Registrar of Births, Deaths and Marriages v Kelloway

NCAT Appeal Panel|2023-07-21

14 February 2023 Before: J McAteer, Senior Member File Number(s): 2022/00147921

Introduction

In 2020, a solicitor in NSW advised the Appellant, the Registrar of Births, Deaths and Marriages (the Registrar) that he acted for a relative who was considering taking legal proceedings against Ms Kelloway (the Respondent) in a court in Peru relating to previous property transactions between her and her mother.
The solicitor advised that the Respondent's' birth certificate (the Birth Certificate) would be important in maintaining and succeeding in the proposed legal proceedings.
The solicitor confirmed that he did not act for the Respondent.
In March 2020, the Registrar provided a copy of the Respondent's Birth Certificate to the solicitor. This was done without the Respondent's consent.
In early 2022, the Respondent became aware of the release of her Birth Certificate and complained to the Registrar on 21 February 2022.
On 28 February 2022, the matter was accepted by the Registrar as an internal review under s 53 of the Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act).
As the Registrar had not finalised the internal review within 60 days, the Respondent lodged an application for administrative review with the NSW Civil and Administrative Tribunal on 23 May 2022.

Background

On 5 February 2020, by letter dated 21 January 2020, Mr Luis Batalha, Director, Batallion Legal, on behalf of Mr Hugo Jose Schuetz Florez, applied for a certificate to be issued under s 49(1) of the Births, Deaths and Marriages Registration Act 1995 (NSW) (BDMR Act) to prove Mr Florez's niece, The Respondent, is the daughter of Isabel Kelloway, also known as Maria Isabel Schuetz Florez. Mr Batalha stated that Mr Florez's interest in the Birth Certificate was that he wished to tender it as evidence in a foreign court to have certain real property transfers between the Kelloways declared void, as a breach of Peruvian law.
In that letter, Mr Batalha submitted that the Registrar should be satisfied that Mr Florez had an "adequate reason" to request that information or apply for a search of the Births, Deaths and Marriages Register (BDM Register) under ss 46 and 47 of the BDMR Act for the purposes of obtaining a certificate under s 49. Attached to that letter was a letter dated 10 December 2019 signed by Mr Miguel Angel Ferreyra Sanchez, a Peruvian lawyer, requesting on Mr Florez's behalf the issue of the Respondent's Birth Certificate and its provision to Mr Batalha.
On 6 February 2020, Ms Justine Kim, Client Services - Mailroom, NSW Registry of Births, Deaths and Marriages (BDM Registry), sent a letter to Mr Batalha in relation to his application requesting three forms of identification, a letter of authority from the Respondent, a copy of his law society identification card or practising certificate and a completed birth certificate application form.
On 21 February 2020, by letter dated 8 March 2022, Mr Batalha stated that his application was on behalf of Mr Florez and not the Respondent, and noted that his client is "allowed, under law, to make the application for a certificate under s 49(1) of the Act, so long as our client has an 'adequate reason' for wanting the information". Mr Batalha enclosed a copy of his practising certificate, an annotated copy of Div. 4 of Pt 8 of the BDMR Act and an annotated copy of the of the Registrar's access policy made under s 53 of the BDMR Act, (the Access Policy).
Between 4 to 5 March 2020, Mr Batalha's application (being the letters dated 21 January 2020 and 8 March 2022 and the enclosures to the letters) was internally escalated within the BDM Registry before it was eventually provided to Mr Robert De Mayo, Legal and Policy Officer, for legal advice.
On 11 March 2020, Mr De Mayo advised that: "[t]aking into account PO 06 and section[s] 46 and 47[,] It is considered that adequate reasons have been established" and the requested "information can be released for the purposes of the court proceedings (only) as detailed in the solicitor[']s submissions".
On 12 March 2020, the Registrar's delegate made a decision that the Respondent's Birth Certificate could be released to Mr Batalha and Mr Batalha was contacted to provide payment for the Birth Certificate.
On or about 26 March 2020, a hard copy of the Respondent's Birth Certificate was subsequently posted to Mr Batalha.
On 21 February 2022 at 11:54 AM, the Respondent emailed the BDM Registry Security Unit (the BDM Security Unit) stating, among other things, that she had "just found out that my birth certificate has been obtained by someone else and submitted as part of overseas court paperwork ... but I didn't request this certificate, my parents didn't request it and no one has been authorised to request it".
On 28 February 2022 at 1:22 PM, the Respondent emailed the BDM Security Unit stating that "these emails are a formal complaint about my birth certificate being obtained without my authorisation" and "can I please confirm on what basis they [Mr Batalha] obtained my birth certificate?".
On 1 March 2022 at 11:20 AM, Ms Nicole Sargent, Senior Advisor, Ministerials & Customer Support, BDM Registry emailed the Respondent to state that her complaint had been "passed on to me to review and investigate why the record was released and if there has been a breach of privacy".
Ms Sargent conducted the internal review pursuant to s. 53 of the PPIP Act, with the assistance of Ms Tash Cogle, Manager - Identity Security, BDM Registry, as the usual BDM Registry employee who is directed to deal with such privacy complaints or internal review applications. Mr De Mayo, could not undertake the internal review as he was involved in the complained conduct.
On 10 March 2022 at 12:34 PM, Ms Sargent emailed the Respondent advising that a block would be placed on her record to prevent any further copies of her Birth Certificate from being printed or issued by the BDM Registry unless requested by another government organisation or law enforcement agency, following the Respondent's confirmation that she would like the block placed on her record.
On 2 June 2022, Mr Amit Padhiar, the Acting Registrar, provided the Respondent with a two-page letter in relation to the internal review stating that there had been a breach of ss 12(c)-(d), 17(a)-(c), 18 and 19(2)(e) of the PPIP Act and s 48 of the BDMR Act in providing Mr Batalha a copy of her Birth Certificate and apologising for those breaches. Mr Padhiar confirmed that a block had been placed on the Respondent's record.

The Tribunal's findings

In the Decision, the Tribunal found that the Registrar had breached the PPIP Act by disclosing the Respondent's personal information held in a public register (at [5]). Of particular relevance to this appeal, the Tribunal found that: 1. The Respondent had lodged an application for internal review that complied with the requirements in s. 53 of the PPIP Act and, therefore, as her administrative review application had been lodged within time (at [36], [40]), the Tribunal did have jurisdiction to review the conduct complained of in the Respondent's emails of 21 February 2022 and 28 February 2022 (at [5], [35]), which was "the unauthorised release of her personal information (her Birth Certificate)" (at [30]); 2. the BDM Register is a "public register'' for the purposes of the PPIP Act (at [1], [83], [87]); 3. in relation to Mr Batalha's application for access to The Respondent's Birth Certificate: 1. Mr Batalha was not aware of its exact contents (at [85]); 2. the purpose for which access to the Respondent's Birth Certificate was sought was to use it effectively against her in litigation (at [85), [88]); 3. not one of the stated legislative bases (namely, that Mr Batalha had provided an adequate reason for wanting access) or policy guidelines for release appear to have been enlivened (at [85]) 1. the conduct complained of in the Respondent's internal review application fell within the scope of s 52(1)(c) of the PPIP Act, being "the disclosure by a public sector agency of personal information kept in a public register" (at [83]) and, therefore, the Tribunal did not have jurisdiction to consider whether there had been a breach of ss 12 and 17 (at [92]) but could consider whether there had been a breach of ss 18(1) and 19(2) (at [94]-[95]); 2. the correct approach in considering whether there has been a disclosure of personal information kept in a public register is: 1. to read the "legislative authority to release information from a public register" (in this case, ss 46(1), 48 and 53 of the BDMR Act) with the privacy protections in the PPIP Act (at [91]), being the information protection principles (at [99]), without regard to s 25 of the PPIP Act (at [89], [106], [108]); 2. to be guided by whether there has been a breach of s. 18 of the PPIP Act (as s 19(2) did not apply: at [94]) in determining whether there has been a disclosure of personal information kept in a public register (at [99], [108], [113]); and 3. to have regard to "any statutory guidance available about the specific conduct under the auspices of the public register'' (at [108]), including whether releasing the information was envisaged by the policies or the BDMR Act, and whether the Respondent's views were sought on the release (at [110]), in determining whether there had been a breach of s 18(1) of the PPIP Act; and 1. the Registrar breached s 18 of the PPIP Act, although not strictly as the conduct complained of fell within the scope of s 52(1)(c) of the PPIP Act and not s. 55(2)(1)(a) (at [112]-[113]), as: 1. the Registrar knew the Respondent would object to the disclosure of her birth certificate given the BDM Registry staff had initially advised Mr Batalha to obtain The Respondent's consent, which he did not do and where his response indicated that her consent would be unlikely (at [111]); and the Registrar did not have regard to the policies under s 53 of the BDMR Act or comply with the requirements of s 48 of the BDMR Act and, therefore the provision of The Respondent's birth certificate was contrary to the requirement in s. 46(3) (at [85], [88], [110], [112]).

Amended Notice of Appeal

In this appeal, the Registrar relies upon six grounds of appeal, on questions of law and fact. In summary, the Registrar contends that: 1. the Tribunal erred in law in finding that the BDM Register is a "public register'' for the purposes of the PPIP Act (Ground 1); 2. the Tribunal erred in law by constructively failing to review the Registrar's conduct complained of by the Respondent by: 1. reviewing the wrong conduct by reviewing the Registrar's disclosure of The Respondent's Birth Certificate under s. 52(1)(c) instead of s. 52(1)(a) of the PPIP Act (Ground 2); or 2. in the alternative, asking itself the wrong question in reviewing the conduct under s. 52(1)(c) of the PPIP Act by not asking whether there had been a breach of s. 57 of the PPIP Act (Ground 5); 3. the Tribunal made a decision that was legally unreasonable in finding that the purpose for which the Respondent's uncle's Australian solicitor was provided access to the Respondent's Birth Certificate was not an "adequate reason" within the meaning of s. 46 of the BDMR Act (Ground 4); and 1. the Tribunal erred in fact and or made a finding without evidence that the Registrar's delegate did not consider the access policy made under s. 53 of the BDMR Act, "PO 06 Access to Information Contained in the Register Policy" dated 3 July 2019 (the Access Policy), before providing access to the Respondent's Birth Certificate to her uncle's Australian solicitor (Grounds 3 and 6).

Relevant Legislation

Section 52 of the PPIP Act is in Part 5 of the PPIP Act and provides: 52 Application of Part (1) This Part applies to the following conduct - (a) the contravention by a public sector agency of an information protection principle that applies to the agency, (b) the contravention by a public sector agency of a privacy code of practice that applies to the agency, (c) the disclosure by a public sector agency of personal information kept in a public register. (2) A reference in this Part to conduct includes a reference to alleged conduct. (3) This Part does not apply to any conduct that occurred before the commencement of this Part. (4) Section 53 (Internal reviews) of the Administrative Decisions Review Act 1997 does not apply to or in respect of conduct to which this Part applies.
Section 53 of the PPIP Act relevantly provides in respect of the Internal Review Process, the following: 53 Internal review by public sector agencies A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct. (1A) There is no entitlement under this section to the review of the conduct of a Minister (or a Minister's personal staff) in respect of a contravention of section 15 (Alteration of personal information). Note. Any such conduct can still be administratively reviewed by the Tribunal. See section 55 (1A). The review is to be undertaken by the public sector agency concerned. An application for such a review must: (a) be in writing, and (b) be addressed to the public sector agency concerned, and (c) specify an address in Australia to which a notice under subsection (8) may be sent, and (d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and (e) comply with such other requirements as may be prescribed by the regulations.
Section 18 of the PPIP Act concerns the alleged breaches identified by the Respondent, that is the disclosure of her personal information being her Birth Certificate, to the Solicitor for a third party. Disclosure concerns an Information Protection Principle the relevant IPP being IPP 11 which concerns s 18 of the PPIP Act. Section 18 provides: 18 Limits on disclosure of personal information (1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless: (a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or (b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or (c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person. (2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
Overarching these IPP's is the definition of Personal Information provided for in section 4 of the PPIP Act. Section 4 provides: 4 Definition of "personal information" (1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. (2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics. (3) Personal information does not include any of the following: (a) information about an individual who has been dead for more than 30 years, (b) information about an individual that is contained in a publicly available publication, (c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act, (d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth, (e) information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure, (f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997, (g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry, (h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990, (i) information about an individual that is contained in Cabinet information or Executive Council information under the Government Information (Public Access) Act 2009, (j) information or an opinion about an individual's suitability for appointment or employment as a public sector official, (ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000, (k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection. (4) For the purposes of this Act, personal information is held by a public sector agency if: (a) the agency is in possession or control of the information, or (b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or (c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998. (5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.
The PPIP Act provides that a person who is not satisfied with the findings of an Internal Review or the action taken by the agency may apply to the Tribunal for an administrative review (s 55). Following administrative review by the Tribunal a suite of actions are available to the Tribunal under s 55 (2) including to take no action on the matter.
Section 55 relevantly provides: 55 Administrative review of conduct by Tribunal (1) If a person who has made an application for internal review under section 53 is not satisfied with: (a) the findings of the review, or (b) the action taken by the public sector agency in relation to the application, the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53. (1A) A person (the applicant) who is aggrieved by the conduct of a Minister (or a Minister's personal staff) constituting a contravention of section 15 (Alteration of personal information) may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct. (2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders: (a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct, (b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice, (c) an order requiring the performance of an information protection principle or a privacy code of practice, (d) an order requiring personal information that has been disclosed to be corrected by the public sector agency, (e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant, (f) an order requiring the public sector agency not to disclose personal information contained in a public register, (g) such ancillary orders as the Tribunal thinks appropriate. (3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.
There is no dispute that the Respondent's Birth Certificate is personal information within the meaning of the PPIP Act.
Section 46 of the BDMR Act is as follows: 46 General access to Register (1) The Registrar may, on conditions the Registrar considers appropriate-- (a) allow a person or organisation that has an adequate reason for wanting access to the Register, access to the Register, or (b) provide a person or organisation that has an adequate reason for wanting information from the Register, with information extracted from the Register. (2) In deciding whether an applicant has an adequate reason for wanting access to the Register, or information extracted from the Register, the Registrar must have regard to - (a) the nature of the applicant's interest, and (b) the sensitivity of the information, and (c) the use to be made of the information, and (d) other relevant factors. (3) In deciding the conditions on which access to the Register, or information extracted from the Register, is to be given under this section, the Registrar must, as far as practicable, protect the persons to whom the entries in the Register relate from unjustified intrusion on their privacy.
Section 48 of the BDMR Act is as follows: 48 Protection of privacy In providing information extracted from the Register, the Registrar must, as far as practicable, protect the persons to whom the entries in the Register relate from unjustified intrusion on their privacy.
Section 49 of the BDMR Act is as follows: 49 Issue of certificate (1) On completing a search of the Register, the Registrar may issue a certificate-- (a) certifying particulars contained in an entry, or (b) certifying that no entry was located in the Register about the relevant registrable event. Note : See section 25A(3) in relation to the requirement for the Registrar to issue more than 1 certificate for adopted persons. (2) A certificate under subsection (1) (a) is admissible in legal proceedings as evidence of-- (a) the entry to which the certificate relates, and (b) the facts recorded in the entry. (3) If the word "illegitimate", or any other word or expression referring to the fact that a child was born outside marriage, appears in an entry in the Register, that word or expression is not to be included in any certificate issued by the Registrar. (4) If requested to do so by an applicant, and authorised to do so under the Adoption Act 2000 , the Registrar must issue a single certificate (an "adopted person's birth record" ) certifying particulars contained in an entry relating to the birth of a person and particulars relating to a record sent to the Registrar under Chapter 7 of the Adoption Act 2000 (or a memorandum under the former Acts) and registered under this Act. (5) If requested to do so by an applicant, and authorised to do so under the Surrogacy Act 2010, the Registrar must issue the applicant with a full birth record, being a single certificate that certifies particulars relating to the birth of a person registered under section 17 and particulars of a parentage order or discharge of a parentage order relating to the person registered by the Registrar under Part 4A.

Ground 1: Is the BDM Register a 'public register'

Section 25 of the PPIP Act is as follows: 25 Exemptions where non-compliance is lawfully authorised or required A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if - (a) the agency is lawfully authorised or required not to comply with the principle concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).
By ground 1, the Registrar contends that the Tribunal erred in law in finding that the BDM Register is a 'public register' within the meaning of the PPIP Act.
In raising this ground, the registrar seeks to be granted permission to withdraw the concession made at the hearing that the BDM Register is a 'public register' within the meaning of the PPIP Act.
The Respondent opposed the Registrar being permitted to withdraw the concession at first instance. According to the Respondent to allow that concession to be withdrawn would be contrary to the public interest in the finality of litigation and the need to uphold efficiency in the Tribunal. Moreover, the Respondent contended, it would result in prejudice to a personal litigant who has the benefit of a first instance decision in her favour now having a fight on appeal that could have easily been dealt with at the hearing of the Tribunal.
The Appeal Panel has decided to permit the registrar to withdraw the concession made and to consider for itself whether or not the BDM Register is a 'public register' within the meaning of the PPIP Act for the following reasons.
First, the concession concerns a question of law of public importance, as to the proper meaning of 'public register' in the PPIP Act which has not been the subject of any consideration by the Tribunal or a Court. The question does not require the determination of any issues of fact to determine this question of law and this is recognised to be a circumstance where a party may be permitted to withdraw a concession on appeal: see Suttor v Gundowda Pty Ltd (1950) 81 CLR 418, 438; Water Board v Moustakas (1988) 180 CLR 491, 496-497; Hollis v Vabu Pty Ltd (2001) 207 CLR 21, [29] - [31].
Second, the context of the current proceedings is that of merits review proceedings where the Tribunal's goal is to reach the correct and preferable decision on a process of enquiry: see University of New South Wales v PC (GD) [2008] NSWADTAP 26, at [50].
Third, in our view, the prejudice to the Respondent if the Registrar were permitted to withdraw the concession is fairly limited given that the Respondent has the full opportunity to put forward her view as to the correct legal position.

Submissions of the Appellant

The Registrar referred to the definition of 'public register' in s 3(1) of the PPIP Act, being: 'a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee)'. The PPIP does not define what is meant by 'a register of personal information' or 'publicly available or open to public inspection'.
It was not in dispute between the parties that the BDM Register is a 'register of personal information'. What is in dispute is the meaning of the term 'publicly available or open to public inspection'.
The Registrar submitted that the meaning of 'publicly available or open to public inspection' in the context of the definition of 'public register' in s 3(1) of the PPIP Act requires a register of personal information to be 'available' or 'open' to any member of the public without satisfaction of some conditions other than the payment of a fee before access is granted.
The Registrar (at [45], [46], [51] of the Registrar's written submissions) contended this should be the interpretation given for the following reasons: 45. First, in the Registrar's submission, it is significant that the word "publicly" is used before "available" and the word "public" is used before "inspection" in the definition of "public register" as "publicly" and "public" ordinarily connote something that relates to people as a whole or at large. For those words to be given meaning and effect there must be some difference between a register of personal information that is made "available or open to inspection" and a register that is made "publicly available or open to public inspection". Having regard to the ordinary meaning of "publicly" and "public", the difference must be that a register of personal information that is made "available or open to inspection" is not made available or open to inspection to all. In other words, some sort of restriction may apply to accessing a register that is "available or open to inspection". Accordingly, it follows that a register of personal information that is made "publicly available or open to public inspection" is one where access is not subject to any restriction. 46. Secondly, as a matter of principle, where the same word or phrase appears in an Act, it is presumed to have the same meaning throughout unless the provides otherwise. The words "publicly available" also appear in the PPIP Act, in the context of "publicly available publication" in s. 4(3)(a), and have been the subject of consideration by the Tribunal's predecessor, the Administrative Decisions Tribunal, and the District Court. … 51. Thirdly, the definition of "public register" in s. 3(1) of the PPIP Act also includes the words "whether or not on payment of a fee" in parentheses. If the definition of "public register" could apply to a register of personal information to which access is potentially restricted for some reason, those words would have no work to do. A construction that gives all words in a statutory provision work to do is to be preferred.
Accordingly, the Registrar submits the BDM Register is not a 'public register' as it cannot be accessed by the public without restriction, other than by the payment of a fee.
This is not the case, according to the Registrar, as pursuant to s 46(1) of the BDMR Act, the Registrar's authority to allow access to the BDM Register and the information contained in it is subject to the Registrar being satisfied that the person has provided an 'adequate reason' and the Registrar favourably exercising her discretion to grant access to the person.

Submissions of the Respondent

According to the Respondent, the proposition that access to information in a public register can only be conditioned on a payment of a fee is inconsistent with s 57 of the PPIP Act, which together with s 52(1)(c), creates a condition on access, the contravention of which is conduct which is reviewable by the Tribunal.
The Respondent submits that such condition is the responsible public sector agency's satisfaction that personal information is to be used for the purpose relating to the purpose of the register or the Act under which it is kept.
The Respondent submitted that the Registrar's contention is also inconsistent with s 58 of the PIPP Act, which contemplates that not all personal information contained in the public register will be available to the public at large.
The Registrar referred to and supported the statement of the Tribunal at [89]: The Parliament saw fit to place Public Registers in the PPIP Act by giving them their own Part in that Legislation (Part 6). This clearly indicates that to some extent there is a presumption that privacy protections (however expressed) will apply in some way to the personal information held in public registers. I can think of no other reason to include them via their own Part in the PPIP Act.
Her further written submissions were as follows: 47. Further, the definition is not just a 'register of information' that includes personal information but a 'register of personal information'. It is inconsistent with the tenor of the PPIP Act, which serves to protect personal information, that a register could be made available with no conditions. The idea that a member of the public could come to a public register and have information from it provided to them "with no questions asked" is entirely inconsistent with the regime of the PPIP Act: cf AS [47]. 48. It is of no assistance that the phrase "publicly available" in s 4(3)(b) may have been interpreted in a particular way: cf AS [46]-[50]. That phrase there appears as a carve-out from the definition of personal information. The subsection provides that personal information does not include "information about an individual that is contained in a publicly available publication". It is obvious why in that context, it should be interpreted widely - as only information which can be taken to be known or knowable to others should not have the protection of the PPIP Act. But in the case of the public register, the phrase "publicly available" is to bring them within the scope of the PPIP Act. Those are quite different contexts, and it is consistent with the beneficial intent of the legislation that the phrase would be interpreted differently in s 3(1). 49. Applying the meaning of "public register" to the Register, the Register clearly falls within the meaning of s 3(1). The Registrar concedes that it was a "register of personal information". Thus, the debate between the parties is limited to whether the Register is "publicly available or open to public inspection (whether or not on payment of a fee)". The Register is open to public inspection in that members of the public at large - not just bureaucrats or law enforcement officials and so on - may apply to access the information contained within it. One of the objects of the BDMR Act is to provide for "access to the information in the registers in appropriate cases by government or private agencies and members of the public, from within and outside the State... ": s 3(e) (emphasis added). There are indeed restrictions on such access, but those restrictions can be seen to be essentially furthering the purposes of the PPIP Act. Except where information relates only to a person who has been dead for more than 30 years, all of the information within the Register would fall within the definition of "personal information". The Appellant's argument is that because there are measures to protect the privacy of personal information contained in the BDMR Act, consistent with the restrictions provided in ss 57 and 58 of the PPIP Act, that the Register should not be subject to the protections of the PPIP Act. 50. The Respondent further maintains that it is the legislature's practice to indicate with an express provision where a register is not intended to be a "public register": see, e.g., Radiation Control Act 1990 (NSW), s 13C(6); Pesticides Act 1999 (NSW), s 53(9). The absence of such provision here indicates that the Register is intended to be a public register.

Submissions of the Privacy Commissioner

The Privacy Commissioner appeared before us on this appeal but made no appearance before the Tribunal in the original proceedings.
The Privacy Commissioner contended that the Births, Deaths and Marriages Registry is not a public register within the meaning of s 3 of the PPIP Act essentially because the registers kept under the BDMR Act can only be accessed in 'appropriate cases'. This is to be determined at the discretion of the Registrar. The Commissioner referred to in this regard to s 3(e) of the BDMR Act: The objects of this Act are to provide for-- (e) access to the information in the registers in appropriate cases by government or private agencies and members of the public, from within and outside the State
The Commissioner also referred to s 58 of the BDMR Act which states: 58 Unauthorised access to or interference with Register A person must not, without the authority of the Registrar or other lawful authority-- (a) obtain access to the Register or information contained in the Register, or … : Maximum penalty--100 penalty units or 2 years imprisonment, or both.
The Commissioner also relied upon s 46 of the BDMR Act which we have already referred to above.
Finally, the Commissioner referred to s 48 of the BDMR Act which we have also previously quoted.
According to the Commissioner while it is acknowledged that the PPIP Act is beneficial legislation and should be given a broad construction (see Pearce v AQO [2015] NSWCATAP 162 at [24]; PN v Department of Education & Training [2006] NSWADT 122 at [57] - [58]), to bring the BDM Register within the definition of a public register strains the plain meaning of the words and is not required to give the PPIP Act effect.
According to the Privacy Commissioner, the reality is that the information held at the BDM Register is not ordinarily made available for inspection by any member of the public who wishes to do so. Access is by exception rather than the rule and some of the information held has strict limits against disclosure placed upon it: see, for example, ss 49(3), 22A(3), 56 and 60 BDMR Act.

Consideration

We agree with the submission of the Registrar and the Privacy Commissioner.
The key issue is the meaning of the words 'publicly available or open to public inspection'. The meaning of those words in the PPIP Act is to be ascertained through the task of statutory construction which involves consideration of the statutory text, understood in its context (including legislative history and secondary materials) and with regard to its purpose: see, for example, SZTAL v Minister for Immigration and Border Protection (2017) 262 CLR 362 at [14], [37] - [39]; Commissioner of Taxation v Consolidated Media Holdings Ltd (2012) 250 CLR 503, at 519 [39];
We agree with the Registrar's submission that the word 'publicly' and the word 'public' ordinarily connote something that relates to people as a whole or at large. For example, the Macquarie Dictionary (online edition) defines 'public' to mean as an adjective: 1. Of, relating to, or affecting the people as a whole or the community, state, or nations; 2. One, made, acting, etc., for the people or community as a whole; 3. Open to all the people; 4. Relating to or engaged in the affairs or service of the community or nation; 5. Maintained at the public expense, under public control, and open to the public generally; 6. Open to the view or knowledge of all; existing, done, etc., in public; 7. Having relations with or being known to the public generally, and as a noun: 1. Also, the general public. The people constituting a community, state, or nation, 2. a particular section of the people; 3. public view or access.
In Lester v NSW Minister for Planning and Ashton Coal Operations Pty Ltd (2013) 193 LGERA 97, Preston CJ of LEC (with Tobias and Young AJJA agreeing) held at [50] that the obligation imposed to make certain documents 'publicly available' in s 75X(2) of the Environmental Planning and Assessment Act 1979 (NSW) meant to make the documents available to the public at large.
In WL v Randwick City Council (GD) [2007] NSWADTAP 58, the Appeal Panel in finding that enforcement notices issued by a local council to which the council could refuse access if it were contrary to the public interest were not 'publicly available publications', relevantly stated (at [26]-[27]): The term 'publicly available' signifies, in our view, a state of affairs where any person can come to the agency, and have provided to them a document with no questions asked. We note, consistently with these observations, that the Tribunal has previously found that in relation to accessing a publication, it will not be a 'publicly available publication' unless 'its contents are freely available to any member of the public, without restriction' (see NW v NSW Fire Brigades [2005] NSWADT 73 at [261). We emphasise also that the exception refers to a publicly available 'publication'. The term 'publication' connotes, we think, more than a mere document that can be uplifted from an administrative file and inspected or copied. It has a connotation of greater formality than that. We are inclined to the view that what was in the mind of the Parliament was material in a published form consistent with general, unfettered availability such as a brochure, pamphlet or report. The reference to 'freely available' does not mean it has to be free of charge. 'Freely', in our view, connotes unrestricted access in this statutory context.
In University of New South Wales v PC (GD) [2008] NSWADTAP 26, the Appeal Panel, in finding information in the Dominion Law Reports was contained in a 'publicly available publication' (at [42]-[43]), determined (at [23]) that: [a] publication can not, I consider, be publicly available if there is a restriction on access to the publication (other than possibly the requirement for a reasonable payment).
We agree with the Privacy Commissioner submission that the reality is that the information held in the BDM Register is not ordinarily made available for inspection by any member of the public who wishes to do so.
The true position under the BDM Act is that access to the BDM Register is by exception rather than the rule and some of the information held has strict limits against disclosure placed upon it.
Whilst we accept that the PPIP Act is beneficial legislation and should be given a broad construction, this does not mean the ordinary or plain meaning of words in the statute should be strained and interpreted in such a way that whatever may be regarded as improving its enforcement must fall within the intention of the legislator: see the remarks of Spiegelman CJ in Director General, Department of Education & Training v NT (2006) 67 NSWLR 237 at [59] - [60].
For the above reasons we uphold ground 1 and accept that the BDM Register is not a public register within the meaning of s 3 of the PPIP Act.

Grounds 2 and 5: Did the Tribunal constructively fail to review the Registrar's conduct

By grounds 2 and 5, the Registrar contends that the Tribunal constructively failed to review the conduct that it was asked to review by the Respondent pursuant to s 55(1) of the PPIP Act which was the disclosure of her Birth Certificate to Mr Batalha without her consent.
In substance, the relevant issues are as follows: 1. Did the Tribunal fail to consider s 52(1)(a) of the PPIP Act and the application of s 25 of the PPIP Act? 2. Did the exemption in s 25 of the PPIP Act apply? 3. If yes, did the Tribunal have jurisdiction to decide whether or not the Registrar breached the BDMR Act?

Did the Tribunal fail to consider s 52(1)(a) of the PPIP Act and the application of s 25 of the PPIP Act?

Registrar's submissions

Section 52(1) of the PPIP Act refers relevantly to the following conduct: 1. the contravention by a public sector agency of an information protection principle that applies to the agency, 2. the contravention by a public sector agency of a privacy code of practice that applies to the agency, 3. the disclosure by a public sector agency of personal information kept in a public register.
According to the Registrar, the Tribunal considered the matter as coming within s 52(1)(c). The Registrar submitted that if the Registrar succeeds on ground 1, that it follows that the Tribunal erred in failing to review the conduct complained of by the Respondent against the relevant statutory provision being s 52(1)(a) rather than s 52(1)(c) as the BDM Register is not a public register governed by Part 6 of the PPIP Act.
According to the Registrar, the Tribunal ought to have considered the matter in the context of s 52(1)(a) and ask itself whether or not there had been a breach of the relevant information protection principles such as in s 18 or s 19 of the PPIP Act and whether or not they applied or whether or not the exemption in s 25 of the PPIP Act relied upon by the Registrar applied.

Submissions of the Respondent

The Respondent contended that the Tribunal below found that the release by the Registrar of the Birth Certificate amounted to a breach of s 18 of the PPIP Act (at [112]) and that in effect it was immaterial that the review was not being performed under s 52(1)(a) as the Tribunal in substance found that the exemption to the application of s 18 by s 25 of the PPIP Act did not apply and that the Registrar's conduct occurred contrary to the requirements of s 46(3) of the BDMR Act in any event.

Submissions of the Privacy Commissioner

The Commissioner made no submissions as to whether or not the Tribunal in substance dealt with the issue under s 52(1)(a) and made submissions as to the applicability or non-applicability of s 25 of the PPIP Act.
We deal with this issue later in our reasons.

Consideration

The Tribunal stated the following at [106] - [108]: 106 … It appears inconceivable that the Legislature would include within Part 5 of the PPIP Act conduct relating to personal information in public registers if such registers were covered or authorised (as they would be) by other Legislation and therefore excised from the PPIP Act due to the operation of s 25 of that Act. 107 Additionally I do not agree that the two cases referred to in the paragraphs above are authority for the submission being put by the Registrar, that in effect the Tribunal is constrained from examining the circumstances of the conduct under another Act (in this case the BDMR Act), when determining an administrative review. 108 That argument and submission might hold some weight when the external Legislation is not identified by reference to public registers being imported into the PPIP Act. Put another way because of the references at 52 (1) (c) of the PPIP Act, privacy matters relating to disclosure from public registers are captured. When looking as to whether such a disclosure is a breach of privacy the only guidance from the PPIP Act itself is s 18 (in this case). In order to ascertain whether the terms and provisions of s 18 have been offended the Tribunal, in reviewing conduct, must look to the actual conduct in question, and any statutory guidance available about the specific conduct under the auspices of the public register. In that manner the Tribunal must look to the BDMR Act.
The Tribunal also stated the following at [110], [111] and [112]: 110 Having examined the conduct complained of it is clear on the material given in evidence by the Registrar, that insufficient regard was had to protecting the privacy of Ms Kellaway. In that regard prima facie the Registrar was in breach of s 18 of the PPIP Act in that they disclosed Ms Kelloway's personal information from a public register without seeking her views, or in a practical sense having regard to their own polices, releasing the information in circumstances not envisaged in those polices or their own statute. 111 In my view none of the provision of s 18 of the PPIP Act were met by the Registrar's delegate in releasing the information. Clearly in the circumstances the Registrar knew that Ms Kellaway would object to release. Their initial response dated 6 February 2020 to the Solicitors asked then to obtain Ms Kelloway's consent. The Solicitor's letter in reply dated 8 March 2022 [sic] (2020) indicates that they are applying 'against' Ms Kelloway, therefore implying that consent would not be forthcoming. In any event the Solicitor's do not engage further on this issue. 112 The release by the Registrar of the personal information is therefore a breach of s 18 of the PPIP Act, because the conduct occurred contrary to the requirement in s 46 (3) of the BDMR Act. In that regard the conduct did not have regard to the Registrar's policies arising under s 53 of the BDMR Act, nor did the conduct comply with the requirements of s 48 of the BDMR Act on the evidence and material before the Tribunal and I so find.
In our view, the Tribunal clearly came to the view that s 52(1)(c) of the PPIP Act was applicable given its conclusion that the BDM Register was a public register within the meaning of s 3(1) of the PPIP Act. This is understandable in light of the concession made by the Registrar before the Tribunal.
Accordingly, in our view, ground 2 should be upheld.
In light of us upholding ground 1 of the Notice of Appeal, it follows that a matter necessarily to be determined by us is whether or not s 25 of the PPIP Act applies to exempt the Registrar from compliance with s 18 and s 19 of the PPIP Act.

Registrar's submissions

The Registrar contended that s 25 of the PPIP Act meant it was not required to comply with sections 18 or 19 of that Act.
Section 25 is as follows: 25 Exemptions where non-compliance is lawfully authorised or required A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if-- (a) the agency is lawfully authorised or required not to comply with the principle concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).
The Registrar submitted that s 25 'lawfully authorises' disclosure. The Registrar referred to Division 4 of Part 5 of the BDMR Act. According to the Registrar, the Division confers a discretion on, and lawfully authorises, the Registrar to 'provide a person who has adequate reason for wanting information from the Register, with information extracted from the Register': s 46(1)(b), BDMR Act.
Whilst the Registrar is required to have regard to various matters in deciding whether an applicant has 'adequate reasons' for wanting information extracted from the Register (s 46(2)), such requirements in no way detract from the lawful authorisation of the Registrar to provide the Respondent's Birth Certificate to her uncle's lawyers in the circumstances here.

Submissions of the Privacy Commissioner

The Privacy Commissioner submits that s 25 of the PPIP Act does not exempt the Registrar from compliance with sections 18 or 19 of the PPIP Act. According to the Commissioner, the operation of sections 46 and 48 do not otherwise permit nor reasonably contemplate non-compliance with s 18 or s 19(2) of the PPIP Act.
The Commissioner submits that s 46 and s 48 of the BDMR Act grant the Registrar three distinct discretions as follows: 1. A discretion to grant a person access to the Register; 2. A discretion to provide a person with an extract of information held by the Registrar; and 3. A discretion as to whether to apply any conditions on access or the provision of an extract.
The Privacy Commissioner's written submissions continued as follows: 46. What is significant is that all three discretions conferred on the Registrar are fettered by a mandatory limitation - that the Registrar must, as far as practicable, protect the persons to whom the entries in the Register relate from unjustified intrusion on their privacy. 47. The issue of the operation of s 25 of the PPIP Act then resolves into the enquiry as to whether there is any inconsistency between the exercise of those discretions and relevantly, the privacy principles in ss 18 and 19(2) of the PPIP Act. 48. The Commissioner submits that, owing to the mandatory fetters on the Registrar's decision making powers, strictly speaking, the Registrar could not, at law, make a reasonable and thereby valid decision (that is. could not validly exercise those discretions) to disclose information held by the Registry while completely ignoring the relevant privacy principles. At the very least, the BDRM Act does not otherwise permit and certainly doesn't necessarily imply or reasonably contemplate that the Registrar would exercise these discretions in such a fashion. 49. The Registrar has not submitted that it was impractical to comply with the relevant privacy principles in the circumstances of this case nor given an example of how it would be impractical in other circumstances. It is submitted that the Registrar's obligation to protect the persons to whom the entries in the Register relate from unjustified intrusion on their privacy 'as far as practicable' does not operate to expand the discretion such that relevant and practically applicable privacy principles may be ignored in its exercise. (footnotes omitted)

Submissions of the Respondent

The Respondent's position, as we understand it, was the same as that before the Tribunal below. The Tribunal at [67] recorded that the Respondent submitted that the release of the Birth Certificate is not sanctioned by s 25 of the PPIP Act, because the release (on her submission) is not authorised by s 46(1)(b) of the BDMR Act or any other section of the BDMR Act when one had regard to s 48 of the Act.

Consideration

In respect of s 25 of the PPIP Act, the Appeal Panel of the Administrative Decisions Tribunal in PN v Department of Education & Training (GD) [2010] NSWADTAP 59 at [53] - [60] stated the following: 53 In our view, the guidelines to which PN refers are no more than that. They do not lay down strict rules in relation to permissible disclosure in the way suggested in the submissions. 54 Further, we do not think that the task required of the Tribunal in deciding whether or not s 25 is applicable requires it to go so far as to make a microscopic comparison of an alternative law to which an agency refers in justification. Section 25 is expressed in broad language. It is enough that 'non-compliance is reasonably contemplated' by the other law. 55 The Tribunal is called upon, as we see it, to consider the subject matter of the alternative law and ask itself, first, is this the kind of subject matter with which a relevant IPP is concerned in the circumstances of the case before it. 56 Necessarily, the workers compensation regime involves the management of personal information. Moreover, the workers compensation regime has detailed provisions allowing movements of information between a number of parties who have a business role in the management of workers' injuries and the determination of claims. 57 In our view, it is enough for s 25(b) to apply that the transactions in issue (here, one instance of indirect collection and otherwise disclosures) are of a type that is contemplated by the regime; and that they are genuinely undertaken for the purpose of the scheme. Whether something is 'reasonably contemplated' is a factual determination for the trial tribunal to make, only vulnerable to appeal as an error of law on narrow grounds, such as no evidentiary basis for the finding or because the finding is one no rational tribunal could make. This is clearly not a case of that kind. 58 If the Department has breached the guidelines or the statutory provisions in the way it carried out its obligations under the workers compensation regime, as PN's submissions suggest, those are matters to be dealt with through the complaints mechanisms that the workers compensation regime has. The breaches are not open to be litigated within the framework of the privacy legislation. 59 The Tribunal's task is simply to make a broad judgement as to whether s 25 applies. The protection given to an agency by s 25 is not lost simply because the agency has failed to comply, in some aspect of the detail, with a requirement of the other law. 60 If the strict view pressed by PN were to be adopted, privacy cases raising s 25 would give rise to a detailed collateral inquiry into whether the agency had strictly complied with the alternative regime. We do not think that the words of s 25 support such a conclusion, and engagement by the Tribunal in a collateral inquiry would defeat the evident purpose of s 25.
The statement of principles in PN's case has been followed consistently, including by the Appeal Panel of the Tribunal. For example, the Appeal Panel of this Tribunal in CCM v Western Sydney University [2019] NSWCATAP 103 at [63] - [64] stated the following: 63 Section 25 has been the subject of consideration in several decisions of the Tribunal and its predecessor, including Appeal Panel decisions. The words "otherwise permitted (or is necessarily implied or reasonably contemplated)" in s 25(b) have been held to be extremely broad: JS v Snowy River Shire Council (No 2) [2009] NSWADT 210 at [53]. In PN v Department of Education and Training (GD) [2010] NSWADTAP 59, the Appeal Panel of the former Administrative Decisions Tribunal held at [54] that s 25 was expressed in broad language, and that in deciding whether or not s 25 is applicable the Tribunal is not required to go so far as to make a microscopic comparison of an alternative law to which an agency refers in justification. 64 In CYL v YZA [2017] NSWCATAP 105 the Appeal Panel of this Tribunal at [56] endorsed the reasoning of the Tribunal at first instance responding to the agency's claim made under s 25(b), which relied on the line of Appeal Panel and Tribunal authority on the meaning of "reasonably contemplated" (AIL v Department of Premier and Cabinet [2013] NSWADTAP 26; Department of Education and Communities v VK [2011] NSWADTAP 61; PN v Department of Education and Training [2010] NSWADTAP 59; BFP v NSW Ambulance Service [2015] NSWCATAD 39; MH v NSW Maritime [2011] NSWADT 248; AFC v Sydney Children's Hospital Speciality Network [2012] NSWADT 189). The relevant principles were stated in CYL v YZA [2016] NSWCATAD 314 in the following terms: 97. I do take from the authorities express or implicit support for the following: (1) No narrow view of the s 25(b) exemption should be taken. (2) A practical approach needs to be taken that avoids a detailed examination of every aspect of the information supplied and the identification of a sufficient connection between each aspect and the contemplation of the alternate law. Hence, one should focus upon the kind or type of information supplied to the external agency rather than its precise contents. Otherwise, there is danger that enforcement of the IPPs becomes embroiled in technical and lengthy disputes. (3) In a similar vein, one does not drill down into too much detail about the processes for provision of information under the alternate law. The search is not for what the alternate law requires or as to what would be in accordance with such law, but with the much broader inquiry of reasonable contemplation by that law. (4) The state of mind of the supplier of the information might be a relevant factor but genuineness in the supply is not a requirement; see AIL at [41]. Here again, the practicalities suggest that the Tribunal should be wary about conducting a trial within a trial about the motives of the agency in supplying the information.
The Tribunal's reasons in respect of whether or not s 25 of the PPIP Act applied was set out at [102] - [110] as follows: 102 This submission by the Registrar's legal representative relying on Skase and also Healthshare, was made on the basis that the provision in s 25 of the PPIP Act is merely enlivened and no inquiry into the merits of any decision under the other legislation can be made by the Tribunal. In short, the submission being that if another Act confers a power to authorise conduct of the agency, then no inquiry into how that power was exercised and the merits of the use of that power - being the conduct under review - can be examined under the provisions of the PPIP Act. Section 25 is an 'out' provision both for and from the PPIP Act. It was submitted that the Tribunal cannot conduct a review of the operation of the power under the other Legislation and then determine if that operation was flawed in some manner, and if so, bring the matter back into the PPIP Act. 103 Ms Kelloway's legal representative submitted that the Registrar's submission on s25 was extreme. In addition they submitted that this submission is not supported by PN, being a case relied upon by the Registrar. 104 Ms Kellaway submitted that in coming to a review position and decision in the matter the Tribunal needs to look at what the Birth Deaths and Marriages officers did. In doing that, without conducting a judicial review it is still necessary to go beyond the mere enlivening of the power that s 25 of the PPIP Act refers to. 105 A further submission was made about the objects provision of the BDMR Act at s 3. The objects provide: 3 Objects of Act The objects of this Act are to provide for- (a) the registration of births, deaths and marriages in New South Wales, and (b) the registration of adoption information, and (c) the registration of changes of name and the recording of changes of sex, and (d) the keeping of registers for recording and preserving information about births, adoptions, deaths, marriages, registered relationships, changes of name and changes of sex in perpetuity, and (e) access to the information in the registers in appropriate cases by government or private agencies and members of the public, from within and outside the State, and (f) the issue of certified information from the registers, and (g) the collection and dissemination of statistical information. (Emphasis added) 106 In my view the Registrar's reliance on Healthshare and Skase in the current matter is misplaced. That is because of the various references to privacy protections in the BDMR Act and public register references in the PPIP Act. In addition the current matter turns on different facts to those matters, and Skase was dealing with the Commonwealth Legislation (Privacy Act 1988 Cth) which is differently drafted. It appears inconceivable that the Legislature would include within Part 5 of the PPIP Act conduct relating to personal information in public registers if such registers were covered or authorised (as they would be) by other Legislation and therefore excised from the PPIP Act due to the operation of s 25 of that Act. 107 Additionally I do not agree that the two cases referred to in the paragraphs above are authority for the submission being put by the Registrar, that in effect the Tribunal is constrained for examining the circumstances of the conduct under another Act (in this case the BDMR Act), when determining an administrative review. 108 That argument and submission might hold some weight when the external Legislation is not identified by reference to public registers being imported into the PPIP Act. Put another way because of the references at 52 (1) (c) of the PPIP Act, privacy matters relating to disclosure from public registers are captured. When looking as to whether such a disclosure is a breach of privacy the only guidance from the PPIP Act itself is s 18 (in this case). In order to ascertain whether the terms and provisions of s 18 have been offended the Tribunal, in reviewing conduct, must look to the actual conduct in question, and any statutory guidance available about the specific conduct under the auspices of the public register. In that manner the Tribunal must look to the BDMR Act. 109 Having regard to release of information from the public register under s 46 of the BDMR Act, the Registrar is required to have regard to s 46 (3) amongst other matters. The section provides: (1) In deciding the conditions on which access to the Register, or information extracted from the Register, is to be given under this section, the Registrar must, as far as practicable, protect the persons to whom the entries in the Register relate from unjustified intrusion on their privacy. 110 Having examined the conduct complained of it is clear on the material given in evidence by the Registrar, that insufficient regard was had to protecting the privacy of Ms Kellaway. In that regard prima facie the Registrar was in breach of s 18 of the PPIP Act in that they disclosed Ms Kelloway's personal information from a public register without seeking her views, or in a practical sense having regard to their own polices, releasing the information in circumstances not envisaged in those polices or their own statute.
It appears to us that the Tribunal's conclusion on the applicability of s 25 of the PPIP Act was influenced by the view that the BDM Register was a public register within the meaning of the PPIP Act: see in particular paragraph [108].
In our view, the task of the Tribunal in considering whether or not s 25(b) of the PPIP applies, is to consider the subject matter of the alternative law, being the BDMR Act, and ask itself, first, whether or not this is the kind of subject matter with which a relevant IPP is concerned in the circumstances of the case before it.
In this regard it is clear that the BDMR Act grants a discretion to the Registrar to grant access to the Register or information extracted from the Register to another person including in circumstances where the Registrar may have reason to believe that the individual concerned would object to the disclosure and hence, such disclosure would be prima facie in breach of s 18 of the PPIP Act.
In our view, the release of the Birth Certificate by the Registrar is a release of information of a type that is contemplated by the BDMR Act and can be made genuinely for the purpose of the BDMR Act.
Following the approach of the authorities and in particular PN's case, we accept that it is not the role of the Tribunal to conduct a detailed or microscopic view of whether or not the Registrar has complied with the BDMR Act in the precise circumstances of the case here.
As stated in PN's case at [59], the protection given to an agency by s 25 is not lost simply because the agency has failed to comply, in some respect of the detail, with the requirement of the BDMR Act.
The substance of the submissions of the Privacy Commissioner is that given that the Registrar under the BDMR Act must, as far as practical, protect the persons to whom entries in the Register relate from 'unjustified intrusion on their privacy', there cannot ever be an inconsistency between a potential disclosure under the BDMR Act and the requirement of the privacy principles in sections 18 and 19(2) of the PPIP Act.
We accept that there may well be a deal of overlap between a legitimate conclusion of the Registrar that there is an 'unjustified intrusion' on a person's privacy if a certificate was revealed and whether or not a breach of the privacy principles in sections 18 and 19(2) of the PPIP Act has occurred. However, for the reasons we have explained above, this does not deprive s 25 of having potential application.
In order for the exemption in s 25 not to apply, we would have to be satisfied that it could not reasonably be contemplated that an authorised disclosure by the Registrar under the BDMR Act may otherwise be a breach of the Privacy principles in section 18 or 19(2) of the PPIP Act.
In our view, given that the language is different and the circumstances by which the Registrar is permitted to release a certificate is different to the circumstances whereby there is compliance with the privacy principles in sections 18 and 19(2) of the PPIP Act, we cannot come to the conclusion that a lawful release of a birth certificate by the Registrar under the BDMR Act must also comply with the privacy principles of sections 18 and 19(2) of the PPIP Act.
In conclusion, in our view, s 25 of the PPIP Act does apply to exempt the Registrar from compliance with the privacy principles in section 18 and 19(2) of the PPIP Act.

If yes, did the Tribunal have jurisdiction to decide whether or not the Registrar breached the BDMR Act?

The Tribunal at [107], quoted by us above, rejected the proposition that the Tribunal does not have jurisdiction to examine the circumstances of whether or not the Registrar breached the BDRM Act when determining the administrative review application before it. The Tribunal went on to find that the release by the Registrar of the personal information in question was in breach of s 18 of the PPIP Act, 'because the conduct occurred contrary to the requirements in s 46(3) of the BDMR Act.': at [112].
The Tribunal in that paragraph also concluded that the release of that information by the Registrar did not comply with the requirements of s 48 of the BDMR Act.
Whether the Tribunal has jurisdiction to consider if the Registrar was in breach of the BDMR Act and any consequences that might follow, is a matter that the Tribunal must satisfy itself of as a preliminary matter before embarking upon the merits of the application. The Privacy Commissioner made no submissions on the question of jurisdiction in the event that the Appeal Panel finds s 25 of the PPIP Act applies.

Registrar's submissions

Before the Tribunal at first instance the Registrar's submissions was that essentially the PPIP Act was not concerned with a breach of s 48 of the BDMR Act: see [73] of the Decision. The Registrar submitted that this position arises because s 56 of the BDMR Act only confers jurisdiction on the Tribunal for a decision of the Registrar because s 48 does not authorise the making of a decision then the Registrar submitted that no remedy under s 56 of the BDMR Act arises. Reference was made to PN's case.

Consideration

The Appeal Panel of the Administrative Decisions Tribunal in PN's case at [58] stated the following: If the Department has breached the guidelines or the statutory provisions in the way it carried out its obligations under the workers compensation regime, as PN's submissions suggest, those are matters to be dealt with through the complaints mechanisms that the workers compensation regime has. The breaches are not open to be litigated within the framework of the privacy legislation.
We accept the above is a correct statement of principle and that, accordingly, if s 25 applies, which we have so found, even if there has been a breach of the BDMR Act, this cannot be the subject of review or litigation under the terms of the PPIP Act.
This, however, is not the end of the matter. Section 56 of the BDMR Act is as follows: 56 Administrative review by the Civil and Administrative Tribunal (1) A person who is dissatisfied with a decision of the Registrar made in the exercise or purported exercise of functions under this Act may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the decision. (2) This section does not give a right of administrative review of a decision of the Registrar to refuse to register a change of name that was made only because the Commissioner of Corrective Services or the Commissioner of Police refused to give approval under section 31F.
In our view, the decision by the Registrar to release the Birth Certificate was a decision under the Act and capable of being the subject of an application for review pursuant to s 56 of the BDMR Act. A question for consideration is whether or not such an application was before the Tribunal.
Whilst in theory it may be possible to seek a review pursuant to s 56 of the BDMR Act of the decision to release information pursuant to 46(1) of the Act, it is clear to us that such a review was not before the Tribunal.
On 26 March 2020, the Registrar released a copy of the Respondent's Birth Certificate to Mr Batalha solicitor. The decision to provide a copy of the Birth Certificate must have occurred on or prior to that date. On 28 February 2022, subsequent to finding out about the provision of the Birth Certificate, the Respondent made a complaint to the Registrar about the provision of the Birth Certificate to Mr Batalha. When 60 days had elapsed after that date and no formal response had been received, the Respondent filed in the Tribunal her application for review on 23 May 2022.
The Respondent in her written submissions before the Tribunal at first instance stated the following at [2]: The [Appellant] correctly understood the complaint to involve an application for internal review under s 53 of the Privacy and Personal Information Protection Act 1998 (PPIP) in respect of the [Appellant's] conduct in respect of breaches of information protection principles in respect of disclosure by the Appellant of personal information kept in a public register.
In those written submissions of the Respondent (at paragraph 6), the Respondent noted that at the case conference on 27 June 2022 before the Tribunal, the Tribunal was informed that the Respondent sought compensation in the maximum amount allowed of $40,000.
We note that whilst damages in the maximum amount of $40,000 is available pursuant to section 55(2) of the PPIP Act, the Tribunal's powers and remedies that it can provide under the Administrative Decisions Review Act 1997 (NSW) (ADR Act), pursuant to a review authorised by s 56 of the BDMR Act are limited.
Section 63(3) of the ADR Act provides the following: (3) In determining an application for the administrative review of an administratively reviewable decision, the Tribunal may decide: (a) to affirm the administratively reviewable decision, or (b) to vary the administratively reviewable decision, or (c) to set aside the administratively reviewable decision and make a decision in substitution for the administratively reviewable decision it set aside, or (d) to set aside the administratively reviewable decision and remit the matter for reconsideration by the administrator in accordance with any directions or recommendations of the Tribunal.
The above remedies are more limited than the remedies under s 55(2) of the PPIP Act.
Accordingly, it is clear to us that the application for review that was before the Tribunal was for a review of the deemed refusal to consider the Respondent's complaint as to the conduct of the Registrar alleged to be in breach of the relevant privacy principles under the PPIP Act and for the remedies available under s 55(2) of the PPIP Act.
The decision to release the Birth Certificate was not sought to be reviewed under the power given to the Tribunal pursuant to s 56 of the BDMR Act and, indeed, given the limited remedies available under s 63(3) of the ADR Act the available remedies would have been of little benefit to the Respondent.
It is also clear to us that this is how the Tribunal and the parties considered and regarded the relevant review application before the Tribunal.
Accordingly, in light of our decision that s 25 of the PPIP Act exempted the Registrar from compliance with the relevant privacy principles set out in s 18 and 19(2) of the PPIP Act, it follows that the Tribunal could not grant any relief under the PPIP Act and there was no claim before it for review of the decision to release the Birth Certificate pursuant to s 56 of BDMR Act.

Conclusion

Accordingly, the orders of the Tribunal should be set aside. In lieu thereof the appropriate conclusion of the Tribunal should be pursuant to s 55(2) of the PPIP Act not to take any action on the matter.

Disposition

The Tribunal makes the following orders: 1. Appeal allowed. 2. Set aside the orders and directions of the Tribunal of 14 February 2023 and lieu thereof make the following decision: 1. Pursuant to s 55(2) of the Privacy and Personal Information Protection Act 1998 the Tribunal decides not to take any action on the matter. I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales. Registrar DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated. Decision last updated: 22 August 2023

Radiation Control Act 1990(NSW)

At a glance

Court

Decision date

Source

Judgment (26 paragraphs)

Parties

Legislation Cited (6)

Cases Cited (14)

Cited By (2)