These reasons concern the Tribunal's review of a complaint made by an individual, known for the purposes of this proceeding as EHG, against the Commissioner of Police, concerning an alleged breach of the privacy principles contained in the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act). In order to protect that individual's privacy, his name and other information which may cause that individual's identity to be disclosed or easily discovered are not disclosed in these reasons.
Factual background
On 4 January 2020 EHG made an access application under the Government Information (Public Access) Act 2010 (NSW) (the GIPA Act) to the Commissioner of Police seeking certain information. A decision on that request was due on 4 February 2020. When making his access application EHG said:
In accordance with section 41(1)(d) of the Act my postal address for correspondence in connection with this application is [address], I do however request that ALL correspondence in relation to this access application be by email to [email address 1].
Please carefully note my email address provided.
EHG alleges that Police had previously sent an email, intended for him, to email address 2, in error. This differs from email address 1 by the removal of one letter in the middle of the address. Using my own name as an example: address 1 would be 'peterhmolony@...' and address 2, 'petermolony@...'. EHG says he requested that his email address be carefully noted to prevent such errors happening again.
On 5 February 2020 at 00:33 EHG emailed a contact person at the Infolink Unit, which deals with access applications under the GIPA Act, asking if he could follow up the access application. By an email timed at 09:13 that day the contact responded:
I found the decision. It looks like it was emailed yesterday, but obviously bounced back.
Attached to that email was a decision made by another officer with respect to EHG's access application under the GIPA Act. It found that the information was not held. The covering letter included EHG's name, address and incorrect email address, i.e., email address 2.
At 10:45 that day EHG emailed the Police address for GIPA applications about a, "Breach of the Privacy and Personal Information Protection Act 1998". In that email, having outlined what had occurred, EHG wrote:
This afternoon [name] confirmed that the notice of decision had been sent to the wrong email address.
I have repeatedly advised members of the NSW Police Force, including at the GIPA unit on many occasions, the importance of emailing me at my correct email address. The address to which the correspondence was sent is owned by another person and I have previously informed the NSW Police of this - repeatedly. My GIPA access application even noted in bold text "Please carefully note my email address provided."
I am hereby making a formal privacy complaints pursuant to section 52 of the PPIP Act that the NSW Police has breached section 12 (Information Protection Principle 5) and 18 (Information Protection Principle 11). Pursuant to section 53(3) my address for correspondence is [address]. However, please direct all correspondence to my correct email address: [email address 1].
That complaint from EHG was treated as a request for internal review of conduct under section 53 of the PPIP Act.
In the course of conducting the internal review the internal reviewer, on 17 March 2020, asked EHG's contact at the Infolink Unit for a copy of the "bounce back notification." He replied on the same day:
I just assumed it bounced back I don't know if it did.
On 6 April 2020, EHG received the internal review report which found that the Commissioner of Police, when exercising his functions under the GIPA Act, is exempted from the operation of the PPIP Act by section 27(1) of that Act. Relevantly, the internal review also found that there was no breach of any privacy principle.
[2]
Procedural background.
Being dissatisfied with that result, EHG made an application to the Tribunal seeking administrative review of the conduct on 17 April 2020.
There have been a number of case conferences held in the Tribunal with respect to EHG's administrative review application. Efforts to resolve the differences between the parties have been partially successful and the issues simplified. On 19 June 2020, the Commissioner's legal representative advised that the Commissioner:
confirms that it does not rely on s. 27 of the PPIP Act;
accepts that a letter addressed to the applicant was sent by email to the wrong email address;
does not assert that it received a "bounceback" message in response to that email.
On 8 September 2020, Principal Member Pearson made directions for the filing of submissions and materials by both parties leading up to a hearing on 16 November 2020. She also ordered at 4:
The parties' submissions are to include submissions as to whether the matter can be determined on the basis of the documents provided and a hearing dispensed with. The hearing listed for 16 November 2020 will be vacated if the Tribunal determines, on considerations of the party's submissions after 3 November 2020, to dispense with a hearing.
On 10 November 2020 Principal Member Pearson made an order dispensing with a hearing in this matter and decided that it would be determined on the basis of the materials provided to the Tribunal. As a consequence, the hearing scheduled for 16 November 2020 was vacated.
The determination of EHG's administrative review application has been referred to me to determine on the papers.
[3]
Material before the Tribunal.
In considering this application I have had regard to the following materials:
1. From EHG:
   1. Administrative review application filed 17 April 2020 with attached internal review decision.
   2. A document entitled statement and submissions dated 8 October 2020 and filed in the Tribunal on 9 October 2020 with attachments numbered A to G.
   3. Email from EHG to the Tribunal dated 15 June 2020 with attachment.
2. From the Commissioner of Police:
   1. Section 58 documents.
   2. Letter from Norton Rose Fulbright to the Tribunal dated 19 June 2020.
   3. Submissions from the Commissioner dated 10 November 2020 with two annexures.
On 20 December 2020, the Registrar wrote to the parties at my request seeking further submissions as follows:
This matter has been referred to Senior Member Molony for a decision on the papers.
One of the issues in contention is whether the emailed access decision was disclosed to a third party when sent to the wrong email address. Mr Molony notes that Division 3 of Part 2 of the Electronic Transactions Act 2000 (particularly s 13A) would appear to apply to that email, but has not been addressed by either party in submissions.
Before determining the matter Mr Molony has decided to give both parties the opportunity to make submissions on the applicability and effect of the Electronic Transactions Act 2000 in the circumstances of this case.
Any submissions either party wishes to make should be filed and served by 15 January 2021. In fixing that time limit Mr Molony has sought to allow for the Christmas and New Year break.
Both parties have subsequently filed submissions in response to that request, in which they agreed that the Electronic Transactions Act 2000 (NSW) (the ET Act) has no application in the circumstances.
Having read all the submissions and materials, I too think that this is a matter that can be readily determined without a hearing on the basis of the materials and submissions produced by the parties.
[4]
Issues.
There are a number of issues that require determination. They are:
1. The scope of EHG's privacy complaint - specifically whether, reasonably construed, EHG's internal review request raised the issue of a breach by the Commissioner of section 12 and section 16 of the PPIP Act.
2. If so:
   1. whether there has been a breach of the secure storage provisions of section 12 of the PPIP Act; and
   2. whether there has been a breach by the Commissioner of the use provisions of section 16 of the PPIP Act?
3. Whether there has been an apparent breach by the Commissioner of the provisions of section 18 of the PPIP Act relating to disclosure of personal information?
4. Whether the disclosure was made to a person outside NSW?
5. If so, what effect does the provision of section 19(2) of the PPIP Act have on whether the disclosure breached section 18?
6. If there has been a breach, what is EHG's remedy?
[5]
Did the internal review raise a breach of sections 12 and 16?
In KO & KP v Commissioner of Police, New South Wales Police [2005] NSWADT 18, the Tribunal said:
'10 The Tribunal's jurisdiction is determined by a combination of sections 52, 53 and 55 of the Privacy Act. In Department of Education and Training v GA (No.3) [2004] NSWADTAP 50, the Appeal Panel held that the conduct complained of must relate to a breach or alleged breach or contravention of an IPP or Code of Practice (s52) and held (at [7]):
11 In the present case, there was no subsequent correspondence or discussion between the parties clarifying the conduct complained of in the internal review application. The respondent's internal review investigation report makes this clear.
12 In Department of Education and Training v GA (No.3) [2004] NSWADTAP 50, a number of other principles were determined in order to assist a Tribunal in determining the scope of an internal review application (at [13], [14] and [17]). In summary, the Appeal Panel held (as to contraventions of the IPPs only):
"a) the applicant does not need to identify the contravention … on which he or she relies in the application for review;
b) if an applicant does identify one or more contraventions …that information would assist the agency in identifying the underlying conduct about which the applicant is aggrieved. However, the fact that a particular provision is nominated does not mean that the conduct that is identified amounts to a contravention of that provision;
c) an agency is not confined to considering the contraventions referred to by the applicant. An agency must address any contravention … that is reasonably open on a reading of the entire application for review."
13 In the present case, the internal review application plainly related to a particular disclosure by a particular, named, officer of the respondent on a particular occasion. Indeed, it is the only relevant conduct referred to in the relevant sense. Notwithstanding that a wide spectrum of contraventions of the IPPs is later alleged in the application (by a naming of the provisions only) the scope of the application is about the disclosure of certain personal information. I accept the submission of the respondent that these applications do not concern, for example, collection or storage of the alleged personal information.'
This passage was cited with approval by the Appeal Panel in Department of Education and Training v ZR (No 2) (GD) [2009] NSWADTAP 44 at [18]. The Appeal Panel found that the scope of the internal review, reasonably construed, confined the boundaries of the external review. This is so as s 54 of the PPIP Act allows an applicant to seek review of 'the conduct that was the subject of the application [for internal review] under section 53,' not other conduct. That principle has since been followed in numerous cases such as LN v Sydney South West Area Health Service [2009] NSWADT 278; AFC v The Sydney Children's Hospital Specialty Network (Randwick and Westmead) [2012] NSWADT 189 [14], AKL v University of Western Sydney [2013] NSWADT 147; CWS v NSW Department of Education [2017] NSWCATAD 287 and DQF v Information and Privacy Commission [2020] NSWCATAD 209.
The text of EHG's complaint is set out at paragraph 6 above. Fairly read, it complains about the Commissioner's conduct in disclosing his personal information by emailing the decision under the GIPA Act to a stranger, with a similar email address. There is no suggestion that EHG's personal information contained in the decision was wrong or inaccurate. EHG also complained about the Commissioner's conduct in not ensuring that his correct email address was used but, in my view, that is at the heart of and integral to his disclosure complaint.
In submissions, the Commissioner submitted that there had been a typographical error that resulted in an incorrect email address being used. There is no evidence before me that justifies this conclusion. The Commissioner has not produced evidence from the person who sent the email explaining why the wrong email address was used. A number of explanations suggest themselves, both innocent and otherwise. The reality is that there is no explanation of why the access decision containing EHG's personal information was emailed to a stranger. There is agreement that it was and that there was no message received indicating that the email had bounced back. There is no evidence that the person sending the email included a request for a received or read receipt. The Commissioner submitted that EHG's complaint concerned the external disclosure of personal information, not a use within the meaning of section 16 or a failure to secure and store personal information under section 12.
I do not accept that EHG's complaint raises an issue concerning how his personal information was stored and secured by the Commissioner. His complaint addressed the use of the incorrect email address and what EHG says is the resultant disclosure of his personal information to a stranger. This does not raise for consideration a breach of section 12.
The conduct EHG complains of is the disclosure of his personal information in the decision to a stranger. The use of the incorrect email address was a step taken in making that disclosure. In AFC v The Sydney Children's Hospital Specialty Network (Randwick and Westmead) [2012] NSWADT 189, I wrote:
It is important to bear in mind that giving information to an outside person or agency, as occurred here, is not a use of personal information but is to be considered under the disclosure principle in s 18: JD v Department of Health [2005] NSWADT 44 at [93]; Department of Education & Communities v VK [2011] NSWADT 61 at [20-29]. While it can be argued that the Agency's conduct in preparing and sending the ADB letter constitutes a use and then a disclosure of AFC's personal information by the Agency, I think this an artificial construct. The reality is, and I am satisfied that, writing and despatching the ADB letter should be viewed as one course of conduct that falls to be considered as a disclosure.
That reasoning was approved by the Appeal Panel in AIN v Medical Council of New South Wales [2017] NSWCATAP 23 at [81].
I think the same reasoning applies here to the selection of the email address, by whatever means, and the despatching of the email. In my opinion, fairly read, EHG's complaint, which was treated as an internal review request, raised for consideration whether there had been a disclosure in breach of section 18. It did not allege a failure to store and secure in breach of section 9, or a use in breach of section 16.
It is therefore unnecessary to consider issue 2.
[6]
Has there been a disclosure?
At the heart of the dispute in this case is whether the sending of an email to an incorrect email address constitutes a disclosure of the information contained in the email, and in its attachment, to the user of that email address.
[7]
The Electronic Transactions Act
When I first read the Tribunal file in this matter, I called for submissions as to whether section 13 of the ET Act applied.
In Singh v Legal Aid New South Wales [2014] NSWIRComm 1016 Commissioner Newell considered whether an employee was notified of a decision made by his employer when it was emailed to him, or at a later time when he opened the email. If the latter, his disciplinary appeal would have been made in time. The Commission considered the application of the ET Act in determining when the information (the notice) was given.
The Commissioner explained that the object of the ET Act, at 41:
... is to provide a regulatory framework that facilitates the use of electronic transactions, promotes business and community confidence in the use of electronic transactions, and enables business and the community to use electronic communications in their dealings with government.
Section 8 of the ET Act provides:
(1) If, under a law of this jurisdiction, a person is required to give information in writing, that requirement is taken to have been met if the person gives the information by means of an electronic communication, where -
(a) at the time the information was given, it was reasonable to expect that the information would be readily accessible so as to be useable for subsequent reference, and
(b) the person to whom the information is required to be given consents to the information being given by means of an electronic communication.
(2) If, under a law of this jurisdiction, a person is permitted to give information in writing, the person may give the information by means of an electronic communication, where -
(a) at the time the information was given, it was reasonable to expect that the information would be readily accessible so as to be useable for subsequent reference, and
(b) the person to whom the information is permitted to be given consents to the information being given by means of an electronic communication.
(3) This section does not affect the operation of any other law of this jurisdiction that makes provision for or in relation to requiring or permitting information to be given, in accordance with particular information technology requirements -
(a) on a particular kind of data storage device, or
(b) by means of a particular kind of electronic communication.
(4) This section applies to a requirement or permission to give information, whether the expression give, send or serve, or any other expression, is used.
(5) For the purposes of this section, giving information includes, but is not limited to, the following -
(a) making an application,
(b) making or lodging a claim,
(c) giving, sending or serving a notification,
(d) lodging a return,
(e) making a request,
(f) making a declaration,
(g) lodging or issuing a certificate,
(h) making, varying or cancelling an election,
(i) lodging an objection,
(j) giving a statement of reasons.
Section 57 of the GIPA Act says that agencies such as the Commissioner of Police are required to give notice of decisions with respect to access applications. This includes a decision that the information is not held by the agency under section 58(1)(b) of the GIPA Act. Notices of decision are given in writing.
A notice that information is not held under the GIPA Act is one to which section 8 of the ET Act applies, provided the recipient consents "to the information being given, by means of an electronic communication." In this case, the evidence discloses that EHG was insistent that emails be sent to his correct email address, and not to the address that had been mistakenly used in the past. In those circumstances I accept that EHG's consent required that his correct email address be used. I also accept that there is no evidence that the person associated with the email address that was used, consented to any information being given to him or her electronically.
Sections 13A and 13B of the ET Act, which are found in a different Division of Part 2 of the Act to section 8, are concerned with the time, dispatch and delivery of electronic communications. In this case, there is no disagreement about the time the notice of decision was electronically dispatched to the wrong address. It was timed at 16:06:17 on 4 February 2020.
Section 13B of the ET Act provides:
(1) For the purposes of a law of this jurisdiction, unless otherwise agreed between the originator and the addressee of an electronic communication -
(a) the time of receipt of the electronic communication is the time when the electronic communication becomes capable of being retrieved by the addressee at an electronic address designated by the addressee, or
(b) the time of receipt of the electronic communication at another electronic address of the addressee is the time when both -
(i) the electronic communication has become capable of being retrieved by the addressee at that address, and
(ii) the addressee has become aware that the electronic communication has been sent to that address.
(2) For the purposes of subsection (1), unless otherwise agreed between the originator and the addressee of the electronic communication, it is to be assumed that the electronic communication is capable of being retrieved by the addressee when it reaches the addressee's electronic address.
(3) Subsection (1) applies even though the place where the information system supporting an electronic address is located may be different from the place where the electronic communication is taken to have been received under section 13B.
Because the emailed notice of decision was not sent to EHG's designated electronic address, I accept that section 13B of the ET Act has no operation here. If that section did apply, its effect would be to assume that the email was capable of being retrieved by the addressee, not that it was opened and read by the addressee.
In Bauen Constructions Pty Ltd v Sky General Services Pty Ltd & Anor [2012] NSWSC 1123 Sackar J considered the application of the section in circumstances where an email had been caught by a spam filter. At issue was whether the email, which contained a response to an adjudication application under the Building and Construction Industry Security of Payment Act 1999 (NSW), had been "lodged" under section 20 of that Act. His Honour said, at [77]:
The words "capable of being retrieved" are ample in their reach. They certainly do not require an email to be opened, let alone read. Again the Oxford dictionary defines "retrieve" in its primary sense as "to get or bring back from somewhere". In its secondary sense it is said to mean "to find or extract (information stored in a computer)". According to the evidence when an email is caught by the Adjudicate Today spam filter, it is nonetheless archived and accessible by Adjudicate Today via its external IT consultant.
In my opinion this Act enables Bauen to contend that if an email is sent, but not opened or read, but it is capable of being retrieved, it has been received by Adjudicate Today. Once received in my view it has been "lodged" on any view of that word.
[8]
Section 18 of the PPIP Act.
Section 18 provides:
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless -
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
The central thrust of the Commissioner's case is that there is no evidence in the present case, that EHG's personal information was disclosed to another person, being the recipient of the email sent to an incorrect email address. The Commissioner relied on the decisions of the Court of Appeal in Nasr v New South Wales [2007] NSWCA 101 at [127] and of the Tribunal in the following cases: DQJ v Secretary, Department of Family and Community Services [2019] NSWCATAD 138 at [22]; AIF v University of Western Sydney [2013] NSWADT 20 at [14] and [19]; and BLW v Nepean Blue Mountains Local Health District [2015] NSWCATAD 184 at [80].
In Nasr v New South Wales [2007] NSWCA 101 the Court of Appeal considered the meaning of the word "disclose" in section 13(1) of the Criminal Records Act 1991 (NSW). It provides:
(1) A person who has access to records of convictions kept by or on behalf of a public authority and who, without lawful authority, discloses to any other person any information concerning a spent conviction is guilty of an offence.
Maximum penalty - 50 penalty units or imprisonment for 6 months, or both.
At issue was whether a disclosure of a person's spent convictions (charge sheets) by a Court officer to a solicitor from the Crown Solicitors Office breached s 13(1) of the Criminal Records Act 1991 (NSW) and section 18 of the PPIP Act. The issue arose in civil proceedings. The Court of Appeal was considering, among other things, whether evidence of those prior convictions should have been admitted in the civil proceedings. Campbell JA said at [127], with respect to the criminal records provision that:
127 Section 13(1) is a section that prohibits certain types of disclosure of information. The essence of disclosure of information is making known to a person information that the person to whom the disclosure is made did not previously know: R v Skeen & Freeman (1859) Bell 97; 169 ER 1182 ("uncovering … discovering … revealing … imparting of what was secret … [or] telling that which had been concealed"); Foster v Federal Commissioner of Taxation (1951) 82 CLR 606 at 614-5 ("... a statement of fact by way of disclosure so as to reveal or make apparent that which (so far as the "discloser" knows) was previously unknown to the person to whom the statement was made"); R v Gidlow [1983] 2 Qd R 557 at 559 ("telling that which has been kept concealed"); Dun & Bradstreet (Australia) Pty Ltd v Lyle (1977) 15 SASR 297 at 299; A-G v Associated Newspapers Ltd [1994] 2 AC 238 at 248 ("to open up to the knowledge of others"); Real Estate Opportunities Limited v Aberdeen Asset Managers Jersey Limited [2007] EWCA Civ 197 at [78] ("the revelation of information for the first time"). In my view, the provision by the keeper of the records of Waverley court of the records of the conviction would be a disclosure of information relating to a spent conviction only if the solicitor at the Crown Solicitors Office to whom that record was provided did not already know the information that was contained in it. When the conviction records were provided as a result of a request made by the relevant solicitor at the Crown Solicitors Office, I would not infer that the provision of the documents amounted to the disclosure of information relating to a spent conviction. There is simply no proof or concession concerning how much that solicitor knew about the convictions before obtaining the charge sheets, beyond the inference that is available from the conceded fact that she asked for the records that she knew enough about the content to make it worthwhile to ask for the records. 
Thus, in my view the appellants did not establish, even at the level of proof needed to establish an illegality for the purpose of a question of admissibility of evidence in a civil proceeding, that there was any contravention of section 13.
Later, at [139], with respect to the PPIP Act, his Honour said:
139 For the same reasons as applied in relation to the argument of illegality under the Criminal Records Act, there was no miscarriage of justice in her Honour's failure to consider the applicability of the Privacy Act in her judgment.
Beazley and Hodgson JJA agreed with Campbell JA.
The Tribunal in DQJ v Secretary, Department of Family and Community Services [2019] NSWCATAD 138 at [22] said that making known information, not previously known to the individual to whom the disclosure is made, is the essence of disclosure. The question of whether there has been a disclosure is one of fact: e.g., see JD v New South Wales Medical Board [2008] NSWADT 67.
The facts confronting the court in Nasr were vastly different from those in EHG's case. There the disclosure was to a solicitor, who was involved in a case, concerning the person whose spent convictions were disclosed. In the circumstances, the solicitor may or may not have previously known of those spent convictions. There was therefore an obvious issue as to whether the disclosure alerted the solicitor to new information, not previously known, or whether the spent convictions were fresh information. In those circumstances the Court was not prepared to infer that there had been a disclosure.
This is to be contrasted with the situation in EHG's case. Here, the information was sent to an email address belonging to a stranger. The email included EHG's personal information, including his full name and address. There is no suggestion that the recipient may have already been aware of EHG's personal information. In those circumstances, I think it reasonably open to me to draw an inference that the personal information would be new to the recipient, if she or he accessed the email. I am comfortably satisfied with that conclusion. It is not a case in which I am in a state of uncertainty: see KP v Narrandera Shire Council [2011] NSWADTAP 15 at [12].
The Commissioner then says that because there is no evidence that the recipient did access the email, the Tribunal cannot be satisfied that there has been a disclosure in breach of section 18. In doing so the Commissioner relies on two Tribunal decisions.
The first, AIF v University of Western Sydney [2013] NSWADT 20, is a decision I made some years ago. One issue concerned whether a disclosure of a student's health information had occurred, when University Security Staff spoke with him in a public area. They told him that he was being suspended under the University's Medical Assistance Policy and gave him a notice to that effect. There was conflicting evidence as to whether the conversation took place in circumstances where it could be overheard. No evidence was called from anyone who had overheard the conversation. The Privacy Commissioner, who had participated in the proceeding, successfully submitted that, even on the student's own version of events, there was no evidence that any of his personal or medical information had been disclosed. Accepting that submission, I observed, at 14, that this meant I did not have to resolve the conflicting issues of fact. I found at [19]:
The reality is that while both AIF and Ms Falloon say that the meeting with the security personnel took place in a busy public area, with lots of people about, there is no evidence that any of those people heard what was said, whether or not it included Mr Byrne telling AIF that he was not right in the head. None of the persons said to be in the area of the meeting have been called to say they overheard the conversation. Mr Byrne, while he says they were only a few people about, insists that what was said was out of their hearing.
In the absence of evidence that shows that AIF's personal or health information was disclosed to any person who was not in the employ of the University on 8 April 2011, I am not satisfied that such information has been disclosed.
The second case is BLW v Nepean Blue Mountains Local Health District [2015] NSWCATAD 184, a decision of Senior Member Lucy. It concerned complaints that hospital staff had discussed and accessed health and personal information relating to a patient in their care, who was also an employee of the health service. Having heard detailed and contradictory evidence from the complainant and concerned staff, Senior Member Lucy found that, "it is more likely than not that the conversations attested to by the applicant did not occur:" at [78]. She went on to consider the issue of disclosure and said:
The possibility that someone, such as a patient, could have overheard the discussions is not sufficient for the Tribunal to make a finding of a contravention of a disclosure principle: see AIF v The University of Western Sydney [2013] NSWADT 20 at [14] and [19].
Common to both of those cases is the fact the Tribunal was not satisfied that personal or health information had been the subject of the conversations that were alleged to have contained disclosures. That is not the case here. Here, there is no doubt that the email sent to the wrong address contained EHG's personal information.
Also common to both cases were strong conflicts of evidence which were difficult to grapple with, in respect of which independent witness evidence (from other students in the case of AIF or from other patients in BLW's case) would have assisted the Tribunal.
Here there is no such conflict. The alleged disclosure occurred by email, rather than as part of a conversation. There is no doubt that the email sending EHG's access decision contained his personal information; there is no doubt about what it said; there is no doubt about what that information was. This is to be contrasted with the decisions in AIF and BLW where the Tribunal looked for independent verification of similar matters, as there were real conflicts between parties to conversations as to what was said.
In my view the requirements of verification and corroboration stated in those decisions do not apply where the disclosure is alleged to have occurred by email and the content of the email communication is certain. This is so due to the nature of email communications, which do not necessarily require an acknowledgement (although agencies might be well advised to request received and read receipts), and which are generally reliable. The danger flowing from disclosing personal information by misdirecting an email is one that the general public is well aware of. The Commissioner of Police and all of his staff are no doubt regularly alerted to the danger, as are Tribunal Members, Registry Staff and other employees of the Department of Justice and Communities.
There are real, practical difficulties confronting anybody who becomes aware that an NSW government agency has misdirected an email containing their personal or health information to the wrong email addresses and who seeks to hold the agency to account under the PPIP Act. Where the agency does not request a read or received receipt from recipients of its emails, an aggrieved person cannot look to the agency to provide evidence that a wrongly named recipient received or accessed the email concerned. If there is a bounce back notice received, the agency can demonstrate that the email was not received. If there is no such notice, then no one, apart from the recipient, will be in a position to demonstrate whether the email was or was not received or accessed. Persons aggrieved may also find themselves in a position, like EHG, where the agency - which dispatched the email to an incorrect address - puts them to the near impossible task of proving that the misdirected email was received and accessed by its new recipient. As has occurred in this case, they may also be asked by the agency to demonstrate that the personal information the email contained was new to the recipient and that the recipient was in NSW.
All of these consequences flow from the very nature of email communication.
In my view, it is highly likely that the email dispatched by the Commissioner to the wrong recipient was received and accessed by that recipient. I have already indicated that I am prepared to infer in the circumstances that the personal information contained in the email was new to the recipient. I am satisfied that EHG's personal information was disclosed to the recipient. There has been an apparent breach by the Commissioner of the provisions of section 18 of the PPIP Act.
Was the disclosure made to a person outside NSW?
The Commissioner issued a summons addressed to Microsoft Proprietary Limited (Australia) seeking personal information identifying the person to whom the email account of the recipient is registered, and a history of the account since 4 February 2020.
The response from Microsoft was essentially that the data is held offshore by another company, is out of its control, and protected by US legislation.
On that evidence, it is not possible to conclude where the recipient of the email is located. As there is no evidence as to how that address came to be used by Infolink staff, it is not clear whether that email address is the address of the person known to the Commissioner or not. The Commissioner has provided no evidence as to how the address came to be used.
I am unable to say on the evidence whether or not the recipient of the wrongly addressed email was located in New South Wales or elsewhere.
What effect does the provision of section 19(2) of the PPIP Act have on whether the disclosure breached section 18?
The Commissioner submits that there has been no disclosure of EHG's personal information in this case, because, due to the effect of section 19(2) of the PPIP Act, section 18 does not apply to disclosures made to people outside New South Wales. The Commissioner relies on the decisions in GQ v Department of Education and Training (No 2) [2008] NSWCATAD 319 at [14] and Bevege v Commissioner of Police [2014] NSWCATAD 22 at [23].
The effect of those decisions was that sections 18 and 19 of the PPIP Act were to be read as separate and distinct provisions, with section 18 being a general provision and section 19 being a special provision. Section 19 dealt among other things with the disclosure of personal information to a person outside the jurisdiction, or to a Commonwealth agency. In GQ, Senior Member Handley held that section 18 of the PPIP Act did not apply, when section 19 did, applying the maxim generalia specialibus non derogant. In Bevege, which concerned a disclosure of personal information by phone to a person in the Northern Territory, I followed the decision in GQ out of comity, but was urged not to do so by the Privacy Commissioner.
Following the decision in Bevege, section 19 was substantially amended by the Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Act 2015, which commenced on 24 November 2015. It repealed sub-sections 19(2) to (5) and replaced them with new sub-sections 19(2) to (4). Section 19(2) now, relevantly, provides:
(2) A public sector agency that holds personal information about an individual must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless -
(a) the public sector agency reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the information protection principles, or
(b) the individual expressly consents to the disclosure, or
(c) …
(e) all of the following apply -
(i) the disclosure is for the benefit of the individual,
(ii) it is impracticable to obtain the consent of the individual to that disclosure,
(iii) if it were practicable to obtain such consent, the individual would be likely to give it, or
(f) the disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person, or
(g) the public sector agency has taken reasonable steps to ensure that the information that it has disclosed will not be held, used or disclosed by the recipient of the information inconsistently with the information protection principles, or
(h) the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law.
The provision at the time of the decisions in GQ and Bevege read:
(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:
(a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction or applies to that Commonwealth agency, or
(b) the disclosure is permitted under a privacy code of practice.
One problem when Bevege was decided was that the Privacy Commissioner had not issued a relevant code of practice. Under the new provision, such a code of practice is not required.
In her second reading speech, in the Legislative Assembly, on the introduction of the Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Act 2015 on 22 October 2015, the then Attorney General, Mrs Gabrielle Upton, explained:
The bill will insert new provisions regulating the disclosure of personal information outside of New South Wales and to the Commonwealth. Due to the way that the former Administrative Decisions Tribunal interpreted the relevant provisions of the Privacy and Personal Information Protection Act, in the decision of GQ v NSW Department of Education and Training, there are effectively no limits on the transfer of personal information outside of New South Wales. Such a situation is anomalous in light of the protections placed on the management of personal information within New South Wales. Consequently, the bill proposes to address this anomaly by placing some parameters on such disclosures and providing clarity to both New South Wales public sector agencies and individuals in New South Wales about when such disclosures are permitted.
Since the commencement of the amendments, the Privacy Commissioner has published guidance on the transborder disclosure principle in section 19(2). Section 36(2)(b) gives the Privacy Commissioner the function of preparing and publishing guidelines, "relating to the protection of personal information and other privacy matters, and to promote the adoption of such guidelines." The guidance states:
Transborder rules
Any disclosure must first meet the applicable standard disclosure rule (or an exemption to that rule); and then, if the disclosure is going to a recipient who is outside the NSW jurisdiction (or to a Commonwealth agency within NSW), it must also meet the additional criteria set under the applicable transborder rule (or an exemption to that rule).
Thus, the guidance states that the disclosure of personal information such as that in issue here, should satisfy the requirements of section 18 and, if the recipient is outside New South Wales or is a Commonwealth agency, it should also satisfy the requirements of section 19(2).
In my view, such an interpretation is clearly open, given the current wording of sections 18 and 19 of the PPIP Act. The substantial amendments made to section 19 mean that GQ and Bevege do not consider the section in its present form. It also means that comity no longer requires that GQ be followed.
There are strong arguments in favour of adopting the construction adopted by the Privacy Commissioner. The purpose of the amendment to section 19 was to address the consequences of the interpretation adopted in GQ and followed in Bevege. Both provisions are within the one Act. There is not a contradiction between the two in their current form, which would require the construction adopted in GQ to be followed. Indeed, the construction suggested by the Privacy Commissioner is consistent and harmonious. I think it preferable that they be read as complementary provisions.
In the circumstances of this case, I am satisfied that the disclosure of EHG's personal information, if the recipient were indeed outside the jurisdiction, breached section 19(2) of the PPIP Act. The disclosure was not to a public sector agency. There was no consent from the recipient. There is no suggestion that it was for the benefit of EHG.
What is EHG's remedy?
Section 55(2) of the PPIP Act provides:
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders -
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
In submissions, the Commissioner has indicated that an apology has already been offered to EHG, but the Commissioner is prepared to reissue the apology and remind staff about the importance of correctly addressing email. The Commissioner says that there is no need for broader systemic action.
EHG has requested a formal apology and that the Commissioner:
1. investigate and, if feasible, implement a system whereby email addresses are automatically populated from the Case Management System;
2. establish guidelines to ensure correct email addresses are entered in the Case Management System;
3. advise staff of procedures to validate correct contact information; and
4. advise of the steps taken.
I propose to make an order requiring the Commissioner to:
1. formally apologise to EHG in writing for the breach of sections 18 and 19 of the PPIP Act as found in these reasons;
2. remind staff of the importance of correctly recording email addresses and of addressing emails correctly, with reference to all internal policies relevant to those actions; and
3. advise EHG and the Tribunal of the action taken within 6 months.
I do not think it appropriate in this circumstance to make orders which look to un-costed specific system changes or modifications. However, it would seem sensible for the Commissioner to investigate whether it is possible, using existing systems and software:
1. to automatically populate email addresses from the case management system; and,
2. to request email received receipts and email read receipts when sending decisions under the GIPA Act to access applicants.
If either is possible, some problems arising from incorrect email addresses being used may be prevented, or their consequences ameliorated.
Orders
The Tribunal orders the Commissioner of Police to:
1. formally apologise to EHG in writing for the unauthorised disclosure of his personal information as found in these reasons;
2. to remind staff of the importance of correctly recording email addresses and of addressing emails correctly, with reference to all internal policies relevant to those actions; and
3. to advise EHG and the Tribunal of the actions taken within 6 months.
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
Decision last updated: 09 March 2021
Parties
Applicant/Plaintiff:
EHG
Respondent/Defendant:
Commissioner of Police
Legislation Cited (4)
Government Information (Public Access) Act 2010 (NSW)