In these reasons the names of private individuals have been anonymised so as to preserve the privacy of their personal affairs. The Applicant is referred to as ALZ. At relevant times ALZ was employed by a local council ("the Council"). The Respondent was previously known as WorkCover NSW but has undergone a change of name and is now known as SafeWork NSW.
ALZ alleges that the Respondent's conduct contravened several of the Health Privacy Principles ("HPPs") of the Health Records and Information Privacy Act 2002 ("HRIP Act") and also several of the Information Protection Principles ("IPPs") of the Privacy and Personal Information Protection Act 1998 ("PPIP Act").
I have set out the relevant background in my decisions in ALZ v WorkCover NSW [2014] NSWCATAD 49 ("ALZ No.1") and ALZ v WorkCover NSW [2014] NSWCATAD 93 ("ALZ No.2").
The conduct which was the subject of ALZ's complaint concerns a medical report dated 10 November 2011 ("the medical report") by a psychiatrist, Dr Prabal Kar. The medical report was prepared in relation to a workers compensation claim brought by ALZ against the Council. The workers compensation insurer which covered the Council for workers compensation claims was StateCover Mutual Limited ("StateCover"). StateCover and the Council were responsible for processing and managing ALZ's workers compensation claim. The Respondent obtained a copy of the medical report from the Council. In relation to the medical report, ALZ alleged breaches of HPPs and IPPs by Inspector Mick Dall as follows:
Use of personal or health information
Storage of personal or health information
Disclosure of personal or health information
Access and accuracy of personal health information
In a subsequent complaint ALZ complained:
"Mr Craig McBride, Privacy Officer, WorkCover NSW, while conducting an internal review of a privacy breach, collected both personal and health information about me, some of which was irrelevant, some of which is incorrect, and some of which is misleading.
He used the information in a way which was unfavourable to me, and which necessitated its disclosure to:
the office of the Privacy Commissioner
officers of the Administrative Decisions Tribunal, including the Tribunal member, and
legal representatives of WorkCover."
Mr McBride's internal review found that no breaches had occurred. ALZ sought review of the conduct of the internal review. She provided the additional clarification of this complaint:
"Collection: the collection principles were contravened because Mr McBride collected my personal and health information from people other than me. The information was not collected for a lawful purpose and it was not necessary for his investigation.
Retention and security: these principles have been contravened because, the collection was unlawful, and the information has been misused.
Accuracy: the information collected was irrelevant, inaccurate and misleading, which contravenes the accuracy principles.
Use and disclosure principles: are contravened because I did not consent to the use or disclosure of my personal and health information."
In ALZ No.1 I made a number of finding in relation to the Respondent's conduct. I found that the manner of collection of the medical Report by Inspector Dall involved a breach of HPPs 3 and 4. In a subsequent decision in ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122 I found that the manner of retention and collection of the medical report by the Respondent after it was obtained by Inspector Dall breached HPP 5.
ALZ appealed the decision in ALZ No 1 to the Appeal Panel on the basis that I should have found that additional breaches of the HPPs had occurred.
In ALZ No.2 I remitted the matter to the Respondent for reconsideration and set a timetable for that reconsideration to be completed. I made the following findings of fact:
(i) Inspector Dall obtained Dr Kar's report from the Council's Return-to-Work Co-ordinator on 15 December 2011;
(ii) In regard to the determination of 14 September 2012, Mr McBride did not conduct a review of the alleged conduct because of the erroneous finding that the conduct did not occur;
(iii) ALZ did not make any complaint against StateCover that warranted review by the Respondent;
(iv) the investigation of ALZ's complaint concerning the collection of Dr Kar's report from the Council did not relate to the management of ALZ's workers compensation claim;
(v) it was not reasonably necessary for the Respondent to collect information from StateCover for the proper exercise of an investigation of ALZ's complaints;
(vi) the WIMWC Act does not lawfully authorise or require non-compliance with IPPs and HPPs as asserted by the Respondent in the circumstances of this matter; and
(vii) section 53 of the PPIP Act does not authorise or require non-compliance with IPPs and HPPs as asserted by the Respondent in the circumstances of this matter.
The Respondent made a new determination following the remittal. ALZ was not satisfied with the new determination and therefore the matter continues in the Tribunal. Each of the parties provided written submissions in relation to how the matter should be determined. It was agreed that the matter should not be determined until after the decision in the appeal from the decision in ALZ No 1 was handed down, as the Appeal Panel was to consider similar issues to those to be determined in this matter.
The Appeal Panel decision is recorded as ALZ v WorkCover NSW [2015] NSWCATAP 138 ("the ALZ Appeal Panel decision"). In addition to the breaches that I had found, the Appeal Panel found that the Respondent had also contravened HPP 6. HPP 6 places broad obligations on agencies to take reasonable steps to ensure that individuals know what kinds of health information are held by the agency, and for what purposes and how to exercise their right to access that information.
The Appeal Panel stated that where an organisation is called to account in relation to its compliance with HPP 6, it is required to demonstrate to the Tribunal, to a reasonable level of satisfaction, that it has complied with HPP 6. At paragraphs [83] - [85] the Appeal Panel stated:
83 In our view, the normal expectation of an ordinary member of the community trying to find information responsive to HPP 6 would be that there will be a document, easily able to found, which organises the information in way that refers to HPP 6 and directly corresponds with its structure. As already noted, this primary document might contain a summary, or overview statement, that is then fleshed out by one or more linked documents. The objects of the Act are not satisfied, in our opinion, by steps that require the interested individual to undertake a website navigation exercise directed to a host of documents, and tucked-away paragraphs in those documents. We do not consider it satisfactory as a way of demonstrating compliance with such an important obligation to take the reader or the Tribunal on a website tour of bland passages in documents that are not linked in any comprehensible way.
84 We are not satisfied from the material on which the respondent relied that that the Tribunal had any reasonable or persuasive basis for concluding that HPP 6 had been met. In our view there was only one conclusion open to the Tribunal on the basis of the material before it, i.e. that the organisation did not demonstrate compliance with HPP 6 in relation to the kind of health information under notice in this case.
85 Accordingly we enter a finding of contravention of HPP 6.
ALZ requested that the Tribunal's President refer questions of law concerning the interpretation of the HPPs to the Supreme Court for the opinion of the Court, however that request was refused. ALZ also filed a notice of intention to appeal in the Court of Appeal but did not proceed with that application.
[2]
General principles regarding Appeal Panel decisions
In NSW Breeding and Racing v Administrative Decisions Tribunal [2001] NSWSC 494 at paragraphs [47] - [48] Barrett J observed in relation to the Administrative Decisions Tribunal Appeal Panel:
47 The Appeal Panel operates as a review body within a system of administrative law recently created by Parliament to meet a particular need in today's society. Appeal Panel decisions have, in the space of less than three years, come to occupy a position of persuasive influence within the Tribunal. Principles of importance enunciated by an Appeal Panel in Commissioner of Police v Toleafoa [1999] NSWADTAP 9 on matters unrelated to those in issue here have already been acted upon and applied in no less than seven Tribunal decisions. In Rittau v Commissioner of Police [2000] NSWADT 186, Judicial Member Robinson stated cogent reasons why members of the Tribunal should in general follow decisions of the Appeal Panel even though no principle of stare decisis requires them to do so. He said:
"The reasons why these decisions should be followed is because they are authoritative and they go some way to seeking to ensure consistency in the Tribunal's decision-making. Achieving that objective would constitute a significant step towards the Tribunal fulfilling its promotion and education role suggested in s.3(g) of the ADT Act which provides that the objects of the ADT Act are
`to provide and effect compliance by administrators with legislation enacted by Parliament for the benefit of the citizens of New South Wales'.
In my view, consistent decisions of the Tribunal go some way to promote and effect that compliance."
48 As Judicial Member Robinson noted, a similar approach is taken in the Commonwealth Administrative Appeals Tribunal: see Re Ganchov and Comcare (1990) 11 AAR 468.
In Rittau v Commissioner of Police Judicial Member Robinson stated:
"60 [F]or a number of reasons, I consider the Tribunal should ordinarily follow decisions of the Appeal Panel and decisions of the Tribunal as constituted by the President or the Deputy Presidents.
…
63 The Tribunal should only refuse to follow a decision of the Appeal Panel or the Tribunal as constituted by the President or the Deputy Presidents if it concludes that the previous decision is clearly wrong. That is the approach based upon comity adopted by some other Courts and Tribunals in Australia that are not strictly bound by their own previous decisions".
In BY v Director General, Attorney General's Department [2002] NSWADT 79 the Tribunal's President stated:
Threshold Issue: Reopening Prior, Considered Tribunal Rulings
21 The threshold question that arises before considering any further these contentions is whether the present Tribunal should revisit the prior considered rulings. Counsel for the Administering Minister acknowledged the importance of different panels of a Division of the Tribunal being seen to deal consistently with the same or like questions. He acknowledged that the view might be taken that it would not be appropriate to revisit the previous, considered rulings.
22 In my view, a later Tribunal should exercise caution in reopening prior, considered rulings of an earlier Tribunal. Ordinarily a later Tribunal should adopt the ruling of the earlier Tribunal; and leave these questions to be finally determined within the Tribunal at the Appeal Panel level. Notably in the earlier cases where the Administering Minister's submissions have been rejected, there was no appeal; but that may have been, as counsel for the Administering Minister suggested at hearing, because ultimately following full substantive consideration the determinations in issue were affirmed.
23 Normally a prior considered Tribunal ruling should only be reopened if a new, significant argument is raised before the later Tribunal. This is not such a case. Nonetheless, I consider that some discretion should be allowed to a Divisional Head sitting at first instance to revisit prior rulings, where the Divisional Head has doubts about the prior rulings or the questions involved are of great significance, such as ones raising important issues of power or jurisdiction. (Such a ruling may itself be appealed to the Appeal Panel. In that event, the Divisional Head, who would customarily preside, is ineligible. Where there is an appeal in relation to such a ruling, the Appeal Panel should, in my view, give consideration, if it regards the ruling as doubtful, to referring the controversial question to the Supreme Court for determination.)
This approach was applied consistently in the former Administrative Decisions Tribunal and has been adopted in this Tribunal. See for example Bevege v Commissioner of Police NSW Police Force [2014] NSWCATAD 22.
Accordingly, the Tribunal should only depart from the Appeal Panel decision if it is satisfied that that reasoning was plainly wrong. I agree with the Respondent's submission that ALZ has not demonstrated that to be the case in these circumstances.
[3]
The Redetermination
As noted above, I remitted the matter to the Respondent for redetermination. Ms Kim Kerr, the Respondent's Privacy Officer, issued an internal review decision pursuant to the remittal. The Respondent has provided the following reasonable summary of Ms Kerr's findings:
Collection of personal information (HPP1 / PPIP Act, s. 8)
a) The Respondent collected personal and health information from StateCover for the purpose of conducting an internal review under s. 53 of the PPIP Act in response to a complaint received from the applicant. The Respondent therefore had a lawful purpose for the collection of information from StateCover for the purposes of subparagraph (1)(a) of HPP 1 and s. 8 of the PPIP Act.
b) However, the Respondent incorrectly construed the scope of the First Internal Review as extending to the conduct of StateCover despite this not being the subject of the First Complaint. As such, collection of information from StateCover was not reasonably necessary for the purposes of the review. The collection of this information consequently breached the requirement in subparagraph (1)(b) of HPP 1 and s. 8 that collection be reasonably necessary for the purpose
Collection from the individual concerned (HPP3 / PPIP Act, s. 9)
a) The Respondent did not collect any of the information in question from the applicant.
b) There was no evidence that the applicant had authorised the collection of her personal or health information from StateCover for the purposes of s. 9(a) of the PPIP Act.
c) For the purposes of HPP 3, it was unreasonable or impracticable for the Respondent to collect the IME Report directly from the applicant as there was evidence before it that she did not hold a copy. However, there was otherwise no evidence that the Respondent had sought to obtain the information from the applicant before collecting it from StateCover.
d) No exceptions applied permitting not con-compliance with these provisions to the extent that they applied to the information in question. The Respondent had accordingly breached of HPP 3 and s. 9 of the PPIP Act.
Notification to the individual (HPP 4)
a) The Respondent breached HPP 4 by failing to take steps that were reasonable in the circumstances to inform the applicant that it had collected the relevant health information from StateCover. None of the exceptions were available.
Retention and Security (HPP 5 / PPIP Act. s. 12)
a) The Respondent did not breach HPP 5 or s. 12.
b) In respect of the information obtained from StateCover, the information was provided to or accessed by the Respondent in the process of conducting a review under the PPIP Act. As such, it was necessary that those records be maintained after the conclusion of the review in accordance with the State Records Act 1998. Applications and associated documentation in accordance of s. 53 of the PPIP Act are saved within the Respondent's records management database under a designated PPIP and HRIP Act classification. This classification is given a restricted access security level.
c) Moreover, electronic mailboxes records created for the purposes of conducting a review in accordance with the PPIP Act were saved on the Respondent's hard drives in files secured with restricted access that could only be accessed by a limited number of officers.
Disclosure (HPP 11 / PPIP Act, s. 18)
a) The Respondent did not breach HPP 11 or ss. 18-19 in providing health and/or personal information relating to the applicant to the Information and Privacy Commissioner, the NCAT and the Respondent's legal representatives.
b) Insofar as the Respondent disclosed the applicant's personal or health information to the IPC, the disclosure was authorised by s. 54 of the PPIP Act.
c) Insofar as the information was disclosed to the Tribunal, disclosure was required by s. 58 of the ADR Act.
d) Insofar as the information was provided to the Respondent's legal representatives, there was no relevant "disclosure". The legal representatives acted as an agent on behalf the Respondent, and were therefore an extension of it. There could not therefore be a "disclosure" on account of the information being passed on to the legal representatives.
Accuracy (HPP 9 / PPIP Act, s. 16) and use (HPP 10 / PPIP Act, s. 17)
a) The Respondent did not breach [any of the accuracy (section 16 of the PPIP Act and to HPP 9) and use (section 17 of the PPIP Act and HPP10)]
b) Generally, despite the reviewer's misconception of the scope of the review in the determination of the First Complaint, the use of each document was for the purpose of conducting an investigation in response to the internal review request.
c) In terms of the specific information collected:
a. Emails from StateCover to the Respondent:
As the information contained in the email was obtained directly from StateCover's claim file, the Respondent was entitled to believe that the information was relevant, accurate, up to date, and not misleading.
b. Workers compensation claim forms:
As the forms were filled out and signed by the applicant, it was reasonable to conclude that the information they contained was up to date and accurate.
c. IME Report (as obtained from StateCover):
As the report was prepared by a properly-qualified medical practitioner, the reviewer was justified in assuming that the medical report was the product of a skilled professional and contained information that was reasonably reliable, accurate, complete and not misleading.
d. First internal review decision letter:
Six pieces of personal and/or health information were identified as being contained in this letter. In each case, the source of the information permitted the Respondent to assume that the information was reliable, accurate, complete and not misleading.
e. WSMS report:
As the report was used by the Respondent to inform its understanding of the investigation conducted by Inspector Dall, and the information was entered into WSMS by persons actively involved in complaints and investigations, it was reasonable to consider that the involved officers had entered the information accurately.
In light of my decision in ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122, the Respondent now concedes that its conduct involved a breach of HPP 5 and section 12 of the PPIP Act. It submits that there has otherwise been no breach of the HPPs or IPPs in the present case.
ALZ was not satisfied with Ms Kerr's determination. When the matter again came before the Tribunal ALZ indicated that she wished to proceed with a review of the conduct.
[4]
The Remaining Issues
As noted above, the Respondent has conceded breaches of several IPPs and HPPs. It accepts that its conduct breached the following provisions of the HRIP Act and the PPIP Act:
HRIP Act HPP 1 and the PPIP Act section 8(1)(b) (collection of health/personal information);
HRIP Act HPP 3 and the PPIP Act section 9 (collection of health/personal information other than from the person concerned);
HRIP Act HPP 4 (notification).
HRIP Act HPP 5 and the PPIP Act section 12 (retention and security of information).
I agree with those concessions and find that the conceded breaches have occurred. As Ms Kerr found that HRIP Act HPP 5 and the PPIP Act section 12 were not breached I will briefly discuss these provisions later in these reasons.
The Respondent has not found breaches of any other HPPs or IPPs in the present case. It seems that the following alleged breaches of the HPPs and IPPs are now before the Tribunal:
a) HPP 5 / section 12 (retention and security of information)
b) HPP 9 / section 16 (currency of information)
c) HPP 10 / section 17 (use of information)
d) HPP 11 / section 18-19 (disclosure of information)
ALZ also challenges the basis of the conclusion in Ms Kerr's determination that the Respondent had breached HPP 1 and section 8 of the PPIP Act. She asserts that in addition to the collection of her personal and health information from StateCover breaching the requirements for reasonable necessity in subsection (1)(b) of those provisions, collection also breached the requirements of subsections 8 (1)(a) of the PPIP Act.
Each of the parties has filed written submissions on which they rely. ALZ relies on her own statement dated 7 October 2014. Leave was granted to ALZ to rely on the Statement of Susan Kelly, dated 4 August 2014, which was filed in the related Tribunal proceedings, File nos: 123291 and 133003, on the basis that the statement contains evidence relevant to an issue identified in this matter. ALZ also relies on the Statement of Craig McBride, dated 10 October 2013 filed by the Respondent in these proceedings.
[5]
HPP 1 / section 8
The Respondent collected ALZ's personal and health information from StateCover. The Respondent identified the collected information as:
a) Emails from StateCover to the Respondent, collected by the Respondent from StateCover;
b) Workers Compensation forms prepared ALZ, obtained by the Respondent from StateCover;
c) A copy of the Medical Report obtained from StateCover;
d) The First Internal Review Decision letter; and
e) An internal Workplace Safety Management System (WSMS) report on the outcome of Inspector Dall's investigation.
HPP 1 of the HRIP Act and section 8 of the PPIP Act are in similar terms. HPP 1 of the HRIP Act provides:
Purposes of collection of health information
(1) An organisation must not collect health information unless:
(a) the information is collected for a lawful purpose that is directly related to a function or activity of the organisation, and
(b) the collection of the information is reasonably necessary for that purpose.
(2) An organisation must not collect health information by any unlawful means.
ALZ submits that these provisions prohibited the Respondent from collecting her health information unless the information was collected for a lawful purpose that was directly related to a function or activity of the agency. ALZ submits that subsection (1)(a) was breached, insofar as collection of information in course of the review of the conduct that was the subject of her complaint, as it was not for a lawful purpose; and subsection (2) was breached, as collection was by "unlawful means" because of section 11.
The Respondent concedes that the collection of ALZ's personal and health information breached the requirement in subparagraph (1)(b) of HPP 1 and section 8 in that the collection was not reasonably necessary for the purpose of conducting an internal review under section 53 of the PPIP Act in response to a complaint received from ALZ.
However, the Respondent say that section 53 of the PPIP Act provides their lawful purpose of collection.
The Respondent points to a number of decisions of this Tribunal and the Administrative Decisions Tribunal that have considered the expression "lawful purpose" in subsection (1)(a) of HPP 1 and section 8 of the PPIP Act. Two different interpretations of "lawful purpose" have been identified:
a) "a purpose that is authorised, as opposed to not forbidden, by law"; and
b) "a purpose that is not forbidden, rather than positively authorised, by law".
I considered this issue in some detail in my decision in NX v Office of the Director of Public Prosecutions [2005] NSWADT 74. At paragraphs [19] - [26] I stated:
Section 8 - "Collection" of personal information
19 Section 8 of the PPIP Act embodies two broad prohibitions. First, by section 8(1) a public sector agency must not collect personal information unless it is collected for a "lawful purpose" that is directly related to a function or activity or the agency and the collection of the information is reasonably necessary for that purpose. Secondly, section 8(2) provides that a public sector agency must not collect personal information by "unlawful means."
20 The first limb of section 8 raises the issue of what "lawful purpose" means. The term is not defined in the PPIP Act and it has not been considered in the Tribunal in the context of section 8 of the PPIP Act.
21 The High Court in Taikato v The Queen [1996] HCA 28; (1996) 186 CLR 454 considered the meaning of the term "lawful purpose" in the context of section 545E (now renumbered as section 93FB) of the Crimes Act 1900. The issue there was whether the accused had a reasonable excuse for possessing a prohibited article or possessed it "for a lawful purpose". Brennan CJ, Toohey, McHugh and Gummow JJ said at 460:
"[L]awful purpose" in s 545E(2) should be read as a purpose that is authorised, as opposed to not forbidden, by law because that meaning best gives effect to the object of the section. The meaning of "lawful" depends on its context, as Napier J pointed out in Crafter v Kelly [1941] SASR 237 at 243. As a result, a "lawful purpose" may mean a purpose not forbidden by law or not unlawful under the statute that enacts the term: Bear v Lynch [1909] HCA 31; (1909) 8 CLR 592 at 600, 603, 606; or it can mean a purpose that is supported by a positive rule of law: Crafter [1941] SASR 237 at 243-245.
If the term has the former meaning, the defence of "lawful purpose" covers any purpose unless the legislation or the general law prohibits it. Thus, in Bear v Lynch [1909] HCA 31; (1909) 8 CLR 592 this Court held that a person who was playing cards on licensed premises with a lodger during prohibited hours was there for a "lawful purpose" because the legislation did not prohibit playing the card game. That decision can be contrasted with Windsor v Denastazi [1957] SR (NSW) 462 at 464-465 where the New South Wales Court of Criminal Appeal held that, under the Gaming and Betting Act 1912 (NSW), a person playing a lawful card game in a common gaming house was not there for a "lawful purpose" because all gaming in a common gaming house was prohibited under that Act.
As a general rule, interpreting "lawful purpose" in a legislative provision to mean a purpose that is not forbidden, rather than positively authorised, by law is the interpretation that best gives effect to the legislative purpose of the enactment. This is because statutes are interpreted in accordance with the presumption that Parliament does not take away existing rights unless it does so expressly or by necessary implication Potter v Minahan [1908] HCA 63; (1908) 7 CLR 277 at 304; Corporate Affairs Commission (NSW) v Yuill [1991] HCA 28; (1991) 172 CLR 319 at 322, 338; Coco v The Queen [1994] HCA 15; (1994) 179 CLR 427 at 436-437.
Nevertheless, the purpose, context or subject matter of a legislative provision may indicate that Parliament has used the term "lawful purpose" to mean a purpose that is positively authorised by law. That seems to be the best interpretation of the term in the present case."
22 I agree with the ODPP submission that in the context of section 8 of the PPIP Act, "lawful purpose" should be given the first of the two meanings discussed by the High Court above. In the present case, the purpose for which the criminal history record was collected was to assess NX's suitability to perform work unsupervised at the ODPP office. Such a purpose is lawful. It follows, in my view, that the ODPP has not breached section 8(1) in this case.
23 Under the second limb of section 8 of the PPIP Act, the question is whether the collection of the criminal history record was by "unlawful means". The term "unlawful means" is not defined in the PPIP Act. The Oxford English Dictionary defines "unlawful" to mean, "contrary to law; prohibited by law; illegal".
24 There has been limited consideration of the meaning of the term in the Tribunal. In GV v Office of the Director of Public Prosecutions [2003] NSWADT 177, Robinson JM did not come to a definitive conclusion. At paragraph 47 of his reasons he said:
"I do not consider that a telephone call from the DPP clerk to the doctor requesting the further medical certificate constituted an "unlawful means" within the meaning of that expression in section 8(2). It was plainly lawful for her to pick up a telephone and make a request. ..."
25 In forming this conclusion the Judicial Member appears to have adopted the dictionary definition and formed the view that the word "unlawful" should be taken as meaning a positive legal prohibition. This seems to me to be the correct approach.
26 If this approach is applied in the context of section 8(2) it follows that "unlawful means" refers to the collection of information by means that are prohibited by the law.
In WL v Randwick City Council [2001] NSWADTAP 58 the Appeal Panel stated at paragraphs [45] and [47].
45 The words 'lawful purpose' within s 8 mean 'a purpose that is authorised, as opposed to not forbidden, by law': NX v Office of the Director of Public Prosecutions [2005] NSWADT 74 at [21]- [22]. The Council, in its internal review of the privacy determination, stated that access to the property was obtained under the authority of the EPA Act.
…
47 … The word 'unlawful' in s 8(2) refers to a positive legal prohibition: NX v Office of the Director of Public Prosecutions [2005] NSWADT 74 at [25]; GV v Office of the Director of Public Prosecutions [2003] NSWADT 177 at [47]. ...
In PN v Department of Education and Training [2009] NSWADT 287 I stated at paragraph [153]:
153 Section 8(1) of the PPIP Act provides that a public sector agency must not collect personal information unless it is collected for a "lawful purpose" that is directly related to a function or activity of the Agency and the collection of the information is reasonably necessary for that purpose. Section 8(2) provides that a public sector agency must not collect personal information by "unlawful means." "Lawful purpose" as has been stated to generally mean, a purpose that is not forbidden, rather than positively authorised, by law: NX v Office of the Director of Public Prosecutions [2005] NSWADT 74 at paragraph [22]. "Unlawful means" refers to the collection of information by means that are prohibited by the law: NX v Office of the Director of Public Prosecutions [2005] NSWADT 74 at paragraph [26].
That view was endorsed by the Appeal Panel in PN v Department of Education and Training [2010] NSWADTAP 59, at paragraphs [23] and [65].
The term "purpose" itself is relevantly defined in the Oxford English Dictionary to mean:
1. That which a person sets out to do or attain; an object in view; a determined intention or aim.
The Respondent submits that the ordinary meaning of the word "purpose" directs attention to the objective that a person seeks to achieve when performing an act. It is therefore necessary to enquire as to the result that the person seeks to bring about. In this regard, it submits that Mr McBride collected information from StateCover with the object of conducting a review of conduct the subject of an application made under section 53(1) the PPIP Act. It further submits that this purpose was related to the agency's function of conducting reviews under the PPIP Act.
Furthermore this object satisfied either of the possible constructions of the term "lawful purpose". There was no positive legal prohibition in the general law against the conduct of a review, and there was a positive legal obligation on the part of the Respondent to undertake a review under section 53 following the receipt of an application.
The Respondent submits that the fact that Mr McBride misconceived the scope of the conduct the subject of the application and collected the information unnecessarily does not alter the fact that the collection was directed to the end of fulfilling a lawful, investigative purpose.
In contrast, ALZ submits that the Respondent did not have a lawful purpose to collect her information from StateCover. She contends that where a decision-maker collects information in the course of a review of conduct under section 53 that is not the subject of an application, they cannot be acting for a lawful purpose. This is because the only lawful purpose was that of investigating the specific conduct the subject of her complaint, which did not extend to the conduct of StateCover.
Adopting the approach taken by the Appeal Panel in PN v Department of Education and Training [2010] NSWADTAP 59, "lawful purpose" is to be interpreted to mean a purpose that is not forbidden, rather than positively authorised, by law. "Unlawful means" refers to the collection of information by means that are prohibited by the law.
In the circumstances of this matter, there was no positive legal prohibition in the general law against the conduct of a review.
Nevertheless, it is clear that section 8 required compliance with both subsection (1)(a) and 1(b). The Respondent has conceded that it did not comply with subsection (1)(b). I agree with that conclusion. It follows that the Respondent has contravened HPP 1 and section 8.
[6]
HPP 5 / section 12
These provisions require that a public sector agency that holds personal information must ensure ... "(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse".
Ms Laing's evidence is that copies of the Medical Report were kept in an Outlook folder on her computer which was password protected.
I have previously expressed the view that a higher level of protection than an ordinary computer password would be appropriate for a document with the sensitivity of the medical Report. The Respondent concedes that the same reasoning applies to the handling of the medical report in the course of the Internal Reviews. The Respondent therefore acknowledges that there has been a breach of HPP 5 in its handling of copies of the Medical Report.
I agree with that conclusion and find that the Respondent's conduct in respect of copies of the Medical Report breached HPP 5 and section 12.
[7]
HPP 9 / section 16
These provisions require that a public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
ALZ submits that any material collected from StateCover was irrelevant to the subject matter of the internal reviews. This is consistent with the view that I previously expressed that "There would have been simply no need for communication between the Respondent and StateCover in regard to the investigation concerning the collection of Dr Kar's report from the Council".
I remain of that view. The Respondent concedes that collection of information from StateCover was not reasonably necessary for the purposes of the review of the conduct that was the subject of the complaint. It is not in dispute that the Respondent used the information. In my view it follows that it could not be relevant to that review. It follows, in my view, that if the review of the conduct that was the subject of the complaint was the purpose for which the information was proposed to be used, then the Respondent used the information without taking reasonable steps to ensure the information was relevant. If that were the case then the Respondent's conduct would have breached HPP 9 and section 16.
However, it seems that the review of the conduct that was the subject of the complaint was not the purpose for which the information obtained from StateCover was proposed to be used. This seems to be the case because Mr McBride had wrongly concluded that the alleged conduct had not occurred. He therefore purported to undertake a review of other conduct. He proposed to use the information obtained from StateCover for that review.
It does not follow that because the information was irrelevant to the review of the conduct that was the subject of the complaint that it was also irrelevant to the review that Mr McBride proposed to undertake.
This construction is consistent with the view expressed by the Appeal Panel in the ALZ Appeal Panel decision. The "primary purpose" of collection is that of the collector of the health information in question.
Referring to the application of HPP 9 to the use of a medical report in the course of an investigation, the Appeal Panel said:
"96 Clearly, it is less than desirable that the maker of a complaint is not informed, and given the opportunity to respond to any provisional conclusions an inspector is forming in relation to the strength of their complaint, and to be informed of the data that it is being relied upon. But HPP 9 does not contain any requirement as prescriptive as that".
In my view, for the reasons argued by the Respondent, it was reasonable in the circumstances in which the information was obtained for the Respondent to accept that the information was relevant, accurate, up to date, complete and not misleading. It follows that the Respondent's conduct would not have breached HPP 9 and section 16.
[8]
HPP 10 / section 17
These provisions require that, with limited exceptions, a public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected.
As noted, the Appeal Panel considered HPP 10, and concluded that the "primary purpose" of collection is that of the collector of the health information in question. The Respondent submits that the ALZ Appeal Panel decision should be applied, to the extent that it is relevant to this proceeding.
ALZ submits that HPP 10 should be read so as to prohibit an agency from using of health information for the intended purpose without the consent of the individual involved. The applicant also submits that the Respondent's breaches of HPPs 3 and 4 resulted in a breach of HPP 10.
The Respondent submits that HPP 10 restricts use of health information for purposes other than that for which the information was collected to specific, enumerated situations. In its terms, it is silent as to the prerequisites for the use of health information for the primary purpose for which the information was collected.
It further submits that there is nothing in the words of the HPP 10 that would permit the provision to be construed so as to prevent an agency from using information for the primary purpose for which it was collected without a person's consent. Moreover, while HPP 10(1)(a)) provides that consent is a basis on which information can be used for a secondary purpose, it is but one of several, suggesting that the HRIP Act contemplates uses of health information that occur without a person's consent.
Further, to the extent that ALZ asserts that HPP 10 was breached by the Respondent on account of its breaches of HPPs 3 and 4, the Respondent submits that there is nothing in the text of HPP 10 that supports this construction. HPP 10 is concerned with the primary and secondary uses of information after collection, as opposed to the identity of the person from whom the information must be collected (HPP 3) and the information provided to the subject of the information after collection (HPP 4).
The Respondent therefore submits that ALZ's further submissions do not disclose any basis on which it could be said that the Respondent breached HPP 10 in this matter.
While I agree with ALZ that that collection of information from StateCover was not necessary for the purposes of the review of the conduct that was the subject of the complaint, it does not follow that the information was used for a purpose other than that for which it was collected. As I have noted above, Mr McBride had wrongly concluded that the alleged conduct had not occurred and undertook another review. He proposed to use the information obtained from StateCover for that review and did so.
In these circumstances I am not satisfied that the Respondent breached HPP 10 and section 17.
[9]
HPP 11 / section 18-19
ALZ complained of three separate disclosures by the Respondent of information obtained by Mr McBride in the course of the internal reviews. These disclosures were to the Privacy Commissioner ("the Commissioner"), the Tribunal and the Respondent's legal representatives.
HPP 11 and section 18 of the PPIP Act limit the circumstances in which personal and health information can be disclosed by an agency. An exception to the provision's operation applies if the agency is lawfully authorised or required not to comply with the principle concerned, or non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).
It is not in dispute that the information was provided to the Commissioner, the Tribunal and the Respondent's legal representatives. However, the Respondent contends that it did not breach HPP 11 or sections 18 - 19 in doing so.
The Respondent submits that insofar as it disclosed the information to the Commissioner, the disclosure was authorised by section 54 of the PPIP Act. It argues that the section contemplates the Commissioner "overseeing" the conduct of the review. Section 54(1)(b) requires that a decision-maker "keep the Commissioner informed of the progress of an internal review". The Respondent submits that this provision should be read as extending to providing the Commissioner with material gathered in the course of the internal review investigation. It argues that to not do so would frustrate the exercise of the function conferred on the Commissioner.
The Respondent further submits that section 54 would authorise disclosure of information in this manner even where the scope of the review has exceeded what was required by the complaint. It is appropriate to read section 54(1)(b) as requiring the decision-maker to update the Commissioner as to the progress of the review in fact being conducted, as this allows the Commissioner to effectively exercise the oversight function - including that of advising the agency that a review has exceeded its appropriate scope, where necessary.
ALZ relies on comments made in JD v New South Wales Medical Board [2008] NSWADT 67 as authority for the proposition that section 54 does not permit a decision-maker to disclose information it holds to the Privacy Commissioner at any time.
The Respondent notes, correctly in my view, that the circumstances considered in JD v New South Wales Medical Board are quite different from those in this matter. That case dealt with a situation in which disclosure to the Commissioner has occurred other than in the course of a section 53 review. In the present case, disclosure to the Commissioner occurred in the course of an internal review for the purposes of informing the Commissioner of its progress.
I do not agree that JD v New South Wales Medical Board stands for a general proposition that section 54 does not permit an agency to disclose personal or health information gathered in the course of an internal review to the Commissioner. In the circumstances of this matter I agree with the Respondent that section 54 authorised disclosure of information to the Commissioner.
The Respondent submits that insofar as the information was disclosed to the Tribunal, disclosure was required by section 58 of the Administrative Decisions Review Act 1997. I agree with that submission. Section 58(1) provides:
58 Duty of administrator to lodge material documents with Tribunal where decision reviewed
(1) An administrator whose administratively reviewable decision is the subject of an application for review to the Tribunal must, within 28 days after receiving notice of the application, lodge with the Tribunal:
(a) a copy of any statement of reasons given to the applicant under section 49 (or, if no such statement was given to the applicant, a statement of reasons setting out the matters referred to in section 49 (3)), and
(a1) a copy of any statement of reasons for a decision in an internal review conducted in respect of the administratively reviewable decision, and
(b) a copy of every document or part of a document that is in the possession, or under the control, of the administrator that the administrator considers to be relevant to the determination of the application by the Tribunal.
In my view, section 58 required that the Respondent disclosed the information to the Tribunal.
I also agree that insofar as the information was provided to the Respondent's legal representatives, there was no relevant "disclosure". The legal representatives acted as an agent on behalf the Respondent. Therefore, there could not be a "disclosure" on account of the information being passed on to the Respondent's legal representatives.
[10]
Conclusion
For these reasons, I find that the Respondent's conduct has breached a number of HPPs and IPPs as I have identified. It remains to be determined what orders should be made following on from these findings.
I encourage the parties to attempt to reach an agreement in this regard. Formal mediation can be arranged through the Tribunal to assist in this process. If the parties wish to avail themselves of this mediation process, they should approach the registry to make those arrangements.
However, in the event that agreement cannot be reached, the matter is to be listed for further directions at 11.30 am on Tuesday 26 July 2016.
[11]
Orders
The matter is listed for further directions at 11.30 am on Tuesday 26 July 2016.
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 12 June 2018