Around 25 June 2020 the Respondent established the Dedicated Email and used the Applicant's student ID number to create the associated email address to be used with the Dedicated Email. The Dedicated Email was established and is managed and operated solely by the Respondent and all information held in the Dedicated Email is accessible 'only' to the Respondent's Users but is accessible to all of them at all times. That is, each of the Respondent's Users can access all information held in the Dedicated Email, send emails and amend or modify the content of received emails or create new content before sending/forwarding such on within the Respondent or to the Applicant (uses) or to others outside the Respondent (disclosures). The Applicant has no access to the contents or functionality of the Dedicated Email.
The associated email address (also established and controlled by the Respondent) used with the Dedicated Email is similar to the email account/address previously established by the Respondent on behalf of the Applicant for the Applicant's use and which email account is 'controlled' by the Applicant as a student of the Respondent. This Applicant controlled email address is "[Applicant's student ID number]@uon.edu.au" (rather than the Dedicated Email associated email address which is "student [Applicant's student ID number]@newcastle.edu.au"). "UON" is an abbreviation of the University of Newcastle.
By email dated 7 July 2020, some two weeks after the creation of the Dedicated Email, the Vice‑Chancellor of the Respondent informed the Applicant that an unattributed (to an individual author)/anonymous email sent from the Dedicated Email dated 26 June 2022 to the Applicant was, in fact, a legitimate email from the Respondent. That unattributed 26 June 2022 email notified the Applicant of the establishment of the Dedicated Email (and its associated email address) and required that the Applicant use (with only two limited exceptions) the Dedicated Email (i.e. the associated email address) for all correspondence and interactions with/to all staff, employees and parts or Units of the Respondent (i.e. all of the Applicant's correspondence must be routed via the Dedicated Email and one or more of the Respondent's Users would then consider whether or not to send it on and whether in its original form or after modifying it to the relevant addressees and/or any one else). The Applicant was informed in that 26 June 2022 email that the Dedicated Email and the associated email address will also be used exclusively for all communications from the Respondent (i.e. from all staff, employees, Units or parts of the University) to the Applicant. That is, all of the Respondent's correspondence to the Applicant will also be routed via the Dedicated Email.
It was confirmed during the Respondent's internal review investigation that the Respondent's Users were some five members of staff, employees and possibly groups of the Respondent's staff and that some (if not all) of the Respondent's Users have full access to all 'administrator' functionality of the Dedicated Email account. This is in addition to the full read and write access which all of the Respondent's Users have to read, write (i.e. create), modify, delete, send, forward and copy all of the Applicant's personal and health information collected by and held in the Dedicated Email.
The Applicant requested an internal review by the Respondent on 4 December 2020 as regards their personal information under the PPIP Act and under the Health Records and Information Privacy Act 2002 (HRIP Act) as regards their health information (IR Request). On several occasions prior to lodging the IR Request the Applicant raised their concerns and complained in writing to the Respondent about, among other things, the validity, security, transparency and privacy impacts of both the establishment and ongoing use of the Dedicated Email and the associated email address by the Respondent. On some of those occasions the Applicant's concerns and complaints were responded to on an unattributed basis by the Respondent and, on occasion, such were attributed to the Vice‑Chancellor using the Dedicated Email and the associated email address as the sender of those emails. These responses confirmed that the Respondent will use and requires the Applicant to use the Dedicated Email as the hub or conduit for all correspondence, communications and interactions between the Applicant and the Respondent. No specific detail as to how the Dedicated Email would operate as that hub or conduit (e.g. the extent to which any personal or health information would be used, passed on, modified, etc) was provided to the Applicant in these responses. These responses (none of which were attributed to the Respondent's IT service) also stated (without providing any detail) that the Dedicated Email and the Applicant's personal and health information held in the Dedicated Email by the Respondent was secure because the Dedicated Email was 'established as an email account of the Respondent'.
The IR Request was the subject of an internal review by the Respondent pursuant to s 53 PPIP Act. The outcome of that internal review was communicated by the Respondent to the Applicant, some 72 days after the IR Request, by letter dated 15 February 2021 (IR Decision).
On 15 March 2021, the Applicant filed an application for administrative review by the Tribunal under ss 53(6) and 55 PPIP Act (AR Application) to commence the AR Proceedings. However, the conduct of concern the subject of the AR Proceedings is that detailed by the Applicant in the IR Request. In the IR Request the Applicant states that the conduct of concern relates to the Respondent's collection, use, disclosure and the accuracy, security and transparency of and access to the Applicant's personal information and health information related to the establishment and use of the Dedicated Email (and the associated email address) by the Respondent (see [13] below). The Applicant also alleges in the IR Request that this conduct of concern results in the contravention by the Respondent of various Information Privacy Principles (IPPs) as regards their personal information and various Health Privacy Principles (HPPs) as regards their health information (see [15] below).
The IR Request
In summary and most relevantly, the conduct of concern of the Respondent raised by the Applicant in the IR Request for the Respondent's internal review (Conduct of Concern) is that:
1. The Respondent used the Applicant's student identity number (i.e. their personal information) to create the Dedicated Email and the associated email address without the Applicant's consent.
2. The Applicant's personal information and health information has been misused in both the establishment and ongoing use of the Dedicated Email.
3. The Applicant was forced to send all correspondence to and receive all correspondence from the Respondent (all staff, employees, parts and Units of the Respondent) using (i.e. via) the Dedicated Email, with only two limited exceptions.
4. The Applicant was not informed of what of their personal or health information was being collected and held or who could access and use such information held in the Dedicated Email or how they could use it and who could use what other functionality of the Dedicated Email. That is, the Applicant was not informed of who could access, modify, create new content, delete, share, send emails, copy, print out or forward the Applicant's personal information and health information using the Dedicated Email. The Applicant also has no access to the contents or functionality of the Dedicated Email. That is, no 'transparency' (i.e. awareness) as to (a) what of the Applicant's personal and health information is collected and held by the Respondent using the Dedicated Email and (b) who their personal and health information is accessed by, sent to or what else is done with it.
5. All staff, employees, Units and parts of the Respondent using the Dedicated Email including the associated email address (i.e. in addition to the Respondent's Users) breach the confidentiality and privacy of the Applicant's personal and health information by sharing it with all of the Respondent's Users (i.e. those who have access to all of the information held in the Dedicated Email), irrespective of the need for each of the Respondent's Users to access it to perform their specific duties.
6. Soon after the creation of the Dedicated Email, on 25 June 2020, the Respondent's IT service confirmed to the Applicant that the Dedicated Email did not exist in the Respondent's 'secure portal' (i.e. it was not a secure email account of the Respondent) and yet the Respondent insisted on using the Dedicated Email.
7. The Respondent has failed to assure the Applicant (through a valid resource - i.e. the Respondent's IT service) of the security of the Dedicated Email and, despite repeated requests, certain of the Respondent's employees have not confirmed the validity of certain unattributed/anonymous emails and information provided to the Applicant using the Dedicated Email.
8. The Respondent, as controller of the Dedicated Email, the Respondent's Users and any other receivers and senders of emails using the Dedicated Email and the associated email address are often unidentified in the emails sent and received using the Dedicated Email.
9. Given the closeness of the Dedicated Email's associated email address to the Applicant controlled official University of Newcastle student email address, the Applicant is concerned that it may not be clear to recipients of an email sent using the Dedicated Email's associated email address whether the Applicant's personal information being shared by email actually comes from the Respondent (and which of the Respondent's staff) or if they assume that it comes from the Applicant.
10. There has been no transparency (i.e. notice) from the Respondent as to what of the Applicant's personal information and health information is collected, used and/or disclosed by the Respondent using the Dedicated Email and with whom it is shared.
11. Use of the Dedicated Email restricted the Applicant's knowledge of and access to their personal and health information held by the Respondent because relevant parts/Units of the Respondent refused to provide the Applicant with any information when the Applicant communicated directly with them (i.e. when not using the Dedicated Email) and the Applicant has no access to the contents or functionality of the Dedicated Email.
Despite [13(10)] the Applicant is aware that the Applicant's personal and health information collected and held by the Respondent using the Dedicated Email includes, at least, the following:
1. the Applicant's confidential complaints and allegations against another student in respect of plagiarism;
2. the Applicant's confidential thesis examination reports sent to/accessed by unidentified users of the Dedicated Email (which the Applicant suspects had no reason to access such);
3. the Dedicated Email has also been used to disclose the Applicant's personal information (in particular the thesis reports) to parties external to the Respondent; and
4. the Applicant received an anonymous/unattributed email from the Dedicated Email (i.e. with no indication as to who the email was authored by) disclosing information about a private face‑to‑face meeting offer from the Dean of Graduate Research. However, the Applicant's enquiries as to whether this was really from the Dean of Graduate Research and was a real offer of a meeting were not answered by the Dean of Graduate Research.
In the IR Request the Applicant alleges that the Conduct of Concern results in contraventions of the IPPs and HPPs by the Respondent related to the use, collection, disclosure, accuracy, security and transparency of and their access to their personal information and health information. The Applicant also alleges that the Conduct of Concern breaches the Respondent's obligations of confidentiality to the Applicant and certain of the Respondent's IT policies. In summary and most relevantly, in section 6 of the internal review application form used for the IR Request, the Applicant alleges, under the heading "[what] … describes your complaint", that the Conduct of Concern results in contraventions by the Respondent of the IPPs and HPPs relevant to the following:
1. the collection of the Applicant's personal or health information;
2. the security or storage of the Applicant's personal or health information;
3. the refusal to let the Applicant access or find out about the Applicant's personal or health information;
4. the accuracy of the Applicant's personal or health information;
5. the use of the Applicant's personal or health information;
6. the disclosure of the Applicant's personal or health information; and
7. "other".
In an email to the Applicant dated 8 December 2020 (8 December 2020 Email) the Respondent acknowledges receipt of the IR Request and confirms its understanding that the IR Request relates to (and thus that the Respondent's internal review will consider) the specifically alleged breaches of IPPs 3, 5, 6, 7, 10 and 11 and HPPs 4, 5, 6, 7, 10 and 11 resulting from the Conduct of Concern and notes specifically:
"It is my understanding from the privacy complaint … that you are seeking an internal review in relation to various alleged breaches of the [IPPs] and potentially the [HPPs] that are associated with the establishment of a "dedicated email address". These alleged breaches include, but are not limited to allegations concerning the use of your personal information without consent and the unauthorised disclosure of your personal information, including your Student ID and email. You also raise a specific concern that you have been prevented from making a privacy complaint by the establishment of the "dedicated email address". You also make reference to concerns around the potential for disclosure of your health information." [emphasis added]
The IR Decision
The IR Decision notes the Respondent's findings, in summary and most relevantly, as follows:
1. On 7 July 2020 the University Vice‑Chancellor sent an email from the Dedicated Email, in response to a letter from the Applicant raising concerns about the Respondent's use of the Dedicated Email, and the Vice‑Chancellor informed the Applicant:
"I confirm that the email address - student [student ID number]@newcastle.edu.au - is a valid University of Newcastle account.
As outlined in the email to you of 26 June 2020, this email account has been established as a dedicated central point for all contact between you and the University, with the following two exceptions:
1. Any correspondence from you or any solicitor who represents you, directly concerning your proceedings in NCAT. …
2. Any correspondence between you and unit of the University for the purpose of communicating with medical or allied health practitioners.
To ensure your enquiries are dealt with as efficiently as possible, I confirm that you should please use the dedicated email address student [student ID number]@newcastle.edu.au to correspond with the University."
2. On 8 July 2020 the Respondent sent the Applicant an email from the Dedicated Email (with no individual sender or author attributed) which informed the Applicant as follows:
"Clause 42 of the Information Technology Conditions of Use Policy permits us to create and direct you to this account.
● In accordance with clause 39 of the Information Technology Conditions of Use Policy, access to this email account is limited to those who need to know.
● The email account is no different to any other standard student email account in terms of security.
● The University conducts itself in accordance with its Privacy Management Plan and its Code of Conduct.
…
We confirm that we expect you to correspond to the University using this email address only. … We consider that we have made a reasonable request to you to direct your communication to this account. Please ensure you comply with this request as any correspondence directed outside of this will no longer be responded to."
3. The Respondent's Information Technology Conditions of Use Policy (IT Policy) and Privacy Management Plan (PMP) are relevant to the Applicant's IR Request/complaint as follows:
1. Section 7 of the IT Policy gives the University broad powers to monitor its information assets, including email. This includes "… the right to view, modify, copy, move, delete or otherwise handle as it sees fit the data and information assets stored on and accessed through the University's ICT Resources, irrespective of any ownership or other rights claimed over the data or information assets (clause 49)".
2. Section 9 of the IT Policy outlines that "the University's ICT Resources are electronically safeguarded and maintained in accordance with current best practice, [however], no guarantee can be given regarding the confidentiality, integrity and availability of any information …".
3. The PMP is relevant to your complaint. In particular, section 5 of the PMP states that the Respondent collects personal or health information for particular purposes relating to its functions, including "Set‑up of accounts and systems (i.e. email account), communication with students (including via email), complaints or investigations".
4. Section 6 of the IR Request indicated that the following IPPs are relevant to the Applicant's complaint:
1. collection of your information - IPPs 1‑4;
2. security or storage of your personal information - IPP 5;
3. accuracy of your personal information - IPP 6 (although this was likely intended to be IPP 9 given it is related to accuracy not transparency);
4. refusal to let you access your personal information - IPP 7;
5. use of your personal information - IPP 9 (although the reference is to s 17 and use and therefore is likely meant to be IPP 10); and
6. disclosure of your personal information - IPP 11.
The IR Decision then proceeds, after repeating (except for IPP 6) the relevant IPPs identified in the 8 December 2020 email (see [16] above) and the IR Request plus IPP 9, to only consider IPPs 3, 5, 7, 9, 10 and 11 (Limited IPPs) and primarily only in respect of the creation of the associated email address for the Dedicated Email using the Applicant's student ID which is only a small part of the Conduct of Concern (Limited Scope Conduct of Concern). The IR Decision finds in each case, occasionally noting the lack of information or evidence presented by the Applicant as a basis for such findings, that there was no breach of the Limited IPPs resulting from the Limited Scope Conduct of Concern.
Despite the Respondent's acknowledgment in the 8 December 2020 Email (see [16] above), there was no consideration or discussion in the IR Decision of the Conduct of Concern in relation to IPP 6 or any HPPs, let alone HPPs 4, 5, 6, 7, 10 or 11 identified in the IR Request and acknowledged by the Respondent in the 8 December 2020 Email as relevant to the IR Request.
In response to a draft of the Respondent's internal review decision provided by the Respondent to the Information Privacy Commission (IPC), the IPC recommended to the Respondent in its letter dated 11 February 2021 that:
"The internal review [ie as detailed in the Respondent's draft IR Decision] would benefit from addressing:
● whether the agency's collection of the Applicant's personal information via the dedicated email address amounts to a collection under the principles;
● how the collection principles apply to information sent to the dedicated email. In particular, who has access to the correspondence sent to the dedicated email address. IPP 3(c) is relevant in requiring agencies to make individuals aware of the intended recipients of any personal information collected; and
● compliance with any collection principles that apply in relation to any personal information sent to the dedicated email address."
The IR Decision (i.e. the final version provided to the Applicant on 15 February 2022) does not specifically address (a) the matters raised by the IPC (noted in [20] above), (b) despite the acknowledgement in the 8 December 2020 Email, the use of the Dedicated Email to collect and hold the Applicant's personal and health information, (c) IPP 6 or (d) any potentially applicable HPPs. Also, the IR Decision does not detail any consideration of or conclusion as to what personal and health information of the Applicant is collected/held by the Respondent by its use of the Dedicated Email. Despite the IR Request, the Respondent's acknowledgement in the 8 December 2020 Email and the IPC's letter dated 11 February 2021, the IR Decision is almost exclusively focused on (a) the use of the Applicant's student ID number to establish the associated email address of the Dedicated Email and (b) the fact that the Respondent notified the Applicant of the Dedicated Email and required them to use it in accordance with various policies of the Respondent and the directions of the Vice‑Chancellor. The IR Decision does not address the use, disclosure, transparency, security, accuracy or other aspects of any (and what types of) personal information and health information of the Applicant that is collected or held by the Respondent by the use of the Dedicated Email.
The AR Application and s 58 ADR Act documents
The AR Application attached the IR Request and noted, among other things, that:
"I believe that my privacy is breached because my unique student ID is used without my consent and notice for making an email account while I do not have any access to the email account settings or know the addresses. Moreover, I do not have any authority to check what information (in relation to me) is being disclosed through the Dedicated Email Address. The University refuses to give me access to my information unless I accept that my privacy remains breached by them."
The Respondent filed the s 58 ADR Act documents some 12 months after the AR Application and, it appears, only after the prompting of the Appeal Panel in EJX v University of Newcastle [2023] NSWCATAP 105 (EJX Appeal). The Respondent then subsequently supplemented the s 58 ADR Act documents up to and including after the First Hearing (see [69] below).
Scope of administrative review proceedings under the PPIP Act and the HRIP Act
It is not in dispute that the Tribunal has administrative review jurisdiction to determine these matters pursuant to ss 53(6) and 55 PPIP Act, s 30 Civil and Administrative Tribunal Act 2013 (CAT Act) and s 63 ADR Act. Also, as regards any health information the subject of the Conduct of Concern and the AR Proceedings, s 21 HRIP Act provides that Part 5 PPIP Act applies to the conduct of an agency that is in contravention of any HPPs that apply to the agency and, for that purpose, a reference to personal information in Part 5 PPIP Act is taken to include health information (see DTN v Commissioner of Police (No. 3) [2020] NSWATAP 73 at [108]).
Several decisions of the Appeal Panel have set out some principles that govern the scope of a review of an agency's conduct under the PPIP Act (and thus the HRIP Act) by this Tribunal. In an application for administrative review of an agency's (i.e. in this case the Respondent's) conduct under s 55 PPIP Act the Tribunal is limited to reviewing the conduct of concern the subject of the original application for the internal review (in this case the IR Request) in relation to the potential resulting breaches of any IPPs and/or HPPs (as relevant). Therefore, in this case, the IR Request (not the IR Decision or the AR Application) frames the scope of the external administrative review by the Tribunal, in this case in the AR Proceedings. The 'conduct of concern' to be considered is a matter of fact to be determined by objectively and reasonably construing the IR Request, irrespective of the IR Decision or what it focussed on.
In administrative review proceedings the Tribunal does not have jurisdiction to review conduct of the Respondent that is not the subject of the application for internal review (i.e. the IR Request in this case): Department of Education and Training v GA (No 3) [2004] NSWADTAP 50 at [7]; Department of Education and Training v ZR (No 2) [2009] NSWADTAP 44 at [17]; and CEU v University of Technology Sydney [2018] NSWCATAD 13 at [77]. Nor does the Tribunal have jurisdiction under ss 52, 53 and 55 PPIP Act and s 21 HRIP Act to consider breaches by the Respondent (in this case) of any law, codes of conduct or policies other than of the IPPs, the HPPs and any applicable privacy codes of practice.
The application for internal review (i.e. the IR Request in this case) requires the Applicant to identify the conduct of concern in sufficient detail to allow the Respondent to determine whether such conduct results in any breaches of the IPPs and/or HPPs, as the case may be (see paragraph [7] of GA v Commissioner of Police, NSW Police Force [2004] NSWADT 254). However, as noted by the Tribunal in BVV v Commissioner of Police [2020] NSWCATAD 182, as regards the detail required in internal review requests:
[36] In cases where there is doubt as to whether the particularisation of the conduct is sufficient the applicant should have the benefit of the doubt. …
[46] The applicant is not required to provide evidence. It is sufficient for the applicant to have alleged conduct (being action by an agency or circumstances involving the agency) which might amount to a possible contravention of an information privacy principle.
The Tribunal's role is to review the conduct of concern in issue (in this case the Conduct of Concern) and, based on the material before the Tribunal, to consider whether such Conduct of Concern results in a contravention of any IPPs and/or HPPs by the Respondent and, if so, what if any action(s) should be taken by the Respondent. That is, in order for the Tribunal to make the correct and preferable decision in respect of the IR Request (in this case) in the circumstances and based on the material before the Tribunal.
The Tribunal's role is not to review (and its review is not limited to the findings of) the internal review report (i.e. the IR Decision in this case): DED v Randwick City Council [2017] NSWCATAD 327 at [51]. Often the internal review decision of an agency can assist the Tribunal's considerations but, in each case, the Tribunal must consider the conduct of concern afresh and, based on the evidence and other material before it at the time of the hearing(s), make the correct and preferable decision in the circumstances: Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 and KT v Sydney Local Health Network [2011] NSWADT 171.
It is the responsibility and obligation of the parties to administrative reviews by the Tribunal to ensure (and the Tribunal is entitled to assume) that the parties present all relevant evidence and make all relevant submissions on all matters in issue in the AR Proceedings (in this case) in order to assist the Tribunal to make the correct and preferable decision (see Insurance and Care NSW v EEH [2021] NSWCATAP 350 (iCare) at [27] and [61]). In this case, this includes submitting all relevant evidence and making all relevant submissions as regards all of the Conduct of Concern and alleged resulting contraventions of the IPPs and HPPs referred to in (or reasonably understood from) the IR Request so that the Tribunal may make the correct and preferable decision in the AR Proceedings on all of the matters within the Tribunal's administrative review jurisdiction.
As to the onus and standard of proof in administrative reviews by the Tribunal, the predecessor of the Tribunal explained in GV v Office of the Director of Public Prosecutions [2003] NSWADT 177 that:
[36] … concepts relating to the onus of proof and standard of proof, in the absence of any legislative assistance, are not applicable in the Tribunal's [PPIP Act] reviews … The primary reason for this is that even if a 'contravention' of the information protection principles is found to have occurred, the Tribunal's power to make orders, including damages orders, is entirely discretionary …
In addition, the Tribunal noted in NX v Office of the Director of Public Prosecutions [2005] NSWADT 74 at [33] that:
"… a person who has relevant material in their possession should put that material before the Tribunal. If facts are peculiarly within the knowledge of one party to an issue, a failure by that party to produce evidence as to those facts may lead to an unfavourable inference being drawn."
Section 30(2)(b) CAT Act confirms that the Tribunal may exercise the functions that are conferred or imposed on it by the CAT Act, the ADR Act and the enabling legislation (i.e. PPIP Act and HRIP Act in this case) in connection with the conduct and resolution of the AR Proceedings (in this case). By s 63(2) ADR Act, in an administrative review the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the 'administrator' who made the relevant decision. In this case the relevant administrator is the person making the IR Decision, even though the IR Decision itself is not per se the subject of the review by the Tribunal.
PPIP Act
'Personal information' is defined by s 4(1) PPIP Act as:
"personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
Section 4 PPIP Act also provides a clarification as regards the collection and holding of personal information by agencies as follows:
…
(4) For the purposes of this Act, personal information is held by a public sector agency if:
(a) the agency is in possession or control of the information, or
(b) the information is in the possession or control of a person employed … by the agency in the course of such employment …
(5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.
As noted in AIN v Medical Council of New South Wales [2017] NSWCATAP 23 at [112], the definition of 'personal information' in the PPIP Act is broad and is to be interpreted broadly. The Full Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 found at [64], in applying the then very similar definition of 'personal information' in the Privacy Act 1988 (Cth), that:
The words 'about an individual' direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not 'about an individual' it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion. [emphasis added]
The IPPs are set out in Part 2 of the PPIP Act (ss 8‑19) which, most relevantly in this case, include IPPs 3, 5, 6, 7, 9, 10 and 11 in relation to the collection, use, disclosure, accuracy, security and transparency of and access to the Applicant's relevant personal information the subject of the Conduct of Concern.
Section 10 PPIP Act (IPP 3) provides as follows:
10 Requirements when collecting personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following -
(a) the fact that the information is being collected,
(b) the purposes for which the information is being collected,
(c) the intended recipients of the information,
(d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e) the existence of any right of access to, and correction of, the information,
(f) the name and address of the agency that is collecting the information and the agency that is to hold the information.
Section 12 PPIP Act (IPP 5) relates to the security of personal information. A public sector agency that holds personal information must ensure, most relevantly:
…
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and …
The Applicant bears the burden of adducing some evidence to suggest that appropriate measures have not been taken to protect their personal information as required by IPP 5. However, this burden is not high because the knowledge of how the information in question is protected and what security safeguards were considered and are actually in place is held by the Respondent (in this case). Common sense therefore dictates that the party which has relevant information in its possession should put that information before the Tribunal. Further, as noted in [32], if facts are mostly within the knowledge of one party to an issue a failure by that party to produce evidence as to those facts may lead to an unfavourable inference being drawn by the Tribunal.
The Privacy Commissioner in 'Privacy NSW, A Guide to the Information Protection Principles, 1999' (Guide) states that the appropriate level of security required will depend on both the nature of the information and the medium in which it is stored. At page 17 of the Guide it is noted that "if information is extremely sensitive or likely to find an illicit market it should receive more comprehensive protection". The Tribunal followed this approach in ALZ v Workcover NSW (No 2) [2014] NSWCATAD 122 at [32] and has since continued to apply it.
Section 13 PPIP Act (IPP 6) provides:
13 Information about personal information held by agencies
A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain -
(a) whether the agency holds personal information, and
(b) whether the agency holds personal information relating to that person, and
(c) if the agency holds personal information relating to that person -
(i) the nature of that information, and
(ii) the main purposes for which the information is used, and
(iii) that person's entitlement to gain access to the information.
Section 14 PPIP Act (IPP 7) provides:
14 Access to personal information held by agencies
A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.
Section 16 PPIP Act (IPP 9) provides:
16 Agency must check accuracy of personal information before use
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
Section 17 PPIP Act (IPP 10) provides as follows:
17 Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless -
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
Section 18 PPIP Act (IPP 11) provides that an agency must not disclose (e.g. outside of the agency) personal information to other than the individual to whom the information relates (i.e. the Applicant in this case) unless, in summary and most relevantly:
1. the disclosure is directly related to the purpose for which it was collected and there is no reason to believe the individual concerned would object (s 18(1)(a) PPIP Act);
2. the individual concerned (i.e. the Applicant in this case) is reasonably likely to have been made aware that such information is usually disclosed to that other person (s 18(1)(b) PPIP Act); or
3. the agency believes on reasonable grounds that disclosure is necessary to prevent or lessen a serious or imminent threat to life or health of any person (s 18(1)(c) PPIP Act).
Sections 20 and 21 PPIP Act deal with the application of the IPPs to agencies and the obligation on agencies to comply with the IPPs and provide, most relevantly:
20 General application of information protection principles to public sector agencies
(1) The information protection principles apply to public sector agencies. …
21 Agencies to comply with principles
(1) A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency. …
HRIP Act
The HRIP Act regulates the manner in which public sector agencies collect, use, store and disclose health information and contains 15 health privacy principles (i.e. the HPPs) set out in Schedule 1 of the HRIP Act.
'Personal information' is defined in s 5(1) HRIP Act in the same terms as in the PPIP Act (see [34] above).
'Health information' is defined in s 6(1) HRIP Act as, most relevantly:
6 Definition of "health information"
In this Act, health information means:
(a) personal information that is information or an opinion about:
(i) the physical or mental health or a disability (at any time) of an individual, or …
Section 9 HRIP Act details "what constitutes 'holding' information", most relevantly in the same terms as the PPIP Act, as follows:
For the purposes of this Act health information is held by an organisation if:
(a) the organisation is in possession or control of the information …, or
(b) the information is in the possession or control of a person employed … by the organisation in the course of such employment …
Section 11 HRIP Act deals with the application of the HPPs to agencies and the obligation of agencies to comply with the HPPs and provides, most relevantly:
11 How this Act applies to organisations
(1) This Act applies to every organisation … that collects, holds or uses health information.
Note. The term organisation means a public sector agency or a private sector person.
(2) An organisation to whom or to which this Act applies is required to comply with the Health Privacy Principles ….
(3) An organisation must not do any thing, or engage in any practice, that contravenes a Health Privacy Principle ….
Section 21 HRIP Act deals with complaints against public sector agencies and provides, most relevantly:
21 Complaints against public sector agencies
(1) The following conduct by a public sector agency is conduct to which Part 5 (Review of certain conduct) of the PPIP Act applies:
(a) the contravention of a Health Privacy Principle that applies to the agency …
(2) For that purpose, a reference in that Part:
(a) to personal information is taken to include health information, and …
Schedule 1 HRIP Act includes, most relevantly, the following HPPs:
1. HPP 4:
4 Individual to be made aware of certain matters
(1) An organisation that collects health information about an individual from the individual must … take steps that are reasonable in the circumstances to ensure that the individual is aware of the following:
…
(c) the purposes for which the information is collected,
(d) the persons to whom (or types of persons to whom) the organisation usually discloses information of that kind, …
2. HPP 5:
5 Retention and security
(1) An organisation that holds health information must ensure that -
…
(c) the information is protected by such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and …
3. HPP 6:
6 Information about health information held by organisations
(1) An organisation that holds health information must take such steps as are, in the circumstances, reasonable to enable any individual to ascertain -
(a) whether the organisation holds health information, and
(b) whether the organisation holds health information relating to that individual, and
(c) if the organisation holds health information relating to that individual -
(i) the nature of that information, and
(ii) the main purposes for which the information is used, and
(iii) that person's entitlement to request access to the information. …
4. HPP 7:
7 Access to health information
(1) An organisation that holds health information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information. …
5. HPP 9:
9 Accuracy
An organisation that holds health information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
6. HPP 10:
10 Limits on use of health information
(1) An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless -
(a) Consent
the individual to whom the information relates has consented to the use of the information for that secondary purpose, or
(b) Direct relation
the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or …
Note -
For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose. …
7. HPP 11:
11 Limits on disclosure of health information
(1) An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless -
(a) Consent
the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or
(b) Direct relation
the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or …
Note -
For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose. …
ADR Act
Section 58 ADR Act provides, most relevantly:
58 Duty of administrator to lodge material documents with Tribunal where decision reviewed
(1) An administrator whose administratively reviewable decision is the subject of an application for review to the Tribunal must, within 28 days after receiving notice of the application, lodge with the Tribunal:
(a) a copy of any statement of reasons given to the applicant under section 49 (or, if no such statement was given to the applicant, a statement of reasons setting out the matters referred to in section 49 (3)), and
(a1) a copy of any statement of reasons for a decision in an internal review conducted in respect of the administratively reviewable decision, and
(b) a copy of every document or part of a document that is in the possession, or under the control, of the administrator that the administrator considers to be relevant to the determination of the application by the Tribunal. …
(7) Nothing in this section requires the disclosure of, or the granting of access to, any document (or a copy of a document) in contravention of any of the following:
(a) an order made under section 59 (Objections to lodgement),
(b) an order made under section 64 (Tribunal may restrict disclosures concerning procedures) of the Civil and Administrative Tribunal Act 2013,
(c) section 66 (Effect of Government Information (Public Access) Act 2009) or section 67 (Privileged documents) of the Civil and Administrative Tribunal Act 2013 (as applied by section 67 of this Act).
(8) For the purposes of this section, a reference to a document in the possession of an administrator includes a reference to a document to which the administrator has an immediate right of access. [emphasis added]
An order for damages
An order requiring the Respondent to pay the Applicant damages by way of compensation for any alleged loss or damage suffered because of the Conduct of Concern (in this case) can only be made if the Tribunal is satisfied that the Applicant has suffered financial loss, psychological or physical harm because of the Conduct of Concern (s 55(4) PPIP Act).
The Deputy President of the Tribunal in CPJ v The University of Newcastle [2017] NSWCATAD 350 (CPJ) at [26] and [28], in favouring the 'material contribution' test, followed the AAT decision in EQ v Office of the Australian Information Commissioner (Freedom of Information) [2016] AATA 785 (EQ) at [48] interpreting the equivalent provision under the Federal Privacy Act and relied, to some extent, on the common law principles in March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506. In CPJ at [25] the Deputy President, quoting from EQ, stated:
"… in law, causation is a question identifying where legal responsibility should lie, rather than examine the cause of event from a scientific or philosophical viewpoint, policy issues and value judgments have a role to play in determining whether for legal purposes, a circumstance we found to be causative of loss."
In order to persuade the Tribunal to the level of satisfaction required by s 55(4) PPIP Act, evidence is required that the conduct of the agency that is the subject of the complaint (i.e. the Conduct of Concern in this case) caused the alleged loss or harm (see GR v Department of Housing [2003] NSWADT 268 at [47]).
As noted in JD v NSW Medical Board (No. 2) [2006] NSWADT 345 at [54], psychological harm "is intended to encompass a situation where an individual suffers some impairment of their mental state and processes". This can include "conditions such as depression and anxiety" as held in WT v Auburn Council [2007] NSWADT 253 at [27].
In CJU v SafeWork NSW [2018] NSWCATAD 300 (CJU) at [117] the Tribunal, following the Appeal Panel's decision in AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179 (AOZ), accepted that "mere distress" is a recoverable psychological harm and added the following commentary at [124]:
(1) It seems to me the expression "psychological harm" in the section is of wide import. … "Psychological", and not the word "psychiatric", is the chosen term. No degree of such harm has been imposed such as a requirement for "serious" psychological harm.
(2) …it could readily be foreseen by the legislature that a breach such as unlawful release of personal information could produce a range of justifiable reactions such as distress, worry, humiliation or fear of some real significance. …
(4) …it does not seem to me that the legislature would have expected "psychological harm" to be limited to a mental condition that is only capable of identification by diagnosis from a doctor or psychologist. …
As regards whether independent evidence of psychological harm is required, the Appeal Panel in AOZ held:
[30] In this case, while we have no independent evidence of psychological harm, we are prepared to accept from the submissions, the material filed by the Applicant and our assessment of her when she participated in the main appeal hearing, that she has suffered emotional distress and harm, along the lines that she has asserted, because of the aspect of the conduct of RailCorp in relation to which we have made a finding of contravention. …
Aggravated damages
An award of aggravated damages as part of the compensation awarded for any loss or damage suffered by the Applicant arising from the Conduct of Concern, if justified in the circumstances, is possible under the power to award damages in s 55 PPIP Act. As summarised and held by then Judicial Member Montgomery of the predecessor to this Tribunal in NK v Northern Sydney Central Coast Area Health Service (No. 2) [2011] NSWADT 81 (NK):
[35] … damages "by way of compensation" include general damages and aggravated damages: re Rummery and Federal Privacy Commissioner (2004) 85 ALD 386; Hall v A & A Sheiban Pty Ltd (1989) 20 FCR 217.
[36] In Hall, Lockhart J said at 239-40:
… It is fundamental that an award of a larger amount of damages by way of aggravated damages serves to compensate the victim for damage occasioned by the defendant's conduct with an element of aggravation as involved in that conduct, and not to punish the defendant: …
In so far as damages offer compensation to the plaintiff, reflecting a recognition of the nature of the defendant's conduct and of its consequences for the plaintiff, then they appear to fall properly within the scope of [citing the relevant Act]. …
[37] In Rummery the Tribunal said:
[31] In [Hall], the Federal Court gave detailed consideration to the determination of the entitlement to compensation and assessment of that compensation, under s 81 of Sex Discrimination Act. We are of the view that these principles are applicable to the issues we have decided in relation to s 52 of Privacy Act [Commonwealth].
[32] The principles which are relevant to this matter are:
…
(d) In an appropriate case, aggravated damages may be awarded;
(e) Compensation should be assessed having regard to the complainant's reaction and not to the perceived reaction with a majority of the community or other reasonable person in similar circumstances. …
[38] These authorities suggest that aggravated damages are compensatory and therefore permissible whereas exemplary damages are punitive and not compensatory. …
In concluding that the Tribunal would have awarded aggravated damages in NK to the applicant (if the maximum damages award and amount had not already been reached), then Judicial Member Montgomery found as follows:
[60] In my view, the Respondent's conduct amounted to an oppressive disregard of NK's rights and its own privacy duties. It has not only breached the privacy legislation, but punished NK for its own breaches, based on inaccurate information and without checking its validity. …
In the more recent decision of CJU the Tribunal confirmed and applied the reasoning in NK and concluded:
[129] In my opinion, an award of aggravated damages falls within the expression in s 55(2)(a) "… by way of compensation for any loss or damage suffered".
The First Hearing
The hearing in relation to the substantive matters of the AR Proceedings took place in person on 6 October 2022 (First Hearing).
In addition to the oral submissions presented by both parties at the First Hearing, at the time of the First Hearing the following written submissions and evidence had been submitted by the parties for consideration by the Tribunal:
Applicant
1. The AR Application and attached documents filed on 15 March 2021.
2. The Applicant's Outline of Submissions filed on 11 August 2022 (Applicant Submissions).
3. The Applicant's Points of Claim filed on 11 August 2022 (POC).
4. The affidavit of EJX filed on 11 August 2022 (EJX Affidavit).
5. The Applicant's Outline of Submissions in Reply filed on 5 October 2022 (Applicant Reply Submissions).
6. The second affidavit of EJX filed on 5 October 2022 (Second EJX Affidavit).
7. The Applicant's Amended Points of Claim filed on 5 October 2022 (APOC).
Respondent
1. The s 58 ADR Act documents filed on 14 March 2022 (as subsequently supplemented by the Respondent).
2. The Respondent's Submissions filed on 6 September 2022 (Respondent Submissions).
3. The Respondent's Point of Defence filed on 6 September 2022 (POD).
4. The affidavit of Ms Susan Kelly and attached documents filed on 6 September 2022 (Kelly Affidavit).
During the First Hearing the Respondent identified that the Applicant's APOC (filed on 5 October 2022) was not marked up to show the changes made from the POC, giving the Respondent no time to submit an amended POD before the First Hearing or to be able to address the changes during the First Hearing. The parties consented to the Tribunal making directions for the Applicant to file a marked up version of the APOC showing the changes made from the POC and for the Respondent to file an amended POD to address the changes made from the POC by the Applicant in the APOC. The Tribunal made those directions on 7 October 2022 (7 October Directions).
After the First Hearing
In response to and in accordance with the 7 October Directions, on 19 October 2022 the Applicant filed a marked up version of its APOC and the Respondent filed its Amended Points of Defence on 20 October 2022 (APOD).
After the First Hearing and before the Tribunal's decision was made, despite the PMP being referred to in the IR Decision and the Respondent's various submissions, the Respondent sought to lodge additional s 58 ADR Act documents (being Appendices 3 to 7 inclusive of the PMP) (Additional s 58 Documents). This was the subject of a separate decision (see EJX v University of Newcastle [2023] NSWCATAD 7) and therefore will not be addressed again here. Suffice to say that the Additional s 58 Documents decision allowed the lodgement of the additional s 58 ADR Act Documents conditional on a further hearing being held as regards the impact of the Additional s 58 Documents on the issues for determination in the AR Proceedings (as such issues are detailed in [81] below).
The Second Hearing
The second hearing referred to in [69] above took place in person on 21 February 2023 (Second Hearing) in relation to the matters arising from the Additional s 58 Documents as they impact the Tribunal's making of the correct and preferable decision in the AR proceedings.
After the submissions of the parties in the Second Hearing as regards the impact of and matters arising from the Additional s 58 Documents, the Applicant sought to submit additional evidence, in particular proof of their salary while a PhD candidate with the Respondent, in support of their previous submissions on damages. After discussion with both parties, consideration of their submissions on this and pursuant to the orders made by the Tribunal in EJX v University of Newcastle [2023] NSWCATAD 7, I refused to allow the submission of further evidence not specifically related to the Additional s 58 Documents and the issues which were before the Tribunal in and the subject of the Second Hearing. To allow the submission of evidence that should have been submitted in accordance with prior orders and directions of the Tribunal earlier in the AR Proceedings would, I am satisfied, be contrary to the s 36 CAT Act guiding principle, be prejudicial to the Respondent and require yet a further hearing to enable the Respondent to cross‑examine any relevant witnesses and provide its rebuttal evidence on the Applicant's additional evidence. Even though the Applicant (as per their submissions) may have misunderstood when such evidence should be submitted, the previous orders and directions of the Tribunal made it clear to both parties that all submissions and evidence were to be provided before and addressed at the First Hearing (and see [76] below).
Preliminary issues for determination
From the IR Request, the submissions and evidence of the parties in writing and in both the First Hearing and the Second Hearing (Hearings) the preliminary issues to be determined by the Tribunal in order for the Tribunal to make the correct and preferable decision are (a) the scope of the Tribunal's review in the AR Proceedings, (b) if any personal information or health information of the Applicant is subject to the Conduct of Concern and (c) the relevant IPPs and HPPs alleged to be (and/or are potentially) infringed by the Respondent resulting from the Conduct of Concern (and thus to be considered in the AR Proceedings).
Preliminary issues - consideration and findings
Despite the IR Request, the 8 December 2020 Email and the recommendations of the IPC in its 11 February 2021 letter, in the IR Decision the Respondent focused almost exclusively on the use of the Applicant's student ID number in and as part of the email address associated with the Dedicated Email and did not address (a) what personal or health information was collected by and is held in the Dedicated Email or (b) the use, disclosure, accuracy, security or transparency of that personal and health information collected and held as a result of the Respondent's use of the Dedicated Email.
The Respondent's officer who undertook the internal review and authored the IR Decision noted that their investigation and the review was negatively impacted both by the legislative time constraints and the lack of availability of relevant personnel of the Respondent over the 2020‑2021 Christmas break. This may explain why the Respondent's internal review did not address all of the Conduct of Concern and all of the alleged (or potentially) resulting contraventions of the IPPs and HPPs (i.e. as set out in the IR Request and acknowledged by the Respondent in its 8 December 2020 Email).
In the circumstances noted in [73] and [74] above the Tribunal has the option of referring the IR Decision (or any part of it) back to the Respondent to reconsider any specific areas of the Conduct of Concern not satisfactorily addressed in the IR Decision and/or to document its internal review decision in accordance with the requirements of ss 53(5) and (8) PPIP Act, as discussed in EEC v Federation Council [2020] NSWCATAD 169 at [32]. However, given that the IR Request was submitted over two years ago by the Applicant and raised the Conduct of Concern and the alleged resulting contraventions of the IPPs and HPPs by the Respondent, applying the guiding principle in s 36 CAT Act I have decided not to refer any of the IR Decision back to the Respondent and further delay the Tribunal's determination of the correct and preferable decision in this case. That is, I have decided to proceed to consider the materials placed before the Tribunal by the parties in order to make the correct and preferable decision in the AR Proceedings.
In support of my determinations above and below, I also note the words of the Appeal Panel in iCare regarding the materials which the Tribunal is entitled to expect to be (and may assume have been) placed before it in an administrative review proceeding (i.e. in this case in the AR Proceedings):
"[22] … The Tribunal at first instance was conducting an administrative review. It was entitled to assume that the agency, which was under an obligation to cooperate with the Tribunal to give effect to the guiding principle of the Civil and Administrative Tribunal Act 2013 that the just, quick and cheap resolution of real issues in the proceedings be facilitated, had placed all relevant material before it …
[61] …Parties, particularly agencies, should come to the hearing of a matter prepared to adduce all of their evidence and make all of their submissions in relation to the matters in issue in the proceedings."
As noted in [13] above, the IR Request details the alleged conduct of concern of the Respondent (i.e. the Conduct of Concern). From the Tribunal's consideration of the Conduct of Concern and those areas (i.e. related to the IPPs and HPPs) indicated in the IR Request form which "describes the complaint" and the "specific conduct you are complaining about" (see [15] above), I am satisfied that the relevant IPPs and HPPs allegedly contravened by the Respondent resulting from the Conduct of Concern are those that relate to the collection, use, disclosure, accuracy, security and transparency of and the Applicant's access to the Applicant's personal information and health information and are adequately identified in (or can reasonably be inferred from) the IR Request. I am also satisfied that the Applicant's relevant personal and health information subject to the Conduct of Concern includes that (a) used by the Respondent to create the Dedicated Email and in the associated email address (i.e. the Applicant's student ID) and (b) collected, used, modified, created and disclosed as part of the Respondent's use of the Dedicated Email (i.e. in the emails sent and received using the Dedicated Email). The relevant IPPs and HPPs the Applicant alleges are contravened by the Respondent resulting from the Conduct of Concern, as raised in the IR Request, acknowledged by the Respondent in its 8 December 2020 Email or the IR Decision, are IPPs 3, 5, 6, 7, 9, 10 and 11 and HPPs 4, 5, 6, 7, 9, 10 and 11.
As regards [72(a) and (c)] above, as noted in [13] and [15] above, I am satisfied that the Conduct of Concern and the alleged resulting contraventions of IPPs 3, 5, 6, 7, 9, 10 and 11 and HPPs 4, 5, 6, 7, 9, 10 and 11 are sufficiently identified in (or can reasonably be inferred from) the IR Request and must therefore be considered by the Tribunal in the AR Proceedings in order for the Tribunal to make the correct and preferable decision in this case.
The Applicant also submitted that certain obligations of confidentiality owed to the Applicant by the Respondent and the IT Policy were breached (Other Matters). However, as noted in [26] above, only alleged contraventions of the IPPs and HPPs resulting from the Conduct of Concern are within the Tribunal's jurisdiction in relation to the AR Proceedings, as an administrative review by the Tribunal. The Tribunal therefore has not considered in and of themselves and does not address in these Reasons for Decision the Other Matters, unless and except (and then only to the extent that) those Other Matters directly relate to or impact on the matters that are within the scope of the AR Proceedings and in order for the Tribunal to make the correct and preferable decision in the AR Proceedings.
In summary, the scope of the AR Proceedings (i.e. the Tribunal's administrative review jurisdiction in this case) is to review the Conduct of Concern (see [13] above) and the alleged resulting contraventions of IPPs 3, 5, 6, 7, 9, 10 and 11 and/or HPPs 4, 5, 6, 7, 9, 10 and 11 (see [15] above) in respect of the Applicant's personal and health information collected and held by the Respondent using/in the Dedicated Email and, based on the material before the Tribunal, to make the correct and preferable decision in this case.
The issues for determination
Based on my determination above as regards the preliminary issues, the real and substantive issues that remain to be determined by the Tribunal in the AR Proceedings, in order for the Tribunal to make the correct and preferable decision on the material before the Tribunal, are whether the Conduct of Concern results in any contravention by the Respondent of:
1. IPP 3 and/or HPP 4;
2. IPP 5 and/or HPP 5;
3. IPP 6 and/or HPP 6;
4. IPP 7 and/or HPP 7;
5. IPP 9 and/or HPP 9;
6. IPP 10 and/or HPP 10; or
7. IPP 11 and/or HPP 11,
and, if so, what (if any) remedies are to be ordered as part of the Tribunal's correct and preferable decision.
[19]
Applicant's submissions and evidence
In the APOC, the Applicant Submissions and the Reply Submissions the Applicant submits, most relevantly and in summary, that:
1. The Respondent holds and has collected, used and shared the Applicant's education (i.e. personal) and health information without their consent.
2. The Respondent continued using and disclosing the Applicant's personal information using the Dedicated Email even after the Applicant complained to the Respondent several times about the creation and use of the Dedicated Email.
3. The Respondent did not inform the Applicant of what personal or health information it was collecting, using or disclosing by using the Dedicated Email and the Applicant has no access to or visibility of ('transparency' as to) the contents of the Dedicated Email.
4. The Respondent terminated the Applicant's PhD candidature because the Applicant refused to accept the Respondent's breaches of the Applicant's privacy in relation to the Respondent's use of the Dedicated Email.
5. Around August 2020 the Applicant's psychologist notified the Respondent of the impact of the Conduct of Concern on the Applicant's wellbeing but the Respondent continued demanding that the Dedicated Email be used.
6. The Respondent's internal review failed to meet the requirements of s 53(4) PPIP Act and some of the Respondent's findings in the IR Decision are unclear, unreasonable and irrelevant. The Respondent did not understand or address all of the conduct of concern complained of in the IR Request (i.e. the Conduct of Concern) and did not seek clarification from the Applicant.
7. On 3 December 2020 (the day before the IR Request was submitted), in an email sent using the Dedicated Email, the Respondent referred to the Applicant's prior medical certificates and being "unfit for work" (i.e. health information) and directed and insisted that, despite the Applicant's protests, the Applicant send their medical certificates (i.e. health information) to the Respondent using the Dedicated Email. In this email the Respondent also threatened the Applicant with the termination of the Applicant's PhD candidature if the Applicant did not comply with this (and earlier) directions of the Respondent to use the Dedicated Email.
8. As a result of the Conduct of Concern breaching the relevant IPPs and HPPs the Applicant suffered:
    1. a great deal of stress causing anxiety, panic attacks and further back pain; and
    2. disruption to their PhD candidature and, ultimately, termination of their candidature.
9. The Applicant seeks the following orders and remedies:
    1. an apology from the Respondent for breaching the Applicant's privacy;
    2. damages for hurt, distress and humiliation and economic loss suffered by the Applicant;
    3. compensation for expenses incurred by the Applicant in respect of the AR Proceedings and for their therapy;
    4. an order requiring the removal of the Dedicated Email and the ceasing of its use by the Respondent and assurance that such conduct will not occur again to the Applicant;
    5. an order requiring the Respondent to refrain from any further conduct or action in contravention of an IPP;
    6. an order requiring the Respondent to identify those who have/had access to the Dedicated Email and all email addressees to whom emails containing the personal or health information of the Applicant were sent using the email address of the Dedicated Email; and
    7. an order requiring the Respondent to pay the Applicant damages of $40,000 by way of compensation for the loss and damage suffered because of the Respondent's conduct.
In addition to providing evidence supporting the APOC, the Applicant Submissions and the Reply Submissions, in the EJX Affidavit and Second EJX Affidavit the Applicant provides evidence, most relevantly and in summary, that:
1. Despite the claims in the Kelly Affidavit that the IR Request was only related to the use of the Applicant's student ID number to create the Dedicated Email and in the associated email address, the IR Request (including the attachment to it and forming part of it) clearly indicates that:
    1. the Conduct of Concern impacted the Applicant's personal and health information collected, used, disclosed and/or held by the Respondent as part of the Respondent's use of the Dedicated Email;
    2. the Conduct of Concern was done without the Applicant's consent;
    3. the Conduct of Concern continued after (and despite) the several written objections and complaints of the Applicant up to the date of the submission of the IR Request; and
    4. in the 8 December 2020 Email the Respondent acknowledges the scope of the IR Request (as understood by the Respondent) and confirms the proposed scope of the Respondent's internal review. However, without any reason as to why, the scope of the internal review and the IR Decision are significantly more limited than that acknowledged and proposed by the Respondent in the 8 December 2020 Email.
2. The IR Decision does not address the IPC recommendations set out in the IPC's 11 February 2021 letter. The reasons these IPC recommendations were not actioned are not explained in the Kelly Affidavit or the other evidence of the Respondent.
3. The evidence of the Respondent's extensive use of the Dedicated Email, including the sending and receiving of emails about EJX to/from others, is shown in the "email audit logs" applicable to a part of the period of the Respondent's use of the Dedicated Email attached as "[EJX]‑3" to the EJX Affidavit.
4. Section 5 "Information and Collection" of the PMP is not as quoted in the Kelly Affidavit. The actual paragraphs 17, 18, 20 and 22 of Section 5 of the PMP (under the sub-headings "Direct Collection", "Open Collection" and "Relevance of Collection") support the Applicant's submissions as to the Respondent's breaches of the relevant IPPs and HPPs resulting from the Conduct of Concern and that the Conduct of Concern also breaches the requirements of the PMP.
5. The EJX Affidavit refers to and attaches [EJX]‑9, a letter purportedly from the Interim Dean of Graduate Research but sent using the Dedicated Email's associated email address to the Applicant dated 3 December 2020 which, after noting:
"It is reasonable for the University to direct you to inform us in writing via the Designated Email address whether you intend to re‑enrol to revise and resubmit your thesis …."
referred to two rules of the Respondent allowing it to terminate the Applicant's PhD candidature and stated:
"If you do not comply with our reasonable directions, the University will consider the appropriate next steps to take, which may include termination of your candidature."
[20]
Respondent's submissions and evidence
In the APOD and Respondent Submissions the Respondent admits and submits, most relevantly and in summary, that:
1. The Respondent admits it created and operated the Dedicated Email, that the associated email address for the Dedicated Email was created by the Respondent using the Applicant's student ID number and that the student ID number is the Applicant's personal information.
2. The Respondent admits it has not provided the Applicant with the identity of the individuals who have access to (and use of) the Dedicated Email and thus the Applicant's personal and health information (i.e. the Respondent's Users) but submits that this is due to concerns about the 'health and safety' of such individuals. In addition, the Respondent submits that the identity of the Respondent's Users is their personal information and their identities are also subject to an interlocutory non‑publication order made by the Tribunal on 13 May 2022 under s 64(1)(a) CAT Act until the Tribunal's decision on the substantive matters (i.e. in the AR Proceedings) and any further orders are made by the Tribunal.
3. The Respondent denies it breached the Applicant's privacy and submits that any complaints about the Respondent's conduct made after 15 February 2021 (the date of the IR Decision), which the Respondent submits is the case in respect of most instances of the Conduct of Concern claimed in the APOC and evidenced by the Applicant, have 'not been subject to an internal review by the Respondent' and are therefore not within the jurisdiction of the Tribunal under the AR Proceedings. That is, most of the Applicant's claimed instances or details of the Conduct of Concern in the APOC are made/described after 15 February 2021 and are thus out of scope and not within the jurisdiction of the Tribunal as they are 'new complaints' for which the Respondent has not been given the opportunity to undertake an internal review. The Respondent submits that these post‑15 February 2021 'new complaints' include, at a high level, the unlawful collection of health information, the continued use and disclosure of the Applicant's personal information, the Applicant's withdrawal of consent to the use of the Dedicated Email, the threats made by the Respondent about terminating the Applicant's candidature and the Respondent's use of the Applicant's personal information for reasons not consented to by the Applicant.
4. Further, the following claims of the Applicant in the APOC are also submitted by the Respondent not to be within the jurisdiction of the Tribunal in the AR Proceedings because the details of the instances of the Conduct of Concern raised in the APOC are not exactly as set out in the IR Request or as provided to the Respondent before 15 February 2021 (and, in the alternative, are simply denied or not admitted):
    1. paragraph 3(d) APOC about the Associate‑Professor named and their failure to confirm authorship of an email sent using the Dedicated Email and the validity of the thesis examination report sent to EJX and external institutes using the Dedicated Email and occurring before 4 December 2020;
    2. paragraph 3(e) APOC as regards the examples of the 're‑sharing' (i.e. using) of the Applicant's personal information using the Dedicated Email occurring before 4 December 2020;
    3. paragraphs 3(f) and (g) APOC being further examples of the sharing/using of the Applicant's personal information in relation to the Respondent's use of the Dedicated Email occurring before 4 December 2020;
    4. paragraph 3(j) APOC as regards the sharing of the Applicant's personal information with the 'Units' and named areas of the Respondent using the Dedicated Email occurring prior to 4 December 2020;
    5. paragraphs 3(r) APOC (the academic misconduct threat), 3(u) APOC (the 9 December 2020 sharing of confidential information), 3(v) APOC (the 20 occasions on which personal information was shared between 28 October 2020 and 4 December 2022) and 3(w) APOC (the refusal to disclose the addressees of emails sent using the Dedicated Email); and
    6. paragraph 3(s) APOC as regards the Respondent's direction by email dated 3 December 2020 to the Applicant to lodge their medical certificate(s) and health information with the Respondent using the Dedicated Email.
5. The Respondent either 'denies' or 'does not admit' the claims of the Applicant set out in the APOC as regards the security of the Dedicated Email, the Respondent's refusal to provide the Applicant access to the Applicant's personal information collected or held by the Respondent in the Dedicated Email and the lack of information (i.e. transparency) provided to the Applicant as to what of their personal information was collected, used and disclosed through or held by the Respondent's use of the Dedicated Email.
6. "The Respondent advised the [Applicant] of its decision to utilise [the Applicant's personal and health] information in the proposed manner and gave the option for [the Applicant] to provide [their] informed consent to the ongoing use of the [Dedicated Email]", which the Applicant did not give.
7. The Respondent did not contravene ss 8, 9, 10 and 11 PPIP Act in the collection of the Applicant's personal information. "The respondent collected the Applicant's personal information for the lawful purpose of creating the dedicated email address to manage the applicant's inquiries and concerns. The respondent took reasonable steps in the circumstances and advised the applicant of the purposes of the dedicated email address and how information sent to it would be used for a lawful purpose."
8. The Respondent did not breach s 12 PPIP Act because "the applicant's personal information was stored securely and … all reasonable security safeguards were implemented in the circumstances."
9. The Respondent did not contravene s 14 PPIP Act as "there is no evidence … that the applicant was refused access to the personal information used by the respondent."
10. The Respondent did not contravene s 16 PPIP Act "as there is no evidence … that the applicant's student number is inaccurate."
11. The Respondent did not contravene s 17 PPIP Act as the Applicant's personal information was used for a lawful purpose.
12. The Respondent did not contravene s 18 PPIP Act "absent evidence of the applicant's personal information being disclosed to any external entity …".
13. The Respondent seeks that the application (i.e. the AR Proceedings) be dismissed and costs be awarded to the Respondent in accordance with s 60 CAT Act.
The Kelly Affidavit provides background to the internal review investigations, how they were conducted and Ms Kelly's approach to undertaking the internal review and provides detail (much of which is already addressed in the IR Decision) on her findings in the IR Decision, addressing the delay in responding to the IR Request and, finally, providing her responses to the Applicant's submissions. Most relevantly and in summary, Ms Kelly's evidence is that:
1. The delay in providing the Applicant with the IR Decision was "due to the Christmas break and staff absences during that time". Ms Kelly also noted that "[a] shutdown period was in effect for all University staff from 5:00 pm 18 December 2020 to 9:00 am on 11 January 2021. Staff were directed to take leave during this period as the University campus for staff and students".
2. Ms Kelly wrote to several of the Respondent's staff members requesting information but it appears from her evidence that at no time was she provided access to the Dedicated Email (i.e. its contents/the personal and health information of the Applicant held in the Dedicated Email). In fact, Ms Kelly notes that the internal review and ultimately the IR Decision were based on the materials before her (which appear to be solely information provided by various staff of the Respondent to her rather than her having been provided with access to the Dedicated Email and other information sources directly). After repeating the conclusions in the IR Decision (occasionally with some additional commentary), Ms Kelly notes in response to the Applicant's Submissions, most relevantly and in summary:
    1. "It is unclear what personal information the applicant was referring to although I assume she means [their] student ID. In [their] Application [i.e. the IR Request] which was reviewed by me, I understand [their] complaint to involve [their] disagreement with the University's direction for [them] to use the Dedicated Email address …";
    2. "Collection of the Applicant's health information was not an issue raised by the Applicant in the [IR Request]. I was not aware of this issue at the time I determined the Application on February 15, 2021"; and
    3. the issues the Applicant raised in subparagraphs (9)(f), (i), (j), (m) and (n) of the Applicant Submissions were not raised in the IR Request and "I was not aware of [these] issue[s] at the time I determined the Application [i.e. made the IR Decision] on 15 February 2021".
3. In response to the POC Ms Kelly notes, among other things, that "the dedicated email was created for the purpose of enabling the University to officially manage and respond to the applicant's concerns and complaints".
[21]
Consideration and findings
In the absence of specific submissions of any detail and the minimal evidence of the Respondent in respect of a particular matter I have, on the basis noted in [32], [40] and [76] above, and in the face of the Applicant's detailed evidence and submissions in certain cases as noted below, drawn an unfavourable inference against the Respondent as to those matters. In particular, in summary and most relevantly, I note the following:
1. Apart from addressing the use of the Applicant's student ID number in the associated email address of the Dedicated Email, the Respondent does not provide any submissions or evidence on what personal and health information of the Applicant is collected and held by the Respondent in the Dedicated Email.
2. The Respondent chose not to respond in detail to the Applicant's submissions and evidence of specific instances of the Conduct of Concern as raised in the IR Request. Rather, and despite the clear wording of the IR Request, the Respondent in effect submitted that, as the precise details of the instances and evidence of the Conduct of Concern detailed by the Applicant in the APOC were not exactly the same as set out in the IR Request, the claims as set out in the APOC were therefore not within the scope of the AR Proceedings (i.e. the jurisdiction of the Tribunal). In the alternative, the Respondent simply 'denied' or 'did not admit' the Applicant's submissions and evidence of the Conduct of Concern. Little, if any, evidence was placed before (or detailed submissions made to) the Tribunal by the Respondent to refute the Applicant's evidence of the instances of the relevant Conduct of Concern, that these instances occurred, that they are instances of the relevant Conduct of Concern or otherwise detailing why the Applicant's interpretation of those instances as regards the alleged resulting contraventions of the IPPs and HPPs was incorrect.
3. After admitting the Applicant's claim that the Respondent did not disclose to them the names of the Respondent's Users (i.e. those who had access to/use of the Dedicated Email) the Respondent's limited submissions on this matter are, in essence, that the disclosure of the names of the Respondent's Users would impact their health and safety. However the Respondent provided little, if any, detail or evidence as to how or why such would occur.
Apart from the emails sent to the Applicant by the Respondent using the Dedicated Email and the associated email address, which are available to the Applicant, no other emails sent or received using the Dedicated Email or the associated email address from 25 June 2020 to 4 December 2020 were included by the Respondent in the s 58 ADR Act documents. This is despite the Appeal Tribunal's apparent expectation in paragraphs [27], [54] and [70] of the EJX Appeal, in denying the Applicant's summons appeal, that all emails sent and received by or held in the Dedicated Email would be in the s 58 ADR Act documents (which had not, at that date, been filed by the Respondent) or separately available to the Applicant pursuant to IPP 7/HPP 7. Nor did the Respondent make any detailed submissions or provide evidence as to the contents of (i.e. the personal and health information collected by/held in) the Dedicated Email. After considering the material before me, I am satisfied that the Applicant's personal and health information contained in all emails (and any attachments to them) sent or received by or using the Dedicated Email (e.g. using the associated email address) from and to whomever are collected and held by the Respondent in the Dedicated Email.
[22]
Application of PPIP Act and HRIP Act
The Respondent's submissions and evidence focus on the policies and procedures of the Respondent, in particular the IT Policy and PMP as noted in [17(2) and (3)] above. In essence the Respondent's submissions are that (a) its IT Policy (and the PMP and other policies) give it wide powers (and therefore permitted the Respondent) to establish and operate the Dedicated Email and (b) as a student the Applicant was subject to those policies of the Respondent and therefore the Respondent's obligations and the Applicant's rights under the PPIP Act and HRIP Act are diminished or waived by the Applicant.
The terms of the IT Policy, in particular, do not actually support much of what the Respondent submitted in this regard. Even if they did, the Respondent's policies (including the IT Policy) and reasons for establishing the Dedicated Email do not modify the requirements of the PPIP Act or HRIP Act or make the Respondent's actions above the law. In particular in this case, any powers under the Respondent's policy (e.g. the IT Policy) and simply stating the reason(s) for establishing the Dedicated Email do not void the Respondent's obligations under the PPIP Act and HRIP Act (see [47] and [52] above). Agencies cannot, simply by adopting policies with provisions contrary to the PPIP Act or the HRIP Act, avoid or limit their obligations (or an individual's rights) under that legislation, other than as expressly provided for in the PPIP Act, the HRIP Act or another law.
As noted in [47] and [52] above, the PPIP Act and the HRIP Act apply to and must be complied with by the Respondent, except as expressly excused or exempted by the provisions of those Acts or any other law. Therefore, in this case, in any application of or reliance on the IT Policy (or other policies) by the Respondent to justify a course of action (or the not taking of any action) or to deny an individual their rights under these laws, the Respondent must always consider whether such action, inaction or denial contravenes the PPIP Act/HRIP Act (as applicable) as regards all relevant personal and health information.
[23]
The Applicant's instances of the Conduct of Concern
Many of the Respondent's submissions are effectively that the instances of the Conduct of Concern or claims detailed in the APOC were not exactly as detailed in the IR Request (see [84(4)] and [86(2)] above) and were therefore not subject to a request for an internal review by the Respondent. However, it is clear from a plain reading of the IR Request that the instances of the Conduct of Concern noted as 'particulars' in paragraphs 3(a) to (g) and (t) of the APOC were, in fact, expressly raised in the IR Request. Further, paragraphs 3(r), (s), (u), (v) and (w) of the APOC, while not expressly raised, are either examples of the type of Conduct of Concern inferred in the IR Request or are of a nature that is not relevant to the scope of the Tribunal's administrative review in the AR Proceedings, as they do not relate per se to an alleged contravention of any IPPs or HPPs by the Respondent resulting from the Conduct of Concern. In the latter case, as noted earlier, these will not therefore be considered by the Tribunal in the AR Proceedings.
I am satisfied that the instances (or particulars) of the Conduct of Concern raised in the APOC were, except for those clearly relevant only to the Other Matters (i.e. other than alleged contraventions of the IPPs and HPPs resulting from the Conduct of Concern), all raised in or can be reasonably inferred from the IR Request (see [91] above) and therefore (a) should have been the subject of the Respondent's internal review and (b) are the subject of the AR Proceedings. The fact that the Respondent chose not to engage with or address these matters (a) in its internal review (i.e. as evidenced in the IR Decision) or (b) in its submissions made and evidence provided to the Tribunal in the AR Proceedings does not alter the fact that the Conduct of Concern (and the relevant instances of the Conduct of Concern) are reasonably part of the Applicant's request for an internal review (i.e. the IR Request) and are therefore clearly within the Tribunal's administrative review jurisdiction and must be addressed in the AR Proceedings.
[24]
IPP 3/HPP 4
The Respondent's obligations under IPP 3 and HPP 4(1) are clear. When collecting personal or health information from the Applicant the Respondent must take reasonable steps in the circumstances to ensure that the Applicant is notified of the matters listed in IPP 3 and HPP 4(1) before, or as soon as practicable after, the Respondent's collection of personal and health information from the Applicant.
It is not a question of whether or not the Applicant was (or should have been) otherwise aware of the matters in IPP 3 and HPP 4(1) or that they were told some of those matters in the Respondent's correspondence directing the Applicant to use the Dedicated Email. The questions are simply, in respect of the collection (or proposed collection) of personal and health information from the Applicant using the Dedicated Email, (a) what steps did the Respondent take to ensure that the Applicant was notified/made aware of all of the mandatory IPP 3 and HPP 4(1) matters and (b) were those steps reasonable in the circumstances?
The unattributed and later Vice-Chancellor's correspondence from the Dedicated Email dated 26 June 2020 and 7 July 2020, respectively, were, in the absence of any other evidence, the closest documents to an IPP 3/HPP 4(1) notice. However, this correspondence is not sufficient to meet the requirements of IPP 3 or HPP 4(1) as only a few of the mandatory matters are addressed in them. Most notably, the correspondence does not detail 'what specific personal and health information was being collected', 'who would have access to it' or 'who it would be shared with'.
On the basis of the submissions and evidence of the Applicant and, in the absence of any persuasive submissions or evidence of the Respondent as to (a) what steps it actually took in relation to IPP 3 and HPP 4(1) and (b) why those steps (or no steps) were reasonable in the circumstances (see [32] above), I am satisfied on the material before the Tribunal that the relevant Conduct of Concern resulted in the Respondent contravening IPP 3 and HPP 4(1).
[25]
IPP 5/HPP 5
I am satisfied that the Applicant's submissions and evidence (mainly the response from the Respondent's IT service to the Applicant that the Dedicated Email was not opened in the Respondent's secure email system) and the fact that the Applicant's personal and/or health information is stored in a 'standard ordinary email account' of the Respondent raised legitimate concerns as to the security of the Applicant's personal and health information held in the Dedicated Email. That is, the evidence presented by the Applicant and the admission of the Respondent raised the likelihood that the Respondent may not have considered or taken any reasonable security safeguards to protect the Applicant's personal and health information in the Dedicated Email. As a result, the relevant Conduct of Concern may result in the Respondent contravening, as relevant, IPP 5 and/or HPP 5 (i.e. the security obligation) and must be considered by the Tribunal.
The Respondent's very limited submissions and little evidence in relation to this issue were focussed predominantly on the fact the Dedicated Email was a standard email of (and set up by) the Respondent and therefore subject to the usual security of its email accounts, without any evidence as to what those security safeguards actually were or how they are reasonable in the circumstances (i.e. where the Dedicated Email was being used in a different way and for a different purpose than the Respondent's standard email accounts). In essence the Respondent's submission is that, in the circumstances, the fact the Dedicated Email was set up as a standard email account of the Respondent in the Respondent's email system is sufficient (without evidence of what security safeguards were considered or taken as regards such or in relation to the Respondent's Users and how these were reasonable in the circumstances) to protect the Applicant's information from misuse. Therefore, the submission of the Respondent is in effect that no further safeguards are needed or reasonable in the circumstances. No evidence was provided by the Respondent of its consideration of whether any specific safeguards were required contemporaneous with the establishment of the Dedicated Email and the holding, access and/or use (including by the Respondent's Users) of/to the Applicant's personal and health information held in the Dedicated Email. The submissions and evidence of the Respondent on point are limited to the IT Policy, as also referred to in the IR Decision, which expressly noted as regards the Dedicated Email:
The email account is no different to any other standard student email account in terms of security.
Section 9 of this [IT Policy] outlines that "the University's ICT resources are electronically safeguarded … [however] no guarantee can be given regarding the confidentiality, integrity … of any information."
In this case, unlike a 'standard student email account', the 'controller' of the email account (the person who sends and receives emails and controls the use of the Dedicated Email, its contents and the related email address) is not the student (i.e. the Applicant) but the Respondent. Also, given the inability of the Respondent to 'guarantee the confidentiality or integrity' of the information in its email system (i.e. the Dedicated Email), this should have raised for the Respondent's consideration whether the Dedicated Email and the access of the Respondent's Users in the specific circumstances of this usage were a reasonable, appropriate and PPIP Act and HRIP Act compliant way of implementing its stated purpose and whether, pursuant to IPP 5 and HPP 5, additional security safeguards against loss, unauthorised access, use, modification, disclosure or other misuse of the information were reasonably necessary in the circumstances.
Based on the materials before me and the analysis in [97], [98] and [99] above and given the sensitivity of the relevant health and personal information of the Applicant in this case, I am satisfied that not considering if any additional or specific security safeguards were reasonably necessary in the circumstances, including in relation to providing access to the Applicant's personal and health information held in the Dedicated Email to all of the Respondent's Users at all times, was not in accordance with the requirements of IPP 5 or HPP 5. The failure of the Respondent to consider if any reasonable security safeguards were required in these specific circumstances to prevent any unauthorised use, modification, disclosure or other misuse of the Applicant's personal and health information in the Dedicated Email (i.e. the relevant Conduct of Concern) resulted in the Respondent's contravention of IPP 5 and HPP 5.
[26]
IPP 6/HPP 6
While IPP 3 and HPP 4 relate to the personal and health information collected by the Respondent directly from the Applicant, similar obligations apply under IPP 6 and HPP 6 in relation to the personal and health information held by the Respondent (i.e. whether or not collected by the Respondent directly from the Applicant). Under IPP 6 and HPP 6 the Respondent is required to take reasonable steps in the circumstances to enable the Applicant to ascertain (i.e. to notify them of), most relevantly in this case, (a) the nature of their personal/health information held by the Respondent, (b) the main purposes for which that information is used and (c) the individual's entitlement to gain access to that information.
In this case IPP 6 and HPP 6 relate to all of the Applicant's personal and health information (respectively) held by the Respondent resulting from its use of the Dedicated Email. Given the somewhat overlapping obligations of IPP 3 and HPP 4 relating to the information collected directly from the Applicant (see [93] to [96] above), I have limited my consideration in this case to the IPP 6 and HPP 6 obligations relating primarily to the personal and health information 'collected' or received other than directly from the Applicant using, or otherwise held by the Respondent in, the Dedicated Email: that is, the emails (i.e. personal and health information of the Applicant) sent to persons other than the Applicant or received by the Respondent from all persons other than the Applicant using the Dedicated Email and the associated email address. This includes any comments, modifications, sharing, notes or created information about the Applicant made by the Respondent, the Respondent's Users or any others on or of any of the Applicant's personal and health information (e.g. when using the Dedicated Email to receive from or send to persons other than the Applicant, or to comment on the Applicant's personal or health information in the Dedicated Email).
All staff, employees, Units and parts of the Respondent were to communicate with the Applicant via the Dedicated Email (i.e. sending personal and health information about the Applicant to the associated email address of the Dedicated Email) and all of the Respondent's Users were able to comment on, modify, create and/or send the Applicant's personal and health information held by the Respondent in the Dedicated Email. In the absence of any persuasive submissions and evidence of the Respondent to refute the Applicant's submissions and evidence, and based on the Applicant's evidence and submissions, at least some of those emails to others or by others responding to the inquiries or concerns of the Applicant held by the Respondent in the Dedicated Email contained the Applicant's personal and/or health information.
On a similar basis to that set out in [96] above in relation to IPP 3 and HPP 4, in the absence of any persuasive submissions or evidence of the Respondent as to the steps it took to comply with IPP 6 and HPP 6, on the materials before me I am satisfied that the Respondent took no steps as required under IPP 6 and HPP 6 and that the Dedicated Email holds the personal and health information of the Applicant other than that collected directly from the Applicant. Therefore, on the material before me, I am satisfied that the relevant Conduct of Concern resulted in the Respondent contravening IPP 6 and HPP 6 in respect of the Applicant's personal and health information held by the Respondent in the Dedicated Email.
IPP 7/HPP 7
The Respondent's obligations under IPP 7 and HPP 7 are clear. While there are certain exemptions that are available to agencies and may be applicable to at least some of the information requested by an individual under IPP 7 and HPP 7, if they are made out, the core obligation is to provide individuals with access to their personal and health information on request and without excessive delay or expense. There are no limits or requirements on the nature of such a request (e.g. that it has to be in writing or use a certain prescribed form etc) and the agency is not entitled to mandate such to limit its obligations under IPP 7 and HPP 7 either.
I accept that, on the materials before me, there was no request for access to the relevant information by the Applicant using the form(s) and the channel established by the Respondent for 'access requests'. However, as discussed in [105] above, an access request does not have to be in any particular form or made via any particular channel (i.e. to a specific officer, email address, etc). The question therefore is, can any of the Applicant's correspondence with the Respondent or other materials before the Tribunal reasonably be understood (and therefore should have been dealt with by the Respondent) as a request by the Applicant for access to their personal or health information pursuant to IPP 7 or HPP 7?
While it remains the right of the Applicant to make an access request under IPP 7 and HPP 7 (as relevant) after and separate from the AR Proceedings (as noted at [54] of the EJX Appeal), I am satisfied that there is nothing in the materials before the Tribunal that could reasonably be construed as an 'access request' for either the Applicant's personal or health information held by the Respondent in the Dedicated Email and therefore the Respondent has not contravened IPP 7 or HPP 7.
IPP 9/HPP 9
IPP 9 and HPP 9 require the Respondent to take reasonable steps, in the circumstances, to ensure before each and every use (including sharing within the Respondent) and disclosure of the information that the Applicant's personal and health information is accurate, its use is relevant and not misleading.
In PN v Department of Education and Training [2010] NSWADTAP 59 at [30] the Appeal Panel of the predecessor of this Tribunal concluded that IPP 9 was:
… the most important provision in the [PPIP] Act. [Section 16 (IPP 9)] entrench the principle that agencies will take reasonable steps to ensure that before information held by them about individuals is used for an administrative purpose it is checked to ensure that it is appropriate to rely upon it. The agency is expected to satisfy itself that the information is relevant, accurate, up to date, complete and not misleading. [emphasis added]
The Appeal Panel in ALZ v WorkCover NSW [2015] NSWCATAP 138 held at [89], as regards HPP 9, that agencies are required to:
… fairly use the information they hold at the point they are taking actions or making decisions based on it. It is especially directed to old information and seeks to encourage care in relation to use of information collected indirectly. [emphasis added]
The predecessor to the Tribunal held in JD v Director General, NSW Department of Health (No 2) [2004] NSWADT 227 at [67] that 'reasonable steps' must be determined:
…not only in the context of the purpose for which the information was to be used, but also in the context of those matters [where] the applicant alleges the information was not relevant, inaccurate, out of date, incomplete or misleading.
Further, in JD v Department of Health (GD) [2005] NSWADTAP 44 the Appeal panel of the predecessor to the Tribunal held at [69]:
What is reasonable in the circumstances will vary with the significance of the purpose to which the information is to be put, and may be affected by the urgency of the situation. It may be that no additional steps are necessary …
I also refer to the reasoning of the Tribunal in EEH v Insurance and Care NSW (iCare) [2021] NSWCATAD 72 on IPP 9, upheld by the Appeal Panel in Insurance and Care NSW v EEH [2021] NSWCATAP 350:
69 … This purpose, potentially adverse to the Applicant, …, imposes a high threshold on the Respondent (and its agents) as regards the steps needed to be taken to check if the information is accurate.
70 The Tribunal commented in MT at [185] that:
… there is merit in the argument that if there is in fact an onus, the initial onus should rest on [the Applicant] to show that there was a use which involved irrelevant, inaccurate, out of date, incomplete or misleading information, whereupon the onus would shift to [the Respondent] to show that it took reasonable steps to check the information.
71 However, given the wording of IPP 9 (and the emphasised parts of prior decisions in paragraphs [43] to [45] above), it is the action of taking reasonable steps to check the accuracy of the PI under IPP 9, rather than the actual accuracy of the PI, that is the focus of IPP 9. That is, if reasonable steps were taken but the PI nonetheless turned out to be inaccurate and misleading then there may be no breach of IPP 9. However, even if the PI turned out to be accurate, if no reasonable steps were taken by the agency in the circumstances having regard to the purpose of the proposed use then there is a breach of IPP 9, irrespective of the accuracy of the information: see ALZ v SafeWork [2017] NSWCATAD 52 at [108 to 110]. If IPP 9 is breached and the PI turns out to be inaccurate, irrelevant, incomplete or out of date and misleading, then this will factor into the relief to be granted by the Tribunal.
72 Once a relevant use of the PI has been established (as in this case) IPP 9 is triggered and the Respondent then has the onus to show that it took such reasonable steps in the circumstances to check the accuracy of the information before using it. Given my finding that, for the purposes of IPP 9, the Respondent relevantly used the PI, the Respondent was required to take reasonable steps having regard to the purpose of use, to check the accuracy of the PI before using it.
73 If the Respondent cannot or does not show that such reasonable steps in the circumstances were taken then the clear inference is that it has not taken any such steps. The question then is whether the taking of no steps was reasonable in the circumstances having regard to the purpose of use of the PI: see JD at [67].
The Respondent's stated purpose for which the Dedicated Email was established and therefore the purpose for the subsequent collection of the Applicant's personal and health information using the Dedicated Email is to ensure the Applicant's enquiries and concerns are dealt with as efficiently and effectively as possible (i.e. the Respondent's Collection Purpose, see [119] and [120] below).
All of the Applicant's personal and health information in the Dedicated Email is available to all of the Respondent's Users at all times. Based on the evidence and submissions of the parties, the Respondent's Users' access to the Applicant's personal and health information includes full rights to modify, delete, send, create, print out and copy it with limited, if any, accountability, system restrictions or any other measures to ensure the accuracy (e.g. originality/non‑modification) of that information.
The Respondent presented little, if any, evidence and made no substantial submissions, in the circumstances of the access by the Respondent's Users as detailed in [9] above, as to what steps were taken by the Respondent to check, prior to each (or indeed any) use of the Applicant's personal or health information held in the Dedicated Email by the Respondent, the accuracy or relevance of that information and/or if its use would be misleading.
Based on the materials before the Tribunal and given the lack of evidence presented by the Respondent as to any relevant steps taken by the Respondent, I am satisfied that no such steps were taken by the Respondent. In this case the Tribunal must then determine if it was reasonable for the Respondent, in the circumstances of each use, to take no steps to check (a) the accuracy of the relevant information (including if it had been modified), (b) whether its use is relevant or (c) whether its use is misleading. The 'use' in this case is, at the very least, the access to and sharing of the Applicant's personal and health information by and among all of the Respondent's Users and the forwarding on/sending of any relevant information (e.g. as emails from the Dedicated Email using the associated email address) to other staff of the Respondent, others outside the Respondent and/or the Applicant for the Respondent's stated (or any other) administrative purposes.
Based on the material before the Tribunal, and my finding that the Respondent took no relevant steps prior to the use of the Applicant's personal and health information held in the Dedicated Email, I am satisfied that taking no such steps was not justified in the circumstances for the Respondent's use of the Applicant's personal and health information held in the Dedicated Email and, therefore, the relevant Conduct of Concern results in the Respondent contravening IPP 9 and HPP 9.
IPP 10/HPP 10
In order to consider if the relevant Conduct of Concern contravened IPP 10 and HPP 10 the Tribunal must first establish the 'purpose' for which the personal and health information was collected by the Respondent (Collection Purpose). Once the Collection Purpose is determined the Tribunal must then determine whether all of the relevant Conduct of Concern (in this case) uses were for that Collection Purpose or another purpose. If for another purpose, the Tribunal must determine if either (a) the Applicant consented to the use of the personal and health information for that other purpose or (b) that other purpose was directly related to the Collection Purpose and, in relation to any health information, that the Applicant would also reasonably expect the Respondent to use it for that other purpose. If either (a) or (b) is established then use for that other purpose is permitted, despite the general prohibition in IPP 10 and HPP 10, and there is no contravention of IPP 10 or HPP 10.
The Respondent submitted (and the Applicant did not challenge) that its Collection Purpose for collection of both the personal and health information using the Dedicated Email was to "ensure [the Applicant's] enquiries [and concerns] are dealt with as efficiently [and effectively] as possible" (see [84(7)] and [114] above) (Respondent's Collection Purpose). I am satisfied on the materials before the Tribunal that the Respondent's purpose for the establishment of and collection of the personal and health information using the Dedicated Email was the Respondent's Collection Purpose.
The Respondent's Collection Purpose or a directly related purpose allows the sharing of the relevant information within the Respondent to the relevant employee(s) where necessary for that/those employee(s) to undertake their specific duties as regards the specific inquiry or concern of the Applicant. However, neither the Respondent's Collection Purpose nor any directly related purpose permits the wholesale collection of, access to, use or sharing of all of the Applicant's personal and health information in the Dedicated Email by all of the Respondent's Users (a) at all times for any purpose, (b) for all of the Applicant's inquiries and concerns and (c) for all of the Respondent's responses to such inquiries or concerns (see IPPs 1 and 4 and HPPs 1 and 2). That is, collection of, access to or use of all of the information by the Respondent's Users irrespective of (in each case) whether or not there is an inquiry and/or the relevance of that information to the specific duties of each of the Respondent's Users in dealing with each of the Applicant's concerns or inquiries is not a use under the PPIP Act or HRIP Act for the Respondent's Collection Purpose or a directly related purpose. The Respondent's Collection Purpose and directly related purposes are limited to permitting the use of (i.e. collection of, access to and sharing of) only that relevant (and not all of the) personal and health information of the Applicant which is reasonably necessary for that individual Respondent's User/employee (but not all of the Respondent's Users) to undertake their relevant duties as regards each specific inquiry or concern of the Applicant.
From the materials before the Tribunal I am satisfied that not all of the personal and health information collected by and held in the Dedicated Email for the Respondent's Collection Purpose used by the Respondent in each case for each concern or inquiry of the Applicant was or is always reasonably required by all of the Respondent's Users in order for each to undertake their specific duties to deal with that specific inquiry or concern of the Applicant.
Without evidence to the contrary from the Respondent and based on the materials before the Tribunal and my findings above, I am satisfied that at least some uses (i.e. providing access to and the sharing) of the Applicant's personal information and health information collected by/held in the Dedicated Email by some of the Respondent's Users for some inquiries of the Applicant were not used for the Respondent's Collection Purpose or a directly related purpose.
I am also satisfied on the evidence presented by the Applicant that (a) several written objections and complaints were made by the Applicant to the Respondent, (b) the Applicant did not consent to or expect such other uses of their personal and health information and (c) that the Respondent was aware of such objections and complaints.
In conclusion, the relevant Conduct of Concern resulted in the Respondent contravening IPP 10 in relation to the Applicant's personal information and HPP 10 in relation to the Applicant's health information collected by and held in the Dedicated Email.
IPP 11/HPP 11
No submissions made or evidence submitted to the Tribunal by the Applicant established to my satisfaction that there was any disclosure (i.e. as understood under IPP 11 and HPP 11) of the Applicant's relevant personal or health information. Based on the materials before the Tribunal, I am satisfied that no disclosure of any of the relevant information pursuant to IPP 11 and HPP 11 was established and therefore the Respondent has not contravened either IPP 11 or HPP 11.
Damages and aggravated damages
On the materials before the Tribunal and my assessment of the Applicant in the Hearings, even in the absence of any independent evidence (e.g. from a health care professional) submitted by the Applicant, I am satisfied that the Applicant suffered harm, in particular distress, anxiety, embarrassment and humiliation and that such was caused by and resulted from the relevant Conduct of Concern in relation to which I have made findings of contraventions by the Respondent. Therefore, I am satisfied that damages are appropriate in the circumstances. However, despite the threats to do so made by the Respondent in its correspondence, without specific and persuasive evidence as to how the relevant Conduct of Concern caused the termination of the Applicant's PhD candidature and thus their loss of income, I am not satisfied that such was caused by the Conduct of Concern in this case.
Following the principles noted in [61], [62] and [63] above, and based on the materials before the Tribunal (in particular the Applicant's submissions and evidence) and the Respondent's:
1. flagrant and oppressive disregard for both (a) its obligations under the PPIP Act and HRIP Act and (b) the Applicant's rights under such legislation;
2. ignoring, summarily dismissing and its apparent contempt for the Applicant's numerous written complaints about and objections to the Dedicated Email prior to the IR Request;
3. various threats of disciplinary action and termination of the Applicant's PhD candidature if the Applicant did not agree to act contrary to their privacy rights and the Respondent's obligations under the PPIP Act and HRIP Act;
4. approach to and conduct of the AR Proceedings including the various delays, a significant failure to meet prescribed timelines (e.g. the s 58 ADR Act documents being filed only some 12 months after the AR Application and twice having to subsequently add to its s 58 ADR Act documents, including the latest addition being after the First Hearing) and that the s 58 ADR Act documents were still deficient (see [87] above); and
5. failure to address in its submissions and evidence much of the Conduct of Concern and the alleged resulting contraventions of the IPPs and HPPs detailed in the IR Request,
I am satisfied that aggravated damages are warranted to compensate the Applicant for both the significant exacerbation of the harm and damage and the additional harm (in particular the additional and extreme anxiety, distress and humiliation) suffered by the Applicant caused by the relevant Conduct of Concern for which there are numerous findings of contraventions by the Respondent and the Respondent's subsequent conduct in the AR Proceedings.
Remedies
Based on the materials before the Tribunal and my findings above I am satisfied that, as part of the correct and preferable decision by the Tribunal, the following remedies requested by the Applicant are, at least in part, appropriate:
1. a written apology from the Respondent for its contraventions of the IPPs and HPPs resulting from the relevant Conduct of Concern;
2. damages for hurt, distress and humiliation suffered by the Applicant and caused by the Respondent's conduct;
3. an order for the Respondent to comply with the relevant IPPs and HPPs as regards the Applicant's personal and health information collected and held in the Dedicated Email; and
4. an order requiring the Respondent to cease using the Dedicated Email.
Orders
1. The Respondent's internal review decision dated 15 February 2021 is set aside and replaced with the Orders below as the correct and preferable decision.
2. Order (4) of the Tribunal's Interlocutory Orders dated 13 May 2022 is, as at the date of these Reasons for Decision, set aside, replaced and superseded by these Orders.
3. Immediately after the date of these Reasons for Decision the Respondent will cease all use of the Dedicated Email and the associated email address.
4. Within fourteen (14) days of the date of these Reasons for Decision, the Respondent is to provide to the Applicant an unreserved formal written apology signed by the Chancellor of the University of Newcastle addressing and apologising for (a) the Respondent's contraventions of the IPPs and HPPs identified in these Reasons for Decision and (b) all harm, distress, humiliation and embarrassment caused to the Applicant resulting from such.
5. Within fourteen (14) days of the Applicant providing to the Respondent their bank account (or any other acceptable payment method) details, the Respondent is to pay to the Applicant a total of $22,500 as compensation for the harm suffered by the Applicant as a result of the relevant Conduct of Concern, which amount includes $15,000 in aggravated damages for the wholly avoidable exacerbation and aggravation of that harm and for the additional avoidable significant harm suffered by the Applicant caused by the Respondent's egregious and aggravating conduct as regards that relevant Conduct of Concern for which there are findings of contravention of the IPPs and/or HPPs.
6. Within fourteen (14) days of the date of these Reasons for Decision the Respondent will comply with IPPs 3 and 6 and HPPs 4 and 6 and provide the Applicant with the notice(s) and all information that is required to be (and should have been) provided by the Respondent under those IPPs and HPPs in relation to all personal and health information of the Applicant and uses and disclosures of such in the establishing and using of the Dedicated Email (including the associated email address) from the time of the creation of the Dedicated Email until the ceasing of its use in accordance with Order (3) above.
7. Within thirty (30) days of the date of these Reasons for Decision the Respondent must:
(a) perform IPPs 5, 9 and 10 and HPPs 5, 9 and 10 as regards the Applicant's personal information and health information, respectively, collected by (no matter where currently held by the Respondent) or currently held in the Dedicated Email by the Respondent; and
(b) implement such administrative measures necessary to ensure that, as regards the Applicant's personal and health information collected by (no matter where currently held by the Respondent) or currently held in the Dedicated Email, it has (i) taken reasonable security safeguards in accordance with IPP 5/HPP 5, (ii) taken reasonable steps to ensure the information used is accurate, relevant, up to date, complete and not misleading in accordance with IPP 9/HPP 9 and (iii) only use the Applicant's personal and health information in accordance with IPP 10/HPP 10.
8. For each of Orders (3) and (7) above, within seven (7) days of the date of the Respondent's compliance with each Order the Respondent must give the Applicant written notice signed by the Chancellor of the University of Newcastle confirming that it has complied with that Order.
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
Decision last updated: 13 March 2023
Catchwords: ADMINISTRATIVE REVIEW - Privacy and Personal Information Protection Act and Health Records Information Protection Act - alleged contraventions of IPPs 3, 5, 6, 7, 9, 10 and 11 and HPPs 4, 5, 6, 7, 9, 10 and 11 arising from the establishment and operation of an email account and address solely operated and controlled by the agency 'on behalf of' the individual - impact of agency policies on the agency's PPIP Act and HRIP Act obligations and the privacy rights of an individual - aggravating conduct of the agency and aggravated damages.
Legislation Cited: Administrative Decisions Review Act 1997
Civil and Administrative Tribunal Act 2013
Government Information (Public Access) Act 2009
Health Records and Information Privacy Act 2002
Privacy Act 1988 (Cth)
Privacy and Personal Information Protection Act 1998
Cases Cited: AIN v Medical Council of New South Wales [2017] NSWCATAP 23
ALZ v SafeWork [2017] NSWCATAD 52
ALZ v Workcover NSW (No 2) [2014] NSWCATAD 122
ALZ v WorkCover NSW [2015] NSWCATAP 138
AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179
BVV v Commissioner of Police [2020] NSWCATAD 182
CEU v University of Technology Sydney [2018] NSWCATAD 13
CJU v SafeWork NSW [2018] NSWCATAD 300
CPJ v The University of Newcastle [2017] NSWCATAD 350
DED v Randwick City Council [2017] NSWCATAD 327
Department of Education and Training v GA (No 3) [2004] NSWADTAP 50
Department of Education and Training v ZR (No 2) [2009] NSWADTAP 44
Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409
DTN v Commissioner of Police (No. 3) [2020] NSWCATAP 73
EEC v Federation Council [2020] NSWCATAD 169
EEH v Insurance and Care NSW (iCare) [2021] NSWCATAD 72
EJX v University of Newcastle [2022] NSWCATAP 105
EJX v University of Newcastle [2023] NSWCATAD 7
EJX v University of Newcastle [2023] NSWCATAP 105
EQ v Office of the Australian Information Commissioner (Freedom of Information) [2016] AATA 785
GA v Commissioner of Police, NSW Police Force [2004] NSWADT 254
GR v Department of Housing [2003] NSWADT 268
GV v Office of the Director of Public Prosecutions [2003] NSWADT 177
Hall v A & A Sheiban Pty Ltd (1989) 20 FCR 217
Insurance and Care NSW v EEH [2021] NSWCATAP 350
JD v Department of Health (GD) [2005] NSWADTAP 44
JD v Director General, NSW Department of Health (No 2) [2004] NSWADT 227
JD v NSW Medical Board (No. 2) [2006] NSWADT 345
KT v Sydney Local Health Network [2011] NSWADT 171
March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506
NK v Northern Sydney Central Coast Area Health Service (No. 2) [2011] NSWADT 81
NX v Office of the Director of Public Prosecutions [2005] NSWADT 74
PN v Department of Education and Training [2010] NSWADTAP 59
Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4
Rummery and Federal Privacy Commissioner (2004) 85 ALD 386
WT v Auburn Council [2007] NSWADT 253 at [27]
Texts Cited: NIL
Category: Principal judgment
Parties: EJX (Applicant)
University of Newcastle (Respondent)
Representation: Counsel:
First Hearing - Ms V Bulut (Respondent)
Second Hearing - Mr L Meagher (Respondent)