The Applicant submits that the disclosure of the word "Medical" in the context in which it was used was a disclosure of their "health information" for the purposes of the HRIP Act and that that disclosure was in breach of HPP4 and HPP11.
The Applicant further submits that the Respondent has also breached HPP5 and HPP 10.
In a number of aspects of the Applicant's statements and submissions criticism is also made of the Respondent's decision-making processes more generally. The scope of this review does not extend to the conduct of the Respondent Council at large but is limited as to whether there has been a breach of an IPP or HPP and, if so, what orders should be made in respect of any breach. Accordingly I do not address those aspects of the Applicant's submissions.
[2]
Concessions made by the Respondent
In the Respondent's submissions dated 22 December 202, the Respondent has made a number of concessions, namely:
1. the word "Medical" as a descriptor for the Applicant's reason for requesting permission to attend Council meetings remotely was non-public information about the Applicant, whose identity was apparent from the relevant item in the May Report, and therefore "personal information" about the Applicant held by the Respondent in the meaning of the PPIP Act;
2. the Respondent did not take reasonable steps to ensure that the Applicant was aware that their personal information was intended to be disclosed in the Report and such failure was in breach of ss 10(b) and (c) of the PPIP Act;
3. the Respondent disclosed the Applicant's personal information in circumstances where the Applicant had no expectation, by reason of the lack of a s 10 notice, the general terms of the OLG Circular 21-02 and the 26 April 2021 meeting report, that such information would be disclosed and such disclosure was in breach of s 18 of the PPIP Act.
The Respondent does not suggest, in these proceedings, that any non-compliance was permitted under s 25 of the PPIP Act.
At the conclusion of the hearing the Respondent undertook to provide to the Tribunal and the Applicant a document setting out the differences between the relevant HPPs and IPPs and the implications that flow from a finding that the relevant information in the proceedings is either personal or health information. That document was provided to the Tribunal and to the Applicant on 21 March 2022. In that document the Respondent notes that if the Tribunal determines that the information is considered "health information" the Respondent would concede a breach of HPP4 (1) (c) and (d) (which are in similar terms to ss 10(b) and (c) of the PPIP Act) and HPP11 (1) (which is in similar terms to s 18 of the PPIP Act. The Respondent submits that there has been no breach of any other HPPs.
While the Respondent's concessions are relevant, as the role of the Tribunal is to consider the conduct afresh, the Tribunal must review the evidence and determine whether there has been a breach of any IPPs or HPPs.
[3]
Health information
The first question to determine is whether the relevant information is "personal information" for the purposes of the PPIP Act or "health information" for the purposes of the HRIP Act. As the Respondent submits, the information cannot be both. If it is "health information" within the meaning of the HRIP Act, then by virtue of s 4A of the PPIP Act it is not "personal information" for the purposes of the PPIP Act.
As set out above, s 6(a)(i) of the HRIP Act defines health information to include personal information that is information or an opinion about the physical or mental health or a disability (at any time) of an individual.
"Personal information" includes information about an individual whose identity is apparent or can reasonably be ascertained from the information. The Respondent accepts, and it is clear, that the word "Medical" as describing the Applicant's reason for requesting permission to attend Council meetings remotely was non-public information about the Applicant, whose identity was apparent from the relevant item in the May Report, and therefore "personal information" about the Applicant held by the Respondent.
The Respondent submits that the information is not "health information", however, and submits that the position in this case is not distinguishable from the decision of the Tribunal in DQN v The University of Sydney [2019] NSWCATAD 266 where the Tribunal held that the use of the single word "illness" was not sufficient to constitute health information, the Tribunal stating at [31]:
I accept that the information in issue is personal information about the applicant. However, I am not persuaded that the information is also 'health information' about the applicant. Other than containing the word 'illness' the information does not include any information or an opinion about the physical or mental health of the applicant.
The full context of the use of the word "illness" in the material under consideration by the Tribunal in DQN is not apparent from the reasons for decision in that case, no doubt with a view to the sensitivity of the information the disclosure of which was under consideration.
The Applicant submits, and I accept, that inclusion of the word "Medical" in the context in which it was used in this case disclosed that the Applicant requested approval to be excused from the requirement to attend Council meetings in person and be permitted to attend meetings remotely for a period of five months because in-person attendance was prevented for a medical reason or reasons. The Applicant submits that that is information about the physical or mental health or a disability of an individual within the meaning of s 6(a)(i) of the HRIP Act. I accept that submission.
Accordingly, I find that the information is "health information" for the purposes of s 6(a)(i) of the HRIP Act. As such, I turn to consider whether there has been a breach by the Respondent of the HPPs under the HRIP Act. As the Tribunal noted in DQN, however, even if I am wrong about that and the information is personal information for the purposes of the PPIP Act, little ultimately turns on that because the relevant HPPs and IPPs are in substantially similar terms.
[4]
HPP4 and HPP11
It is convenient to deal with HPP4 and HPP 11 together.
HPP4 requires an organisation that collects health information from an individual to take reasonable steps to ensure that the individual is made aware of the purposes for which the information is being collected and the persons to whom the organisation usually discloses information of that kind.
HPP11 requires that an organisation that holds health information for a purpose (secondary purpose) other than the purpose for which it was collected (primary purpose) must not disclose that information unless, relevantly, with the individual's consent or where the secondary purpose is related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose.
It is not in dispute that the Applicant was not made aware that it was proposed to include the description "Medical" as the reason for their request to attend meetings remotely in the May Report. I accept the Applicant's submission that had the Respondent done so, that would have provided the Applicant with an opportunity to withdraw their request so as to avoid the disclosure. As such, as the Respondent has correctly conceded, there has been a breach of HPP4 (1) (c ) and (d).
In this case, the information was collected for the primary purpose of Council considering the Applicant's request to attend meetings remotely. It was disclosed to the public on the Council's website in the May Report amongst other papers for the May Council meeting for the secondary purpose of placing on the public record relevant information in relation to the May meeting. In the circumstances of this case where:
1. OLG Circular 21-02 dated 1 April 2021 provided:
In dealing with requests by councillors to attend meetings by audio-visual link on grounds of illness, disability or caring responsibilities, councils must ensure they comply with the Health Privacy Principles prescribed under the Health Records and Information Privacy Act 2022;
1. the suggested procedures attached to that Circular provided:
The grounds on which the councillor is being permitted to attend meetings remotely by audio-visual link [must be stated], but not where those grounds relate to illness, disability or caring responsibilities, and
The council must comply with the Health Privacy Principles prescribed under the Health Records and Information Privacy Act 2022 when collecting, holding, using and disclosing health information in connection with a request by a councillor to attend a meeting remotely by audio-visual link;
1. the 7 April 2021 Memo stated:
3.The grounds for which the Councillor is being permitted to attend remotely must be stated, but not where those grounds relate to illness, disability or caring responsibilities;
1. the Applicant's reason for requesting remote attendance was not disclosed in the April Report; and
2. the Applicant in providing the information disclosed in the May Report expressly stated:
I ask that my reasoning and this information remain confidential and that my privacy is maintained.
it is clear that the information was disclosed both without the Applicant's consent and in circumstances where the Applicant would not reasonably expect that information to be disclosed.
As such, as the Respondent has correctly conceded, there has been a breach of HPP11 (1).
The Applicant contends that the OLG Circular and suggested procedures (which the 7 April Memo made clear were adopted) alone would have given rise to a reasonable expectation that their information would not be disclosed, so that if the Respondent had adopted the same approach in the April Report that it adopted in the May Report it would also have been in breach of HPP11. I accept that contention. This, the Applicant says, is relevant to the terms of the apology which has been proffered which I discuss below.
[5]
HPP 10
HPP 10 is in similar terms to HPP 11 but relates to the use of information, rather than its disclosure. It provides that an organisation that holds health information must not use the information for a purpose (secondary purpose) other than the purpose for which it was collected unless, relevantly, the individual has consented or the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose.
The Applicant contends that the Respondent in disclosing the information in the May Report has also used it in breach of HPP10. In the Applicant's submissions the Applicant asserts that the information has been used for a "political purpose". The Applicant has not adduced any evidence to support this assertion and this was not put to Mr Goudthorp in cross-examination. I do not, therefore, accept that the information was used for a political purpose.
The Applicant also appears to contend that the disclosure of the information without their consent was also the "use" of the information without their consent in breach of HPP 10. If that is the Applicant's contention I agree with the Respondent that the Applicant's submissions in this regard conflate the two separate concepts of "use" and "disclosure" (albeit those terms are not defined in the legislation) and that it would render the statutory distinction between those concepts in HPP 10 and HPP 11 inutile to find that an agency has breached HPP10 by "using" information in disclosing it.
As noted above, in cross-examination the Applicant also said that they did not expect the Medical Certificate they provided to be provided to Councillors. This was not expressly put as an alternative basis for arguing that there has been a breach of HPP 10 by the Councillors "using" the Medical Certificate provided in considering the Applicant's request for permission to attend meetings remotely and I note that, in any event, this conduct was not identified in the request for internal review and the Tribunal's review is confined in scope to a review of the conduct that was identified in the initial request for internal review: CBL v Southern Cross University [2018] NSWCATAD 97 at [30]; EIG v North Sydney Council [2021] NSWCATAD 66 at [30] (EIG Number 1) .
I do not find there has been a separate breach of HPP 10.
[6]
HPP5
The Applicant also submits that there has been a breach of HPP5 which requires reasonable security safeguards to be taken to ensure against loss, unauthorised access, use, modification or disclosure and against all other misuse of information. The Applicant submits that the Respondent has inadequate safeguards in place and submits that the Respondent has shown a systemic disregard for its privacy obligations whether they arise under the PPIP Act, the HRIP Act or otherwise.
The Applicant points to the terms of the apology letter which has been provided which suggests that the Applicant's expectation that the information would not be disclosed arose as a result of the April Report, and not from the OLG Circular 21-02. The Applicant submits that this demonstrates that Mr Gouldthorp has difficulty complying with privacy obligations and cannot be relied upon to prevent a recurrence. This, the Applicant says, together with two previous Tribunal decisions which have found the Respondent in breach of the PPIP Act, demonstrates "systemic" non-compliance by the Respondent.
Mr Gouldthorp's evidence is that the OLG Circular did create an expectation that "health information" would not be publicly disclosed. He did turn his mind to the question of whether use of the word "Medical" would be a disclosure of health information and, after clarifying the position with his advisers, he determined that it would not. I do not accept that there was any intentional breach on the Respondent's part and find that Mr Gouldthorp made an error of judgment in an environment where these issues were being considered for the first time. I do note, however, that as Mr Goudthorp had determined that the information was not health information, it was still incumbent upon him to consider the Respondent's obligations with respect to the Applicant's personal information under the PPIP Act, which there is no evidence that he did.
The Applicant also points to two previous decisions of this Tribunal involving the Applicant which have found the Respondent in breach of the PPIP Act: EIG Number One and EIG v North Sydney Council [2021] NSWCATAD 313. I accept the Respondent's submission that the first of those decisions must be distinguished. The matter involved the deliberate leak of information held by Council by an unknown person or persons. The second decision involved the disclosure of the Applicant's name in relation to the proceedings the subject of the first decision in Legal and Planning Committee meetings and posting certain papers relating to those meetings on the Respondent's website and in an Annual Report containing a "register of appeals in Court matters" after the Applicant's name had been anonymised by the Tribunal in accordance with its usual practice but before any orders were made by the Tribunal as to non-publication of the Applicant's name.
The circumstances of those other cases are quite different from the issue which has arisen in this case and I do not consider on the evidence before me that there has been a breach by the Applicant of HPP 5 or that the Respondent's conduct evidences a systemic issue in respect of its compliance with privacy laws more generally.
[7]
Appropriate relief
The orders that the Tribunal may make under s 55(2) are set out at [16 ] above. An "ancillary order" is an order that is "incidental to or supplemental to" an order that the Tribunal is empowered to make: EIG Number 1 at [85]. As the Tribunal stands in the shoes of the agency, the actions and remedies available to the agency under s 53(7) are also available to the Tribunal.
The Applicant does not seek an order for damages by way of compensation. The Applicant sought orders that the relevant information be removed from the Respondent's website, that an unreserved apology be made and that the Respondent publish a notice on its website under the heading "Council commits further privacy breaches" detailing the orders made, such notice to remain on the Respondent's website for a period of 12 months.
Given that the information disclosed has now been removed from the Respondent's website, it is not necessary for me to make an order in that regard.
I consider it is appropriate to make orders that an appropriate formal apology should be issued to the Applicant and there should be published on the Respondent's website an appropriate anonymous notice notifying the public about the breaches the Respondent has been found to have committed.
The Respondent referred the Tribunal to the decision of Jackson v University of New South Wales [2018] NSWCATAD 271 where at [43] the Tribunal found that, given an appropriate apology had already been proffered it was not appropriate for the Tribunal to make an order that any further steps be taken in the matter. However, I agree with the Applicant that the apology letter as it currently stands is not adequate in light of the concessions now made by the Respondent and the breaches of HPP4 and HPP 11 by the Respondent which I have found. The letter does not expressly concede breach of any HPPs (or IPPs) and can be read as conceding only that it was the use of the words "not for publication" in the April Report which may have created an expectation that the Applicant's health information would not be disclosed in the May Report.
I consider that it is appropriate that a further letter should be issued addressing and apologising for the Respondent's breaches of HPP 4 and HPP 11 in respect of the health information of the Applicant as identified in these reasons and for the distress and embarrassment caused to the Applicant as a result of those breaches.
As to the notice to be published on the Respondent's website, I do not think it is necessary to include the word "further" in the heading of the notice, and I consider that it would be sufficient for the notice to remain on the Respondent's website for a period of three months.
To the extent the Applicant also seeks relief in terms of an order that the Respondent's General Manager be "stood down" or that the breaches be referred to the NSW Police Force such orders would not be appropriate on the facts before the Tribunal and, in any event, would not be "incidental to" the orders the Tribunal is empowered to make and would be beyond the power of the Tribunal to make: EIG v North Sydney Council [2021] NSWCATAD 313 at [59].
[8]
Orders
1. Pursuant to s 64 Civil and Administrative Tribunal Act the publication or broadcast of the name of the Applicant in these proceedings is prohibited. Note: A reference to the name of the Applicant includes a reference to any information, picture or other material that identifies the Applicant or is likely to lead to the identification of the Applicant.
2. Within 14 days of the date of these Reasons for Decision the Respondent is to provide an unreserved formal written apology to the Applicant addressing and apologising for the Respondent's breaches of HPP 4 and HPP 11 in respect of the health information of the Applicant as identified in these Reasons for Decision and for all distress and embarrassment caused to the Applicant by such.
3. Within 14 days of the date of these Reasons for Decision the Respondent must publish an anonymous notice not identifying the Applicant (in accordance with the publication restriction) in the 'Latest News' section of the Respondent's website, under the heading "Council found to have committed privacy breaches" and noting Order 2 of the Tribunal in relation to the Respondent's breaches of HPP 4 and HPP 11 and such notice must stay up for a period of 3 months from publication.
[9]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 20 April 2022
Parties
Applicant/Plaintiff:
EIG
Respondent/Defendant:
North Sydney Council
Legislation Cited (6)
Privacy and Personal Information Act 1998(NSW)
Health Records and Information Privacy Act 2022(NSW)
The following facts emerge from the evidence before the Tribunal and, unless otherwise indicated, are not in dispute.
The Respondent's Council meetings are governed by a series of different instruments including the Local Government Act 1993 (NSW) (LGA), the Local Government (General) Regulation 2005 (LG Regulation), the Model Code of Practice for Local Councils in NSW 2018 (Model Code) and the Respondent's Code of Meeting Practice made under s 360 of the LGA (Code).
The Code provides at s 5.2 that:
A Councillor cannot participate in a meeting of the Council or a Committee of the Council unless personally present at the meeting.
Accordingly, prior to the outbreak of the Covid pandemic, the Respondent's Councillors were not permitted to participate in Council meetings remotely.
In response to the outbreak of the pandemic, the LGA was amended to allow Councils to meet remotely to assist them to manage the risk of transmission of Covid at their meetings and to ensure compliance with relevant Public Health Orders. Those amendments were initially to operate for a period of six months, but were later extended to apply until 26 March 2021.
On 22 September 2020 the Office of Local Government (OLG) issued Circular 20-37 to all Councils titled "Status of special Covid-19 measures" which relevantly stated:
Councillors and council staff may attend council and committee meetings in person. However, councils must continue to allow councillors and staff to attend and participate in meetings by audio-visual links where it is reasonably practicable to do so.
In accordance with these amendments, up until 26 March 2021 the Respondent's Councillors were permitted to attend Council meetings remotely. They were not required to request permission to do so or provide reasons.
In March 2021 the OLG issued a consultation paper seeking feedback from Councils and others on proposed amendments to the Model Code which would allow individual Councillors to attend Council meetings remotely using audio-visual links in certain circumstances.
On 9 March 2021 the OLG issued Circular 21-01 titled "Transitioning back to in-person council and committee meetings and consultation on proposed changes allowing remote attendance at meetings" which stated that, while consultation in relation to the proposed amendments to the Model Code was ongoing, amendments would be made to the LG Regulation to allow Councils to give approval to individual Councillors to attend council meetings remotely for the period up to December 2021. It noted that the decision to permit Councillors to attend remotely would be at Council's discretion and stated:
Councils should only give approval for councillors to attend meetings by audio-visual link in exceptional circumstances, for example, because the councillor is prevented from attending the meeting due to illness, disability, carer responsibilities, a natural disaster or because the councillor is away from the local area on council related business.
On 1 April 2021 OLG issued a further Circular to Councils 21-02 titled "Temporary exemption from the requirement for councillors to attend meetings in person" which stated:
As of 26 March 2021 councils are now required under section 10 of the Local Government Act 1993 to hold meetings of the council … in physical venues …
The Regulation amendment operates to exempt councils from the requirement under clause 5.2 of the Model Meeting Code for councillors to be personally present at a meeting in order to participate in it.
For the period in which the Regulation amendment is in force, councils have the option to permit councillors to attend and participate in meetings remotely by audio-visual link should councils choose to do so.
Councils are not required to amend their codes of meeting practice to allow councillors to attend meetings remotely by audio-visual link while the Regulation amendment is in force but should adopt procedures governing attendance by councillors at meetings by audio-visual link to supplement their codes of meeting practice. Suggested procedures are attached to this circular.
…
In dealing with requests by councillors to attend meetings by audio-visual link on grounds of illness, disability or caring responsibilities, councils must ensure they comply with the Health Privacy Principles prescribed under the Health Records and Information Privacy Act 2022.
The attached suggested procedures provided:
Requests by councillors to attend meetings remotely by audio-visual link must be made in writing to the General Manager…and must provide information about the meetings the councillor will be prevented from attending in person and the reason why the councillor will be prevented from attending in person.
A resolution by the council or a committee of the council permitting a councillor to attend one or more meetings by audio-visual link must provide the following information:
The grounds on which the councillor is being permitted to attend meetings remotely by audio-visual link, but not where those grounds relate to illness, disability or caring responsibilities, and
Details of the meetings the resolution applies to.
…
The council must comply with the Health Privacy Principles prescribed under the Health Records and Information Privacy Act 2022 when collecting, holding, using and disclosing health information in connection with a request by a councillor to attend a meeting remotely by audio-visual link.
Mr Ian Curry, Manager Governance and Committee Services, sent a memorandum to all Councillors on 7 April 2021 (7 April Memo) attaching OLG Circular 21-02 and stating:
In essence, this Circular advises that the Local Government Regulation has been amended to enable councils to permit Councillors to attend meetings remotely through to 31 December 2021. The procedures attached to the Circular advise that:
1.Approval to attend meetings remotely must be requested by the relevant Councillor;
2. It must be approved by resolution, either for a single or multiple meetings, for approval to be given;
3.The grounds for which the Councillor is being permitted to attend remotely must be stated, but not where those grounds relate to illness, disability or caring responsibilities.
In light of the above, it is intended to present a report to the next Ordinary Meeting recommending that approval be granted to Councillors that seek to continue to attend meetings remotely through until the conclusion of this term. To assist in the preparation of this report, Councillors who wish to attend Council Meetings or Council Committee Meetings remotely should advise Governance in writing (including email) by C.O.B on Thursday, 15 April. The advice should include whether the request is to be permitted to attend all meetings/Committee Meetings remotely or identify the specific meetings for which this is sought. Brief reasons should also be provided. In accordance with the advice from OLG, the privacy of Councillors in submitting these requests will be maintained and where the reason relates to illness, disability, or caring responsibilities, it will not be publicly disclosed.
The Applicant sent an email to Mr Curry on 15 April 2021 in response stating:
I request to attend all meetings of Council (Council meetings, briefings, reference groups etc) remotely/by audio visual link for the next 6 months in accordance with medical advice.
I ask that my reasoning and this information remain confidential and that my privacy is maintained.
On 22 April 2021 reports for the April Meeting were published on Council's website. The report titled "3.2 Remote Attendance by Councillors at Council Meetings" (April Report) noted that requests had been received from a number of Councillors to attend meetings remotely and included a table identifying those Councillors who had made such a request.
Against the Applicant's name in that table the April Report identified that the Applicant had made a request in respect of all meetings for the next 6 months and under the heading "Reason" stated "Not for public disclosure".
On 23 April 2021 Mr Curry sent a further email to all Councillors which stated:
I refer to Item 3.2 of the 26 April Ordinary Council Meeting regarding remote access by Councillors at Council meetings.
In order to make a more informed decision, Councillors have sought additional information in respect to the requests from [two Councillors including the Applicant] to attend meetings remotely.
It was put to Mr Gouldthorp in cross-examination that the statement that Councillors had sought additional information was incorrect as the Councillors at that time did not have the information that had been provided thus far by the Applicant in respect of their request. Mr Gouldthorp said that he did not know what additional information may have been requested of Mr Curry by other Councillors as he had not been a party to those discussions and was not the author of this email. I do not think anything turns on whether this statement is correct for the purposes of the issues before the Tribunal.
In the meeting on 26 April 2021 a motion that the Applicant's (and other Councillors') request be "approved for the Ordinary Meeting of the 26 April 2021 and further applications will be considered at a later meeting" was carried.
Before that motion being carried there was a motion put by one Councillor and seconded by another which was lost, which was, according to the minutes of that meeting:
THAT the request by [the Applicant] to attend meetings remotely for the balance of the term should be declined due to insufficiency of information in [the Applicant's] application on which to make an informed decision and that the Applicant has also been able to attend other external meetings
In their statement dated 15 February 2022 the Applicant annexes a transcript that they have prepared of the 26 April 2021 meeting from the recording of that meeting which is on the Respondent's website. The Applicant says that the transcript shows that it was only one Councillor who expressed the view in that meeting that the information the Applicant had provided was not sufficient to support a request for remote attendance. The Respondent does not accept that the transcript is a full and complete transcript of the meeting because, it says, there may have been discussions or comments made by Councillors present who did not have their microphones on and could not be heard on the recording. The Applicant did not accept this proposition under cross-examination. I do not, however, need to determine whether the transcript is full and complete. In my view, nothing turns on this as whether or not it was only one Councillor who had expressed such a view is not relevant to the issues before the Tribunal.
On 12 May 2021 Mr Curry sent a further email to all Councillors again referring to OLG Circular 21-02 and stating:
Those Councillors seeking to attend the 24 May 2021 Ordinary Meeting remotely must therefore lodge their request in writing by COB this Friday 14 May 2021
…
The written request must provide the reason the Councillor will be prevented from attending the meeting and sufficient substantiation to satisfy the Council that attendance in person is prevented because of illness, disability, caring responsibilities or such other reason that is acceptable for the Council Committee. Medical Certificates, Statutory Declarations or other supporting evidence may be attached to the request.
In accordance with the OLG Circular, Council must comply with health privacy principles prescribed under the Health Records Information Privacy Act 2022, when collecting, holding, using and disclosing health information in connection with the request by Councillor to attend a meeting remotely.
A number of questions were put to Mr Gouldthorp by the Applicant's representative in the course of cross-examination as to whether this amounted to a request for "more information" or merely "substantiation". I do not consider that the difference, if any, has any relevance to the issues before me.
On 14 May 2021 the Applicant sent to an email to "Governance" which stated:
I request to attend all meetings of Council, including Council meetings, briefings, reference groups etc remotely for the next 5 months in accordance with medical advice. Please find attached a Medical Certificate.
I ask that my reasoning and this information remain confidential and that my privacy is maintained.
On 19 May 2021 Mr Curry and Mr Gouldthorp reviewed the draft report to be provided at the 24 May 2021 Ordinary Meeting in relation to the requests made by Councillors including the Applicant to attend meetings remotely. It was decided to include the word "Medical" as the reason for the Applicant's request to attend remotely in the report to Council and to distribute the Medical Certificate attached to the Applicant's email to the other Councillors confidentially. Mr Gouldthorp accepted in cross-examination that he was responsible for that decision.
On 20 May 2021 reports for the May Meeting were published on Council's website including the report titled "3.01 Remote Attendance by Councillors at Council Meetings" (May Report) which notes the reason for the Applicant's request to attend meetings for the next 5 months remotely as "Medical (see separate confidential memo)."
Mr Gouldthorp says that in taking this approach he had regard to Council's obligations under the LGA and the LG Regulation to observe the principles of open and transparent government. He says he also considered that Circular 21-02 emphasised that Councils must comply with the HPPs under the HRIP Act and that in his view that Circular created the expectation that "health information" would not be publicly disclosed in the process of receiving and determining requests by Councillors to attend remotely. It was his view, however, that the word "Medical" was not "health information" and it could be included in the open report. However, he considered the Medical Certificate was health information so it was not included and was distributed confidentially to Councillors. In coming to this view he believes he would have clarified this position with his advisers.
The Applicant was not advised that it was proposed to adopt this approach. Mr Gouldthorp said in cross-examination that, having formed the view that the word "Medical" was not "health information" he did not see the need to inform the Applicant that this approach was to be adopted.
During cross-examination the Applicant also said that they had no expectation that the Medical Certificate that they had provided would be provided confidentially to other Councillors. It was the Applicant's expectation, they say, that the other Councillors would merely be informed that substantiation by way of a Medical Certificate had been provided. I note that this is not conduct that was the subject of the internal review and therefore beyond the scope of this application.
The Applicant has in both their written submissions and statements and in closing submissions at the hearing made certain submissions as to Mr Gouldthorp's alleged motives in including the word "Medical" in the May Report and taking the approach that he did. These allegations were not put to Mr Gouldthorp in cross-examination and, while the Tribunal is not bound by the rules of evidence, procedural fairness dictates that I pay no regard to them, and I do not.
The Applicant has also made reference to findings made by another court in unrelated proceedings as to the reliability of Mr Gouldthorp's evidence in those proceedings. Again, this was not put to Mr Gouldthorp and I pay no regard to those aspects of the Applicant's statements and submissions.
I accept the explanation provided by Mr Gouldthorp as to why he took the approach to the May Report that he did.
At the meeting on 24 May 2021 the Applicant's request to attend meetings for the next 5 months remotely was denied. This, however, is of no relevance to the questions before me. Nor are the reasons as to why that request was declined. I accordingly pay no regard to Mr Gouldthorp's evidence in this regard nor the Applicant's statements and submissions in relation to that issue. The Applicant has also prepared a transcript of the discussion at that meeting in relation to their application to attend meetings remotely and has annexed that transcript to their most recent statement. The Respondent does not accept the transcript is full and complete and again the Applicant did not concede that possibility under cross-examination. Again, I do not need to determine whether the transcript is full and complete. Nothing turns on this as I do not consider the discussion at the meeting to be relevant to the question of whether the inclusion of the word "Medical" in the May Report was in breach of an IPP or HPP.
The Applicant says, and I accept, that the disclosure of this information caused them significant distress. They had kept the fact of their medical condition private to themselves and their spouse only and had not wished to discuss it with anyone, including their children at this stage. The disclosure of that information has meant that they had no choice but to discuss their medical condition with their children at a time not of their choosing as well as with constituents, friends and members of the public. The Applicant was also concerned at the time that the disclosure of that information would negatively impact their re-election prospects at the local government elections last September.
The Applicant sought an internal review on 5 July 2021. The NSW Information & Privacy Commission (IPC) was requested to oversee an independent investigation. The IPC declined to do so. An internal review was undertaken with the assistance of Salinger Privacy and the Applicant was advised of the outcome of that review on 3 September 2021. Both Salinger Privacy and the internal review concluded that the information was not "health information" but was "personal information" for the purposes of the PPIP Act. Whereas Salinger Privacy concluded that the Respondent had breached the IPPs contained in s 10 and s 18 of the PPIP Act, the internal review concluded that any non-compliance was permitted under s 25 of the PPIP Act which provides that an agency is not required to comply with the IPPs if non-compliance is permitted under another Act and, here, the internal review concluded that non-compliance was permitted under the LGA.
The Applicant has made much of whether Salinger Privacy were originally tasked to carry out the review rather than assist with it and of the fact that the independent review came to a different conclusion than Salinger Privacy. However, whether Salinger Privacy were engaged to carry out the review or assist the Respondent to do so is not an issue that the Tribunal needs to determine. The Tribunal's task is not to review the internal review decision, but rather to review the conduct that was the subject of the independent review and to make the correct and preferable decision in respect of it: s 63 ADR Act, DED v Randwick City Council [2017] NSWCATAD 327 at [50].
The Applicant then filed the application for external review by this Tribunal at which time the May Report remained on the Council's website. Amongst the orders sought by the Applicant were orders that the disclosure in the May Report of the Applicant's reason for requesting to attend meetings remotely be removed from the Respondent's website and an order requiring an unreserved formal written apology to the Applicant addressing and apologising for the Respondent's breaches of the relevant privacy laws.
On 20 December 2021 the General Manager issued to the Applicant a letter which (after noting some of the procedural background) stated:
The 26 April 2021 meeting was, therefore, the first time the Council's staff had to consider the manner in which requests for remote attendance be recorded in the agenda, business papers and minutes of meetings.
I have read the review completed by Salinger Privacy in response to your request for an internal review. I have also read the findings of internal review completed by the Council's Executive Manager Governance and Privacy Contact officer. Although both Salinger Privacy and Council's Executive Manager Governance each concluded that the use of the word "medical" did not amount to a disclosure of health information, they appear to differ with respect to whether it was appropriate (in accordance with the provisions of the Privacy and Personal Information Protection Act 1998) to identify "Medical" as the reason for your request to attend meetings remotely in the agenda for the 24 May 2021 meeting.
Notwithstanding this difference of opinion, I accept that the use of the words "not for public disclosure" in the agenda for the 26 April 2021 ordinary meeting created an expectation that when you made a similar request prior to the 24 May 2021 ordinary meeting, that the information would be identified in a similar manner.
Accordingly, the Council unreservedly apologises to you for including in the published agenda of the 24 May 2021 meeting that the reason for your requested remote attendance was "Medical". The Council also apologises for any distress and embarrassment caused to you by including in the published agenda that the reason for your requested remote attendance was "Medical".
I have also instructed Council staff to remove the word "Medical" from the online versions of the published agenda of the 24 May 2021 meeting.
On that date the word "Medical" was redacted from the Report available on the Respondent's website.