EIG v North Sydney Council [2021] NSWCATAD 66

Read the full decision here: EIG v North Sydney Council [2021] NSWCATAD 66

Summary

On 28 February 2020, EIG (the applicant) sought an internal review by North Sydney Council (the respondent) of alleged conduct of the respondent concerning the disclosure of the applicant’s personal information in an email and attachments.

Initially, the respondent found no breach of IPPs under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and decided to take no further action.

Following its decision, the respondent continued to investigate the incident and, based on that investigation, the respondent provided the applicant with a written apology and scheduled an additional course of training for staff on the importance of protecting personal information and the requirements of the PPIP Act.

The Tribunal found that the information was held by the respondent, disclosed by the respondent and such disclosure was in breach of section 18. Given the absence of any evidence from the respondent as to the specific security and access measures implemented by the respondent in respect of the physical copies of the personal information in the attachments, the Tribunal found that the respondent also failed to meet its obligations under, and therefore breached, IPP 5.

What you need to know

Not every action by an employee can be attributed to their employer. However, where an agency has not taken reasonable security safeguards to protect personal information under IPP 5 it may be liable for the unauthorised conduct of its employees.

The information security obligation under section 12 (IPP 5) is not a static or ‘one size fits all’ obligation. Rather, IPP 5 requires such security safeguards as are ‘reasonable in the circumstances’. That is, in accordance with the reasoning in XW v Department of Education and Training [2009] NSWADT 73, where the respondent is aware of the potential for deliberate and motivated circumvention of its security measures for likely political motives, by actions which will not be easily thwarted by standard or existing security safeguards, the respondent is required in those circumstances to implement increased security safeguards to meet this increased security threat.

Legislative background

PPIP Act

  • Section 4 definition of “personal information”
  • Section 12 retention and security of personal information
  • Section 18 Limits on disclosure of personal information
  • Section 53 internal review by public sector agencies
  • Section 55 administrative review of conduct by Tribunal

Review requirements and jurisdiction

  • Civil and Administrative Tribunal Act 2013 (NSW)
  • Section 30 administrative review jurisdiction
  • Administrative Decisions Review Act 1997 (NSW)
  • Section 63 operation and implementation of decisions pending applications for administrative review

Factual background

On 28 February 2020, the applicant sought an internal review by the respondent of alleged conduct of the respondent concerning the disclosure of the applicant’s personal information. The applicant, who was a councillor of the respondent, alleged that on 25 November 2019 a group known as the “North Sydney Residents Alliance” sent an email with 14 attachments containing their personal information to a wide range of recipients.

Over a 2 to 3 year period prior to the sending of the email on 25 November 2019, the applicant and others had submitted the documents attached to the email to support requests to attend conferences, comply with obligations to notify the respondent of pecuniary interests and to claim expenses. The body of the email made assertions about the applicant and others based on the documents attached to the email, and also disclosed information about the applicant’s property ownership within the Local Government Area. The applicant alleged this information was taken from the applicant’s pecuniary interest returns and/or the pecuniary interest register held by the respondent.

After 60 days had elapsed from the date of receipt of the internal review request by the respondent, the respondent had not completed the internal review. Consequently, on 4 May 2020, the applicant filed an application for administrative review by the Tribunal.

On 4 May 2020, the respondent also issued its internal review decision. However, the applicant indicated that they did not receive the decision until it was provided by the respondent’s solicitors by email on 26 June 2020.

In its decision, the respondent concluded that no personal information of the applicant was released, there was no breach of the PPIP Act and therefore no breach of the applicant’s privacy. These conclusions were based primarily on the respondent’s determination that neither the contents of the email sent by North Sydney Residents Alliance nor any of the documents attached to it contained any personal information of the applicant because:

  1. had a third party made an application to the respondent under the Government Information (Public Access) Act 2009 (GIPA Act) the respondent would have likely released the information excluding any information that is strictly personal information;
  2. none of the attachments comprised personal information as they comprised information about an individual that is contained in a publicly available document or publication; and
  3. there appeared to be no record of any employee of the respondent releasing any of the information.

Based on the conclusions above, the respondent decided to take no further action.

Following its decision, the respondent continued to investigate the incident and, based on that investigation, the respondent provided the applicant with a written apology and scheduled an additional course of training for staff on the importance of protecting personal information and the requirements of the PPIP Act.

On 15 June 2020, after commencement of these proceedings, the respondent published a report in which the applicant was identified by name as having lodged a privacy complaint against the respondent. Despite the applicant notifying the respondent of their concern in relation to the report, a subsequent report again published the name of the applicant and details of their privacy complaint, including on the respondent’s publicly accessible website.

The following issues arose for determination by the Tribunal in these proceedings:

  1. what (if any) personal information of the applicant was the subject of disclosure by the respondent;
  2. was there any unauthorised disclosure of such personal information by the respondent in breach of section 18 of the PPIP Act;
  3. whether the respondent failed to take such security safeguards as are reasonable in the circumstances to protect the applicant’s personal information, in breach of section 12 of the PPIP Act; and
  4. what orders, if any, the Tribunal should make under section 55(2) of the PPIP Act.

Tribunal findings

What (if any) personal information of the applicant was the subject of disclosure by the respondent

In relation to whether the information was the applicant’s personal information, the respondent made concessions, including:

  1. the respondent accepted that its reasoning in its decision that the information in question was not personal information as it was of the type that may be released on request under the GIPA Act did not correctly engage with the definition of personal information in section 4 of the PPIP Act;
  2. personal information was “held” by the respondent if the information was in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement;
  3. subject to the Tribunal’s determination of the extent of the personal information disclosed and the extent to which the email and attachments contained personal information, the respondent conceded that it held such information and that the applicant’s identity could be reasonably ascertained (where it was not expressly stated) from such information;
  4. attachments 1-13 were held by it and improperly disclosed by the respondent and, due to the context of their release, the identity of the applicant could be reasonably identified even if not otherwise explicit in the attachments;
  5. it breached the PPIP Act by contravening IPP 11 as the disclosure of the applicant’s personal information was unauthorised, improper and in breach of section 18 of the PPIP Act; and
  6. the respondent held physical copies of attachments 1-13 in a secure vault room which was only accessible by members of the respondent’s Finance Team.

The respondent did not concede that all of the information claimed by the applicant to be the applicant’s personal information was “personal information” under the PPIP Act.

The Tribunal was satisfied that attachment 14 was not held by the respondent, and even if it was, it was publicly available on the respondent’s website prior to the disclosure.

Was there a breach of section 18 of the PPIP Act

The Tribunal found that the information was held by the respondent, disclosed by the respondent and such disclosure was in breach of section 18.

Was there a breach of section 12 of the PPIP Act

The Tribunal had regard to the NSW Court of Appeal’s findings in Department of Education and Training v MT [2006] NSWCA 270 that not every action by an employee can be attributed to their employer. However, where an agency has not taken reasonable security safeguards to protect personal information under IPP 5 (as was the case here) it may be liable for the unauthorised conduct of its employees. The Tribunal was therefore satisfied that the respondent’s concessions were supported by the evidence.

The Tribunal went on to state that:

… the information security obligation under IPP 5 is not a static or ‘one size fits all’ obligation. Rather, IPP 5 requires such security safeguards as are ‘reasonable in the circumstances’. That is, in accordance with the reasoning in XW v Department of Education and Training [2009] NSWADT 73, in circumstances where the respondent is aware of the potential for deliberate and motivated circumvention of its security measures for likely political motives, which actions will not be easily thwarted by standard or existing security safeguards, the respondent is required in those circumstances to implement increased security safeguards to meet this increased security threat.

The Tribunal held that it was reasonable to expect that the respondent should have implemented significant security safeguards across all of its personal information holdings, including in physical form, in order to address this concern.

Given the absence of any evidence from the respondent as to the specific security and access measures implemented by the respondent in respect of the physical copies of the personal information in the attachments, the Tribunal found that the respondent failed to meet its obligations under, and therefore breached, IPP 5.

Tribunal outcome

The Tribunal ordered that the respondent:

  1. provide an unreserved formal written apology to the applicant addressing and apologising for the respondent’s breaches of section 18 and section 12 of the PPIP Act and all distress and embarrassment caused to the applicant.
  2. implement security safeguards against loss, unauthorised access, use, modification or disclosure and against all other misuse for all personal information it held in physical form, and implement the administrative measures necessary to ensure that the conduct of concern the subject of these proceedings did not occur again. The Tribunal noted that such security safeguards and administrative measures must include the respondent’s position as to when and in what circumstances an internal review of an incident would be sufficient and when an external independent review of an incident was required.
  3. amend its Privacy Management Plan to reflect the security safeguards implemented in accordance with Order (2) above.
  4. publish anonymous notices not identifying the applicant (in accordance with the publication restriction) in the ‘Latest News’ section of the respondent’s public website as follows:
    • under the heading “Council ordered to address personal information security breach”, a notice noting Orders (2) and (3) above of the Tribunal in relation to the respondent’s breach of IPP 5, and such notice must stay up until the second notice below is published; and
    • after the respondent completed the measures required by Orders (2) and (3), under the heading “Council’s personal information security remediation completed”, a notice noting Orders (2) and (3) above of the Tribunal and that the respondent completed the measures ordered by the Tribunal to address its breach of IPP 5, and such notice must stay up for 3 months from publication.