Privacy Law and Policy Reporter
Unlike in other administrative review areas such as FOI, the ‘decision maker’ at the centre of a privacy complaint could be any employee or agent of an agency, whose conduct or decision could arise from any action or omission, whether deliberate or careless, and regardless of their state of knowledge about their privacy obligations.
This poses a significant risk to organisations in terms of ensuring their compliance with privacy legislation.
On the flipside, if there is a complaint, it should result in a review of the conduct at issue. The review prompts an analysis of whether or not the conduct complied with the relevant privacy principles or, if not, whether its non-compliance was authorised under an exemption.
It is the author’s experience that in defending a privacy complaint, a respondent agency will often seek to rely on an exemption, the existence of which is unlikely to have been known about, let alone consciously applied by, the agency’s employee at the time of their conduct. This poses a distinct advantage for respondent agencies in an already unbalanced and litigious atmosphere, which has been criticised by the NSW Privacy Commissioner.
The two recent cases of FM and MT highlight this scenario well.
However, they also suggest that the NSW Administrative Decisions Tribunal will not hesitate to inquire into the actions and motivations of the person whose conduct is at issue, in order to assess an agency’s claim for exemption.
MT v Department of Education & Training
In MT, the agency claimed an exemption to disclosure on the ground that “the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person”.
The difficulty for the agency with their claim for this exemption was that the information, once disclosed, was not actually used to lessen or prevent any threat to MT’s life or health. Instead the recipient organisation used (or at least tried to use) the information to protect itself from any liability in the event that the threat was realised and MT suffered an injury. Nor was the Tribunal convinced that the purpose of the disclosure was anything other than an attempt to limit liability, rather than proactively minimise the chance of harm to MT.
The respondent agency claimed that how the information was actually used following the disclosure was not relevant. The agency also argued that the purpose of the statutory exemption need not have been the employee’s sole or even primary motivation. The Tribunal effectively rejected these arguments.
The Tribunal found that the employee who made the disclosure had a different motivation (protecting himself and the recipient organisation from liability in the case of MT being injured), and that his subsequent actions, and those of the people to whom the information was disclosed, were not consistent with a concern to prevent MT from being injured in the first place. The Tribunal therefore rejected the agency’s claim to that particular exemption.
Another exemption claimed by the agency relied on the more nebulous notion of a teacher’s common law duty of care to their students as an example of a ‘law’ which authorises, requires, permits, reasonably contemplates or necessarily implies non-compliance with the normal prohibition on disclosure. Again the Tribunal rejected this claim, as the employee of the agency was found not to have acted in such a way as to discharge such a duty.
Macquarie University v FM
In FM, the focus was again on whether or not an agency’s actions were genuinely consistent with the spirit of the exemption claimed (again, from the general prohibition on disclosure). And again, both the motivation of the employee when disclosing the information, and an examination of how the personal information was used subsequent to the disclosure, formed part of the assessment of whether or not the exemption could be claimed.
The exemption claimed in FM arose under a public interest direction issued by the Privacy Commissioner. The direction allowed for non-compliance with the privacy principle prohibiting disclosure, “if compliance might detrimentally affect (or prevent the proper exercise of) any of the agency’s investigative functions ...”.
The Appeal Panel noted that ‘might detrimentally affect’ is not a high standard to meet, but nevertheless found in this case that it had not been met.
The Appeal Panel reviewed the conduct at issue by indulging in a ‘what if’ scenario. The Panel effectively asked: if the particular information at issue had not been disclosed other than in compliance with the privacy principle, might the agency’s investigative functions have been detrimentally affected?
The Panel’s answer was ‘no’.
The evidence put forward by the respondent agency was about the generalities of what would have happened if it had not complied with the request for information at all, rather than what would have happened if it had limited its disclosure to those matters not in dispute. The evidence from the two employees who made the ‘extra’ (complained of) disclosures suggested that their motivations were not about avoiding a detrimental effect on an investigation, but were related to a non-specific ‘duty’ to prevent a possible future danger posed by FM.
The Appeal Panel found that the investigation “did not, and did not need to, rely” on the particular ‘extra’ disclosures of personal information at issue. In particular, the Panel noted that had the respondent agency instead refused to disclose the information as requested (informal requests by way of telephone calls), the agency seeking the information could have applied in a more formal manner for the appropriate records, which would have prompted a more explicit and transparent application of the privacy principles to the request. In any case, the Panel found that the information at issue was not needed, as the recipient agency already had information sufficient for its purposes.
Ultimately, both these decisions chart a fairly sensible path in their application of a claimed exemption to the facts of the matter.
While not requiring proof that the person whose conduct is at issue knew of and applied the specific exemption now claimed, the Tribunal (in MT) and the Appeal Panel (in FM) have inquired into that person’s conduct in a fairly comprehensive way. The inquiry has extended into determining whether or not the spirit of the now-claimed exemption was a genuine motivation for their actions, and whether or not their actions, and the actions of other involved parties, were consistent with such a motivation.
Vague notions by agencies’ employees about having a ‘duty’ to disclose personal information to prevent some harm have been rejected by the Tribunal and Appeal Panel in favour of a more rigorous analysis of whether the facts meet the kinds of scenarios imagined when the exemptions were drafted, and whether the motivations and actions of the agency’s employees were consistent with the standards and pre-conditions applying to such exemptions.
Director of Privacy & Information Management Consulting, Salinger & Co
 I speak here of the NSW situation, under Part 5 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act). Privacy complaints against public sector agencies about a breach of the information protection principles (IPPs) in the PPIP Act, or a breach of the health privacy principles (HPPs) in the Health Records & Information Privacy Act 2002 (HRIP Act), are dealt with first by way of internal review, and then on application by external review in the Administrative Decisions Tribunal.
 See Privacy NSW’s submission on the review of the PPIP Act, part 3.2.4, at <www.lawlink.nsw.gov.au/privacynsw>. The NSW Privacy Commissioner has recommended that the Act be amended “to place an onus on agencies claiming an exemption to justify any non-compliance with an IPP (or public register provision) to demonstrate that the person whose decision or conduct is at issue knew of and relied on that exemption at the time of their decision or conduct”.
 Vice-Chancellor, Macquarie University v FM (No.2)  NSWADTAP 37; and MT v Director General, NSW Department of Education & Training  NSWADT 194. See the summaries of these cases elsewhere in PLPR.
 See s.18(1)(c) of the PPIP Act.
 See section 25 of the PPIP Act, which refers to “an Act or any other law” as able to override some of the IPPs in certain circumstances. Much of the argument in MT related to whether or not a common law duty meets the definition of a “law” necessary to attract the application of section 25. Ultimately this point was not decided.
 See clause 4 of the Direction on the Processing of Personal Information by Public Sector Agencies in relation to their Investigative Functions, issued by the NSW Privacy Commissioner on 28 December 2001, under s.41 of the PPIP Act. That particular direction is no longer in force, but a similar version is; see <www.lawlink.nsw.gov.au/privacynsw>.
 The information at issue was only a part of the total personal information disclosed by the respondent agency; in essence, the applicant was arguing not that there should have been no disclosure at all, but simply that the disclosure ‘went too far’.
 The original judgment in this matter had already rejected the application of the “necessary to prevent or lessen a serious and imminent threat” exemption, with the Tribunal finding that any threat posed by FM was neither serious nor imminent; see para  in FM v Vice Chancellor, Macquarie University  NSWADT 78.
 at para 
 See paras - in the FM case, and paras - in the MT case.