Privacy Law and Policy Reporter
All decisions noted, except those of the Victorian Commissioner, are available on AustLII <http://www.austlii.edu.au> by the citation given, unless otherwise stated. (General Editor)
Procedural note re NSW ADT
Following the Appeal Panel decision in GR v Director General, Department of Housing  NSWADTAP 26, the Administrative Decisions Tribunal is now likely to split proceedings, such that remedies will not be argued unless liability has first been confirmed (i.e. a breach has been proven). For example this is how the later case of MT v Director General, NSW Department of Education & Training  NSWADT 194 proceeded.
Macquarie University v FM (No 2)  NSWADTAP 37
NSW Administrative Decisions Tribunal – Internal Appeal Panel (3 September 2004)
Privacy – disclosure – investigative functions exemption
The following summary from the Privacy Commissioner explains the relevant background facts:
FM enrolled as a postgraduate student at the University of New South Wales after a previous post-graduate enrolment at Macquarie University. He signed a form authorising UNSW to obtain information from other Universities at which he had enrolled. UNSW subsequently became aware of his prior enrolment at Macquarie and sought further information from Macquarie. As well as obtaining a transcript of his academic record, a staff member of UNSW phoned two members of the teaching staff of Macquarie University and obtained information about incidents that had led to a disciplinary investigation. FM claimed that he had not authorised Macquarie to disclose this information to UNSW.
This appeal case only related to whether or not Macquarie University could rely on a particular exemption – a public interest direction relating to investigative functions - to authorise its breach of IPP 11 (s.18), the disclosure principle.
Only part of the information disclosed by Macquarie to UNSW was at issue here – the information conveyed during telephone calls, rather than the formal academic record
Assessing the claim for exemption
The exemption claimed arose under a public interest direction issued by the Privacy Commissioner. The direction allowed for non-compliance with the privacy principle prohibiting disclosure, “if compliance might detrimentally affect (or prevent the proper exercise of) any of the agency’s investigative functions ...” .
The Appeal Panel effectively asked: if the particular information at issue had not been disclosed, might the agency’s investigative functions have been detrimentally affected? The Panel’s answer was ‘no’; the investigation “did not, and did not need to, rely” on the particular disclosures of personal information at issue [para 55].
The Appeal Panel therefore found a breach of IPP 11 (s.18) without lawful excuse.
The appropriate remedy
The Panel commenced its deliberations on an appropriate remedy by noting:
“Ordinarily where a breach is demonstrated, some sanction should be applied to the agency; unless it can be shown that it has responded in an adequate way already to the problem identified, and no order therefore is needed” [para 54].
The Panel noted that the applicant had had his enrolment at UNSW terminated as a result of its investigation, but that the particular information disclosed in breach of IPP 11 was not actually relied upon by UNSW in making that decision. The Panel therefore found no basis for making a monetary compensation order.
The Panel also rejected the option of making a systemic order in response to this, a specific complaint, and furthermore noted that an “extenuating circumstance” for the respondent was that the conduct complained of occurred during the “early days of the new privacy legislation”.
The Panel found that its powers were not limited by those prescribed in the PPIP Act, and thus orders available to it under the Administrative Decisions Tribunal Act 1997 could also be applied. The Panel exercised one of these powers in remitting the matter back to the respondent organisation, with a recommendation that the university develop a privacy compliance policy for circulation, and that FM be advised once that had occurred.
This matter has had an extremely long history, generating five judgments to date, and it’s not over yet . In this judgment the applicant has finally been vindicated with respect to a small part of his original complaint, but he has received no personal remedy.
While the respondent has been recommended to develop a policy to further educate its staff, the Appeal Panel had also hinted along the way that its practices could also be amended so as to bring itself into compliance with the Act (such as through the use of proper privacy notices to students).
MT v Director General, NSW Department of Education & Training  NSWADT 194
NSW Administrative Decisions Tribunal (3 September 2004)
Privacy – security; disclosure – unsolicited exemption; duty of care exemption; serious and imminent threat exemption
MT was a 16 yr old student at a high school. She had played for a couple of years in a local soccer team, which was unrelated to the school, but had students in common. Her soccer team’s coach was a teacher at MT’s school.
MT has a rare medical condition affecting her joints, such that she is at risk of trauma from minor stresses. When MT commenced at the school (several years before the conduct at issue), a doctor’s advice was provided to the school about the types of sports she could and could not do. Both this doctor’s advice and a report prepared by the school counsellor were placed on MT’s general student file.
The teacher / soccer coach had not been told of MT’s condition. During the 2001 soccer season some of MT’s friends told the teacher that MT had a serious medical condition, that she had recently been injured, and that another injury could result in her being confined to a wheelchair. The teacher then accessed MT’s general student file and read information about her medical condition.
The teacher then asked MT what had happened. MT did not respond, and did not attend soccer training for the next 6 weeks. When she later mentioned her intention to play in the soccer grand final, the teacher said that she was not match fit, and that he was aware of her medical condition. The teacher told MT that her mother would need to take responsibility for MT if she played.
MT and her mother refused to sign anything. The teacher told the soccer club president of the situation, and the president then approached MT’s mother, expressing concern for MT’s safety. As a result, MT did not play in the grand final.
In 2002 MT lodged a disability discrimination complaint against the soccer club with HREOC about not being allowed to play in the 2001 soccer grand final. HREOC wrote to the soccer club, asking for a response to various questions, and to “provide copies of any medical or other evidence which was used to make the decision”. In order to respond to HREOC the teacher again accessed MT’s general school file, and took a copy of the school counsellor’s report, which he then provided to HREOC on behalf of the soccer club.
MT alleged breaches of IPPs 5 (security & storage), 9 (accuracy), 10 (use), 11 and 12 (disclosure) of the PPIP Act by the Department of Education, responsible for the school.
IPP 5: secure storage
MT’s general student file was stored in the main administration office at the school, and available to all teachers (not just MT’s teachers). The school had no policy about restricting access.
The Department conceded in the internal review that it had breached IPP 5 - specifically, s.12(c) of the PPIP Act, which states that an agency must ensure “that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse”.
IPP 9: check accuracy before use
This case reviewed whether the requirement in IPP 9 to check the accuracy of personal information before using it extends to ‘use’ by way of ‘disclosure’ ; and if so, whether the teacher had taken reasonable steps to do so. The Tribunal found that the word ‘use’ in IPP 9 should have the same meaning as that in IPP 10, and is distinguishable from ‘disclosure’.
However the Tribunal was forced to choose between two earlier cases which had already attempted to define ‘use’ - both decisions by Deputy President Hennessy, and both referring to the Macquarie Dictionary for the ordinary meaning of the word. In FM v Macquarie , in relation to IPP 10, the Tribunal chose the definition “to avail oneself of; apply to one’s own purposes”, while in the later case of GL v DET , in relation to IPP 9, the Tribunal had chosen the more neutral definition “to employ for some purpose, put into service; turn to account”.
Here the Tribunal chose the former approach, thus requiring proof that an agency applied the information to its own purposes, not any purpose, in order to apply IPPs 9 or 10 to an agency’s conduct. The Tribunal also clarified that merely accessing or viewing information will not constitute a ‘use’, unless the information is also ‘employed’ for some purpose.
In applying this interpretation to MT’s case, the Tribunal determined that there had been no ‘use’ of MT’s personal information by the agency. The conduct at issue related to the teacher in his other capacity as soccer coach, employing the information for the purposes of the soccer club, not the school.
In the alternative, the Tribunal found that the teacher had taken reasonable steps to check the accuracy of the information on behalf of the school, by approaching MT about the claims made to the teacher by MT’s friends.
IPP 10: use
As with the reasoning with respect to IPP 9, the Tribunal determined that there had been no ‘use’ of MT’s personal information by the agency, and therefore IPP 10 was not at issue.
IPPs 11 and 12: disclosure
The Department originally conceded that two disclosures had taken place (from the teacher to the soccer club president, and from the teacher to HREOC), but sought to rely on various exemptions in its argument that these disclosures did not breach IPPs 11 or 12.
Later in argument the Department sought to argue there had been no ‘disclosure’, only a ‘use’ by the teacher, for purposes not related to the agency’s purposes. This argument was rejected by the Tribunal, as not the intention of the legislature. (Given the decision above which limits the ‘use’ principle to uses for the agency’s own purposes, had the Department’s argument about ‘disclosure’ succeeded, there would remain no privacy protection against one person, having two jobs or capacities, to collect information in one capacity and apply it in the other.)
The Tribunal therefore found that a person with dual roles, who accesses personal information from one organisation and applies it to “guide the hand of” the other organisation, has ‘disclosed’ personal information, even if he or she does not otherwise discuss or reveal the information to other people within the second organisation.
The Tribunal therefore found that two disclosures had taken place. It then turned to relevant exemptions.
Exemption – unsolicited information
Section 4(5) of the PPIP Act provides:
For the purposes of this Act, personal information is not “collected” by a public sector agency if the receipt of the information by the agency is unsolicited.
IPP 11 (s.18), the primary disclosure principle, refers in part to enabling disclosure if “the disclosure is directly related to the purpose for which the information was collected ...”.
The Department argued that the information from MT’s friends, and the doctor’s report on file, were unsolicited, and therefore exempt from IPP 11. (The Department conceded that the school counsellor’s report was not ‘unsolicited’, and it would appear that the Department did not appear to raise the ‘unsolicited’ exemption in relation to the other disclosure principle at issue, IPP 12, which does not use the word ‘collected’).
The Tribunal confirmed an earlier interpretation of ‘unsolicited’ as meaning “not asked for”.
The Tribunal then examined whether or not the ‘unsolicited’ exemption applies to the use and disclosure principles. It accepted the applicant’s and the Privacy Commissioner’s argument to re-examine this issue, despite an earlier case (KD v Medical Board  NSWADT 5) which had found that the exemption applied to each privacy principle which mentioned the word ‘collected’. This decision affected the interpretation of IPPs 10 and 11.
The Privacy Commissioner argued that the purpose of the exemption was only to provide relief from the collection principles (IPPs 1-4), and that once held by an agency, the remaining obligations relating to storage, access, use and disclosure (IPPs 5-12) should apply to personal information regardless of whether it was actively ‘collected’, ‘unsolicited’, or otherwise came into the agency’s possession (such as by the agency’s own creation).
The Tribunal found that it cannot have been the intent of the legislature to undermine an agency’s obligations to handle even unsolicited information in accordance with IPPs 5-12. It noted that although the ordinary rule of construction is that a word has the same meaning wherever it appears in a statue, in this case the word ‘collected’ in IPPs 10 and 11 ought be read as ‘obtained’.
The Tribunal therefore found that s.4(5) limits the application of the collection principles (IPPs 1-4), but does not affect the obligations that arise once information has been obtained (whether collected or not), and/or once it is ‘held’ by an agency.
Exemption re disclosure – threats to health
The agency claimed an exemption to the first disclosure (to the soccer club president) on the ground that “the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person” .
The Tribunal found that the teacher had a different motivation (protecting himself from liability in the case of MT being injured), and that his subsequent actions, and those of the people to whom the information was disclosed, were not consistent with a concern to prevent MT from being injured in the first place. The Tribunal therefore rejected the agency’s claim to this exemption.
Exemption re disclosure – duty of care and s.25
Another exemption claimed to authorise the first disclosure (to the soccer club president) was the more nebulous notion of a teacher’s common law duty of care as an example of a ‘law’ which authorises, requires, permits, reasonably contemplates or necessarily implies non-compliance with the normal prohibition on disclosure . Again the Tribunal rejected this claim, as the teacher was found not to have acted in such a way as to discharge such a duty.
Exemption re disclosure – HREOC powers and s.25
An exemption claimed to authorise the second disclosure (to HREOC) was that the HREOC Act is a law which authorises, requires, permits, reasonably contemplates or necessarily implies non-compliance with the normal prohibition on disclosure . The Tribunal disagreed, noting that “for such a result to follow there would need to have been a direction from HREOC to the Agency. Here there was merely a request from the HREOC President and the request is not directed to the Agency or even the Teacher”.
The outcome – Three IPPs breached
The Tribunal found breaches of IPPs 5, 11 and 12. The matter was relisted for further consideration of an appropriate remedy (see procedural note above).
Comment – Investigative implications
This case confirms that an initial request for information, from an organisation such as HREOC which has powers to compel the information but has not yet exercised them, is not sufficient to invoke s.25 and thus override the normal prohibition on disclosure.
This confirms advice given previously by Privacy NSW, which was that agencies should take a risk management approach and ask the investigative agency to exercise its formal powers and lawfully require the agency to provide the personal information sought.
This has implications for all law enforcement and investigative agencies, and all agencies on the receiving end of requests for information from such agencies. Although the informal or more gentle way of seeking information from agencies may be more popular and efficient, it also exposes the target agency to a greater risk of breaching its privacy obligations.
Comment – Training as security
Is training a ‘security safeguard’ and thus a responsibility in itself? In discussing IPP 5, the Tribunal noted (at ) that “there is confusion among the School staff in relation to their responsibilities under the Privacy Act. ... The principle of the duty of care of teachers appears to be confused with Child Protection principles and procedures”.
It was also noted (at  and ) that the school had:
It would therefore appear that the ‘steps’ that should be taken under IPP 5 to safeguard personal information against misuse include not only physical security issues and policy issues, but wider training and awareness.
Anna Johnston, Salinger & Co
MY v Director General, Department of Community Services  NSWADT 203
NSW Administrative Decisions Tribunal (17 September 2004)
Privacy – accuracy (IPP 9)
MY’s four children were removed from MY and his wife by DOCS, and care proceedings were instituted. Various affidavits from DOCS caseworkers were tendered during the care proceedings. Those proceedings resulted in each of MY’s children remaining in the Minister’s care until adulthood. MY subsequently claimed that the affidavits contained false, misleading and irrelevant statements about himself and his wife. He sought a review of DOCS’ conduct under the PPIP Act.
Scope of principles under review
It would appear that although MY was essentially complaining about both the accuracy of the information (IPP 9) and its disclosure to the court (IPP 11), his internal review application was framed in terms of his access and amendment rights (IPPs 6-8) and accuracy (IPP 9). Nonetheless in its internal review report, DOCS reviewed its compliance against collection and disclosure principles as well.
MY subsequently lodged an application in the Tribunal, again only arguing IPPs 6-8 and 9. MY was unrepresented and failed to appear at the final hearing of this matter.
MY had conceded at an earlier planning meeting that the relevant children’s care legislation provided exemptions for the Department to IPPs 6-8, although this point is not well explained in the judgment. The judgment refers to section 248 of the Children & Young Persons (Care and Protection) Act 1998, which authorises certain exchanges of information, and thus goes to collection and disclosure rather than access or amendment.
IPP 9: accuracy before use
The remaining argument about IPP 9 related to various statements, made in the affidavits, which MY disputed. The Department provided evidence as to the source documents and statements upon which the caseworkers had relied in drafting their affidavits. It argued that the information presented in the affidavits presented accurate summations of other information, and also noted that MY had not challenged the veracity of the material at the appropriate time, which was when they were presented in the original care proceedings.
The Tribunal concluded that the Department had ‘used’ MY’s personal information in drafting the affidavits, but that before doing so it had taken reasonable steps to ensure its accuracy, and thus complied with IPP 9.
Comment: IPP 9, the ‘sleeper’ principle?
This case illustrates the potential of IPP 9 to be used by applicants who seek to re-argue cases and decisions from other arenas.
Unfortunately the Tribunal did not explicitly address the point raised by the respondent in this case, which was that the appropriate time in which to challenge the veracity or accuracy of material was during the original care proceedings. A related point would be that the more appropriate mechanism to challenge that decision was by way of appeal, rather than a privacy complaint.
In another case , the same Tribunal member accepted that a defence to an argument about IPP 9 might be that the applicant had previously been given an opportunity to correct or argue against the accuracy of the information, but had failed to do so. (That is, presenting information to or before the applicant in some forum which affords them an opportunity to raise a concern or correct the record could constitute ‘reasonable steps’ under IPP 9.)
Here the Tribunal simply accepted that ‘reasonable steps’ had been taken, without expliciting stating whether or not the fact of the information being previously the subject of litigation (but not challenged at that time) was one of those steps.
Anna Johnston, Salinger & Co
 See the Case Note on the Privacy NSW website for the original judgment in FM v Macquarie University  NSWADT 78, available at www.lawlink.nsw.gov.au/privacynsw .
 See clause 4 of the Direction on the Processing of Personal Information by Public Sector Agencies in relation to their Investigative Functions, issued by the NSW Privacy Commissioner on 28 December 2001, under s.41 of the PPIP Act. That particular Direction is no longer in force, but a similar version is; see <www.lawlink.nsw.gov.au/privacynsw>.
 In addition to the FM v Macquarie cases, see the related DO v UNSW cases. The judgment in Vice Chancellor, Macquarie University v FM  NSWADTAP 43 is still pending an appeal to the Court of Appeal.
 Other IPPs draw a distinction between ‘use’ (IPP 10) and ‘disclosure’ (IPPs 11-12).
 FM v Vice Chancellor, Macquarie University  NSWADT 78
 GL v Director General Department of Education and Training  NSWADT 166
 See s.18(1)(c) of the PPIP Act.
 See section 25 of the PPIP Act, which refers to “an Act or any other law” as able to override certain of the IPPs in certain circumstances. Much of the argument in MT related to whether or not a common law ‘duty’ meets the definition of a “law” necessary to attract the application of section 25. Ultimately this point was not decided.
 See section 25 of the PPIP Act, which refers to “an Act or any other law” as able to override certain of the IPPs in certain circumstances.
 MT v Director General, NSW Department of Education & Training  NSWADT 194 at - .