On 12 December 2022, FQS (the Applicant) filed an application for administrative review of certain conduct of concern of the Respondent. She alleged that the Respondent had breached unspecified provisions of the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act) and unspecified Information Privacy Principles. The application was filed pursuant to s 55 of the PPIP Act.
On 25 February 2022, the Applicant lodged a contact form with the Respondent, in which she stated:
Dear Sir / Madam, I am making inqurie about the corruption which was over the years, as result this I am making inquire about the process of sending information. I did involve the human rights, they deny things occurred in the work place and it is ongoing issues. I have notified the Federal Government as a result of that I have been tagged and labelled, currently looking for jobs, and I have rejected more than 200 jobs. I am decided to submit my matter to Supreme Court for what has happened over the years. This was involved with the NSW department of health and Liverpool Hospital, then involved the case further to UNSW. Looking forward to hear from you…
On 25 February 2022, the Respondent sent an automated response email to the Applicant, advising her that she would soon received correspondence and that it aims to treat all information received and all sources of information confidentially, but in some cases this may not be possible. It concluded:
If you wish to provide any further information, please submit it to the Commission at (email address provided).
On 2 April 2022, the Applicant sent an email to the Respondent and stated:
…I am attaching a PDF file summary of the events occurring due to ongoing corruption.
I tried my best to bring to the attention of the Minister of Health - Mr Brad Hazard. But unfortunately, he avoided both Federal and State governments' instructions. As a result, I had to re-write both governments and seek advice, and I have received the same direction from State Government to contact Mr Brad Hazzard.
I have also included the other documents where I have been asked to contact Mr Brad Hazzard, and he is still not responding. I have been waiting for months. As a result, I have been writing several times since 2020. Mr Brad Hazzard is aware of all the incidents from 2018 to 2021. I do not understand why he avoids seeing me or allowing a person to meet with me so I can discuss this further.
As a result of ongoing issues, I have asked the Australian Human Rights to assist me, and they were looking at the aspect that they can provide help.
I will not be doing the job as I used to due to what they have done to me. I am not seeking any compensation or apology. I do not understand why I have to come to this position, and I will no longer be doing the same job, as it was painful enough to come this far. I hope this summary helps your department reduce corruption and improve medicine, health, research and academic situations. So no other person ever goes through the same I did. No patients or clinicians should suffer as a result of corruption. Australia should not see this sort of corruption.
In her "PDF Summary", the Applicant stated that she was submitting her report to the Respondent for investigation of corruption and fraud "in multi-organisation sectors". She alleged that "a significant number of incidents" occurred at Liverpool Hospital's intensive care unit that "put me in a bad situation". She also stated, relevantly:
…I lost privacy, dignity, civil rights, and identity, faced insufficient naming, malicious gossiping, a period (of loss of speech, loss of cognition), difficulty in finding a job, isolation which I had no choice to protect, made my life difficult in public.
I am not seeking an apology from those organisations and the individuals involved who put me in that bad situation. I am not seeking compensation. Instead, I hope for a better system where corruption and fraud become lesser in this country, so no other human being ever experienced what I did over the years…
In the PDF Summary, the Applicant set out a number of "Case Studies" of incidents that she described as occurring within multiple organisations. She also attached copies of correspondence between Liverpool Hospital and herself and the Hon Gabrielle Upton and herself.
The Respondent assessed the information submitted by the Applicant but decided not to conduct an investigation. Despite being advised of that decision, the Applicant continued to send information to the Respondent, including:
1. On 4 September 2022, the Applicant sent an email to the Editor of the Washington Post, in which she asserted (amongst other things) that she had lost all of her opportunity of her job in Australia and had become labelled as "Mental" my Mr Brad Hazzard. She also stated:
…Applied for 500 jobs and been rejected, been writing to get help and I become subject of humiliation and the worse was my privacy no longer had meaning with the Australian Telecommunications System. They had entery to my home, my car my life and what I am now doing keeping myself safe trying to move forward and keep applying for job for US so I can move on with my life. I did not understand that why my PhD had to led me to direction of loss of everything. I am writing with hope somehow there be someone out there to help me. O been writing to our Prime Minister with hope he gets my writings and see what has happened to me…
I do not know what else I can do, no money can heal my pain but to go and the worse of knowing that I helped mankind put me through this path…
1. On 7 September 2022, the Applicant sent a further email to the Editor of the Washington Post, in which she stated:
I try to ring and speak to your department to get help, my hacking is ongoing issues and still due to what they did to me given my informational to those international Islamic Regime of Iran…
Please forward these details so that I can get help am trying to reach out to the ADF and they not seeing my matter seriously and NSW Police had to deal with the ongoing mess situation and I want myself out of this situation. Those hackers are well trained they took over my life, my movement and put me into this path of ongoing issues… This is a mess that created by the NSW Minister of health Brad Hazzard and former Premier Gladis Balijican and I should not be in this situation am not a politician…
1. On 7 September 2022, the Applicant sent an email to multiple persons at The Washington Post, which was copied to the Respondent, in which she stated, relevantly:
…I am in the mess that created by the former Premier and also NSW Minister - Mr Brad Hazzard who basically knew about ongoing corruption of Liverpool Hospital my presence was used and I was abused and my PhD completed in cost of my dignity, identity, reputation and my everything and worse I was handed to the Islamic Regime of Iran hackers, and am getting help of NSW Police to keep me safe but why I have to be in this mess. I am not politician the mess created due to rapid corruption, and I have to keep reaching out to NSW Police to get help. I am unemployed, because my life in hands of hackers, I am female alone and doing best to move forward. I cannot believe am in this situation because of dealing with politicians that put me in the direction of hackers. This is not Islamic regime of Iran.
I been tagged as mental by NSW gov/NSW Minister of Health Mr Brad Hazzard. I am mental because I agree to help and I did not know a mental person can study but I did not know they will hand me to Islamic Regime of Iran hacker. Why NSW Police had to look after my messy case.
I have to beg to get a letter of recommendation. I must beg to get somewhere and rapidly have to explain myself because of ongoing corruption. NSW Police had to deal with my messy case. There is law if a woman wants to get pregnant if that announce in TV and the next minute the door is open. But there is no law to end the ongoing corruption and messy situation that NSW Police had to deal with my ongoing case. My case is 4 years cases, I am in this position because agree to help in cost of everything…
NSW Police should not deal with my messy situation. Please stop those local to come after me and stop hacking me and open the door to another English-speaking country and to end this mess situation. It's been four years to the point am writing because I have nothing left…
Require help to move on with my life and no longer want to be in the centre of hackers which is intentionally I been put to, so they isolate me. I am doing best, please Optus do not close my case and do know that I am moving forward, want to end this messy situations which am in for four years…
On 2 November 2022, the Respondent advised the Applicant that while it would consider any further information that she provided to it in writing, it would not contact her again unless the further information differed substantially from that which it had already received.
On 4 November 2022, the Applicant completed an Internal Review Application Form, in which she alleged that the conduct occurred in April 2022 and that she became aware of it in May 2022. She described the "conduct" as follows:
I reported the ongoing corruption within Liverpool Hospital, Sydney, Australia, and those organisations associated with the Liverpool Hospital. Those reports were asked to be sent by the ICAC department. I had nowhere else to reach out to as soon as I provided those files to the ICAC department. I was poorly attacked, followed by the gang, hacked, verbally abused, and worse, punished; my details were given to the Islamic Regime of Iran hackers and those associated working with that regime. I lost the opportunity of more than 500 jobs and became unemployed, and had to reach out everywhere for my safety. Those hackers managed to stroke my visit anywhere and even had access to my medical records and did everything with those records. I contacted Mr Micheal Firor in this relation, but he did not take my matter seriously. He told me to get the NSW Police for help, and regarding the job and my future, he told me the government had nothing to support me and that I should reach out to the private sector. My details are in the hands of international criminals. I came to Australia as a political refugee. In those years, I served the Australian public sector; I was shocked to see this advice given by an Australian organisation that was supposed to deal with anti-corruption. This is Australia, not the Islamic Regime of Iran, my data was bridged at the ICAC department, and I was treated like a person with no rights. Why does this organisation even word where no protocol for safety has? To get help. I had to reach out to the international police force FBI; my case was so tense that those hackers had been following me to that extreme as soon I joined my network to the Optus telecommunications been hacked; if your organisation could not deal with extreme cases of like my case why they put me in this position it is a total crime, and it is absolute corruption. Can ICAC return my safety? Can ICAC help me with those international criminals whom they trained to internally to be any organisation? My case was four years since I agreed to allow the former NSW gov/ and NSW Minister of Health. This is an absolute scandal how my data was released by the ICAC and put me in this ongoing issue. For physical safety, I have to reach out to the police, and for my ongoing hacking problems, I have to keep reporting to Australian Cyber Security; those criminals were not only after me. They almost cost the lives of thousands of police forces and those trying to help me. My data was bridged, and I am currently reaching out to another English-speaking Country to build some future. I have lost everything: my reputation, dignity, and identity; former Premier of NSW… and NSW Minister of Health… were aware of my ongoing issues, health failure, and ongoing problems. They guaranteed my safety; otherwise why would I be staying my doctorate study? This is life. I am living now. Can ICAC protect the rest of my life? Can ICAC explain, if they could not help, why they bothered to ask for those files and bridge my privacy? Why was I told to take my matter to the media is what your member at your organisation told me. Is this how Australia functions? If I were after money, I would do such a cheap act to the media and lawyers. I came for my safety in Australia, which I am grateful Commonwealth helped; I am shocked at how ICAC allowed my data to be bridged and put me in this situation. What kind of future am I going to have? This is a matter of my safety and the Country's national security. An organisation like ICAC should be dealt with to end the ongoing corruption. Instead, I am dealing with the corrupted work of members of ICAC who did nothing but allow my data to be exposed and then be in this position. Those internal hackers did enough damage to any organisation; they knew about my presence and did everything they could to destroy me. I do not think even ICAC understood the meaning of political refugee, hacking and dealing with international criminals. Currently, telecommunications commissioner, Optus, police and Australian Cybersecurity are working, and I have to reach out rapidly to the Federal Government to get advice. The Privacy department has been on the side trying to help me. This happened as a result of a negligent data bridged data in the ICAC department.
I have been reaching out internationally to get help in any form I could. All those files are with the FBI department, NSW police, federal police was notified several times, Australian Cybersecurity, and scammer watch. The irresponsible behaviour and careless action of the ICAC department allowed this case which was initially messy and heavy, to become much worse than allowed any other outside to take advantage of the situation.
In answer to the question - "What would you like to see the agency do about the conduct?", the Applicant stated:
I want my dignity, identity and reputation back, and can the agency help me with my safety and future? Can ICAC notify the wrongdoing of the media? I have no desire to do that. I leave for your department (ICAC) to report the misconduct and mischief to the press. I worked those years with dignity and did my best to be a citizen that helped in silence; I do not regret that I helped all those years, but I am shocked at how Australia ICAC acts like those acting like the Islamic Regime of Iran. ICAC did not understand the meaning of refugee, safety, national security, personal security and war. I want that ICAC behaviour and those who have committed corruption to the criminal courts of Australia and internationally (to deal with those international criminals). If ICAC cares for Australia and wants to take responsibility and take this matter under its wing and try to change the system so no one ever suffers because of helping and should not experience my path, then change the system. Australian Government organisations should not behave like the Islamic Regime of Iran.
On 6 December 2022, the Solicitor to the Respondent sent a letter to the Applicant by email, which stated, relevantly:
The Commission has received an application/complaint made by you pursuant to s 53 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act). The application/complaint was received by the Commission on 4 November 2022.
I understand the issue raised by you to be that information you provided to the Commission has been "hacked" and, through the negligence of the Commission, there has been a data breach within the Commission which has resulted in information relating to you being released.
Section 54 of the PPOP Act requires an agency that receives an application under s 53 of the PPIP Act to notify the Privacy Commissioner. The Privacy Commissioner has been notified of your application and has advised that she does not intend to make any submissions in relation to this matter.
I have conducted an internal review as required by s 53 of the PPIP Act. This has involved the Commission's Manager, Technology Services and Service Delivery undertaking an audit of the Commission's records relating to you. No evidence has been found of any compromise to the security of that information the audit did however identify that in some correspondence with the Commission you copied your emails to a number of other email addresses.
In these circumstances, I am satisfied there has been no breach of your privacy by the Commission. Accordingly, the Commission will not be taking any further action with respect to this matter.
The Respondent advised the Applicant of her rights to seek an administrative review by this Tribunal and I am satisfied that it complied with its notice obligation under s 53(8)(c) of the PPIP Act.
On 7 December 2022, the Applicant sent an email to the Solicitor to the Respondent, in which she stated:
Disagree my case was exposed by your colleague Mr Michael Froni. After he told me to get help from NSW police force I was severe attacked by local and my details were given to the international criminals. I had to file report to FBI. And I am going to seek for investigation as you have not doing your job again.
I would like external parties involve fully in investigation of my matter and I will notify the NSW police force as well the FBI in requesting to help me in this matter. After my name was exposed by your department I have been in hands of international criminals. Your colleges mentioned to me to go to the media. It is a shocking to see is happening in Australia when I reach out for help to the government agency mentioned to me to get help through media.
This is embracing for a 1st world country like Australia. I would like this matter to be investigated fully as your department failed in its duty and put me in bad situations…
On 7 December 2022, the Solicitor to the Respondent sent a further letter to the Applicant by email, in which he stated, relevantly:
…As I advised you in my letter of 6 December, there is no evidence of any compromise to the security of any information relating to you held by the Commission. No information you provided to the Commission has been "exposed" by the Commission and there has been no breach of your privacy by the Commission.
In these circumstances, as previously advised, the Commission will not be taking any further action with respect to this matter.
On 23 December 2022, Mr McDonnell sent an email to the Applicant, enclosing a copy of the Notice of Representation filed with the Tribunal. He also stated:
It would appear that you are alleging that the respondent has breached one or more of the information protection principles in Division 1 of Part 2 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act) by releasing your personal information.
I wish to draw your attention to s 27(1)(a) of the PPIP Act which provides that unless the conduct was "in connection with the exercise of its administrative and educative functions" (s 27(2)):
27 Specific exemptions for certain law enforcement agencies
(1) Despite any other provision of this Act, the following are not required to comply with the information privacy principles -
(a) the Independent Commission Against Corruption, …
As the respondent is not required to comply with provisions such as the prohibition on disclosure in s 18 or retention in s 12 of the PPIP Act, there can be no breach of those provisions.
Accordingly, I would invite you to seek legal advice or withdraw your application to the Tribunal prior to the case conference scheduled for 23 January 2023…
On 18 January 2023, the Applicant sent an email to Mr McDonnell, in which she stated that she would be representing herself in the proceedings. She also stated:
As I mentioned I am not in a position to trust any lawyer, due to the nature of my background, and the sensitivity of the case. The further it goes this case it become more high risk for those be involve. I am already been dead not once and they attempt.
I am looking forward to present my own case and let the judge decide. Whatever I did was for this country - Australia, which I name it as home as I am the citizen of it. I have nowhere to go yet, as am still trying to see which other English-speaking country can take me.
It is unfortunate what happened and my intention to use my pen and seeking knowledge to help mankind. It is a shame to see if I give my case to any lawyer see it as a subject of making money.
I simply and repeatedly mention this before. I was not after seeking money. What I am after is justice and somehow end the corruption.
Australia had a population of only 26 million, how is this country going to survive when it population reach 80 million? Is this country going to have a path of Islamic Regime of Iran, then I leave this to judge to decide.
On 20 January 2023, the Applicant sent a further email to Mr McDonnell, in which she stated that it is "very risky for me to discuss anything now with any ordinary lawyers". She also stated:
I did not served the country and sent those files to get money and walk out of this just simply. Now am dealing with the international criminals, it hurts me this been evidence in Australia. I am hoping soon my matter gets in hands of Commonwealth. My identity should not be released to those associated with Islamic Regime of Iran and I was punished for just because simply helped.
I just want to keep myself safe and have some stability carry out my research and study able to work regardless of what has happened. Their attempts to kill me I leave that to Australian Government - police and international police force.
I am very upset how the reckless behaviour of those just used my position, and name to clean up the years of mess. I have no regret to help. If I was after money, would take one of those 5 lawyers that I spoke to in initial incidents of what the Liverpool Hospital did to me in 2020. Now is very messy, I want to just somehow get more stages and stability.
If they want to kill me they can, because I am ready for it, when I left Iran I was dead, but somehow years made it, now just want to find why those useless human did these things to me, in cost of not my life only but also those police forces. I lost everything, the only thing left for me is single pen.
[2]
Procedural directions
Senior Member Montgomery conducted a case conference on 23 January 2022, at which the Applicant appeared in person and Mr J McDonnell, Crown Solicitor's Office, appeared for the Respondent. The Senior Member made an order under s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW) (the NCAT Act), which prohibited the publication or broadcast of the Applicant's name. He also ordered the Applicant to file and serve her evidence, including statements, documents and a summary of legal arguments about the alleged conduct and about any financial, psychological or physical harm suffered because of the conduct, by 6 February 2023. He ordered the Respondent to file and serve all material in Reply and any application for dismissal by 20 February 2023. He ordered the Applicant to file and serve any material in reply by 6 March 2023. He also made the following orders:
5. Having afforded the parties an opportunity to make submissions under s 50(3) of the Civil and Administrative Tribunal Act 2013, and having considered the submissions made, and being satisfied that any dismissal application (the dismissal application) can be adequately determined in the absence of the parties by considering the written submissions and other documents and material provided to the Tribunal (the papers), a hearing on the dismissal application is dispensed with, and the dismissal application will be determined on the papers.
6. Either party my apply to have the matter relisted to deal with the dismissal application should the need arise.
[3]
Issues for determination
The real and substantive issues between the parties are:
1. Whether s 27(1) of the PPIP Act operates to exempt the Respondent from compliance with ss 12 and/or 18 of the PPIP Act in the circumstances of this matter.
2. If 'yes', whether the proceedings be dismissed pursuant to s 55(1)(b) of the NCAT Act on the basis that the Tribunal considers that they are frivolous or vexatious or otherwise misconceived or lacking in substance.
3. If 'no', has the Respondent breached ss 12 and/or 18 of the PPIP Act?
[4]
Relevant legislation
Section 12 of the PPIP Act provides:
12 Retention and security of personal information
A public sector agency that holds personal information must ensure -
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
Section 18 of the PPIP Act provides:
18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless -
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
Section 27 of the PPIP Act provides, relevantly:
27 Specific exemptions for certain law enforcement agencies
(1) Despite any other provision of this Act, the following are not required to comply with the information privacy principles -
(a) the Independent Commission Against Corruption,…
(2) However, the information protection principles do apply to a public sector agency mentioned in subsection (1) in connection with the exercise of the agency's administrative and educative functions. which, in summary and most relevantly, provides:
[5]
Scope of administrative review proceedings under the PPIP Act
The scope of the current application for administrative review is limited by the internal review request and the scope of the internal review request, which set out the conduct of concern, is a matter of fact to be determined by objectively and reasonably construing the internal review request.
The Tribunal's role is to consider the conduct afresh, based on the evidence and material before it at the time of the hearing: Drake v Minister for Immigration and Ethnic Affairs (1979) 46 FLR 409 and KT v Sydney Local Health Network [2011] NSWADT 171 at [64].
There is no dispute that the current application for administrative review and these proceedings are within the scope of the internal review request, in particular the conduct of concern as set out in that request.
[6]
Applicant's evidence and submissions
On 25 January 2023, the Applicant filed her evidence, in the form of a letter to the Tribunal. She alleged that sixty-five files were filed with the Respondent by email in April 2022 "instructed by Mr Michael Froni". After filing those documents, she "became compromised and was under severe verbal abuse by any race from local, followed by the high". For her safety, she "had to reach out to police, follow their instructions, and report all the incidents through the Australian Cybersecurity website". The Respondent's website did not have the option of uploading files and due to their size, she sent three emails to ICAC, but after sending them, "…my email shut down, and I had no more access. I had the activities on my online. I had to call the police for safety and follow their instructions.
The Applicant stated that she filed a complaint with "the Microsoft department", and she notified the police, but she is "still waiting to hear back from the Privacy Commissioner about their investigations". She then had to change her network, but she still has issues and "telecommunication is helping me to secure my communication with the ongoing challenges". She also stated:
…Only recently, on 23 January 2023, the ICAC told me that my email was used and had the information of cc to others. The same thing has happened with the other emails that I have created. I have had to use the icloud.com hide features to develop many email addresses to communicate with various places to prevent those hackers from being able to follow me.
Only I and the ICAC department had access to those files.
Centrelink local told me to remove the file even from my record where I put the threat of Liverpool Hospital. That file was also given to your department.
Those hackers are well aware of any organisation I have been communicating with - internally using any organisations to stop my communication to seek help.
ICAC knew about my files, the disadvantages I had, and the period of loss of speech, facial problems and loss of almost vision. ICAC knew the status of how I entered Australia, with refugee status and ICAC asked for those details.
I forward every detail to ICAC. This put me at a considerable risk of being unsafe, and they did not bother to contact me. ICAC knew about my refugee status and how I had to reach out for my safety to Human Rights, and previous federal government, and the NSW government.
After filing those reports with ICAC, I was under severe pressure and attack, and for safety, I had to reach out to the police on May 2022. So to seek help, I reach out to the ACT, which is underway coming back. In my home mailbox is a card of appointment for the mental health institution left by the NSW Liverpool Hospital. I had to go police station to get help. They mentioned it was from NSW gov/NSW health and asked me to wait to be seen by the team is coming.
I was interviewed by two females who did not introduce themselves. Only they did it after the interview and questioned the monetary value of my next PhD project and their insistence on taking me to the hospital to scan my brain. These two women carried the idea of NSW health on them; they knew about the system and me. All these incidents started after filing those files to the ICAC department.
The Liverpool Hospital harassed my mother after losing I lost my identity due to filing those documents to your department.
If I had been informed that filing those files will be put me at high risk with ICAC, I would not file anything to put myself in this situation. However, my status of safety and network became much worse when I notified ICAC through email.
This almost cost the life of not me but the police force. I report the ongoing corruption with various departments to your department. The hackers well knew about the Australian system, and I am doing my best to keep informing anyone I can and to get help. They are internal hackers. I have given all the evidence to your department through 65 files about ongoing stressful situations I was facing from 2018 to 2021 as a result of the initial report of corruption of Liverpool Hospital to UNSW, where the previous Federal Government was well aware of my situation.
Corruption allowed hacking to steal and destroy my reputation, loss of identity, have my identity completely exposed to international criminals. After losing my identity and filing those files, I suffered more severe attacks and difficulties with the help of NSW police, trying to move forward. This is because the internal criminals and those hackers repeatedly try to reap me, and I have filed all those incidents and reached out for help to the NSW police forces under case number (number provided). The internal corruption and internal hackers caused enough confusion. I have to seek GIPA to ensure those criminals have not touched my police records because they have access to all my details. Repeatedly I have notified places with anything changes and physically go places so they can see me. I have no more normal life. After filing those documents to your department, I had a lady exactly looking like me follow me in the street. They are doing everything to destroy me.
It made me unemployed and lost dignity, my identity reputation caused my safety, and for every incident, I have reached out to the police. As a result, I am doing my best to leave the country and have some stability.
Twenty years never had issues to this extreme that, for my safety reached out to the police readily. This started after filing those files to the ICAC department due to the bridge of data and privacy. When I reached out to Mr Michael Froni, he clearly stated that Government needs something for me to reach out to the NSW police and private company. It is shocking to hear such advice from a member of ICAC and put me at risk the same others, who were doing their best to help me. Forty thousand police are not equipped with high te4chnology, and ICAC did know about the files.
My privacy bridged put me at this high risk where for my safety, I had to reach out to the police. I had to deal with Centrelink's unprofessional behaviour, and verbal and emotional abuse at two places (Liverpool and Fairfield), who wanted me to remove a file from the record about the corruption of Liverpool Hospital's behaviour for how they put the threat on me and ICAC is aware of that file. This has happened recently, and the police are well aware of it the Centrelink has done.
Attached with this letter is the information of my repeatedly contacting the various department to get help as a result of my exposure of my privacy of data with ICAC department…
The Applicant annexed a schedule comprising 75 pages of her contact/reporting of alleged incidents to multiple organisations to her Submissions.
However, I note that the Applicant did not address the matters raised in Mr McDonnell's email to her in December 2022 and she did not address the exemption under s 27(1) of the PPIP Act.
[7]
Application for dismissal and the Respondent's written submissions
On 20 February 2023, the Respondent filed an Application for Miscellaneous Matters, which sought an order that the proceedings be dismissed under s 55(1)(b) of the NCAT Act. The grounds of the application are set out in the Respondent's written submissions, which are summarised below.
The Respondent referred to the Applicant's submissions dated 23 January 2023 and noted that she appeared to allege that it: (1) Disclosed her personal information in breach of s 18 of the PPIP Act; and (2) Failed to protect her information against unauthorised access, use or disclosure in breach of s 12 of the PPIP Act.
The respondent argued that the Tribunal's power to dismiss proceedings under s 55 (1)(b) of the NCAT Act is to be construed broadly to capture any kind of abuse of process that can reasonably be seen to fall within the four categories of conduct: BDK v Department of Education and Communities [2-15] NSWCATAP 129 (BDK) at [66], which was approved in Minister for Education and Early Childhood Learning v Zonnevylle [2020] NSWCA 232 at [45]. It is a discretionary power: Hariz v Commissioner of Police [2021] NSWCATAD 6 at [39]; Samuell v Medical Council of New South Wales [2020] NSWCATOD 149 at [1].
The respondent stated that the words "frivolous, vexatious, misconceived or lacking in substance" have been held to refer to "the insufficiency or to the absence of merit or factual basis for the allegations made in the complaint rather than to whether the complaint is one within the provisions of the Act at all": Langley v Niland [1981] 2 NSWLR 104 at 107, cited by the Tribunal in Eagle Arts and Vocational College v State of New South Wales [2018] NSWCATAD 147 at [26].
The respondent argued that proceedings are "misconceived" if no cause of action is disclosed because there is a misunderstanding of legal principle: Alchin V Rail Corporation NSW [2012] NSWADT 142 at [26]. Further, proceedings are "lacking in substance" if the complaint is based on "an untenable proposition of fact or law" or is otherwise not "reasonably arguable": Chalker v Murrays Australia Pty Ltd [2016] NSWCATAD 283 at [22]; Braiding v Charles Sturt University [2016] NSWCATAD 90 at [27], which the Tribunal applied in Hariz at [42].
The respondent submitted that these proceedings are lacking in substance because there is no evidence to support the essential elements of the Applicant's complaint: see, by analogy, Riseley v Suncorp Portfolio Services Ltd [2022] FCAFC 8 at [102]-[103]. Specifically, it stated that the Audit conducted on 14 November 2022 found no evidence that its systems were hacked by external parties (grounding a possible breach of s 12 of the PPIP Act) or that information relating to the applicant has been released by its staff (grounding a possible breach of s 18 of the PPIP Act).
Accordingly, there is no material before the Tribunal that could lead to a sound conclusion that the Applicant's personal information was disclosed, and in turn, not stored securely. The absence of evidence has the effect that the complaint is not reasonably arguable. The proceedings should be dismissed because they are lacking in substance.
The respondent argued that the proceedings are misconceived, as even if the Applicant's personal information was disclosed, s 27 of the PPIP Act would apply to exempt it from compliance with the Information Privacy Principles (the IPPs). This provides, relevantly:
27 Specific exemptions for certain law enforcement agencies
(1) Despite any other provision of this Act, the following are not required to comply with the information privacy principles -
(a) the Independent Commission Against Corruption, …
(2) However, the information protection principles do apply to a public sector agency mentioned in subsection (1) in connection with the exercise of the agency's administrative and educative functions.
The respondent stated that s 27(1) confers upon it a blanket exclusion from compliance with the IPPs in respect of all of its activities, subject only to the qualification set out in s 27(2): Commissioner of Police, NSW Police Force v YK (GD) [2008] NSWADTAP 28 at [20]. The starting point is that all of its functions have the benefit of the exclusion in s 27, unless the activity is brought back under the regulation of the PPIP Act because it is an administrative or educative function: see Cavallaro v Commissioner of Police [2020] NSWCATAD 132 at [116]; EFR v Commissioner of Police [2020] NSWCATAD 159 at [30].
The effect of the immunity afforded by s 27(1) "is not without controversy": AEC v Commissioner of Police, NSW Police Force (GD) [2013] NSWADTAP 30 at [30]. However, in recent times, the Tribunal has rejected the "core/non-core" distinction that had been previously drawn and concluded that the word "administrative" in s 27(2) of the PPIP Act bears its ordinary meaning of "relating to administration; executive; administrative ability; administrative problems": CTU v NSW Police Force [2017] NSWCATAD 204 at [18], which was cited by the Tribunal in EFR at [31]. Administrative functions include, but are not limited to, "corporate services areas performing functions such as personnel, budget and information technology": EPR v Commissioner of Police [2021] NSWCATAD 237 at [23].
For an act to fall within the meaning of an "educative function" of an agency, it requires "something more than [the] mere provision of information: AEC at [34]. For example, the Tribunal has found that work done by the NSW Police Force "in connection with community and school education programs, as well as in relation to its internal education and training programs" is part of its educative functions: HW v Commissioner of Police, New South Wales Police Service [2003] NSWADT 214 at [31] (HW).
In this matter, the asserted breaches of the PPIP Act are alleged to have occurred after the Applicant emailed documents to it in connection with her complaint about suspected corrupt conduct. It then dealt with those documents, and the personal information contained within them, for the purpose of making a preliminary decision as to whether to investigate the complaint.
Section 13(1)(a) of the Independent Commission against Corruption Act 1988 (NSW) (the ICAC Act) provides that the investigation of complaints about suspected corrupt conduct is one of its principal functions. The function of assessing documents provided by complainants for the purpose of determining whether to investigate cannot, on any view, be appropriately described as an "administrative or educative function". Therefore, s 27(2) of the PPIP Act is not engaged and the conduct falls squarely within the exemption in s 27(1)(a).
Further, even if there had been a disclosure of the Applicant's personal information, it would not be open to the Tribunal to conclude that the Respondent breached either s 12 or s 18 of the PPIP Act. Therefore, the current application for administrative review is based on a misunderstanding of legal principle as it does not have regard to the effect of s 27 of the PPIP Act.
Accordingly, the respondent concluded that these proceedings should be dismissed under s 55(1)(b) of the NCAT Act.
[8]
Consideration and Findings
The IPPs are set out in Div 1 of Part 2 of the PPIP Act (in ss 9-19). Div 2 of Part 2 of the PPIP Act includes general provisions, including s 20, which states that the IPPs apply to public sector agencies, and s 21, which states that a public sector agency must not do anything or engage in any practice that contravenes an IPP applying to the agency.
However, Div 3 of Part 2 of the PPIP Act provides specific exemptions from the PPIP Act and compliance with the IPPs. The Respondent relies on the specific exemption applicable to it in s 27(1)(a) of the PPIP Act. However, under s 27(2) PPIP Act the exemption granted by s 27(1) does not apply to the agency "in connection with the exercise of their administrative and educative functions".
The interpretation of s 27 of the PPIP Act and, particularly the term "administrative" as used in s 27(2), has been considered in a number of decisions of this Tribunal and its predecessor, the Administrative Decisions Tribunal.
In HW, the Administrative Decisions Tribunal distinguished between what it described as "core" responsibilities of the New South Wales Police Force, which would not be described as "administrative", and other responsibilities which are not part of the core responsibilities of NSW Police:
25 The question therefore is where does the conduct in issue lie along the spectrum of the operational areas identified by s 27. The section seeks, I consider, to draw a distinction between the core responsibility of the Police Service and its 'administrative' and 'educative' functions.
26 The provision of 'police services' could perhaps be described as the core responsibility. Another way it was put in submissions was that its core responsibility was 'law enforcement'. The Police Act 1990 s 6 provides that the Police Service has three functions, the first of which is 'to provide police services for New South Wales'. 'Police services' are defined as follows:
"police services" includes:
(a) services by way of prevention and detection of crime, and
(b) the protection of persons from injury or death, and property from damage, whether arising from criminal acts or in any other way, and
(c) the provision of essential services in emergencies, and
(d) any other service prescribed by the regulations.
27 A broad interpretation of 'administrative functions' may be appropriate in a legislative scheme which does not otherwise compartmentalise the functions of a public sector agency (as I considered to be the case in relation to the way that expression applies to the Police Service in the setting of the amendment of personal record provisions in the Freedom of Information Act 1989: see N (No. 3) -v- Commissioner of Police, New South Wales Police Service [2002] NSWADT 34 (subject to appeal)). However in s 27 the Parliament has taken a compartmentalised approach to the functions of the law enforcement agencies mentioned. The division, as I see it, is as between their core responsibilities and those responsibilities which are not part of their core responsibilities. In particular the meaning of the word 'administrative' is to be read down so as not to embrace those core responsibilities. Similarly 'educative' responsibilities, which might on one view simply be a component of 'administrative' activity are to seen as separate from administrative responsibilities and again not forming part of the core responsibilities.
28 In my view the activities of a police officer in supporting a prosecution, at least where he or she is asked to exercise independent discretion and judgment in performing a task, are activities that form part of the core responsibilities of the Police Service. The fundamental responsibility of the Police Service is the investigation of crime. While the Police Service's responsibility for investigation is usually at an end by the time a case has gone to the District Court for trial, there may be a continuing need for some activity of that kind. In this instance the prosecution team called for a further narrow work of an investigative kind to be done. The means to be used was a subpoena for documents. This in my opinion was work of a investigative nature (though not connected with the crime itself) and related to the Police Service's core responsibilities.
29 It was not 'administrative' in the sense in which I consider this term is used in this Act. In order for the primary provision, s 27(1), to be given effect, the term cannot be used to refer to the entirety of the administrative activity of the Police Service, which includes the investigation of crime. Read in context, I am satisfied that it is intended to have a narrower compass going to those aspects of the operation of the agency that, as I see it, do not directly involve the carrying out of the core responsibilities. As I see it, 'administrative' when used in contradistinction to s 27(1) and alongside the term 'educative' seeks to refer to those activities of the Police Service that have to do with providing administrative support for the conduct of its core responsibilities.
30. So, for example, corporate services areas performing functions such as personnel, budget and information technology involve the performance of 'administrative' functions. There may be areas of the Police Service where the characterisation of the activity in terms of core/administrative/educative may vary depending on context that has given rise to the conduct in issue. (The handling of criminal records may provide an example where in some instances the disclosures occur in the course of the investigation of crime, while in other instances they are done administratively, for example for background checks on prospective employees. The exception in s 27(2) may also cover licensing responsibilities vested in the Commissioner, such as for firearms licensing and security industry licensing. It is not necessary to pursue these questions any further here.)
In YK, the Appeal Panel disapproved of the reliance on a "core" and "non-core" distinction in respect of the activities of the New South Wales Police Force and stated:
17 In our view, the Tribunal erred in depicting the question of whether a 'core'/'non-core' distinction provides the basis for analysis. We agree with the Police submission that the Tribunal in para [26] mischaracterised the question. The President was using, as we see it, 'core' as an aid to understanding the generality of the policing functions of the Police Force. The term was not being used to prescribe a legal test.
…
20 In our opinion, section 27(1) gives a blanket exclusion from the application of the Act to the named agencies in respect of all of their activities, subject only to the qualification set out in s 27(2). Therefore the starting point is that all functions of the Police Force have the benefit of the s 27(1) exclusion. It is not necessary to refer to the Police Act list of functions. The question is simply whether the activity is brought back under the regulation of the Act because it belongs to the 'administrative' or 'educative' services of the Police Force. In our view, the way 'administrative services' is depicted in para [30] of the President's reasons in HW, especially sentence one, captures the meaning intended for this term in sub-section (2).
…
25 The primary function of the Police Force is the one set out in s 90(2)(a), i.e. 'to provide police services for New South Wales'. Functions vested in the Police Force under sub-section (2)(b) may fall outside the immunity conferred by s 27 of the Privacy Act, for example the functions connected with security and firearms licensing.
26 In these proceedings the issue is whether LSCON Parker's notification to the school Principal of the incident involving EFR was "in connection with the exercise of …administrative" functions of the NSW Police Force. If it could not be so characterised, the NSW Police Force was not required to comply with the IPPs in respect of that conduct.
In EFR, Principal Member Pearson summarised the Tribunal's current approach to applying the s 27 PPIP Act exemption as follows:
29 As YK holds, the language of "core" and "non-core" is not the basis for analysis, and the word "core" was used in HW as an aid to understanding the generality of the policing functions of the NSW Police Force. As noted in HW at [29], the term "administrative" cannot refer to the entirety of the administrative activity of the NSW Police, which would include investigation of crime, and it is intended to have a narrower compass. As discussed in HW at [30], in determining what that is, the context that has given rise to the conduct in issue is relevant.
30 Section 27(1) PPIP Act excludes all of the functions of the NSWPF from compliance with the IPPs. The question then is, under s 27(2) PPIP Act, whether the particular activity or conduct the subject of the complaint is, to use the language of YK at [20], "brought back under the regulation of the Act because it belongs to the 'administrative' or 'educative' services of the Police Force".
In CTU at [18], and as referenced in EFR at [31], the Tribunal has held that, unless the context indicates some other meaning is intended, the word "administrative" in s 27(2) of the PPIP Act is to be given its ordinary or commonly understood meaning. According to the Macquarie Dictionary, that meaning is "relating to administration; executive; administrative ability; administrative functions". As held in HW at [30], 'administrative functions' include "corporate services areas performing functions such as personnel, budget and information technology". However, as discussed in AEC, the term "administrative" is not limited to functions relating to the NSWPF's corporate services.
Principal Member Pearson summarised the Tribunal's decisions in relation to what might be encompassed by the term "administrative" and how to consider the application of that term to the relevant circumstances, as follows:
32 In AEC the NSW Police had disclosed information about a spent conviction for AEC to his ex-partner in the course of Local Court proceedings in which AEC's ex-partner sought an Apprehended Violence Order and AEC was charged with assault. The Tribunal at first instance (AEC v NSW Police Force [2013] NSWADT 32) had found that dealing with AEC's criminal records in that matter could not be characterised as administrative, referring to the distinction drawn in HW in the context of handling of criminal records to disclosures which occur in the course of the investigation of crime, and those which are done administratively, for example for background checks on prospective employees. That conclusion was not disturbed on appeal: AEC at [29].
33 In CTU the applicant had been convicted in 2005 and sentenced to imprisonment, suspended on his entering into a bond. In 2015 the applicant was issued with a National Criminal History Check and a National Police Certificate, each showing the conviction. It was not in dispute that the NSWPF provided information about the applicant's conviction to third parties for the purposes of the National Criminal History Check and National Police Certificate. The issue was whether the provision of a criminal record check to members of the public was in connection with the administrative functions of NSW Police. The Tribunal rejected a submission that information sharing is a public function which is not administrative, holding at [19] that the provision of criminal history information to a third party for the purposes of a National Criminal History Check or National Police Certificate, where done as part of a routine application, is an administrative function according to the ordinary meaning of the terms. The processing of an application for a National Police Check, online and on payment of a fee, is an administrative function as is the processing of an application for a criminal records check.
In CTU, the Tribunal distinguished AEC stating at [22]:
22. The facts of AEC are clearly distinguishable from those of the present case. AEC involved a situation where the Police disclosed information about a person's criminal history in the course of proceedings for an apprehended violence order (or perhaps for the purposes of the assault proceedings). The disclosure was not done as part of any routine processing of a criminal history application or similar; rather it was in the context of court proceedings involving an alleged crime. The provision of criminal history information in a routine way when an individual completes a form is of a more administrative nature. Consistently with what was said in AEC, the context in this case requires a different result.
The reasoning of CTU was also followed in the matters of DKB and EFR.
In this matter, the Applicant alleges that the breaches of the PPIP Act occurred after the she emailed sixty-five files of documents to the Respondent in relation to her complaint about suspected corrupt conduct and that it was responsible for compromising her privacy by either releasing her confidential information or allowing the information that it held to be hacked, resulting in her information being accessed by others and placing her in danger.
Based on a consideration of the information before me, which includes the Audit report that the Respondent completed on 14 November 2022, I am satisfied that there is no evidence that the Respondent's systems were hacked or that it otherwise released the Applicant's information.
I am satisfied that the Respondent dealt with the documents provided by the Applicant, and the personal information contained in those documents, in order to make a preliminary decision as to whether or not to investigate her complaint. I note that s 13(1)(a) of the ICAC Act provides that a principal function of the Respondent is to investigate complaints about suspected corrupt conduct.
In my view, the function of assessing documents provided by complainants for the purposes of deciding whether or not to investigate a complaint is clearly a principal function of the Respondent and it cannot be considered an "administrative" or "educative" function.
For these reasons, I am satisfied that the conduct of concern falls within the exemption under s 27(1)(a) of the PPIP Act and that the Respondent was not required to comply with the IPPs (and specifically ss 12 and/or 18 of the PPIP Act).
It follows that the information before me does not disclose any cause of action and in my view there is a clear misunderstanding of legal principle in the Applicant's case. I am therefore satisfied that the current proceedings are misconceived and that they are also lacking in substance, as the Applicant's complaint against the Respondent is based on an untenable proposition of fact or law and, based on the Audit report, it is not reasonably arguable.
[9]
Conclusion
I am satisfied that it is appropriate to dismiss the proceedings under s 55(1)(b) of the NCAT Act.
[10]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 04 April 2023