CBL v Southern Cross University

NCAT Appeal Panel|2018-10-09|Before: Dr J

Overview

In October 2011, a rule was set up in Southern Cross University's email system so that any emails received from CBL's email addresses were automatically redirected to the University's Legal Office email address. We will refer to this conduct as the "email redirection". The University's Privacy and Information Officer conducted a review of the email redirection and found that none of the information protection principles in the Privacy and Personal Information Protection Act 1998 (NSW) (Privacy Act) had been breached. The University decided to take no further action.
CBL applied to the Tribunal for a review of the University's conduct: Privacy Act, s 55(1). The Tribunal agreed with the University's decisions that the email redirection had not contravened an information protection principle and that no further action should be taken.
CBL appealed to the Appeal Panel from the Tribunal's decision. He has not sought permission to appeal on grounds other than a question of law: Civil and Administrative Tribunal Act 2013 (NSW), s 80(2). Consequently, the broad issue in these proceedings is whether the Tribunal has made any of the errors of law identified by CBL.
In determining this appeal, we ask the following questions and address each issue of appeal as it arises when answering those questions: 1. What is the conduct about which CBL is aggrieved? 2. Which information protection principles is it alleged that the email redirection contravened? 3. Did the conduct contravene the information protection principles relating to collection of personal information? 4. Did the conduct contravene the information protection principle relating to disclosure of personal information? 5. Did the conduct contravene the information protection principle relating to use of personal information?

Which information protection principles is it alleged that the email redirection contravened?

Section 52 of the Privacy Act sets out the "conduct" to which Part 5 of the Act applies. Part 5 is headed "Review of certain conduct". Section 52(1) provides that: 52 Application of Part (1) This Part applies to the following conduct: (a) the contravention by a public sector agency of an information protection principle that applies to the agency, (b) the contravention by a public sector agency of a privacy code of practice that applies to the agency, (c) the disclosure by a public sector agency of personal information kept in a public register. (1) This Part applies to the following conduct:
CBL alleged that by redirecting his emails, the University had contravened information protection principles that apply to it: s 52(1)(a). Consequently, the issue for both the University and the Tribunal on review, was whether the email redirection contravened an information protection principle that applies to the University. As the Appeal Panel stated in CYL v YZA [2017] NSWCATAP 105 at [58]: 'Conduct' is the expression used in this area of the law to describe action by the agency or circumstances involving the agency that might amount to a possible contravention of an information protection principle ... There needs to be material that can be understood by the agency, fairly read, as connecting the action or circumstances of concern to a principle, whether or not the principle itself is actually specified by the application.
The information protection principles identified by the University as being potentially applicable were the principles in sections 8, 10, 11 and 18 of the Privacy Act. Those information protection principles relate to the collection of personal information for lawful purposes, the requirements when collecting personal information and limits on disclosure of personal information. The Tribunal noted that no specific submissions were made about improper use of CBL's personal information outlined in s 17.

Did the email redirection contravene the information protection principles relating to collection?

Several of CBL's grounds of appeal focused on the Tribunal's conclusions as to whether the email redirection contravened either of the information protection principles relating to the collection of information. Section 8 provides that: 8 Collection of personal information for lawful purposes (1) A public sector agency must not collect personal information unless: (a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and (b) the collection of the information is reasonably necessary for that purpose. (2) A public sector agency must not collect personal information by any unlawful means.
Section 10 states that: 10 Requirements when collecting personal information If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following: (a) the fact that the information is being collected, (b) the purposes for which the information is being collected, (c) the intended recipients of the information, (d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided, (e) the existence of any right of access to, and correction of, the information, (f) the name and address of the agency that is collecting the information and the agency that is to hold the information.
At [20], the Tribunal articulated the issue in relation to the principle in s 8 as being: … whether the automatic redirection of the solicited emails from the intended recipients in the respondent's email system to the respondent's legal unit email address legal@scu.edu.au makes any difference to the collection being lawful.
The Tribunal was asking whether the email redirection contravened the information protection principle relating to collection in s 8. The Tribunal found at [21], that the University did not, by the implementation of the email redirection, "collect" CBL's personal information. At [24], the Tribunal re-iterated that the email redirection made no difference to whether or not the receipt of CBL's emails resulted in collection of his personal information. The Tribunal went on to find that: … It does not matter who within the respondent agency received the applicant's emails - whether they were received by the intended recipients, whether they were automatically redirected and received by another individual or individuals within the respondent agency, or whether they were intentionally or unintentionally forwarded from one recipient to another within the respondent agency.
That finding was repeated in different words at [28] where the Tribunal held that, "[T]he redirection is distinct from the Respondent Agency's collection of the personal information".
CBL challenged these findings by relying on the definition of the collection of personal information in the University's Privacy Plan. In section 2, paragraph 5 of that document the following definition is provided: Collection (of personal information) means the way the University acquires the information.
CBL submitted that, based on this definition, the "collection" of personal information means the "way the University acquires the information". The way the University acquired the personal information in the emails was that these emails were redirected to the email address of the Legal Unit. It follows, according to CBL, that the University has contravened s 10(b) of the Privacy Act because it has not informed him of the lawful purpose for the collection of his personal information.
We do not know whether CBL put this argument to the Tribunal below. There is no reference to it in the Tribunal's reasons. Even if CBL did put this argument to the Tribunal, the Tribunal was correct to conclude that the email redirection itself did not contravene either of the information protection principles relating to collection. Sections 8 and 10 both refer to collection by a public sector agency. The collection of the information is collection by the University, not by the individual to whom the email is redirected. Consequently, the email redirection was not conduct which collected CBL's information. The wording of a definition in the University's Privacy Policy cannot change the fact that collection is collection by the agency, not an individual or unit within an agency.
Once the Tribunal had made these findings, it did not need to go on to consider whether any other conduct involved in the collection of the information contravened s 8 or s 10 of the Privacy Act. That is because CBL was aggrieved only about the email redirection and any consequent breach of an information protection principle.
All the Tribunal's findings and conclusions about the collection of information, other than the finding that the email redirection itself did not contravene the information protection principles about collection, were obiter dicta. That means that those findings do not form a necessary part of the Tribunal's reasoning or decision. For that reason, we have not addressed CBL's grounds of appeal that relate to these findings and conclusions including grounds about adequacy of reasons.

Did the conduct contravene the information protection principle relating to use?

Section 17 provides that: 17 Limits on use of personal information A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless: (a) the individual to whom the information relates has consented to the use of the information for that other purpose, or (b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or (c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
At [29], the Tribunal made the following observations and findings about the information protection principle relating to the "use" of personal information: "[T]here were no specific submissions made about improper use of the applicant's personal information and no findings in the reviewable decision relevant to use. To the extent necessary, I accept the respondent's undisputed evidence that the only use made of the solicited emails was to arrange the meetings which were the subject of the emails, and for the respondent to clarify and deal with the applicant's complaints and PID (protected interest disclosure) statements." (words in brackets added).
CBL alleged that the Tribunal erred when making these statements. He did not challenge the Tribunal's finding that he made no submissions about improper use of his personal information. But, he submitted that s 17 of the Privacy Act "stipulates that the information must not be used for a purpose other than that for which it was collected" and that "in order to make a judgement about whether there was a breach of [s] 17, one logically needs to know the purpose for the collection of the emails".
When applying for internal review, an applicant does not have to identify which information protection principle has been breached: GL v Department of Education and Training [2003] NSWADT 166 at [26]; JD v Department of Health [2004] NSWADT 7 at [26]. It is the Tribunal's role to determine whether the conduct is conduct that contravenes an information protection principle: GL v Department of Education and Training [2003] NSWADT 166 at [23]; JD v Department of Health [2004] NSWADT 7 at [38]. The Tribunal addressed the possibility that the conduct contravened s 17 and found that it did not.
The Tribunal accepted the University's evidence that there was only one use of the information in the emails. That use was to arrange the meetings which were the subject of the emails and for the University to clarify and deal with the applicant's complaints and PID (public interest disclosure) statements. CBL did not challenge that factual finding on appeal. Rather, he asserted that when considering whether s 17 had been breached, the Tribunal must first identify the purpose for the collection of the emails.
The threshold question when determining whether there has been a contravention of s 17, is whether the email redirection constitutes a "use" of the information. The Tribunal impliedly found that it did not. In our view, that conclusion is correct. The email redirection merely redirected the personal information in the emails from the addressee to another unit within the agency. Having found that the email redirection did not constitute a "use", the Tribunal did not need to go on to consider whether any use of the information was for a purpose other than that for which it was collected. For that reason, this ground of appeal fails.

Did the conduct contravene the information protection principles relating to disclosure?

Section 18 provides that: 18 Limits on disclosure of personal information (1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless: (a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or (b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or (c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person. (2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
The Tribunal addressed the issue of whether the email redirection contravened this provision at [30]-[36]. At [36] the Tribunal's appears to have accepted that the email redirection constitutes an internal disclosure because "... anything he (CBL) sent to the Respondent's email addresses would be diverted and therefore disclosed to the Legal Unit's email address". Although CBL did not expressly articulate any ground of appeal in respect of the Tribunal's reasons at [30]-[36], we agree with him that there was no evidence for this finding. The Tribunal made an error of law because it made this finding without any evidence to support it: Azzopardi v Tasman UEB Industries Ltd (1985) 4 NSWLR 139 at 156-157.
But this error made no difference to the Tribunal's decision: Australian Broadcasting Tribunal v Bond [1990] HCA 33 at [80]; 170 CLR 321. The evidence was that the email redirection meant that the emails went directly from the sender to the Legal Unit. If the Tribunal had made a finding based on that evidence, it would have concluded that there was no 'internal movement' of personal information and no contravention of s 18 because CBL's personal information was not "disclosed" to any person by the email redirection. While the question does not arise on this appeal, we doubt that any internal movement of information within an agency could constitute a disclosure.

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales. Registrar DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated. Decision last updated: 09 October 2018

At a glance

Court

Decision date

Before

Source

Judgment (7 paragraphs)

Parties

Legislation Cited (3)

Cases Cited (4)

Cited By (5)