At the time of the IR Request the Applicant was, and remained as at the date of the Hearing, a Councillor of the Respondent.
The conduct of concern in these proceedings arises from the proceedings before the Tribunal in EIG v North Sydney Council [2021] NSWCATAD 66 which was published on 17 March 2021 (Decision). The Decision, however, related to a different internal review request relating to different conduct of concern to those in these proceedings.
The conduct of concern in these proceedings relates to the use, disclosure and publication of the Applicant's name by the Respondent in relation to the Decision proceedings (i.e. before the Decision was published) in two Legal and Planning Committee (LPC) meetings of the Respondent and the posting of certain LPC papers and recordings relating to those meetings on the Respondent's public website. Such uses, disclosures and postings occurred notwithstanding the anonymisation of the Applicant's name by the Tribunal from the commencement of the Decision proceedings in accordance with the Tribunal's practice in privacy matters, as per the NCAT Administrative and Equal Opportunity Division Guideline entitled "Confidentiality Privacy and Publication" dated August 2017 (Guideline).
The IR Request specifically alleged that the following conduct of concern of the Respondent (Conduct of Concern) was in breach of the Information Privacy Principles (IPPs) related to the "security of storage" (IPP 5), "use" (IPP 10) and "disclosure"(IPP 11):
1. identifying (i.e. using) the Applicant's name in relation to the Decision proceedings in the "Current Appeals and Results Report" (Report) and including the Report in the agenda papers for the LPC meeting of 15 June 2020 and posting such to (i.e. disclosing such on) the Respondent's website prior to that meeting;
2. openly discussing the Decision proceedings (with the Applicant having been identified in the Report) at the 15 June 2020 LPC meeting and posting the recording of the June 2020 LPC meeting on the Respondent's website on or about 16 June 2020; and
3. identifying (i.e. using) the Applicant's name in relation to the Decision proceedings in the October 2020 Report and including such in the agenda papers for the LPC meeting of 12 October 2020 and posting such to (i.e. disclosing such on) the Respondent's website prior to that meeting.
The uses and disclosures noted in [11] above (i.e. the Reports, minutes and recordings) remained on the Respondent's website until 30 October 2020, being removed/anonymised after the hearing in the Decision proceedings of 30 October 2020.
On or around 14 May 2020 the Respondent had been served with the commencement of proceedings notice for the Decision proceedings which notice advised the parties of the Tribunal's anonymisation practice (i.e. the use of the initials "EIG" for the Applicant) under the Guideline.
On 21 July 2020 when the Applicant became aware of the uses, disclosures and postings referred to in [11(1) and (2)] above (June 2020 Incidents) the Applicant notified the Respondent of its "breach" of the PPIP Act and the Tribunal's anonymisation practice.
The "breaches" of the PPIP Act and the Tribunal's anonymisation practice arising from the June 2020 Incidents were further raised with the Respondent by the Applicant in its submissions and evidence filed with the Tribunal in the Decision proceedings and provided to the Respondent on 15 September 2020.
Subsequent to the 'notifications' by the Applicant to the Respondent referred to in [14] and [15] above, the uses, disclosures and postings referred to in [11(3)] above (October 2020 Incidents) occurred.
During the hearing in the Decision proceedings on 30 October 2020 the June 2020 Incidents and October 2020 Incidents were brought to the attention of the Senior Member and, in an exchange with the Respondent's Counsel, the Respondent undertook to the Tribunal:
"… I am instructed, … that Council was aware of the concern raised by the applicant, but not aware that it was in breach of an order. What the Council does now undertake to do is to abide by any continued anonymisation ordered by the Tribunal and to remove any and all material that identifies the Applicant in connection with [their] complaint and substitute the initials EIG."
The Decision, published on 17 March 2021, included a s 64 CAT Act order prohibiting the publication or broadcast of the Applicant's name or any information that identifies (or is likely to lead to the identification of) the Applicant.
After the date when the IR Request was submitted by the Applicant, it came to the Applicant's attention that the following further conduct of the Respondent had occurred (Subsequent Conduct):
1. after the 30 October 2020 undertaking of the Respondent when, on 30 November 2020, the Respondent posted its 2019/2020 Annual Report to its website and also subsequently distributed hard copies of that Annual Report. That Annual Report contained a "Register of appeals in court matters" and included the NCAT case number of the Decision and identified the Applicant by name rather than the initials "EIG". This conduct continued until 29 June 2021, as noted in (2) below;
2. after the Decision (including the s 64 CAT Act order) was published on 17 March 2021, on becoming aware of the conduct in [19(1)] above, the Applicant brought this conduct to the attention of the Respondent on 25 June 2021 and the Respondent confirmed to the Applicant on 29 June 2021 that it had taken steps to remove the Applicant's name from the Annual Report posted on its website;
3. while on 29 June 2021 the Respondent did remove the Applicant's name from the version of that Annual Report that it had posted on its website as referred to in [19(2)] above, the Applicant later found another place on the Respondent's website where an unaltered version of that Annual Report (i.e. naming the Applicant) had been posted and maintained by the Respondent. That is, the Applicant was identified by name in relation to the Decision proceedings in the Annual Report included in the Respondent's agenda papers published and maintained on the Respondent's website until after 29 June 2021; and
4. there is no information as to what steps were taken (if any) by the Respondent to redact the Applicant's name from the hardcopy versions of that Annual Report which had been distributed or if the Annual Report referred to in (3) above has now been anonymised.
[2]
Issues for Determination
As a result of the Respondent's concession that the naming of the Applicant in relation to the June 2020 Incidents and October 2020 Incidents is the Applicant's personal information (see [31(1)] below), the Conduct of Concern, the submissions and evidence of the parties before the Tribunal, the following issues arise for determination by the Tribunal:
1. in the absence of any objection from the Respondent, does the Tribunal exercise its discretion to grant an extension of time to the Applicant to lodge the AR Application;
2. what is the Applicant's personal information involved in the Conduct of Concern and allegedly resulting in breaches of IPPs 5, 10and 11 by the Respondent;
3. what is the effect of the Tribunal's anonymisation practice under the Guideline and what, if any, are the consequences of the Respondent's failure to comply with such;
4. what, if any, are the consequences (if established) of any breaches of ss 53 and/or 54 PPIP Act by the Respondent;
5. what, if any, are the consequences of the Subsequent Conduct in relation to these proceedings;
6. did the Respondent breach s 12 PPIP Act/IPP 5 in relation to any of the Conduct of Concern;
7. did the Respondent breach s 17 PPIP Act/IPP 10 in relation to the June 2020 Incidents;
8. did the Respondent breach s 18 PPIP Act/IPP 11 in relation to the June 2020 Incidents;
9. did the Respondent breach s 17 PPIP Act/IPP 10 in relation to the October 2020 Incidents;
10. did the Respondent breach s 18 PPIP Act/IPP 11 in relation to the October 2020 Incidents; and
11. if the Tribunal finds the Conduct of Concern resulted in any breaches of the IPPs what, if any, orders should the Tribunal make?
I will deal with the issues noted in [20(1), (2), (3), (4) and (5)] as 'preliminary issues' and address these first below in [33] before moving to the submissions and evidence of the parties and the "Considerations and findings" in respect of the other issues listed in paragraph [20].
[3]
Powers of the Tribunal
As summarised in the Decision:
25 A person who is aggrieved by an alleged contravention of the PPIP Act by the conduct of a public sector agency can seek internal review of the conduct of concern by that agency under s 53 PPIP Act.
26 Under s 53(6) PPIP Act the Applicant (in this case) is entitled to make an application pursuant to s 55 PPIP Act for administrative review of the conduct of concern if the requested internal review is not completed by the Respondent within 60 days of the date of receipt of the Applicant's internal review application (the IR Request in this case). Also, where an internal review decision has been issued by the agency, s 55 PPIP Act most relevantly provides:
(1) If a person who has made an application for internal review under section 53 is not satisfied with:
(a) the findings of the review, or
(b) the action taken by the public sector agency in relation to the application,
the person may apply to the Civil and Administrative Tribunal for administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under s 53.
27 On reviewing the conduct of an agency, ss 55(2) and (3) PPIP Act provide that the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following, most relevant, orders:
…
(c) an order requiring the performance of an information protection principle or a privacy code of practice, …
(g) such ancillary orders as the Tribunal thinks appropriate. …
(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 5 of the Administrative Decisions Tribunal Act 1997.
28 However, the powers under s 55(2) PPIP Act are not the limit of the Tribunal's powers when determining what action (if any) to take arising from an administrative review of the conduct of concern. In examining whether to take specific action under s 55(2) of the PPIP Act, the Appeal Panel of the former Administrative Decisions Tribunal observed the following in the case of Vice-Chancellor Macquarie University v FM (No 2) [2004] NSWADTAP 37:
[59] Our powers are not restricted to those given by s 55(2). Sub-section (3) leaves open to the Tribunal to be exercised the powers contained in the Administrative Decisions Tribunal Act 1997 (the Tribunal Act).
29 It is not in dispute that the Tribunal has jurisdiction to determine this matter pursuant to s55 PPIP Act, s 30 Civil and Administrative Tribunal Act 2013 (CAT Act) and s 63 Administrative Decisions Review Act 1997 (ADR Act).
The powers of the Tribunal to make orders in relation to systemic matters that become evident when reviewing the Conduct of Concern in an external administrative review are summarised in paragraphs [80] to [85] of the Decision.
[4]
Scope of administrative review proceedings under the PPIP Act
The scope of the Tribunal's administrative review proceedings under the PPIP Act were summarised in the Decision as follows:
30 The scope of the request for internal review (i.e. IR Request in this case) limits the scope of the AR Application (in this case) before the Tribunal, without the agreement of the Respondent to expand the scope of the AR Review. The scope of the IR Request (i.e. the conduct of concern) is a matter of fact to be determined by objectively and reasonably construing the IR Request.
31 The Tribunal's role is to review the conduct of concern in issue and to consider the action proposed to be taken by the agency (i.e. the Respondent in this case), not to review the findings of the internal review report (i.e. the IR Decision in this case): DED v Randwick City Council [2017] NSWCATAD 327 at [50]. The Tribunal considers the conduct of concern afresh, based on the evidence and material before it at the time of the hearing: Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 and, KT v Sydney Local Health Network [2011] NSWADT 171 at [64].
32 Section 30(2)(b) CAT Act confirms that the Tribunal may exercise the functions that are conferred or imposed by the ADR Act or enabling legislation in connection with the conduct or resolution of the proceedings. By s 63(2) of the ADR Act, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision.
It is not in dispute that the AR Application, the Conduct of Concern and the alleged breaches of the IPPs resulting from such are within the scope of the IR Request and thus the Tribunal has jurisdiction in respect of such under s 55 PPIP Act.
[5]
The relevant legislation
Some of the key legislation applicable to these proceeding was also relevant to and summarised in the Decision as follows:
52 'Personal information' is defined by s4(1) PPIP Act as:
"personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
53 Section 4(3) PPIP Act sets out information that is excluded from the definition of 'personal information' including, most relevantly in this case, information about an individual that is contained in a 'publicly available publication' (s 4(3)(b) PPIP Act).
54 As noted in AIN v Medical Council of New South Wales [2017] NSWCATAP 23 at [112], the definition of 'personal information' in the PPIP Act is broad and is to be interpreted broadly.
55 The Full Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 found at [63], in applying the then very similar definition of 'personal information' in the Privacy Act 1988 (Cth):
The words 'about an individual' direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not 'about an individual' it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.
56 The various IPPs are set out in Part 2 of the PPIP Act (ss 8-19) which include, most relevantly in this case, in relation to the security (IPP 5) and disclosure (IPP 11) of personal information.
57 IPP 11 (s18 PPIP Act) provides that an agency must not disclose personal information to other than the individual to whom the information relates unless, in summary:
(1) the disclosure is directly related to the purpose for which it was collected and there is no reason to believe the individual concerned would object;
(2) the individual is reasonably likely to have been made aware that such information is usually disclosed to that other person; or
(3) the agency believes on reasonable grounds disclosure is necessary to prevent or lessen a serious or imminent threat to life or health of any person.
58 In this context the 'essence of disclosure of information is making known to a person information that the person to whom the disclosure is made did not previously know' (Nasr v State of New South Wales (2007) NSWCA 101 at [127]).
59 Section 12 PPIP Act (IPP 5) relates to the security of personal information. A public sector agency that holds personal information must ensure, most relevantly:
…
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and…
60 The Applicant bears the burden of adducing some evidence to suggest that their personal information was not securely stored as required by s12 PPIP Act/IPP 5. However, the standard is not high because the knowledge of how the information is stored and the security safeguards in place is held by the agency (i.e. the Respondent in this case) …
In addition, s 17 PIPP Act (IPP 10) is also alleged by the Applicant to have been breached by the Conduct of Concern. IPP 10 provides as follows:
17 Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless -
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
[6]
The submissions and evidence before the Tribunal
The submissions and evidence submitted and relied on by the Applicant were as follows:
1. the "Submissions of the Applicant" (Applicant Submissions) and the attached "Statement of the Applicant" (Applicant Statement) and attached documents filed on 2 June 2021; and
2. the Applicant's "Submissions in reply of the Applicant" (Applicant Reply Submissions) and attached "Statement in Reply of the Applicant" (Applicant Reply Statement) and attached documents filed on 13 July 2021.
The submissions and evidence submitted and relied on by the Respondent were as follows:
1. the "Respondent's Submissions" filed 1 July 2021 (Respondent Submissions);
2. the "Statement of Craig Alan Winn" (and attached documents) filed on 24 June 2021 (Mr Winn Statement);
3. the further "Statement of Craig Alan Winn" (and attached documents) filed on 13 July 2021 (Mr Winn Further Statement);
4. the "Statement of Ian Michael Curry" (and attached documents) filed on 24 June 2021 (Mr Curry Statement); and
5. the "Statement of Michael James Winram" (and attached documents) filed on 24 June 2021 (Mr Winram Statement).
During the Hearing both parties also presented oral submissions.
[7]
Concession of the Respondent and agreed key facts
Except for [31(1)] which was conceded by the Respondent, while not expressly submitted by either party as "agreed facts", from the submissions and evidence of the parties the following are uncontentious/uncontested:
1. The personal information of the Applicant in question in relation to the Conduct of Concern is the name of the Applicant attached to the details of the Decision proceedings (Relevant Personal Information).
2. The LPC "Agenda and Report" are published to the Respondent's website on the Thursday before each LPC meeting including in relation to both of the June 2020 Incidents and the October 2020 Incidents. The minutes of each LPC meeting are included as part of the business papers of the following ordinary Council meeting and are subsequently published to the Respondent's website including in relation to both the June 2020 Incidents and the October 2020 Incidents. A recording of each LPC meeting is also made available online (i.e. on the website). The Respondent disclosed (i.e. externally published) the personal information of the Applicant contained in the June 2020 and October 2020 LPC reports when the respective LPC papers were posted online.
3. On 11 June 2020 the LPC meeting papers, including the Report, were made available on the Respondent's document hosting system for Councillors. The Applicant advised the Respondent they would be attending the meeting remotely via Zoom but, in the event, did not attend the meeting.
4. The Report for the 15 June 2020 LPC meeting included, under the "NCAT Matters List", one line item identifying an "NCAT Privacy Complaint" with an application date of 13 May 2020, proceeding number and the name of the Applicant (i.e. rather than "EIG"). The "nature of the appeal" in the Report was identified as "Request for review of privacy complaint". The Report was published on the Respondent's website on or about 11 June 2020.
5. On or about 30 September 2020, in advance of the October LPC meeting, Mr Winn of the Respondent settled the form of the Report to be provided for compilation and distribution. The Report was an update of the Report prepared for the June 2020 LPC meeting.
6. On 8 October 2020 the LPC papers, including the Report, were made available on the Respondent's document hosting system for Councillors. It was also uploaded to the Respondent's website on the same day.
7. The Respondent did not undertake an internal review in response to the IR Request and therefore has not provided an internal review decision to the Applicant or update the Information and Privacy Commission (IPC) as to the results of such review.
[8]
Consideration of preliminary issues
After considering the submissions and evidence submitted by the parties and reviewing the relevant law, including the guiding principles in s 36 CAT Act, as regards the preliminary issues listed in [20(1), (2), (3) (4) and (5)], I find as follows:
1. In exercising the Tribunal's discretion under s 41 CAT Act I am satisfied that the Applicant's delay of some 45 days in filing the AR Application is not an inordinate delay, has been appropriately explained by the Applicant and caused no detriment to the Respondent: Jackson v NSW Land and Housing Corporation [2014] NSWCATAP 22 and EEC v Federation Council [2020] NSW CATAP 169. I therefore extend the time for lodgement of the AR Application to 22 March 2021.
2. I agree with the Respondent's concession as to the Relevant Personal Information. However, while any unauthorised disclosure may 'only' be the Relevant Personal Information as the Respondent submits, the potential ramifications of any such unauthorised disclosure in this case are significant. That is, by knowing the Relevant Personal Information anyone can re-identify any anonymised materials released by the Tribunal in relation to the Decision proceedings, thus undermining the Tribunal's anonymisation practice and any subsequent s64 CAT Act order. Also, once the Decision is published, knowing the case reference number (as disclosed in the Relevant Personal Information) the Decision can be easily found, the anonymised information re-identified and linked back to the Applicant thus re-identifying (i.e. disclosing) additional personal information of the Applicant included in the Decision, even after a s 64 CAT Act non-publication/non-disclosure order has been made.
3. Notwithstanding (2) above, I accept the Respondent's submissions as regards the effect and status of the Tribunal's anonymisation practices pursuant to the Guideline. That is, while a practice of the Tribunal and perhaps even an expectation of the Tribunal that the parties will comply with the anonymisation practice, until such time as a s 64 CAT Act order is made the practice is not an order or direction of the Tribunal and does not itself legally bind the parties. Thus, in this case, there is no mandatory non-publication or non-disclosure obligation on the Respondent until the s 64 CAT Act order was made.
4. As noted in [24] above, only the Conduct of Concern is within the scope of the Tribunal's external review in these proceedings. Even though no internal review was undertaken (or a related decision made) by the Respondent in relation to the IR Request, it is not within the scope of these proceedings for the Tribunal (or likely any interval review request) to consider the alleged breaches of ss 53 and/or 54 PIPA Act.
5. For reasons similar to those detailed in [32(4)] above, the Subsequent Conduct and the alleged breaches of the s 64 CAT Act Order of the Decision are also not within the scope of the IR Request or the Conduct of Concern and thus are not within the jurisdiction of these external review proceedings before the Tribunal. Of course that is not to say that, if the alleged Subsequent Conduct is established and breached the s 64 CAT Act Order of the Decision, this is not a serious matter that the Applicant may wish to pursue further.
[9]
Applicant's submissions
The Applicant submitted in the Applicant Submissions and orally at the Hearing, in summary and most relevantly, as follows:
1. The present matter involves similar questions to those in the Decision as to the capacity and willingness of the Respondent to meet its privacy obligations. Beyond the disclosure of the Relevant Personal Information, the present matter also involves ancillary failures to comply with the PPIP Act including a failure to advise the IPC of the request for an internal review pursuant to s 54 PPIP Act and a failure to report the findings of an internal review and keep the IPC informed of progress and findings pursuant to s 53 PPIP Act.
2. Moreover, the present matter brings into question the willingness of the Respondent's most senior officer (i.e. the General Manager) to comply with the privacy law generally. In reporting on the Tribunal's requirement that the Applicant's name be removed or redacted from or anonymised in the Respondent's public records, the Respondent's General Manager openly noted in writing that "it is not proposed to change this reporting practise, unless otherwise ordered to do so by the relevant Court of competent jurisdiction in the relevant proceedings".
3. The Relevant Personal Information does not fall within any of the exclusions listed in s 4(3) PPIP Act. Specifically, the fact that the Tribunal anonymised the Applicant's name with the initials "EIG" in accordance with paragraph 17(b) of the Guideline means that the information did not attract the exclusion in s 4(3)(b) PPIP Act because the information was not contained in a publicly available publication. Any reference to the matter contained in that publicly available publication, such as a Tribunal list, only referred to the anonymised initials "EIG".
4. In each instance (i.e. the June 2020 Incidents and the October 2020 Incidents) the Relevant Personal Information was used in the Reports and disclosed by the Respondent on its website. Each such use and disclosure amounted to a breach of s 17 PPIP Act/IPP 10 and s 18 PPIP Act/IPP 11.
5. Even after the Respondent's Chief Legal Officer was made aware of the Applicant's concerns regarding the June 2020 Incidents, the Respondent continued the Conduct of Concern in relation to the October 2020 Incidents.
6. The facts in this matter support a finding of intentional disclosure of the Applicant's personal information pursuant to s 62(1) PPIP Act against two of the Respondent's most senior officials.
7. Collectively, the scope and intentional nature of the breaches of the PPIP Act by the Respondent by its most senior officials suggest a systematic disregard for the Respondent's obligations under the PPIP Act. This systematic disregard constitutes a failure to maintain reasonable safeguards in accordance with s 12 PPIP Act.
The orders sought by the Applicant, in summary and most relevantly, are:
1. An unreserved formal written apology to the Applicant addressing and apologising for the Respondent's breaches of the IPPs and all distress and embarrassment caused to the Applicant by such breaches.
2. Requiring that the Respondent report the conduct of Mr Winn and Mr Gouldthorp to the NSW Police and the Department of Public Prosecutions to investigate the commencement of actions under s 62 PPIP Act.
3. Requiring the Respondent to stand down Mr Gouldthorp and Mr Winn from their employment with the Respondent pending the outcome of any investigation or proceedings initiated by NSW Police or the Department of Public Prosecutions.
4. That the Respondent's compliance with all requirements of the PPIP Act is reviewed by an independent third party under the direction of the NSW Ombudsman and that the findings of such review are made publicly available as soon as finalised.
5. The Respondent publish an anonymous notice, not identifying the Applicant, in the 'Latest News' section of the Respondent's website under the heading "Council commits further privacy breaches" identifying all orders made in these proceedings which notice is to remain on the website until the findings of the independent third party are made publicly available. The findings of the third party review must be published on the Respondent's website with a dedicated page titled "Privacy Remediation" with monthly updates showing the status of each recommended remediation action specified in that independent review.
The Applicant's evidence from the Applicant Statement, in summary and most relevantly, is that:
1. On 14 May 2020, in respect of the Decision proceedings, the Applicant received a notice from the Tribunal which the Applicant understands was also provided to the Respondent and contained the following notification:
"** It is the practise of the Tribunal to anonymise the name of Applicant in these matters. The Applicant will be identified by the initials as shown above."
1. Despite the prior 'notifications' to the Respondent by the Applicant, the June 2020 Incidents were subsequently repeated on or around 8 October 2020 when the agenda papers for the LPC meeting of 12 October 2020 were posted on the Respondent's website.
2. On page 43 of the published agenda papers for the Respondent's meeting of Council on 26 November 2020 the Respondent's General Manager referred to the undertaking elicited from the Respondent by the Tribunal in the Decision proceedings and noted:
"The Current Matters Lists are provided as part of the open agenda. The practice of identifying the Applicant/other party [from appearing] in Council's Legal and Planning Committee Report has recently been contended. However, it is not proposed to change this reporting practice, unless otherwise ordered to do so by the relevant Court of competent jurisdiction in the relevant proceedings. This is in line with the Council's open transparent government obligations."
1. As part of preparing for the Hearing in these proceedings the Applicant made contact with the IPC and enquired as to whether the Respondent had advised the IPC of the IR Request in accordance with the Respondent's obligation under s 54 PPIP Act. The IPC indicated that it had not received any advice from the Respondent in relation to the IR Request.
The Applicant submitted in its Applicant Reply Submissions and orally at the Hearing, in summary and most relevantly, that:
1. The LPC is "not the organ responsible for reviewing the conduct of legal proceedings and making recommendations as to decisions in respect of those proceedings to Council". The LPC's Charter discloses three separate aims:
1. To consider Council's involvement in legal proceedings, particularly those heard in the Land and Environment Court.
2. To consider and inform Council of relevant legislative changes.
3. To consider strategic planning issues.
1. The Charter does not require that the LPC consider all legal proceedings and the listing provided to the LPC is not an exhaustive listing of all proceedings but is focussed on "appeals" from Council decisions under the self‑explanatory agenda item containing the list of "Current Appeals and Results".
2. The LPC does not ordinarily make decisions or recommendations on "legal fees, the conduct of proceedings, or the settlement of proceedings". The LPC's role is one of policy development and oversight, rather than one making recommendations or decisions on individual legal proceedings. Individual proceedings are listed in the Report for information rather than action and the status of each matter was almost always reported on an "after the fact" basis, describing what had occurred rather than describing prospective alternatives under consideration that might be available for decision by the LPC.
3. Prior to 15 June 2020 there was no consistent reporting of NCAT matters. There was no reporting of any NCAT matters for the four meetings prior to the 15 June 2020 meeting, despite such matters being on foot during the relevant period of these meetings. Commencement of a consistent practice of reporting NCAT matters coincided with lodgement of the Applicant's matter (i.e. the Decision proceedings).
4. The Applicant's NCAT matter (i.e. the Decision proceedings) was not an appeal but a privacy complaint and a request for administrative review by the Tribunal of the conduct of concern relating to that privacy complaint. Unlike most matters contained in the "Current Appeals and Results" listing prior to 15 June 2020, the AR Application and these proceedings are not an appeal from a decision of the Council but a request for administrative review of the conduct of concern of the Council. The matter was described in the agenda paper listings for both the June and October 2020 meetings as "NCAT privacy complaint" and "request for review of privacy complaint". In addition Mr Winn, in his evidence in the Decision proceedings, expressly considered that the NCAT matter was part of an ongoing complaint investigation notwithstanding that he had completed his initial internal review (i.e. related to the Decision proceedings) on 4 May 2020.
5. As a complaint the Applicant's request for both internal review and review by the Tribunal fall within the scope of the Respondent's "Complaints Handling Policy" (CH Policy). At paragraph 3.2 of the CH Policy a complaint is defined as "an expression of dissatisfaction with Council's policies, procedures, charges, staff, agents or quality of service". There is nothing in the CH Policy which excludes a privacy complaint from its scope, regardless of whether it has progressed to administrative review by the Tribunal. In addition, the CH Policy provides for various privacy protections which must be adhered to in the handling of all complaints:
1. At paragraph 4.1.6 the CH Policy provides:
"Confidentiality - Personally identifiable complainant information will be actively protected from disclosure and only used for the purposes of addressing the complaint within the Council."
1. At paragraph 4.5 the CH Policy provides:
"Confidentiality - Council will ensure that confidentiality is maintained in regards to the complaints received. Personally identifiable information of the complainant will be used for the purposes of addressing and resolving the complaint only …"
1. At paragraph 4.9 the CH Policy specifically provides as regards 'privacy complaints', that:
"Privacy Complaints - Complaints relating to privacy and breaches should be referred to the Public Officer and will be managed in accordance with the requirements of the Privacy and Personal Information Protection Act 1998 and Council's Privacy Management Plan."
1. The Respondent's submissions consider s 11 of the Local Government Act 1993 (LGA) in isolation from other obligations under the LGA. In particular, the Respondent ignores s 440(5) LGA and the operation of the Respondent's Code of Conduct and its policies. Compliance with the Respondent's Code of Conduct is mandated under s 440(5) LGA as follows:
"Councillors, members of staff and delegates of a council must comply with the applicable provisions of -
(a) the council's adopted code, except to the extent of any inconsistency with the model code as in force for the time being; and
(b) the model code as in force for the time being, to the extent that -
(i) the council has not adopted a code of conduct; or
(ii) the adopted code is inconsistent with the model code; or
(iii) the model code contains provisions or requirements not included in the adopted code."
1. Paragraph 3.1(b) of the Respondent's Code of Conduct - "Councillors and Staff" specifically provides that:
"You must not conduct yourself in a manner that:
…
(b) is contrary to statutory requirements or Council's administrative requirements or policies."
1. Accordingly, adherence to the Council's policies is mandatory for all Councillors and staff. This includes adherence to the CH Policy and all other policies, including the Respondent's "Access to Information Policy" (Access Policy). The Access Policy is relevant because it explicitly balances the disclosure of information to promote open and transparent government with concepts such as respect for the privacy of individuals and overriding public interest. Any commitment to open and transparent government is not unfettered but is subject to the considerations such as the protection of individuals' privacy and the public interest in ensuring that complainants are not discouraged from lodging complaints due to the potential for vilification, embarrassment and harm by having their identity disclosed when they lodge a legitimate and serious complaint about the conduct of Council.
2. Contrary to the Respondent's arguments that s 17 PPIP Act/IPP 10 does not apply because the relevant personal information is unsolicited, the evidence clearly shows that the Respondent solicited the Applicant's personal information. Through its website and the existence of the CH Policy on its website, the Respondent actively solicits complaints which incorporate personal information and the identity of the complainant. The active solicitation of complaints is part of the Respondent's stated commitment to accountable government.
3. The Relevant Personal Information of the Applicant was not used for the purpose for which it was collected or a directly related purpose in accordance with s 17 PPIP Act/IPP 10 when it was provided to the LPC. The Applicant provided their identity as the complainant for the purpose of having their complaint resolved, initially through internal review and subsequently through administrative review by the Tribunal. Providing the Applicant's Relevant Personal Information to the LPC was not in accordance with this purpose because the LPC has no function in the resolution of individual complaints and there was no directly related purpose which would require its use of the Applicant's identity. That is, even if there was a requirement to provide certain information to the LPC such requirement would have been met by complying with the anonymisation practice and only providing the details in respect of "EIG".
4. The Respondent's arguments with respect to s 11 LGA are also incorrect because there is an option to have a closed meeting with respect to such, there is no obligation to disclose such matters and, even if there was, there is no obligation to identify the Applicant other than by the pseudonym "EIG". Also s 11 LGA must be read in conjunction with other provisions of the LGA including, as noted, s 440(5) LGA. Finally, if the Respondent's arguments about the operation of s 11 LGA and its interaction with s 25 PPIP Act are accepted they would provide Council with the ability to publish a wide variety of personal information held by Council with impunity.
5. Even without intention, the circumstances of the matter provide a clear indication of the existence of a failure to exercise an appropriate standard of care and diligence over the management of the disclosure of personal information. There is no evidence to suggest that Council's own privacy policies are consulted or referenced in the preparation of material to be published on the Respondent's website. There are no controls, checks or reviews over information identifying named individuals prior to publication by the Respondent for privacy consideration, despite evidence suggesting that a typographical review is undertaken. None of the measures detailed in the Respondent's evidence of an action plan disclosed any controls over information to be published by the Respondent and thus the Respondent's conduct is in breach of s 12 PPIP Act/IPP 5.
The Applicant's evidence in the Applicant Reply Statement, in summary and most relevantly, is that:
1. When the Applicant lodged their application for administrative review on 4 May 2020 they had no expectation that the Relevant Personal Information would be publicly disclosed in any reporting which identified the Applicant as the applicant. The Applicant had no expectation that NCAT matters and Relevant Personal Information in particular would be reported by the Respondent in the Reports and expected that their privacy would be protected in accordance with the CH Policy and the provision for protection of privacy in the LPC Charter.
2. In relation to the Subsequent Conduct and the correspondence with the Respondent and its solicitors in late June 2021 with respect to such, the Respondent's solicitors and the Respondent did not address the fact that the subsequent disclosures and publications were breaches of both the undertaking made to the Tribunal on 30 October 2020 and the subsequent s 64 CAT Act order made in the Decision.
[10]
Respondent's submissions and evidence
In the Respondent Submissions and orally at the Hearing the Respondent submitted, in summary and most relevantly, as follows:
1. The purpose of the LPC is to "consider Council's involvement in legal proceedings". Its functions include the "review of legal advice received by Council as requested by the Committee", consideration of Council's response following receipt of legal advice; and "analysis of Council's involvement in legal proceedings …".
2. By way of example of operation of the LPC in practice, the minutes of the 15 June 2020 record the LPC discussing, among other things, legal fees incurred, recovered and budgeted for the financial year by reference to active matters, consideration of settlement offers in litigation, consideration of development applications and variations to develop standards and consideration of amendments to the North Sydney Local Environment Plan 2013.
3. On or about 4 June 2020 Mr Winn of the Respondent settled the form of the Report to be provided to the LPC. Mr Winn had by then received the Tribunal's notice (as regards the Decision proceedings) which included the handwritten party names. Mr Winn does not recall reading the correspondence attached to that notice and was not aware of the Tribunal's anonymisation practice as set out in the Guideline.
4. Mr Winn only became aware of the terms of the Tribunal's anonymisation practice and the Guideline on the day of the hearing in relation to the Decision proceedings. On that day, 30 October 2020, Mr Winn communicated the undertaking made to Mr Curry of the Respondent and subsequent Reports have identified the Applicant only by their allocated pseudonym.
5. The precise "personal information" that the Respondent concedes was contained in the June 2020 Incidents and October 2020 Incidents is that the Applicant's name was the applicant in a "referenced NCAT privacy complaint against the Council" (i.e. the Relevant Personal Information). There was no disclosure by the Respondent of the substance or even the gist of that complaint. The Applicant's information was non‑public by reason of the application of the Tribunal practice of anonymisation to its own file.
6. These proceedings highlight the potential problems under the PPIP Act involved in the default application of the Tribunal's anonymisation practice under the Guideline (until such time as a s 64 CAT Act order is made) for the decision‑making processes of public sector agencies subject to open‑government laws in relation to litigation against them. Paragraph 17(b) of the Guideline explains that the Tribunal usually anonymises the Applicant's name "in hearing lists and decisions" relating to PPIP Act proceedings but does not provide that a formal order is made which is binding on the parties in accordance with that practice. No actual order was made to that effect until the date of the Decision (17 March 2021).
7. The Respondent does not accept, as between itself and the Applicant, that it contravened the PPIP Act.
8. As regards s 17 PPIP Act the Respondent first used the personal information in preparing and submitting the June 2020 Report (and ultimately the October 2020 Report) to the relevant LPC meetings and in considering those Reports in those LPC meetings. That was for the purpose of an internal meeting constituted by Councillors (i.e. the elected officials comprising the Council) and senior staff. This use was not a contravention of the PPIP Act.
9. The Respondent also submits that s 17 PPIP Act, on its proper construction, does not apply to unsolicited information and relies on KDV Registrar, NSW Medical Board [2004] NSWADT 5 at [29]. The Respondent held the information on receipt but personal information is not "collected" by a public sector agency if it is unsolicited (s 4(5) PPIP Act). The personal information was not solicited by Council - it was contained in an application prepared by the Applicant and served on the Respondent by the Tribunal. Section 17 is a prohibition on using information for "a purpose other than for which it was collected". The provision is confined to information that has been collected.
10. Alternatively, if s 17 PPIP Act does apply, the information was used for the purpose for which it was collected or a directly related purpose (s 17(b) PPIP Act). The personal information was used to prepare an internal report for the consideration of the LPC, the organ of Council responsible for reviewing the conduct of legal proceedings and making recommendations as to decisions in respect of those proceedings to Council. It cannot be the case the public sector agency is prohibited from using personal information connected to legal proceedings (which as the term is defined, could include the name of any applicant in a proceeding that has been served but is not yet before Court) for the purpose of making decisions in that proceeding. The LPC is an aspect of how the Respondent discharged that function. Indeed, the preparation of a report in a similar format is unsurprisingly a common feature in other councils.
11. In this particular case, had the Applicant actually attended either of the 15 June 2020 or 12 October 2020 LPC meetings, as they had indicated they would, they would have been obliged to declare a conflict of interest, however their previous proceeding was identified.
12. The recordings of LPC meetings of June and October 2020 did not include any mention of the Applicant's personal information in question.
13. The Respondent submits that none of the disclosures in relation to the June 2020 Incidents and October 2020 Incidents were in breach of s 18 PPIP Act/IPP 11. The Applicant was reasonably likely to have been aware that the information of that kind (i.e. names of parties to litigation involving the Respondent) was usually disclosed to the public through the publication of the agenda of the LPC meetings and thus such disclosure was permitted under s 18(1)(b) PPIP Act. The Applicant was a member of the LPC and was sent the minutes in advance of the relevant LPC meetings and therefore it must be concluded that the Applicant was reasonably likely to have been aware of the names of parties to litigation involving the Respondent were contained in the Reports and consequently would be disclosed by being published on the Respondent's website.
14. Alternatively, the disclosure was not a prohibited disclosure in that the Respondent was obliged to make available the Report to the public under s 11 LGA such that the personal information was publicly available in the meaning of the PPIP Act and/or s 25 of the PPIP Act provides for non‑compliance where "necessarily implied or reasonably contemplated". The Respondent chooses to give effect to the obligation in s 11 LGA by routinely publishing such materials on its website.
15. If the Tribunal accepts that the use of the Relevant Personal Information in the June 2020 Report was not in breach of the PPIP Act, that information was then contained in a publicly available publication and no longer personal information by operation of s 4(3)(b) PPIP Act. Thus, subsequent publication in October 2020 was not therefore subject to the provisions of the IPPs.
The evidence of Mr Winn, Mr Curry and Mr Winram, in summary and most relevantly, is as follows:
1. The Charter of the LPC provides that the aim of the LPC is "To consider Council's involvement in legal proceedings …" and the functions of the LPC include:
"Review of legal advice received by the Council as requested by the Committee (i.e. the LPC);
Consideration of Council's response following receipt of legal advice;
Analysis of Council's involvement in legal proceedings …" (Mr Winn Statement paragraphs 10 and 11).
1. Outlining the prior and current processes followed by Mr Winn in preparing the Reports (Mr Winn Statement paragraphs 15 and 17).
2. Mr Winn was not aware of the Tribunal's anonymisation practice prior to the June 2020 Incidents and before the October 2020 Incidents was not aware of any Order made by the Tribunal to anonymise the Applicant's name and did not consider the submissions or statements of the Applicant dated September 2020 and 28 October 2020 in the Decision proceedings when preparing the October 2020 Report (Mr Winn Statement paragraphs 22, 33 and 37).
3. Since the hearing in the Decision proceedings Mr Winn has anonymised the name of the Applicant in the Reports (Mr Winn Statement paragraph 42).
4. The Respondent did notify the IPC of the IR Request and Mr Winn attached a copy of the Respondent's 18 November 2020 letter to the IPC (Mr Winn Statement paragraph 47).
5. The Respondent did not complete an internal review in response to the IR Request (Mr Winn Statement paragraph 48).
6. Mr Winn updated the progress of the privacy review and implementation of measures being made by the Respondent in response to the orders made in the Decision and attached the revised Privacy Management Plan and "Guide to conducting internal reviews" (Mr Winn Further Statement).
7. Mr Curry detailed the current process for preparation of the papers for LPC meetings and his organisation of and attendance at the June and October 2020 meetings (Mr Curry Statement).
8. Mr Winram attached (a) a complete set of the Orders made by the Tribunal during the Decision proceedings up to the publication of the Decision and (b) the transcript of the hearing from the Decision proceedings.
[11]
s 12 PPIP Act/IPP 5
As regards the Applicant's submissions and evidence that the Conduct of Concern breached s 12 PPIP Act/IPP 5, having reviewed all the material before the Tribunal I am satisfied that there is no breach of IPP 5 by the Respondent arising from the Conduct of Concern. The evidence presented by the Applicant did not raise the likelihood that the Conduct of Concern resulted in either the breach by the Respondent of the retention or security obligations under IPP 5 in relation to the Relevant Personal Information.
[12]
s 17 PPIP Act/IPP 10
As regards the Respondent's submission that s 17 PPIP Act/IPP 10 does not apply because the Personal Information was unsolicited, I note the Tribunal's findings in EMF v Cessnock City Council [2021] NSWCATAD 219 (EMF):
45 As regards [32(2)], I have followed the reasoning in the Appeal Panel decision in ZR v Department of Education and Training (GD) [2010] NSWADTAP 75 (ZR) which held, in particular at [58]:
"As to the text authored by the complainant in relation to the matter of concern, we are inclined to the view that, insofar as the information provided is relevant to the purposes of the agency, it ought be regarded as collected, and not treated as unsolicited. It is not, as we see it, a mere instance of passive receipt. This is a situation where the practice of the agency is to get the complaint in writing and create a record. It is requesting the information to that extent."
46 Also the IPC has warned agencies, in its "A Guide to the Information Protection Principles", against treating complaints as unsolicited information if the agency holds itself out as the agency to contact as regards such complaints.
47 In applying the quoted text in [45] to the facts of this case, I am satisfied that the Respondent sought or 'solicited' code of conduct complaints by having a policy relating to how such complaints may be made, will be handled and providing details of to whom one can make such a complaint. Thus, any personal information contained in or related to such a complaint made on this basis will prima facie be solicited information.
48 However, even if I am wrong on this, in accordance with the Appeal Panel decision in ZR at [71] "once taken under the control of the agency for one of its administrative purposes" the personal information is taken as collected. That is, the moment the Respondent keeps, assesses, deals with and/or processes the Complaint (in this case) then, even if it is originally considered unsolicited personal information, it will then become personal information collected and held by the Respondent. As such (as is the case for all solicited personal information) it is then subject to all the IPPs as amended by the Privacy Code of Practice for Local Government published in the Government Gazette Number 179 on 20 December 2019 (LG Privacy Code).
I am satisfied that the Relevant Personal Information was included in the information sought or 'solicited' as part of the Respondent providing guidance on its website and in publicly available polices around how to make complaints, including privacy complaints, and generally the Applicant's legislative right to seek an internal review by the Respondent and, ultimately, external review by the Tribunal under the PPIP Act. However, as noted EMF, even if the information was not solicited on this basis, once the information is taken under the control of the Respondent for its administrative purposes (e.g. to address the internal review request and, later, to participate in/defend the external review Decision proceedings before the Tribunal) the Respondent is taken to have collected the Relevant Personal Information.
Given my finding that the Relevant Personal Information was solicited (or otherwise collected by the Respondent) I will now deal with the issue raised in [20(7) and (9)] together, whether the Code of Conduct breached s 17 PPIP Act/IPP 10. We can rule out the ss 17(a) and (c) PPIP Act exemptions as there was no consent from the Applicant for use for any other purpose (given the notifications made by the Applicant to the Respondent about their concerns about this use) and there were no submissions that this use was necessary to prevent or lessen an imminent threat to anyone's life or health. It falls then for the Tribunal to consider the 'purpose' for which the Relevant Personal Information was collected by the Respondent and, under s 17(b) PPIP Act, if that information was used for another purpose whether that other purpose was directly related to the purpose for which it was collected and therefore exempt from the prohibition in IPP 10.
I am satisfied from the materials before me that the Respondent's purpose for collection of the Relevant Personal Information was, along with other personal information of the Applicant collected in relation to the internal review request and the Decision proceedings, to respond to, deal with and prosecute the Applicant's 'privacy complaint', any internal review and subsequent external review of that complaint by the Tribunal. That is, use (and sharing) of the Relevant Personal Information within the Respondent and its advisors directly related to the investigation, review, assessment and, ultimately, prosecution of the defence of the Respondent to that 'privacy complaint' (i.e. external review) before the Tribunal is the purpose or a purpose directly related to that for which the Relevant Personal Information was collected.
From the evidence before the Tribunal, I am satisfied that the LPC was not an organ of the Respondent involved in the day-to-day running (i.e investigation, review and/or prosecution) of the Decision proceedings. I prefer the Applicant's submissions and evidence that the LPC has an 'after the fact' role in relation to NCAT matters at a much higher level or less 'hands on' basis relating more to cumulative information and input in to overarching strategy and approach to litigation in general (see [36] above).
After setting out the generally applicable confidentiality obligations relating to the complaints, paragraph 4.9 of the CH Policy (see [36(6)(c)] above) expressly states that privacy complaints are to be handled by the Public Officer and managed in accordance with the Respondent's Privacy Management Plan (PMP) There is no mention of privacy complaints or external reviews being handled by the LPC in either the CH Policy or the PMP.
Based on my findings above and without express evidence to the contrary (e.g. provision of a privacy collection statement to the Applicant at or before collection of the Relevant Personal Information which clearly referred to use of it in the Reports), the use of the Relevant Personal Information in the Reports for the LPC was not for the purpose for which that information was collected or a directly related purpose. I am therefore satisfied that the Conduct of Concern resulted in the Respondent breaching IPP 10 in relation to using the Relevant Personal Information in both the June 2020 Incidents and the October 2020 Incidents.
[13]
s 18 PPIP Act/IPP 11
I will deal with the issues raised in [20(8) and (10)] together, whether the Conduct of Concern breached s 18 PPIP Act/IPP 11. There is no dispute that the disclosures/publications of the Relevant Personal Information were made by the Respondent as part of the Conduct of Concern. The Respondent submitted, however, that such were not in breach of IPP 11 as they were exempt disclosures/publications under ss 18(1)(b) and 25 PPIP Act.
Section 18(1)(b) exempts disclosure (and publication as a subset of disclosure) to third parties where the Applicant (in this case) is likely to have been aware that the Relevant Personal Information is of a kind usually disclosed to such third parties. In the absence, as in this case, of an express notification by the Respondent of such disclosures in a privacy collection statement (for example) provided to the Applicant at or prior to collection of the information (a practice recommended by the IPC since 1999), the Respondent has to establish the other basis on which or how the Applicant was "reasonably likely" to have been aware of such 'usual disclosures'.
As to the likely awareness of the Applicant that the Relevant Personal Information is usually disclosed via the Reports to the public at large by publication on the Respondent's website, I prefer the Applicant's detailed evidence. That is, that personal information such as the Relevant Personal Information in relation to NCAT privacy matters was not included in the equivalent Reports of the four prior meetings of the LPC, even though there were NCAT privacy matters on foot during this period. In addition, and contrary to any reasonable likelihood of the Applicant being aware of the usual disclosure of the Relevant Personal Information, I note the Applicant's detailed submissions on and evidence in respect of the CH Policy requirements, among others, to keep complaints (including privacy complaints) confidential. In my view the obligations under the CH Policy and Access Policy, well known to the Applicant as a Councillor, evidence a contrary expectation as regards disclosure of the Relevant Personal Information than that submitted by the Respondent. I am satisfied that it is not reasonably likely, even if it was actually done, that the Applicant was aware that the Relevant Personal Information (or information of its kind) was usually included in the Reports and disclosed to the public by the Respondent.
The Respondent noted that s 25(b) PPIP Act provides an exemption from compliance with, most relevantly, IPP 11/s 18 PPIP Act where such non-compliance is "necessarily implied or reasonably contemplated" by another law. The Respondent submitted that s 11 LGA requires the Respondent to give reasonable access to inspect any reports submitted to the LPC (i.e. the Reports in this case). Further, the Respondent noted that it gives effect to s 11 LGA by publishing the agenda, minutes and Reports of the LPC meetings on its website.
While I agree that the Reports tabled at an LPC meeting are generally required to be disclosed under s 11 LGA, the issue here is whether the Relevant Personal Information was 'necessarily implied or reasonably contemplated' by s 11 LGA to be disclosed. That is, is the Relevant Personal Information required by s 11 LGA to be (a) included in the Reports and/or (b) published? I see no requirement in s 11 LGA to include the Relevant Personal Information in the Reports or otherwise to publish it. In fact, as found above, the use of the Relevant Personal Information in the Reports was in breach of IPP 10. Therefore, while the reports tabled at an LPC meeting need to be published under s 11 LGA, the Relevant Personal Information did not need to be (and should not have been) included in those Reports in the first place or otherwise published.
Finally and for completeness, as noted above, reference to the anonymised Decision proceedings and the Decision (i.e. the official Tribunal details/reference) could be included in the Report and, in any event, is the preferable and official reference to the Decision proceedings and the Decision for inclusion in public documents such as the Reports.
Based on the above, I am satisfied that s 11 LGA does not reasonably imply or contemplate the disclosure/publication of the Relevant Personal Information and that disclosure of such by publishing the Reports is therefore not excused or exempted under s 25(b) PPIP Act and the Conduct of Concern is in breach of IPP 11.
[14]
Not considered
I have not considered or decided the impact of the Respondent's submission that that the Applicant would have had to disclose their 'interest' in relation to the Decision proceedings if they had attended either of the relevant LPC meetings because they did not attend these LPC meetings and this is therefore only hypothetical.
[15]
No systemic issue
While there have been a number of incidents impacting on the Applicant's privacy within a short period of each other (i.e. as identified in the Decision and in these proceedings), I am not satisfied from the materials before me that this activity evidences a systemic issue in respect of the Respondent's compliance with IPPs 10 or 11 in this case.
[16]
s 62 PPIP Act allegations
In accordance with my comments at [32(4)], I note that s 62 PPIP Act requests and allegations of the Applicant are not within the jurisdiction of the Tribunal in these proceedings.
[17]
Available remedies
The Tribunal reviews the Conduct of Concern afresh and is not reviewing the internal review decision of the Respondent. However, the Tribunal stands in the shoes of the "administrator" (i.e. the Respondent's internal reviewer) and the actions and remedies available to "administrator" under s 53(7) PPIP Act are also available to the Tribunal in an external review, even though in this case no internal review was actually conducted by the Respondent. The remedies available to the Tribunal are therefore, in this case where breaches of IPPs 10 and 11 have been found, those set out in ss 53(7) and 55(2) PPIP Act.
[18]
Appropriate Remedies
In determining the orders to make in these proceedings I have considered both the evidence of the Respondent as regards its progress on the work being done resulting from the Decision and also that many of the orders specifically sought by the Applicant (see [34] above) are beyond the powers of the Tribunal under ss 53 and 55 PPIP Act.
For the reasons similar to those noted in paragraphs [41], [42], [89] and [90] of the Decision, I am satisfied that in this case both a formal apology to the Applicant and publication of an appropriate anonymous notice on the Respondent's website notifying the public of what the Respondent has been ordered to do by this Tribunal, as regards its breaches of IPPs 10 and 11, are appropriate.
Given the findings above and in order to remedy the breaches of IPPs 10 and 11 by the Respondent found in these proceedings, I am satisfied that additional orders addressing the following are also appropriate in this case:
1. Anonymising all publicly available digital material of the Respondent and making reasonable efforts in relation to all printed or hardcopy materials previously distributed by or on behalf of the Respondent referring to the Applicant in relation to the Decision proceedings or the Decision.
2. Not to use or disclose any of the Applicant's personal information relating to future reviews of the Applicant under ss 53 and 55 PPIP Act in breach of IPPs 10 or 11.
[19]
Orders
1. Time is extended under s 41 Civil and Administrative Tribunal Act for the Applicant to lodge the application for external review by this Tribunal to 22 March 2021.
2. Pursuant to s 64 Civil and Administrative Tribunal Act the publication or broadcast of the name of the Applicant in these proceedings or reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person is prohibited.
3. Pursuant to s 55(2)(b) Privacy and Personal Information Protection Act, in relation to all future applications of the Applicant under ss 53 and 55 Privacy and Personal Information Protection Act the Respondent is to refrain from:
1. any use of the Applicant's personal information relating to such applications in contravention of s 17 Privacy and Personal Information Protection Act/IPP 10; and
2. any disclosure of the Applicant's personal information relating to such application in contravention of s 18 Privacy and Personal Information Protection Act/ IPP 11.
1. Within 14 days of the date of these Reasons for Decision the Respondent is to provide an unreserved formal written apology to the Applicant addressing and apologising for the Respondent's breaches of IPPs 10 and 11 in respect of the personal information of the Applicant as identified in these Reasons for Decision and for all distress and embarrassment caused to the Applicant by such.
2. Within 14 days of the date of these Reasons for Decision the Respondent must publish an anonymous notice not identifying the Applicant (in accordance with the publication restriction) in the 'Latest News' section of the Respondent's website, under the heading "Council found to have committed privacy breaches" and noting Orders (3) and (6) of the Tribunal in relation to the Respondent's breaches of IPPs 10 and 11 and such notice must stay up for 2 months from publication.
3. Within 30 days of the date of these Reasons for Decision the Respondent must (a) anonymise the Applicant's name in all publicly available digital publications of the Respondent (including on the Respondent's website) in relation to any reference to the Decision proceedings or the Decision; and (b) make reasonable efforts to recover and destroy or anonymise the Applicant's name in all printed and hardcopy materials in relation to any reference to the Decision proceedings or the Decision.
[20]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 27 October 2021
WCATAD 66
EMF v Cessnock City Council [2021] NSWCATAD 219
Jackson v NSW Land and Housing Corporation [2014] NSWCATAP 22
KDV Registrar, NSW Medical Board [2004] NSWADT 5
KT v Sydney Local Health Network [2011] NSWADT 171
Nasr v State of New South Wales (2007) NSWCA 101
Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4
Vice-Chancellor Macquarie University v FM (No 2) [2004] NSWADTAP 37
ZR v Department of Education and Training (GD) [2010] NSWADTAP 75
Texts Cited: Nil
Category: Principal judgment
Parties: EIG (Applicant)
North Sydney Council (Respondent)
Representation: Counsel:
B Walker SC assisted by A Edwards (Respondent)