This is an application pursuant to the Privacy and Personal Information Protection Act 1998 ("PPIP Act"). The applicant in this matter, GKT ("Applicant") alleges a breach of information protection principles contained in the PPIP Act. The respondent, Fire and Rescue NSW ("Respondent") denies any such breach. The questions for determination in this matter are whether such a breach occurred and if so the consequences.
[2]
Background
The Applicant has been employed by the Respondent since 1996 as a firefighter. He has been a station officer since 2007. He has been in charge of a platoon in a station in the Sydney area since approximately June 2023. The station at which that platoon is located has 20 permanent firefighters and 11 retained on call firefighters.
The zone commander with responsibility for the area in which the station was located became aware in January 2024 of a potential conflict between the Applicant and certain other members of the platoon that he led. The Applicant had approached him about an issue with the firefighters' work routines at the station. Separately, one of the firefighters in the platoon had approached the zone commander regarding the Applicant's leadership.
The zone commander organised separate meetings on a confidential basis with the Applicant on the one hand and the firefighters at the station on the other. His evidence was that this was done in an attempt to resolve the matter. No formal complaint had been made.
The issues at hand also came to the attention of the Fire Brigade Employees Union. An officer of that union requested to be present at the meeting with the firefighters and to act as a support person during the conversation with them.
On 12 February 2024, the zone commander convened a meeting with the firefighters of the platoon in question along with the union representative. A duty commander was also present at the meeting. The zone commander's evidence was that at the outset of the meeting, he explained that the meeting was part of a confidential process.
The zone commander also informed the attendees that he would circulate a typed version of the minutes "so they could confirm the accuracy of his record and make any changes necessary". He kept a notebook in his possession and saved his typed version of the minutes on a laptop in a personal folder.
On 20 February 2024, the zone commander sent a typed copy of the minutes to the attendees of the meeting on 12 February 2024 so that, according to his evidence, they could make any changes or corrections. Later that day, the zone commander attended the station and met with the firefighters of the platoon who were in attendance at the meeting on 12 February 2024. His evidence was that he did this to go through the draft of the minutes.
The firefighters had each printed copies of the minutes. The zone commander's evidence was that he made some changes to the minutes at the request of the firefighters. At the end of the meeting, his evidence was that he told the firefighters that the meeting process was confidential. The zone commander's evidence was that he directed the firefighters to destroy all copies of the minutes.
Following the meeting, on 20 February 2024, the zone commander sent the revised minutes to the attendees by email.
On 22 February 2024, the zone commander received an email from the Applicant that alleged that the minutes of the meeting were on the watch room desk at the station.
The zone commander's evidence was that later that day, he contacted one of the other officers at the fire station. That other officer informed the zone commander that there was a copy of the minutes present in the station officer's office. The zone commander's evidence was that he then directed the station officers to destroy all copies of the minutes present in the station. His evidence was that he received confirmation from the station officer that this had been done and that no other copies of the minutes had been found, apart from the copy in the station officer's office.
There was evidence of a discussion at a local shopping centre about the events in question taking place between employees of the Respondent, although it was unclear whether third parties overheard the discussion.
The zone commander's evidence was that he directed the firefighters at the station to complete the Respondent's privacy awareness training as soon as possible. He also informed the firefighters of the potential consequences of the conduct in question, that it was potentially a breach of privacy and could be referred to the Privacy Commissioner and the Commissioner of the Respondent.
On 20 March 2024, the zone commander notified the Applicant and the firefighters at the station of his intended plan going forward in order to resolve the issues at hand.
On 25 March 2024, the Applicant made a complaint to the Respondent's privacy officer. That complaint was about the confidential minutes being "out for everyone to read on the mess room desk, and watch room". He saw this as "bullying by members of my crew and detrimental to a resolution of the conflict between us".
The Respondent proceeded to conduct an internal review of the conduct. That review found that the Respondent had breached ss 12 and 17 of the PPIP Act.
The Respondent then provided an apology to the Applicant and advised of certain measures being taken. They included a direction to staff to undertake mandatory online privacy awareness training about behaviour that was contrary to the Respondent's code of conduct and ethics. The matter had also been referred to the Public Service Board for assessment.
[3]
Consideration
The first question for determination is whether the matters described in the Background above gave rise to a breach of the PPIP Act.
[4]
Section 12 - security safeguards
Section 12 of the PPIP Act imposes certain obligations on a public sector agency that holds personal information. It provides as follows:
"12 Retention and security of personal information
A public sector agency that holds personal information must ensure -
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information".
It was not in dispute that the Respondent is a "public sector agency" that held "personal information". The question was whether there had been a breach of any part of s 12. The Respondent submitted that there has been no breach of s 12. In their submission, while the Respondent had an obligation to protect information by taking such security safeguards as are "reasonable in the circumstances" under s 12(c), the Respondent's safeguards, satisfied this description.
The Respondent relied on the decision in ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122 in its submission that no breach had occurred. In that case, the Tribunal accepted the following conclusions of O'Connor DCJ in FH v Commissioner, NSW Department of Corrective Services [2003] NSWADT 72:
"It is not, as I see it, necessary to show that the security policies and practices are perfect or ideal in every respect. Where there are shortcomings, they have to be weighed in the balance alongside those aspects that are satisfactory. The significance of the shortcomings need to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of the persons whose data is secured, and the potential gravity of the consequences of any intrusion if it were to occur".
IN ALZ, the Tribunal referred to various kinds of safeguards considered in other cases. In FH, there was no log to establish who had accessed files. This was not found to be a shortcoming that was relevant where the system as a whole possessed adequate security. In another case considered in ALZ, a database which included a user warning message was accepted as constituting reasonable steps to prevent unauthorised access (NS v Commissioner, Department of Corrective Services [2004] NSWADT 263).
In ALZ, the Tribunal said, in considering whether a medical report was properly secured:
"In this matter, there is no evidence that the Respondent has adopted any safeguards of the kind considered in these cases. In contrast, the evidence suggests that a casual approach was taken to the protection of the medical report e.g. a copy was initially placed in a tray on the Client Services Officer desk's and then in a file on her desk", at [39].
In the Respondent's submission, the security safeguards in place to protect the Applicant's personal information included repeated verbal warnings about confidentiality of the meeting in question and a direction to destroy all hard copies of minutes that had been printed out. The Respondent also pointed to provisions in the Respondent's privacy policy and privacy management plan, setting out and establishing responsibilities of staff in protecting the privacy of individuals. The Respondent also produced evidence of relevant provisions of the Respondent's code of conduct and ethics, and requirements to undergo privacy training. However, the Respondent conceded that only three firefighters at the platoon in question had completed training.
The Respondent submitted that any breaches occurred in contravention of an express direction made on a number of occasions that the information contained in the minutes be kept confidential. The Respondent submitted, accordingly, that s 12 did not impose liability for actions of an individual staff member where reasonable security safeguards had been imposed and that staff member has acted contrary to those security safeguards. The Respondent, in their submission, relied on the decision of the Court of Appeal in Director General, Department of Education and Training v MT [2006] NSWCA 270. The Court of Appeal considered a situation where an employee had impermissibly used information held by an agency. In the relevant circumstances, the Court of Appeal said the agency had not contravened s12. It held:
"Where an agency has 'ensured' that its information is "protected" by implementing 'reasonable security safeguards', I can see no purpose of the scheme that is served by imposing liability on the agency. It has done all the Act requires of it. The sanction is, in such circumstances, appropriately directed to the employee".
In CYH v Family and Community Services [2018] NSWCATAD 84, the Tribunal found that inadvertent disclosure of information did not breach s 12(c), in circumstances where disclosure was permitted by another statute (at [32]).
In BE v University of Technology, Sydney [2008] NSWADT 139, reasonable safeguards protecting information were found to exist. The Respondent in that case could not find certain correspondence but there was no evidence that the personal information in question had been obtained by anyone other than relevant persons identified in the evidence. In these circumstances, there was no relevant breach.
The breach alleged is not that minutes were shared with the firefighters belonging to the platoon in question but that they were left in an open place within the station with the result that personnel of the Respondent in attendance at the station, other than the firefighters participating in the meeting of [12] February 2024, could see the minutes.
Whether a breach occurred or not turns on whether there were security safeguards in place that were "reasonable in the circumstances". The outcome in each of the cases referred to above turns on the facts of each case, and in particular the safeguards in place or not in place. The outcome in the present matter also depends on what safeguards were in place or not, having regard to all of the evidence.
The evidence of the Respondent includes the directions given to members of the platoon in question to destroy copies of the minutes. It also includes evidence of documents of the Respondent including its privacy policy, privacy management plan and code of conduct and ethics.
The evidence establishes that, despite the direction given and the relevant policy documents, some person or persons present at the meeting and in possession of a hard copy of the minutes, left that hard copy in an open area of the station, contrary to the directions given by the zone commander and applicable policies.
That an employee acted outside the scope of their employment and in breach of directions and policy, does not of itself allow the conclusion to be drawn that a breach of section 12(c) has occurred. The question for determination, is whether the Respondent had safeguards as were reasonable in the circumstances to protect the information in question.
The Respondent's evidence was that the matters set out at [31] above, answer the descriptions of safeguards as are reasonable in the circumstances, including the directions given to platoon members to destroy hard copies of the minutes.
However, the events that transpired involved not just what happened at a particular point in time when a hard copy of the minutes were left in an open area at the station in question by an employee without authority to do so. The evidence is that the minutes in question were left in an open place for two days, with no action being taken by any person in charge to remove the minutes. The evidence was that the station was attended and in operation at all relevant times, including the period when the minutes were left out.
It is difficult to fathom why, for a period of two days, when the station was attended and in operation, and when fire fighters other than those belonging to the particular platoon in question may have attended the station, the minutes in question were left in an open place, without being collected by someone in charge. I do not in the circumstances consider that security safeguards as were reasonable in the circumstances were in place during the two days in question, regardless of the directions given and policies in place. What happened was more than a simple "inadvertent disclosure" occurring in a moment of time. An expectation that someone in charge would and should have removed confidential material discussed at meetings and not left it in at open area, is neither onerous nor unreasonable. Accordingly, I find that a breach of section 12(c) occurred during the period when the minutes in question were left in an open place for all to see, including firefighters from other places if visiting the station.
The evidence also is that only three members of the platoon had had privacy training at the times in question. These circumstances, as a separate matter, raise questions as to the adequacy of the Respondent's safeguards at the station.
[5]
Section 17 - use of personal information
Section 17 of the PPIP Act restricts the use of personal information. It provides that:
"17 Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless -
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person".
The question at issue is whether the firefighters' conduct in leaving the relevant minutes out, constituted a "use" of the Applicant's personal information within the meaning of s 17. The Respondent's internal review concluded that there was such a "use". The Respondent in these proceedings, however, contests that characterisation.
The Respondent's submission in these proceedings is that the only purpose for which the minutes were used by it was for the purpose for which the Applicant's personal information was collected, that is, as part of the conflict resolution process engaged in by the zone commander.
The "use" referred to in s 17 is specifically use by the public sector agency in question. It is not "use" by any other person. The question is whether a relevant "use" by the Respondent occurred.
Mere retrieval of information does not constitute a use (JD v Department of Health (GD) [2005] NSWADTAP 44, at [42]). In that case, it was said that "use" in the context of privacy legislation under consideration in that case should be "interpreted as the process of considering, assessing or weighing up personal information so as to make a decision or adopt a further course of action". The Respondent's submission was that leaving the relevant minutes out was not a "use" of that information in the relevant sense. Nor was there any "use" resulting from the firefighters at the station viewing or accessing the minutes.
The Respondent's submission was that any use which an individual firefighter may have actually put the information to after having read the minutes, was not authorised by the Respondent and cannot be attributed to the Respondent.
In BLW v Nepean Blue Mountains Local Health District [2015] NSWCATAD 184, the issue under consideration was alleged conduct by staff members discussing a person's personal and health information. The Tribunal said, at [81]:
"I am satisfied that the staff members' alleged conduct in discussing the applicant's personal and health information, and their alleged conduct in inappropriately accessing the applicant's information on the respondent's databases, was not authorised by the respondent and was not for a purpose of the respondent. As the respondent submitted, to the extent that the information in question was held by the respondent, its access, use and disclosure was for a purpose extraneous to any purpose of the respondent, and is therefore not conduct of the respondent: see Director General, Department of Education and Training v MT [2006] NSWCA 270; (2006) 67 NSWLR 237 at 247 [43].
A similar conclusion was reached in DVG v Western Sydney Local Health District [2020] NSWCATAP 78, at [10].
This is not a case where staff members have inappropriately accessed personal information held by the Respondent, for example by accessing files held in a secure place without authority. This is a case where the employees of the Respondent had authorised access to the minutes but where the Respondent allowed the Applicant's personal information to remain in open view for two days. As a consequence of allowing this, that information was accessible to not just the platoon members who participated in the relevant meeting and obtained copies of the minutes, but also to any person visiting the station in question.
It is accepted that relevant actions of an employee or employees, in this case leaving the minutes in an open space, were not authorised by the Respondent and cannot necessarily be attributed to the Respondent. Whether the Respondent breached s 17, however, turns on whether allowing the minutes in question to remain in an open place for two days is a "use" of the information contained in the minutes within the meaning of s 17.
I am of the view that leaving minutes out or allowing them to be left out is a "use" of the minutes. "Use" of information may occur by assimilating or otherwise taking in the information. Allowing this to happen by leaving the minutes out, in my opinion, is also a "use" of the information. That use can be described in terms of allowing access to the minutes to persons other than those to whom the Respondent gave copies for the purpose originally intended. This amounts to more than simple inadvertence occurring in a moment of time. This was a "use" other than for a purpose for which the information was collected. I find, as a result, that a breach of s 17 took place.
[6]
Section 18 - disclosure of personal information
The remaining question for determination as regards breach, is weather a breach of s18 of the PPIP Act has occurred. Section 18 provides that:
"18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless -
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it".
The Respondent's submission is that for a breach under s 18 to occur, an individual's personal information must have been disclosed to a person or body outside of an agency (BLW, at [80]). The Respondent submitted that while the minutes may have been accessible to firefighters outside the platoon in question or to "on call" firefighters employed by the Respondent, they were still part of the Respondent. The Respondent submitted that the Applicant had not led any evidence that anyone outside of the Respondent viewed the minutes as a result of their being left out.
In CNC v NSW Police Force [2017] NSWCATAD 94, at [20]-[21], the Tribunal distinguished between the handling of information that is internal to an agency and a use and the provision of information to a party external to it. The Tribunal questioned whether the provision of information to an agency's solicitors in the course of an engagement of those solicitors was a provision of information to a third party external to the agency. The solicitors were acting on behalf of the agency and representing it so we're not external to it.
In BFP v NSW Ambulance Service [2015] NSWCATAD 39, the question was whether disclosure of personal information to an insurer contravened s 18. The Tribunal accepted that internal disclosures such as those up the chain of command and to HR manager are not generally unlawful and do not constitute a contravention of s 18. The Tribunal went on to find that an agency can provide personal information to an insurer in the context of a workers compensation claim. This was reasonably contemplated by the workers compensation legislation and therefore was not in breach of a non disclosure principle, (at [46]).
There is no evidence that persons other than personnel belonging to the Respondent saw the minutes in issue. In these circumstances, I find that no breach of s 18 has occurred.
[7]
Damages
The Tribunal has power to award damages for the breach of the PPIP Act pursuant to section 55. That power is limited to an award of damages up to $40,000. Section 55(2) provides:
"(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders -
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct ….
(4) The Tribunal may make an order under subsection (2) (a) only if -
(a) the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and
(b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency".
The provisions set out in subsection (4A) are, on the evidence, not relevant in the present instance.
The discretionary power to award damages under s 55 can arise where there is a contravention of a relevant provision of the PPIP Act (Wojciechowska v Secretary, Department of Communities and Justice; Wojciechowska v Registrar, Civil and Administrative Tribunal [2023] NSWCA 191, at [116]). The Applicant bears the onus of establishing a causal link between the breach or privacy and the damage alleged. He must show that the Respondent materially contributed to the loss or damage suffered (DTN v Commissioner of Police, NSW Police Force [2020] NSWCATAD 16, at, [68]).
The Tribunal in AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179 set out the following matters going to whether damages should be awarded or not:
● "damages are compensatory in that the applicant should be awarded such sums of money so as that he/she may be restored to the position that he/she would have been in but for the breach:.... However, this must also be viewed in the context of the $40,000 limit as provided for in the PPIP Act;
● in measuring compensation the principles of damages as apply in tort law are a guidance but the ultimate guide is the wording of the PPIP Act and its objectives;
● compensation should be assessed having regard to the complainant's reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances;
● 'psychological harm' in s.55(4) of the PPIP Act is intended to encompass situations where an individual suffered some impairment of the mental states and processes. These being conditions such as depression and anxiety.
● even where an applicant is able to substantiate loss or damage as a result of conduct that contravenes an 'information principle' under the PPIP Act, an award of damages under that Act remains a discretionary one;
● compensation for alleged financial loss and alleged psychological and physical harm can only be considered where the Tribunal finds that the alleged loss and harm was 'because of' or 'caused by' the contravening conduct of the respondent".
The Applicant submitted that he had lost opportunities to earn as a result of the events in question and the constraints they placed on where he could work. The Applicant submitted that he had not accepted offers of a transfer to a station near to the station where he had been in February 2024, on account of his concerns about working with employees of the Respondent who worked nearby and were aware of the events that took place in February 2024. He had also, in his submission, suffered reputational damage and psychological distress.
The Respondent submitted that there were no employment related losses, including losses relating to transfers and promotions and no evidence provided by the Applicant to substantiate losses of this kind. The evidence was that throughout the period in question he had been employed in accordance with the standardised award and remained in employment at the station officer level. The Respondent further submitted that the Applicant had eventually been offered a transfer to a station in the Sydney area which he had accepted. The location of that station was about 40 km from the station at which he had been located when the events in question occurred.
The Respondent submitted that any claim for additional travel time would arise from the Applicant's own choices as to place of work rather than minutes being left out. He was also entitled to a kilometre allowance for any travel between his base station to the location of his work.
The Respondent also submitted that promotions would depend on various criteria applicable to the public service and there is no evidence that the Applicant had been denied a promotion because of the minutes being left out. Nor had he applied for a promotion since that time.
In these circumstances, the Respondent submitted that the Applicant had suffered no monetary loss.
As regards claims of reputational harm, the Respondent denied that the Applicant's reputation had been damaged as a result of the minutes being left out. The only evidence from one person who did not attend the meeting but was known to have seen the minutes, was that he considered that the Applicant did nothing wrong. The Applicant also submitted that reputational damage was not grounds for an award of damages.
As regards the Applicant's claimed pain and suffering, the Respondent's submission was that there was no evidence before the Tribunal of the nature of this pain and suffering and or medical evidence in support of the claim and no evidence of extensive and lasting damage. The Respondent further submitted that they had taken sufficient steps to mitigate the impact of the circumstances, including provision to the Applicant of access to support services. These services included wellbeing support and an employee assistance programme.
I have found that breaches of s 12 and 17 of the PPIA Act have occurred so that the Tribunal may make an award of damages. Having reviewed numerous cases concerning the award of damages as discussed below, I am of the view that an award of damages is appropriate in the circumstances of this case.
I accept the Respondent's evidence as to the absence of financial loss, in light in particular, of the Applicant's continued employment at the same level and at the same salary and wages as he earned before February 2024 and on the same award and terms and conditions. I also take note of the offers for transfers to stations nearby, even if the Applicant refused those transfers for the reasons he has given.
I accept the Respondent's submissions as to the absence of medical evidence and the steps the Respondent has taken to assist the Applicant. However, I accept the Applicant's evidence as to the psychological distress caused to him as a result of the circumstances that arose in February 2024.
The question remaining is the quantum of damages for the psychological distress suffered by the Applicant.
The Respondent's submission was that if monetary compensation should be awarded, then in the absence of any medical evidence, the Tribunal should award an amount within the range of $500 to $2000.
In DRX v City of Canada Bay Council [2020] NSWCATAD 26, a nominal amount of damages ($500) was awarded to an applicant for some distress in circumstances where evidence of the consequential impact of the distress was lacking and certain questions about the reliability of the witnesses evidence arise. An award of damages for distress was made in CJU v SafeWork NSW [2018] NSWCATAD 300 in the amount of $1,000, in circumstances where there was an absence of evidence as to the consequential impact of distress upon the applicant. There was no evidence that the respondent had acted maliciously, in bad faith or otherwise in a manner that could justify an award at the high end. The facts of DTN v Commissioner of Police, NSW Police Force [2020] NSWCATAD 16 involved an award of $1,000 where there was a contravention of a health privacy principle resulting in psychological distress.
An award of damages in the sum of $8,318 was made in DKV v Southern NSW Local Health District (No 2) [2019] NSWCATAD 243, in circumstances where psychological harm had occurred but the breach in question was not found to be a serious breach. Most of the award covered medical expenses. The amount awarded for pain and suffering was $2000. The respondent had acted responsibly and tried to alleviate the consequences for the applicant as best as it could.
Each particular case turns upon its facts as to the amount of damage to be awarded. A damages award in the maximum amount has been made in situations of multiple and varying breaches of privacy resulting in severe consequences to the applicants including an attempted suicide (NK v Northern Sydney Central Coast Area Health Service (No.2) [2011] NSWADT 81).
I do not consider that the circumstances at hand warrant damages at the high end of the scale allowed under the PPIP Act. Nor am I of the view that the damages should be at the minimal end of the scale. I accept the evidence of the disruption to the Applicant's life resulting from the Respondent's breaches and the resulting psychological harm the Applicant claims. Even if reputational damage may not, of itself, ground a claim for damages, reputational damage is a relevant consideration where psychological harm is the consequence. I think in the circumstances an award of damage in the order of $8,000 is appropriate, having regard to the circumstances of the breaches that occurred and the consequential injury to the Applicant.
[8]
"Something more" to done
The Applicant considers that something more needs to be done, being dissatisfied with the actions taken against the crew.
The Respondent submits that further action was taken. They included in compliance with the zone commander's direction, all firefighters at the relevant station completing an online privacy training course. The privacy awareness training included interactive modules on data security, disposal of personal information and the employees' obligations to comply with privacy protection.
Although the Respondent was unable to determine who was responsible for leaving the minutes out, a local management response was implemented at the station in question to address the officers' disregard for the directions given that the minutes be destroyed.
The firefighters attended a meeting in which they were reminded of the Respondent's expectations around privacy and confidentiality.
Finally, the Respondent had made arrangements for the staff at the station to undergo in person respectful workplace training and privacy training.
To the extent that the Applicant sought disciplinary action, the Respondent noted that the matter was referred to the Public Service Board which conducted their own investigation and implemented a local management response.
The Tribunal has jurisdiction to award the damages described above. That award, in my opinion, is appropriate in the circumstances and no further orders are required.
[9]
Orders
1. That the Respondent pay the Applicant $8,000 by way of financial compensation for the contraventions found.
2. Pursuant to s 55(2) of the Privacy and Personal Information Protection Act 1998 (NSW) no further action to be taken in this matter.
3. Pursuant to s 64(1)(a) and (c) of the Civil and Administrative Tribunal Act 2013 (NSW), the disclosure of the name of the Applicant or reference to any information, picture or other material that identifies the Applicant or is likely to lead to the identification of the Applicant is prohibited.
[10]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 11 November 2024