Privacy Law and Policy Reporter
Cases and complaints
FM v MACQUARIE UNIVERSITY  NSWADT 78
Privacy and Personal Information Protection Act 1998 (NSW) — s 4 ‘personal information’ — s 4(4) information ‘held’ — s 18 disclosure of personal information — s 26(2) express consent — s 41 Direction concerning investigative functions — s 55(4) damages — s 55 status of Privacy Commissioner in litigation
FM was accepted in to a PhD program at the University of New South Wales (UNSW). UNSW subsequently requested academic transcripts and other information concerning FM from Macquarie University (Macquarie) and other universities FM had attended.
The principal issue was whether Macquarie had breached s 18 (the disclosure principle) of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) during two telephone conversations between a UNSW staff member and two Macquarie staff members when the Macquarie staff members disclosed details of alleged incidents in which FM had been involved at Macquarie and which resulted in his candidature there being terminated. Hennessy Dep P decided this issue on the basis that the ‘personal information’ concerned was ‘the content of the telephone conversations’. There is nothing in the facts stated in the decision to indicate that this content had at any point been written down by any Macquarie staff member.
Hennessy Dep P rejected five defences raised by Macquarie, and found that it had breached s 18 in relation to the conversations.
1. Macquarie claimed that parts of the conversations were not ‘personal information’ (as defined in s 4(1)) because ‘knowledge obtained from visual observation’ is not within the meaning of the term, at least ‘where people who are not employees of Macquarie are aware of the information through simple observation’. Macquarie argued that since by s 4(3)(b) information contained in a ‘publicly available publication’ is excluded from the definition of ‘personal information’, it would be ‘absurd’ not to also exclude information about a person’s conduct which is observed by members of the public (and is therefore ‘publicly available’) from the definition. Hennessy Dep P rejected this, holding that there was no such express or implied exclusion in the legislation. ‘While there may be policy or other reasons for narrowing the definition in this way, the legislature has not done so.’
She also held that the information could not be excluded because the content of the conversations ‘was in the minds’ of the Macquarie staff members. ‘There is no exclusion in the definition of “personal information” for information or opinions that are not in a material form.’
2. Macquarie claimed that the information was not ‘held’ by it as required by s 18. Information is ‘held’ by an agency if ‘the information is in the possession or control of a person employed or engaged by the agency ...’ (s 4(4)(b)). Macquarie’s argument that they ‘did not “possess” the information because there was no proprietary element involved, they simply had knowledge of the incident’, was rejected. The legislation does not require a proprietary element. ‘If it is accepted that information and opinions do not have to exist in a material form, then the only meaning that can be given to the word “possess” is that the person has that information or opinion in their mind.’ Macquarie therefore ‘held’ the information by possessing it in its staff’s minds.
3. Macquarie claimed that the disclosure was permitted under the s 18(1)(c) exemption ‘where the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person’. Although there was evidence before the Tribunal that the Macquarie staff were concerned that on the basis of FM’s alleged behaviour at Macquarie he might injure someone at UNSW, even if it could be characterised as a threat to the life or health of any person (and the Tribunal was not satisfied that it could), any threat must be both serious and imminent. ‘In this case it was neither.’
4. Macquarie argued that FM had expressly consented (as per s 26(2)) to it not complying with s 18, because FM’s express consent to UNSW for it to collect official records from Macquarie also involved an implied consent that Macquarie could disclose personal information to UNSW (and that such consent need not be given directly to Macquarie). This argument failed because the consent only related to ‘official records’ and not to all ‘personal information’ (as would be required to cover the content of the telephone calls).
5. Macquarie claimed its actions were exempt from compliance with s 18 because they were within the s 41 Direction by the Privacy Commissioner entitled ‘Direction on Processing of Personal Information by Public Sector Agencies in relation to their Investigative Functions’ (December 2001). This was rejected because the Direction assumes there is a ‘lawful investigation’, defined in the Direction to mean ‘an investigation carried out by an agency under specific legislative authority or where the power to conduct the investigation is necessarily implied or reasonably contemplated under an Act or other law ...’. It was accepted that Macquarie’s ‘investigative functions’ could be exercised in relation to a lawful investigation by UNSW. However, there was no reference to the kind of investigation that involved FM in the legislation, by-laws and rules relating to UNSW, and so this investigation was not within the Direction.
Macquarie had also disclosed FM’s official academic transcript to UNSW. FM authorised UNSW to obtain such ‘official records’ when he signed his Application for Admission at UNSW. However, Hennessy Dep P held that:
Even if the Tribunal accepts that FM impliedly gave consent to Macquarie to disclose its academic record to UNSW, implied consent is not sufficient to bring Macquarie’s actions within the exemption in s 26(2). That exemption requires that FM ‘expressly’ consent to Macquarie not complying with s 18. There is no evidence of any such express consent in this case.
Other grounds on which Macquarie argued it had not breached s 18 concerning the transcript were also dismissed: a draft Code of Practice for Universities was irrelevant, and the Direction on investigations was inapplicable for the same reasons as concerned the conversations.
The Tribunal therefore held that Macquarie was in breach of s 18 in relation to both the transcripts and the conversations.
Concerning remedies, FM claimed that the termination of his enrolment and scholarship at UNSW had a significant financial and emotional impact on him. FM sought compensation for damage to his career and for loss of opportunities, and also asked the Tribunal to order the removal of his file and any personal information held by the UNSW.
The Tribunal considered that ‘[w]hile FM should have reasonably expected his academic transcript to be disclosed, he is justified in being extremely indignant by the disclosure of the information in the telephone conversations’. However, it found that ‘[t]here is a causal connection between the disclosure of FM’s academic transcript and his termination, but the connection between the disclosure of the information and opinions in the telephone conversations and FM’s termination is less clear’.
The Tribunal ordered that any Macquarie employees are ‘to restrain from disclosing information or opinions in relation to students or former students, which is held in their minds, unless an exemption relating to s 18 applies’. She also recommended that Macquarie’s ‘instruction to staff be clarified to ensure that express consent is obtained before the disclosure of academic transcripts in the future’.
On the question of damages, the Tribunal pointed out that:
Although a person’s rights under the PPIP Act can loosely be described as a statutory tort, the Tribunal’s role differs significantly from the role a court or tribunal would adopt in relation to torts. Firstly, the Tribunal is reviewing certain conduct, rather than merely determining whether there has been a contravention of a statute or the common law. Secondly, 55(2) of the PPIP makes it clear that after reviewing the conduct the Tribunal ‘may decide not to take any action on the matter, or it may make any one or more of the ... orders’ listed in s 55(2). A finding that loss or damage has occurred because of the conduct of Macquarie does not automatically mean that FM is entitled to compensation (cf Hall v A & A Sheiban Pty Ltd  FCA 72; (1989) 20 FCR 217).
No damages were awarded in relation to the disclosure of the academic transcript. The Tribunal would have been inclined to make an order for damages in relation to the disclosures in the telephone conversation under s 55(4) if it had been satisfied that ‘FM “suffered financial loss, or psychological or physical harm, because of” Macquarie’s conduct’. The Tribunal applied the ‘but for’ test of whether ‘the conduct caused the damage if that damage would not have occurred without (but for) it’ (March v Stramare  HCA 12; (1991) 171 CLR 506). Here, the evidence indicated that FM’s candidature was terminated because of the information in the transcript, and the Tribunal was ‘not satisfied that disclosure of that information made any difference to the outcome’. No damages were awarded.
The Tribunal also held that the Commissioner was not a party to matters under the Act. The PPIP Act s 55(6) requires the Tribunal to notify the Privacy Commissioner of any application made to it. ‘The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to a review under this section’ (s 55(7)). One consequence of being a party is that it gives that person a right to appeal against the Tribunal’s decision to the Appeal Panel of the Tribunal. A person who is not a party has no such right (Administrative Decisions Tribunal Act 1997 s 113). Although normally only a party may appear in proceedings, statutory or common law rules may give a legal entity a right to become a party or intervene as an amicus curiae (Levy v State of Victoria  HCA 31; (1997) 146 ALR 248). Here, as a matter of statutory construction, the Tribunal held that Parliament intended the Privacy Commissioner ‘should operate in a similar way to amicus curiae at common law, rather than being a party to the proceedings’.
There are many important holdings in FM v Macquarie, but one is startling and makes the NSW Act fundamentally different from all other Australian privacy legislation, and most other laws in the region.
The failure of Macquarie’s claims that information obtained from observations of FM and apparently never written down but contained only ‘in the minds’ of Macquarie staff members, was not ‘personal information’ and was not ‘held’ appears to mean that information can be subject to the NSW IPPs even though it has never entered the record-keeping system of an agency. The definition of ‘personal information’ (s 4) to mean ‘information or an opinion (... whether or not recorded in a material form) ...’ also supports this approach. All of the NSW IPPs refer to ‘personal information’ but do not separately require any recording of that information.
In contrast, most of the Common-wealth IPPs (Privacy Act 1988 s 14) require personal information ‘in a record’ before they apply (to the Commonwealth public sector). The same result is reached in relation to the NPPs applying to the private sector because of s 16B.
By different means, the same precondition that information must be recorded or in a record is achieved in the legislation in Victoria (s 3 definition of ‘personal information’), the Northern Territory (s 4 definitions of ‘personal information’ and ‘government information’) and in Hong Kong (s 2 definitions of ‘data’ and ‘document’).
None of the devices used in these other Acts or Ordinances are found in the NSW legislation. This means that its scope is inherently far broader than the law applying to other public sectors or the private sector (despite the many specific exemptions in the NSW Act). This may have unexpected consequences for agencies that proceed as if the NSW Act only applies to their record-keeping systems and not to the knowledge of their employees.
This is only one aspect of the increasing divergence between Australia’s public sector privacy laws, which will be the subject of a later article in PLPR. l
D v PRIVATE HEALTH SERVICE PROVIDER  PRIVCMRA 2
Privacy Act 1988 (Cth) — National Privacy Principle 6 — access and correction — s 16C(3)
D sought access in 2002 from a medical specialist to a copy of D’s entire medical record relating to treatment by the specialist. The specialist claimed that the record was still exempt from access under s 16C(3) because the specialist had not collected, used or disclosed the information since 21 December 2001 (when the private sector provisions of the Act came generally into force).
D could not verify that the specialist had provided any treatment since that date, though treatment had been obtained from other doctors. The Commissioner was satisfied that NPP 6 did not apply to the specialist. The complaint was closed under s 41(1)(a) on the basis that the circumstances disclosed did not give rise to a breach of the Act. l
Graham Greenleaf, General Editor.
POYSDEN v LOWER HUTT MEMORIAL RSA INC (Dec No 14/02, HRRT 35/01)
Privacy Act 1993 (NZ) — Information Privacy Principle 6, s 66
The plaintiff alleged an interference with his privacy arising out of his right of access under Principle 6, namely that the defendant had withheld personal information about him contained in minutes of meetings held by its Executive Committee in which a complaint made by him about the conduct of the (then) Club President was discussed, and had also not provided other information sought by him in a timely manner. The matter raised a possible further breach under ss 40 (timeframe for decisions on requests) and 44 (obligation when refusing requests) of the Act, in that the plaintiff alleged that the defendant had failed to deal with a second request for access in the manner prescribed by these sections, in consequence of which a further interference with his privacy had occurred.
The defendant argued that it had provided the plaintiff with all the information about him contained in the minutes of meetings where his complaint was discussed and, in respect of information which the plaintiff alleged had been withheld, argued that it had a proper basis for withholding this information under s 29(2)(a) (that the information was not readily retrievable) and/or s 29(2)(b) (that the information did not exist/could not be found). It also argued that the plaintiff’s second request had been responded to within the terms of ss 40 and 44 of the Act.
During the course of cross-examination it became clear that the defendant held information which had not been supplied to the plaintiff when he had received the information he had sought (some two years after he had made his request), nor had this information been supplied to the Privacy Commissioner during the course of his investigation of the complaint. The content of that information was directly relevant to the request for access and the contest in the Tribunal.
The Tribunal found that the defendant’s failure to provide the plaintiff with all the information it held about him, and its failure to provide him with information in a timely manner, had led to the original dispute becoming more entrenched and had caused the plaintiff considerable distress at not being able to access information to which he was otherwise entitled. It therefore found that the defendant’s actions had caused an interference with the plaintiff’s privacy.
Although this case again raised the issue as to which of s 66(1)(b) or 66(2) should apply in respect of interferences with privacy arising out of infractions of the right of access (first raised before the current Tribunal in Plumtree), the Tribunal considered it was not necessary to resolve the issue in this case because the circumstances were such that it was satisfied that the plaintiff had suffered adverse consequences as a result of the defendant’s actions and, because the plaintiff had made it clear that he was not seeking an award of damages against the defendant, there was no need for the kind of detailed enquiry into the loss (whether pecuniary or of a benefit) or other kinds of adverse consequence alleged, which an award under s 88(1) would otherwise entail. l
CD v HAWKES BAY DISTRICT HEALTH BOARD (Dec No 15/02, HRRT 40/01)
Privacy Act 1993 (NZ) — Health Information Privacy Code Rule 8
The plaintiff alleged that the defendant had used health information it held without first taking steps to ensure it was accurate and up to date. The information at issue was a report dating from the mid-1960s (from another healthcare provider) and a diagnosis (from one of the defendant’s employees, based upon the 1960s report) dating from the 1970s. The content of both was disputed by the plaintiff.
The plaintiff claimed that the defendant had used the disputed information in the provision of treatment, and had disclosed it to other healthcare providers in the district. The plaintiff alleged that these ‘uses’ had occurred within the period of coverage of the Health Information Privacy Code, citing an instance from the late 1990s as an instance of a recent use in breach of Rule 8. The plaintiff gave evidence of the adverse consequences suffered as a result of this failure to comply with Rule 8.
The defendant argued that the matter should be struck out as the facts did not disclose any evidence of use since the Privacy Act and related Code had come into force. It admitted that there was evidence of use of the information prior to that time, but submitted that such uses had ended before the Act/Code became operative. It denied that the reference to the information in the 1990s constituted a ‘use’ as that term should be understood in the context of the Rule.
The Tribunal found that in the circumstances of the case there had been no ‘use’ of the disputed information within the period covered by the Act/Code and therefore dismissed the matter.
The decision is notable for the Tribunal’s reflections on the relevance of the Privacy Act and the changes in attitude and approach to the handling of health information evident since its enactment. l
AB v ACC (Dec No 17/02, HRRT 40/02)
Privacy Act 1993 (NZ) — Health Information Privacy Code Rule 3
The plaintiff and the defendant had a longstanding relationship as a result of which the defendant had collected information from the plaintiff, including during the period prior to the enactment of the Privacy Act in 1993, and in relation to which it continued to use that information, both internally and by way of disclosure of it to relevant third parties, most relevantly in 1998/9.
The plaintiff alleged that the defendant had breached Rule 3 of the Health Information Privacy Code when it failed to comply with its Rule 3 obligations, in particular by failing to advise the plaintiff of its intention to provide the information it had collected to a previously unacknowledged third party recipient. The plaintiff argued that as a result of this failure there had been a number of (predictable) adverse consequences arising from contact being initiated by that third party in circumstances where the plaintiff had received no previous indications that information would be disclosed to that person, and where the plaintiff had made it clear that any further requirement for contact with such third parties would be rejected.
The defendant argued that no obligations under Rule 3 existed because there had been no ‘collection’ as a result of the contact between the third party and the plaintiff in 1998/9 so as to trigger these. In the alternative, it argued that if any obligations under Rule 3(1)(c) existed in relation to information it had collected prior to 1993, which it had disclosed to the third party for the purposes of further assessment of the plaintiff (arising out of the obligation under Rule 3(2) to communicate the matters under Rule 3(1) as soon as reasonably practicable after collection if this could not be done prior to it), then these had been met by correspondence between its officers and lawyers acting for the plaintiff prior to it having forwarded that information to the third party and contact having been initiated by that person.
The defendant argued that, notwithstanding that the correspondence relied on had been sent in late December (at a time when it might have been anticipated that the plaintiff’s lawyers would not immediately receive and act upon it), this action constituted a reasonable step in the circumstances to ensure the plaintiff was aware of the fact that the third party was an intended recipient of historical health information held about the plaintiff, and in respect of which it now sought further assessment.
The Tribunal held that there had been no breach of Rule 3.
The Tribunal found itself unable to determine whether the defendant had fulfilled its obligations under Rule 3(1)(c) when it had collected information from the plaintiff (in or about 1993) because of the absence of any evidence as to what had been said to the plaintiff at the time (the plaintiff did not appear or give evidence on these matters by way of written brief). For the same reason it considered itself unable to resolve the question of whether the defendant had any obligations to advise the plaintiff of a new recipient in respect of that information arising as a result of Rule 3(2) prior to providing it to the third party.
In respect of the contact initiated by the third party in 1998/9, the Tribunal found that no obligations existed because although contact had been made, the third party had been unable to proceed to ‘collect’ information from the plaintiff because that contact had been terminated before collection could occur. l
O’NEILL v HEALTH AND DISABILITY COMMISSIONER (Dec No 02/03, HRRT 02/02)
Privacy Act 1993 (NZ) — ss 14(a) and 82
This was a decision on a preliminary matter arising from the breaches of the Privacy Act alleged and the relief sought by the plaintiff in his notice of intention to bring proceedings.
The plaintiff had named the Health and Disability Commissioner as defendant, but in addition had alleged that the Privacy Commissioner had breached s 14(a) of the Privacy Act (which obliges the Privacy Commiss-ioner to take account of certain important human rights and social interests competing with privacy, as well as certain international obligations) and had sought, as a remedy, a review of the whole of the conduct of the Privacy Commissioner’s investigation of his complaint.
Following submissions from the parties and the Privacy Commissioner, the Tribunal struck out that part of the plaintiff’s complaint in which he sought a review of the conduct of the Privacy Commissioner’s investigation on the basis that it had no jurisdiction to deal with that matter. It referred to its earlier decisions on this issue: Cable, Steele.
In respect of the remainder of the plaintiff’s complaint, the Tribunal made a number of orders with which the plaintiff must comply before he may proceed with the substantive matter against the defendant. l
Michelle Donovan, Office of the NZ Privacy Commissioner.