This is an application pursuant to s55 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) for review under the Administrative Decisions Review Act 1997 of the conduct of the Blacktown City Council (the Council).
The PPIP Act obliges public sector agencies to collect, store, use, and disclose personal information in accordance with certain principles called Information Protection Principles (IPPs). These principles are set out in Division 1 of Part 2 of the PPIP Act, ss 8-19.
Pursuant to s53 of the PPIP Act a person may apply to a public sector agency for the review of any conduct said to be in breach of an IPP. If a person who has sought internal review of the conduct of an agency is not satisfied with the internal review decision, he or she may apply to the Tribunal for administrative review of the "conduct that was the subject of the application under section 53" pursuant to s55 of the PPIP Act and ss 7 and 9 of the Administrative Decisions Review Act 1997 (NSW) (ADR Act).
Pursuant to s63(1) of the ADR Act, the Tribunal's role when conducting an administrative review is "to decide what the correct and preferable decision is having regard to the material then before it". That material includes "any relevant factual material" and "any applicable written or unwritten law". In the context of the PPIP Act, "decision" refers to the conduct in which the administrator is alleged to have engaged and which is the subject of a request for internal review (see s7 of the ADR Act).
Section 55 of the PPIP Act provides that, after the Tribunal has reviewed the conduct of the agency, it may decide not to take any action on the matter, or it may make orders which include orders for the payment of damages and orders directing the agency to take or not to take specified actions.
At the hearing the applicant appeared in person. Blacktown City Council was represented by Ms C Tipene, Solicitor. As permitted by s55(6) of the PPIP Act, the Privacy Commissioner filed written submissions and appeared at the hearing represented by Mr N Yetzotis, Solicitor.
The evidence tendered by the parties included the applicant's application and the decision under review which became Exhibit 1; a bundle of emails and correspondence tendered by the applicant which became Exhibit 2; the applicant's outline of alleged privacy breaches and further documents which became Exhibit 3; the applicant's reply to the submissions of the Privacy Commissioner which became Exhibit 4; and the submissions of the Privacy Commissioner which became Exhibit 5. I also received some oral evidence from the applicant.
The Council had not filed any documents or submissions; however I heard oral submissions from Ms Tipene. As the applicant objected that he had not had an opportunity to consider the submissions of the Council and stated that he was not able to respond immediately, I gave him leave to file written submissions in reply. The applicant filed those submissions which were received by the Tribunal on 10 July 2017.
The conduct of the Council of which the applicant complains relates to a letter dated 4 February 2016 (the 4 February letter) sent by the Council to a principal certifying authority ("the PCA") responsible, pursuant to the Environmental Planning & Assessment Act 1979, for the certification of a development on land adjoining the applicant's property. The applicant had complained to the Council that:
No notification of the proposed development or commencement of construction was received (CDC Schedule 2, Section A, condition 7);
Building work is being conducted outside the allowable work hours (CDC Schedule 2, Section B, Part 2, condition 7); and
Privacy is compromised (refer Clause 15 of Schedule 1 of the State Environmental Planning Policy (Affordable Rental Housing) 2009).
By the 4 February letter the Council referred the applicant's complaint to the PCA. The letter included the applicant's name and contact details which included a street address and a telephone number.
The applicant alleged that by disclosing his personal information to the PCA the Council had contravened the privacy principles set out in the PPIP Act.
The applicant complained of the disclosure in email correspondence with officers of the Council and sought an internal review of the conduct of the Council pursuant to s53 of the PPIP Act.
It was common ground that the application for the internal review was constituted by an email from the applicant to the General Manager of the Council sent on 4 April 2016 at 9.47 am and the attachments to that email.
The applicant's email of 4 April 2016 was in the following terms:
Firstly, find attached my initial email to you with the attachments that form the basis of my accusations.
In addition, I have attached the email from [RW] that contained the letter to the PCA that contained my personal information.
I still need to know where you acquired my telephone number that you gave to [Ms L] as I corrected you by stating that I hadn't given it to [TT] as you wrote in a below email.
This email chain will show that you arranged for me to have the meeting as you thought that it would assist me. The meeting was to explain to me why my personal details were given to the PCA and for the BCC [Blacktown City Council] to present its roles and responsibilities regarding privately certified matters. I asked for the documentation that would support the details that the BCC would have given me during the above meeting. You refuse to give me any documentation or give me its reference on the BCC website.
Be advised that I find your refusal indicates to me that you are NOT to be trusted and that I can expect the BCC to AGAIN try to cover up my complaints, as follows:
- I trust the written word more than the verbal word
[TT] pretending to act on request of the General Manager tried to cover up my complaints
- what was the BCC going to tell me at the meeting that they refuse to support via any documentation?
- your breaches of the Customer Service Charter
- your breaches of the BCC Code of Conduct and the Model Code of Conduct
- the documentation could save me a lot of time and effort if its details can explain that the forwarding of my personal details without my knowledge and/or consent was indeed in line with BCC and government Privacy regulations
Based upon all of the above I don't feel that I can trust the BCC. As such, I will NOT be providing the BCC with the detailed report as originally advised.
I will however, warn the BCC that its investigation and subsequent findings MUST include all of the following:
- an impartial review of all the attachments and this email chain
- proper emphasis on the dates and detail in the content of all of the above
- proper consideration of the above dates and details against all the regulations that the BCC must comply with and of course all relevant government legislations and regulations.
I also warn the BCC that it may not miss any breaches as that may be construed as another cover up given that the investigation is carried out by a person that has the required expertise for such an investigation. I base this on the terminology of Professional Negligence.
I have redacted the names of council officers mentioned in the email as it seems unnecessary to identify them specifically.
The attachments to that email included the letter from the Council to the PCA, lengthy email exchanges between the applicant and various officers of the Council, and other correspondence. The significant elements of the attachments appear to be:
1. An email dated 8 March 2016 sent at 10.42 am which included the following:
My biggest complaint is that [RW] breached my privacy as follows:
without any advice of intent [RW] gave out my personal information to a party that I was complaining about
without my knowledge, [RW] gave out my personal information that Blacktown City Council had on record from at least 5 years ago
[BM] signed the letter that contained my personal information that was sent to the above party;
1. An email dated 19 February 2016 sent at 8.22 am in the following terms:
Why did you give my private details to the certifier? Why didn't you advise/ask me before doing so. Under what authority have you done so.
The Council referred the review of the applicant's application to an external reviewer. The Council informed the applicant at the time, that it was doing so because of "concerns regarding impartiality in Council reviewing the complaint you have raised", which Ms Tipene stated, and I would have inferred in any event, was a reference to the applicant's statements in the email of 4 April 2016 that "you are not to be trusted and…I can expect the [Council] to again try to cover up my complaints" and "I don't feel that I can trust the [Council]."
It is appropriate to set out details of some of the communications between the applicant and the Council in April and May 2016.
On 5 April 2016 at 5.50 pm Ms Kenny, the Right to Information Officer of the Council, emailed the applicant, noting that the applicant had expressed concerns regarding impartiality and Council reviewing the complaint, and stating that:
"Given your stated concerns I would recommend that a review of this matter be conducted by an independent privacy practitioner, who is not employed by Council".
The email also stated:
"If you consent, your email details would be referred to the reviewer should they wish to put forward any questions to you. Alternatively if you do not consent to your email being released, I can redact your email address and copies of correspondences before referring them onto the reviewer."
At 9 pm on 5 April 2016 the applicant responded to Ms Kenny stating inter alia:
"I want the BCC to properly investigate my complaints and act accordingly. I will determine if any further action is required based upon the findings of the BCC".
On 7 April 2016 at 5.48 pm Ms Kenny sent an email to the applicant:
"Do you consent to your email address being provided to the reviewer. The reviewer will conduct a full review of your complaint."
The applicant responded at 8.39 pm on 7 April 2016:
"My email dated 5/4/16 below is very explicit. I want BCC to investigate my complaints."
The applicant followed up that email on 18 April 2016 and at 8.29 am on 18 April 2016, Ms Kenny wrote to the applicant:
"I am currently in the process of organizing an external reviewer. Once the selection of the reviewer has been confirmed. I will email you with their details including a proposed time frame to complete the review".
On 18 April 2016 at 9.24 am the applicant emailed Ms Kenny:
"You are acting contrary to my explicit instructions. Under what authority are you taking this action? Why haven't you informed me of this earlier?
On 19 April 2016 at 8.11 am Ms Kenny emailed the applicant:
"The intent of an external reviewer is to provide independence in the review process. In your email of 4 April 2016 to the General Manager the following statement was made: 'Based on all of the above I don't feel that I can trust the BCC'. In order to address your concerns of impartiality, it would be prudent to engage an external reviewer with experience in the application of privacy legislation."
At 8.35 am on 19 April 2016 the applicant emailed the General Manager of the Council:
"I will not continue to reiterate my instructions. I want BCC to investigate my complaints."
At 5.13 pm on 19 April 2016 Ms Kenny emailed the applicant:
"The General Manager has requested that an external independent review be conducted. Once the appointment of the reviewer has been finalized I will email you back with information relating to who will be conducting the review and the expected completion date."
On 13 May 2016 at 10.59 am Ms Kenny emailed the applicant:
"We have notified the Privacy Commissioner that we have received your complaint and that we intend to undertake an agency review. The process under Section 53 of the Privacy Act requires agencies to receive formal acknowledgment of the complaint, and the intended review process, from the Commissioner's office. In the interim, they have been in contact with us requesting further information. We are expecting formal notification from them early next week to proceed with the review. We are then required to conduct the review, inform the applicant (yourself) and the Commissioner of the review findings."
The applicant responded at 11 am on 13 May 2016:
"When was all this done. I want dates. What about the external impartial independent reviewer that you referred to and tried forcing me into accepting?"
On 18 May 2016 Ms Kathy Thane of Train Reaction Pty Ltd emailed the applicant introducing herself and her consultancy and stating:
"I have recently been engaged by Council to undertake an internal review (under Section 53 of the Privacy and Personal Information Protection Act 1998) of the circumstances giving rise to your contact details being provided by Council to [the PCA], an accredited private certifier, on 4 February 2016. …
Since being formally engaged on 13 May 2016 I have obtained all Council correspondence and records pertaining to the matter and I am now in a position to commence my review.
I am writing to afford you the opportunity to make a written submission in relation to the matter, should you wish to do so. I am also happy for you to address me in person should this be your preference. This could be done over the phone or in person. Please advise me at your earliest convenience, whether you wish to make further submissions that I can into account as part of my review and if so, whether you would like submissions in writing, in person or on the phone."
On 19 May 2016 the applicant emailed Ms Kenny:
"Why have you forwarded my personal details and presumably all my correspondence to BCC to an external party called Train Reaction?"
On 23 May 2016 Ms Kenny responded:
"The review is being conducted by an external reviewer independent of Council, as we have previously indicated. The reviewer is providing you with an opportunity to provide/present any further information from your perspective."
The applicant responded at 10.20 am on 23 May 2016:
"Firstly, I have consistently advised that I wanted Blacktown City Council to do the review. In addition in your email below dated 13 May 2016 you advised that you would do the review. I want you to provide me with evidence of any legislation that allows you to provide my personal details and correspondence to another party without my knowledge or consent!!! Under what authority have you engaged an external party to do the review?"
On 26 May 2016 at 9.45 am Ms Kenny emailed the applicant:
"The independent reviewer has now completed their draft report.
As your complaint was referred to the New South Wales Privacy Commissioner, according to the provisions of Section 53 of the Privacy and Personal Information Protection Act 1998 the following steps are now required as set out in the legislation
The Reviewer will submit their report to the New South Wales Privacy Commissioner
Following the completion of the review by the Privacy Commissioner, Blacktown Council is then required to notify you in writing of:
the findings of the review (and the reasons for those findings)
actions proposed to be taken by Council (and the reasons for taking that action).
As soon as the Privacy Commissioner has finalized their review we will write to you providing a copy of the report findings and recommendations."
It is also necessary to note an email from the applicant to Ms Kenny sent at 11.18 am that day which stated inter alia:
"I believe that you all know that I have been contacted by Kathy Thane from Train Reaction and Ms Thane has advised that BCC engaged her to do an external review of your privacy breaches of my personal information. Hence you are in breach of PPIPA.
I want your response. Did you engage Train Reaction to do a review of the above privacy breaches?"
This correspondence is significant because the applicant maintained that he had not been given an opportunity to participate in the review. He argued that he had never been told that Ms Thane was conducting the review and suggested that her email could have come from anyone and that he had had no confirmation from Council that she was the reviewer.
As noted above, the applicant gave evidence under oath. The question was put to him quite directly that he must have been aware that Ms Thane was the reviewer appointed by the Council. The applicant avoided directly answering that question.
That Ms Thane was the reviewer appointed by the Council was in my view the only conclusion that could have been drawn from Ms Thane's letter and was confirmed by Ms Kenny's email of 23 May 2016. I find that the applicant was aware that Ms Thane had been appointed to conduct the review and deliberately chose not to participate in the review.
Ms Thane's review dated 8 June 2016, which was attached to the applicant's application to the Tribunal, found that Information Protection Principle 11 (which reflects s18 of the PPIP Act) had been breached by the Council. Ms Thane stated:
4.1 There is no dispute that [the applicant's] personal details were released by Council officers to [the PCA] on 4 February 2016. Whilst it is clear that [the applicant] was informed by [Mr W] (and other Council officers) that [Mr C] was the Principal Certifying Authority (PCA) for the site and that his complaint should be referred to [Mr C] on that basis, at no time was [the applicant] advised that his personal details would in fact be released to [Mr C].
4.2 The reviewer considers that [the applicant] would not have been reasonably likely to have been aware that it as usual for a complaint such as his (and his personal details) to be provided to a PCA. The reviewer has reached this conclusion because it is apparent from [the applicant's] exchange of emails with [Mr W] that he did not know what a PCA was and how the system operated under the Environmental Planning and Assessment Act 1979.
4.3 The reviewer also notes that, based on a search of Council's website, there is no policy or information alerting customers to the fact that in the case of complaints being made about developments subject to approval by PCAs, it is the protocol of Council officers to refer a complaint's contact details to that PCA without notice.
4.4 Further, in the light of [the applicant's] lack of knowledge as evidenced by his email exchange with [Mr W] and the fact that the information was not detailed in a Council policy or its website, the reviewer is of the opinion that [Mr W] (and other Council officers) could not have reasonably assumed that [the applicant] would not have objected to the disclosure in the circumstances.
4.5 Accordingly, the reviewer is satisfied that Council officers have failed to observe Information Protection Principle 11 when disclosing [the applicant's] personal information and in the circumstances an exception under section 18 of the PPIP Act does not apply. It follows therefore that Council is also in breach of its own Privacy Management Plan.
4.6 However, the reviewer acknowledges that [Mr W] and other Council officers acted in good faith and under the belief that [Mr C] as PCA, was entitled to details of [the applicant's] complaint about the development and his contact details, to enable [Mr C] to address [the applicant's] concerns directly with him. It would also appear that it was Council's usual practice to refer a Complainant's details to a PCA under these circumstances.
4.7 A PCA is empowered by the Environmental Planning and Assessment Act 1979 to ensure that a particular development is carried out in accordance with the approved plans and legislative requirements. Therefore, when a complaint is made about a particular development, it is the PCA (and not Council) who is responsible for addressing that complaint.
Ms Thane referred to the fact that a PCA is a public official bound by a Code of Conduct and specifically referred to clause 8 of the Building Professionals Board Code of Conduct which requires accredited certifiers to take care to maintain the integrity and security of confidential documents and not to use confidential information for inappropriate purposes.
Ms Thane continued:
4.10 On this basis, it is considered that Council officers are entitled to presume that there should not be any privacy concerns, when disclosing a Complainant's details to a PCA and as already stated, there is apparently no provision in the GIPA Act that would prevent a Complainant's details being provided to a PCA in an application for access. However, Council would still be obliged to apply the public interest test before disclosing a complainant's details to the PCA. This was not done in [the applicant's] case.
4.11 It follows therefore that as a PCA is entitled to a Complainant's contact details and if it is in the public interest to release that information to a PCA in any given circumstance, Council must either:
Seek and obtain the Complainant's consent prior to making the disclosure of the Complainant's personal information to the PCA; or
Publish information on Council's website and/or enact a policy that clearly explains that where a development is subject to certification by a PCA, the circumstances where complaints made in respect of that development will be referred to the PCA, together with the Complainant's contact details to enable the PCA to address the concerns.
The reviewer made the following recommendations:
6.2.1 It is recommended that Council give consideration to affording the applicant an apology for the breach to his privacy by Council officials.
6.2.2 It is recommended that Council give consideration to the provision of training in privacy issues for all staff. The training may be delivered as part of an ongoing professional development program for Council staff.
6.2.3 It is recommended that Governance give consideration to developing policies and procedures for dealing with complaints about building developments in circumstances where those developments are managed by a Principal Certifying Authority (PCA); and in particular detailing the circumstances where a Complainant's personal details may be provided to a PCA without their prior consent (or if considered appropriate by Council, that the procedure require that consent be first obtained).
6.2.4 It is recommended that Council give consideration to updating its advice to customers and Council's website to inform them of the potential for contact details to be provided to a PCA (or if considered appropriate by Council, that the procedure require that consent be first obtained).
By his application to the Tribunal the applicant sought administrative review of the Reviewer's Decision on the following grounds:
BCC committed multiple privacy breaches while the review only dealt with one of them. BCC attempted to cover up the privacy breaches. BCC did not invoke an Internal Review, but rather, invoked a review by an external party of the BCC even after multiple objections from me. BCC deliberately didn't provide me with the contact details of the reviewer and deliberately wouldn't confirm the identity of the reviewer. Hence, the BCC deliberately interfered with my ability to participate in the review process. BCC, by providing my details to an external party of the BCC for the Internal Review, committed another privacy breach. The review does not truly reflect the circumstances of the one privacy breach that it reviewed and demonstrates a distinct lack of objectivity and due diligence.
The applicant's submissions, written and oral, were convoluted and imprecise. They traversed issues well beyond the matters identified in the application for review.
The applicant asserted that the conduct of the Council in sending the 4 February 2016 letter had breached the information protection principles set out in Division 1 of Part 2 of the PPIP Act including principles relating to the collection, accuracy and storage of his personal information, as set out in ss 11, 12, 13, 15 and 16 of the PPIP Act, as well as the principle set out in s18 of the PPIP Act which the Reviewer found had been breached. Section 18 of the PPIP Act provides:
18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
The applicant's complaints relating to the collection of information related to the fact that the applicant had not been informed of the possible distribution of the information to the relevant PCA. That fact was found by the Reviewer to have involved a breach of s18 of the PPIP Act. It is not apparent from the applicant's submissions how it could also constitute a breach of the information protection principles relating to the collection of information. By virtue of s4(5) of the PPIP Act, personal information is not "collected" by an agency if "the receipt of the information by the agency is unsolicited". That is clearly the case here. The only personal information of the applicant shown to have been held by the Council came from two complaints forwarded to the Council by the applicant.
The applicant's complaints relating to the accuracy and storage of his personal information related to the fact that the 4 February letter disclosed a telephone number for the applicant that was no longer current, being an old work number that had not been in use for 7 years. The applicant asserted that this demonstrated that the Council did not ensure that the personal information it kept was accurate and that it retained information for longer than was necessary, as the old telephone number had been provided in relation to a previous issue that had caused the applicant to correspond with the Council.
The applicant also:
1. Asserted that the Council had infringed the Government Information (Public Access) Act 2009 (NSW) (GIPA Act)
2. Criticised the Council's response to his complaints;
3. Asserted that the referral to an external reviewer was itself a breach of the PPIP Act;
4. Complained that he had not been given an opportunity to participate in the internal review;
5. Stated that the was not satisfied with the remedies proposed by the internal review; and
6. Sought monetary compensation.
The jurisdiction conferred on the Tribunal by s55 of the PPIP Act is to conduct "an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under s53" [that is the application for internal review]. It is clear from authority that the Tribunal has no jurisdiction to consider allegations of breach of information protection principles that are not raised by the application for internal review (see AQK v Commissioner of Police, NSW Police Force [2014] NSWCATAD 55 at [10] to [12]; KO & KP v Commissioner of Police, NSW Police (GD) [2005] NSWADTAP 56 at [10] to [14].
The question is what issues are raised by the application for internal review "reasonably construed" (see KO & KP v Commissioner of Police at [13]; BXK v Western Sydney University [2016] NSWCATAD 235 at [13]).
[2]
Accuracy and storage of information
A number of the allegations made by the applicant were not raised by the application for internal review. The applicant's complaints relating to the accuracy and storage of information (being the alleged contraventions of the information protection principles set out in ss 12, 13, 15 and 16 of the PPIP Act) were not raised by the application for internal review, reasonably construed. There is reference, in the email of 8 March 2016 attached to the application, to the Council disclosing information "that BCC had on record from at least 5 years ago" but there is no suggestion in the application or the attachments that the information had been retained for an inappropriate period or for inappropriate reasons. Nor is it suggested in the application or the attachments that the information was not accurate.
Even if the email of 8 March 2016 is construed as raising a complaint that the Council had retained the applicant's personal information for a period "longer than is necessary for the purposes for which the information may lawfully be used" (in contravention of the principle laid down in s12(a) of the PPIP Act), I do not find that the Council did breach that principle.
The applicant asserted that the telephone number provided to the PCA must have come from "a previous and totally unrelated complaint" which he had lodged at least seven years before 2016. No further information concerning that complaint was put before the Tribunal either by the applicant or by the Council.
In those circumstances the only information from the earlier complaint which I can conclude the Council had retained, was a telephone number. I do not consider that the retention, for a period of seven years, of a telephone number for a person who had communicated with the Council, would constitute a breach of the information protection principle set out in s12(a) of the PPIP Act. As the applicant himself pointed out, a PCA is required by Regulation 267A of the Environmental Planning and Assessment Regulations 2000 (NSW) to keep a written record of each complaint received in relation to a development for at least 10 years.
[3]
Alleged breach of the GIPA Act
The applicant's assertion that the Council breached the GIPA Act is also not a matter raised by the application for internal review and is not within the jurisdiction of the Tribunal. In any event the allegation is founded a misconception of the operation of the GIPA Act. The allegation proceeds on the assumption that the provision of the applicant's complaint to the PCA occurred pursuant to the GIPA Act. That is clearly not correct.
[4]
Criticism of Council's response to the applicant's complaints
The assessment of the Council's response to the applicant's complaints is not a matter within the jurisdiction of the Tribunal. As noted, the jurisdiction of the Tribunal is to review the allegations of breach of the PPIP Act. The application for internal review is made to the agency for the review of conduct said to be in breach of an information protection principle. The manner in which the Council responded to the applicant's complaints cannot be said to involve a breach of an information protection principle.
[5]
The disclosure of the applicant's information to the external reviewer
The disclosure of the applicant's personal information to the external reviewer could not be the subject of a review of the conduct of Council in relation to the complaint referred to the reviewer. If there was a breach of information protection principles in the referral to the external reviewer, I have no jurisdiction to consider that breach.
In any event, I note that in CNC v NSW Police Force [2017] NSWCATAD 95 at [22]-[27], a Senior Member of the Tribunal referred to decisions relating to the Health Records and Information Privacy Act 2002 (NSW) and held that the provision of personal information to a solicitor or agent retained by an agency was not a disclosure of information for the purposes of the PPIP Act, where the information was provided to the solicitor or agent in the course of their engagement. Thus, the provision of the applicant's contact details to the external reviewer for the purposes of the external reviewer's engagement did not constitute a disclosure of information for the purposes of the PPIP Act.
[6]
Alleged denial of the opportunity to participate in the internal review
I do not accept that the applicant was not given an opportunity to participate in the internal review. As noted above, I find that the applicant was aware of the appointment of the reviewer and chose not to participate in the review being conducted by the reviewer.
[7]
Financial Compensation
To the extent that the applicant sought financial compensation, s55(4)(b) of the PPIP Act provides that the Tribunal may only make an order pursuant to s55(2)(a) of the PPIP Act for payment of compensation if "the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency".
There is no evidence before me that the applicant has suffered any financial loss or physical or psychological harm arising by reason of the conduct of the Council. I therefore cannot be satisfied of the necessary conditions for an award of compensation.
[8]
Disclosure of Personal Information without consent - s18 of the PPIP Act
I do not find any ground for criticism of the reviewer's findings in relation to section 18 of the PPIP Act. The reviewer found there had been a breach of that principle and recommended an apology, changes in the Council's policies and procedures and the publishing of information concerning the likelihood of disclosure of personal details to a PCA.
Apart from the fact that the reviewer did not recommend compensation, the applicant has not identified any particular respect in which the reviewer's recommendations in relation to Council's failure to observe the information protection principle set out in s18 of the PPIP Act were incorrect or inadequate.
[9]
Identity of the Internal Reviewer
One other issue raised by the applicant requires consideration. The applicant suggested that the PPIP Act did not authorise the referral of the application for internal review to Ms Thane who was not an employee or officer of the Council.
Section 53 of the PPIP Act relevantly provides:
53 Internal review by public sector agencies
(1) A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.
…
(2) The review is to be undertaken by the public sector agency concerned.
(3) An application for such a review must:
(a) be in writing, and.
(b) be addressed to the public sector agency concerned, and
(c) specify an address in Australia to which a notice under subsection (8) may be sent, and
(d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and
(e) comply with such other requirements as may be prescribed by the regulations.
(4) Except as provided by section 54 (3) [1] , the application must be dealt with by an individual within the public sector agency who is directed by the agency to deal with the application. That individual must be, as far as is practicable, a person:
(a) who was not substantially involved in any matter relating to the conduct the subject of the application, and
(b) who is an employee or officer of the agency, and
(c) who is otherwise suitably qualified to deal with the matters raised by the application.
…
(6) The review must be completed as soon as is reasonably practicable in the circumstances. However, if the review is not completed within 60 days from the day on which the application was received, the applicant is entitled to make an application under section 55 to the Tribunal for an administrative review of the conduct concerned.
The applicant submitted that the appointment of Ms Thane to conduct the internal review was not consistent with the requirements of sub-section (4) that the application for review must be dealt with by an individual "within the public sector agency" and that "that individual must be, as far as practicable, a person…(b) who is an employee or officer of the agency".
As the Information Commissioner submitted, the requirement that the individual must be "as far as practicable" a person who is an employee or officer of the agency, implicitly recognises that, where it is not practicable, the person conducting the review need not be an employee or officer of the agency but may be, as in this case, a consultant retained by the agency to carry out the review. In this case, it was not practicable for the review to be conducted by an employee or officer of the Council.
I consider that the concept of "practicability" extends to the likelihood that any internal review conducted by an employee or officer of the Council would have been subjected to challenge by the applicant on the basis that the relevant individual was not impartial and was biased against the applicant. In those circumstances, given the applicant's expressed concerns as to the independence of any reviewer appointed from the staff of the Council, I consider that it was not practicable for the internal review to be conducted by an officer or employee of the Council. Accordingly, I find that the review conducted by Ms Thane was carried out in conformity with the requirements of s53 of the Act.
The Information Commissioner's submissions referred to authorities including Robertson v HWE Mining Pty Ltd [2014] WASC 11 at [24]; HWE Mining Pty Ltd v Robertson [2015] WACA 26 and NATB & Ors v Minister for Immigration and Multicultural and Indigenous Affairs (2003) FCR 506; [2003] FCAFC 292 at [51]-[52]. Those decisions relate to the meaning of the term "reasonably practicable" and are not strictly relevant to the issue arising in this case but reinforce my view that the concept of practicability extends to the likelihood of allegations of bias or impartiality against any employee or officer of the Council.
Were I to be incorrect in this conclusion, with the result that the review by Ms Thane did not constitute an internal review for the purposes of s53, the result would be that there had been no internal review. In those circumstances the review required by s53 of the PPIP Act would not have been completed within 60 days of the receipt of the application and the applicant would have been entitled to make his application to the Tribunal pursuant to s53(6) of the PPIP Act.
I have read Ms Thane's report and I am satisfied that her conclusions are correct. On that basis, even if Ms Thane's review was not a valid internal review, I would nevertheless decide to take no action on the matter on the basis that the recommendations made by Ms Thane are the correct and preferable outcome of the internal review which the Council was required to effectuate.
Accordingly none of the grounds relied upon by the applicant for challenging the findings of the internal review and the conduct which was the subject of the applicant's application for internal review are made out, and there is no justification for the Tribunal to take any action on the matter.
[10]
Order
1. The Tribunal decides, pursuant to s55(2) of the PIPP Act, to take no action in this matter
[11]
Endnote
Section 54(3) provides that where appropriate the Privacy Commissioner may undertake the internal review on behalf of the agency at the request of the agency concerned.
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 19 October 2017
Parties
Applicant/Plaintiff:
CRE
Respondent/Defendant:
Blacktown City Council
Legislation Cited (5)
Environmental Planning and Assessment Regulations 2000(NSW)