary for me to decide.
38 I am satisfied, on Mr Ellis’ evidence, that both the Fraud Control and the Corrupt Conduct policies were in force within the Agency when the disclosure was made. WY’s view that, because those policies were policies of the Hunter Area Health Service, they did not apply to the merged agency is contradicted by the direct evidence of Mr Ellis on this issue. Mr Ellis, because of his position and role within the Agency, has a detailed knowledge of the Agency’s policies and procedures, which I prefer to the assertions made by WY. Further, WY’s view that the policies were somehow rendered ineffective by the merger, rather than carried across to the merged Agency, offends against common sense. If the situation were as WY insists, mergers of such agencies would be administratively impossible, with all existing policies and procedures ceasing to have effect. WY was unable to point to any provision which justified his assertion, or outline a course of reasoning which justified it.
39 I am also satisfied that the disclosure made in accordance with those policies was made voluntarily as required by section 9 of the PDA. While the policies are not called a ‘code of conduct’, they were adopted by the Agency and set out rules or guidelines to be observed by public officials for reporting corrupt conduct, maladministration or serious and substantial waste of public money by investigating authorities, public authorities or public officials. As such, I am satisfied that the disclosure was made voluntary by operation of section 9(2).
40 It follows that I am satisfied that the anonymous letter was protected disclosure under the PDA. As a consequence, it did not contain not personal information to which PPIPA applies.
41 In both in his evidence and his submissions to the Tribunal, WY raised many other issues going to the conduct of the investigation, alleged breaches of the PDA by the Agency, and the taking of disciplinary action against WY, which it is neither within the Tribunals power nor necessary to address in considering an application under the PPIPA.
Conclusion
42 For the reasons outlined above I am satisfied that the anonymous letter was a protected disclosure of information under the Protected Disclosures Act 1994, and as result, that information is not personal information to which the Privacy and Personal Information Protection Act 1998. As a consequence the decision under review, which found that the Privacy and Personal Information Protection Act 1998 did not apply, was the correct and preferable decision. It is affirmed.
0
0
4