DQP v Commissioner of Police, NSW Police Force

NCAT Administrative and Equal Opportunity|2019-06-17

REASONS FOR DECISION

On 22 November 2018 the applicant 'DQP' lodged an application for administrative review with the Tribunal. That application relates to an Internal Review which the applicant sought from the respondent concerning a privacy grievance with the NSW Police Force.
The matter centres around the NSW Police providing a third party with a copy of an Event Report which disclosed the applicant's residential address. The circumstances of the events and what actually occurred between the parties were not the subject of any significant dispute. However the applicant in claiming and pursuing a breach of the privacy legislative provisions, sought review by the Tribunal as he was not satisfied with the Police response.
DQP is the applicant's pseudonym, in that the Tribunal has de-identified the applicant's name from any open reasons consistent with the practice of the Tribunal in privacy reviews. An order under s- 64 (1) of the Civil and Administrative Tribunal Act 2013 (the CAT Act) was also made in respect of the applicant's identity. This is an application for a review of the conduct of the Respondent Public Sector Agency, which was subject to an Internal Review application under Part 5 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act).
The Tribunal has reviewed the conduct which fell within the scope of the Internal Review and for the reasons that follow, finds that there is a breach of an Information Protection Principle (IPP) under the PPIP Act, but decides (consistent with s -55 (2) of the PPIP Act) not to take any action on the matter.

Relevant legislation

Section 53 of the PPIP Act relevantly provides in respect of the Internal Review Process, the following: 53 Internal review by public sector agencies (1) A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct. (1A) There is no entitlement under this section to the review of the conduct of a Minister (or a Minister's personal staff) in respect of a contravention of section 15 (Alteration of personal information). Note. Any such conduct can still be administratively reviewed by the Tribunal. See section 55 (1A). (2) The review is to be undertaken by the public sector agency concerned. (3) An application for such a review must: (a) be in writing, and (b) be addressed to the public sector agency concerned, and (c) specify an address in Australia to which a notice under subsection (8) may be sent, and (d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and (e) comply with such other requirements as may be prescribed by the regulations. (Emphasis added)
Section 18 of the PPIP Act concerns the alleged breaches identified by the applicant, that is the disclosure of his personal information to Mr 'O'. Disclosure concerns a Privacy Principle which under the PPIP Act is referred to as Information Protection Principle (IPP). In the applicant's matter the relevant IPP was IPP 11 which concerns s 18 of the PPIP Act. The applicant alleged some related provisions were breached concerning retention and security of the personal information (IPP 5). Section 18 provides: 18 Limits on disclosure of personal information (1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless: (a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or (b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or (c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person. (2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
Overarching these IPP's is the definition of Personal Information provided for in section 4 of the PPIP Act. Section 4 provides: 4 Definition of "personal information" (1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. (2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics. (3) Personal information does not include any of the following: (a) information about an individual who has been dead for more than 30 years, (b) information about an individual that is contained in a publicly available publication, (c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act, (d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth, (e) information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure, (f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997, (g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry, (h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990, (i) information about an individual that is contained in Cabinet information or Executive Council information under the Government Information (Public Access) Act 2009, (j) information or an opinion about an individual's suitability for appointment or employment as a public sector official, (ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000, (k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection. (4) For the purposes of this Act, personal information is held by a public sector agency if: (a) the agency is in possession or control of the information, or (b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or (c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998. (5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.
The PPIP Act provides that a person who is not satisfied with the findings of an Internal Review or the action taken by the agency, may apply to the Tribunal for an administrative review. (s-55). Following administrative review by the Tribunal a suite of actions are available to the Tribunal under s 55 (2) including to take no action on the matter.
Section 55 relevantly provides: 55 Administrative review of conduct by Tribunal (1) If a person who has made an application for internal review under section 53 is not satisfied with: (a) the findings of the review, or (b) the action taken by the public sector agency in relation to the application, the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53. (1A) A person (the applicant) who is aggrieved by the conduct of a Minister (or a Minister's personal staff) constituting a contravention of section 15 (Alteration of personal information) may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct. (2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders: (a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct, (b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice, (c) an order requiring the performance of an information protection principle or a privacy code of practice, (d) an order requiring personal information that has been disclosed to be corrected by the public sector agency, (e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant, (f) an order requiring the public sector agency not to disclose personal information contained in a public register, (g) such ancillary orders as the Tribunal thinks appropriate. (3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.
There is no dispute that the applicant's residential address is personal information in accordance with s 4 of the PPIP Act. In addition to the disclosure complaint the applicant also complained that the respondent did not keep his personal information safe and secure in accordance with s-12 (c ) - IPP 5. Relevant to these proceedings that section provides: 12 Retention and security of personal information A public sector agency that holds personal information must ensure: (a) … (b) … (c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, (d)…

Internal Review by respondent

Following receipt of the Internal review request the respondent conducted an internal review. In my view the respondent correctly identified the circumstances of the alleged breach as falling outside of their general exemption from the IPP's. Under s 27(1) NSW Police are exempt from compliance with the IPP's other than when engaged in what the statute refers to as 'educative and administrative functions' (s- 27 (2) ).
Section 27 relevantly provides: 27 Specific exemptions (ICAC, ICAC Inspector and Inspector's staff, NSW Police Force, LECC, Inspector of LECC and Inspector's staff and NSW Crime Commission) (1) Despite any other provision of this Act, the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the NSW Police Force, the Law Enforcement Conduct Commission, the Inspector of the Law Enforcement Conduct Commission, the staff of the Inspector of the Law Enforcement Conduct Commission and the New South Wales Crime Commission are not required to comply with the information protection principles. (2) However, the information protection principles do apply to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the NSW Police Force, the Law Enforcement Conduct Commission, the Inspector of the Law Enforcement Conduct Commission, the staff of the Inspector of the Law Enforcement Conduct Commission and the New South Wales Crime Commission in connection with the exercise of their administrative and educative functions.
The circumstances of the current matter were characterised by the respondent in their review in the following way: 4.5 On 28 June 2018, Mr 'O' applied to the NSWPF Insurance Services Unit (ISU) for a copy of Event Report E 67414336. 4.6 On 3 July 2018, the ISU provided to Mr 'O' a redacted copy of E 67414336. On page 5 of the copy your name and address is visible. … 6.3 The ISU is responsible for the provision of Events on a fee for service basis to insurance companies, legal firms and members of the public. The reports provided by the ISU concern incidents which have been reported to the NSWPF and are recorded on COPS.
These circumstances concerning the provision of reports through the ISU, are consistent with the findings of the Tribunal in the case of CTU v NSW Police Force [2017] NSWCATAD 204. At [19] the Tribunal observed: 19. In my view, the provision of criminal history information to a third party for the purposes of a National Criminal History Check or a National Police Certificate, where this is done as part of a routine application, is an administrative function according to the ordinary meaning of the term. On the factual information before me, which I accept, persons may apply to the NSW Police Force for a National Police Check online and may generally receive one upon paying a fee. The processing of such an application is an administrative function, applying the ordinary meaning of "administrative" referred to above. The processing of an application for a criminal records check is also of an administrative nature. In both cases, the administrative functions of the NSW Police Force are exercised. To use the terms of s 27(2) of the PPIP Act, the processing of both is "in connection with" the administrative functions of the NSW Police Force, noting the breadth of the phrase "in connection with".
To the extent necessary I agree that the conduct in question falls within the NSW Police administrative and educative functions consistent with the principle outlined in CTU. As a result the provisions of s 27 (2) are enlivened and the conduct in scope is subject to the IPP's.
The respondent conceded that the disclosure identified at 4.6 of the Internal Review constituted a disclosure in accordance with s 18 of the PPIP Act and therefore constituted a breach of that IPP. However after conceding the breach the respondent determined that the basis of the breach was due to a mistake which they characterised as an 'inadvertent error' at 5.3 of the Internal Review.
This conclusion was based on an observation that the documents released contained an example of the personal information (the address) being redacted, and elsewhere the address was un-redacted where it appeared in the document. This in the respondent's view established an error in the processing of the document including its copying and vetting for release.
As the breach occurred in that context, the respondent (having conceded the breach) offered a formal apology for the breach and decided to review the ISU process generally and have staff undertake revision training on adherence with the PPIP Act, consistent with the Standard Operating Procedures for ISU requests (SOPS).

Administrative review before the Tribunal

The application for review was lodged on 22 November 2019 within the 28 day period provided by s 55 of the Administrative Decisions Review Act 1997 (the ADR Act).
The ADR Act provides, in s 63: 63 Determination of administrative review by Tribunal (1) In determining an application for an administrative review under this Act of an administratively reviewable decision, the Tribunal is to decide what the correct and preferable decision is having regard to the material then before it, including the following: (a) any relevant factual material, (b) any applicable written or unwritten law. (2) For this purpose, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision. (3) In determining an application for the administrative review of an administratively reviewable decision, the Tribunal may decide: (a) to affirm the administratively reviewable decision, or (b) to vary the administratively reviewable decision, or (c) set aside the decision and make a new decision in substitution for the decision.
The Tribunal is required to make a fresh determination with respect to the applicant's application. It is however an administrative review of the conduct (as alleged within scope) and the findings of the respondent following that review. It is a merits review.
In his application the applicant stated that he was: not satisfied with the response and offer from the Police following the Internal Review. This is consistent with my observation at [2] (above) where I note that there was no real factual dispute between the parties about the conduct.

Evidence and Submissions

The Parties filed evidence in the proceedings and the respondent filed written submissions. In written submissions the respondent set out their argument as to why the s 27 exemption did not apply to the conduct, raising the additional ground that the APVO was not sought by NSW Police. This was submitted as further grounds as to why the process was outside of the core or 'keeping the community safe' function, and that the process of obtaining reports through the ISU was administrative in nature.
The respondent also submitted that none of the exemptions contained within the subsections of s 18 applied to the conduct. (See [16] above).
The applicant also raised concerns that the conduct in addition to a disclosure, also constituted a breach of the retention and security principle set out at s 12 of the PPIP Act (see [20] above).
The section 12 (c ) argument was disputed by the respondent who submitted that when considering this provision the case law directs the Tribunal to consider whether the safeguards are reasonable in the circumstances. Referring to the case of XW v Department of Education and Training [2009] NSWADT 73 that the Tribunal is required to make an 'objective evaluation'. At [67] in XW: 67 Section 12(c) requires security safeguards that are reasonable in the circumstances. That is clearly an objective evaluation, and one that requires consideration of the nature of the information, which would include its sensitivity, and the consequences of loss, unauthorised access, use or disclosure. The s12(c) obligation applies in relation to information the agency has a need to hold, which is the only information an agency should hold (s12(a) PPIP Act). The issue of who in the agency needs to be able to access it, and how access is regulated, is relevant.
In addition the respondent submitted that the case of FH v Commissioner, New South Wales Department of Corrective Services [2003] NSWADT 72 built on the principle articulated in XW. At [41] of FH the Administrative Decisions Tribunal (ADT) observed: 41. …It is not, as I see it, necessary to show that the security policies and practices are perfect or ideal in every respect. Where there are shortcomings, they have to be weighed in the balance alongside those aspects that are satisfactory. The significance of the shortcomings need to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of the persons whose data is secured, and the potential gravity of the consequences of any intrusion if it were to occur.
The respondent submitted that the security safeguards in place were reasonable and continue to be reasonable under the criteria discussed in the decisions of the Tribunal in FH and XW. The respondent also referred to the case of SF v Shoalhaven City Council [2013] NSWADT 94 where the ADT observed that a policy or system that is adequate - but not routinely followed, may constitute a breach of s 12 (c ) of the PPIP Act.
At [119]-[120] of SF the Tribunal observed: 119. For the most part I disagree with that argument. It is common ground that the collected data is only available to Council staff and Police Officers. In my view, the Council has developed sufficient safeguards, as are reasonable in the circumstances, to protect the personal information collected and are therefore sufficient to meet the requirements of section 12(c). The system as designed requires that the duty officer enter a user name and password at the commencement of their shift, to log into the 'live feed' monitor. However, the evidence suggests that this process has not been followed. 120. …. There is no way of knowing whether those who are accessing the monitor have been appropriately trained. Section 12(c) provides that the agency 'must ensure' adequate protection of the collected information. While the system design would achieve this objective, the Council has not monitored compliance with the safeguards that are in place. As a consequence, the Council's CCTV program is open to unauthorised access and misuse and therefore fails to comply with section 12(c) of the PPIP Act. …. .
The respondent submitted that the inadvertent disclosure of the applicant's residential address was not indicative of any systemic problem with how the ISU managed client requests, nor did it establish that the respondent's safeguards were inadequate in accordance with the matters observed at [34] of BZX, BZY, BZZ v Western Sydney Local Health District [2015] NSWCATAD 2010. 34. HPP 5(1)(c) requires an agency to take "such security safeguards as are reasonable in the circumstances" to protect health information. This provision is, in my view, primarily directed at the systems and policies an agency has in place to protect health information. It does not necessarily follow from the loss or disclosure of information by an agency or a staff member, or the failure of a staff member to comply with a policy, that the agency's security safeguards are inadequate: XW v Department of Education and Training [2009] NSWADT 73 at [91]; BE v University of Technology, Sydney [2008] NSWADT 139 at [78]- [79].
The respondent also submitted that their understanding was that the applicant engaged in an administrative review because of his disappointment that an offer of monetary compensation was not made upon Internal Review findings.

Applicant's evidence

The applicant adopted his 98 paragraph signed statement of 4 March 2019 (exhibit 'A-1')
In cross examination the applicant was asked what address for service he nominated in the Supreme Court, and Family Court proceedings as referred to earlier, and a separate Local Court civil claims matter involving his business. The applicant advised that it was the eastern suburbs property address that he registered on those claims.
The applicant was asked when the Winston Hills address became his primary address. The applicant advised that it was just after he left the eastern suburbs address, as he separated and went to live with his Aunt. When asked what he meant by the term 'primary address' the applicant advised that some nights he stayed at friends or 'air B and B's ' but his Aunt's address was the main address from when he left the eastern suburbs property until the breach and subsequent changes to his living arrangements where he then moved to Newcastle.
The respondent question the applicant about some of his evidence attached to his statement such as a credit card bill / statement. It was put to the applicant that he was already living at the Newcastle address at the time of the breach. The applicant said that this was not the case and he moved to Winston Hills and was living there when he varied the order on 22 March 2018 and subsequently when Mr 'O' sought a copy of the police material which disclosed the Winston Hills address.
Further questions were put to the applicant about a range of addresses / locations referred to in the material. There were Bondi Beach and Bondi address nominated in some of the material. The applicant stated that he had lived in the Bondi area during the week and also lived in the Newcastle area on the weekends. This was due to having a job based in Sydney and avoiding the excessive travel.
The applicant was also questioned about what evidence he had concerning any detrimental action arising from the disclosure of the Winston Hills address. The applicant stated that he became aware of cars parked nearby to his Aunt's house in July and August 2018, between the hours of 7:00pm and 10:00pm. He also said that he noticed people (one person) in each car, and he was particularly concerned about a 'white sedan'. This was directly around the time that he became aware (on 27 July 2019) of the breach.

Respondent's further submissions

The respondent submitted at hearing that the facts of the conduct were not in dispute (but that section12 was not conceded). The Tribunal notes that the applicant still pressed that point re: security of the information until near the end of the hearing.
The respondent submitted that under s 55 (2) of the PPIP Act, the applicant bears the onus on establishing any claim to damages. The respondent submitted that there must be a causal link between the conduct and any loss and damage and that on this point the evidence shows that the applicant was always intending to move from Sydney to Newcastle and that the Winston Hills address (of his Aunt's) was only ever going to be a temporary address.
The respondent submitted that it would be difficult for the Tribunal to be reasonably satisfied as to any other conclusion in respect of the Winston Hills address, on the basis of the evidence before it. The respondent submitted that the applicant's evidence in the final paragraphs of his written statement indicate that the location of his job and his address was not sufficiently related to proceedings concerning Mr 'O' and any privacy breach. At [92] of his statement the applicant states: From the day of knowing that Mr 'O' knew my places of residence in Sydney, and from the information contained in this statement of myself, I seek financial compensation for the day to day frustration and distress of dealing with the matter, the stress in relocating from Sydney to Newcastle and the disruption to my life as well as my general safety concerns to both myself and the safety concern to my family members who reside at (address) and Winston Hills.
The respondent submitted that the applicant's own evidence tendered as an exhibit shows that he was only out of work for two days. The evidence also establishes that for some time he was living at addresses in Sydney and the Newcastle area such as the evidence before the Local Court that his weekday address was Bondi and his weekend address was Newcastle.
The respondent also submitted that the evidence establishes that the Air B and B accommodation in December indicated that he could continue to stay overnight in Sydney after having relocated to Newcastle.
The respondent submitted that the applicant has presented no evidence which the Tribunal could accept of any personal injury arising from the disclosure of his then address to Mr 'O'. There was no cogent medical or other evidence before the Tribunal that would warrant an award of damages.
The evidence and submission that he sent his son overseas does not appear to have any direct basis or link to the disclosure of the Winston Hills address. The applicant's son was (as far as the Tribunal is aware) never living at that address with or without his mother. It appears on the evidence before the Tribunal that the son was sent overseas due to the Court proceedings and the incident (characterised as the 'home invasion') in April 2017.
The respondent submitted that this is a case where the Tribunal should decline to award damages.

Applicant's submissions at hearing

After the conclusion of the evidence and the respondent's submissions, the applicant stated that he no longer pressed the s- 12 (security) principle any longer. His case is therefore solely about the disclosure, (s 18).
The applicant referred to two Federal cases determined under the Privacy Act 1988 (Cth), which he submitted were on point with his matter and supportive of his position. DK v Telstra Corporation Limited [2014] AICmr 118, and the cases of 'LB' v Comcare (Privacy) [2017] AICmr 28. In both those case there was a disclosure of personal information - (in DK it was an address), and the agency was required to provide a more expansive response (including damages in DK) than what the respondent had decided in the current matter.

Consideration

LB was a determination of the Federal Privacy Commissioner and mainly dealt with issues surrounding the nature of the apology given for a privacy breach including whether the apology had been given at the earliest possible opportunity.
LB involved a disclosure to the whole world whereby the agency (Comcare) had mistakenly published LB's sensitive health information to the whole world (by posting it on the world wide web), online on their Freedom of Information site. The nature of the information and the extent of the disclosure warranted a significant apology with a statement of regret (remorse) acknowledging the complainant's feelings. The other attributes of the apology as found by the Commissioner concerned giving the apology at the earliest possible time, an acceptance of responsibility for the actions and that it was done willingly.
In the case of DK (DK and Telstra Corporation Limited [2014] AICmr 118) the actual consequences of the privacy breach were far more significant than those of the applicant in the current matter. DK relocated himself and his family interstate as a consequence of the privacy breach. There was evidence before the Commissioner linking that action directly with the privacy breach. DK had moved far away from the address that was disclosed and because of that significant impact on his (and his family's situation) as a member of the judiciary in a context where there was a history of persons seeking to do harm (the Family Court), the Commissioner found that $18,000.00 compensation was warranted in the circumstances.
In DK the Commissioner's reasoning was as follows: "In awarding compensation, I am guided by the impact of the privacy breach on the complainant." … "His concerns for his and his partner's safety arising directly out of the privacy breach have led him to apply to move interstate away from family and friends. His application for transfer demonstrates the severity of the stress that the disclosure has caused the complainant. "I accept that Telstra's failure to take reasonable steps to notify the complainant that his personal information would be published in the White Pages has caused the complainant significant distress and anxiety associated with legitimate fears for his and his partner's physical safety,"
The respondent in the current matter offered a formal written apology (which was stated in the Internal Review correspondence). In addition the respondent determined to address any internal or systemic issues which might have contributed to the breach by reviewing the ISU process generally and have staff undertake revision training on adherence with the PPIP Act, consistent with the Standard Operating Procedures for ISU requests (SOPS). I also note that the apology was offered at the earliest possible time upon completion of the Internal Review which verified the breach.

Findings

In my view the matters outlined at [62] above are an appropriate response to the privacy breach having regard to the totality of the evidence before the Tribunal. There was no evidence detailing any basis for damages, other than the applicant's own evidence. In respect of any claim for economic loss, on my assessment of the evidence the actions taken by the applicant appear linked to matters in train as he reorganised his private and occupational affairs following his forced departure from the eastern suburbs address and the apparent breakdown of his relationship with his partner. There is no evidence that any of these matters arose as a direct result of the third party Mr 'O' obtaining knowledge of the Winston Hills address. The evidence concerning suspicious motor vehicles attending the vicinity of that address is vague and does not establish any link to the applicant or his APVO matter.
Whilst it is understandable that the applicant might lack confidence in police as a result of his experiences, I also note that no report was made concerning a potential breach of the APVO.
The matters that the applicant details in his statement at paragraphs [28] to [72] predate the breach. They concern the property dispute in the eastern suburbs, prior dealings with Mr 'O', the Family Court matters and his partners 'ex', real estate matters, property disputes, the background and basis for the APVO and his business litigation in the Local Court. Whilst they are illustrative of why the applicant felt the need to obtain the protection offered by the APVO, they of themselves add little to the matter other than to outline the troubled background. I observe that no assault charges were brought against any of the parties in the property dispute and note that there were counter allegations against the applicant concerning property damage.
The applicant raised issues concerning his civil dispute with Mr 'O' and the Statement of Claim concerning his business. However those matters are on my assessment of the evidence entirely separate to any matter arising from the disclosure of the applicant's address. The applicant stated at [72] that: 72. I currently fear that Mr 'O' may retaliate after the Statement of Claim: (file number) (Applicant - v 'O') Local Court hearing …. I completed and in particular when cost recovery actions are taken against him, in particular any garnish [sic] or wages examination summons is made. There are still personal and company possessions which Mr 'O' has and these are in the process of being recovered.'
The applicant also refers to a concern that members of his extended family would come to harm as a result of the privacy breach (at [73]) however there is no evidence before the Tribunal that any harm arose. The only direct interactions between the applicant and Mr 'O' following the issuing of the APVO occurred at Court or in public places and none of these matters involved any breach of the APVO. In addition there is no evidence that Mr 'O' ever went to the Winston Hills address.
The applicant states at [77] that : As a result of the disclosure of my residences in Sydney by Police and my increased concern of my safety, on 1st August 2018 I commenced searching for jobs in Newcastle in order to reduce my anxiety attacks and to increase the distance in which Mr 'O' would need to travel to minimise harm [sic] me. However the only evidence of any real altercation between the applicant and Mr 'O' occurred at the eastern suburbs address, being the property where at the time the applicant still occupied, and Mr 'O' was a party to a contract of sale. As previously observed, no other interactions (other than at that property) constituted any deliberate act on behalf of Mr 'O' and clearly no breach of the existing APVO. Further only one address was ever disclosed by Police, not 'residences in Sydney'.
There is no evidence that any interactions occurred other than at the eastern suburbs property, at Bondi when the applicant was with his son, and at the Court. Without delving further into the detail and circumstances of those matters for completeness I note that they did not constitute any matter which required formal police criminal action and they all occurred prior to the conceded breach.
The applicant also states at various times in his statements that 'places of residence' were disclosed to Mr 'O'. On the evidence before the Tribunal the only disclosure concerned the Winston Hills address. It is inaccurate to assert that more than one residence was disclosed.
The psychological claim by the applicant is only articulated by his own evidence. The applicant refers to his knowledge of Post Traumatic Stress Disorder (PTSD) from his time in the armed forces. However other than his own references to experiencing significant anxiety and stress from relocation, finding a job and safety concerns for his family, there is no independent or medical evidence to establish any loss or damage or pain and suffering arising from the matter.
The applicant makes the following statement in his evidence at [95] of his statement. 95. It was only in on or about 15 December 2018 that I had my son arrive back in Australia and who now resides with me. The feelings of sadness of not seeing my son earlier face to face for over a year and the feelings that Australia is a better place for my son to live compared to his living conditions in Japan made me very depressed during 2018 and were aggravated by the fact that since I was not able to have him return to Australia earlier than Dec 2018 due to my residence being compromised by Police.
It is clear that the applicant began living in Newcastle by about early November 2018 (as per [77] of applicant's statement) and it was open to him to find other accommodation (away from the Winston Hills address) at any time. On the applicant's own evidence in his statement, most of his concern arose through the period where he was dealing directly with Mr 'O', particularly while still living at the Eastern Suburbs address. Many of the matters involving the impact of the separation from his son are unrelated to the conduct of Mr 'O' post breach.
In respect of the psychological loss and damage I note that the ADT has specified the presence of medical evidence as a precondition to determining the existence of a compensable condition. Once that is present and establishes the link between the condition and the conduct (breach), damages can be examined. In JD v Medical Board (No 2) [2006] NSWADT 345 at [48] to [49] the ADT observed referencing the case of GR : 48 JD has asserted that he has suffered both financial loss and psychological harm because of the Board's conduct. The expression 'psychological harm' is not defined in the Privacy Act. 49 In GR v Department of Housing (No 2) [2005] NSWADT 301 Judicial Member Robinson recognised the applicant's depression as 'psychological harm'. He stated at paragraph 23: 23 On any view of the medical evidence, I am satisfied that the conduct of the respondent's officer, ... was a direct and relevant cause of the psychological harm (a depressive disorder - DSM IV category) that ensued, and which continues to this day. I am satisfied that the evidence established this causal connection. It is not to the point that the applicant was particularly fragile, vulnerable or even that he was pre-disposed to injury of this kind. The respondent had to take its tenant as it found him in this regard..
In the current matter no medical evidence, of the type envisaged by the Tribunal in GR, was produced.
Further in JD the Tribunal identified that some impairment of an individual's mental states and processes must be established. 53 The authorities suggest that the use of the expression 'psychological harm' in section 55(4) of the Privacy Act is intended to encompass a situation where an individual suffers some impairment of their mental states and processes. In this matter, JD has suffered from depression and anxiety. In my view, depression and anxiety fall within the scope of the expression. 54 It is therefore necessary to determine whether JD has suffered that 'psychological harm' because of the Board's conduct and if so whether an award of damages is warranted. It is also necessary to determine whether JD has suffered financial loss because of the Board's conduct and if so whether an award of damages is warranted for that loss.
In addition the Tribunal has clearly outlined the need for specific evidence to establish maters as a precondition to a payment of damages. A medical report that establishes a causal connection between an agency's conduct and any psychological harm suffered by an applicant meets the precondition in s 55(4)(b) of the PPIP Act as set out in the case of RD v Department of Education and Training [2005] NSW ADT 195 at [29] - [31]) 29 It is clear from the order-making powers given to the Tribunal that the legislature was not only concerned with providing relief that went to remedying the conduct of the Department for the future, but also was concerned to allow for personal redress being given to the applicant: see order (a) (damages); and (e) (requiring the Department to take specified steps to remedy any loss or damage suffered by the applicant). The Tribunal is also given the power to make '(g) such ancillary orders as the Tribunal thinks appropriate'. 30 In this instance the preconditions to an award of damages have been satisfactorily met. 31 The Tribunal is satisfied, in terms of the requirement of para (b) of sub-s (4) of s 55, that 'the applicant has suffered ... psychological ... harm, because of the conduct of the public sector agency'. The report of Dr Dragutinovich suffices in that regard.
On the evidence before me the applicant has not established that he is suffering any psychological or psychiatric harm or diagnosable condition within that realm. Nor is there any evidence to establish any link of any such matter to the conduct of the respondent. There is no evidence of any psychological harm arising as a direct result of the breach.
A similar issue arises for the economic loss component of the claim. The credit card statements whilst providing evidence of expenditure do not provide any evidence that the applicant was paying additional accommodation expenses on top of those set out in the credit card statements. There is no evidence that he was in effect paying two sets of accommodation charges. At it's highest the applicant's own evidence was that he stayed at various temporary accommodation locations purely because of his own belief. He offered no evidence of any threat, positive sighting or other link between Mr 'O's actions / conduct and the need to stay in temporary accommodation.
In respect of the financial claim relating to the applicant forgoing employment and quitting his job, I observe that the applicant continued in his existing job (at the time of awareness of the breach) for a further 81 days. I also note that the applicant claims for the period 15 October 2018 to 6 November 2018 (a period of approximately three weeks). However the applicant received an offer of employment on 18 October 2018 for the job he ultimately took up on 6 November 2018. The fact that he quit his employment three days before the formal offer was provided (on the new job), is in my view not capable of being compensated. When looking at the very small amount of time and the circumstances of exiting one position and receiving an offer for another I do not believe that any loss has been established. I note in particular the new position offered significantly higher remuneration.
In addition, I note that the payslip provided at annexure 'K' of 'A-1' indicates that he was paid up until 31 October 2018. The totality of the evidence about jobs indicates that the motivating factor was to secure a better job and possibly one in a different location. In any event it does not establish (on the available evidence) any loss which could be compensated under the PPIP Act.

Further consideration

On assessment of the evidence in these proceedings, a number of matters are clear. The applicant was concerned that his address had been disclosed to Mr 'O' while he was under the protection of an APVO. While it was understandable that this would be a matter of concern, there has been no evidence that any direct matter arose from the breach. In respect of what impact the breach itself may have had on the applicant, the Tribunal has not been provided with evidence which is sufficient to consider damage, and any causal link to the breach.
The cases that the applicant relied upon were from the Commonwealth jurisdiction, but irrespective of that distinction, they concerned matters relating to disclosure to the whole world. In one matter a telephone-listing directory was published which incorrectly disclosed an address. In the other matter sensitive person information was published to the whole world via the Internet. Neither of these examples (in such a context) are on point with Mr 'O' receiving the then residential address of the applicant .
These observations are not to in any way discount that the breach was of some import, but rather to place the breach in the context of the cases relied upon by the applicant.
It is clear that the breach had an impact on the applicant, and in that regard the respondent has taken direct action by way of apology and a systemic examination / review. I believe that this action is appropriate in all of the circumstances.
It is clear that there were unrelated matters occurring in the applicant's life at the time of these events which also impacted on his actions in response to the events. The breakdown of his relationship with the mother of his child sometime shortly before the breach, the background dealings with Mr 'O' prior to the breach, and the ongoing unrelated series of litigation (in addition to the APVO matter), all understandably have impacted on the applicant during this period. The evidence establishes that certain aspects of his life have been adversely impacted by these factors (including the breach).
However the privacy breach is not (on the evidence before me) the basis of the protracted period away from his son, the taking up of different employment positions, and the basis of the significant decision the applicant took in respect of deciding where to live and work. No evidence was provided, (other than the applicant's own evidence) that any of these matters were related to the breach.
Upon consideration of the evidence it appears that the applicant decided himself what steps he needed to take, without establishing that such steps were vital to preserving his safety and well being, especially whilst still under the protection of the APVO.
Consistent with the findings and observations about the economic loss, claim for damages and financial compensation, to the extent necessary I also reject the claim for the expenses arising from the out of pocket cost of these proceedings in the Tribunal. This is not a costs component but an out of pocket / expenses component.
Costs are not a matter that arises for the applicant as he has been self-represented throughout the proceedings but in any event s 60 of the NCAT Act covers such matters. I note for the applicant's benefit that this Division of NCAT is (subject to a s 60 application) a non- costs jurisdiction.

Conclusion

Having regard to the evidence and material before me, I find that there has been a breach of s 18 of the PPIP Act by the respondent.
In respect of that breach I find that the action taken by the respondent is appropriate in all of the circumstances.
To the extent that it is necessary I find that the applicant's claim for financial loss and damages, for the reasons outlined above) is not made out.
In respect of orders that flow from these findings I make the following order under s 55 (2) of the PPIP Act.:

Orders 1. Pursuant to s 55 (2) of the PPIP Act, on reviewing the conduct of the respondent public sector agency, the Tribunal decides not to take any action on the matter. 2. The decision of the respondent is affirmed.

I hereby certify that this is a true and accurate record of the reasons for decision of the New South Wales Civil and Administrative Tribunal. Registrar I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales. Registrar

Amendments 27 September 2019 - Paragraph [54] 'ion' corrected to 'on' Paragraph [57] 'case' corrected to 'cases' Paragraph [58] 'o' corrected to 'of' Paragraph [60] 'that' corrected to 'than' Paragraph [62] 'as' corrected to 'was' Paragraph [82] 'action' corrected to 'evidence'. DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated. Decision last updated: 27 September 2019

[2015] NSWCATAD 2010

At a glance

Court

Decision date

Source

Judgment (16 paragraphs)

Parties

Legislation Cited (1)

Cases Cited (2)