The applicant is a resident of Byron Bay in New South Wales. Until recently, she owned a motor vehicle. She would park it in parking spaces designated by the Byron Shire Council in the main street of the Byron Bay township, and in three carparks operated by the Council there. The Council had provided her with a paper permit, which exempted her from parking fees when parked in these parking spaces. She told the Tribunal that this was of considerable value to her, because she lived in her car, and slept in it at night. She said that a considerable number of the residents of Byron Bay did likewise. Her permit expired on 21 September 2016.
On 13 August 2015, the Council resolved to confirm its intention to implement a 'pay by plate' parking scheme in the township. This meant a registration metered parking scheme, which required motorists to enter their licence plate numbers at the parking meters.
To implement the scheme, Council entered into a contract with Australian Parking and Revenue Control Pty Limited ('APARC'):
1. to supply and install parking meters manufactured by a French firm, PARKEON,
2. to supply handheld devices and associated printers for the use of parking officers, and
3. to supply software for use on those handheld devices, and for administering a web portal for the collection of residents' information in order to exempt them from parking fees in appropriate cases.
On 26 October 2015, the applicant applied in writing to the Council for review of its implementation of this 'pay by plate' parking scheme, exercising her rights under section 53 of the Privacy and Personal Information Protection Act 1998 ('the Act'). She complained, in summary:
1. that the scheme involved the collection of personal information, being licence plate numbers, names, addresses, credit card details and Centrelink numbers;
2. that APARC and PARKEON had access to this personal information and could disclose, or otherwise use, the data as they wished,
3. that the personal information collected was also disclosed to the State Debt Recovery Office ('SDRO') for the purpose of collecting fines, and
4. that possession of the personal information by Council enabled it, and APARC and PARKEON, to conduct surveillance by tracking the movements of Byron Bay residents who parked there.
In her application, Ms DAB warned the Council that, unless it ceased to operate the new scheme, and reverted to the former metered parking scheme, under which motorists obtained permission to park by entering coins in parking meters, she would take legal action.
On 20 November 2015, Ms DAB commenced these proceedings, seeking review by the Tribunal of Council's conduct in implementing the pay parking scheme, and other matters.
On 19 January 2016, after striking out parts of her application, the Tribunal remitted the matter to the Council for internal review pursuant to section 65(1) of the Administrative Decisions Review Act 1997.
On 23 August 2016, the Council issued a decision on internal review. The applicant had in the meantime made written submissions to Council in support of her complaints about the new parking scheme. Her submissions were addressed by Council in its reasons for decision. The Council determined - at least by implication - that it had not contravened any of the information protection principles set out in Division 1 of Part 2 of the Act.
Ms DAB is aggrieved by that decision, and applies to the Tribunal for review of the Council's conduct. Section 55(1) empowers the Tribunal to review the conduct the subject of her application for internal review dated 26 October 2015. Though Ms DAB described APARC and PARKEON as 'global' in that application, she did not complain that data was transmitted overseas. For that reason, it is not within the power of the Tribunal to review Council's conduct in transmitting information to servers in France and New Zealand, mentioned below.
The applicant set out her arguments in written submissions produced to the Tribunal (Exhibit G). These were comprised of a series of rhetorical questions, designed to demonstrate which information protection principles had been breached by Council, and how. The Tribunal has had to deduce her arguments from these questions. Doing its best, the Tribunal understands that Ms DAB argues as follows:
1. By requiring residents to enter their licence plate numbers into its parking meters for parking purposes, Council collected their 'personal information' as defined in section 4 of the Act, because that information, when compared with other information in the possession of Council, APARC or PARKEON, was capable of identifying the resident.
2. In collecting licence plate numbers in this way, Council contravened section 8(1) of the Act, because:
1. the licence plate numbers were not collected for any lawful purpose, and were in fact collected for an unlawful purpose - namely, for conducting surveillance; and
2. it was not 'reasonably necessary' for the conduct of a pay parking scheme to collect this information. She says the old scheme in which people paid for parking by placing coins in a meter was perfectly satisfactory, and did not require the collection of licence plate numbers.
3. Council collected licence plate numbers in this way by 'unlawful means' in contravention of section 8(2), because the data was made accessible to 'third parties', in circumstances where a motorist was provided with no other means of parking except by entering the data in the meter. The applicant did not identify the 'third parties' in her written submissions. As the only third parties mentioned are those referred to in her original application for review - APARC, PARKEON and SDRO - the Tribunal interprets the phrase 'third parties' wherever used in the submissions as a reference to those entities.
4. Council breached section 10(c) by failing to warn persons entering the information that it would be readily accessible by APARC, PARKEON and the SDRO. As no other information is specified, the Tribunal understands this to be a reference to the licence plate information entered into parking meters.
5. Council breached section 10(d) by failing to warn persons entering the information as to whether the entry was required by law or voluntary, and any consequences for failing to provide it. For the same reasons as above, the Tribunal understands this to be a reference to licence plate numbers entered in parking meters.
6. Council breached section 10(f) by failing to warn persons entering the data of the name of the agency by which it is being collected and by which it was to be held. For the same reasons as above, the Tribunal interprets this as a reference to licence plate numbers entered in parking meters.
7. Council breached section 12(d) by failing to do everything reasonably within its power to prevent unauthorised use or disclosure of the information (licence plate numbers) by APARC, PARKEON and the SDRO.
In summary, the respondent replied as follows:
1. Licence plate numbers entered into parking meters are not personal information, because they cannot be compared with other data held by Council to identify the individual. The parking meters merely interrogate a database of exemption holders held on a server in Paris. They do not store the licence plate numbers. If the licence plate number is not in the database, payment is required, and the licence plate number is retained on the server. The software used by Council does not compare the licence numbers on the Paris server with other identifying data held by Council.
2. Council does not use the licence plate numbers entered in parking meters for the purpose of surveillance, and does not have the capability to do so.
3. Licence plate numbers are collected for a lawful purpose - that is, for the purpose of operating a registration metered parking scheme of the kind that Council is authorised to operate. The operation of such a scheme is a function or activity of Council, and the collection of these numbers is directly related to that function, and is reasonably necessary for that purpose.
4. When a vehicle is parked without authorisation at a meter, a parking officer uses a hand held device to transmit the licence number to the SDRO. However, that number is not obtained from the individual concerned, or from the parking meter, but rather from the parking officer, who observes the licence plate in the course of his or her duties.
5. The licence plate entered into a meter is not transmitted to any third party. Transmission of that data to a server in Paris is not transmission to a third party, because that server, or that part of it on which the data is stored, is controlled by Council.
6. Council has done everything reasonably within its power to prevent unauthorised use of its data by APARC, which has access to data only for the purpose of maintenance of the parking system at Council's request.
In other written submissions, the applicant alleged breaches of section 12(a), (b) and (d), section 17(a), (b) and (c), and section 18(1)(a), (b) and (c).
The information and Privacy Commissioner provided helpful submissions on whether the information collected was personal information as defined in the Act, among other things. It is not in dispute that information collected on the Council's web page constituted personal information. At issue is whether the licence plate numbers, when entered in parking meters, constituted personal information. The Commissioner's submissions are considered below.
The issues for determination may be summarised as follows.
1. Whether, in requiring motorists to enter their licence plate numbers in a parking meter under the paid parking scheme, Council was collecting 'personal information' as defined in section 4 of the Act.
2. Whether it contravened section 8(1) by collecting that information at parking meters otherwise than for a lawful purpose, or collecting it for an unlawful purpose - namely, surveillance - and whether the collection was not reasonably necessary for the conduct of a pay parking scheme: section 8(1)(a) and (b).
3. Whether the licence plate numbers were accessible to APARC, PARKEON or the OSDR and, if so, whether this rendered the means by which the data was collected unlawful, in contravention of section 8(2).
4. Whether Council failed to inform persons entering their licence plate numbers at parking meters that the information was being collected, the purpose of its collection, and that they were entering it into APARC software, rendering it accessible to APARC, PARKEON and the OSDR, in breach of section 10(a), (b) or (c).
5. Whether Council failed to inform persons entering their licence plate numbers at parking meters as to whether the information was required by law or voluntary, and any consequences of failing to provide it, in breach of section 10(d).
6. Whether Council failed to inform persons entering their licence plate numbers into parking meters as to the name of the agency requiring the information and by which it would be held, in breach of section 10(f).
7. Whether Council kept that licence plate data longer than was necessary, failed to dispose of it securely, failed to take reasonable safeguards to protect it, or failed to do everything reasonably within its power to prevent its unauthorised use or disclosure, contrary to section 12.
8. Whether Council used that licence plate information for a purpose other than that for which it was collected, in breach of section 17.
9. Whether Council disclosed that information to a person or other body in breach of section 18(1).
[2]
Legislation
The information protection principles set out in Division 1 of Part 2 of the Act apply to public sector agencies: section 20(1). It is common ground that the respondent Council is a public sector agency.
A public sector agency 'must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency': section 21(1).
The information protection principles relied on by the applicant in her written submissions are set out below. Section 8 provides:
[3]
8 Collection of personal information for lawful purposes
(1) A public sector agency must not collect personal information unless:
(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b) the collection of the information is reasonably necessary for that purpose.
(2) A public sector agency must not collect personal information by any unlawful means.
Section 10 relevantly provides:
[4]
10 Requirements when collecting personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following:
(a) the fact that the information is being collected,
(b) the purposes for which the information is being collected,
(c) the intended recipients of the information,
(d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e) the existence of any right of access to, and correction of, the information,
(f) the name and address of the agency that is collecting the information and the agency that is to hold the inform
Section 12 provides:
[5]
12 Retention and security of personal information
A public sector agency that holds personal information must ensure:
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
Section 17 provides:
[6]
Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
Section 18(1) provides:
[7]
Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
[8]
Applicant's evidence
The applicant represented herself. She did not give a statement or formal oral evidence, but addressed the Tribunal by making oral and written submissions. Her advice to the Tribunal as to the nature of the pay parking scheme was consistent with the Council's more detailed evidence as to its nature, which is considered below. Except where indicated below, I have accepted Council's evidence as to the nature of the scheme as accurate.
She told the Tribunal that she had refrained from applying for exemption under the new scheme, due to concerns about the transmission of her personal information to third parties, once entered on the Council's web portal. She said the requirement to enter licence plate numbers in parking meters also raised the following concerns:
1. Residents' licence plate numbers constituted personal information, which was being made available not only to Council but also to APARC and PARKEON, which is a French firm.
2. This data, when compared with other data in the possession of Council, APARC and PARKEON, was capable of identifying the residents concerned.
3. It could be used to track the movements of residents - particularly those who, like herself, lived in their cars.
4. The data was being collected without safeguards to prevent its misuse by third parties for purposes other than conducting the pay parking scheme.
5. Collection of this information was unnecessary for the operation of a parking system. As she pointed out, paid parking systems in the past had required only the entry of coins at the meter.
[9]
Council's evidence
The Council gave evidence by way of statements made by its officers and contractors. That evidence is summarised below.
[10]
Mr Bentley
Mr Bentley was the General Manager of APARC. He gave evidence by way of affidavit. He said that APARC was an Australian company, and that PARKEON was a French corporation. APARC, he said, had contracted with PARKEON to 'supply and distribute PARKEON parking solutions which include PARKEON pay parking metres [sic] and pay parking meter programming in Australia and New Zealand'. The two companies, he said, did not have any shareholders or officers in common.
He said that APARC had contracted with Council to supply, install and implement the Council's pay parking scheme, and to maintain the parking meters and software. He said the contract included a term that APARC would not disclose to any third party any information provided to it by Council.
He said the software was comprised of three separate programs - one for enforcement, one for parking, and one for the issue of permits. He said the three programs shared only one data item - licence plate numbers. Other data was entered by persons applying for exemption from parking fees, but that data was not accessible by persons using the enforcement program or the parking system program.
He described in the following way how the three programs operated. He said the exemption program was licenced to the Council by APARC. An applicant for exemption from parking fees was required to enter their data into Council's web portal. From the evidence of Mr James (below), that data included their name, licence plate number, address, phone number, and other data. Council's web portal, said Mr Bentley, was driven by software licenced by APARC to the Council, but was managed and controlled by Council.
The data so entered would be transmitted to and stored on a secure server in New Zealand. He said the information was 'hosted' on the server by a third party.
From that evidence, it is likely that the server was owned or operated by the hosting party. From the evidence of Mr Bellamy, considered below, it seems the hosting party was A D Riley Pty Limited, a New Zealand company. Mr Bentley said the hosting party did not access, use or disclose any information on its server. He said the server was 'controlled by Byron Shire Council'.
He said that the data stored on the server is not 'seen by APARC', save for the purposes of 'support'. He said he was the only officer of APARC with access to the data, and that his access was strictly limited to that required for support and maintenance at Council's request. He noted that his access was recorded in a computerised audit trail available to Council. He said that APARC does not receive, collect, hold, see or store any personal information provided to it by Council in respect of parking exemptions.
He denied that the PARKEON meters receive any information apart from licence plate numbers.
He explained that, once a person obtains a parking exemption by entering the required personal information on Council's web portal, the licence plate number was transferred to a database held on a Parking Rights Management server in France. From Council's submissions at hearing, it seems the server was located in Paris. He did not say who owned the server. From the evidence of Mr Bellamy (below), it seems the Paris server was owned by PARKEON itself.
Mr Bentley said that APARC had 'a commercial agreement with the server to non-disclosure of any information on the server including vehicle registration numbers'. I do not accept this evidence literally. It is not possible to contract with an object. I interpret Mr Bentley to mean that APARC had contracted with PARKEON on terms that PARKEON would not disclose information on the server.
He said that, when a motorist enters a licence plate number into a parking meter in Byron Bay, the meter interrogates the Paris server to determine whether the number is on the database held there. The meter does not store the licence plate number. It follows, he says, that the meter cannot be 'hacked' to reveal the licence plate numbers entered. He says that personal information cannot be obtained from the Paris server, because it contains only licence plate numbers, and no data identifying persons associated with those numbers.
He admitted that the Paris server retains the registration numbers of vehicles which have been entered into the parking meters.
He said that APARC supplied handheld Android devices with associated printers for the use of Council's enforcement officers. He said that once an infringement was recorded by an officer on the device, the licence plate number was sent to the SDRO for enforcement purposes. It is an inescapable inference that details of the offence, including at least the penalty amount, are also sent to the SDRO. That office otherwise could not collect the penalty. It is possible that other data is transferred to SDRO as well, but the evidence is silent on that point and it is not possible to make any findings on it.
Notwithstanding Mr Bentley's evidence that APARC contracted with PARKEON to supply and distribute their parking meters and software programs, Mr Bentley said that PARKEON has not supplied any of the software licenced by APARC to Council, and has no connection with it. From the evidence of Mr Bellamy (below), it seems that the software programs were provided by A D Riley Pty Limited.
Mr Bentley's evidence was uncontradicted, except his evidence that the three software applications were licensed to Council by APARC. That was contradicted by the evidence of Mr Bellamy (below), who said it was licenced to Council by A D Riley Pty Limited. As nothing turns on it, it is sufficient to find that the A D Riley's TicketOr software was licenced by it to Council, either directly, or through APARC as intermediary. Except to the extent indicated above, I accept the remainder of Mr Bentley's evidence as accurate.
[11]
Mr Bellamy
Mr Bellamy is the Group Counsel - Corporate Strategy Advisor of APARC. He gave written evidence by way of an affirmation. He also gave oral evidence.
In his statement, he explained that Mr Bentley had left his employment with APARC on 18 August 2016, and that his ability to access Council's data had ceased on 6 July 2016. His duties have since been discharged by Mr Bellamy and others at APARC. Mr Bentley has returned his laptop computer to the company.
Since 6 July 2016, Mr Bellamy said, Council has not requested APARC's support in respect of the pay parking scheme, so it has not been necessary to authorise an alternative employee to access Council's data. That can be done if Council requests it, he said.
In oral evidence, Mr Bellamy said as follows:
1. The server in Paris was owned by PARKEON.
2. That portion of the server on which data was stored relevant to the pay parking scheme was licenced to Council.
3. No persons other than Council have access to that portion of the server which stores Council's data.
4. The licence contract obliged PARKEON not to access or disclose Council's data.
5. The PARKEON parking meters contained an operating system, but were not fitted with TicketOr software.
6. The meters and their operating systems were owned by Council.
7. Once a parking meter had collected and used a licence plate number in order to interrogate the Paris server, it deleted the number from its system.
8. The TicketOr applications, and the licence exemption software, were licensed to Council by A D Riley Pty Limited, a company registered in New Zealand.
Mr Bellamy was cross examined, but did not resile from his evidence. I accept it as accurate, save that for the reasons given, I cannot determine whether the TicketOr software applications were licenced to Council by A D Riley Pty Limited directly or through APARC as intermediary.
[12]
Mr Brodie
Mr Brodie was Council's Community Enforcement Officer. He gave evidence by way of a statement.
He explained that a parking officer who identified a vehicle bearing chalk marks could open the application on their handheld Android device, and enter the licence plate number. The application was called, 'TicketOr'. At that point, the application would reveal whether the licence plate number was associated with an exemption from parking fees, whether it was associated with a resident, or whether a parking fee had been paid and, if so, in respect of what period. If an exemption did not apply and the period in respect of which payment had been made had expired, the officer would enter the details of the parking violation in dialogue boxes displayed by the application. He or she would then print a ticket, and place it on the vehicle's windshield.
Mr Brodie's evidence was uncontradicted, and I accept it as accurate.
He did not reveal how the TicketOr application derived the information as to whether an exemption applied, or whether payment had been made and, if so, in respect of what period. In the absence of evidence that that information was stored anywhere except on the Paris server, it is likely that the TicketOr application, like the software in the parking meters, interrogated the Paris server to determine whether the licence plate number was included in the database of exempt numbers, whether payment had been made for parking and, if so, in respect of what period.
[13]
Mr James
Council's employed solicitor, Mr James, gave evidence by way of affidavit. He said that on 13 August 2015, Council had resolved to confirm its intention to implement a pay parking scheme within the Byron Bay township, and that on 1 October 2015 it awarded the tender for parking meters and a parking management system to APARC.
By letter dated 30 October 2015, Council informed residents with existing parking coupons (including the applicant) that it was introducing the new pay by plate parking system. It invited those residents to apply for exemption from payment under the new scheme by accessing Council's web page and entering the parking coupon number, licence plate number and other details. It indicated that, once the data was entered, the resident could park without charge. The letter continued:
The information you have provided to Council will be submitted to our third party suppliers who have been contracted to implement the pay parking scheme, this is required so that the pay parking machines recognises [sic] your vehicle is valid.
Mr James said that the pay parking scheme commenced operation on 23 December 2015. To obtain an exemption from payment, a resident was (and still is) required to enter their name, address and phone number onto a webpage published by the Council. They were then directed to another page and required to enter their licence plate number, and to upload a scanned copy of documents evidencing their eligibility for exemption.
In Ms DAB's case, Ms DAB said and the Tribunal accepts, that meant uploading a copy of her Centrelink card.
Mr James continued that, for any applicant not wishing or perhaps not able to access the Council's web page themselves and enter their data, Council staff would do it for them at the counter, after the applicant had provided all necessary information by filling out a form in hard copy. That information was then archived by Council.
It was not in dispute that the data entered on the web page would instantly be transmitted to New Zealand, where it was retained on a server, while the registration number was transmitted to a server in Paris, for inclusion in the database held there.
At some stage, Mr James said, the information entered by the applicant for exemption would be reviewed by Council's Pay Parking Officer. If the resident qualified for exemption, no action would be taken. If they did not, their registration number would be removed from the database in Paris.
Mr James said this 'online exemption application system is managed and controlled by the Council using software licenced by the Council from APARC'. The name, address, phone number and scanned details entered on the web page, he said, was collected solely for the purpose of assessing and approving an exemption application. Licence plate numbers were collected and retained only for the purpose of enabling Council to ascertain whether a particular vehicle was the subject of an exemption. Email addresses were obtained, he said, for the purpose of alerting exemption holders about updates and when their exemption was in need of renewal.
Where a resident entered their credit card details for the purposes of payment for the exemption, they did so on a separate web page, and those details were not received or retained by Council. No allegation is made to the contrary.
He said that the information entered by residents on Council's web page was held by Council in software called TicketOr, which was licenced to the Council by APARC. A number of authorised Council officers had access to the data.
Mr James denied that Council used any data which it collected for the purpose of surveillance, or that it had the capacity to do so. He did not explain why the Council lacked that capacity, in circumstances where it held information on the New Zealand server matching the licence plate numbers with the names of residents who had applied for exemption on Council's web page as above, but for reasons given below, I have concluded that his opinion in this respect is probably correct.
There is no evidence that Council in fact used the licence plate number to conduct surveillance, and I am not satisfied that it did.
Mr James' evidence is uncontradicted, and I accept it as accurate.
[14]
Decision on internal review
Council's internal review was dated 23 August 2016. In its reasons for decision, it explained the source of its power to operate the pay parking system in the following way.
Clause 60(1) of the Road Transport (General) Regulation 2013 provided that a parking authority (including the Council) 'may establish and operate metered parking schemes for any road within its area of operations'.
Clause 61 of the Regulation empowered the Council to 'set aside the whole or any part of a road in its area of operations as a metered parking area'. Clause 3(1) of the Regulation provided that 'metered parking area' had the same meaning as in Rule 207-1 of the Road Rules 2014, published pursuant to section 23 of the Road Transport Act 2013.
Rule 207-1 defined 'metered parking area' to mean 'an ordinary metered parking area or a registration metered parking area'. It defined a 'registration metered parking area' to mean 'a parking area designated by one or more permissive parking signs where information on or with the sign includes both the word "METER" and the word "REGISTRATION"'.
Clause 62 of the Regulation relevantly provided:
[15]
62 Parking meters (cf STM Reg, cl 99)
(1) The parking meter for a metered parking space must indicate:
…
(d) in the case of a metered parking space for a registration metered parking area - that the registration number of the vehicle must be entered for use of the parking space.
Road Rule 207-1(8) provides:
[16]
(8) Driver must enter registration number and pay relevant parking fee for registration metered parking area
A driver must not park in a metered parking space for a registration metered parking area without:
(a) entering the registration number of the vehicle into the parking meter for the space, and
(b) paying the relevant parking fee for the space for at least the minimum period of time for which parking in the space must be paid for.
There was no direct evidence as to the instructions displayed on a PARKEON meter. However, Council asserted that it would be readily apparent to any motorist required by the meter to make payment to the meter and to enter their licence plate number that the latter information was being collected for the purpose of determining whether or not they were required to pay for parking and to record the fact that they had paid, if that was the case.
In its reasons, Council said that from 14 July 2016 persons with exemptions were no longer required to enter their licence plate numbers at the meter. That assertion was unchallenged, and I accept it as accurate.
[17]
Consideration and findings
Having regard to the material above, I am satisfied of the following:
1. On 13 August 2015, the Council resolved to confirm its intention to implement a pay by plate parking scheme in the township.
2. Until then, it had operated a metered parking scheme, and had issued exemptions to eligible residents including Ms DAB, by way of a paper permit. It is a reasonable inference that Council was in possession of the names and licence plate numbers of its permit holders in order to administer their exemptions under the metered parking system, and I draw that inference.
3. For the purpose of the new pay by plate parking scheme, Council contracted with APARC to supply, install and maintain parking meters manufactured by French firm, PARKEON, to supply hand held devices and associated printers for the use of its parking officers, and to supply and implement three software programs. The software programs were licenced to Council by A D Riley Pty Limited of New Zealand, either directly or through APARC.
4. On 30 October 2015, the Council advised its existing permit holders, including Ms DAB, that it was about to commence a new pay parking system, and that if they wished to be exempt from parking fees, they must enter their names and other details into a web portal, and that this information may be disclosed to:
'our third party suppliers who have been contracted to implement the pay parking scheme, … so that the pay parking machines recognises [sic] your vehicle is valid'.
1. There is no evidence that Council similarly informed persons who did not hold a permit.
2. Ms DAB did not apply for exemption under the new scheme, because she was concerned that her personal information would be disclosed to third parties. Her exemption by way of paper permit continued until its expiry on 21 September 2016.
3. The new pay parking scheme commenced operation on 23 December 2015.
4. Under the new scheme, persons wishing to obtain exemption from parking fees were required to enter their name, address, licence number and other personal details into a web page operated by Council. The data was either entered directly by the person seeking exemption, or by a Council officer on their behalf after they had filled out a form with the information required. That form was stored by Council.
5. The software licenced to Council by A D Riley Pty Limited (either directly or through APARC) caused all the data entered into the portal to be transmitted to a server in New Zealand. The server, of at least such part of it as contained Council's data, was operated by Council, though the server itself was owned by A D Riley Pty Limited.
6. The software which powered the web page would also cause the licence plate numbers to be transmitted to a server in Paris owned by PARKEON. The server would add the numbers to a database of exempt licence plate numbers located on the server.
7. That part of the Paris server on which Council's data was stored was licenced by PARKEON to Council. PARKEON was contractually obliged not to access or disclose Council's data.
8. No persons other than Council had access to Council's data stored on the Paris server.
9. From 23 December 2015, all motorists wishing to park their cars in a registration metered parking space were required to enter their licence plate number into the PARKEON parking meters, even if they were exempt under the old or new parking schemes.
10. From 14 July 2016, exemption holders under the new system - that is, persons who had entered their data into Council's web portal - were no long required to do so.
11. Council says, and I accept, that Ms DAB, likewise, was not required to enter her licence plate number in parking meters from 14 July 2016. This implies that licence plate numbers of permit holders under the old system were included on the database of exemption holders stored on the Paris server. It is difficult to see how the new system could otherwise have catered for permit holders under the old system. As Ms DAB agreed that her exemption remained in effect until 21 September 2016, I am satisfied that Council continued to honour her exemption under the new system, and that it did so, in all likelihood, by including her licence plate number, and the licence plate numbers of all continuing permit holders under the old system, in the exemption database held on the Paris server.
12. Once a licence plate number was entered into a parking meter, the meter's operating system would interrogate the Paris server as to whether that number was included in the database of exempt numbers. If it was, the meter would not require payment. If it was not, the meter would require payment.
13. If payment was made, the meter would transmit data to the Paris server indicating the licence plate number entered, the time at which the payment was made, and in respect of what period. The evidence does not reveal whether it also transmitted the amount paid, and it is unnecessary to decide whether it did.
14. The Paris server stored data including the licence plate number, the time at which the payment was made, and in respect of what period.
15. There is no evidence that the Paris server recorded the interrogations by parking meters in respect of particular licence plate numbers. It follows that there is no evidence that the Paris server recorded when or where the cars of exemption holders were parked, or even whether interrogations had been made in respect of those cars.
16. No information was retained by, or stored in, the parking meter.
17. TicketOr software was installed on the hand-held devices which APARC supplied for use by parking officers. This software was licenced to Council by New Zealand firm, A D Riley Pty Limited, either directly or through APARC.
18. When a parking officer entered the licence plate number of a vehicle, the software would interrogate the Paris server to determine:
1. whether the number was included in the database of exempt numbers and,
2. if not, whether payment had been made, when, and in respect of what period.
1. If the licence plate number was not included in the exemptions database, and payment had not been made for parking at the time when the parking officer made the query, the officer would select the infringement type and fine on the hand held device. The TicketOr software would cause that information to be transmitted to the SDRO for enforcement. There is no evidence that data was transferred to the SDRO apart from the nature of the offence and the licence plate.
2. Clause 61 of the Road Transport (General) Regulation 2013 empowered the Council to set aside a 'registration metered parking area' as defined. It exercised this power by setting aside such an area along the main street of Byron Bay, and the three Council carparks there, and by implementing the pay by plate parking scheme in that area.
3. Council collected licence plate numbers from motorists by requiring them to enter them in parking meters. It did so solely for the purpose of operating the pay parking scheme.
4. It collected the names, addresses, licence plate numbers and other data of persons applying for exemption from parking fees solely for the purpose of issuing and administering exemptions from parking fees as part of its pay parking scheme.
5. The collection of licence plate numbers and other information, by means of parking meters and Council's web page, was reasonably necessary for the operation of the metered pay parking system implemented by Council, because the system was designed to operate by identifying plate numbers which were exempt and those which were not, and charging only the latter.
6. The collection of licence plate numbers was reasonably necessary for this purpose, even if other parking systems could or have been devised that do not require the entry of licence plate numbers into parking meters.
7. Council did not collect or use licence plate numbers, names, addresses, phone numbers or any other data in connection with the pay parking scheme for the purpose of conducting surveillance.
8. It is not in issue that the former parking scheme conducted by Council was a metered parking scheme, and that the paper permit held by Ms DAB had been issued to her when that scheme was current, though it continued in operation until September 2016.
Having regard to these findings, the issues for determination are considered below in turn.
[18]
Whether licence plate numbers were 'personal information'
'Personal information' is defined in section 4 of the Act to mean:
Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
As I have found, from 23 December 2015 to 1 April 2016, Council required all motorists (including the applicant) parking in its designated spaces to enter their licence plate numbers in its parking meters. It has continued to require motorists to do so, unless their licence plate numbers are held in the exemptions database on the Paris server.
Through the operation of its parking meters, Council has been using the licence plate data entered in this way:
1. to interrogate the exemptions database on the Paris server and,
2. if payment is made, to transmit the licence plate number for storage on the Paris server together with the time at which payment was made and the period in respect of which parking is authorised.
A person's name and address are primary forms of personal information, enabling identification of the person concerned directly: WL v Randwick City Council [2007] NSWADTAP 58.
It is common ground that the data entered into Council's web portal is personal information, because it includes the name and address of each exemption holder as well as their licence number. The issue for determination is whether the licence plate number alone, when entered in a parking meter, is 'personal information'.
Ms DAB contends that it is personal information, and that its collection by Council enables it to conduct surveillance by determining who is parking where, and when. The Information and Privacy Commissioner also submits that it is personal information, because at the times when she entered her licence plate number in the parking meters, up to April 2015, the Council held other data which enabled it to identify Ms DAB from the licence plate number.
If, together with other information known to or reasonably accessible by the recipient, information about an individual is capable of identifying the individual, it is personal information: Office of Finance and Services v APV and APW [2014] NSWCATAP 88.
Whether a vehicle registration number constitutes personal information of a motorist depends on whether it is information 'about an individual' and, if so, whether the Council holds, or has reasonable access to, other information in relation to that motorist, which together with the licence plate number enables it to identify the motorist.
As I have found, when a motorist who is not exempt makes payment at a meter, their licence plate number and other details are transmitted to and stored on the Paris server. That server also held a database containing the licence plate numbers of all exemption holders, under the new and old schemes. Council controls the Paris server and has access to the data on it. It also has access to the New Zealand server. That server stores data matching the licence plate numbers of exemption holders with their names.
The persons who entered their licence plate numbers into parking meters between 23 December 2015 and 1 April 2016 fell into three categories.
1. Persons who were not exempt, and who were required to pay.
2. Persons who held exemptions under the new scheme.
3. Persons who held 'paper permits' under the old scheme, and whose exemption continued under the new.
Since 1 April 2016, the only persons required to enter their licence plate numbers into meters are those in category (1) - non-exempt persons.
In respect of that category - non-exempt persons - there is no evidence that Council has, or ever had, access to data matching their identities with their licence plate numbers. For that reason, I am not satisfied that the licence plate numbers of persons in category (1), when entered into Council's parking meters, constitute 'personal information'.
In respect of persons in categories (2) and (3) - that is, exemption holders under the new and old schemes respectively - no payment has been required since the new scheme began on 23 December 2015. Therefore, no details of payments associated with their licence numbers can have been transmitted to the Paris server, or stored on it. The only use made by a parking meter of their licence numbers, when entered, was to interrogate the Paris server.
No data, including licence plate numbers, was stored on the meter. There is no evidence that the Paris server stored a record of the interrogations made of it by parking meters in respect of exempt persons. Even if it did keep a record, there is no evidence that it logged these interrogations in a way that enabled someone accessing the data to determine what licence plate numbers had been the subject of each interrogation. In the absence of evidence of such a record, it is unlikely that Council could compare the licence plate number the subject of the query with either the identifying data it held on the New Zealand server (in respect of exemption holders under the new scheme) or the details it undoubtedly held in respect of exemption holders under the old scheme. In those circumstances, I cannot be satisfied that the identity of an exemption holder could, as a practical matter, 'reasonably be ascertained from the information', whether by comparison with the other data held by Council or otherwise.
For those reasons, I am not satisfied that the licence plate numbers of exemption holders under the new or old schemes, or of other motorists, when entered into the Council's parking meters, constituted 'personal information' as defined in section 4.
As indicated, to fall within that definition, information must be 'about an individual'. It is not self-evident that a licence plate number, when entered into a meter without any other data, is necessarily information 'about an individual'. Because the point was not argued by the parties, it has been unnecessary to consider it, and I make no findings in respect of it.
The breaches of the privacy principles alleged by Ms DAB all rely on the proposition that licence plate numbers entered into parking meters constituted 'personal information'. As I have found that they were not, Council cannot have breached any of the privacy principles concerned by collecting licence plate numbers through its meters.
Even if, contrary to what I have found, the licence plate numbers entered into parking meters did constitute 'personal information', I would not be satisfied that it breached the privacy principles as alleged, for the reasons which follow.
[19]
Section 8(1)
Section 8(1) prohibits agencies from collecting personal information except for a lawful purpose that is directly related to a function or activity of the agency', where the collection is reasonable necessary for that purpose.
I have found that licence plate numbers were collected in parking meters for a 'lawful purpose' - namely, for the purpose of operating a 'registration metered parking area' which Council was authorised to set aside by Clause 61 of the Road Transport (General) Regulation 2013. The operation of this parking area was both a function and an activity of Council. The collection of licence plate numbers was directly related to that function and activity. It was reasonable necessary for that purpose, because the entry of the licence plate number at the meter enabled the meter, after interrogating the Paris server, to inform the motorist whether payment was required or not. It was reasonable to collect at the meter the plate numbers of persons who were not exempt, and of persons who were exempt under the old and new schemes, in order for the meter to determine whether to require payment.
As I have found, licence plate numbers were collected at the meter from exemption holders under both schemes, in order to interrogate the Paris server to determine whether their numbers were on the database there. It became unnecessary to collect that data from exemption holders after 1 April 2017. It is not clear why, though one possibility is that Council was ultimately content to rely on its parking officers' interrogation of the Paris server using their hand held devices. Whether that is so or not, for the reasons already given, the collection of that data at the meter was for a lawful purpose, and directly related to a function or activity of Council, and reasonably necessary for the purpose.
For those reasons, section 8(1) was not breached.
[20]
Section 8(2)
Section 8(2) prohibits an agency from collecting personal information by any unlawful means. Even if the data constituted personal information, there was nothing unlawful about the means by which Council obtained it. It was authorised by law to set aside a registration metered parking area and did so. It was authorised to conduct the former metered parking scheme. The allegation that Council, in requiring the entry of licence plate numbers in meters by exemption holders under the former and current schemes, or by non-exempt persons, collected this data by unlawful means is without basis. I am not satisfied that there can have been any breach of section 8(2).
[21]
Section 10(a), (b) and (c)
Section 10(a), (b) and (c) require an agency which collects personal information to make the persons from whom it is collected aware that it is being collected, the purpose of collecting, and the intended recipients of the information.
The applicant says that the intended recipients were to PARKEON, APARC and the SDRO.
Notwithstanding the terms of Council's letter to permit holders dated 30 October 2015, I am not satisfied that Council ever intended to provide licence plate numbers to PARKEON or APARC, or that it ever did so. It used PARKEON's Paris server to store some data, but ensured that PARKEON was contractually obliged not to access it. There is no evidence that PARKEON ever accessed it, or even that it possessed the applicable passwords or other security clearances needed to do so. In storing the data on the Paris server, Council was using a storage facility provided by PARKEON. PARKEON was not a 'recipient' of the data, because it had no access to it.
Similarly, APARC had no access to any of Council's data except when Council contracted with it to provide support. APARC was acting on Council's behalf whenever it accessed the data to provide support. Any such access would have been access by Council, conducted through its agent. In any event, there is no evidence that APARC accessed the licence plate data on the Paris server, which was derived from the parking meters, and I cannot be satisfied that it did.
I am not satisfied that Council ever intended to, or did, provide the licence plate numbers collected from motorists by its parking meters to the SDRO. On the evidence, it was the parking officers - not the meters - who would transmit licence plate numbers to the SDRO. The parking officers did not collect that data from the individuals concerned, but from their own observations. It follows that section 10 has no application to the actions of Council's parking officers in providing the licence plate numbers of offending vehicles to the SDRO.
Council says that the fact that the meter required the licence plate number to be entered at all constituted a disclosure to motorists that the data was being collected, and that it was being collected for the purposes of administering a parking scheme. That submission has force, and I accept it.
[22]
Section 10(d)
Section 10(d) obliges an agency collecting personal information to inform the person from whom it is collected whether the information is 'required by law or is voluntary, and any consequences of the individual if the information … is not provided'.
There is no evidence as to what instructions or warnings were given on the parking meters. In its absence, it is not possible to determine that Council failed to discharge its obligations under section 10(d).
[23]
Section 10(f)
Section 10(f) obliges an agency collecting personal information, and which intends to hold it, to provide persons from whom it is collected with the agency's name and address. As I have found, the parking meters did not store the licence plate numbers. However, those numbers were stored on the Paris server whenever payment was made.
In the absence of any evidence as to what instructions, or information, were displayed at the meter, it is not possible to determine tht Council failed to comply with its obligations under section 10(f).
[24]
Section 12
Section 12(a) requires an agency to ensure that personal information 'is kept for no longer than is necessary for the purposes for which the information may lawfully be used'. The licence plate numbers of motorists who did not hold exemptions were stored on the Paris server, for parking officers to check at the appropriate time. So, too, were the licence plate numbers of exemption holders, for the same purpose. Even if that was 'personal information', there is no evidence as to how long the data was kept on the Paris server, and it is not possible to make a finding that it was kept for longer than was necessary for the purpose of collecting and enforcing parking fees.
Section 12(b) requires an agency to ensure 'that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information'. Even if the licence plate numbers were personal information, there is no evidence as to whether, how or when they were disposed of. It is not possible to make a finding that they were disposed of in breach of section 12(b).
Section 12(c) requires an agency to ensure 'that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse'. I have found that no one but Council had access to the data on the Paris server, and no data was stored on the parking meters. There is no evidence that APARC accessed the data on the Paris server. If it did, it did so as agent for the Council, and at Council's request, for the purposes of maintenance. There is no evidence that there were any reasonable security safeguards that Council failed to take, in circumstances where it controlled who accessed its data and when. In those circumstances, I cannot be satisfied that it failed to take reasonable safeguards in breach of section 12(c).
Section 12(d) obliges an agency to do 'everything reasonably within the power of the agency … to prevent unauthorised use or disclosure' of personal information it collects, 'if it is necessary for the information to be given to a person in connection with the provision of a service to the agency'. The evidence establishes that APARC, through Mr Bentley, had access to Council's data in connection with the provision of a service - namely, maintenance. There is no issue that the maintenance was 'necessary'. In that circumstance, Council was obliged to everything reasonably within its power to prevent unauthorised use or disclosure of the information.
Mr Bentley gave evidence, and I accept, that APARC was contractually bound not to disclose any information give to it by Council. There is no evidence of any other measures that Council could or should have taken in addition to this strict contractual obligation to protect the security of its data with reference to licence plate numbers. In the circumstances, I could not be satisfied that Council had failed to comply with section 12(d) even if, contrary to my finding, the licence plate data when stored on the Paris server constituted personal information.
[25]
Section 17
Section 17 provides that an 'agency that holds personal information must not use the information for a purpose other than that for which it was collected', except in particular circumstances set out in the section. Even if, contrary to what I have found, the licence plate numbers held on the Paris server constituted personal information, the only use made of that data was for the purpose of administering a metered parking scheme. That was the very use for which the data was collected. It follows that there can have been no breach of section 17.
[26]
Section 18(1)
Section 18(1) provides that an agency which holds personal information 'must not disclose the information to a person (other than the individual to whom the information relates) or other body', except in the circumstances set out in the section. I have found that the licence plate numbers on the Paris server were accessible only to Council. It was not disclosed to PARKEON as owner of the Paris server. Council merely used a storage facility provided by PARKEON. There is no evidence that it was accessed by APARC. Even if it was, APARC was conducting maintenance at the request of Council and as its agent, and its access was strictly logged and under Council's control.
I am not satisfied that Council 'disclosed' the information, in the sense proscribed by section 18, to any person or other body in contravention of that section.
[27]
Section 19(2)
As indicated, the issue as to whether the Council breached section 19(2) -as it stood prior to 1 April 2016 - by transmitting licence plate data to the servers overseas is not properly before the Tribunal, because it was not conduct the subject of the applicant's original application. If it were an issue for determination, I would find that Council did not 'disclose' any data 'to any person or body who is in a jurisdiction outside New South Wales' within the meaning of section 19(2). It did not 'disclose' the data to the owners of the servers, namely PARKEON or A D Riley Pty Limited. It merely stored the data in storage facilities provided by them.
[28]
Findings
For the reasons given, I find as follows in respect of each of the issues for determination:
1. In requiring motorists to enter their licence plate number in parking meters, the Council was not collecting 'personal information' as defined. It follows that the remaining issues need not be determined, but if the situation were otherwise, those issues would be determined as follows.
2. The collection of licence plate numbers at the parking meter by Council:
1. was made for a lawful purpose - namely, the operation of a registration metered parking scheme - and not for surveillance purposes, and
2. was reasonably necessary for the operation of the registration metered parking scheme, including the administration of exemptions held by residents under the old metered parking scheme.
1. The collection of licence plate data at the meters was not done by unlawful means, whether because the data was to be disclosed to third parties or otherwise. The licence plate numbers entered into the meters were not accessible to APARC, PARKEON or the OSDR. On the occasions that APARC accessed Council data, it did so at the request of and as agent for Council. There is no evidence that it accessed data on the Paris server. It cannot have accessed data on the meters, because they did not store data.
2. The requirement by a parking meter that a motorist enter their licence plate number is itself disclosure that the information is being collected for the purpose of administering a parking scheme. For the reasons given, I am not satisfied that Council ever intended to transmit the data to any persons outside the Council. In any event, in the absence of evidence as to what information was given to motorists at the meters, I could not be satisfied that Council failed to inform persons entering the data of the intended recipients.
3. As there is no evidence as to what information was given at the meter, I am not satisfied that the Council failed to inform motorists whether the entering of licence plate numbers was required by law or voluntary, or any consequences of not doing so.
4. For the same reason, I cannot be satisfied that Council failed to provide its name and address at the meter.
5. In the absence of evidence as to when or how the licence plate data was disposed of, I am not satisfied there was a breach of section 12(a) or (b). PARKEON was contractually obliged not to access the licence plate numbers and other data on its Paris server. There is no evidence that APARC accessed that data, but even if it did, on the evidence of Mr Bentley, all such access was logged in such a way to allow Council to audit it. There is no evidence that Council failed to take reasonable safeguards to protect it, or failed to do everything reasonable within its power to prevent unauthorised access, contrary to sections 12(c) or (d).
6. I am satisfied that Council did not use the data for any purpose other than the proper administration of its parking scheme.
7. For the reasons given, I am not satisfied that Council disclosed the licence plate numbers on the Paris server to any third party.
In summary, I have found that the collection of licence plate numbers by the Council at its parking meters in Byron Bay did not attract the operation of the privacy protection principles in sections 8(1), 8(2), 10(a), (b), (c), (d) or (f), 12, 17 or 18 of the Act, because that information did not constitute 'personal information' as defined in the Act.
Even if it did constitute personal information, for the reasons given I could not be satisfied that any of those provisions has been breached by Council.
[29]
Decision
In accordance with the above reasons and findings the decision in this matter is:
1. By requiring motorists to enter their licence plate numbers at its parking meters, the respondent Council did not collect 'personal information'.
2. Even if the licence plate numbers constituted personal information, the collection of that data did not breach the relevant privacy protection principles in sections 8, 10, 12, 17 or 18 of the Privacy and Personal Information Protection Act 1998.
3. The Tribunal determines to take no further action.
[30]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 03 April 2017