Privacy Law and Policy Reporter
Ormonde v NSW National Parks & Wildlife Service (No 2)
 NSWADT 253, 4 November 2004
Tribunal member : Montgomery JM
The original access request
The applicant Mr Ormonde was an employee of the respondent, NPWS. He lodged numerous applications for access to his own personal information held by the NPWS, under IPP 7 (s.14). The decisions on access variously provided copies of some documents, parts of others, and refused access to others. The applicant sought internal review of all decisions to deny him partial or total access, and then took the matter to the Tribunal.
Review in the Tribunal : jurisdictional issue
In addition to reviewing his actual access requests, Mr Ormonde wanted the Tribunal to review the way in which NPWS had conducted the internal review. He claimed a lack of procedural fairness in the conduct of the internal review. The Tribunal noted it lacked jurisdiction to review the way in which NPWS had conducted its internal review, as the only matter the Tribunal can review is the original conduct which is said to have breached an IPP, privacy code, or the public register provisions in the PPIP Act.
Tribunal hears substance of the case : exemptions imported from the FOI Act
The Tribunal then heard the application in relation to the various decisions made to deny access to whole or parts of documents, on the basis of (i) exemption for legal professional privilege (imported from the FOI Act); (ii) exemption for personal affairs (also imported from the FOI Act); (iii) denial of access because documents were ‘out of scope’; and (iv) denial of access due to lack of evidence that such documents or information existed in an accessible form. All the claims for exemption were upheld.
Need for common sense when denying because documents are ‘out of scope’ of access request
The Tribunal upheld the denial of access because documents were ‘out of scope’; but Montgomery JM also cautioned agencies to take a common sense approach when interpreting the scope of an applicant’s request. Montgomery JM noted that respondents should not be required to second guess an applicant’s true meaning or intention, but equally they should not take an overly restrictive approach:
“The Agency is entitled, in my view, to consider the words of the request in order to set the limits of the inquiry to be undertaken. Nevertheless, the adoption of a common sense approach that allows some deviation outside those limits is to be encouraged.” [para 65]
Existence of other information : how to gain access to non-recorded information?
The Tribunal also noted that the applicant wanted “information”, a wider concept than just “documents”. The PPIP Act covers information including information not recorded in a material form, whereas the FOI Act only covers ‘documents’.
The Tribunal then wrestled with the tricky question of how to give access under IPP 7 to information that is not held in a recorded, material form.
Montgomery JM noted that “It is difficult to identify common sense assumptions which would endorse the idea that an agency should be required to give access to knowledge or opinions of its employees which have never been reduced to a material form and may never have been communicated . This however does not dispose of Mr Ormonde’s concerns that a meeting can take place, opinions be expressed about him and adverse action initiated as a result, and so long as nothing is written down he has no privacy remedy. There is clearly a concern that privacy protection might be circumvented in this way.” 
The Tribunal said that while accepting the applicant had a valid concern, they could not, or at least should not, require a respondent agency to retrospectively create a record of a meeting, so as to create a document that could then be subject to an access request. Since there were no records of the relevant meetings, it followed that where access to non-recorded information is at issue, “there is simply no remedy available” under the PPIP Act. [para 90]
Anna Johnston, Salinger & Co
GA v Commissioner of Police, NSW Police
 NSWADT 254 5 November 2004
Tribunal member : Deputy President Hennessy
GA sought an internal review of conduct which he identified as being the provision of a particular document by the respondent agency (the police) to a named person (the school principal). He did not suggest who in the agency made the disclosure, nor the date on which he alleges it occurred. GA stated that he was “not limiting the scope of his request in any way.”
NSW Police refused to accept GA’s internal review request, on the basis that the request was not specific enough to identify the conduct at issue. They argued that GA did not provide enough information to enable an investigation to be conducted into his privacy complaint. GA then approached the Tribunal.
Hennessy DP described [at para 4] the Tribunal’s jurisdiction as predicated on three “pre-conditions” first being satisfied:
the applicant has made an application for internal review under s.53 of the PPIP Act, and
the applicant is dissatisfied with the findings of the review or the action taken by the respondent in relation to the application, and
the applicant is now asking the Tribunal to review the conduct that was the subject of the internal review application
Identifying the conduct at issue : did GA make a valid request for an internal review?
An applicant must identify to some degree of particularity the conduct about which he or she is aggrieved “in sufficient detail to allow the agency to determine whether it constitutes a breach” [at 7], and if not “the agency should initially request further information from the applicant. If an applicant does not provide that information within a reasonable time, then the agency will be justified in declining to review the conduct.” [at 7]
GA identified the conduct at issue as being the provision of a particular document to a named person (the school principal). He did not suggest who in the respondent agency made the disclosure, nor the date on which he alleges it occurred.
Hennessy DP accepted the respondent Police’s argument that with this much information they were “unable to identify the conduct in sufficient detail to allow (them) to determine whether it constitutes a breach of an information protection principle ... “ [para 10].
She therefore found that GA was not entitled to an internal review of that conduct. Hennessy DP therefore found that as the first pre-condition to jurisdiction had not been met, GA’s application could be dismissed. However she then went on to consider the other pre-conditions to jurisdiction, in case her decision on the first one was considered incorrect.
Can the Tribunal review a matter if an internal review has not yet been completed?
The second “pre-condition” to jurisdiction is that the applicant is dissatisfied with the findings of the review or “the action taken” by the respondent in relation to the application.
Hennessy DP then examined whether “action taken ... in relation to the application” refers only to action taken after the internal review has been completed and findings made, or more widely to any action taken by the respondent agency.
She decided to take the narrower view, and thus found that a decision to refuse an internal review request, on the basis that the request did not sufficiently identify the conduct at issue, was not “action taken in relation to the application”. Therefore Hennessy DP found she had no jurisdiction to review the conduct complained of by GA.
Having dismissed GA’s application, Hennessy DP went on to describe GA’s application as “vexatious”, on the grounds that he did not, when requested to by police, specify in greater detail the conduct at issue, and instead lodged the present case in the Tribunal, thus putting the respondent “to the unnecessary expense of defending this matter”. 
She suggested that any future applications to the Tribunal by GA could result in an adverse costs order, unless he has first identified specific conduct and allowed an agency sufficient time to conduct a review of that conduct.
Commentary : can decisions to not process an application ever be reviewed?
Hennessy DP examined whether “action taken ... in relation to the application” refers only to action taken after the internal review has been completed and findings made, or more widely to any action taken.
There has been conflicting case law on the issue of whether “action taken ... in relation to the application” refers only to action taken after the internal review has been completed and findings made, or more widely to any action taken. President O’Connor took the narrower view in Y v DET  NSWADT 149, and Britton JM took the broader view in BQ v Police  NSWADT 64.
However both the Y and BQ cases were in relation to agency decisions to decline a request for internal review on the basis it was lodged out-of-time - a relatively straight-forward factual issue, compared to the more subjective decision at issue here.
Here the Tribunal decided to take the narrower view, and thus Hennessy DP found that a decision to refuse an internal review request, on the basis that the request did not sufficiently identify the conduct at issue, was not “action taken in relation to the application”. Therefore Hennessy DP found she had no jurisdiction to review the conduct complained of.
Thus even if Hennessy DP had determined differently above (e.g. if she had found that GA had identified the conduct at issue in sufficient detail to enable an investigation to occur), she would still have found no jurisdiction for the Tribunal to review that conduct.
The implication of this judgment is that a respondent agency may simply refuse to deal with an application for any reason, no matter how spurious, in order to deny the applicant the “pre-condition” needed to lodge a review request in the Tribunal. Alternatively, a respondent agency could commence, but never complete, an internal review, in order to thwart an application. Neither of these scenarios was addressed by Hennessy DP in this case.
Nor did Hennessy DP refer to s.53(6) of the PPIP Act, which allows an applicant to approach the Tribunal if more than 60 days has lapsed since lodging their request for internal review with the agency. However that section refers back to s.55, by allowing an applicant to make an application to the Tribunal (after the 60 days has lapsed) under s.55.
Thus the question is: does the ’60 day rule’ in s.53 override the second pre-condition in s.55 (and if so, how), or is a failure to complete an internal review within 60 days an example of “action taken in relation to the application” and thus part of the second pre-condition in s.55?
If the latter view is taken, it would conflict with Hennessy DP’s view in this case, and re-open the question about what other types of actions or inactions by a respondent agency could trigger jurisdiction.
Commentary : how should an applicant identify the scope of their application?
In the absence of further discussion about why the police could not commence an investigation into GA’s complaint about disclosure of a particular document to a named person, one is left with the impression that the police lack either basic investigative skills or a willingness to submit to administrative review. (For example, what would prevent a reviewing officer from starting with an interview with the school principal to ask them whether, and if so when and from whom, they received a copy of the particular document?) Given the broad exemptions from the IPPs enjoyed by NSW Police, this reticence appears extraordinary.
Often complainants will know, or believe, that a disclosure of their personal information has occurred, because they have experienced some repercussions as a result. However they may not be in a position themselves to determine exactly how the disclosure occurred (who, what, when or why).
A major flaw in the complaints resolution model in the PPIP Act is that it forces applicants to choose between an independent investigation by an authority with sufficient powers to determine what might have happened, but who cannot then enforce any remedy (the Privacy Commissioner conciliation route), and an internal investigation by the respondent, who has little incentive to conduct a thorough fact-finding expedition, followed by external review in the Tribunal without first being armed with the results of a true investigation (the internal / external review route).
The applicant GA has been involved in numerous proceedings in the Tribunal and before the Appeal Panel. He lodged the internal review request at issue here in September 2004, while also involved in hearings before the Appeal Panel, which were addressing the question of whether a narrowly-framed request for internal review could be expanded upon at a later stage. (That judgment is found at DET v GA (No. 3)  NSWADTAP 50.)
It is perhaps therefore not surprising, given that experience, that GA drafted the internal review request at issue here in a manner designed to be as open-ended as possible. The result was not only dismissal of his application, but the threat of an adverse costs order should he make a similar request again.
This case illustrates the many perils that await the unrepresented litigant.
President O’Connor has more recently found that “the action taken” could include “inaction by refusing to deal with the matter”, and he referred to the ’60 day rule’ for support of his view . This suggests that GA v Police might have been decided a different way by President O’Connor – if a respondent’s decision to decline a request for internal review is “action taken”, then the Tribunal would have had jurisdiction to hear GA’s case.
Anna Johnston, Salinger & Co
NS v Commissioner, Department of Corrective Services
 NSWADT 263 16 November 2004
Tribunal member : Higgins JM
NS was on parole, having served a custodial sentence for child sexual assault. He was prohibited from any employment involving unsupervised access to children.
NS’s mother, NT, taught a Scottish dancing class. In August 2002, when she went away on holidays, NT asked NS to conduct the classes on her behalf. She asked the parents of children in the class to ensure they remained in the room while classes were being run.
Ms Munro was a probation and parole officer employed by the respondent agency, the Department of Corrective Services. She was not NS’s parole officer. Ms Munro was also President of the Scottish Dancing Association.
In October 2002 Ms Munro used her access to the Department’s computer system to find out information about NS. She found out about NS’s criminal history from interstate, and about his period of imprisonment in NSW. Ms Munro then contacted NS and demanded that he tell the parents of the children in the dancing class about his criminal record and that he was a prohibited person (in terms of working with children). She stated that if he didn’t do so within 10 minutes, she would call them herself. Ms Munro then called the various parents.
Ms Munro also called NS’s parole officer, and the following day NS was arrested for breach of the conditions of his parole, and re-imprisoned.
In February 2003 NS was released but then immediately re-arrested in relation to a new charge of sexual assault against a child, to which he pleaded guilty. The child had been a Scottish dancing student. Ms Munro then used her access to the Department’s computer system to find out who had visited NS previously in gaol. She then contacted one of those visitors, identified herself as being from the Scottish Dancing Association, and informed them that NS had been re-arrested and charged with a new offence against one of the dancing students.
Is an agency responsible for a rogue employee’s conduct?
The respondent argued that Ms Munro’s conduct was not condoned or authorised by the Department. They argued that her actions were taken in her private capacity as President of the Scottish Dancing Association, and therefore the Department had not breached any of the IPPs.
The Department argued that Ms Munro should and could be personally liable for possible criminal offences involving the unauthorised use and disclosure of personal information, under the offence provisions in Part 8 of the PPIP Act. The Department argued that the existence of these separate criminal provisions suggests that agencies ought not be liable for conduct that was an unauthorised act of an employee.
The Privacy Commissioner’s office contended that compliance with the IPPs by public sector agencies “would be rendered nugatory if agencies were not held responsible for the conduct of its employees.”  The Privacy Commissioner noted that an agency, having been found to have breached an IPP, can in turn seek a remedy against the employee who caused the breach: either internal disciplinary action, or prosecution for an offence under Part 8 of the PPIP Act.
The Tribunal found at  that
“An agency can only act through its officials, which is recognised in the Act by placing an obligation on agencies to put into place appropriate systems that will ensure the security, accuracy and limited use and disclosure of such information. Accordingly ... an agency is prima facie responsible for acts and omissions of its officials in respect of personal information of another person that an official obtains in the course of his/her employment.”
Higgins JM found that Part 8 (the criminal offence provisions) act independently of Part 5 of the Act (the internal and external review provisions).
The Tribunal nonetheless stated at  that:
“The fact that an agency is prima facie responsible for its officials does not mean that the agency will in fact be held to be have contravened (an IPP). What needs to be assessed is whether the agency has taken every reasonable step to ensure that its systems of collecting, accessing, using and disclosing personal information comply with the PPIP Act and that its officials are aware of the official’s and the agency’s obligations in respect of that information. What amounts to reasonable steps will vary depending on the nature of the personal information collected, used or held by an agency, how that information is stored or recorded, and who needs to have access to the information for the proper functioning of the agency.”
The security system
The database accessed by Ms Munro included a warning message upon accessing the system, noting:
“The information from the system now available to you is confidential and must NOT be disclosed to unauthorized persons under any circumstances, nor are you authorised to access such information for personal reasons...” (quoted at para )
The Tribunal found that Ms Munro had been warned “that she was not authorised to obtain access to tat information for her own personal needs, nor was she authorised to disclose that information to an unauthorised person”.  The Tribunal therefore found the Department had taken reasonable steps to prevent an unauthorised access, and therefore there had been no breach of IPP 5.
The use and the disclosure
The Tribunal found that Ms Munro acted with a “dual purpose” , and that she had obligations in both her roles. In finding out whether or not NS was breaching the conditions of his parole, and then informing his parole officer, Ms Munro was acting in accordance with her duty as a Departmental employee. The Tribunal found that her actions were consistent with lessening a ‘serious and imminent threat’ and were therefore compliant with IPPs 10 and 11.
In relation to both Ms Munro’s disclosure of the information to the parents of the students in the dance class, and the third incident, in which Ms Munro accessed the database to find out NS’s visitors, and then approached one visitor and disclosed information about NS to that person, the Tribunal found that Ms Munro was acting “entirely for her own private purposes”  and “in her private capacity” .
In relation to both these incidents, Higgins JM found that, despite Ms Munro having used and disclosed personal information without authorisation or excuse, the Department was not responsible for that use or disclosure, because it had taken reasonable steps to prevent it occurring.
The Tribunal therefore found the Department had not breached IPPs 5, 10 or 11 in relation to any of the three incidents.
The Tribunal had (at ) accepted that “an agency is prima facie responsible for acts and omissions of its officials”, because the alternative is that “it would be easy for agencies to avoid their core responsibilities under the Act.”
Yet in suggesting that an agency’s responsibility to comply with the IPPs only extends to “tak(ing) every reasonable step to ensure that its systems ... comply” , Higgins JM appears to have significantly watered down, or misapplied, s.21 of the PPIP Act, which imposes a strict liability on agencies:
(1) A public sector agency must not do any thing, or engage in any practice, that contravenes an information protection principle applying to the agency.
(2) The contravention by a public sector agency of an information protection principle that applies to the agency is conduct to which Part 5 applies.
While some IPPs themselves only require ‘reasonable steps’ (such as IPP 5 which regulates data security), others impose strict requirements to do or not do certain things (such as IPPs 10 and 11, regulating use and disclosure). This judgment did not distinguish between the two types of requirements.
This case signifies a significant loophole in the schema of privacy protection, if the Tribunal continues with the view that people harmed by the actions of a ‘rogue’ employee have no civil remedy against either the individual or the agency that employs them.
However this approach may not be favoured across the Tribunal; the earlier case of MT v DET  NSWADT 194 for example took a different approach to the notion of an agency employee acting with dual purpose, but was not mentioned in this case. The determination of the pending appeal case in MT v DET may provide an opportunity for the Appeal Panel to revisit the consequences of both decisions. l
Anna Johnston, Salinger & Co
 NZ v Commissioner of Police  NSWADT 35 at [7-8].