On 17 October 2016 the applicant 'CTH' lodged an application for administrative review with the Tribunal. That application relates to an Internal Review which the applicant sought in relation to a privacy grievance between herself and her former employer the University of New South Wales.
CTH is the applicant's pseudonym, in that the Tribunal has de-identified the applicant's name from any open reasons consistent with the practice of the Tribunal in privacy reviews. This is an application for a review of the conduct of the Respondent Public Sector Agency, which was subject to an Internal Review application under Part 5 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act).
The Tribunal has reviewed the conduct which fell within the scope of the Internal Review and for the reasons that follow, finds that there is no breach of an Information Protection Principle (IPP) under the PPIP Act.
[2]
Background
The applicant was employed at the respondent University for approximately 6 months in 2015. The respondent is a public sector agency for the purposes of the PPIP Act, and is therefore (subject to that Act) bound by the provisions of the Act including the I.P.P.'s. The applicant alleges that a number of breaches of her privacy occurred in both the circumstances of her initiation of employment, and the cessation of her employment.
The concerns related to the respondent's contact with the applicant whilst on sick leave. The agreed facts identify that during the period of sick leave in November 2015 the respondent contacted the applicant by post at her residential address. The correspondence was delivered by courier to that supplied address.
The applicant's initial internal review request focused on two specific types of conduct which were, in the applicant's view, contrary to the relevant information protection principles in the PPIP Act.
One instance concerned disclosure. That disclosure involved the HR Manager providing the residential address to the applicant's direct supervisor/manager as well as the Director of HR copying the applicant's supervisor in on a letter sent to the applicant (which included the residential address).
The other instance related to collection whereby the applicant's residential address was added to the applicant's HR record. It was submitted that this was a collection and a use beyond the scope of the initial basis for the collection. General complaints concerning contacting former employers and failing to address the complaints were also raised.
The general compass of the applicant's grievance relates to her probationary period of employment at the respondent and the alleged unprofessional and inappropriate conduct by her immediate supervisor. Setting out the grievance as submitted by the applicant provides the following background: The applicant broadly alleges that the supervisor bullied her and was overly critical of her performance generally. As a result it was alleged that the supervisor used material from the applicant's C.V. to contact previous employers to obtain adverse information and spread it to damage the applicant's standing. In addition the subsequent provision of her residential address to the supervisor (in the alleged poor relationship) elevated the applicant's concerns.
In reply to this the respondent considered that the applicant's complaint raised six privacy grievances or instances of conduct. They are identified in summary as follows:
1. HR disclosure of personal information: provision of home address to supervisor around 23/24 November 2015.
2. HR disclosure of personal information: inclusion of applicant's home address on correspondence sent to applicant around 2 December 2015 but cc'ed to supervisor. (further disclosure to supervisor).
3. Allegation of HR disclosure to supervisor of applicant's Hurt on Duty form around June 2015.
4. Incorrect/unnecessary use by HR of applicant's home address by adding it to the Hurt on Duty information/record around June 2015 and subsequent use.
5. Allegation of inappropriate access to applicant's personal information in job application to contact former employers (retrospectively) to seek adverse information about applicant.
6. Alleged failure to act on privacy complaints concerning allegation 5 (above) and privacy breaches generally (1-4).
The respondent determined that items 3, 5 and 6 were known to the applicant more than six months prior to her making the application for internal review. The PPIP Act provides for an application for internal review to be made within 6 months of becoming aware of the relevant conduct (constituting the alleged breach). Section 53 of the PPIP Act relevantly provides in respect of the Internal Review Process, the following:
53 Internal review by public sector agencies
(1) A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.
(1A) There is no entitlement under this section to the review of the conduct of a Minister (or a Minister's personal staff) in respect of a contravention of section 15 (Alteration of personal information).
Note. Any such conduct can still be administratively reviewed by the Tribunal. See section 55 (1A).
(2) The review is to be undertaken by the public sector agency concerned.
(3) An application for such a review must:
(a) be in writing, and
(b) be addressed to the public sector agency concerned, and
(c) specify an address in Australia to which a notice under subsection (8) may be sent, and
(d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and
(e) comply with such other requirements as may be prescribed by the regulations.
(Emphasis added)
The respondent determined that Items 3, 5 and 6 were out of time in the application dated 6 June 2016. Item 3 was six months beyond the period referred to in section 53 (1) (d), Item 5 between four months and one month out of time, and Item 6 was one to two months out of time.
Notwithstanding the discretion provided for in the text of the Section, (to allow a matter out of time), the respondent determined to exclude those Items. Annexure DWN 30 to the signed statement of Douglas William Narin (which was received in evidence in the proceedings and marked as Exhibit 'R - 1') is a copy of correspondence to the applicant about her complaints / internal review dated 11 July 2016. It records the following:
Section 53 (3) of the Act requires complaints to be lodged within six months from the time that you first became aware of that conduct that is the subject of the complaint. Therefore, three of your complaints (numbers 3, 5 and 6) will be excluded from the internal review.
Based on the fact that the respondent ultimately did not address these three grounds in its review, and the fact that the inclusion of these issues formed a preliminary issue at hearing, it seems clear that in the absence of any evidence of considering whether to extend time, then the provision was applied strictly without benefit to the applicant. This much is clear from the eventual scope of the internal review. The Tribunal notes that the PPIP Act is a rights regime (noting the long title), and rather than exercise the discretion (and benefit of the right), the respondent without engagement or any provision of reasons has determined (as permitted by the drafting), to dispense with that consideration to extend time.
However, notwithstanding that observation, it is also apparent from the 11 July 2016 correspondence that the respondent believed that the excluded matters could be dealt with less formally under the UNSW Staff Complaints Procedure. No evidence was before the Tribunal as to how these matters were ultimately addressed in the context of good administrative conduct and any outcome for the applicant.
The issue of whether the scope of the conduct before the Tribunal extended to all 6 privacy grievances had not been resolved prior to hearing so as a preliminary issue the Tribunal considered an application on this point on the day of the hearing. It was submitted by the respondent however that the jurisdictional issue on three of the grievances was raised with the Tribunal at the initial Case Conference on 29 November 2016.
[3]
Jurisdiction Hearing
The respondent submitted that there was a great deal of speculation in the applicant's Internal Review application which implied some awareness of the issues at play.
The Privacy Commissioner submitted that whilst three allegations were addressed in the Internal Review (and three were not accepted), there was no positive comment by the applicant in respect of her knowledge. In their submission the applicant did not engage with the 'two step test', namely to identify the issue, and then to identify that a privacy right (and/or remedy) arose or was enlivened by that identification of the issue.
The respondent submitted that the Tribunal does not have jurisdiction and the parties were on notice of this since the first return of the application. Grievances 1 and 2 go to the address being provided (in different forms) to the supervisor, and instance 4 goes to where the University recorded the home address.
The applicant made submissions on this issue prior to giving evidence. The applicant submitted that she was employed at the University for 5 months and her workplace problems escalated during that time. She hoped that her 'suspicions' were unfounded (in respect of gossip and rumours arising from privacy issues). However at a later time she formed the view that these issues were well grounded and as a result made out.
During the period (of delay) the applicant submitted that there was a possibility that things had become a real problem, and that whilst she never (at the time) knew whether the respondent sent out the personal information, she held a vague suspicion that was the case. In respect of grievance 5 the applicant submitted that she inferred that this was the reason for the workplace problems developing (as false information was circulating in her current workplace). When the Internal Review was lodged on 6 June 2016, only then did an investigation of the problems relating to her employment commence.
The applicant was examined on the jurisdiction issue and gave evidence-in-chief that she took some time to locate the Privacy and Compliance Officer. Only then did she become aware of the various privacy issues in a legal sense. The applicant's evidence-in-chief was categorically that she only became aware of the 6 month 'cut off' after contact with the Privacy Officer in May/June 2016.
The Tribunal inquired as to whether the applicant tried to raise issues during her term of employment with the respondent's staff. The applicant gave evidence that she did but that staff did not 'seem to take them up'. In addition her evidence was that she 'had a bad response from the Head of School'. The applicant noted the options listed on the Internal Review about administrative review by the Tribunal and as a result knew how to progress that aspect.
Under cross-examination the applicant was asked whether she saw any other information about privacy rights. The applicant advised that she was generally probably aware of those complaint rights in June 2016. In response to a question on behalf of the Privacy Commissioner the applicant advised that she was not aware of the existence of a Privacy Officer initially.
The Tribunal delivered an Ex Tempore decision on this issue concluding that grievances 3, 5 and 6 (as set out in paragraph 10 above), were not within jurisdiction due to the delay in seeking an internal review both on the basis of the timing of the alleged breaches, and becoming aware of the legal import of that conduct.
Whilst the evidence established that the applicant only became aware of the 6 month 'requirement' after locating the Privacy Officer in May or June 2016, the applicant was aware and had formed a view (from the evidence and material before the Tribunal) that the conduct was (on her assessment) contrary to privacy requirements some months prior.
The Tribunal then proceeded to hear the three grievances at items 1, 2 and 4 (as set out in paragraph 10 - above). In doing so on the application of the parties I made an order under section 64(1) of the Civil and Administrative Tribunal Act 2013 in respect of the applicant's identity and the identity of the supervisor.
64 Tribunal may restrict disclosures concerning proceedings
(1) If the Tribunal is satisfied that it is desirable to do so by reason of the confidential nature of any evidence or matter or for any other reason, it may (of its own motion or on the application of a party) make any one or more of the following orders:
(a) an order prohibiting or restricting the disclosure of the name of any person (whether or not a party to proceedings in the Tribunal or a witness summoned by, or appearing before, the Tribunal),
The procedure for the hearing was agreed between the parties with the respondent departing from the usual course and giving their evidence and submissions first, in part to assist the unrepresented applicant in addressing her concerns by way of a rebuttal of the respondent's argument.
[4]
Relevant Legislative Provisions
Section 18 of the PPIP Act concerns the alleged breaches identified in grievances 1 and 2. (Disclosure IPP 11) Section 18 provides:
18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
Section 17 of the PPIP Act concerns the alleged breach constituting grievance 4. (Use IPP 10) Section 17 provides:
17 Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
Overarching these IPP's is the definition of Personal Information provided for in section 4 of the PPIP Act. Relevantly section 4 provides:
4 Definition of "personal information"
(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2)….. .
(3) Personal information does not include any of the following:
….
(b) information about an individual that is contained in a publicly available publication,
…..
(e) information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure,
….
(j) information or an opinion about an individual's suitability for appointment or employment as a public sector official,
(ja) (N/A at time of conduct),
(k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.
There is no suggestion that the applicant's complaints about her supervisor constituted a Public Interest Disclosure nor is there any suggestion that the personal information cited (whilst in the context of suitability for appointment - permanently), is about her suitability. That is because the information complained of (in these two grievances) - is the applicant's residential address. No arguments were run that the information was not personal information of the applicant.
[5]
Respondent's Evidence and Submissions
In written submissions the respondent identified the conduct as two instances of the provision of the applicant's home address to her immediate supervisor, and one instance of adding the home address to the Human Resources (HR) record.
Factually the respondent submitted that the applicant's employment commenced on a day in June 2015 and the probationary period was due to conclude on the same day in the month of December (six months later). In early November 2015 the applicant spoke to and e-mailed a HR officer making allegations/complaints of bullying against her supervisor. In late November 2015 the applicant's supervisor sent the applicant a letter concerning her work performance and progress in the role. Whilst it was e-mailed to the applicant's work e-mail address, as she was on sick leave it was couriered to the applicant's home address.
In early December 2015 (prior to the expiry of her probationary period) the Vice President of HR sent the applicant a letter informing her of the termination of her employment. (The basis for the termination does not concern the matters to be addressed by the Tribunal). Whilst the letter was handed to the applicant her residential address appeared on the formal letter, and a copy of the letter was provided by way of cc. to the direct supervisor.
Instance 1 involves the provision by the University of the applicant's residential address to the supervisor to send the late November 2015 'performance progress' letter. Instance 2 involves the provision of the early December 2015 HR letter to the supervisor (including the applicant's residential address).
In respect of these two instances the respondent submitted that the relationship between the applicant and the supervisor was one whereby unless the disclosure was outside of that relationship, then no breach would arise. The respondent relied upon the evidence tendered in the proceedings, being the statement (Exhibit 'R 1') (Annexure DWN 15) which set out the responsibilities of the applicant's supervisor towards the applicant. At paragraphs 51 and 52 of Exhibit 'R 1' the respondent's evidence stated:
51. In my experience, it is common practice for an employee's supervisor to be copied on important correspondence that is sent to an employee by Human Resources, including letters which advise that the employee's employment has been terminated. I also note the penultimate paragraph of the Termination Letter states "You are required to immediately return UNSW property currently in your possession, including your UNSW ID Card to Ms 'X' (supervisor)".
52. As (CTH's) supervisor, it was necessary for Ms 'X' to receive a copy of the Termination Letter, so that she was aware that (CTH) had been given notice of termination and she had been informed that she was to return certain items to Ms 'X'.
In this regard the respondent relied upon a line of privacy cases in the Tribunal and the former Administrative Decisions Tribunal (ADT), starting with the appeal case of Director General Department of Education and Training v MT (GD) [2005] NSWADTAP 77 and continuing to CEU v University of Technology Sydney [2017] NSWCATAD 79. At paragraphs [125]-[127] of CEU the following authority was relied upon by the respondent:
125. The University says that the provision of the letter was not a 'disclosure' by the agency in any event, because the information was provided by the agency to itself - that is, by one administrative unit of the agency to another.
126. The distinction between "disclosure" and "use", as those terms are used in the Health Privacy Principles, was discussed by the Appeal Panel of the Administrative Decisions Tribunal in AF v Minister for Health [2012] NSWADTAP 61 [at 102]:
'Use' and 'disclosure' have usually been presented as discrete concepts in data protection law, and that distinction is drawn in this law. 'Use' is generally seen as referring to the internal use made of personal information by the collecting agency, whereas 'disclosure' is used to describe the act of supplying the information to a third party external to the agency.
127. The reasoning in AF has been applied in this Tribunal: BVS v Sydney Local Health District [2015] NSWCATAD 171. By providing his letter to the Special Needs Service, Dr Cai was not providing it to a third party external to the university. For those reasons, the provision of the letter to the Special Needs Service was not a 'disclosure' within the meaning of Health Privacy Principle 11.
I observe that this is an often relied upon provision in that it is generally agreed on basic facts that there cannot be a disclosure within a public sector agency, and if such conduct was to offend the IPP's then it would more likely offend the use provisions.
In AQK v Commissioner of Police NSW Police Force [2014] NSWCATAD 55 the Tribunal also observed that contentions of disclosure within an agency can be problematic. At paragraphs [46] and [47] the following was observed.
Section 18 - Limits on disclosure of personal information
46. The Applicant alleged that there has been a contravention of s.18 of the PPIP Act, which imposes restrictions on an agency and its ability to disclose personal information to any other person or body. The Applicant contended that his personal information was disclosed, in contravention of s.18, through the publication of the Minutes. The Respondent, in its Internal Review, concluded that there had been a contravention of s.18 of the PPIP Act in the publication of the Minutes on the Intranet, but now resiles from that position.
47. Section 18 is concerned with an agency's disclosure of an individual's personal information to a person or body outside the agency. Internal disclosures are not generally unlawful, and do not constitute a contravention of s.18 of the PPIP Act: NZ v Department of Housing [2005] NSWADT 58 at [69]; Director General Department of Education and Training v MT (GD) [2005] NSWADTAP 77 at [39]; and AOB v Commissioner of Police [2013] NSWADT 138 at [18]. Mr Beatson's evidence was that the Minutes were published on the Intranet, which can only be accessed by employees of the NSW Police Force and requiring some dedication to the task of making that access. The Respondent has, essentially, only disclosed the information to itself.
The submission being that there cannot be disclosure within an agency and for that reason the provision of the applicant's personal information to the supervisor (it was submitted) was not a breach of section 18 of the PPIP Act.
The respondent made various submissions concerning the circumstances and basis of the collection of this personal information from the applicant, centrally the application of the Human Resources Privacy Statement to the applicant when she signed on as an employee of the respondent. In addition the respondent submitted that the applicant applied for her position with the respondent 'on-line' and as a result would have been required to consent to (by reading and accepting) the Privacy Statement.
The respondent submitted that the use of the applicant's personal information in these two instances was for the same purpose for which it was collected, and as a result there was conformity with the provisions of section 17 (in respect of use). Whilst this information (the residential address), it was submitted, was not provided by the applicant to the respondent during the recruitment/application process, the fact that the Privacy Statement advised that the information may also be used for employment purposes, put the applicant on notice that this was the type of use to which the information could be applied.
In summary the respondent submitted (by reference to the evidence annexed to Exhibit 'R-1'), that the information (address) was collected for employment basis and used from time to time for that purpose.
In respect of Instance 4 (the placing of the home address in the HR Record), the respondent submitted that there is nothing in the PPIP Act which provides that an agency must store information in a particular location, over another location which meets the security requirements under the PPIP Act. The respondent submitted that the collection of the home address on the Tax File Number (TFN) declaration form and then the HR2 (Entry on Duty) form, was as part of their ongoing employment related function.
The respondent submitted that the storage of that information on the respondent's database was for a purpose directly related or connected with one of the purposes for which it was collected and as a result there is no breach of section 17 of the PPIP Act.
Additionally the respondent submitted that there was no breach of section 12 of the PPIP Act due to the limitations placed in the system on how HR staff may access the HR databases. Section 12 provides:
12 Retention and security of personal information
A public sector agency that holds personal information must ensure:
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
The respondent submitted that the information had been stored in a way which was appropriate for the purpose for which it had been collected. The respondent relied upon the following evidence from the Statement of Douglas William Nairn, Head of Employee Relations, UNSW (Exhibit 'R-1').
23. In my experience, it can be necessary for UNSW to have an employee's residential address in the following circumstances, among others:
(a) If an employee is not at work and is not available by email and it is necessary to contact them urgently, including in writing; or
(b) If an employee is at risk and it is necessary for another agency to intervene, it can be essential to have the employee's residential address in order to provide to the relevant agency.
The respondent also referred to the reference to the applicant's supervisor in correspondence dated 5 June 2015 offering the position (pg 27/28 Exhibit 'R 1') in support of an argument that the applicant would reasonably expect such information to be provided to the supervisor.
[6]
Applicant's Evidence and Submissions
The applicant filed a detailed signed statement on 2 May 2017. (Exhibit 'A-2'). The statement sets out what forms the applicant submitted in June 2015 in respect of taking up her offer of employment. These forms were the HR2 Entry on Duty form, the TFN Declaration Form and a Standard Choice Form re: superannuation elections.
The statement goes on to detail the beginning and ongoing problems with her employment, arising from her working relationship with her supervisor. Steps taken to report these problems and her ensuing periods of sick leave are also detailed. Meetings of 24 November 2015 and 26 November 2015 (whilst on sick leave) with HR officers are also outlined in detail. These meetings related to the applicant's complaints about her supervisor.
The applicant's submissions set out a view that her consent was required prior to HR providing any information directly to the supervisor. The applicant submits that the respondent's evidence that certain things were done (e.g. retrieving the home address off payroll records and providing it to the supervisor, or the copying to the supervisor of a letter containing the home address of the applicant) are indicative of a lack of direct consent and therefore illustrate a privacy breach.
Various policy principles (about access to records) and views about such records are put forth in submissions. (E.g. 'I think the information on human resources or payroll records should only be accessible to human resources staff ('authorised personnel') not to other employees in the wider organisation.' (Para 12 submissions dated 2 May 2016).)
The applicant in her written submissions set out how she understood the application of the respondent's policies and procedures concerning personal information to the privacy legislation.
The applicant submitted that the TFN form asks for or requires a home address as well as a postal address, but on the University Form she only nominated a Post Office Box as her address.
In submissions at hearing the applicant submitted that the TFN form asks for a home address, however she nominated to the University that she wanted her Post Office Box address on file. The applicant submitted that the respondent had never addressed why they had decided to utilise her home address rather than use the postal address for the dispatch of correspondence. However the Internal Review provided an explanation of sorts following submissions by the Privacy Commissioner on this issue.
Much of the primary evidence of the communications between the parties is contained within the annexures to the statement Exhibit 'R-1'. However the applicant's own statement dated 2 May 2017 (Exhibit 'A-2') also provides significant material to assist in establishing the facts.
[7]
Privacy Commissioner's Submissions
The Privacy Commissioner provided submissions consistent with their role under section 55 (6) of the PPIP Act. Much of the written and oral submissions at hearing concerned the scope of the conduct/jurisdiction of the Tribunal to the facts. Both parties had notice of written submissions and were afforded a right to respond. The Privacy Commissioner addressed the issue of the 'use' of the applicant's home address.
The Privacy Commissioner submitted that the relationship between the applicant and the supervisor would amount to a use principle rather than a disclosure principle. However it remains somewhat unclear as to when the applicant requested that her address be removed from the records, other than the final (post termination) request sometime in December 2015.
In oral submissions the Privacy Commissioner submitted that the Tribunal needed to ascertain what was the purpose of the use of the information and then determine whether that purpose married up with the collection basis.
In addition the Privacy Commissioner referred the Tribunal to the case of KJ v Wentworth Area Health Service [2004] NSWADT 84, which addressed the discrete circumstances of when 'disclosure' within an agency might amount to disclosure for the purposes of the IPP's. At paragraphs [48] to [51] the ADT observed:
48 The Privacy Commissioner has submitted that there may be instances where a dissemination of information within an agency amounts to disclosure, either because the agency concerned consists of a number of discrete units, or the information is of such a confidential nature that it is reasonable to describe the manner in which it is disseminated as disclosure, or because of a combination of such factors. It is further submitted that an artificial distinction between use within an agency and disclosure outside may not be consistent with an individual's reasonable expectations of how their personal information, particularly sensitive personal information as defined in section 19, will be handled by an agency.
Finding in relation to IPP 12
49 Again I am in general agreement with the views expressed by the Privacy Commissioner. The Privacy Act does not clearly define what is meant by a public sector agency. In my view, the expression should be given a broad interpretation, consistent with the principle that personal information should be dealt with in an open and accountable manner. For example a statutory body that is administratively part of a larger public sector agency can constitute an agency in its own right. What constitutes a public sector agency will be a question of fact to be determined on a case by case basis.
50 While generally speaking the expression "disclosure" refers to making personal information available to people outside an agency, in the case of large public sector agencies consisting of specialised units, the exchange of personal information between units may constitute disclosure.
51 In the circumstances of this matter, I am satisfied that the Agency disclosed KJ's personal information in contravention of the requirements of section 19 of the Privacy Act as KJ has alleged. The exceptions provided by sections 26 and 28 of the Privacy Act are not applicable. I have no evidence on which I can determine whether this contravention of section 19 was wider than the Psychiatrist's sending letters to two outside doctors. Nevertheless, it is my view that by placing the sensitive information on KJ's general medical file, the Agency was at risk of disclosing that information. The exchange of the information between units within the Agency could, in my view, constitute disclosure. The Agency has acted prudently in separating the information from KJ's general file. The Agency should ensure that there is not further disclosure of the psychological information in contravention of IPP 12.
In AQK the Tribunal referred to the 'disclosure within an agency' issue as set out at paragraph 40 above. AQK also referred to KJ at paragraph 48.
48. The Respondent conceded that in the case of large public sector agencies consisting of specialised units, the exchange of personal information between units may constitute disclosure: KJ v Wentworth Area Health Service [2004] NSWADT 84 at [48]-[50]. I do not accept that in this matter the information was of such a confidential nature that it is reasonable to describe the manner in which it was disseminated as disclosure for the purposes of s.18.
The question is whether the information being internally disclosed was of a sufficiently confidential nature so as to depart from the collection and use principles to the extent that it amounted to disclosure for the purpose of section 18.
[8]
Consideration
In determining the basis of the use of the personal information, an agency needs to examine the basis for the collection of that personal information. JD v NSW Department of Health [2006] NSWADT 353 observed the following:
Purpose for which the information was proposed to be used
50 At [45] of its decision, the Appeal Panel pointed out that the concept of 'purpose' is 'an overarching consideration in the scheme of [the PPIP Act] ...'. In this regard the Appeal Panel went on to state that '"purpose limitation" and "purpose specification" are key concepts' in the PPIP Act legislative scheme and went on to specifically refer to the importance of ss.8 and 10 in that scheme. Section 8 provides that a public sector agency must not collect personal information unless it is for a lawful purpose that is directly related to the agency's functions or activities and the collection of that information is reasonably necessary for that purpose and section 10 requiring 'an individual affected by a collection of personal information be made aware, to the extent practicable, of "the purpose for which the information was collected."': see at [46].
51 In respect to s.16 of the PPIP Act, the Appeal Panel said that the requirement of this section focused on the 'purpose' for which the information was proposed to be used and held that in determining what those purposes might be, s.17 was relevant: see at [47]. After referring to the requirements of s.17 and the exceptions thereto as set out in that section and ss.23(4) and 24, the Appeal Panel stated the following at [51]:
52 Read together, s 16 must refer to the same principal purpose that s 17 refers to (i.e. the purpose of collection), and covers any other purpose permitted by the exceptions to s 17 (or granted elsewhere in the scheme of the Act, which could include directions approved by the Privacy Commissioner).
53 As I understand the decision of the Appeal Panel, when considering the 'purpose' for which personal information was proposed to be used, regard must be had to the purpose for which the information was collected and whether it was a lawful purpose as this will also prescribe the 'proposed use' of personal information held by a public sector agency. That proposed use also being subject to the exceptions set out in ss.17, 23(4) and 24 of the PPIP Act.
One of the exemptions cited by the respondent was that the use of the personal information was for a purpose directly related to the purpose for which the information was collected (s 17(b) PPIP Act). The case of KT v Sydney Local Health Network [2011] NSWADT 292 looked at s 17(b). At paragraphs 96 and 97 the Tribunal observed:
96. Section 17 provides -
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
...
97. In my opinion Mr Hughes's use of KD's photographic ID in a statement he made for an internal investigation, into an alleged assault involving KT and another employee of the agency, as a means of identifying KT and the other staff members involved, represents a use of the photographic ID for a purpose directly related to the primary purpose for which it was collected: i.e. the management, supervision and identification by the agency of its staff. That being the case I find no breach of s 17 in the use of the photographic ID for the purposes of the internal investigation.
The case of KD in my view provides a broad interpretation of the provisions when having regard to the scope of the purpose of collection and therefore use. The other examples from the cases above provide a somewhat narrower construction.
The respondent did engage with the request to explain why the applicant's home address (rather than mailing address) was used in respect of the correspondence. In the first correspondence (couriered) the respondent submitted that it was common practice to send important information initially to the official UNSW e-mail address and then to the relevant residential address. As the applicant was on sick leave for much of the relevant period during which the matter of her performance was under consideration, the respondent submitted that access to the UNSW e-mail was probably not available to the applicant.
In addition as the probationary period was soon to expire, there was some urgency in ensuring that the correspondence was promptly brought to the applicant's attention due to the terms and provisions of the relevant Enterprise Agreement relating to the employment of the applicant.
In my view, even though the residential address was initially only recorded on the TFN declaration document, normal HR policies would envisage some means of physically locating an employee in order to check on their welfare/wellbeing in relevant exigent circumstances. Notwithstanding the applicant's understandable and stated reluctance for providing her employer with a residential address, in any event the respondent had collected that residential address (albeit through the TFN Form). The employer had retained all of the information collected through the TFN Form for the purpose of managing their obligations under the Privacy Act 1988 (Cth) and processing the applicant's employment with the University and maintaining the ongoing employment related functions between the parties.
I have considered all of the material and evidence in the current matter, even if not every aspect is referred to in these reasons. The central premise of the respondent is that there was no disclosure for the purposes of the PPIP Act. In addition the respondent submits that the information was used in a manner which does not contravene the purpose for which it was collected, and therefore section 17 of the PPIP Act.
On the contrary, the applicant's position appears to be based on a view that the relevant University staff would have or should have known that she would have objected to the provision of the home address to her supervisor, a person with whom the applicant was involved in an ongoing work issue/dispute. However whether this was the case or not, I note that on the issue of the HR decision to terminate employment prior to the end of the probationary period, there is some clear operational, practical or industrial basis as to why the immediate supervisor should be across any decision made in respect of one of the staff that they were responsible for.
This basis is set out in the evidence of the respondent at Exhibits 'R -1' and 'R -2' and annexures. The fact that an employee of HR provides personal information to an officer outside of HR does not automatically constitute some breach of policy. Most agencies have policies to keep sensitive information (such as medical records, disciplinary findings and outcomes, and performance appraisals etc.) quarantined from the general workplace.
However in certain instances, some sensitive information would ordinarily be received directly in the business centre or workplace where the employee is based. Medical Certificates are an example of such information that is routinely provided directly by staff to their manager/supervisor in the first instance depending on the structure and size of the agency. Various agencies have policies that every 12 months etc. such certificates are forwarded to HR or the central secure repository within the agency.
The views of the applicant, and her evidence concerning her belief that the respondent's officers ought to have known that there would be an objection to the provision of the address to the supervisor, do not in my view constitute a breach of section 17 of the PPIP Act. Nowhere in the evidence is the issue of using the information for another purpose established such as to breach section 17. The respondent's case is that the information is used for the purpose for which it was collected, and its 'back up' position is that it is used for a purpose that is directly related to that (primary) purpose. Neither proposition on my assessment offends section 17.
The issue concerning the respondent's officers being aware of the applicant's views might enliven section 18 (1) (a) if that were applicable. In order for that view to be relevant the Tribunal is required to find that there was a 'disclosure' for the purposes of the PPIP Act.
In the current matter, HR provided one item of personal information (on two occasions) to the applicant's supervisor for stated business reasons. It is both the context and basis of providing that address, and the circumstances of what the respondent employer was trying to achieve, which in my view sanction that use of the information, when one has regard to the relevant legislative provisions, and I so find. I also find that on the basis of the cases outlined above, and an analysis of the facts in the current case, for the reasons outlined above that there has been no disclosure, even of the type contemplated in the case of KJ.
[9]
Conclusion
It therefore follows that on the use and disclosure IPP's there has been no breach of the PPIP Act in respect of the respondent's use of the applicant's personal information.
It also follows that the correct and preferable decision is to affirm the decision of the respondent and to take no further action on the matter.
[10]
Orders
1. The respondent's decision of 19 September 2016 is affirmed.
[11]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
Decision last updated: 09 August 2017