EML provides claims management services as a "Claims Manager" on behalf of the Respondent for claims covered by the Treasury Managed Fund which is a self-insurance scheme in respect of NSW Government agencies, including the NSW Police Force (NSWPF). EML's services, on behalf of the Respondent, include managing claims for work injury damages related to workplace injuries within agencies (including, in this case, claim 770519005169 of the Applicant).
On 22 November 2011, as the result of settlement negotiations in relation to a number of claims by the Applicant against the NSWPF and in accordance with the terms of a confidential Deed of Release dated 22 November 2011 between the Applicant and the NSWPF (Deed), the Applicant signed a letter addressed to EML formally requesting that claim 770519005169 "be finalised and closed" and stating that "I [the Applicant] acknowledge and undertake not to take any further action in respect of that claim" (22/11/2011 Letter).
Sometime after the Deed was executed and received by (EML on behalf of) the Respondent, the PN was prepared (or updated) by EML as agents of the Respondent to include wording in respect of, among others, claim 770519005163 as follows:
All claims settled 22/11/2011 …
On 3 May 2016 the Applicant emailed EML seeking confirmation of whether the Applicant was entitled to workers compensation in respect of an injury to their right thumb under claim 770519005169 and/or their psychological injury under claim 770519057272 (3/5/2016 Email).
On 6 May 2016 the EM Email was sent on behalf of the Respondent stating that claim 770519005169 was "settled via Deed of Release in 2011".
On 19 July 2019 the Applicant applied to the Respondent under the Government Information (Public Access) Act 2009 (GIPA Act) for access to all documents held by the Respondent in relation to claim 770519005169 (GIPA Application). On 13 August 2019 the Respondent provided the Applicant with a number of documents in response to the GIPA Application, including the PN which contained the following personal information of the Applicant which is the subject of these proceedings (PI):
All claims settled 22/11/2011…
On 29 August 2019 the Applicant sent an email to the Respondent (29/18/2019 Email) requesting, among other things, that the Respondent provide the Applicant with all documents containing the Applicant's personal information "All claims settled 22/11/2011".
On 20 September 2019 the Respondent responded to the 29/8/2019 Email noting, most relevantly:
There are no associated documents.
By email dated 20 September 2019 the Applicant sought correction of their personal information contained in the PN, as detailed in paragraphs [8] and [11] above, to read as follows:
Claim number 770519005169 has not been settled.
By email dated 2 October 2019 the Respondent notified the Applicant that it had changed the wording in the PN to read as follows:
All claims closed 22/11/2011…
In the IR Request the Applicant alleges, as regards the breach of s16 PPIP Act (IPP 9) (i.e the Conduct of Concern):
[The Respondent] used my personal information in the document entitled "Plan Notes for 770519005169" and email from Daniel Campbell on 6 May 2016 without taking such steps as are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate and not misleading.
In the IR Decision the Respondent concluded, most relevantly, at [4.6] that:
… external disclosure of information should be distinguished from its internal "use" when assessing whether an agency has breached s16…
On the basis of either description, the claim remained finalised for practical purposes.
On balance, given the information provided, I do not consider that [the Respondent] has breached s16 of the PPIP Act.
The Applicant contends that they were aggrieved by the Conduct of Concern which they allege was in breach of s16 PPIP Act (IPP 9), being that the Respondent used the PI without taking such steps as were reasonable in the circumstances to ensure that, having regard to the purpose of using the PI to inform the Respondent's decision on and response to the Applicant's query and to create and send the EM Email to convey that decision/response, the PI was accurate, up to date, complete and not misleading.
On 5 September 2020 the Applicant lodged an application for leave to issue a summons in respect of documents sought under 4 paragraphs set out in the schedule to that application. At the time of the Hearing only paragraph 4 of the schedule to that summons application was being pressed by the Applicant, being (Summons Issue):
In respect to the email from Daniel Campbell to [EEH] dated 6 May 2016:
1. copy of that email forwarded to any person between 6 May 2016 and 10 January 2020;
2. copy of that email scanned to the "edocs" electronic document management system.
[2]
The Hearing
The Hearing took place by telephone on 16 September 2020.
During the Hearing the parties (i) referred to their submissions (Applicant: Submissions filed on 10 August 2020 (AS) and Submissions in Reply date 15 September 2020 (ASR) and Respondent: Submissions dated 26 August 2020 (RS), (ii) referred to their evidence (Applicant: Statement of the Applicant dated 3 August 2020 (A Statement) and Statement of the Applicant dated 14 September 2020 (A Supplementary Statement) and Respondent: Statement of Mr Greg Waddington dated 25 August 2020 (GW), the s58 ADR Act bundles of documents submitted on 5 June 2020 and 26 August 2020 (s58 Documents); and (iii) made oral arguments and submissions.
The parties also presented arguments and submissions on the Summons Issue during the Hearing and I determined, for reasons given during the Hearing, that the documents sought under paragraph 4 of the schedule to the Applicant's summons application were outside the scope of the jurisdiction of the Tribunal in relation to the issues to be considered in these proceedings. That is, in respect of the Summons Issue, I refused to grant the summons requested by the Applicant.
Also during the Hearing the parties raised and discussed the issue of a summons by the Respondent to produce a copy of the Deed executed by the NSWPF (NSWPF Deed). The parties consented to the Tribunal making an order for the Respondent to submit an application for the issue of a summons to obtain the NSWPF Deed.
[3]
Since the hearing
In accordance with the Orders of the Tribunal made on 18 September 2020 the Respondent submitted its application for the issue of a summons to obtain the NSWPF Deed. After some correspondence from the parties the Tribunal approved the issue of the summons which was returned on 12 October 2020.
In accordance with the Orders of the Tribunal dated 18 September 2020 and in respect of the impact of the NSWPF Deed on these proceedings the Applicant submitted their written closing submissions as Supplementary Submissions dated 9 November 2020 (A Supplementary Submissions) and the Respondent filed its written closing submissions dated 16 November 2020 (R Closing Submissions).
[4]
Non-publication order
In the Tribunal's Orders dated 7 April 2020, the Tribunal ordered that:
The publication or broadcast of the name of [the Applicant], and evidence in the proceedings which identifies the Applicant is prohibited. This order is made under section 64(1)(a) and (c) of the Civil and Administrative Tribunal Act 2013. [(s64(1)(a) and (c) Order)]
While no written submissions were made as regards the s64(1)(a) and (c) Order, during the Hearing the parties did question whether the reference to s64(1)(c) Civil and Administrative Tribunal Act 2013 (CAT Act) was made in error and/or if, instead, the Tribunal had intended s64(1)(b) CAT Act should apply.
For the avoidance of any doubt, having considered the law and the Tribunal's guidelines on confidentiality in privacy proceedings and given the confidentiality of the Deed which is accepted by both parties, I confirm the Tribunal's s64(1)(a) and (c) Order as made on 7 April 2020.
[5]
Legislative scheme for review
Part 5 of the PPIP Act provides for the review of certain specified conduct of a public sector agency such as the Respondent. Most relevantly in this case, the conduct as set out in s52 PPIP Act is:
(1) This Part applies to the following conduct-
(a) the contravention by a public sector agency of an information protection principle that applies to the agency…
Section 53 PPIP Act, under which the Applicant made the IR Request, most relevantly provides:
(1) A person ("the applicant") who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct…
(7) Following the completion of the review, the public sector agency whose conduct was the subject of the application may do any one or more of the following--
(a) take no further action on the matter,
(b) make a formal apology to the applicant,
(c) take such remedial action as it thinks appropriate (eg the payment of monetary compensation to the applicant),
(d) provide undertakings that the conduct will not occur again,
(e) implement administrative measures to ensure that the conduct will not occur again…
The purpose of an internal review by an agency (i.e. the Respondent in this case) is to determine whether any of the alleged conduct by that agency raised in the IR Request (i.e. the Conduct of Concern) amounted to a contravention of one or more of the IPPs or any applicable privacy codes: Department of Education and Training v GA (No 3) [2004] NSWADTAP 50.
Section 55(1) PPIP Act provides that a person dissatisfied with the findings of or actions proposed by an internal review (in this case the IR Decision) may request the Tribunal to review that agency's conduct which was the subject of the internal review and ss55(2) and (3) provides the actions and orders the Tribunal may make:
(1) If a person who has made an application for internal review under section 53 is not satisfied with--
(a) the findings of the review, or
(b) the action taken by the public sector agency in relation to the application,
the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders--
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.
Several decisions of the Appeal Panel have set out of some fundamental principles that govern the scope of a review of an agency's conduct under the PPIP Act by this Tribunal. In an application for administrative review of an agency's conduct under s55(1) PPIP Act (i.e. the AR Application in this case), where the Applicant is dissatisfied with the findings of or action proposed in the IR Decision, the Tribunal is limited to reviewing the scope of the conduct the subject of the original application for the internal review (i.e. in this case the IR Request). The Tribunal does not have jurisdiction to review conduct that was not the subject of the application for internal review to the agency: Department of Education and Training v GA (No 3) [2004] NSWADTAP 50 at [7]; Department of Education and Training v ZR (No 2) [2009] NSWADTAP 44 at [17] (also see CEU v University of Technology Sydney [2018] NSWCATAD 13 at [76]).
It is not in dispute that the Tribunal has jurisdiction to determine this matter pursuant to s55(1) PPIP Act, s30 CAT Act and s63 Administrative Decisions Review Act 1997 (ADR Act). In fact there is no question in this case that the Conduct of Concern is within the scope of the alleged conduct set out in the IR Request and thus the Tribunal has the jurisdiction to undertake an administrative review of the Conduct of Concern.
The Tribunal held in DSG v Department of Education [2019] NSWCATAD 182, at [73], that:
When reviewing conduct that is the subject of an internal review under the PPIP Act, the Tribunal is exercising its administrative review jurisdiction.
In the case of an administrative review the Tribunal is not reviewing the IR Decision (in this case) but the original conduct of concern of the agency (in this case the Conduct of Concern) which the Applicant complained about in the IR Request (in this case): see AEC v Commissioner of Police (NSW) [2013] NSWADTAP 30 at [34].
The powers under s55(2) PPIP Act are not the limit of the Tribunal's powers when determining what action (if any) to take arising from an administrative review of the Conduct of Concern. In examining whether to take specific action or give specific relief under s55(2) of the PPIP Act, the Appeal Panel of the former Administrative Decisions Tribunal observed the following in the case of Vice-Chancellor Macquarie University v FM (No 2) [2004] NSWADTAP 37:
[59] Our powers are not restricted to those given by s 55(2). Sub-section (3) leaves open to the Tribunal to be exercised the powers contained in the Administrative Decisions Tribunal Act 1997 (the Tribunal Act).
The Tribunal has a range of powers, including the power to make an order under s55(2)(c) requiring an agency to perform an IPP.
As held by the Appeal Panel in DTN v Commissioner of Police [2020] NSWCATAP 73 (DTN):
[99] In our view, and given that the CAT Act postdates the PPIP Act, the Tribunal may either exercise the functions conferred or imposed upon the public sector agency pursuant to s53(7) as well as make any of the orders provided for in s 55(2) of the PPIP Act…
[105] Under s53(7)(e) of the PPIP Act, following the completion of the review, the public sector agency whose conduct was the subject of the application may "implement administrative measures to ensure that the conduct will not occur again". As discussed above, by s63(2) of the Administrative Decisions Review Act 1997 and s30(2)(b) of the CAT Act, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision in connection with the conduct or resolution of the proceedings. This would include the making of a decision as to whether or not the public sector agency should implement administrative measures to ensure that the conduct will not occur again. Orders of that kind have been made by the Tribunal, including for example in BVS v Sydney Local Health District [2015] NSWCATAD 171.
Section 55(2)(g) PPIP Act also permits the Tribunal to make an "ancillary order". An ancillary order is an order that is "incidental or supplemental to" an order the Tribunal is empowered to make (see for example, New South Wales Crime Commission v Ollis [2006] NSWCA 76 at [28] and Housing NSW v Hamilton [2015] NSWCATAP 136 at [39]).
[6]
The PPIP Act and IPPs in question
The PPIP Act regulates the manner in which NSW Government agencies, including the Respondent, and certain other entities deal with and manage personal information. "Personal information" is defined in s4 PPIP Act as:
(1) In this Act, "personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.
Section 4(4) PPIP Act further provides:
For the purposes of this Act, personal information is "held" by a public sector agency if-
(a) the agency is in possession or control of the information, or
(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or
(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.
Sections 8 to 19 PPIP Act set out the twelve IPPs that govern the way in which an agency (in this case the Respondent) must collect, store, access, use and disclose personal information. Relevantly, for the purposes of the present proceedings before the Tribunal, s16 PPIP Act (IPP 9) provides:
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading. [emphasis added]
Section 16 PPIP Act was described in PN v Department of Education and Training [2010] NSWADTAP 59 at [30] as:
… the most important provision in the [PPIP] Act. [Section 16 (and IPP 9)] entrench the principle that agencies will take reasonable steps to ensure that before information held by them about individuals is used for an administrative purpose it is checked to ensure that it is appropriate to rely upon it. The agency is expected to satisfy itself that the information is relevant, accurate, up to date, complete and not misleading. [emphasis added]
Having regard to the analogous provision in the Health Records and Information Privacy Act 2002 (HRIP Act) and the analogous Health Protection Principles (HPPs), in particular HPP 9, the Appeal Panel in ALZ v WorkCover NSW [2015] NSWCATAP 138 held at [89] that agencies are required to:
… fairly use the information they hold at the point they are taking actions or making decisions based on it. It is especially directed to old information and seeks to encourage care in relation to use of information collected indirectly. [emphasis added]
The Tribunal held in JD v Director General, NSW Department of Health (No 2) [2004] NSWADT 227 (JD) at [66] that:
… where personal information held by an agency is to be used for a purpose that is adverse to the interests of the person concerned, then section 16 of the PPIP Act [i.e. IPP 9] places a higher threshold on an agency to ensure that the information is relevant, accurate, up to date, complete and not misleading.
Further, the Tribunal also held in JD at [67] that reasonable steps must be determined:
…not only in the context of the purpose for which the information was to be used, but also in the context of those matters [where] the applicant alleges the information was not relevant, inaccurate, out of date, incomplete or misleading.
In JD v Department of Health (GD) [2005] NSWADTAP 44 (GD), the Tribunal held at [69]:
What is reasonable in the circumstances will vary with the significance of the purpose to which the information is to be put, and may be affected by the urgency of the situation. It may be that no additional steps are necessary.
[7]
Applicant's submissions
The Applicant contends in the IR Request and the AR Application that the Conduct of Concern breached s16 PPIP Act because, contrary to IPP 9, the Respondent failed to take reasonable steps in the circumstances to ensure the PI it used was accurate and not misleading having regard to the proposed use it was to be used for.
In support of the AR Application, the Applicant attached copies of the IR Request and a copy of the IR Decision.
The Applicant submitted, most relevantly, in the AS that the IR Decision incorrectly applied s16 PPIP Act:
[29] In any event, there is an inference that the Plan Notes were in fact read by EML staff when printed from EMICS on 26 July 2019 and/or by the Respondent's staff when considered for production under the PPIP Act. …
[31] A letter from an agency to the affected person amounts to a 'use' of that information (ZR at [63]). By analogy, an email from an agency to the affected person also amounts to a 'use' of the information. …
[35] The act of searching for documents associated with specific information contained in an agency's records and reporting back to the affected person on the outcome of those searches is a 'use' of that information.
The Applicant stated the Conduct of Concern had the following effect on the Applicant at ([30] of the A Statement):
… I accepted the statement [in the EML Email] at face value and did not press EML for medical treatment.
In the IR Request, the AR Application and the AS the Applicant raised the following two inaccuracies relating to the Applicant's personal information in question for the Tribunal's consideration:
1. that the 'admin warning' in the PN was inaccurate and misleading because the claim number 770519005169 has not been settled; and
2. that the EML Email stating that claim 770519005169 was settled via Deed of Release in 2011 was also inaccurate and misleading because that claim has not been settled.
In the A Supplementary Submissions the Applicant submitted that (in summary) (Validity of Deed Issues):
1. the Deed was invalid as the NSWPF are not a separate legal person and thus cannot contract (i.e. enter the Deed) in their own right;
2. section 234 of the Workplace Injury Management and Workers Compensation Act 1988 (WIMWC Act) does not permit contracting out of a workers rights under that and related acts; and
3. no compensation is specified or specifically allocated in in the Deed for claim number 770519005169 so it is not settled by the Deed.
The Applicant seeks orders (AS [46]) that the Respondent refrain from further use of the inaccurate and misleading personal information, amend the PN to reflect that claim 770519005169 was voluntarily closed by the Applicant and any further order the Tribunal "thinks appropriate".
[8]
Respondent's submissions
The Respondent submitted that the substantive issues for determination under s16 PPIP Act/IPP 9 were whether (i) the Applicant's personal information was used and (ii) if it was used, it was inaccurate and misleading.
The Respondent submitted at [19 to 22] of the RS that there was no use of the PI and, at most, that information was retrieved and/or disclosed but not used and, in support of this submission, cited JD v Department of Health (NSW) [2006] NSWADT 44 at [44]; GD at [93] and Department of Education and Communities v VK [2011] NSWADTAP 61 (VK) at [20-21].
In the R Closing Submissions the Respondent submitted, including in relation to the Validity of Deed Issues, that (in summary):
1. the NSWPF signed as an agent of the Crown in the right of the State of NSW and this is clearly stated in the Deed;
2. due to the Applicant's evidence under cross-examination the Tribunal need not consider s234 of the WIMWC Act. That is, that the Applicant:
3. did not dispute in principle agreement was reached at the mediation;
4. believed they were entering into an agreement;
5. signed the letter to EML requesting the claim in question be closed, as required as a pre-condition to receiving money under the Deed; and
6. agreed they received payment under the Deed; and
7. considering the evidence and the terms of the Deed, the claim in question was 'settled' in the sense that it was resolved by agreement between the parties and that was recorded in the Deed.
[9]
Consideration and findings
Having regard to the authorities set out above at paragraph [33], I find that the Tribunal does not have jurisdiction to consider conduct which is outside the scope of the IR Request (i.e. the Conduct of Concern) giving rise to the IR Decision: KO and KP v Commissioner of Police, NSW Police Force (GD) [2005] NSWADTAP 56 at [13]. While the Conduct of Concern is clearly within the ambit of the IR Request in relation to the s16 PPIP Act/IPP 9 issue raised by the Applicant, the Validity of Deed Issues are not within the scope of or canvassed in the IR Request and therefore the Tribunal has, in these proceedings, no jurisdiction to consider the Validity of Deed Issues.
Even if the Tribunal did have jurisdiction in these proceedings to decide the Validity of Deed Issues (i.e. if they were raised in the IR Request), as regards the Respondent's compliance with IPP 9 in the current circumstances I am of the view the Applicant's arguments in relation to the Validity of Deed Issues are misconceived. The implication resulting from the Applicant's arguments is that the Respondent should have obtained legal advice on the validity/enforceability of the Deed before (a) entering the PI into the PN and/or (b) responding to the Applicant's query in the 3/5/2016 Email. In my opinion, in the current circumstances, such actions are not the reasonable steps required of the Respondent under IPP 9 before the use of the PI. This is because, being complete on its face, the contents of the Deed may for all intents and purposes be assumed by the Respondent to be valid in the absence of any indication (on checking to ensure that it is still appropriate to rely on the Deed when responding to the 3/5/2016 Email) that it may not be valid, accurate or complete and may be misleading.
For the Tribunal to find that the Respondent breached s16 PPIP Act/IPP 9 in relation to the PI in question the Respondent must (see JD at [65]):
1. hold the PI;
2. use the PI; and
3. fail to take steps as were reasonable in the circumstances to ensure that, having regard to the proposed purpose of its use, the PI was relevant, accurate, up to date, complete and not misleading (collectively it was accurate).
No issue was raised by the Respondent that the information in question was not the personal information of the Applicant held by the Respondent and, after considering these issues under the principles noted in paragraphs [41] and [42] above and based on the evidence and submissions before me, I am satisfied that the PI is both the personal information of the Applicant and held by (or on behalf of) the Respondent.
Having established that the PI is the Applicant's personal information and that such was held by (or on behalf of) the Respondent, there are then three further questions to consider in respect of the Conduct of Concern. The first question is whether the Respondent relevantly used the PI for the purposes of IPP 9. If yes, the second question is whether the Respondent failed to take reasonable steps to ensure that the PI was accurate (not whether or not the PI was in fact accurate but rather what steps were taken to check if it was). Finally, if the answer to the second question is yes (i.e. the Respondent failed to take reasonable steps), the third question is whether the PI was actually inaccurate, incomplete and misleading, the answer to which may impact on the relief ordered by the Tribunal (but not whether or not the Respondent breached IPP 9).
[10]
"Use" of the personal information
The Tribunal held in FM v Macquarie University [2003] NSWADT 78 at [42] that the plain and ordinary meaning of the word 'use' in this context is 'to avail oneself of; apply to one's own purposes;' (The Macquarie Dictionary, 3rd edition, The Macquarie Library). Also see MT v Director General, NSW Department of Education and Training [2004] NSWADT 194 (MT) and VK.
The Tribunal has found that the mere placing of a letter on a file cannot amount to use: ZR v NSW Department of Education and Training [2008] NSWADT 199 at [168]. Also, mere access or retrieval would not normally be enough to constitute a use. In GD the Appeal Panel at [41 and 42] noted:
41. In the Act 'use' is differentiated from other activities such as 'collection', 'access' and 'disclosure'. Importantly the standards which apply to the 'use' of information are separated from the standards that apply to the 'disclosure' of the information.
42. We agree with the Tribunal that 'use' normally bears the connotation of employing information for a purpose. Mere access or retrieval would normally not be enough: see further, R v Brown [1996] 1 AC 543 (dealing with the term 'use' as found in the UK data protection statute). In our view, if an agency merely retrieves information in its possession and discloses that to an external person or body, there is no 'use' involved.
In MT at [162] the Tribunal held that any consideration of s16 PPIP Act requires that an agency applied the information to its own purposes, not just any purpose. Also see OD v Department of Education and Training [2006] NSWADT 312. It is only possible to give effect to IPP 9 if 'use' is interpreted as the process of considering, assessing or weighing up personal information so as to make a decision or adopt a further course of action: GD at [44]).
In the present circumstances under consideration, I do not see the sending of the EM Email in and of itself is a use of the PI by the Respondent (as this may be considered more a disclosure). However, the strong inference from the evidence before me is that the Respondent used the PI to consider and decide the answer the Applicant's query in the 3/5/2016 Email and that the decision on such (i.e. embodied in the response to the Applicant's query) was set out in the EM Email. That is, the Respondent used the PI for its own administrative purpose to assess and decide the status of the Applicant's workers compensation claim 770519005169 (i.e. whether it was settled, finalised or not) in order to respond to the Applicant's query (i.e. the Applicant's right to workers compensation under claim 770519005169) as notified in the EM Email.
I am therefore satisfied that the conduct of the Respondent in considering the PI in order to answer the Applicant's query (and thus the Applicant's right to further compensation) did constitute a relevant use of the PI by the Respondent sufficient to trigger the operation of s16 PPIP Act (IPP 9).
[11]
Did the Respondent fail to take reasonable steps to ensure the personal information was accurate, up to date, complete and not misleading
I find that the purpose of the use of the PI was to make a determination of or form a view as to the Applicant's right to further workers' compensation in relation to claim 770519005169. This purpose, potentially adverse to the Applicant, and given the age of the information at the time (some five years' old), imposes a high threshold on the Respondent (and its agents) as regards the steps needed to be taken to check if the information is accurate.
The Tribunal commented in MT at [185] that:
… there is merit in the argument that if there is in fact an onus, the initial onus should rest on [the Applicant] to show that there was a use which involved irrelevant, inaccurate, out of date, incomplete or misleading information, whereupon the onus would shift to [the Respondent] to show that it took reasonable steps to check the information.
However, given the wording of IPP 9 (and the emphasised parts of prior decisions in paragraphs [43] to [45] above), it is the action of taking reasonable steps to check the accuracy of the PI under IPP 9, rather than the actual accuracy of the PI, that is the focus of IPP 9. That is, if reasonable steps were taken but the PI nonetheless turned out to be inaccurate and misleading then there may be no breach of IPP 9. However, even if the PI turned out to be accurate, if no reasonable steps were taken by the agency in the circumstances having regard to the purpose of the proposed use then there is a breach of IPP 9, irrespective of the accuracy of the information: see ALZ v SafeWork [2017] NSWCATAD 52 at [108 to110]. If IPP 9 is breached and the PI turns out to be inaccurate, irrelevant, incomplete or out of date and misleading, then this will factor into the relief to be granted by the Tribunal.
Once a relevant use of the PI has been established (as in this case) IPP 9 is triggered and the Respondent then has the onus to show that it took such reasonable steps in the circumstances to check the accuracy of the information before using it. Given my finding that, for the purposes of IPP 9, the Respondent relevantly used the PI, the Respondent was required to take reasonable steps having regard to the purpose of use, to check the accuracy of the PI before using it.
If the Respondent cannot or does not show that such reasonable steps in the circumstances were taken then the clear inference is that it has not taken any such steps. The question then is whether the taking of no steps was reasonable in the circumstances having regard to the purpose of use of the PI: see JD at [67].
In this case, given the age of the personal information in question and the purpose for which it was being used, the Respondent (or EML on behalf of the Respondent) should have taken steps to investigate, at least from the agency signatory to the Deed (i.e. the NSWPF), whether the Deed was still in force/could still be relied on and that there was no known current challenge to its validity: see GD at [44 and 70]. That is, it was not reasonable to take no steps to check the accuracy of the PI. However, as noted at paragraph [60], in this case reasonable steps do not require the taking of legal advice on the contents of the Deed where, after checking, there was no evidence of any current challenge to its validity or its continuing operation.
No evidence was presented or submissions made by the Respondent as to what steps were actually taken by or on behalf of the Respondent to check the accuracy of the PI prior to its use.
Based on the lack of submissions and evidence that any reasonable steps were taken by the Respondent in this case to check the accuracy of the PI and my findings above, I am satisfied that the Respondent (or EML on behalf of the Respondent) breached IPP 9 in respect of the use of the PI.
[12]
Was the personal information inaccurate or misleading?
In BFP v NSW Ambulance Service [2015] NSWCATAD 39 the Tribunal held at [34] that the onus is on an Applicant to demonstrate how the PI is inaccurate, irrelevant, incomplete or not up-to-date and misleading.
On this question the Applicant relied on a recent correction by the Respondent of the personal information as recorded in the PN to read:
All claims closed 22/11/2011.
Subject to my comments in paragraph [74] about checking if the Deed could still be relied on, I am satisfied that until such time as the Deed is overturned, challenged or terminated/waived by the parties in accordance with its provisions, the contents of the Deed represent a reasonable position on which the Respondent may rely, as long as the PI does not misrepresent the practical consequences of the contents of the Deed and is used by the Respondent in a way that is not inaccurate and misleading.
I find that the Applicant's personal information in the PN (i.e. the PI) is accurate having regard to the purpose for which the Respondent was using it, both prior to and after the change to the PN wording made in October 2019. While perhaps not the precise technical legal position under the Deed, for the purpose of its use in this case, the PI is not inaccurate and misleading of the Applicant's position with respect to claim 770519005163.
[13]
In conclusion
Having regard to my findings above I find that the Respondent (or EML on its behalf) failed to take reasonable steps, in the circumstances and having regard to the purpose for which the PI was to be used, to ensure the accuracy of the PI before it was used and thus the Respondent breached IPP 9. However, I also find the PI was not, in fact, inaccurate and misleading which I have taken into account in determining the relief to be granted to the Applicant.
[14]
What is the appropriate relief?
As I have found that the PI was not inaccurate or misleading the specific relief requested by the Applicant (for the Respondent to refrain from further use of the inaccurate and misleading personal information and amend the PN to reflect that claim 770519005169 was voluntarily closed by the Applicant, see paragraph [55] above) is therefore inappropriate.
However, s55(2)(c) of the PPIP Act empowers the Tribunal to make an order requiring the performance of an IPP. I am of the view that, in the current case, s55(2)(c) of the PPIP Act empowers the Tribunal to order the performance of IPP 9 (as provided for in s16 PPIP Act) by the Respondent. This is because such a course of conduct is clearly related to the found contravention of IPP 9.
In my view the orders available to the Tribunal in this case also include what may be described as requiring the implementation of administrative measures to ensure that conduct of the nature of the Conduct of Concern will not occur again. In support of this, as noted in DTN at [105], the Appeal Panel found that:
… If the conduct was to be too narrowly construed, there would be no or little role for any decision to put in place administrative measures to ensure that the "conduct" will not occur again. Any such decision is of course a discretionary remedy depending on all of the circumstances and the submissions of the parties.
[15]
Orders
The following orders are made:
1. Within 120 days of the date of these Reasons for Decisions the Respondent is to (i) perform IPP 9 including by specifying in a procedures document and implementing those steps as are reasonable in the circumstances, having regard to the purpose for which personal information is to be used, which are to be taken by the Respondent and it's agents to ensure that the personal information is relevant, accurate, up to date, complete and not misleading before it is used and (ii) implement such administrative measures necessary to ensure the Respondent and it's agents will not again fail to take steps as are reasonable in the circumstances, having regard to the purpose for which personal information is to be used, to ensure that the personal information to be used is relevant, accurate, up to date, complete and not misleading before it is used.
2. The Respondent is to amend its Privacy Management Plan to explain how the Respondent and its agents will check the accuracy of personal information (i.e. the reasonable steps that will be taken) before using it, in accordance with the steps determined and to be implemented in complying with Order (1) above.
[16]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
[17]
Amendments
13 May 2021 - Catchword spelling error amended
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 13 May 2021
Parties
Applicant/Plaintiff:
EEH
Respondent/Defendant:
Insurance and Care NSW
Cases Cited (10)
ing [2006] NSWADT 312
PN v Department of Education and Training [2010] NSWADTAP 59
Vice-Chancellor Macquarie University v FM (No 2) [2004] NSWADTAP 37
ZR v NSW Department of Education and Training [2008] NSWADT 199
Category: Principal judgment
Parties: EEH (Applicant)
Insurance and Care NSW (Respondent)
Representation: Counsel:
J Curtin (Respondent)