On 25 October 2016, CBL ("the Applicant") applied to the Tribunal for a review under the Privacy and Personal Information Protection Act 1998 (NSW) ("PPIP Act") of certain conduct by the employees and officers of Southern Cross University ("the Respondent").
CBL is the applicant's pseudonym, in that the Tribunal has de-identified the applicant's name from any open reasons consistent with the practice of the Tribunal in privacy reviews. This is an application for a review of the conduct of the Respondent Public Sector Agency, which was subject to an Internal Review application under Part 5 of the PPIP Act.
The Tribunal has reviewed the conduct which fell within the scope of the Internal Review and for the reasons that follow, finds that there is no breach of an Information Protection Principle (IPP) under the PPIP Act.
[2]
Background
In October 2011 an electronic rule was set up within the Respondent's email system, by which any emails from the Applicant's known email addresses were automatically redirected to the Respondent's Legal Unit at legal@scu.edu.au. This rule was set up at the request of the then Vice Chancellor.
On 15 August 2016, the Applicant requested an internal review pursuant to s. 53 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act). The Applicant's complaint was in the following terms:
The conduct of the University about which I am complaining is the interception of emails from me to specific persons within the University, and the redirection of these emails, without my consent, from the intended recipient, to the University Legal Unit.
The emails I am referring to in particular are emails from me to the Vice-Chancellor dated 17/2/16, 15/3/16, 12/4/16, 3/3/16, and 24/6/16, as well as an email from me to the SCU Further Studies Team dated 29/5/16.
I am aware that a recent NCAT decision, in principle, cleared the University of any breach of privacy principles in the interception of my emails. However it is relevant that in the above matter the University successfully argued that the emails from me were not solicited.
With each of the above emails, however, I believe it is demonstrable that the emails from me were solicited, in that these emails were either a) a response to an invitation from a University Officer to forward further information, or b) in response to the general urgings within the SCU Public Interest Disclosure Policy for a would-be reporter to lodge a report.
I therefore contend the findings in the recent NCAT decision are not relevant to this complaint.
On 4 October 2016, the Respondent's Privacy and Information Officer, Elizabeth Kelleher, notified the Applicant of her review of the complaint in accordance with section 53 of the PPIP Act ("the reviewable decision"). The reviewable decision contained the following findings:
In relation to the emails dated 17 February 2016; 15 March 2016; 12 April 2016; 3 June 2016 and 29 May 2016 - the Information Protection Principles has not been breached.
In relation to the email dated 24 June 2016 - no record of the email was found.
On 20 October 2016, the Applicant lodged an Application for Administrative Review with this Tribunal, on the following grounds:
The University is in breach of the principles set down in the PPIP Act 1998.
On 3 July 2017, the Applicant gave the Respondent a copy of his email of 24 June 2016. The Respondent agreed to conduct a review under section 53 of the PPIP Act in respect of this email, in accordance with the Applicant's initial request for internal review of 15 August 2016.
During case management of the proceedings, the Applicant sought determinations on a number of procedural and evidential issues, submitted to be relevant to the Tribunal's review. Deputy President Hennessy addressed some of these issues in her interlocutory decision of 26 October 2017 in which she identified as the "real issues in dispute in the proceedings" the following:
The identification of the conduct that was the subject of the application under s53 of the PPIP Act;
Whether, pursuant to s52(1) of the PPIP Act, that conduct is a contravention by the University of an information protection principle or a privacy code of practice that applies to the University; and
If it is, whether the Tribunal should take any of the action set out in s55(2) of the PPIP Act.
At hearing on 30 October 2017, the Applicant relied on his written submissions dated 15 August 2017, 19 September 2017, and 26 October 2017, evidence and submissions regarding each of the emails in question, and provided a number of contextual documents including chronologies and extracts from the Respondent's policies. The Respondent relied on its submissions dated 30 August 2017, the affidavit evidence of Elizabeth Ann Kelleher dated 30 August 2017, and documents filed pursuant to s58 of the Administrative Decisions Review Act 1997 (the ADR Act). There were no submissions made in relation to the Respondent's privacy code of practice.
Applicable legislation
The Tribunal's jurisdiction is governed by section 55 of the PPIP Act.
Information Protection Principles 1, 3, 4 and 11 relate to sections 8, 10, 11 and 18 of the PPIP Act respectively and provide as follows:
8 COLLECTION OF PERSONAL INFORMATION FOR LAWFUL PURPOSES
(1) A public sector agency must not collect personal information unless:
(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b) the collection of the information is reasonably necessary for that purpose.
(2) A public sector agency must not collect personal information by any unlawful means
10 REQUIREMENTS WHEN COLLECTING PERSONAL INFORMATION
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following:
(a) the fact that the information is being collected,
(b) the purposes for which the information is being collected,
(c) the intended recipients of the information,
(d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e) the existence of any right of access to, and correction of, the information,
(f) the name and address of the agency that is collecting the information and the agency that is to hold the information.
11 OTHER REQUIREMENTS RELATING TO COLLECTION OF PERSONAL INFORMATION
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:
(a) the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
18 LIMITS ON DISCLOSURE OF PERSONAL INFORMATION
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
[3]
Collection and disclosure
The Applicant submitted that the interception and redirection of his emails to the Legal Unit, the failure to provide a lawful purpose for the collection of his emails by the Legal Unit, and failure to inform him of the purpose for the collection of his emails by the Legal Unit, was the conduct subject to the application under s53 of the PPIP Act by the Applicant.
Having identified the conduct, the Tribunal is to determine whether, pursuant to s52(1) of the PPIP Act, that conduct is a contravention by the Respondent of an information protection principle. The Applicant submitted, with respect to the alleged contraventions of the PPIP Act:
42. With regard to the privacy principle set down in PPIP Act Section 8, that is, Principle #1,1 contend that the University has yet to articulate what the lawful purpose is for which my personal information is being collected by the SCU Legal Unit, how this supposedly is directly related to a function or activity of the University, and how the collection of the information is reasonably necessary for that purpose.
43. I therefore contend that the University is in breach of PPIP Act Section 8, that is, Principle #1.
44. If I am correct in my own view as to the purpose of the action of the Vice-Chancellor, then I contend this was not and is not a lawful purpose, as this involves a breach of the PID Act Sections 6E(l)(c), 21 and 22, in that:
a) The purpose or object of the action was/is to avoid the statutory responsibility of the Vice-Chancellor to assess PID reports which have been forwarded to him;
b) The purpose or object of the action is contrary to the statutory responsibility of the Vice-Chancellor (and the University) not to take any action against a person for making a PID;
c) The purpose or object of the action is contrary to the statutory responsibility of the Vice-Chancellor (and the University) to maintain confidentiality regarding PIDs.
45. With regard to the privacy principle set down in PPIP Act Section 10, that is, Principle #3, I re-iterate that the University has yet to articulate what the purposes for which the information is being collected, that is, the purposes for which the information is being sent to and thus collected by the SCU Legal Unit.
46. With regard to the privacy principle set down in PPIP Act Section 11 (a), that is, Principle #4, I contend that it is difficult to determine with certainty whether the collection of information is relevant to the supposed purpose, as the University has yet to identify with certainty the purpose for the collection of the information.
47. With regard to the privacy principle set down in PPIP Act Section 11 (b), that is, Principle #4, I contend that the collection of the information does intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates, in that the emails often contain confidential information, and, in the case of the Designated Emails, these emails contain confidential information about PIDs and confidential information about a meeting between the Vice-Chancellor and CBL.
48. With regard to the privacy principles set down in PPIP Act Section 18, that is, Principle #11, I contend the action of the University in automatically sending PID reports to the SCU Legal Unit may be in breach of PID Act, as explained above.
The Applicant contends that the University may be in breach of NSW Information Protection Principles 1, 3 and 4 in relation to the collection of the information by the University's Legal Unit. The Applicant also contends that the University may be in breach of NSW Information Protection Principle 11 by automatically sending Public Interest Disclosure ("PID") reports to the University's Legal Unit, in contravention of the Public Interest Disclosures Act 1994 ("PID Act"). He submitted that the decision to redirect his emails was done for an unlawful purpose, to ostracise him because he was a whistleblower.
The Applicant's complaints rely on an interpretation of the PPIP Act whereby the collection principles apply to each internal movement of personal information within an agency. The respondent submitted that this interpretation of the PPIP Act would be unworkable in practice.
Sections 8, 10 and 11 of the PPIP Act relate to the collection of personal information by an agency. In ZR v NSW Department of Education and Training (GD) [2009] NSWADTAP 69 ("ZR") the Appeal Panel at [64] - [65] held:
64 Sections 8 to 11 apply, in our view, to a planned process of collection relating to what the agency sees as the exercise of its official functions. The opposite party to the relationship must be an 'individual', and, normally that would be an individual belonging to the ordinary community - a 'citizen', using that term broadly. These provisions are not concerned with internal movements of personal information within agencies. The position is different where the agency is collecting information from its own personnel for administrative purposes connected with, for example, the employment relationship. In that circumstance, while it might be said that this in an 'internal' activity, the personnel are entitled to the usual protections other members of the community have in relation to compliance with the Collection Principles.
65 What happened in this case was that officers of the agency briefed a relevant senior officer in relation to the matters raised at the meeting. They referred to concerns they had as to the appropriateness of the way the matters had been raised, and the impact on them of what had occurred. The senior officer took notes and composed a letter of reply. Circumstances like this will often give rise to the creation of records containing personal information that, thereby, attract the obligations imposed by the Privacy Act. In our view, the Tribunal was correct in approaching the issues that arose by reference to the Use and Disclosure principles. It would be artificial in the extreme to apply the Collection Principles to the internal recording process that took place.
Section 4(5) of the PPIP Act states that personal information is not collected if the receipt of the information is unsolicited. Whether and to what extent the Applicant's emails were generally "solicited" or "collected" by the respondent was the subject of findings by Senior Member Lucy in proceedings 1510350, between the same parties. However in those proceedings, the Tribunal had no evidence, for the reasons expressed in Senior Member Lucy's decision, that any of the emails were solicited:
One of the difficulties in these proceedings was there was very little evidence put on by [CBL]. [CBL] did not file any evidence of any direct invitations sent to him by the University to provide information, nor did he provide any of the emails in which he said his personal information had been mis-used, or collected wrongfully, or anything similar, despite the Tribunal having made orders giving him an opportunity to do that.
I am not satisfied that [CBL]'s personal information was collected by the University when he sent emails to persons other than persons in the legal office in circumstances where the University had directed him only to contact the legal office if he contacted the University at all. For those reasons, I do not accept that the collection principles apply.
In these proceedings, the Respondent accepted that the Applicant's emails dated 17 February 2016, 12 April 2016, 29 May 2016 and 3 June 2016 were solicited, and in evidence accepted that the email of 24 June 2016 was solicited, but maintained that the email of 15 March 2016 was not solicited. The Applicant submitted that the email of 15 March 2016 was sent by him in response to an email from the Respondent's Vice Chancellor of 21 February 2016 requesting him to "Please provide me with possible meeting dates". On review of the evidence I accept that submission and find that the email of 15 March 2016 was also solicited by the Respondent in a similar manner to the emails of 17 February 2016, 12 April 2016, 29 May 2016, and 3 June 2016.
It is not disputed that the solicited emails contained personal information of the Applicant, as the respondent accepted in the internal review decision that each of the solicited emails constituted the collection of the Applicant's personal information by the Respondent. The difference between the Applicant and the Respondent's position in these proceedings is whether the automatic redirection of the solicited emails from the intended recipients in the Respondent's email system to the Respondent's Legal Unit email address legal@scu.edu.au makes any difference to the collection being lawful.
The Applicant submitted that the evidence filed by him, in concert with the factual chronology in this case, supported a reasonable inference that the decision of October 2011 to send all emails from him to legal@scu.edu.au "was not a proper and lawful one". It was common ground that the redirection of his emails to legal@scu.edu.au was made at the instruction of the Respondent's Vice Chancellor. The Applicant filed extensive evidence which, broadly speaking, includes chronologies and summaries of his allegations of wrongdoing, misconduct, conflict of interest and corruption against the Respondent and various officers of the Respondent, including the Vice Chancellor, regarding the Respondent's negotiation and application of casual academic contracts, investigation of complaints, and handling of the Applicant's PID reports over a period of more than ten years. I find that his evidence does not demonstrate any impropriety or unlawfulness in the Respondent's decision to implement the subject email redirection. The Applicant has fundamentally misconceived the application of the "lawful purpose" requirement for collection of personal information under the PPIP Act. Further, the decision to implement the email redirection did not "solicit" or "collect" the Respondent's personal information. The solicitation was done by the particular employees or officers of the Respondent who requested a response or information from the Applicant, regarding his allegations and complaints against the Respondent. The collection was done by the Respondent agency.
In these proceedings the Tribunal does not have jurisdiction to make findings regarding the conduct of the Respondent at large, only whether its conduct in dealing with the solicited emails breached the PPIP Act. The evidence relevant to the determination of whether there was a lawful purpose for the Respondent's collection of the Applicant's personal information via the solicited emails, is the undisputed fact that the Applicant made a complaint to or allegation against the Respondent or its employees. The Applicant has not provided any evidence or submissions which suggest that there is any unlawfulness in the Respondent's employees or officers seeking written clarification or meetings with the Applicant to discuss those complaints or allegations, which comprised the solicitation under the PPIP Act. In the circumstances, I find that there is a lawful purpose for the Respondent's solicitation of the subject personal information.
The requirements for lawful purpose and lawful means of collection in section 8 of the PPIP Act are applicable to the Agency's functions or activities. Here, the solicited emails constituting the applicant's personal information were collected by the Respondent Agency for the purpose of arranging a meeting between the Applicant and an employee of the Respondent, or for the purpose of an employee or officer of the Respondent considering the Applicant's allegations of wrongdoing against the Respondent, both of which were in the context of the Applicant's allegations against the Respondent. I find there is nothing unlawful in the purpose for collection or in the means of collection of the Applicant's responses, which comprise and contain the personal information collected.
The Applicant submitted that the automatic redirection of emails distinguished it from cases involving an "internal movement" of information, such as ZR, and submitted that the final sentence in ZR at [64], to the effect that an agency collecting information from personnel for administrative purposes connected with the employment relationship is still required to comply with the Collection Principles, could apply to former personnel such as himself. I disagree that the internal, automatic redirection of the solicited emails makes any difference to whether or not the receipt of those emails resulted in collection of the Applicant's personal information by the Respondent Agency. In the circumstances, it does not matter who within the Respondent Agency received the Applicant's emails - whether they were received by the intended recipients, whether they were automatically redirected and received by another individual or individual within the Respondent Agency, or whether they were intentionally or unintentionally forwarded from one recipient to another within the Respondent Agency. They were solicited, and they were lawfully collected by the Respondent as an Agency. They therefore attract the obligations imposed by the PPIP Act.
Applying the requirements of the PPIP Act Collection Principles at sections 8, 10 and 11 of the PPIP Act, I find that the Respondent has not breached any of those provisions in its collection of the solicited emails:
1. Section 8(1)(a): as discussed above, the information was collected for a lawful purpose that is directly related to a function or activity of the agency, being the organisation of meetings with the Applicant and investigations into his allegations against the Respondent and its employees and officers.
2. Section 8(1)(b): there is no evidence or submissions before the Tribunal which suggest that the solicited emails and their collection requested excessive or irrelevant information. The collection of the information from the Applicant is reasonably necessary for the purpose of organising meetings with the Applicant and investigating his allegations against the Respondent and its employees and officers.
3. Section 8(2): there is no basis on which the Tribunal could find that the Respondent has collected the personal information from the Applicant by any unlawful means, and therefore no such finding is made.
4. Section 10(a): The Applicant was aware that the personal information contained in his emails was collected by the Respondent, because he sent the email to the Respondent's employees or officers. He was also aware by 2015 that the Respondent's Vice Chancellor placed an automatic redirection on his emails to the Respondent's Legal Unit. I accept the Respondent's submission that "The Applicant was aware at the time the emails were sent they would be redirected to the Respondent's Legal Office", on the basis of the Applicant's chronology:
4 October 2011. At 4:29pm, the Personal Assistant to Professor Lee emails Ms Emma Fountain, of the SCU Legal Unit, with a copy to the IT Head at SCU: "Can you work with IT to set up filters so that any email from [CBL] is diverted solely to Legal, and not received by other staff members (including VC)."
2 November 2011. SCU Legal Office confirms to CBL that a direction to request University Officers not to communicate with CBL came from the Vice-Chancellor.
…
6 March 2013. 4.36pm. SCU Legal Office emails Professor Evans, Head of Social Sciences: "Due to a longstanding matter, on the direction of the Vice-Chancellor, all emails from [CBL] to SCU recipients are diverted to the SCU Legal Office". This email and the following was part of an email exchange which was disclosed by the University on 1 October 2015.
1. Section 10(b): The Applicant was aware that the personal information contained in his emails was being collected by the Respondent for the purpose of arranging meetings with him and investigating his allegations.
2. Section 10(c): The Applicant was aware of who would receive the emails he sent the Respondent, as he was informed by 1 October 2015 that there had been a diversion of his emails to the Respondent's Legal Unit.
3. Section 10(d): The supply of the information by the Applicant was voluntary and there is no evidence of any consequences which would arise if the Applicant had not responded to the requests for information or confirmation by the Respondent's employees and officers which resulted in the solicited emails.
4. Section 10(e): There was no submission made by the Applicant that he required or desired any access to or correction of the information he sent the Respondent, and there is no suggestion that he could not do so.
5. Section 10(f): There is no suggestion that the Applicant was unaware of the Respondent Agency's name and address.
6. Section 11(a): There is no basis on which the Tribunal could find that the information collected was not relevant to the purpose of organising meetings with the Applicant and investigating his allegations against the Respondent and its employees and officers, that it was excessive, inaccurate, out of date, or incomplete.
7. Section 11(b): There is no basis for the Tribunal to find that the collection of the information intruded to an unreasonable extent on the personal affairs of the Applicant. The Applicant submitted that "the emails often contain confidential information, and, in the case of the Designated Emails, these emails contain confidential information about PIDs and confidential information about a meeting between the Vice-Chancellor and CBL" but this does not amount to intrusion in the applicant's personal affairs by the collection of the information, only that the Applicant seeks to ascribe confidentiality to its content. Section 11(b) is concerned with the method of collection intruding into the Applicant's personal affairs, not the content of the information.
As discussed in ZR at [65], the findings at 21 above demonstrate the artificiality in applying the Collection Principles to the collection of the Applicant's solicited emails by the Respondent:
65 …Circumstances like this will often give rise to the creation of records containing personal information that, thereby, attract the obligations imposed by the Privacy Act. In our view, the Tribunal was correct in approaching the issues that arose by reference to the Use and Disclosure principles. It would be artificial in the extreme to apply the Collection Principles to the internal recording process that took place.
The Applicant submitted that the purpose for the redirection of his emails was:
…in part, to limit the capacity of CBL to raise questions about irregularities within the 2008 investigation process, to limit the capacity of CBL to uncover that the 2008 investigation was a corrupt and dishonest one, and ultimately to limit public scrutiny of the 2008 investigation.
…
…in part, to limit the capacity of CBL to communicate directly with the University Chancellor, the Hon. Justice John Dowd, given that, due to Justice Dowd's experience as an eminent jurist, there was a possibility he would discern that senior officers of the University had been involved in corrupt and dishonest conduct.
I agree with the Respondent's submission that there is no requirement under the PPIP Act for the Respondent to articulate a lawful purpose for the internal redirection of the emails to the Respondent's Legal Unit. The "lawful purpose" requirement attaches to the collection of the emails by the Respondent Agency, as discussed above. The redirection is distinct from the Respondent Agency's collection of the personal information, for which I have found there is a lawful purpose. The reason or purpose for the redirection is more relevant to the question of whether, once collected by the Respondent, there was any breach of the PPIP Act requirements for use and disclosure.
The Use and Disclosure Principles are those contained in sections 16 to 18 of the PPIP Act. There were no specific submissions made about improper use of the Applicant's personal information and no findings in the reviewable decision relevant to use. To the extent necessary, I accept the Respondent's undisputed evidence that the only use made of the solicited emails was to arrange the meetings which were the subject of the emails, and for the Respondent to clarify and deal with the Applicant's complaints and PID statements.
The Applicant submitted that the redirection of his emails resulted in a breach of section 18 of the PPIP Act on the basis that his PID reports went automatically to the Respondent's Legal Unit, instead of the intended recipient. He therefore also sought review by the Tribunal of whether the redirection constituted any breaches of the PID Act. The respondent submitted that any reviews of alleged breaches of the PID Act are outside the Tribunal's jurisdiction in the current proceedings. I accept the Respondent's submissions that the Tribunal's review in these proceedings is confined in its scope by the initial request for internal review, reasonably construed, as expressed in VZ v University of Newcastle [2011] NSWADT 245 at [4], Department of Education and Training v GA (No.3) [2004] NSWADTAP 50, 'KO' & 'KP' v Commissioner of Police, New South Wales Police [2005] NSWADT 18 and Department of Education and Training v ZR (No 2) (GD) [2009] NSWADTAP 44. The Tribunal will not determine in these proceedings whether there has been a breach of the PID Act, but whether the conduct constituted a breach of section 18 of the PPIP Act.
Internal disclosures are not generally unlawful: AQK v Commissioner of Police NSW Police Force [2014] NSWCATAD 55 at [47]; but in certain circumstances may be. In CTH v The University of New South Wales [2017] NSWCATAD 244 (CTH) this Tribunal recently considered internal disclosures with regard to the decision in KJ v Wentworth Area Health Service [2004] NSWADT 84 (KJ) which addressed the discrete circumstances of when 'disclosure' within an agency might amount to disclosure of the purposes of the IPPs. At paragraphs [48] to [51] of KJ the Administrative Decisions Tribunal observed:
48 The Privacy Commissioner has submitted that there may be instances where a dissemination of information within an agency amounts to disclosure, either because the agency concerned consists of a number of discrete units, or the information is of such a confidential nature that it is reasonable to describe the manner in which it is disseminated as disclosure, or because of a combination of such factors. It is further submitted that an artificial distinction between use within an agency and disclosure outside may not be consistent with an individual's reasonable expectations of how their personal information, particularly sensitive personal information as defined in section 19, will be handled by an agency.
Finding in relation to IPP 12
49 Again I am in general agreement with the views expressed by the Privacy Commissioner. The Privacy Act does not clearly define what is meant by a public sector agency. In my view, the expression should be given a broad interpretation, consistent with the principle that personal information should be dealt with in an open and accountable manner. For example a statutory body that is administratively part of a larger public sector agency can constitute an agency in its own right. What constitutes a public sector agency will be a question of fact to be determined on a case by case basis.
50 While generally speaking the expression "disclosure" refers to making personal information available to people outside an agency, in the case of large public sector agencies consisting of specialised units, the exchange of personal information between units may constitute disclosure.
51 In the circumstances of this matter, I am satisfied that the Agency disclosed KJ's personal information in contravention of the requirements of section 19 of the Privacy Act as KJ has alleged. The exceptions provided by sections 26 and 28 of the Privacy Act are not applicable. I have no evidence on which I can determine whether this contravention of section 19 was wider than the Psychiatrist's sending letters to two outside doctors. Nevertheless, it is my view that by placing the sensitive information on KJ's general medical file, the Agency was at risk of disclosing that information. The exchange of the information between units within the Agency could, in my view, constitute disclosure. The Agency has acted prudently in separating the information from KJ's general file. The Agency should ensure that there is not further disclosure of the psychological information in contravention of IPP 12.
In KJ the Tribunal generally agreed with the Privacy Commissioner's submission that dissemination of information within an agency may amount to disclosure, either because the agency concerned consists of a number of discrete units, or the information is of such a confidential nature that it is reasonable to describe the manner in which it is disseminated as disclosure, or because of a combination of such factors.
The respondent submitted that these proceedings followed the decision in CTH, where the Tribunal found on the facts of that case that there was no disclosure. In CTH the Tribunal found:
In the current matter, HR provided one item of personal information (on two occasions) to the applicant's supervisor for stated business reasons. It is both the context and basis of providing that address, and the circumstances of what the respondent employer was trying to achieve, which in my view sanction that use of the information, when one has regard to the relevant legislative provisions, and I so find. I also find that on the basis of the cases outlined above, and an analysis of the facts in the current case, for the reasons outlined above that there has been no disclosure, even of the type contemplated in the case of KJ.
I disagree with the respondent's submissions that these proceedings are analogous to those in CTH. Although both concern Universities as Respondent Agencies, the similarities end there. However the Respondent Agency is not a large public sector agency with discrete units comparable to the Respondent Agency in KJ. As noted in CTH at [63]:
63. The question being whether the nature of the information being internally disclosed was sufficiently of such a confidential nature so as to depart from the collection and use principles to the extent that it amounted to disclosure for the purpose of section 18.
The personal information in these proceedings comprises the Applicant's name, contact details, and responses to the questions asked by the Respondent Agency's employees and officers for the purpose of clarifying and dealing with the Applicant's complaints and allegations against the Respondent Agency. I find that this information is not of a sufficiently confidential nature so as to consider their diversion to the Legal Unit's email address a disclosure for the purposes of section 18 of the PPIP Act.
Even if it was a disclosure under the PPIP Act, section 18(1)(b) provides an exception on the basis that the Applicant was aware that a diversion had been placed on his email address in the respondent's email system so that anything he sent to the Respondent's email addresses would be diverted and therefore disclosed to the Legal Unit's email address. Accordingly I find that there has been no breach of section 18 of the PPIP Act.
[4]
Conclusion
It therefore follows that there has been no breach of the PPIP Act in respect of the Respondent's collection, use or disclosure of the applicant's personal information contained in or comprising the solicited emails.
It also follows that the correct and preferable decision is to affirm the decision of the respondent and to take no further action on the matter.
[5]
Orders
(1) The respondent's decision of 4 October 2016 is affirmed.
[6]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 14 May 2018