DQN v The University of Sydney [2019] NSWCATAD 266

Read the full decision here DQN v The University of Sydney [2019] NSWCATAD 266

Summary

In the course of an administrative review by the Tribunal under the Government Information (Public Access) Act 2009 (NSW) (GIPA Act), the agency consulted with staff whose personal information was contained in the information being sought by the applicant. Their responses were annexed to an affidavit that was filed and served by the agency in support of its case in those proceedings. Among those was an email from the applicant’s former manager which contained information that was not relevant to the information to which access was sought but formed a basis of her reasons why she objected to the applicant being granted access to her personal information. The applicant alleged breaches of privacy in respect of that information. The Tribunal found the agency did not breach the use and disclosure Information Protection Principles (IPPs) under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) because non-compliance was permitted, necessarily implied and/or reasonably contemplated by the Civil and Administrative Tribunal Act 2013 (NSW) (NCAT Act), the Administrative Decisions Review Act 1997 (NSW) (ADR Act) and/or the GIPA Act.

What you need to know

Personal information or health information?

Before determining whether the IPPs or the Health Privacy Principles (HPPs) under the Health Records and Information Privacy Act 2002 (HRIP Act) apply to particular information, it is necessary to determine whether it is personal information or health information.

‘Personal information’ is defined in section 4 of the PPIP Act. Except as provided by the PPIP Act or the HRIP Act, the definition of personal information in section 4 excludes ‘health information’ within the meaning of the HRIP Act (section 4A of the PPIP Act). This means that health information is covered by the HPPs, and not the IPPs.

Under the HRIP Act, ‘health information’ includes personal information that is information or an opinion about the physical or mental health or a disability (at any time) of an individual (section 6(a)(i)).

In this matter, the Tribunal was not persuaded that a reference to an ‘illness’ meant the information was health information, therefore, the Tribunal considered the application of the IPPs.

Exemptions where non-compliance is lawfully authorised or required

Section 25(b) of the PPIP Act provides that a public sector agency is not required to comply with sections 9, 10, 13-15 or 17-19 of the PPIP Act, if non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 (NSW)).

In this matter, the agency had accepted that except for the exemption in section 25, the conduct under review breached the use and disclosure IPPs under section 17 and 18 of the PPIP Act. However, it contended that non-compliance with these principles was otherwise permitted (or is necessarily implied or reasonably contemplated) by:

• the NCAT Act (legislation that sets out the practice and procedure for administrative review by the Tribunal)
• the ADR Act (legislation that defines the availability and scope of administrative review), and/or
• the GIPA Act (legislation that provides a legally enforceable right of access to government information held by an agency and requires consultation with third parties in certain circumstances prior to release of their personal information).

Citing the decisions of PN v Department of Education and Training (GD) [2010] NSWADTAP 59, at [52] to [60] and Department of Education and Communities v VK (GD) [2011] NSWADTAP 61 at [14] to [16], the Tribunal confirmed the following principles:

• the Tribunal is not required to undertake a ‘microscopic comparison’ of the alternative law for the purposes of section 25(b) of the PPIP Act
• it will be enough for section 25(b) to apply if the transactions in issue are of a type contemplated by the regime under the other Act or law; and that they are genuinely undertaken for the purpose of the scheme
• deciding what is ‘reasonably contemplated’ involves a broad inquiry and does not involve drilling down to specific elements of a communication and appraising those elements by reference to a standard of relevance.

Legislative background

Information Protection Principles (IPPs)

Section 17 Limits on use of personal information (IPP 10)

Section 18 Limits on disclosure of personal information (IPP 11)

Specific exemptions from IPPs

Section 25 Exemptions where non-compliance is lawfully authorised or required

PPIP Act provisions

Section 4 Definition of “personal information”

Section 4A Exclusion of health information from definition of “personal information”

Section 53 Internal review by public sector agencies

Section 55 Administrative review of conduct by Tribunal

HRIP Act provisions

Section 6 Definition of “health information”

Factual background

This matter arose from an application for administrative review of a decision on an access application under the GIPA Act determined by the NCAT in DQN v University of Sydney [2019] NSWCATAD 159. The applicant had sought access to a preliminary assessment report of a complaint he had made to the agency under its ‘Bullying, Harassment and Discrimination Resolution Procedures 2015’ (the report).

The agency had refused access to parts of the report on the basis of an overriding public interest against disclosure. In making its decision, the agency determined that disclosure of the information could reasonably be expected to:

• reveal an individual’s personal information (clause 3(a) of the table to section 14 of the GIPA Act), and
• contravene an IPP under the PPIP Act or HPP under the HRIP Act (clause 3(b) of the table to section 14).

The applicant was dissatisfied with the decision and sought administrative review by the Tribunal under section 100 of the GIPA Act. In preparing the agency’s response to the application for administrative review, the Director of Workplace Relations sent an email to the staff whose personal information was contained in the report, including the applicant’s former manager, against whom the complaint was made. The Director of Workplace Relations notified the staff of the applicant’s request for access to the report and asked if they objected to their personal information being disclosed to the applicant.

The applicant’s former manager objected to the applicant being granted access to her personal information in the report. In her reasons for objecting, she referred to an unrelated claim the applicant had made in relation to his employment with the agency, which she had direct knowledge of through her role as the applicant’s then manager.

The Director of Workplace Relations then included the responses received from staff in her affidavit, which was filed in the Tribunal and served by the agency in support of its case in the GIPA proceedings.

Tribunal findings

The Tribunal found that the relevant information was personal information about the applicant, not health information. Other than containing the word ‘illness’, the information did not include any information or an opinion about the physical or mental health of the applicant. The Tribunal found that even if the information were health information this would not affect its decision because the ‘use’ and ‘disclosure’ IPPs and HPPs are in similar terms.

In making its finding that non-compliance with the use and disclosure IPPs was permitted, necessarily implied and/or reasonably contemplated by the relevant legislation, the Tribunal had regard to the following:

• the decision under review by the Tribunal was to refuse access to information under section 58(1)(d) of the GIPA Act because there is an overriding public interest against disclosure of the information
• the role of the Tribunal in an administrative review is to stand in the shoes of the respondent and make the ‘correct and preferable decision’ on access to information having regard to the applicable law and the relevant facts (section 63(1) of the ADR Act)
• the onus was on the agency in the proceedings to establish that its decision to refuse access to information is justified (section 105 of the GIPA Act)
• the Tribunal had made orders under the provisions of the NCAT Act (section 38(1)) for the parties to file and serve their evidence.

The Tribunal found that the email from the Director of Workplace Relations to staff was for the purpose of complying with section 54 of the GIPA Act, and the consultation was undertaken in order to support the agency’s case in the administrative review proceedings.

Tribunal outcome

The Tribunal concluded at [49] that as there had been no breach of an IPP or HPP, the appropriate order was to decide to take no further action.