XW v Department of Education and Training

Case

[2009] NSWADT 73

3 April 2009



CITATION: XW v Department of Education and Training [2009] NSWADT 73
DIVISION: General Division
PARTIES:

APPLICANT
XW

RESPONDENT
Department of Education and Training
FILE NUMBER: 063319
HEARING DATES: 11 December 2007, 11 March 2008
SUBMISSIONS CLOSED: 3 September 2008
 
DATE OF DECISION: 3 April 2009
BEFORE: Pearson L - Judicial Member
CATCHWORDS: Privacy – information protection principle – personal information – security
Health information – health privacy principle – security
LEGISLATION CITED: Privacy and Personal Information Protection Act 1998
Health Records and Information Privacy Act 2002
Administrative Decisions Tribunal Act 1997
CASES CITED: BE v University of Technology, Sydney [2008] NSWADT 139
Director-General, Department of Education and Training v MT [2006] NSWCA 270
FH v Commissioner, NSW Department of Corrective Services [2003] NSWADT 72
KO and KP v Commissioner of Police, NSW Police (GD) [2005] NSWADTAP 56
McGuirk v Attorney General’s Department [2007] NSWADT 138
Toleafoa (No 2) v Commissioner of Police [2000] NSWADT 48
Trlin v Director General, Department of Fair Trading [2000] NSWADT 192
WL v Randwick City Council (GD) [2007] NSWADTAP 56
ZR v Department of Education and Training [2008] NSWADT 199
REPRESENTATION:

APPLICANT
ZR, agent

RESPONDENT
J McDonnell, solicitor
ORDERS: 1. The publication of any material that identifies the applicant or the school is prohibited
2. The matter is to be listed for further directions on May 12 at 2pm.


1 In these reasons the names of private individuals, and other information which might identify them, have been anonymised so as to preserve the privacy of their personal affairs. The applicant is referred to as XW. He has been represented in these proceedings by his mother, as agent, and in these reasons she is referred to as ZR. These proceedings concern the security of documents containing information relating to the personal affairs of XW held by a school (referred to as "the School") operated by the NSW Department of Education and Training ("the Department").

Background

2 The applicant XW attended the School from 1997 to 2002. In October 2005 ZR applied on behalf of XW under the Freedom of Information Act (the FOI Act) for access to a copy of all files kept by the school, including "school files, counsellor records, correspondence sent to the school by [XW's doctor], sick bay records, and records kept by Head Teacher, Teaching and Learning". The Department provided access to XW's student file records. The applicant claimed that certain documents were missing, and on 21 March 2006 lodged a complaint alleging breaches of the Privacy and Personal Information Protection Act 1998 (the PPIP Act). The applicant stated that the missing documents included copies of medical reports supplied to the school by XW's doctor and XW's speech pathologist, school counsellor notes from private meetings and correspondence with the Board of Studies relating to special examination provisions. The applicant stated that not all the missing files were school counsellor files, as reports had been sent to the Principal or the School Counsellor so that there were documents missing from the normal school records as well as the school counsellor's file. The applicant requested that the Department:

          Investigate why these files are missing, if the school has appropriate security to protect confidential files, if the breach in security was reported and the subsequent action and a guarantee they are not in the possession of an unauthorised person and will not be used in a manner detrimental to my future career.

3 A legal officer of the Department conducted an investigation and provided a report to the Director, Legal Services. In that report the officer identified the substance of the complaint to be:

          - The Department is unable to locate XW's counselling file

          - Two specific sets of documents are missing from the copy of XW's student file, namely copies of medical reports provided by [XW's doctor] and [XW's speech pathologist], and school counsellor notes from private meetings and personal correspondence with the Board of Studies relating to special examination provisions.

4 The investigation report noted that the Department first became aware that XW's counselling file was missing when responding to the 2005 FOI application. A search of the Department's TRIM system indicates that there was a counselling file in the name of XW. According to the TRIM record that file was registered in 1999, and this was the date when records under the old TRIM system were re-entered into the new TRIM system. The report noted that the school counsellor had advised that there had been a number of incidents where there appeared to have been unauthorised entry into the counsellor's office at the school between 2001 and 2005. The report detailed the school's responses to the unauthorised entries.

5 In relation to the documents missing from XW's student records, the report noted that the Department first became aware that reports from XW’s doctor and speech pathologist were missing when it was notified of the privacy application, as it believed that all documents had been provided in response to the FOI application. The report outlined the school's system for retention of and access to student files. The report concluded that:

          It is not possible from the information available to definitively explain why copies of medical reports are missing from [XW's] student record file. [The school] can only speculate that copies of medical reports may have disappeared as a result of unauthorised access into the school office.

6 In relation to the complaint that copies of school counsellor notes and correspondence relating to special examination provisions were missing, the report outlined the school's practice for preparation of special provision applications, and concluded:

          Again, it is not possible from the information available to definitively ascertain why the correspondence from the Board of Studies is missing from [XW's] student record file. [The school] can only speculate that it may have disappeared due to incidents of unauthorised access into the school office as mentioned above… It is also possible that it was misfiled or otherwise misplaced.

7 The report concluded:

          It appears that documents have gone missing most likely as the result of a number of unauthorised access incidents at [the School]. It is concluded that the complained conduct does not amount to a breach of the PPIP Act on the evidence available as reasonable measures were taken to ensure files containing personal information were securely stored and to prevent unauthorised access. These measures have been reviewed and tightened and since 2005 there have been no further incidents.

8 The report expressed the view that the school had taken reasonable measures to safeguard the counselling files and student record files as required by s12 of the PPIP Act. The report noted that the Department was not in a position to meet the request for a guarantee that the missing documents are not in the possession of an unauthorised person and will not be used in a manner detrimental to his future career, and recommended that an electronic record system detailing access and other relevant information relating to student counselling files be investigated as an alternative to the present manual tracking record system.

9 The applicant was notified of the internal review determination accepting the findings and conclusions of the investigation report, namely that there had not been a breach of the PPIP Act, by letter dated 28 July 2006.

10 The applicant applied to the Tribunal for review on 23 August 2006, stating that the Department had contravened s12(c) of the PPIP Act by not ensuring that "files containing personal information were securely stored. They were kept in an unlocked, open room to which many students, teachers, parents had unauthorised or unsupervised access". The applicant also stated that the respondent had contravened a privacy code of practice 10(c) as "files were kept in unlocked, open room allowing unsupervised access".

11 At the first planning meeting the matter was referred for mediation. That proved unsuccessful. Several planning meetings and directions hearings were held. The matters discussed at those meetings have concerned the issue of a summons, identification of appropriate departmental and school witnesses, timetables for the filing and serving of witness statements, and identification of which witnesses should be made available for cross examination. Oral evidence was heard at hearings held on 11 December 2007 and 11 March 2008. Both parties, and Privacy NSW, were given the opportunity to file written submissions. After submissions closed on 25 June 2008 and the matter was reserved, the respondent raised a jurisdictional issue arising from the decision of Judicial Member Montgomery in ZR v NSW Department of Education and Training [2008] NSWADT 199 published on 21 July 2008. The applicant was given the opportunity to respond by written submissions.

Applicable legislation

12 The two relevant pieces of legislation are the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (the HRIP Act).

13 The PPIP Act provides for the protection of personal information and the privacy of individuals by reference to a number of Information Protection Principles set out in Part 2 of the PPIP Act, which public sector agencies are required to observe. The key term is "personal information", which is defined in s4 of the Act as follows:

          4 Definition of “personal information”

          (1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

          (2) Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.

          (3) Personal information does not include any of the following:

          (a) information about an individual who has been dead for more than 30 years,

          (b) information about an individual that is contained in a publicly available publication,

          (c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,

          (d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,

          (e) information about an individual that is contained in a protected disclosure within the meaning of the Protected Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a protected disclosure,

          (f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,

          (g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,

          (h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,

          (i) information about an individual that is contained in a document of a kind referred to in clause 1 or 2 of Schedule 1 (restricted documents) to the Freedom of Information Act 1989 (ie Cabinet documents or Executive Council documents),

          (j) information or an opinion about an individual’s suitability for appointment or employment as a public sector official,

          (ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000,

          (k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.

          (4) For the purposes of this Act, personal information is held by a public sector agency if:

          (a) the agency is in possession or control of the information, or

          (b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or

          (c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.

          (5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.

14 Section 12 of the PPIP Act provides:

          12 Retention and security of personal information

          A public sector agency that holds personal information must ensure:

          (a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

          (b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and

          (c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

          (d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

15 The HRIP Act commenced on 1 September 2004, and applies to 'health information', which is defined in s6 as follows:

          In this Act, health information means:

          (a) personal information that is information or an opinion about:

          (i) the physical or mental health or a disability (at any time) of an individual, or

          (ii) an individual’s express wishes about the future provision of health services to him or her, or

          (iii) a health service provided, or to be provided, to an individual, or

          (b) other personal information collected to provide, or in providing, a health service, or

          (c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or

          (d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual,

          but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.

16 The Health Privacy Principles set out in Schedule 1 to the HRIP Act are in similar terms to those in ss 8 to 19 of the PPIP Act. Clause 5 provides:

          5 Retention and security

          (1) An organisation that holds health information must ensure that:

          (a) the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

          (b) the information is disposed of securely and in accordance with any requirements for the retention and disposal of health information, and

          (c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

          (d) if it is necessary for the information to be given to a person in connection with the provision of a service to the organisation, everything reasonably within the power of the organisation is done to prevent unauthorised use or disclosure of the information.

          Note. Division 2 (Retention of health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.

          (2) An organisation is not required to comply with a requirement of this clause if:

          (a) the organisation is lawfully authorised or required not to comply with it, or

          (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

          (3) An investigative agency is not required to comply with subclause (1) (a).

17 Section 53 of the PPIP Act provides that a person who is aggrieved by certain conduct of a public sector agency can apply to the agency for review of that conduct. The relevant conduct is defined in s52 of the PPIP Act as follows:

          (1) This Part applies to the following conduct:

          (a) the contravention by a public sector agency of an information protection principle that applies to the agency,

          (b) the contravention by a public sector agency of a privacy code of practice that applies to the agency,

          (c) the disclosure by a public sector agency of personal information kept in a public register.

          (2) A reference in this Part to conduct includes a reference to alleged conduct.

          (3) This Part does not apply to any conduct that occurred before the commencement of this Part.

          (4) Section 53 (Internal reviews) of the Administrative Decisions Tribunal Act 1997 does not apply to or in respect of conduct to which this Part applies.

18 If a person who applies for review under s53 is not satisfied with the findings of the review, or the action taken by the public sector agency in relation to the application, the person may apply to the Tribunal for review of the conduct that was the subject of the internal review application. The Tribunal's role under s55 of the PPIP Act is to undertake a review of the conduct that was the subject of the complaint. The Tribunal may decide not to take any action on the matter, or may make any one or more of the orders specified in s55(2) as follows:

          (2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:

          (a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

          (b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

          (c) an order requiring the performance of an information protection principle or a privacy code of practice,

          (d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,

          (e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

          (f) an order requiring the public sector agency not to disclose personal information contained in a public register,

          (g) such ancillary orders as the Tribunal thinks appropriate.

19 Under the HRIP Act, the provisions for review of conduct in Part 5 of the PPIP Act apply to the following complaints:

          21 Complaints against public sector agencies

          (1) The following conduct by a public sector agency is conduct to which Part 5 (Review of certain conduct) of the PPIP Act applies:

          (a) the contravention of a Health Privacy Principle that applies to the agency,

          (b) the contravention of a health privacy code of practice that applies to the agency.

          (2) For that purpose, a reference in that Part:

          (a) to personal information is taken to include health information, and

          (b) to an information protection principle is taken to include a Health Privacy Principle, and

          (c) to a privacy code of practice is taken to include a health privacy code of practice.

          (3) This section applies only to conduct engaged in after the commencement of this section.

20 The Department accepts that the documents relating to XW could have gone missing some time during the period 2001 to 2005. Section 4A of the PPIP Act excludes all health information from the definition of personal information from 1 September 2004. If the conduct complained of occurred before 1 September 2004 it would relate to personal information under the PPIP Act; if it occurred after 1 September 2004, it would be health information, and s21 of the HRIP Act would apply. This matter has proceeded on the basis that whether it is the PPIP Act or the HRIP Act which applies, the obligation in s12(c) of the PPIP Act and cl 5 of Schedule 1 to the HRIP Act is the same, and the central issue is whether the security safeguards for protection of information about the applicant were reasonable in the circumstances.

Issue estoppel and scope of the review

21 ZR v Department of Education and Training [2008] NSWADT 199 (Tribunal file 073081) is an application for review of conduct including an alleged breach of s12(c) of the PPIP Act in relation to security of student files relating to another of ZR’s children who attended the School. In that matter the Department submitted that the Tribunal should not deal with the allegation in respect of security of storage of ZR’s son’s files because that was the issue that forms the basis of these proceedings. The submission was rejected by Judicial Member Montgomery, who stated:

          37 For the reasons argued by ZR, I consider that there is no merit in this submission. Matter No. 063319 was commenced by XW. It relates to XW’s discovery that his school counselling files as well as copies of medical/speech pathology reports were missing from the student files. In his application for an Internal Review XW requested that the Department “investigate why these files are missing, if the school has appropriate security to protect confidential files, if the breach in security was reported and the subsequent action …”.

          38 It is that conduct which is the subject of Matter No. 063319. I have referred to the conduct that is the subject of these proceedings above. To the extent that each concerns security of information there is some similarity. However, these proceedings concern the security of parent information in an interview room (“the interview room”) located in the school’s administration block in 2004. Matter No. 063319 concerns the security of XW’s counselling files and medical reports in, and prior to, 2002. In my view, these proceedings and Matter No. 063319 do not concern the same subject matter. My findings in these proceedings will have no implications for the findings in Matter No. 063319. Accordingly, the Department’s submission that the commencement of the second proceedings is vexatious and oppressive and constitutes an abuse of process is rejected.

22 JM Montgomery went on to determine the issue of the adequacy of security of files in the interview room in the following terms:

          123 A number of student record systems are used in the school. These include general student files (“student files”) and confidential student files kept by the school counsellor. The documents that are the subject of these proceedings were stored on the student file relating to ZR’s son. It seems that access to the student files was governed by an unwritten system monitored by the Senior Administration Manager under the direction of the executive.

          124 Until the end of 2006, student files were kept in locked filing cabinets in the interview room. Staff occasionally used the interview room when interviewing parents and administration staff occasionally used it for administrative purposes. A staff member who had responsibility for organising casual teaching staff also used the interview room each morning. The only staff with a key to the door of the interview room were the Senior Administration Manager, the Registrar and the Principal. When the door was not locked it was usually closed. At the end of 2006 the filing cabinets were moved from the interview room to another office in the administration building.

          125 The filing cabinets in which student files were kept were locked at all times when not being accessed. The Senior Administration Manager held the only keys to the filing cabinets. If staff needed to access a student’s file they would ask the Senior Administration Manager or another member of the administration staff to open the filing cabinet and access the information sought. Teachers were only permitted access to documents relating to a student’s academic performance.

          126 It is clear from the words of section 12 that an agency must ensure that personal information is protected, by taking such security safeguards as are reasonable in the circumstances. The Senior Administration Manager gave evidence of the safeguards that are in place at the school. I am satisfied that the security safeguards were reasonable in the circumstances. While it seems that there are no written guidelines with respect to access to student files, I am satisfied that the school’s staff were aware of the procedure in place to obtain access to the student files and the fact that there does not appear to have been any unauthorised access to those files suggests that the procedures were effective. Nevertheless, I accept that it would be prudent to have had those procedures documented to ensure that staff are aware of their obligations under the Act. If I am wrong as to the level of security of the student files at the relevant time, I am satisfied that the Department is now taking such security safeguards as are reasonable in the circumstances. It is my view that no action on this matter is warranted. It is unnecessary that I discuss this matter in regard to the other complaints.

23 The Department submits that the alleged breach of s12(c) in relation to the security of XW’s files in the interview room at the School is one of the two main issues in this matter, and that for the applicant to maintain the argument in this matter, in light of the decision of JM Montgomery, would constitute an abuse of process. The Department relied on Toleafoa (No 2) v Commissioner of Police [2000] NSWADT 48 as authority for the proposition that the Tribunal should not allow the re-litigation of matters already decided between the same parties in a competent court, which has been applied in Trlin v Director General, Department of Fair Trading [2000] NSWADT 192 and McGuirk v Attorney General’s Department [2007] NSWADT 138. The Department submitted that a complaint brought in relation to an issue already determined by the Tribunal should be characterised as an “abuse of process” which falls within s73(5)(h) of the ADT Act.

24 The applicant submits that the proceedings in 073081 are not final; and further rejects the submission that the security of XW’s files in the interview room is one of the main issues in the application:

          The Respondent has not provided any evidence that any of XW’s medical reports or school counselling reports, the subject of this application, were ever placed in those files. The Respondent’s own witnesses rejected this assertion as unlikely in their testimony.

25 The proceedings in 073081 concern security of files relating to XW's brother, in 2004. These proceedings are brought by XW, and relate to security of his files held at the School during the period 2001 to 2005. While some of the evidence in these proceedings traverses security and access arrangements generally in the School, including in the interview room, in my view these proceedings do not concern the same subject matter, and the conclusion reached by JM Montgomery concerning adequacy of security safeguards for the interview room in 2004 will not have implications for findings made in this matter about security safeguards in the same part of the School over a different period of time, or in other parts of the School. Accordingly, I reject the Department’s submissions that continuation of these proceedings constitutes an abuse of process.

26 The application for internal review refers to files kept by the school counsellor and “normal” student records. The internal review investigation report discusses XW’s counselling file, and documents missing from XW’s student records, and refers to student record files being kept “in locked cabinets in the main school office”, and to documents kept in locked filing cabinets in the counsellor’s office. The application for internal review sets the scope of the application for review of the alleged conduct by the Tribunal under s55 of the PPIP Act: KO and KP v Commissioner of Police, NSW Police (GD) [2005] NSWADTAP 56. That concerns the security safeguards for storage of documents containing personal and health information at the School.

Applicant's case

27 The applicant relies on a written submission filed on 26 October 2007 (20 pages); an affidavit sworn by ZR dated 23 October 2007 (19 pages, with 18 annexures); a witness statement made by ZR on 21 February 2008; a written response to the respondent's evidence submitted at the hearing filed on 19 February 2008 (3 pages, with two annexures); and a written submission following the hearing filed on 9 May 2008 (40 pages). ZR gave oral evidence and was cross examined.

28 The applicant asserts that the following documents are missing:

          - a counselling file registered in the applicant’s name from primary school marked out to the School and containing counsellor files and psychology reports, notes from a case conference, copies of letters from XW’s doctor and occupational therapists and speech therapists, and preparatory work for consideration of OC placement;

          - documents held by the School Counsellor, including a folder of materials provided to her in 1999, including notes of conversations and medical and other reports; letters from XW’s doctor and speech pathologist to the School Counsellor; documents submitted to the Board of Studies

          - copies of medical reports from XW’s doctor sent to the Principal as well as to the School Counsellor

29 The applicant's case is that student access to keys, staff and student access to security access codes, and security more generally, were identified as a problem at the School, and that action was not taken to rectify most of the problems until after a Security Risk Review undertaken in March-April 2005. There were a number of unauthorised accesses to the office of the School Counsellor, and appropriate and reasonable steps were not taken to prevent a recurrence; the unauthorised accesses ceased when an independent locksmith changed the locks to the office in 2005. The security of files kept in the Principal's office was not adequate as the door of the office remained open during school hours when he was not in the office. The Department did not educate staff at the School on the PPIP Act and access to personal information until January 2007.

Respondent's case

30 The respondent provided written submissions filed on 18 September 2007 (17 pages); submissions in reply to the applicant's submissions of 26 October 2007; and submissions filed on 25 June 2008. Witness statements were provided by the School Counsellor, the Senior Administration Manager, former Principals AB and BC, a Deputy Principal DE, the current Principal EF, three teachers (FG, GH and HJ), the former Services Manager and former Business Services Manager, and a former Manager Student Counselling from the Department. The Senior Administration Manager, the School Counsellor, AB, BC, EF, FG, and the Business Services Manager, gave oral evidence and were cross examined.

31 The Department's case is that incidents of unauthorised access to the School Counsellor's office between 2001 and 2005 were reported to the School Education Director and on at least one occasion to the Safety and Security Unit and NSW Police, and that after each incident the School tightened its security arrangements; there may have been unauthorised access to the school office where student files, including medical reports, were kept, and that as a result security measures were reviewed. The respondent submitted that while there was evidence of unauthorised access, it took security safeguards that were reasonable in the circumstances. Student files were kept in locked filing cabinets and access to keys to those filing cabinets was restricted. In relation to the counsellor's files, while there were a number of incidents of unauthorised access from 2001 to 2005, after each one the respondent took appropriate steps in an attempt to ensure no recurrence.

Evidence

Department’s witnesses

32 AB was Principal at the School when XW first enrolled. His witness statement addressed his recollection of and response to an incident of unauthorised access to the counsellor's office over the 2000/2001 school holidays; management of keys; alarms; and storage of student records. In his written statement he stated that he reported an incident of unauthorised access to the counsellor’s office which occurred over the 2000/2001 school holidays to the police and District Office. He arranged to have the filing cabinet and door locks changed. Student files were stored in the interview room. Student advisers did not have offices but could work in the interview room if they needed to gain access to student files. The filing cabinets were locked at all times unless the Senior Administration Manager was accessing a file. The Senior Administration Manager had the keys to the filing cabinets. AB stated that he kept records on students in box files in his office. Student records were moved to the strong room after students completed Year 12. AB stated that "the security at [the School] was generally very good"; and in relation to keys, that the "system at [the School] was no less effective than at any other school at which I have worked".

33 In his oral evidence AB stated that security at the School was as good as any school he had been in. He stated that he had reported the incident in which the counsellor’s files had been interfered with in 2000 to 2001 to police and to the District office. It appeared that it was more a case of files being thrown around than anything missing. It was likely that it was staff, and not students, as it was school holidays. Records for students were kept in the form of counselling files, and in student files which followed each student from primary school. Those files were kept in locked filing cabinets; only the Senior Administration Manager had access to the filing cabinets, and teachers had to go to her for the key to access. If he wanted a file he would ask the Senior Administration Manager and she would get it for him, or she would give him the key and he would go, then return the key, and after using the file he would give it back to her. The Senior Administration Manager was fastidious about the filing cabinets being locked. The box files that he kept in his office were student action files rather than student record files. It would be unlikely he would put a medical report in the box file, and more likely that it would have been passed on to a student advisor or go to the student’s academic file. If he received a report and needed to share the information, he would mark it "copy to …" or if he did not need to keep it, "original to …". That would most likely be to the student advisor. It was possible he may have put a medical report on a student file, especially if it was relevant to the student’s learning situation, but it was more likely to go to the student's teachers, student advisor, and counsellor. Documents in the box files in his office were not very accessible, as they were behind his desk, which was close to cupboards, and there was a lot of floor space in front. There were about 20 box files, in the order according to those he used most. He did his own filing, and nobody else needed to get to the box files. If he was away from the school his office door was not open. If he was at school and walking around he would leave the door open. He was not aware of any unauthorised access. Students would not use the corridor outside as it was not convenient. The Department sent bulletins about privacy and he would have distributed them.

34 In cross examination AB stated that he did not open the mail, and would get a box file of whatever the Senior Administration Manager thought he should get. If something was marked "confidential" usually the staff would not open it. If he received "confidential" mail that was sensitive he would keep it at home where he had an office. After a student left the school the files would be destroyed. AB could remember XW's situation but could not remember anything deeply sensitive. He could not recall the School Counsellor asking him for copies of XW's medical reports. He was on leave in 2001 and the relieving principal used his room. The only person who could have accessed the box files was someone relieving him as Principal, which was basically one of the Deputy Principals. When a student left the school the box files were removed at some stage and stored in the strongroom or another store room. AB stated that as Principal he was responsible for the master keys; there was no record of them; there were only four master keys; and one was lost. When he started at the School it was a "K" system, and because of concerns about security that was changed to a "J" system. One "K" system master key was stolen in his time as Principal. The master keys were held by the Services Manager, the two deputy principals, and himself, and handed on personally. No "J" master key went missing. His home has an alarm system. While he was concerned about the 2000/2001 incident, there was nothing to suggest it was more than a one-off. AB was asked about police coming to the school and stated that they came on one occasion, because he could recall discussing with the School Counsellor what they had said. AB said that they had decided to change the locks for the School Counsellor's filing cabinets and office door. He was aware that some students had keys. There was no way of finding them all so he decided to introduce the "J" system, buy filing cabinets, and replace the locks after another incident in the School Counsellor's office. Replacement filing cabinets came from general stock. Subsequently the locks on the filing cabinets were changed and this was done by a locksmith. He did not assume anything about the exclusivity of the key system.

35 AB was asked about instructions to staff about confidentiality, and said that the staff talked all the time about the need for confidentiality. Lots of things were not put on paper, and lots was transmitted at weekly welfare meetings. They were aware of the need to guard confidential material. There was no specific school privacy policy, but staff would have had copies of the department policy.

36 BC was Principal from April 2003 to March 2007, with a period of leave during 2005. In his witness statement BC stated that an investigation into security issues had been conducted in 2002, and that after his arrival at the school he implemented its recommendations. That included arranging for the locks to the offices of the careers advisor and school counsellor to be changed and for a change to their computer security access, and a change to computer security access for the Senior Administration Manager. From April 2003 to the end of 2004 the School Counsellor reported a couple of incidents of unauthorised entry to her office and filing cabinets. Some time around August 2004 she reported that empty case note files had been found in the strong room. There was no evidence of forced entry associated with any of these incidents.

37 In his written statement and oral evidence BC outlined the key system at the School. In 2003 the administration block had a “J” master key system. Each member of the senior school executive had a master key. In 2004 the system was upgraded to a new “X” master key system. In 2004 the Business Services Manager arranged to have alarm PIN codes deleted and new ones issued. In oral evidence BC stated that there had been some sort of system for control over master keys; when the Business Services Manager took over she kept a key register. In his written statement BC stated that he had concerns about the possible involvement of a staff member in the unauthorised entry to offices in the administration area during 2003 and 2004, however despite formal and informal inquiries it was not possible to identify any individual/s responsible for these incidents. In oral evidence BC stated that after the transfer of two staff from the school there was one further incident of unauthorised access. In oral evidence BC stated that he had not called the police after every incident as the police had said that it should be handled by the Department. After at least two visits the police had said that they could not pursue it as there was no evidence of break and enter and needed to be managed internally. He reported matters to the Department. BC conceded that before the lock was changed in 2005 members of the senior executive staff could access the School Counsellor’s office. It was important for senior executive staff to have access to keys to all buildings for safety reasons.

38 DE was relieving Principal in terms 1 and 2, 2005. In his witness statement DE stated that at the end of term 1, the School Counsellor said that her office was accessed over the holidays and that her files were interfered with and some were missing. He contacted the local police station, and persons in the Department. Two police officers came and found no evidence of forced entry. He contacted an independent locksmith to have the locks changed. New locks were issued for the door of the counsellor's office and the filing cabinet, and the keys for the office door were kept by the counsellor and himself.

39 EF is the current Principal of the School, commencing in March 2007, having previously been employed in the Department's District office, with responsibility for the School from 2002 to 2004. In a witness statement EF stated that soon after taking over responsibility for the School, various members of School staff reported that their computer files were being accessed and deleted and documents and personal items in their offices were being tampered with and in some instances went missing. An Audit review was undertaken in 2003 by the Audit Unit, from which it was reported that the reported incidents did not involve a forced entry. The Department undertook a management review of the School in 2004, and one of the recommendations was that a security risk review be conducted.

40 The Senior Administration Manager at the School gave evidence that she has been employed in that position since 1998, having worked at the School since 1991. In her witness statement the Senior Administration Manager outlined her concerns in 2000 and 2001 that her administration and computer files were being accessed after school hours, and that she had reported this to a Deputy Principal. She was aware that the School Counsellor and the careers advisor also thought that things in their offices were being interfered with. There was an inquiry, following which the locks to the doors of the counsellor's office, careers advisor's office and administration office were changed, and they were issued with new passwords for computers. After these security measures were introduced she continued to have further incidents with her computer records, and the School Counsellor said that things in her office were being moved. She reported all further incidents to a Deputy Principal or the Principal. The Principal and School Counsellor asked her to ensure that the door to the School Counsellor's office was locked at all times she was not at school; on a number of occasions she arrived at work and found the door of the School Counsellor's office open and the light and her computer turned on. The Senior Administration Manager outlined the position relating to maintenance of student records. These were kept in locked filing cabinets in the interview room from 2001 to the end of 2006. This room is used on occasion by staff to interview parents, and administration staff have access to paper folding and franking machines kept there. The key to the interview room is on the "J" system, and the only people with a key to the room are herself, the registrar and the Principal. When the door is not locked it is usually closed. She has the only keys to the filing cabinets and if staff need to access a student file they ask her or another member of administrative staff to open the filing cabinet. The keys for the filing cabinets are kept in her desk drawer in the school administration office, and placed in a security tin with other school keys then locked in the administration safe after school hours.

41 The Senior Administration Manager's witness statement addressed other uses of the interview room, which included use by the person organising casual teaching staff from term 2, 2004 to the end of the 2006 school year; storage of items for the annual white elephant stall; and storage of items delivered for school staff. Records of students who had left school were stored for 12 months in the administration strong room and then moved to an archive room in the administration block. The key to the strong room is kept in a tin in the administration office during the day and locked in the administration safe at night; the only keys to the archive room are held by her, DE, and the maintenance team.

42 In oral evidence the Senior Administration Manager was asked about her vision of the counsellor's office from the administration office. She said that she could see into the counsellor’s room from the office, until the counsellor changed the position of furniture in her room. She is at her desk for a limited time as it is a busy office. In cross examination, the Senior Administration Manager stated that student files would contain mainly academic documents. Medical reports would not to her knowledge go on the files. She was not asked by the Principal to file that sort of document. She was not involved in the box files in the Principal's office. Around the time that AB left there were new keys and locks were changed. There was more access after the locks were changed.

43 The School Counsellor gave evidence that she has held that position since 1991, and was on leave in 1996. In her witness statement the School Counsellor outlined her contact with XW in 2002 in the context of his application to the Board of Studies for special provisions in his HSC exams. Special provisions applications in 2002 were handled by her and DE as Head Teacher Teaching and Learning; after an unauthorised entry into her office in term 1, 2002, she gave the folder of special provisions applications to DE to file. The School Counsellor recalled receiving a folder with information from XW when the Special Needs Co-ordinator left the school in around 1999, 2000.

44 In relation to counselling files, the School Counsellor stated that before implementation of the Student Counselling Policy of 2005, she kept case notes, consisting mainly of contemporaneous notes summarising information received or observed. The information in the folder received from the Special Needs Co-ordinator formed the basis of XW's case notes to which she added subsequent notes, including notes of conversations with XW and ZR, medical reports and speech therapist reports. The School Counsellor stated that ZR gave copies of these reports to XW’s teachers, the principal and her to inform them of XW's progress and special needs. Before implementation of the Student Counselling Policy in 2005, school counsellors would create a guidance file for a student when a psychometric assessment was administered or when a student received a significant counselling intervention. She did not create a registered guidance file for XW. The School Counsellor outlined departmental procedures for tracking and recording movement of registered counselling files, and states that she maintained a hand-written record of movements in and out of the school in addition to the tracking procedures. She kept this in one of the locked filing cabinets in her office. She could not recall requesting a guidance file from XW's primary school, or receiving or sighting a registered file for XW.

45 The School Counsellor's witness statement addresses the security of files in her office. It is her practice to close the door to her office when not in her room; however she may leave the door open if going to the administration office area across the hallway. Since the lock to her door was changed in 2005 it is not possible to open the door to her office without a key. The School Counsellor stated that between 2001 and 2005 there were a number of incidents that led her to believe someone was entering her office after school hours and interfering with her files and records. In particular,

          - after returning to work after the 2000/2001 holidays she found all her case notes missing; she reported the incident to the then Principal and informed her District Guidance Officer; the Principal organised for new filing cabinets to be ordered and in the interim guidance files were stored in the strong room

          - during term 1 of 2002 one of the filing cabinets was accessed and the contents of the special provisions folder pulled apart and scattered throughout the filing cabinet drawers; she reported this to the then Principal, who arranged to have the door lock changed; at that time she kept the spare keys to the filing cabinets in her lockable desk drawer

          - on the first day of the 2003 school year she was let into her office because she did not have her office keys with her; she found the keys to the door and filing cabinets on top of her in-tray; the contents of the filing cabinets had been interfered with; she reported this incident to the District Guidance Officer and the Principal; the Principal arranged to have the locks on the filing cabinets replaced

          - during 2003 the new Principal BC organised for the lock to her office to be changed as there was evidence that her office was being accessed, including erasing of computer files and emails, and answering machine messages, and re-arranging of items on her desk and bookcase

          - during term 4, 2003, a number of guidance files transferred from other schools appeared on her desk in an opened envelope marked "confidential"

          - there was ongoing evidence of access to her office and computer files in 2004

          - in term 3 of 2004 she found empty case notes folders in an old counsellor's recycling box in the strong room; she informed the Principal, Deputy Principal, and her District Guidance Officer

          - at the commencement of term 2, 2005 she found her filing cabinets unlocked and keys to the filing cabinets in an envelope in the second drawer of a filing cabinet; in another filing cabinet containing case notes and guidance files the case notes were missing and the contents of both filing cabinets were rearranged; she informed the relieving Principal, and her District Guidance Officer. The relieving Principal DE arranged for an independent locksmith to replace the door locks and filing cabinet locks. She has both sets of keys to the filing cabinets; DE has a key to her office so he can let the cleaners into her room.

46 In oral evidence the School Counsellor clarified certain aspects of her witness statement, including that she received medical reports about XW from the Principal and not directly; and arrangements for keeping counselling files. The School Counsellor was asked about police responding to reports and stated that she recalled seeing them in 2005; she was in the office when AB phoned them in 2001, but could not recall whether they came, noting that she was only at the school two days a week. The School Counsellor stated that the keys she found in term 2, 2005 were not her keys; she assumed she had the only set of keys.

47 In cross examination the School Counsellor stated that she was aware of procedures to follow, and also in relation to counselling files, but these would not necessarily have been called a privacy policy. In the staff information booklet there were procedures for confidentiality. She understood it was crucial for documents to be kept confidential. They talked about it at staff meetings. Those responsible for security as far as she was concerned were the Principal and the District Guidance Officer.

48 The Business Services Manager for the School from July 2004 to June 2007 gave evidence. In her witness statement the Business Services Manager states that when she commenced at the school there were three master key systems in existence; there was a computerised key register which she was unable to access. In November 2004 the Department's Security unit deleted all PIN codes from the alarm system and she reissued staff with a 6 digit code. She introduced a new key register system over the 2004/2005 school holidays. In oral evidence the Business Services Manager provided further details of her role as Business Services Manager, and the key system. She stated that when she arrived at the School she organised a key audit over the holidays; she was not entirely happy with it, as she had nothing to audit against. In cross examination, the Business Services Manager stated that she was responsible for the physical aspects of security: if there was a physical breach, for example a break in, she would report it; if there was an internal breach of security she would not necessarily know about it. She looked up the department’s policy on security. The Business Services Manager stated that there was a formal policy for staff leaving to return keys, however it was up to the Head Teacher to make sure this happened, and sometimes the Head Teacher would reallocate a key and let her know. It was possible that former staff had keys. The Business Services Manager gave evidence concerning access to security fobs for the alarms, and stated that if they were lost she would delete the program.

49 FG is a teacher at the School with responsibility for student welfare. In his witness statement he states that he does not recall any boxes containing student files in the corridor outside his office. Since he has become involved with student welfare all student files have been kept in filing cabinets in one room, and access has always been through the School Administration Manager. The keys to the filing cabinets are kept in a metal box in her desk drawer in the administration office. In oral evidence FG was asked about school policy regarding access to student record files, and stated that the policy was to read the files in the room and not take them outside the room. He could not recall whether there was a written policy, however it was always clear that the information was private. He could not recall receiving information on privacy. There was a written security policy in the staff handbook however he had got one a long time ago. Nearly every year there were documents on revised policy. In re-examination FG stated that he recalled seeing the department’s Privacy Bulletin. FG gave evidence concerning the key audit conducted by the Business Services Manager in 2004. He listed the keys, some of which he no longer needed, and returned them in an envelope. When he started at the school he was given a key by the Principal, he did not recall signing anything.

50 The Services Manager and Business Manager at the School from 1989 to 2002 provided a witness statement, in which he described the alarm system at the School. There were two key systems, an older GMK system and a more recent JMK system. An active key register was maintained; lost keys were recorded and names of staff issued with new keys logged. It was inevitable that keys would go missing, be stolen or lost, and students were regularly found with keys in their possession. Locks were changed to the counsellor’s office after the incident in 2000/2001 school holidays.

51 GH was the School careers advisor from 2001 to 2004, and a Year advisor. In her witness statement she described procedures for staff accessing student records: the Senior Administration Manager had the keys for the student record filing cabinets which were located in the interview room, and the keys were kept in a safe in the administration office. The Senior Administration Manager and the Principal had a key to the safe. In her capacity as Year Advisor she kept notes of information about students in her Year Advisor diary until the end of the year when the notes and diary were disposed of in commercial disposal bins. The door to the interview room was kept locked when not in use before 2004. In 2004 HJ used it early in the mornings to organise casual staff. There were occasions when the interview room was accessed for other purposes. There was a lot of evidence of unauthorised entry into her office from 2000 to 2004, and things would disappear inexplicably. Files went missing from her computer, filing cabinet and off her desk. GH comments on disruption within the school, and documents and mail going missing.

52 The Manager Student Counselling with the Department from August 2002 to May 2007 provided a witness statement in which he describes the process for establishing a Student Counselling File (previously known as a guidance file); and audit and transfer of files. It had been the practice of some school counsellors to keep case notes separate from the Student Counselling File; this practice was clarified in 2005 making case notes part of the Student Counselling File. The Student Counselling Manual contains policies and procedures for school counsellors including file management. Student counselling files do go missing from time to time; there are about 360,000 student counselling files. Files are stored in lockable filing cabinets of the usual type provided by the department. The Manager Student Counselling stated that he recalled conversations with the School Counsellor; on one occasion she rang him to advise that during an unauthorised entry into her office several student counselling files had gone missing. His contact with the School Counsellor, her colleagues and supervisors indicated that she followed the Department procedures for management of Student Counselling Files.

53 HJ is a teacher at the School, and was responsible for arrangements for casual staff. In her witness statement she states that from term 1 2004 she used the interview room from 6.15am to 8.30am. She did not lock the interview room when she left in the morning, however the filing cabinets containing student records were locked and she never saw them open except when they were being accessed by a member of staff. Administrative staff would change the files at the end of the year removing all Year 12 files and making room for new year 7 files. On occasions staff would conduct interviews in the room; administration staff would use it from time to time for the franking and paper folding machines, and it was also used to store goods.

54 The School Education Director with responsibility for the School from 2005 until March 2007 provided a witness statement. On the first day of term 2, 2005 someone from the School contacted his office about an incident during the school holidays involving unauthorised access to the counsellor’s office. He attended the school and was told that police had been notified, and advised the school to contact the Safety and Security Unit and arrange to have the locks on the counsellor’s office replaced. After this incident the Principal Education Officer undertook a review of counselling records; the Safety and Security Unit identified the security code used to enter the area as one that had been allocated to a teacher who had left the school some years prior to the incident, locks on the door to the student counsellor’s office and filing cabinets were changed and local police attended the School.

Applicant’s witness

55 ZR gave evidence and was cross examined. In her affidavit of 23 October 2007 ZR provided background to her involvement at the School. Her observations were that the door to the interview room was usually open when she attended the School; and the door of the Principal’s office was rarely closed. The corridor is used as a regular thoroughfare for parents and students wanting to pay accounts at the registrar’s office. ZR listed the material contained in XW’s counselling file created at primary school, and stated that during his time at the School XW’s doctor would send reports to the school and reports from the speech pathologist would also be added to his file. ZR outlined her concerns for security of student files at the School. In term 2, 2003 while she and other people were cleaning out the sickbay and cleaning out a storage room, several boxes of student files were discovered with medical records.

56 Parts of this affidavit include comments on points made in the Internal Review, and comments on points made in witness statements by the Department’s witnesses. Some of this material includes details of background. Where relevant to the issues to be determined I have had regard to that part of the material as submissions on behalf of the applicant.

57 In a witness statement filed on 21 February 2008 ZR outlined her contact with police about reports of entry at the School.

58 In her oral evidence ZR stated that she rarely saw the door to the interview room closed; she had been allowed into the administration office to look up parent contact details; she frequently saw students walking along the corridor past the door to the Principal’s office; she often saw the counsellor’s door open when she was not there, and saw files on her desk. ZR stated that in term 2, 2003 she and others found boxes of school files while cleaning out the sickbay, and a Deputy principal took them away. She was given a fob for the alarm some years ago.

59 In cross examination, the Department’s representative focussed on the framing of the application for review to the Tribunal, in particular the reference to the interview room. ZR stated that she now believes the missing files were not in the interview room and had to be somewhere else. ZR was asked what evidence she had to suggest that the Department’s storage was not reasonable; ZR stated that it was the fact that the files were missing. Apart from the fact that the files were missing, there was the evidence of discovering files in the sickbay, and episodes of student pictures on noticeboards with details of medical conditions. XW’s file is missing and she saw other files, and there was no evidence of a clear desk policy. ZR stated that she had spoken about security at meetings of a subcommittee of the P&C at which members of the senior executive would attend. She had been asked by the School Counsellor to provide extra copies of reports, and she was asked to provide copies of reports for other students seen as part of her professional practice.

60 The Department’s representative tendered a file note written by him of a telephone conversation between him and ZR dated 19 October 2007 in support of his argument that ZR had changed her approach to the application for review and that she was no longer arguing that the files had gone missing from the interview room. ZR was given the opportunity to cross examine the representative. I admitted the file note. Its relevance is discussed below.

Consideration

61 In Director-General, Department of Education and Training v MT [2006] NSWCA 270, Spigelman CJ commented in relation to s12(c):

          46 Nothing in the text or the scope and purpose of the legislative scheme suggests that Parliament intended to impose absolute regulatory liability. Indeed, s12(c) itself imposes an obligation only to adopt such “safeguards as are reasonable in the circumstances”.

62 Previous decisions of the Tribunal have considered what is meant in taking security safeguards that "are reasonable in the circumstances". In FH v Commissioner, NSW Department of Corrective Services [2003] NSWADT 72, O'Connor DCJ considered a complaint brought by a former prison inmate whose conviction had been set aside after part of his sentence had been served. That matter concerned information retained on an active, rather than archival, system. In that case, O'Connor DCJ noted at [29]:

          29 In examining security issues, some recognition must, I consider, be given to the evolutionary character of security practices, especially in a major operational environment (such as the one under notice here). The Department is at an advanced stage in moving to the new system.

63 O'Connor DCJ noted at [41] that

          41 These shortcomings in the system as they relate to ex-inmate data (the matter in issue in this case) could not, I consider, reasonably justify the conclusion that viewed overall the security system lacks adequate safeguards. It is not, as I see it, necessary to show that the security policies and practices are perfect or ideal in every respect. Where there are shortcomings, they have to be weighed in the balance alongside those aspects that are satisfactory. The significance of the shortcomings need to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of the persons whose data is secured, and the potential gravity of the consequences of any intrusion if it were to occur.

64 This matter concerns security safeguards for information held in a documentary form rather than on a computer database. The Department accepts that the applicant’s counselling files went missing probably between 2001 and 2005 in one of a number of incidents of unauthorised access to the school counsellor’s room and filing cabinet. The Department submits, based on the decision in FH, that factors relevant to the application of s12(c) include:

          - The fact that stronger safeguards may be available does not mean that existing safeguards may not still be considered reasonable in the circumstances;

          - The relevant question is whether the security safeguards as a whole provide protection that is reasonable in the circumstances;

          - The fact that the agency is taking steps to address a particular issue is relevant;

          - Practical difficulties facing agencies are taken into account given the recognition of the evolutionary character of security practices;

          - The lack of a logging system that tracks uses of the system by authorised officers is a matter of particular concern.

65 Both the Department and the applicant referred in their submissions to Privacy NSW’s guide to the IPPs, which states:

          The level of security that may be appropriate very much depends on the nature of the personal information and the medium in which it is stored. Agencies should apply principles of risk management to determine what is a reasonably appropriate level of security protection. For example, if information is extremely sensitive or likely to find an illicit market it should receive more comprehensive protection. Likewise, information on a stand alone computer to which only one person has access may need a lesser level of protection than information on a networked system.

66 The applicant submits that it is not the intention of the Act to allow different individuals in different agencies to determine whether security safeguards are “reasonable” as this would allow for inconsistency and confusion between officers, schools, departments and agencies; and that the reasonableness of safeguards will be determined by the minimum requirements specified in government guidelines and Australian standards for a government agency as well as the requirements of the State Records Act. Reasonable security is not the same for all “personal information”; the inclusion of the phrase “in the circumstances” requires that an agency determine the level of security safeguards according to the level of sensitivity of the personal information. The applicant submitted that, based on FH, the following issues are relevant:

          - Whether existing safeguards are reasonable is best judged by their effectiveness and the existence of evidence in any meaningful sense to suggest that there are any practical safeguard problems; reference should be made not just to whether steps are being taken but whether the steps taken address the issue;

          - Any shortcomings have to be weighed against satisfactory aspects; the significance of the shortcomings needs to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of persons, and the potential gravity of the consequences of any intrusion;

          - Whether an agency is taking steps to address a particular issue that has been present for some time is relevant to determining whether the existing practice is reasonable in the circumstances;

          - Recognition of practical difficulties due to the evolutionary character of security practices means that if there were simple, relatively inexpensive methods to enhance security, it is expected they would be used;

          - Lack of a logging system to track uses of the system by authorised officers is a matter of concern.

67 Section 12(c) requires security safeguards that are reasonable in the circumstances. That is clearly an objective evaluation, and one that requires consideration of the nature of the information, which would include its sensitivity, and the consequences of loss, unauthorised access, use or disclosure. The s12(c) obligation applies in relation to information the agency has a need to hold, which is the only information an agency should hold (s12(a) PPIP Act). The issue of who in the agency needs to be able to access it, and how access is regulated, is relevant.

68 The evidence, both oral and documentary, in this matter is extensive, covering the period that XW was a student at the School and the three years after he left. In general terms the oral evidence given by the Department’s witnesses confirmed the material in their statements, and I accept that evidence subject to certain qualifications noted below. The applicant’s case was limited to the evidence of his mother, and the respondent submits that some of her evidence was not credible. Part of the respondent’s case involves criticism of the applicant for changing his case. The respondent contends that the reference in the application to the Tribunal for review to documents held “in an unlocked, open room to which many students, teachers, parents had unauthorised and/or unsupervised access”, could only be a reference to the interview room, and that in the course of the Tribunal proceedings XW has sought to extend the inquiry to other parts of the School administration area. As noted above, these proceedings are a review of the conduct the subject of the initial complaint, and as discussed above, I am satisfied that that conduct was the storage and security of documents relating to students at the School. It is not relevant whether or not, as the respondent contends, the applicant has “changed his case”, and to that extent, while I admitted the file note made by the respondent’s representative, it has limited relevance to these proceedings.

69 As noted by the Appeal Panel in WL v Randwick City Council (GD) [2007] NSWADTAP 58, a complainant to a public sector agency of a breach of privacy standards “is in a difficult position in getting precise evidence of what might have occurred”. The Appeal Panel went on to say (at [11]):

          It is therefore important that the internal review undertaken by the agency in response to the complaint be thorough. This includes obtaining a full statement as to what occurred from any officer with direct knowledge.

70 In this matter, as part of preparing its case before the Tribunal the respondent has obtained and provided evidence as to the practice of document handling and storage in the School that was not before the officer who conducted the internal review. One example of this is the evidence of AB as to his practice of keeping documents about students in box files in his office and at his home. All the evidence relevant to determining whether security safeguards at the School were reasonable over the five year period in issue must be considered.

71 In considering the weight to be given to the evidence on behalf of the applicant, I note that the applicant’s mother is not legally trained, and has pursued some issues that are of marginal relevance to the issues to be determined. In cross examination she qualified some of her more absolute assertions as to her observations at the School. If, as the respondent contends is supported by the note of the telephone conversation between ZR and the respondent’s representative, the applicant’s case has changed, that does not of itself impact on the weight to be given to the evidence of ZR. That evidence must be evaluated in its entirety and in the context of the evidence given by others.

72 The School is a large secondary school, and I accept, based on the evidence of AB, BC, and the former Services Manager, that security generally is complex because of its size, nature and location. The security issues in this matter relate to documents and files held in the administration area of the school. The security issues in that part of the school would be common to schools generally, where many different people, including counsellors, year advisors, and teachers, would need to have access to a range of information concerning students enrolled at the school. Some of that information, such as medical information or information about family circumstances, would be extremely sensitive. Further, as is the case at any school, each year one cohort of students leaves and another arrives, requiring movement and re-location of large numbers of files and documents on an annual basis.

73 Based on the copies filed by the applicant and respondent, there were four formal reviews of security issues at the School during the relevant period: a report by the Department’s Audit Directorate in April 2003; a Program Review in September 2003; a Management Review in October-November 2004; and a Security Risk review in August 2005. The Audit Directorate report focuses on security of the School’s computer system. The Program Review report noted (at p 8) that parts of the security system had been repeatedly vandalised by students and were therefore not functional. The Management Review (which focussed on another part of the School) recommended (at p43) that there be an audit of security throughout the school including all access security codes, overriding codes and key arrangements. The Security Risk review conducted in response to this recommendation, while primarily focussed on external security, addressed the School’s alarm system. The report noted (at 20) that “a great deal of time, effort, energy and money has been invested into creating a safe environment for the students and staff at [the School]”. However, the report noted that at the time of the review in March/April 2003, the alarm system was not operating to its capacity in specified parts of the School, including the administration area (at p14), and stated (at p23) that there was a problem with past and present students having access to many different areas of the School. This review recommended (at p 23) the establishment of a key register with tighter access controls, and implementation of a master key system with strict monitoring of access to the keys.

74 Based on the evidence of the Manager Student Counselling, the Department has systems for creation, and movement (including tracking) of student counselling files, of which there are some 360,000 in New South Wales. I accept the evidence of the Manager, who held that position for five years and another senior position for the previous six years, that despite the Department’s systems, files go missing. I accept his evidence that the School Counsellor is very professional, and followed Department procedures. I accept the School Counsellor’s evidence that she reported the incidents of unauthorised access to her office to the Principal and in some instances to her District Guidance Officer.

75 The evidence concerning the key system used at the School was generally consistent. Based on the evidence of AB and BC, over the course of time changes were made to the key system used, including a change from the “K” system to a “J” system some time before 2003; and a change from the “J” system to an “X” system in 2004. By July 2004, when the Business Services Manager commenced, there were three master key systems in existence across the School. Based on the evidence of the Senior Administration Manager, the older master key systems are still in use, as the interview room is still on the “J” system. The evidence as to who had access to a master key was also consistent. AB’s evidence was that during his time as Principal master keys were held by himself, deputy principals, and the Services Manager. BC’s evidence was that senior executive staff had access to keys for all buildings. While the evidence of the Services Manager (who was at the School until 2002) was that there was an active key register, on the evidence of the Business Services Manager who commenced in July 2004 it was not effective or accessible, at least for a period of time. I accept that access to keys was not confined to staff, a fact which was known to AB as Principal and others in the School, including the Services Manager.

76 Based on the evidence of the Business Services Manager, which was supported by FG, by the end of 2004 the Business Services Manager had taken steps to have PIN codes for the alarm system changed, and initiated a key audit.

77 The evidence as to handling, filing, and storage of documents relating to students was generally consistent. The evidence of all the School witnesses was that the central place for filing documents relating to any student was in that student’s file, which was kept in year groups in the filing cabinets in the interview room. I am satisfied that access to those filing cabinets was limited; that the keys were held by the Student Administration Manager who locked them in the safe each night, and that staff could access the files only through her and only in the interview room. The applicant’s submission was that the door to that room was usually open. That is contradicted by the evidence of the Department’s witnesses. In that regard I accept the evidence of the Senior Administration Manager, who was the person most likely to be accessing the room on a regular basis, that when the door was not locked it was usually closed. AB’s evidence was that he kept files for some students in his office, and that given the nature of these files it was unlikely that he would have put any medical reports there. I accept the evidence of BC that these files were removed after AB left the School in 2003. Based on AB’s evidence, the door to his office was not always closed.

78 The interview room and Principal’s office are on a corridor across from the central administration office. I accept the evidence of the Senior Administration Manager that students were not permitted to use this corridor. While it may be, as the Senior Administration Manager suggested, that they would not do so as it was not convenient, it is conceivable that on occasion some might do so despite the prohibition, and to that extent I accept ZR’s evidence that she observed this. I accept that it was the practice of staff in the administration office to observe the Principal’s office from their office. While the photographs provided of the layout of the administration office confirm that this would be possible, there would be times in a large and busy school when, for example, staff were at their desks on the telephone or attending to people at the other window, that was not possible.

79 I accept the evidence of the School Counsellor that she kept her own files, consisting in the case of XW of documents provided to her by the Special Needs Co-ordinator, her own notes, and medical reports and speech pathologist reports. Until a change in departmental policy in 2005, the School Counsellor kept her case notes in a file separate from any guidance file relating to that student. Any guidance file was registered in departmental records, and movements tracked. The School Counsellor also had documents relating to applications for special provisions for exams at relevant times. The School Counsellor’s evidence was that while it was her practice to close the door to her office when she was not in her room, she might leave the door open if she was going to the administration office area across the hallway. Based on the evidence of AB, during his time as Principal he kept files in his office, and on occasion at his home. AB’s evidence was that documents relating to individual students would also be passed on to, and held by, individual teachers, year advisors, and others within the School. Based on the evidence of the Senior Administration Manager, files relating to students who had left the school are held either in a strong room or an archive room in the administration area of the School. I accept her evidence that access to keys to those rooms was restricted.

80 Based on the documents provided, I accept that the respondent Department provided general information to staff about their obligations under the PPIP Act. Bulletin No 4, dated 16 February 2001, addresses the storage of and access to personal information. The clearest guidance provided in that bulletin is that “where practicable, filing cabinets containing personal information should be locked and personal information stored on electronic files should be password protected”. I accept that as committed professionals, staff at the School were conscious of the need to protect personal information. AB noted in his evidence that some matters were discussed at meetings rather than being put on paper. The School Counsellor noted that the need for confidentiality was discussed at staff meetings. FG gave evidence that when he moved offices he was assisted by students, but took his files himself because of his concern that students not see them. However, apart from the general Department bulletins, there does not appear to have been any written or unwritten guide or policy about handling documents relating to students, apart from, according to FG’s evidence, a staff handbook which he had received some time earlier. The respondent relied on publications including a School “Communications” document, however on the evidence of the School Counsellor this document dates from some time in 2005 to 2006; in any event, it refers only to “use” of personal information and not its security.

81 The evidence was consistent as to the practice for access to student files in the interview room, which was that staff could ask the Senior Administration Manager to obtain a file, or read from the file in the interview room after the Senior Administration Manager had provided access. In other respects, however, access to documents relating to students was less controlled. AB’s evidence was that reports relating to a student might go from him to the student’s teachers, advisors and the counsellor. There was no evidence as to School or Departmental policy for individual teachers or others who received documents relating to students, apart from the School Counsellor.

82 Viewed in context, I am satisfied that in many respects the School was conscious of the need for, and took steps to ensure, appropriate security in the administration area. The School upgraded the master key system over time, and access to master keys was restricted to those with a legitimate need to have such access. I am satisfied that individual staff were conscious of the need to be careful about distribution of documents relating to individual students. However, while policy and practice as to filing and storage of such documents was in general clear and followed, there were gaps, for example in how individual teachers and year advisers dealt with the documents passed on to them from the Principal. The evidence of the School Counsellor was that staff such as year advisors and those involved with student welfare would often maintain their own files and keep copies of documents for ease of access. There did not appear to be any consistent practice for disposal of such documents: on the School Counsellor’s evidence, after an individual student left the School some year advisors would transfer information on to the School file, while others would destroy the documents.

83 The applicant pointed to specific instances which, it was asserted, demonstrated poor security. In particular, there was the allegation that student files were found in a corridor. ZR did not have direct first hand knowledge of this, and FG could not recall such an event. There was the allegation that student medical records were found in the sick bay. ZR was adamant that while she did not look inside the files she was sure that they were student files because they had student names on them. I accept the evidence of the Senior Administration Manager that documents containing some medical information about students would routinely be kept in the sick bay. In the absence of direct first hand evidence as to the contents of any folders located in the sick bay, I am unable to make a finding as to whether medical information about identifiable students was kept there longer than was necessary for the purposes for which it was held there.

84 The overall picture of safeguards for storage of and access to documents relating to individual students is one part of a consideration of whether the security safeguards were reasonable in the circumstances. It is necessary also to consider the incidents of unauthorised access, and in particular the response of the School and Department, in more detail. The evidence of the Senior Administration Manager was that she became concerned that her administration office and computer files were being accessed after school hours in 2000 and 2001. That this was not limited to the main administration office is supported by the evidence of GH, the careers advisor, who stated that there was evidence of unauthorised access to her office from 2000 to 2004. Both referred to multiple incidents of things in the office being interfered with. The situation as described by the School Administration Manager and GH appears to be one where general unease was created. In December 2002 the Principal, AB, contacted the Department’s Audit section, which conducted an inquiry and reported in April 2003. That report refers to earlier contact between AB and an officer in the department in November 2002.

85 The first incident reported by the School Counsellor relating to access to files in her office occurred at the commencement of the 2001 school year. Based on the evidence of the School Counsellor and AB, who was Principal at the time, this was reported to the police and to the District office. Based on the evidence of the School Counsellor and AB, the filing cabinet and door locks were changed. AB did not consider that there was anything to indicate that the incident was anything other than a one-off.

86 There were a further three incidents of access to files in the School Counsellor’s filing cabinets. In term 1 of 2002, one of the filing cabinets was accessed, and the special provisions applications were relocated in the filing cabinet; the School’s response was to change the door lock. At the beginning of the 2003 school year, both filing cabinets were accessed, and case management notes were missing; the locks on the filing cabinets were changed. At the beginning of term 2 in 2005 both filing cabinets were accessed and the case notes were missing; an independent locksmith replaced the door locks and filing cabinet locks. Other incidents of concern to the School Counsellor occurred during 2003; the office lock was changed in 2003. By 2004 the School Counsellor was so concerned about security of documents in her office that she did not keep special provisions forms in her office, and she took some counselling files, described by her as the ones she could not afford to lose, home.

87 The applicant relied on what was argued to be a failure to inform police of the unauthorised access. I accept, on the evidence of the School Counsellor and AB, that after the first incident in 2001 the police were contacted and that their advice was that in the absence of evidence of forced entry it was a matter for the School. The applicant provided a copy of an Event Summary that confirms that police attended the School on 28 April 2005 in response to the last incident of unauthorised access to the School Counsellor’s office. There was no evidence of forced entry on that occasion, and it was apparent that keys had been used. I do not regard any decision not to contact police in response to any of the other incidents of unauthorised access, in the absence of evidence of forced entry, as indicating an unsatisfactory response.

88 There was evidence of tampering with the mail in and out of the School. The School Counsellor gave evidence that in 2003 guidance files transferred from other schools appeared in her office in an opened envelope.

89 There is no evidence of interference with files kept in the interview room, the strong room, or archive room. There is evidence of interference with files kept in the office of the School Counsellor, and the office of GH, the careers advisor. There is no suggestion that GH held any documents relating to XW. The School Counsellor did.

90 Several of the witnesses gave evidence to the effect that it was believed that a staff member of the School was responsible for the unauthorised entries. BC stated that he had concerns during 2003 and 2004. GH stated that she suspected that a Deputy Principal had interfered with her office. The Services Manager stated that there were rumours to that effect. The investigations conducted did not substantiate these rumours, and the evidence before me does not establish positively whether those concerns were warranted.

91 Deputy President Handley noted in BE v University of Technology, Sydney [2008] NSWADT 139 that loss of correspondence is not of itself evidence that security safeguards are inadequate. I agree. The test in s12 is an objective one, and focuses on whether security safeguards are reasonable “in the circumstances”. The applicant argued that adequate security safeguards would include such things as implementing a privacy management plan, and adopting standards applied elsewhere in the NSW public sector. I agree with the respondent’s submissions that the provisions of the State Records Act 1998 are not relevant to the issues raised in this matter, and that the Department of Commerce Guide to Labelling Sensitive Information does not assist. That document contains one reference to security of sensitive documents, in its reference (at 7.3) to the need for “adequate custodial arrangements”.

92 The decision in FH supports the proposition that practical difficulties facing agencies need to be taken into account. I accept that there are resource issues in maintaining and upgrading security arrangements, and that the process of upgrade may be gradual. That was confirmed in this matter by the evidence of upgrade of master key systems over time. However, even in this context, the School’s response to the specific concerns about security issues, including access to the computer system, was slow. While steps were taken, the time taken is relevant to a consideration of their adequacy. While the School Administration Manager and GH referred to their concerns in 2000 and 2001, it was not until late 2002 that the School initiated the review by the Audit Directorate. While it was accepted by several witnesses that keys were in the hands of people not entitled to have access, including students, it was not until late 2004 that there was a key audit. While the School’s response to the first incident of unauthorised access to the School Counsellor’s office at the beginning of 2001 may have at the time been perceived as appropriate, it should have been apparent after the incident in term 1 of 2002 that this was not a “one-off” event. The School Counsellor’s decision in 2002 to give the special provisions forms to DE confirms that she did not regard her office as a secure place to store important documents. Given the sensitivity of the documents held by the School Counsellor it would have been reasonable to take additional steps to ensure the security of her office, beyond changing the door locks while retaining the same master key.

93 For the above reasons, I conclude that the security safeguards adopted in the School against loss or unauthorised access to personal information were not reasonable in the circumstances, and accordingly there was a failure to comply with s12 of the PPIP Act. The applicant sought an order pursuant to section 55(2) of the Act. The matter should be relisted to consider the further progress of the matter in regard to that issue.

Orders

      1. The publication of any material that identifies the applicant or the school is prohibited.

      2. The matter is to be listed for further directions on May 12 at 2pm.
