DSG v Department of Education

DSG v Department of Education - [2019] NSWCATAD 182 - NSWCATAD 2019 case summary — Zoe

[7]

The 8 May 2017 submissions of CWS and CWT

In the document entitled "Materials Supplied by The Applicants" dated 8 May 2017 (the 8 May 2017 submissions of CWS and CWT) CWS and CWT relevantly made the following claim for financial compensation: 11 General Remedies Observations 11.1 The applicant needed to bear the cost of supply of two BYOD computer notebooks for their children, to eliminate the risk of privacy leaks so that their children could continue to use IT technology on an educationally equitable basis at the school. … 11.1.1 The applicant also needed to bear the cost of maintenance of these devices because the respondent's local IT department was unable to provide support, not even for WiFi connection issues because they apparently did not understand, or approve of, the supplied devices. 11.2 The applicant eventually needed to withdraw their children from [the Subject School] and send them to be educated in [name of place] to prevent the risk of continued privacy leaks, social and educational harm to their children by the respondent, given there was little prospect of any reasonable or timely resolution. … 11.5 The formerly available school bus service stopped at the applicants front door. The alternate bus service to … schools is five kilometres away. The applicants now incur costs, loss of amenity, and loss of income because one parent must be at home twice each day to transport their children to/from the … bus stop, a daily distance of 20Km. Additionally this places the children at risk should the parent be unable to arrive on time for some reason and it effectively prevents one parent the ability to participate in the work force. The applicant will continue to suffer these losses until the applicant's children leave school in 2023 and 2024. 11.6 The applicants incur additional costs, loss of amenity, and convenience due to the children's school now being in [name of place]. Travel distance to attend school functions, interviews and so on, formerly 34Km return, is now 70Km return. School fees are much higher, being $320 at the public school attended by the younger child, whereas in [name of jurisdiction] fees are considered voluntary and were only about $70 at [the Subject School]. The applicant will continue to suffer these losses until the applicant's children leave school in 2023 and 2024. 11.7 Combined Damage to the applicants and their children by 2024 far exceeds the maximum $40000 claimable within NCAT. The applicants will need to accept the maximum amount of $40000. SCHEDULE OF LOSSES/DAMAGE For Award of Special Damages Computer Supply Costs and Maintenance (once off loss) $500 Loss of Door to Door Bus Service (over a period of 8 years) $59040 Loss of Income (1 hour a day at $36, 5 days a week for 41 weeks a year) Loss of Access to Local School (over a period of 8 years) $4000 Additional Fees (2 x ($320 - $70) x 8) For Award of Aggravated Damages Applicants' Children (2) $10000 Educational and Social Inequity and Distress and Anxiety Applicants (2) $4000 Distress and Anxiety Loss of Door to Door Bus Service (over a period of 8 years) $800000 Loss of Amenity (Loss of child safety, loss of parent work opportunity) Loss of Access to Local School ( over a period of 8 years) $2000 Loss of Amenity (inconvenience and additional costs) TOTAL $879540

[9]

The 16 November 2017 Deed of Release

On 16 November 2017, the respondent and CWS and CWT entered into a Deed of Release (the 16 November 2017 Deed of Release) in which: 1. the respondent is referred to as "the Department"; 2. CWS and CWT on their own behalf and on behalf of their children, DVD and DVE, are referred to as "the Applicants"; 3. the respondent, CWS and CWT are together referred to as "the Parties"; 4. the 2016 proceedings are together referred to as "the Proceedings"; 5. the Subject School is referred to as "the School"; and which relevantly provides: RECITALS … C. The conduct that is the subject of the Proceedings ("the Conduct") is: (a) In early 2015, staff at the … the School registered DVD and DVE to use the educational program called Mathletics. (b) In February 2016, a teacher at the School directed DVD to enter her name into the educational program called Edmodo. (c) In February 2016, the Principal of the School sent a letter to parents and carers of students enrolled at the School. The letter explained that the School would be participating in the "Tell Them From Me" survey in term 1 of 2016 and attached a "non-consent form". The letter directed parents and carers to return the form if they did not consent to their child participating in the survey. D. On 6 October 2017, the Parties agreed to settle the Proceedings on the terms set out in the operative provisions of this Deed. AGREEMENT … 2 OPERATIVE PROVISIONS 2.1 The Proceedings are settled on the following terms: (a) The Department agrees to pay the Applicants the sum of $10,000 within 14 days from the date that the Department receives this Deed signed, sealed and delivered by the Applicants. … 3. RELEASE AND INDEMNITY 3.1 The Applicants acknowledge that the actions of the Department identified in the operative provisions of this Deed are in full and final settlement of all claims and entitlements that the Applicants or their children have or may have against the Department, its past or present employees, servants or agents, arising out of or in connection with the Conduct. 3.2 The Parties agree that, in consideration of the actions identified in the operative provisions of this Deed, the Applicants and their children release the Department, its past and present officers, employees, servants and agents, from any and all claims, actions, suits, demand, causes of action, claims for costs, losses, damages or expenses whatsoever now or at any time in the future arising out of or in connection with the Conduct.

[11]

The 2018 internal review decision

On 16 March 2018, Ms Bessie Fainuu, (Ms Fainuu) R/Senior Legal Officer of the respondent, completed a report in relation to the internal review application (the 2018 internal review report) which relevantly states: 4.1 What conduct if the subject of the application and does it involve an individual's personal information? 4.1.1 The applicants state the conduct relates to the school entering the children's personal information on ClassDojo, StudyLadder and other internet applications without their permission. 4.1.2 The School confirmed that although there was information sent out to parents indicating StudyLadder was an application that would be used in the classroom, StudyLadder was never used in the classroom. There was also no the third party applications use in the classroom - outside of those dealt with in an earlier internal review application. 4.1.3 The classroom teacher, [DVE"s teacher], entered the name, DVE, into the ClassDojo application under a class list in her ClassDojo account. 4.1.4 I am satisfied the information entered onto ClassDojo is information from which the student's identity is apparent or can reasonably be ascertained and is their personal information. 4.1.5 Although the application for internal review is made on behalf of the applicants and both children, there is no evidence the conduct involves the personal information of the child, DVD, or the applicants, DSG and DSH. 4.2 Was the information collected and if so, was it collected in contravention of the collection IPPs? 4.2.1 The meaning of collection for the purposes of sections 8-11 of the PPIP Act (IPPs 1-4) is taken to be the planned process of collection relating to what the agency sees as the exercise of its official functions and not the internal movements of personal information within agencies (ZR v NSW Department of Education and Training (GD) [2009) NSWADTAP 69 (25 November 2009) [64]). 4.2.2 The Tribunal has held that where personal information was not collected but is held by a public sector agency, "collected" in sections 17 and 18 takes on the meaning of obtained. 4.2.3 The Department's conduct, the subject of the internal review, did not involve collection of the students' personal information. … … 4.4 Retention and security: Was the personal information held for longer than is necessary, disposed of securely, protected against loss, unauthorised use and misuse? … 4.4.4 The facts indicate [DVE's] personal information was entered onto the ClassDojo system without the applicant's consent. 4.4.5 [DVE's] personal information was also removed at the applicant's request and there is no evidence to suggest the information once collected by ClassDojo was handled contrary to the companies' privacy policy. 4.4.3 However, I am satisfied the School did not take reasonable security safeguards, in the circumstances, to protect the student's personal information against unauthorised disclosure when the classroom teacher entered [DVE's] name into the system, thus resulting in a breach of s12(c) of the PPIP Act. 4.5 Did the Department disclose the students' personal information contrary to IPPs11 and/or 12? … 4.5.3 The ClassDojo privacy policy confirms ClassDojo is hosted and operated in the United States and information collected is stored at a third-party facility with whom ClassDojo have a contract to provide enhanced security measures. 4.5.4 When the classroom teacher entered [DVE's] personal information into her ClassDojo account she disclosed the child's personal information to a third party outside of NSW. 4.5.5 The children's personal information could be said to have been disclosed for purposes directly related to the purpose for which it was obtained (…), however, the permission slip provided by the applicant's to the School in relation to the use of third-party applications clearly stipulated the child's personal information was not to be entered onto any of the nominated systems. 4.5.6 It is likely the classroom teacher was not aware of ClassDojo's privacy policy or that by entering the child's personal information on her own account, the information would be collected and held on an offshore facility operated by another third party, contracted to provide data storage to Class Twist, Incorporated, operating as ClassDojo. 4.5.7 It is also evident the classroom teacher mistakenly believes the parent provided consent to the child using the programs on the permission slip. However, the permission slip very clearly states consent is provided only on the condition there was a strict nil entry of any personal information of the child on any system identified in the form. 4.5.8 I am satisfied the conduct amounts to a breach of ss 18 & 19 of the PPIP Act.
Ms Hargans in her letter dated 24 December 2018 to DSG (the 2018 internal review decision) relevantly: 1. advised that concerns raised by DSG have been investigated by Ms Fainuu, and that a draft of Ms Fainuu's report was provided to the Privacy Commissioner for comment; 2. attached both a copy of the comments made by the Privacy Commissioner and the 2018 internal review report; 3. notified her findings; 4. made a formal apology to DSG; 5. notified the action she proposed would be taken by the respondent.
As to her findings, Ms Hargans stated: I accept the findings in Ms Fainuu's report and have determined that there was a breach of IPP 5, 11 and 12 when your child's name (DVE) was entered into the ClassDojo program. I note that you specifically indicated that your child could access ClassDojo so long as no personal information was entered into the system.
Ms Hargans made the following formal apology to DSG: On behalf of the Department of Education I wish to offer you my sincere apology that your child's name, DVE, was entered into the ClassDojo program against your clear and identified wishes. This should not have occurred. I acknowledge the concerns you hold to ensure that your children's personal information is protected and used only for lawful purposes.
As the action she proposed would be taken by the respondent, Ms Hargans stated: I have asked the Legal Services Directorate to undertake a review and refresh of all Legal Services Directorate privacy bulletins by internal and external lawyers. That review will be complete in Term 1 2019 and schools will be informed when the new privacy bulletins are available online. I have also asked the Legal Services Directorate to implement an online training package on personal information and the PPIP Act, to also be available to all school staff in Term 1 2019. In relation to the School, I will ask the principal to review permission forms in relation to third party applications and to ensure all staff are aware of the department's obligations under privacy legislation, and in particular that staff are aware of the online resources to be available in Term 1 2019.

[12]

Procedural history

On 31 January 2019, the applicants commenced proceedings 2019/00033237 in the Tribunal against the respondent by lodging the application in which they set out the following three grounds: 1. To Establish Extent of Liability - The Privacy Internal Review Report returned by NSW Education is dated 16/03/2018 by Bessie Fainuu; however the notification of review with findings, action and review rights, by Sarah Hargans, is dated 24/12/2018, 9 full months and 8 days later, in breach of s.53(8) which prescribes a maximum period of 14 days. The applicants have been severely disadvantaged because of this extremely excessive delay. NSW Education accepts a breach of IPP 5, 11 & 12, in the case of DVD but does not acknowledge any breaches in respect of DVE. The applicants assert that breaches of these principles apply to DVE as well, and that several other principles have been breached in relation to both DVD and DVE. 2. To Define & Enforce Corrective Action - The cursory corrective action proposed by NSW Education to remedy their identified breaches of the IPP act is totally inadequate. It is not consistent with the applicant's requests, nor does it acknowledge the full extent of breaches. It is incapable of serving the needs of the applicants and of preventing continuing breaches of the act by NSW Education. The applicants have made very reasonable requests for remedy which they would like to see enforced. 3. To Claim Financial Compensation - The applicants were forced to remove their children from the school to attend school interstate, to mitigate privacy breach risks which to date have still not been addressed by adequate corrective action. The applicants wish to claim financial compensation for damages resulting from the unreasonable delay and for the lack of reasonable corrective action; for harm as a consequence of the acknowledged breaches, breaches to be ascertained, and, ongoing harm resulting from educational deficiencies, lack of equity, and psychological damage to their children, being consequences directly relating to the privacy breaches that occurred combined with lack of policies and corrective action; and for applicant's costs in undertaking research, dealing with an unwilling education department, in providing and maintaining resources necessary to help limit their children's privacy risks, and in loss of service resulting in massive costs of disruption and relocation of their children to an interstate school.

[13]

The hearing

The hearing was held on 12 July 2019.
The applicants tendered the documents attached to "Materials Supplied by The Applicants" dated 3 May 2019 (the 3 May 2019 applicants' submissions) and "Addendum - Materials Supplied by The Applicants" dated 3 May 2019 which include the following unsigned statements prepared for the 2016 proceedings: 1. the statement of DSG dated 7 August 2017; 2. the statement of DSH dated 7 August 2017; 3. the statement of DVE dated 7 August 2017; 4. the statement of DVD dated 7 August 2017.
The respondent tendered the following evidence: 1. the statement dated 27 May 2019 of Philip Sherwin (Mr Sherwin), who is the Group Director for Information Technology, Strategy and Architecture in the Information Technology Directorate (ITD) of the respondent; 2. the statement dated 24 May 2019 of Troy Mott (Mr Mott), who is the Director, Educational Leadership for the Narrandera Network of the respondent, and who from 17 January 2016 to 29 April 2018 held the same position, then called Director of Public Schools, for another region; 3. the 16 November 2017 Deed of Release; 4. a bundle of documents comprising the 2018 internal review report and the 2018 internal review decision; 5. a bundle of documents relating to the 2016 proceedings comprising the 2016 internal review application and the 2016 internal review decision; 6. the 8 May 2017 submissions of CWS and CWT.
DSG, DSH, Mr Sherwin and Mr Mott gave oral evidence.
The applicants rely on the following written submissions: 1. the 3 May 2019 applicants' submissions; 2. "Materials supplied by the Applicants in Reply Amended and Completed" dated 24 June 2019 (the 24 June 2019 applicants' submissions in reply); 3. "Submission by The Applicants, re Scope" dated 23 July 2019 (the 23 July 2019 applicants' scope submissions).
DSG also made oral submissions.
The respondent relies on its written submissions received by the Tribunal on 27 May 2019 (the 27 May 2019 respondent's submissions).
The respondent also made oral submissions.

[18]

The Statement of DVD dated 7 August 2017

In her Statement dated 7 August 2017, DVD has relevantly made the following statements: What happened with my Personal Information at [the Subject School] … 13. About the middle of the year we used Study Ladder most days after we finished our maths sheets. At first my teacher had my real name in there, but I told him that wasn't allowed and he changed it to a made up name. 14. Later, when I wasn't able to go to the school camp in term 3, I had to go to the same class as my brother because nearly all my class went including my teacher. 15. My brother's teacher entered my name into ClassDojo without asking me. 16. When ClassDojo was up on the class digital interactive screen it listed my name DVD and my behaviour ticks. I had 10 out of ten. That was in year 5. 17. When I got home I told my parents, and that DVE's name was on there too. My dad got so angry that I thought that I was going to really get into big trouble. I was really worried that it was my fault because I knew the teacher shouldn't have done that. How I feel about what happened 18. All my friends asked me why I couldn't use the Internet. I tried to explain why I couldn't but they all didn't understand. 1 could feel that everyone thought I was lying. 19. I was often teased by a student about being special when I had to use a made up name. I felt a bit upset because it kept on happening and I was afraid that if I told the teacher he would do it more. 20. When I had to leave [the Subject School] I felt sad about leaving my friends and I was afraid I would have trouble making new friends. I was really anxious about that. 21. I used to get a lot of tummy pain when all this stuff was happening. Often I couldn't eat. It was so bad that sometimes I couldn't go to school. Mum and Dad were really worried and got me an appointment at the … Hospital, I think that was in the middle of year 5, because they couldn't work out what was wrong with me at the doctor here. They couldn't find much there either and I had to go back for more tests but in the end when I left and went to [the Current School] it started to happen less often and now it hardly ever happens so Mum cancelled the next visit. 22. I feel really good and happy now, but I didn't then.

[30]

The complaints of the applicants

The applicants in the 3 May 2019 applicants' submissions make the following 6 complaints about the conduct of the respondent: 1. the entry of DVE's name into ClassDojo by DVE's teacher from about the beginning of school year 2016; 2. the entry of DVD's name into ClassDojo by DVE's teacher for the duration of the August 2016 year 5 camp; 3. the entry of DVD's name into StudyLadder by DVD's teacher at some time during the middle of 2016; which each constituted a breach of ss 12(c) and (d), 18 and 19 of the PPIP Act and which in relation to entry of DVD's name into ClassDojo and StudyLadder relies on the Statements of DSH and DVD each dated 7 August 2017; 1. the use of a permission form for third party software which, because of the failure to provide any other option but to hand over the child's personal information to an unknown foreign entity in order to receive the service, breaches ss 8(1)(b) and (2), 10(a), (d) and (f), 19(2)(a), (b) and (e) of the PPIP Act; 2. the failure of The Secretary, NSW Education, to administer the respondent in a manner compliant with s 12(a), (b), (c) and (d) of the PPIP Act; 3. the failure of The Secretary, NSW Education in relation to the PPIP Act, failed to administer the respondent in a manner which prevented maladministration, leading to maladministration, particularly by but not limited to its Legal Services Directorate and IT Department.
The complaint about the failure of The Secretary, NSW Education, to administer the respondent in a manner compliant with s 12(a), (b), (c) and (d) of the PPIP Act is summarised in the following terms: 2. The Secretary, NSW Education, failed to administer NSW Education in a manner compliant with ss. 12(a), 12(b), 12(c) and s.12(d) of the PPIP Act 1998, because systemic policies, procedures, and training were, and are, ineffective and/or inappropriate; leading directly to the unauthorised personal information disclosures of both DVD and DVE to third parties, and by unnecessarily placing at risk the personal information of up to 750,000 other students by permitting unregulated ad hoc disclosures to third party software companies and by negligently leaving the department's WiFi Network at high risk of unauthorised access for a period of many years.

[31]

The remedies sought by the applicants

The applicants in the 3 May 2019 applicants' submissions seek the following 3 remedies: 1. official apologies to each of the applicants from the Subject School Principal and the Secretary NSW Education; 2. orders for the respondent to fully comply with the PPIP Act; 3. financial damages.
As to apologies, the applicants claim that the Subject School Principal, and the Secretary NSW Education, should make official apologies because they are the persons responsible for the respondent's failings.
As to orders for the respondent to fully comply with the PPIP Act, the applicants seek the following orders: 12.1 Therefore, the Applicants seek Orders requiring the Respondent to develop procedures and training, at a level of industry best practice applicable to its large scale and very significant responsibilities in duty of care to minors, that will ensure that at all times that the Respondent, its staff, and all its procedures, processes, and activities fully comply with the PPIP Act 1998. … The Applicants are therefore seeking orders for the Respondent to fully comply with the PPIP Act 1998 in relation to the Respondent's use of all third party software applications in at least the following ways. … 13.1 Compliance would be best and most reliably achieved by the mandatory use of pseudonyms in all cases, and by forbidding students to enter any of their personal information of any kind, especially not their name and date of birth. The method has a secondary benefit of educating students in keeping themselves safe on the Internet. … 13.2 There are uses of third party applications that may have educational benefits but where it is impossible to ensure that students will not enter personally identifying information because the nature of the application's use engenders open discussion. In such cases, the Respondent must be required to enter into an enforceable contract with the vendor of the application, which requires the vendor to comply with the PPIP Act 1998; any such contract must be enforceable in NSW, and any personal information stored in NSW to ensure no out of jurisdiction legal barriers to students or the Respondent should a need arise to legally seek compliance and enforcement. With this type of application, the Respondent must also obtain parental permission using a permission format that fully complies with the PPIP Act 1998, … Where a parent does not give permission, alternative equivalent educational activities must be delivered to the affected student in an equitable way such that it does not disadvantage the student socially, economically or educationally. 13.3 … The Applicant seeks Orders that prohibit the Respondent from entering student personal information into any third party software application which is not educational or the benefits of which it cannot demonstrate are significantly educational at a level similar to or above that which would otherwise be typically provided if such third party software applications did not exist. 13.4 Where the Respondent wishes to use third party file storage or other similar services, all information must be fully encrypted using current industry standard secure protocols, and the private key portion of the encryption key must be securely held by the Respondent alone and not be accessible or available to any third party. … 14.1 The Applicants seek Orders requiring the Respondent to immediately audit and secure affected networks to an industry standard in keeping with the scale and size of the Respondent's operations, and its widespread geographical coverage. 14.1.1 In particular, the Order should prioritise security over convenience, should their be any mutual exclusivity, because of the highly sensitive nature of personal information including network login access which could be accessed by an attacker. 14.1.2 The Order should also require the Respondent to reflect upon how it was ever able to implement such a lax and unprofessional Wifi configuration, and to implement such professional standards, procedures and ongoing evalm1tions to keep pace with current and emerging practice and security threats, so that the Respondent is never again in such an exposed position. … 15.1 The Applicants seek Orders requiring the Respondent to develop all their policies and procedures in relation to the the PPIP Act 1998 at a sufficiently centralised level to ensure consistent application across schools. … 16.1 The Applicants seek Orders that require the Respondent to fully communicate in good faith with complainants upon lodgement of Privacy Internal Reviews and again before completion, and to fully consider information and evidence tendered by the complainant during any such communications; all in good faith. 16.2 The Applicants seek Orders that require the Respondent's Legal Services Directorate to put complainants in communication with independent senior officers of the department in any case where the Legal Services Directorate acknowledges or suspect that the department has not complied with the law, upon request of the complainant, and that such senior independent officer always be notified of any unlawful conduct. 16.3 The Applicants have been the subject of so much unnecessary harm by the Respondent, that they request that the Tribunal exercise its power to notify the Minister, under s. 55(5) of the PPIP Act 1998.
As to financial damages, each the applicants claim damages of $40,000 on the basis of a schedule which claims specific amounts for the following items: 1. as for "financial losses", each of DSG and DSH claim amounts for "BYOD computers and support", "Trips to Children's Hospital, Melbourne", "Extra Costs of Victorian schooling", "Extra Costs of School Bus Access" and "Financial Losses, Unable to Farm or Work - Bus Bound"; 2. as for "psychological harm": 1. each of DSG and DSH claim amounts for "Depression, Vexation, Anger - Loss of Lifestyle and Amenity" and "Humiliation, Social Isolation, Anxiety, Anger Damage to Local Friendships"; 2. DSG claims an amount for "Depression, Anger, Worry, Feelings of Self Harm due to Being Stuck at Home, Unable to Farm or Work, or Visit Family or Old Friends - Bus Bound"; 3. DVD claims an amount for "Social Taunt, Trust Conflict, Extreme Stress and Anxiety Causing Physical Pain and Weight Loss, Loss of Friendships"; 4. DVE claims an amount for "Social Taunt, Trust Conflict, Extreme Stress and Anxiety Causing Sleeplessness, Loss of Friendships, Relocation Anxiety"; 1. as for "aggravated damages" for "psychological harm", each of DSG, DSH, DVD and DVE claim amounts for "All of the Above …, Magnified, by Extreme Tardiness, Spitefulness and Maladministration of the Respondent".
The applicants in the 24 June 2019 applicants' submissions in reply claim damages of $40,000 each on the basis of the following amended schedule of financial losses: Amended Schedule of Financial Losses …
Schedule of Financial Losses - Schooling DSH DVD DVE DSG Schooling costs shared between DSH and DSG 1.1 BYOD computers and support Purchase Used Notebooks & Setup $250 $250 No receipts available, but there is ample evidence that the applicants provided the items and setup. The amount claimed is a fair estimate. 1.2 Trip to Children's Hospital, Melbourne Second trip was mistaken, booked but cancelled $242 $242 Meal/Accommodation dropped, no receipts Reduced to one trip, 734Km return (by google maps) @ 0.66c Km standard tax rate. 1.3 Extra Costs of Victorian schooling Netbook, … DVD $150 $150 Netbook not optional … Primary School Fees 2016 (DVD, DVE) $324 $324 … Primary School Fees 2017 (DVD) $340 $340 Netbook, … DVD $75 $75 Netbook not optional … Primary School Fees 2018 (DVE) $170 $170 … Notebook PC, …, 2018, DVD $225 $225 Notebook not optional Notebook PC, …, 2018, DVE $225 $225 Notebook not optional Notebook PC, …, 2018, DVD $225 $225 Notebook not optional … School Fees 2018 DVD $282 $282 … School Fees 2019 DVD, DVE $875 $875 School Costs Projected to Year 12 4 more years, DVD @ $875 $1750 $1750 5 more years, DVE @ $875 $2187 $2187 TOTAL School Financial Losses $7255 $7255 Other Financial Losses
Schedule of Financial Losses - School Bus Access Calculation based on DVE completing year 12, which is 8.25 years bus travel after loss of front door school bus. 2.1 Costs of School Bus Access - Vehicle Costs 100Km x 41 weeks school x 8.25 years @ 0.66c Km $11,162 $11,162 Increased, mistaken, claim is 8.25 years, not 7 2.2 Time Losses, Unable to Farm or Work - Bus Bound 7.5 Hours Labour for 41 weeks for 8.25 years@ $25 Hr $63,421 Increased, mistaken, claim is 8.25 years, not 7 or 7.5 Hours Labour for 41 weeks for 8.25 years @ $25 Hr $74,522 Plus loss of nearly 2 Years Farm Household Allowance Lifestyle and Harm Compensation
Compensation, Loss of Amenity, Simple Enjoyable Lifestyle 3.1 Loss of Amenity, Simple Enjoyable Lifestyle $40,000 $10,000 $10,000 $40,000 Children included because they have lost hours of access to their parents, now little quality time
Schedule of Compensation, Psychological Harm 4.1 Depression, Vexation, Anger - Loss of Lifestyle and Amenity, DSH - DSG $20,000 $20,000 4.2 Depression, Anger, Worry, Feelings of Self Harm due to Being Stuck at Home, Unable to Farm or Work, or Visit Family or Old Friends - Bus Bound, DSG $100,000 4.3 Humiliation, Social Isolation, Anxiety, Anger Damage to Local Friendships, DSH - DSG $10,000 $10,000 4.4 Social Taunt, Trust Conflict, Extreme Stress and Anxiety Causing Physical Pain and Weight Loss $10,000 Loss of Friendships, DVD 4.5 Social Taunt, Trust Conflict, Extreme Stress and Anxiety Causing Sleeplessness, Loss of Friendships, Relocation Anxiety, DVE $10,000
Schedule of Compensation, Psychological Harm - Aggravated Damages 5.1 All of the Above at 3, Magnified, by Extreme Tardiness, Spitefulness and Maladministration of the Respondent, All Applicants $20,000 $20,000 $20,000 $20,000 5.2 Anguish, fear, anger, respondent false evidence $5,000 $10,000

[35]

PPIP Act

The PPIP Act, which regulates the manner in which public sector agencies collect, use, store and disclose personal information, contains 12 information protection principles set out in Part 2 Division 1 (ss 8-19).
"Personal information" is defined in s 4(1) as: … information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
Section 8, which deals with "Collection of personal information for lawful purposes", provides: 8 Collection of personal information for lawful purposes (1) A public sector agency must not collect personal information unless: (a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and (b) the collection of the information is reasonably necessary for that purpose. (2) A public sector agency must not collect personal information by any unlawful means.
Section 10, which deals with "Requirements when collecting personal information", provides: 10 Requirements when collecting personal information If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following: (a) the fact that the information is being collected, (b) the purposes for which the information is being collected, (c) the intended recipients of the information, (d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided, (e) the existence of any right of access to, and correction of, the information, (f) the name and address of the agency that is collecting the information and the agency that is to hold the information.
Section 12, which deals with "Retention and security of personal information", relevantly provides: 12 Retention and security of personal information A public sector agency that holds personal information must ensure: (a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and (b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and … (d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
Section 18, which deals with "Limits on disclosure of personal information", relevantly provides: 18 Limits on disclosure of personal information (1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless: (a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or (b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or (c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
Section 19, which deals with "Special restrictions on disclosure of personal information", relevantly provides: 19 Special restrictions on disclosure of personal information … (2) A public sector agency that holds personal information about an individual must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless: (a) the public sector agency reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the information protection principles, or (b) the individual expressly consents to the disclosure, or
Part 5 (ss 52-55) deals with "Review of certain conduct". Section 52, which deals with the application of Part 5, relevantly provides: 52 Application of Part (1) This Part applies to the following conduct: (a) the contravention by a public sector agency of an information protection principle that applies to the agency, … (2) A reference in this Part to conduct includes a reference to alleged conduct.
Section 53, which deals with "Internal review by public sector agencies", relevantly provides: 53 Internal review by public sector agencies (1) A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct. (2) The review is to be undertaken by the public sector agency concerned. (3) An application for such a review must: (a) be in writing, and (b) be addressed to the public sector agency concerned, and (c) specify an address in Australia to which a notice under subsection (8) may be sent, and (d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and (e) comply with such other requirements as may be prescribed by the regulations. … (5) In reviewing the conduct the subject of the application, the individual dealing with the application must consider any relevant material submitted by: (a) the applicant, and (b) the Privacy Commissioner. (6) The review must be completed as soon as is reasonably practicable in the circumstances. However, if the review is not completed within 60 days from the day on which the application was received, the applicant is entitled to make an application under section 55 to the Tribunal for an administrative review of the conduct concerned. (7) Following the completion of the review, the public sector agency whose conduct was the subject of the application may do any one or more of the following: (a) take no further action on the matter, (b) make a formal apology to the applicant, (c) take such remedial action as it thinks appropriate (eg the payment of monetary compensation to the applicant), (d) provide undertakings that the conduct will not occur again, (e) implement administrative measures to ensure that the conduct will not occur again.
Section 55, which deals with "Administrative review of conduct by Tribunal", relevantly provides: 55 Administrative review of conduct by Tribunal (1) If a person who has made an application for internal review under section 53 is not satisfied with: (a) the findings of the review, or (b) the action taken by the public sector agency in relation to the application, the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53. … (2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders: (a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct, (b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice, (c) an order requiring the performance of an information protection principle or a privacy code of practice, (d) an order requiring personal information that has been disclosed to be corrected by the public sector agency, (e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant, (f) an order requiring the public sector agency not to disclose personal information contained in a public register, (g) such ancillary orders as the Tribunal thinks appropriate. (3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997. (4) The Tribunal may make an order under subsection (2) (a) only if: (a) the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and (b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency. (5) If, in the course of an administrative review, the Tribunal is of the opinion that the chief executive officer or an employee of the public sector agency concerned has failed to exercise in good faith a function conferred or imposed on the officer or employee by or under this Act (including by or under a privacy code of practice), the Tribunal may take such measures as it considers appropriate to bring the matter to the attention of the responsible Minister (if any) for the public sector agency.

[43]

The submissions of the applicants

The applicants in the 24 June 2019 applicants' submissions in reply make the following submissions in response to the 27 May 2019 respondent's submissions: 1. that the second sentence of the "specific conduct" the subject of the 2018 internal review application is not a request to review conduct, the Tribunal can review this conduct; 2. that their Facebook complaint is "misconceived", the conduct consists of the respondent unlawfully and materially harming children as a direct result of the respondent collecting personal student information containing refusal of permission to disclose the children's personal information to a third party, being Facebook; 3. that the only Wi-Fi connection relevant to the administrative review proceeding is the connection at the Subject School and they have provided no evidence to support the assertion that the Subject School's security certificate had expired in 2016, they have given a very detailed account of the Wi-Fi issue with supporting evidence containing examples of misconfiguration instructions provided by the respondent and that it is not primarily a certificate expiration issue; 4. that s 55(2) does not authorise orders relating to the encryption of information by third party file storage providers, to ensure security, encryption must be performed by the respondent before the data ever leaves NSW or reaches the third party.
The applicants in the 23 July 2019 applicants' scope submissions make the following submissions as to the scope of the conduct the subject of an administrative review under s 55 of the PPIP Act: 1. there was probably an error of law in KO & KP v Commissioner of Police (GD) [2005] NSWADTAP 56 at [14], and it should not be relied upon, because it fails to take into account the definition of conduct, or the limitations of the review application form, which does not advise the applicant to ensure that every possible instance of conduct is precisely defined, nor does it warn that legal advice should be obtained to ensure that an applicant does not lose a case due for technical reasons of scope related to inadequate form filling; 2. KO & KP v Commissioner of Police also apparently failed to take into account the objects in s 3(c) and (d) of the ADR Act under which the Tribunal's review of privacy conduct falls, and that all decisions by the Tribunal, including decisions on scope, should align with the objects of the ADR Act; 3. the preferable decision regarding scope would be based on the full circumstances of the 2018 internal review v, and the definition of "conduct" in the 2018 internal review application, and accordingly nothing can be ruled out of scope in these proceedings, because they intended the conduct of the inaction of the respondent to be addressed.

[44]

Consideration

The Appeal Panel of the Tribunal has decided that the following principles are applicable in determining the scope of an administrative review under s 55 of the PPIP Act: 1. the scope of the application for internal review, reasonably construed, provides the scope for the agency's examination of the application. Unless there is some widening of the application within that process which is accepted by the agency, the application for internal review, reasonably construed, sets the scope for the application for review of the conduct by the Tribunal. The question of what is the scope of the application, reasonably construed, is one of fact that affects jurisdiction. Its determination is not driven, in any significant way, by any recitation of information protection principles that may appear in the applicant's application. The key question is what facts and circumstances has the applicant referred to which might give rise to questions of compliance with the information protection principles, and to identify the relevant principles: KO & KP v Commissioner of Police (GD) at [13]-[14]; 2. the focus is the conduct of which the applicant complains. 'Conduct' is the expression used in this area of the law to describe action by the agency or circumstances involving the agency that might amount to a possible contravention of an information protection principle: see PPIP Act, s 52. There needs to be material that can be understood by the agency, fairly read, as connecting the action or circumstances of concern to a principle, whether or not the principle itself is actually specified by the application: CYL v YZA [2017] NSWCATAP 105 at [58]; 3. the applicant cannot, after the application has been dealt with by the agency, widen the scope of the process. It is a fundamental premise of the PPIP Act that the agency first be given an opportunity to review the conduct of concern to the applicant. Therefore it would be wrong to allow proceedings in the Tribunal to be changed in scope so as to allow the applicant to put in issue new items of conduct or new bodies of information if they were not able to be identified (by the agency considering the complaint reasonably) at the initial stage. It is therefore critical that the agency and subsequently the Tribunal delineate with care and precision the actual information that is the subject of the internal review application and any subsequent application to the Tribunal: OD v Department of Education and Training (GD) [2005] NSWADTAP 74 at [13]-[14].
The Tribunal has held that wider systemic issues within the agency may form part of the background or context in which the conduct complained of occurred. They are not of themselves the conduct about the applicant is aggrieved, but form part of the organizational environment in which the conduct occurred. They do not fall within the scope of his internal review, reasonably construed, because they do not directly relate to the conduct complained of. They do not relate to specific breaches of the information protection principles or of a privacy code of conduct, but embrace wider issues concerning compliance with the PPIP Act and the agency's culture with respect to privacy issues. They are, nonetheless, relevant to the Tribunal's consideration of the conduct in issue, as they set, in part, the context in which the conduct occurred, and inform decision making accordingly. Addressing systemic issues which contribute to a finding of conduct in breach of the information protection principles may be a relevant factor for the Tribunal when considering what orders should be made under s 55(2): MH v NSW Maritime [2011] NSWADT 248 at [25].
Conduct that can be the subject of an internal review must be conduct that falls within s 52(a), (b) or (c) of the PPIP Act. The contravention by a public sector agency of an information protection principle that applies to the agency within s 52(a) is a reference to a contravention of one or more information protection principles in ss 8-19 of the PPIP Act. Each of these information protection principles relates to conduct in relation to personal information.
I reject the submissions of the applicants that the meaning of conduct in s 53 of the PPIP Act can be determined by reference the objects of the ADR Act or that KO & KP v Commissioner of Police (GD) so far it deals with the scope of an application for internal review probably contains an error of law and should not be relied upon.
I am satisfied that the conduct in the 2018 internal review application was limited to the entry of personal information of DVD and DVE into ClassDojo and StudyLadder. While the 2018 internal review application refers to "other Internet applications" no such application was identified by the applicants. The reference to "failed to protect our children's personal information" in section 5 of the 2018 internal review application should be understood as referring to the entry of personal information of DVD and DVE into ClassDojo and StudyLadder. As is clear from the 2018 internal review report, the scope of this conduct was not expanded during the process of the internal review.
I am satisfied that the reference to "NSW Education appears to have no functional policies in place to protect student privacy, and appears to be in ongoing breach of many privacy provisions related to the disclosing and holding of personal student information" in section 5 of the 2018 internal review application did not identify any contravention or alleged contravention by the respondent of an information protection principle relating to the personal information of DVD and DVE, and accordingly did not constitute conduct within s 53 of the PPIP Act. As is clear from the 2018 internal review report, this generalised complaint was not narrowed to allege any such contravention.
Further, I am not satisfied that the wider systemic issues within the respondent raised by the applicants form part of the background or context in which the conduct complained of occurred. It needs to be remembered that the entry of personal information of DVE into ClassDojo, and StudyLadder if found to have happened, occurred because DVE's teacher failed to comply with the 31 March 2016 DVE consent form, not because of any lack of privacy policies.
The Tribunal does not have jurisdiction to consider upon the administrative review of the conduct of the respondent the following conduct that was not identified in the 2018 internal review application and is raised in the 3 May 2019 applicants' submissions: 1. the exclusion of DVD and DVE from a Facebook photograph; 2. the Wi-Fi configurations in NSW public schools; 3. the use of "non-educational" programs by NSW public schools; 4. the encryption of information by third party "file storage" providers; 5. the handling of the 2018 internal review application by the Legal Services Directorate of the respondent.

[48]

Consideration

The Appeal Panel of the Tribunal has decided that, given the nature of the review under the PPIP Act, and the absence of any provisions attributing onus to either party, if left in a state of uncertainty in relation to a fact in issue, the Tribunal should decide that fact against the applicant: KP v Narrandera Shire Council [2011] NSWADTAP 15 at [27]-[31].
The 2018 internal review application did not clearly identify the conduct complained of as including the entry of DVD's name into ClassDojo by DVE's teacher and whether the entries into StudyLadder involved DVD or DVE or both of them. The 2018 internal review report appears to have been prepared on the basis that the complaint about ClassDojo and StudyLadder only involved DVE. Accordingly, the 2018 internal review decision does not contain findings about ClassDojo and StudyLadder with respect to DVD.
The evidence of the applicants on this issue was unsatisfactory for the following reasons: 1. the statements of DVD, DVE and DSH were unsigned; 2. the statement of DVE does not deal with the entry of DVD's name into ClassDojo by DVE's teacher, and does not contain any reference to StudyLadder; 3. the statement of DSH does not contain any reference to StudyLadder, and contains hearsay evidence about the entry of DVD's name into ClassDojo by DVE's teacher; 4. DVD and DVE did not give oral evidence; 5. while DSH gave oral evidence, she did not give any evidence about ClassDojo or StudyLadder.
The evidence of the respondent on this issue was unsatisfactory for the following reasons: 1. the evidence of Mr Mott of the denial by DVD's teacher of using StudyLadder in 2016, and the denial of DVE's teacher of using StudyLadder in 2016 and entering DVD's name into ClassDojo is double hearsay; 2. except that each of DVD's teacher in 2016 and DVE's teacher in 2016 are no longer at the Subject School, there is no explanation as to why evidence was not adduced from each of them.
In the circumstances of unsatisfactory evidence having been adduced by each of the applicants and the respondent I am left in a state of uncertainty in relation to this issue. In accordance with the principles in KP v Narrandera Shire Council at [27]-[31] I am not satisfied that DVD's name was entered into ClassDojo and/or StudyLadder and that DVE's name was entered into StudyLadder.

[54]

The submissions of the respondent

The respondent in the 27 May 2019 respondent's submissions makes the following submissions: 1. the applicants have already received compensation for their asserted loss and harm as part of the resolution of 2016 proceedings and accordingly are not entitled to "double dip" in these proceedings; 2. the applicants have not substantiated any of their claimed loss or harm, but rely solely on their own assertions as follows: 1. there is no evidence to support the items claimed as financial loss; 2. there is no evidence to support the psychological harm alleged to have been suffered. The expression "psychological harm" in s 55(4)(b) of the PPIP Act "is intended to encompass a situation where an individual suffers some impairment of their mental states and processes", including depression and anxiety: JD v NSW Medical Health Board (No 2) [2006] NSWADT 345 at [53]; 3. there is no evidence of "spitefulness" or "maladministration" said to give rise to the aggravated damages claimed; 1. the Tribunal does not have the power to award damages for future loss under s 55(2)(a) and (4)(b) of the PPIP Act; 2. in circumstances where the applicants have not provided evidence to substantiate financial loss and psychological harm, the damages they are seeking are properly characterised as punitive or exemplary damages, and the Tribunal does not have power to award punitive damages; 3. the applicants have not discharged their onus to prove that their asserted financial loss and psychological harm was caused by the respondent's conduct for the following reasons: 1. the causal link between the entry of DVE's name into ClassDojo, which was promptly deleted at the applicants' request, and the financial loss and psychological harm asserted by the applicants, is inherently implausible; 2. the applicants' own evidence does not support a direct causal link between the ClassDojo disclosure and the asserted loss or harm as the statements of DSG and DSH deal, in large part, with matters other than the ClassDojo conduct, including disclosures to Mathletics and Edmodo, the Subject School's use of pseudonyms in Mathletics, and the Subject School's efforts to facilitate the connection of the applicants' own private devices to the Subject School's systems; 1. the award of damages is discretionary and there are multiple instances in which the Tribunal has declined to award damages despite finding that the agency's conduct caused damage. It is inconceivable that, in the absence of any proper, reliable and credible evidence that substantiates the asserted financial losses and psychological harm, the applicants could be entitled to anything more a nominal award of damages. However, as the applicants have already been compensated for the damage now claimed, no further order for compensation should be made by the Tribunal.

[55]

The submissions of the applicants

The applicants in the 24 June 2019 applicants' submissions in reply make the following submissions in response to the 27 May 2019 respondent's submissions: 1. that the applicants have already received compensation for their asserted loss and harm as part of the resolution of the 2016 proceedings and accordingly are not entitled to "double dip" in these proceedings, the "BYOD interim measure" was adopted as a result of the conduct the subject of the 2018 internal review application, and has therefore not been the subject of prior compensation, and that this is false information; 2. that they have not provided any evidence to support the items claimed as financial loss: 1. the amounts claimed for "BYOD computers and support" are based on their best estimate because receipts are not available as the items were purchased online at eBay, and the transaction history has expired; 2. the amounts claimed for "Trips to Children's Hospital, Melbourne" are based on the widely accepted standard ATO tax rates for known distances travelled, plus a lowest price meal and accommodation estimate; 3. the amounts claimed for "Extra Costs of Victorian schooling" will be established by receipts provided at the hearing; 4. the amounts claimed for "Extra Costs of School Bus Access" and "Financial Losses, Unable to Farm or Work - Bus Bound" are based on the widely accepted standard ATO tax rates for known distances travelled, while labourers typical rates are used for known hours lost; 1. that they have not provided any evidence to support the psychological harm alleged to have been suffered, and further have not discharged their onus to prove that the asserted psychological harm was caused by the respondent's conduct: 1. there is no requirement that "psychological harm" in s 55(4)(b) of the PPIP Act must constitute a medical condition. Psychological distress resulting from a known cause is not a medical condition, but nevertheless constitutes harm; 2. their evidence demonstrates psychological harm occurred, using the definition in JD v Medical Board (No 2); 1. that the Tribunal does not have the power to award damages for future loss under s 55(2)(a) or s 55(4)(b) of the PPIP Act, the Tribunal has such a power under s 55(2)(e) of the PPIP Act; 2. that the damages they are seeking are properly characterised as punitive or exemplary damages, and the Tribunal does not have power to award punitive damages: 1. the respondent breached s 53(4)(a) of the PPIP Act by reason of Ms Hargans undertaking the internal review when she was substantially involved in matters relating to the conduct the subject of the application in circumstances where the conduct had been the subject of the 2016 internal review application, the respondent had obtained relief in CWS v NSW Department of Education and the respondent is falsely relying on the 16 November 2017 Deed of Release, and that as a result, the respondent maliciously and oppressively prejudiced the result of the 2018 internal review application, causing the applicants additional extreme frustration resulting in stress and anxiety, hurt and depression that otherwise would not have happened; 2. the respondent breached s 53(4)(c) of the PPIP Act by reason of Ms Hargans undertaking the internal review when she was not suitably qualified to deal with the matters the subject of the 2018 internal review application in circumstances where she did not act in a professional manner by communicating with the applicants, she was not professional and precipitous by pushing the internal review immediately without any proper attempt at resolution, to the legal domain, her claims relating to the issue of Wi-Fi security are so wrong that she was either intentionally mischievous, or so lacking in basic technical knowledge as to demonstrate incompetence, she purposely misrepresented the additional information presented by the applicants, or lacked the skills to understand the significance of that information, and that as a result, the respondent maliciously and oppressively prejudiced the result of the internal review, causing the applicants additional extreme frustration resulting in stress and anxiety, hurt and depression that otherwise would not have happened; 3. the principles in HW v Freelancer International Pty Limited [2015] AICmr 86 (18 December 2015) are directly applicable; 4. the principles in ALZ v SafeWork NSW (No 4) [2017] NSWCATAD 1 at [25] are directly applicable; 1. that their evidence lacks demonstration of causation: 1. the ClassDojo conduct did not only involve DVE, but DVD as well. There was also the Study Ladder conduct affecting DVD, along with all the other conduct, the subject of the administrative review, which the respondent was and is clearly not doing anything about; 2. the discovery of the ClassDojo and Study Ladder conduct was the point when the "last straw breaks the camel's back"; 3. the Mathletics and Edmodo conduct demonstrates that nothing was done to correct the causes of the conduct; 4. continued distress, anxiety, depression, and other painful psychological effects were principally a result of the economic and lifestyle stress brought about by the necessary removal of DVD and DVD from the Subject School, as were damaging economic impacts; 5. the loss of the amenity of their siEple enjoyable lifestyle was shattered by the need to create considerably more income because of the extra expenses, caused by bus access and school fees, which had in tum been brought about because DSG and DSH had no option but to move DVD and DVE to another school to ensure reasonable safety of their personal information.

[56]

The effect of the 16 November 2017 Deed of Release

As can be seen from a comparison between the schedule of losses/damage of the applicants in the 2016 proceedings and the amended schedule of financial losses of the applicants in these proceedings, the applicants are in substance claiming the following losses in these proceedings as they claimed in the 2016 proceedings: 1. "BYOD computers and support": $250 for each of DSG and DSH in these proceedings, and $500 in the 2016 proceedings; 2. "Time Losses, Unable to Farm or Work - Bus Bound": $63,421 or $74,522 for DSG in these proceedings, and $59040 in the 2016 proceedings; 3. "Extra Costs of Victorian schooling": $7255 for each of DSG and DSH in these proceedings, and $4,000 in the 2016 proceedings; 4. "Psychological Harm - Aggravated Damages": $20,000 for each of DSG, DSH, DVD and DVE in these proceedings, and $2,000 for each of DSG and DSH and $5,000 for each of DVD and DVE in the 2016 proceedings.
The following losses claimed by the applicants in these proceedings which they did not claim in the 2016 proceedings arose from the withdrawal of DVD and DVE from the Subject School and their enrolment at a school in Victoria which DSG and DSH alleged in the 2016 proceedings were a consequence of the entry of the names of DVD and DVE into Mathletics and the entry of the name of DVD into Edmodo as well as the Tell Them From Me survey form: 1. "Trip to Children's Hospital, Melbourne": $242 for each of DSG and DSH; 2. "Costs of School Bus Access - Vehicle Costs": $11,162 for each of DSG and DSH; 3. "Loss of Amenity, Simple Enjoyable Lifestyle": $40,000 for each of DSG and DSH and $10,000 for each of DVD and DVE.
Leaving aside the claim in these proceedings for "Psychological Harm - Aggravated Damages" for "respondent false evidence" which is alleged to be reliance by the respondent on the 16 November 2017 Deed of Release, all the other claims in these proceedings were also a consequence of the entry of the names of DVD and DVE into Mathletics and the entry of the name of DVD into Edmodo as well as the Tell Them From Me survey form.
Clause 3.1 of the 16 November 2017 Deed of Release on its proper interpretation operates as a release by DSG, DSH, DVD and DVE of all their claims in the 2016 proceedings as well as all claims they may have against the respondent arising out of or in connection with this conduct. Clause 11 on its proper interpretation permits the respondent to rely on the 16 November 2017 Deed of Release as a defence to the claims of the applicants in these proceedings because are properly characterised as a consequence of the entry of the names of DVD and DVE into Mathletics and the entry of the name of DVD into Edmodo as well as the Tell Them From Me survey form.
I am satisfied that the claims for damages of the applicants in these proceedings, other than the claim for "Psychological Harm - Aggravated Damages" for "respondent false evidence" are barred by the 16 November 2017 Deed of Release, and on this basis alone I would not award any damages under s 55(2)(a) and (4)(b) of the PPIP Act for these claims.

[59]

No substantiation of loss or harm

The Appeal Panel of the Tribunal has decided that the following principles are applicable in determining whether damages should be awarded for financial loss, or psychological or physical harm, under s 55(2)(a) and (4)(b) of the PPIP Act: 1. the applicant has a responsibility to place material before the Tribunal in support of such a claim. The agency must have the opportunity to test that material: GR v Director-General, Department of Housing [2004] NSWADTAP 26 at [38]; 2. damages may be awarded for distress in the absence of independent evidence of psychological harm, where there was acceptance from the submissions and material filed by the applicant, and an assessment of the applicant when she participated in the main appeal hearing, that she has suffered emotional distress and harm, along the lines that she has asserted, because of the aspect of the conduct of respondent in relation to which there was a finding of contravention: AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179 at [20] and [30].
The Tribunal has decided that an award of damages for distress should be at the lower end of the scale because of the absence of evidence as to the consequential impact of the distress upon the applicant, and determined the amount should be $1,000: CJU v SafeWork NSW [2018] NSWCATAD 300 at [135], [138].
The Tribunal has decided that the award of statutory damages in PPIP Act matters remains a discretionary one even where a causal link sufficient to satisfy s 55(4)(b): NW v New South Wales Fire Brigades (No 2) [2006] NSWADT 61 at [23]-[24]. The discretion not to make an award of compensation has been exercised where the Tribunal has been satisfied that the applicant has already been granted an award of damages in respect to the disclosure of the personal information: JD v Director General, NSW Department of Health (No 2) [2007] NSWADT 256 at [27].
I am not satisfied that the applicants have adduced any evidence that any of them have suffered any financial loss. The applicants in the 24 June 2019 applicants' submissions in reply make a series of assertions as to the quantum of their loss. They adduced no evidence of "the widely accepted standard ATO tax rates for known distances travelled", or "labourers typical rates", or any of the expenditure claimed. I would not award the applicants any damages for financial loss under s 55(2)(a) and (4)(b) of the PPIP Act because of the lack of evidence establishing any such loss.
I do not accept the respondent's submission that the expression "psychological harm" in s 55(4)(b) of the PPIP Act is limited to " a situation where an individual suffers some impairment of their mental states and processes", including depression and anxiety.
The applicants adduced no independent evidence by way of medical reports of any specific diagnosis or prognosis in respect of any psychological harm they claim to have suffered. DSG in his unsigned statement refers to his "depression and anger" and says DSH "has been angry too". DVD in her unsigned statement says "I was really anxious about [making new friends]" and "I used to get a lot of tummy pain when all this stuff was happening. Often I couldn't eat. It was so bad that sometimes I couldn't go to school"." DVE in his unsigned statement says "Just before I left [the Subject School] I began to have a lot of trouble sleeping" and "I felt really bad about leaving all my friends and then I was sad most of the time I was at [the New School]." While I made an assessment from DSG making submissions and giving evidence at the hearing, and from DSH giving evidence at the hearing, that they were distressed, it was clear that this distress related to many other matters than the entry of DVE's name into ClassDojo, and the alleged entry of DVD's name into ClassDojo and/or StudyLadder and DVE's into StudyLadder. I am satisfied that each of the applicants have suffered psychological harm by reason of their distress.
If otherwise entitled to damages by way of compensation for the loss or damage suffered because of the conduct of the respondent, I would award each of DSG, DSH and DVE damages of $1,000 under s 55(2)(a) and (4)(b) of the PPIP Act for the distress he suffered from the entry of his name into ClassDojo. I would not award damages to DVD as I am not satisfied her distress arose from the entry of DVE's name into ClassDojo. I would not exercise my discretion not to make such an award of damages.

At a glance

Court

Decision date

Before

Source

Judgment (72 paragraphs)

Parties

Legislation Cited (4)

Cases Cited (7)

Cited By (6)