Jackson v The University of New South Wales

NCAT Administrative and Equal Opportunity|2018-07-18

Introduction

Mr Jackson applied to the Tribunal for review of a determination by the University of New South Wales ("the University" of "UNSW") in relation to a complaint that he made in April 2016 about conduct of an officer of the University. His complaint was brought under the Privacy and Personal Information Protection Act 1998 ("the PPIP Act") seeking review of a decision made by the University.
The Tribunal's jurisdiction is governed by section 55 of the PPIP Act. That jurisdiction arises only where there has been an application for internal review of conduct pursuant to section 53.
The background to the application is set out in my decision recorded as Jackson v The University of New South Wales [2018] NSWCATAD12 ("the liability decision").
In that matter I considered whether the University had breached any Information Protection Principles ("IPPs") contained in the PPIP Act. I found that the University's conduct had breached section 17 of the PPIP Act through the actions of Mr Serov in sending an email to Mr Mooney on 9 February 2016 (copied to Professor Poole-Warren) and in sending an email to Mr Mooney on 12 February 2016 (not copied to Professor Poole-Warren).
The matter came before me again on 18 July 2018, to determine the consequences of the breaches. Prior to the hearing the University offered Mr Jackson a written apology and outlined the steps that have been taken, and will be taken, to ensure that such breaches are unlikely to reoccur. Mr Jackson rejected that apology.

The Issues

The issue for determination is what, if any, orders should be made in relation to the breaches.

The material before the Tribunal

Mr Jackson relies on his own evidence. He provided a document headed "Jackson self-assessment 2016/00378509 Jackson v UNSW" ("the Self-Assessment") and made oral and written submissions.
The University relies on the evidence of Mr Paul Serov. Mr Serov provided a statement and attended the hearing and was cross-examined. Ms Tronson provided both written and oral submissions.

The Self-Assessment

Mr Jackson accepts that there must be a link established between the breaches that the Tribunal has found to have occurred and any relief that is to be granted. He relies on the Self-Assessment as evidence in regard to the way the breaches have affected him. He does not have evidence that was created prior to or at the time of the breaches that might provide some contemporaneous account of the effect of the breaches.
The University objected to this evidence on the basis that it is new evidence, not evidence in reply; and further that it is evidence which should be given as expert evidence if at all. I determined to allow Mr Jackson to rely on the Self-Assessment, subject to weight. I agree with the University that it is evidence of the kind which the Tribunal would ordinarily expect to be given by an expert witness. However, Mr Jackson is in an isolated region and because of his isolation he has been unable to obtain expert evidence. As Mr Jackson also noted, if he were to obtain a medical evaluation from a practitioner who had not previously treated him, that practitioner would need to rely heavily on Mr Jackson's self-report of any past symptoms. However, I do not accept that a professional assessing Mr Jackson would rely solely on the information that Mr Jackson provided. They would bring their professional experience to the assessment.
[NOT FOR PUBLICATION]
Mr Jackson submitted that there are several reasons why the Tribunal should impose the maximum monetary penalty allowable. He links this to his assertion that the University failed to act in "good faith" in relation to his complaint.
He explained the causal link in the following terms: 30. It is my fairly recent understanding that my complaint against the University of New South Wales may constitute a consumer complaint involving breach in "trade or commerce". I request that the Tribunal take this likelihood into account in any orders they make under 55.2(e) or any other applicable subsection. 31. Recognition of the time and personal resources I have put into this matter should be considered under section 55.2.(e). I was unaware of the length of time and the number of hours I would need to sacrifice in order to bring this matter to a conclusion in the Tribunal. I estimate I have written approximately 60,000 words in connection to the proceedings. A great deal of distress has accompanied my participation in the proceedings. Anxiety related to the proceedings has exacerbated an already serious sleep disturbance. During the proceedings, ... [NOT FOR PUBLICATION] 32. As I have mentioned in a previous submission, I have now written more in relation to the matter of Jackson v UNSW than would normally be required for the doctoral thesis that underlies the concerns heard at the Tribunal. The matter has also taken up close to the amount of time that my PhD would have taken to complete. I am, of course, greatly saddened by these troubling facts. Should I have dropped the issue and let the University continue without having to acknowledge their conduct? This question will likely remain with me for the rest of my life. 33. Nevertheless, I take responsibility for my decision to pursue Jackson v UNSW to its conclusion. I believe the University should also take responsibility for their contribution to the state of affairs that made this necessary. Besides the monetary compensation, I seek to be indemnified from any lapses in time limitations that may have occurred during the proceedings, particularly in my impending complaint regarding the discontinuation of my candidature, which I still seek information from the University in order to file. 34. I would like the University to take responsibility for the amount of time these proceedings have taken, and indemnify me for the amount of time lost in making my underlying complaint regarding the discontinuation of candidature. 35. As I have written elsewhere, the breach and the circumstances surrounding it are inseparable from a larger picture in which I literally moved to China to obtain supervision. I did so at a time when the University claimed it could not find supervision for me on campus. The behaviour the University has shown, encompassing the breach, may amount to a breach of obligations that are recognizable under "trade or commerce" and applicable consumer laws. I request that section 55.2(e) be read under that light and appropriate orders be made in consideration of loss or damage as a consumer. (I am not knowledgeable in this field, so can offer nothing more specific). 36. In addition to the above, a formal apology - the University's fifth, should be issued from the President and Vice Chancellor. This apology should include the steps the University proposes to take to compensate for loss and damage and to safeguard the UNSW community from similar breaches in the future.
In relation to his application for orders pursuant to section 55(2)(g) of the PPIP Act i.e. such ancillary orders as the Tribunal thinks appropriate, Mr Jackson submitted: 37. As I understand this section, ancillary orders may fall into two categories: those addressing the breaches with a view towards preventing them from occurring again and those addressing the harm caused by the breach in the form of compensation. 38. I suspect that there are many ancillary orders that the Tribunal could make that I am not aware of. In addition to requesting that the Tribunal use all of their known powers under section 55 that I may not be aware of, I would like to request that the Information and Privacy Commission be consulted for their advice on any ancillary orders that may assist them in improving the information handling procedures at UNSW. 39. For instance, it may be the case that Jackson v UNSW has exposed questions concerning what information should be considered "personal" according to the context in which it was acquired or encountered and that conversations regarding it may be in breach of a privacy principle. The IPC may wish to recommend ancillary orders to address any future confusion. 40. What little I can contribute to the discussion of ancillary orders focuses around my belief, discussed above, that a significant breach remains to be uncovered, and the fact that I have few if any resources available to me, other than the Tribunal's possible orders, to pursue this question. 41. I believe these proceedings have uncovered substantial evidence of concealments relevant under the GIPA (2009) act. In particular, sections 116 - 120 describe actions by officers of a public agency that can be considered offenses. Briefly an officer must not: • Make a reviewable decision on an access application that you know to be unlawful; • Direct an officer of your agency to act in a manner or make a decision in relation to an access application that you know to be unlawful; • Improperly influence a decision on an access application; • Knowingly mislead or deceive an officer for the purposes of unlawfully obtaining access to government information; • Conceal or destroy government information (including by altering records) for the purpose of preventing the disclosure of the information. 42. The likelihood of conduct of this nature related to the breach at hand suggests that an ancillary order be made, with the effect of notifying the appropriate agencies that an investigation be conducted concerning possible concealments that would be considered offenses under sections 116-120 of the GIPA Act (2009). 43. Finally, I request that my lack of legal knowledge be taken into account in the request for orders above. I am certain that I have made errors that a legal professional could have avoided. I request that the Tribunal make any orders not mentioned above, that I would have been likely to request had I been professionally advised.
Under cross-examination Mr Jackson conceded that he had moved both his residence and his employment since the University had breached the PPIP Act. However, he did not accept that these changes were significant factors in regard to his stress or anxiety levels.
He contends that he has suffered because of the breaches and that compensation is warranted.

The University's apology

In his statement dated 18 May 2018 Mr Serov set out the steps that he has taken as a consequence of the findings that the University had breached the PPIP Act and he provided a personal apology to Mr Jackson.
Mr Jackson acknowledged the University's apology but rejected it. He considers the steps reported to have been taken, as well as those proposed, are inadequate and reflect the narrowest possible understanding of the University's liability. He contends that systemic problems plague the University's information handling and that these measures will do little to solve those problems.
Mr Jackson initially asserted that the apology was worded too narrowly. The University subsequently issued a further apology by Mr Serov which Mr Jackson also rejected. Mr Jackson is of the view that Mr Serov is not the appropriate functionary to apologize for the breach and that it should be issued from Professor Ian Jacobs in his capacity as Principal Officer of the University. He submits that as the University's Principal Officer, Professor Jacobs bears responsibility for the agency's compliance with the PPIP Act.
Mr Jackson further submitted that the apology should include the steps the University proposes to take to compensate for loss and damage and to safeguard the University's community from similar breaches in the future.

The University's case

The University acknowledges the liability decision and its importance. Mr Serov's evidence outlines the steps taken by the University to address the conduct considered in the liability decision and the likelihood of it being repeated.
Ms Tronson's submissions placed these actions in the context of the PPIP Act and the University's compliance with its obligations under that Act.
The University contends that Mr Serov is the appropriate person to make such an apology because the conduct that was in issue was found to be in breach of the PPIP Act; and he is the University's Right to Information Officer and Privacy Officer. In that role, Mr Serov is responsible for managing the University's obligations under both the GIPA Act and the PPIP Act, and for dealing with and deciding applications for access to personal information.
Mr Serov has provided evidence of changes he has already made and that changes that he plans to make to his work practices in relation to requests for access to information generally. Those changes are directly responsive to the liability decision.
In Ms Tronson's submission this demonstrates both the importance with which the University views the liability decision and the impact it has already had on its practices. Further, these changes permit the Tribunal to be satisfied that a breach of the kind that were found to have occurred in this case is unlikely to happen again.
Mr Serov also gave evidence of the creation of a Standard Operating Procedure. This is intended to facilitate the training of other staff members who may need to undertake the work that Mr Serov currently does.
It will also reduce the likelihood that they might repeat the type of conduct which has been found to constitute a breach of the PPIP Act.
The Tribunal's findings will also be taken into account in a proposed review of the University's privacy governance material.
Ms Tronson submitted that the Tribunal can be satisfied that the University is taking the findings seriously and making decisions or taking actions which take them into account. The University contends that these actions meet any concern arising out of the Tribunal's findings. Mr Jackson has received an apology and he can also see the impact his proceedings have had on the University's practices. Ms Tronson further submitted that the Tribunal can be satisfied that, because of the changes Mr Serov has made to his work practices, similar breaches are unlikely to occur again.
The University contends that there is no reason for the Tribunal to make any further order in this case.

Discussion

The approach to be taken by the Tribunal in matters of this kind is settled. A reasonable summary of that approach is set out by Principal Member Titterton in DED v Randwick City Council [2017] NSWCATAD 327 at paragraphs [59] - [61]: 59. The Tribunal also has the power to award compensation for loss or damage suffered because of the conduct of the [agency]: s 55(2)(a) of the PPIPA Act. However, the Tribunal may only make an order under that section if it is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the [agency]: s 55(4)(b). When making a claim for compensation, it is for the applicant to adduce evidence of causation, and establish the causal link between the breach of privacy and the damage suffered: AKL v University of Western Sydney [2013] NSWADT 147 at [58]. 60. Compensation for alleged financial loss and alleged psychological and physical harm can only be considered where the Tribunal finds that the alleged loss and harm was 'because of' or 'caused by' the contravening conduct of the respondent. The Tribunal is to be satisfied as to the causal link between the breach of a privacy principle and the claimed damage and it is the applicant who bears the onus of establishing that link: GR v Department of Housing [2004] NSWADTAP 25 at [38]. In other words, the burden for the applicant is to establish that he has suffered financial loss, or psychological or physical harm, because of the conduct of the [agency]. In order to persuade the Tribunal to the level of satisfaction required by s 55(4), particular evidence is required that the conduct of the agency that is complained of in the proceedings, and not the conduct of the agency more generally, has caused the harm identified in the section: GR at [46]. 61. Even where an applicant is able to substantiate loss or damage as a result of conduct that contravenes an 'information principle' under the PPIP Act, an award of damages under that Act remains a discretionary one. There have been several cases where there has been contraventions of privacy principles but no damages were awarded: see for instance, AHG v Snowy River Shire Council [2012] NSWADT 152; MH v NSW Maritime [2011] NSWADT 248; JS v Snowy River Shire Council [2010] NSWADT 247; JD v Director-General, NSW Department of Health (No. 2) [2007] NSWADT 256; SW v Forests NSW [2006] NSWADT 74; FM v Vice Chancellor, Macquarie University [2003] NSWADT 78. In other words, even if an applicant establishes that an agency's conduct has caused damage, the applicant is not automatically entitled to compensation: APV and APW v Department of Family and Community Services [2015] NSWCATAD 140 at [88]; AHG v Snowy River Shire Council at [24].
The Principal Member was not persuaded that he should make an order pursuant to section 55 of the PPIP Act and decided to take no further action.
I have formed the same view in this matter.
As the Principal Member found in DED v Randwick City Council, I am conducting a review of the University's conduct in releasing Mr Jackson's personal information. I am satisfied that Mr Jackson's personal information was released through human error. I do not consider that there was some other, nefarious, explanation. Further, I do not consider that the University failed to act in "good faith" in relation to Mr Jackson's complaint.
Mr Jackson has the onus of establishing the causal link between the breaches of privacy that I found in the liability decision and the damage that he has suffered.
I accept that Mr Jackson has suffered some psychological loss or damage during the period of his interactions with the University. However, I am not satisfied that this was 'because of' or 'caused by' the contravening conduct of the University. That being the case, the time and personal resources that Mr Jackson has put into this matter and distress and anxiety that have accompanied his participation in the proceedings are not factors that I should take into account.
Even if I am wrong in this view, I am not satisfied that it is appropriate to make an order for compensation. This is because I am satisfied that the University's response has been adequate.
I am in general agreement with the University in regard its response to the findings that I made regarding the breaches. I note the changes that the University has instigated. I also note the apology that has been made on behalf of the University. I agree with the University's view that Mr Serov is an appropriate person to issue an apology. I also agree with the University's view that it is appropriate to limit the apology to the breaches as found by the Tribunal: see APV v Department of Family and Community Services [2015] NSWCATAD 140 at [98].
Nevertheless, I understand Mr Jackson's preference for an apology issued by the Vice Chancellor. I also note Mr Jackson's view that the terms of the apology are too narrow.
I am also satisfied that the steps that the University has taken indicate that it is aware of its obligations under the PPIP Act. The PPIP Act requires the University to refrain from any conduct that would be in contravention of an IPP. In light of the changes that have been implemented and those which are proposed, it is unlikely that similar breaches will occur in the future.
In the circumstances I am not satisfied that it is appropriate to make an order requiring the University to undertake any other steps in relation to the matter.
As noted, Mr Jackson seeks an order that the University pay the maximum monetary penalty. I do not agree with him in that regard. I am not satisfied that the Tribunal should take any further action.

Order 1. The Tribunal decides to take no further action.

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales. Registrar

Amendments 27 March 2019 - Paragraphs 13 and 15 redactions made for confidentiality. DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated. Decision last updated: 27 March 2019

At a glance

Court

Decision date

Source

Judgment (11 paragraphs)

Parties

Cases Cited (2)

Cited By (2)