EMF v Cessnock City Council [2021] NSWCATAD 219

Read the decision here: EMF v Cessnock City Council [2021] NSWCATAD 219

Summary

On 17 April 2020, Cessnock City Council (Respondent) received a complaint (Complaint) from EMF (Applicant) which was addressed to the General Manager in an envelope marked “Confidential – Attention of Addressee Only”. The Complaint alleged breaches of the Respondent’s code of conduct (among breaches of other laws and codes) by the Mayor, the Mayor’s Office, the Director of Planning and Environment and the Acting Principal Strategic Planner (Councillors/Officers). The Complaint cited various provisions of the Local Government Act 1993 (NSW) (LG Act) concerning the responsibilities of the Councillors/Officers with respect to overseeing the Respondent’s policies, including those relating to privacy. The Complaint also referred to the Respondent’s Privacy Management Plan (PMP) and the obligations imposed on the Respondent’s Officers and other staff in handling, disclosing, and using personal information and the repeated failures by the Respondent to understand or comply with those obligations.

The General Manager did not accept the Complaint as a code of conduct complaint and, without contacting the Applicant, decided to treat the Complaint as a privacy complaint and, despite the ‘confidential’ and ‘addressee only’ wording on the envelope, provided the Complaint to the Respondent’s Public Officer to handle it as a ‘privacy complaint’.

The Tribunal found that on receipt of the Complaint, the Respondent should have taken reasonable steps to send (by post or email), as soon as possible after receipt, an IPP 3 compliant statement specifying how the Applicant’s personal information would be dealt with by the Respondent. Alternatively, the Respondent should have referred the Applicant to the “Privacy Statement” on its website.

The Tribunal also held that even though the General Manager determined that this was not a code of conduct complaint, given the Respondent’s Privacy Statement and that the Complaint was marked as ‘confidential’ and ‘for the addressee only’, it was incumbent on the Respondent to only use that personal information for the sole lawful purpose of assessing a code of conduct complaint. Once assessed as not meeting the criteria of a code of conduct complaint the Respondent could not lawfully use it for any other purpose without first obtaining the Applicant’s consent to do so.

What you need to know

The transfer of personal information within an agency, from one unit or employee to another, can involve a disclosure or use of that information by the first unit or employee but does not involve a fresh collection by the second unit or employee. Re-directing an in-bound email from one area to another within an agency is not a fresh ‘collection’ by the second recipient of the email. Collection is a single collection by the agency as a whole and not a separate collection by each employee or area of the agency who receives the information.

The exchange of personal information between units of an agency (i.e. within that agency) may be a ‘disclosure’ for the purposes of IPP 11. However, generally speaking, ‘disclosure’ for the purposes of IPP 11 refers to making the personal information in question available to people outside the agency.

If an agency wishes to continue to use personal information collected for one type of complaint, or provided on a confidential basis for a specific purpose, for another type of complaint or other purpose (in the case of confidential information), the agency should notify the complainant and consider providing them with an “opt-out” mechanism so that they can avoid their personal information being used for any other complaint, especially where it has been collected on a ‘confidential’ basis for a specific purpose.

Legislative background

PPIP Act

  • Section 4 definition of “personal information”
  • Section 8 collection of personal information for lawful purposes
  • Section 10 requirements when collecting personal information
  • Section 12 retention and security of personal information
  • Section 17 limits on use of personal information
  • Section 18 limits on disclosure of personal information
  • Section 19 special restrictions on disclosure of personal information
  • Section 21 agencies to comply with principles
  • Section 53 internal review by public sector agencies
  • Section 55 administrative review of conduct by Tribunal

Review requirements and jurisdiction

  • Civil and Administrative Tribunal Act 2013 (NSW)
    • Section 60 costs
  • Administrative Decisions Review Act 1997 (NSW)
    • Section 9 when administrative review jurisdiction is conferred

Factual background

Previous proceedings

The Applicant and Respondent were involved in earlier and related proceedings: EMF v Cessnock City Council [2021] NSWCATAD 83 (EMF1). The conduct of concern and issues arising in the current proceedings were different to those in EMF1 but were related to those earlier events and the conduct dealt with in EMF1.

In EMF1, the Applicant sent an email on 20 January 2020 to the Mayor of Cessnock in relation to the Respondent’s request for submissions and comments on a proposed revision to the “Draft Cessnock Local Strategic Planning Statement” (Draft Plan). The email was intended only for the Mayor and made various complaints about officers and staff of the Respondent involved in and relating to the Draft Plan. The Mayor, however, forwarded the email to members of staff of the Council (including those who were the subject of complaints in the email), believing it to be a submission or a comment on or response to the Draft Plan.

The Applicant was unsuccessful in establishing that the Respondent’s conduct resulted in any failure to comply with the IPPs. This was, in part, because the Applicant’s email was not clearly marked as ‘confidential’, ‘for the addressee only’ or such that there was an obvious and clear indication that the Applicant did not intend the email as a general response to or public comment on the Draft Plan to be dealt with in the ordinary course of the Draft Plan processes.

Current proceedings

On 17 April 2020, the Respondent received a complaint from the Applicant which was addressed to the General Manager in an envelope marked “Confidential – Attention of Addressee Only”. The Complaint alleged breaches of the Respondent’s code of conduct (among breaches of other laws and codes) by Councillors/Officers. The Complaint cited various provisions of the LG Act concerning the responsibilities of the Councillors/Officers with respect to overseeing the Respondent’s policies, including those relating to privacy. The Complaint also referred to the Respondent’s Privacy Management Plan (PMP) and the obligations imposed on the Respondent’s Officers and other staff in handling, disclosing, and using personal information and the repeated failures by the Respondent to understand or comply with those obligations.

The General Manager did not accept the Complaint as a code of conduct complaint and, without contacting the Applicant, decided to treat the Complaint as a privacy complaint and, despite the ‘confidential’ and ‘addressee only’ wording on the envelope, provided the Complaint to the Respondent’s Public Officer to handle it as a ‘privacy complaint’.

The Respondent’s Public Officer sent a letter dated 21 April 2020 to the Applicant acknowledging receipt of the Applicant’s “privacy complaint”. On 27 April 2020, the Applicant wrote a letter in response questioning why the Public Officer was contacting the Applicant in relation to the Applicant’s confidential code of conduct complaint relating to the Councillors/Officers addressed to the General Manager.

Despite the Applicant’s letter dated 27 April 2020, in a letter dated 4 May 2020, the Public Officer advised the Applicant of the outcome of his investigation into the Applicant’s “privacy complaint”. The Respondent advised that the Complaint was not accepted as a Code of Conduct complaint because it was a complaint about the conduct of a Council official arising from the exercise of their functions in good faith. The Respondent further advised that the Complaint was dealt with in accordance with Council’s PMP. The Respondent found that the Complaint was unsubstantiated because the Applicant had not provided any evidence to demonstrate the Applicant’s personal information was improperly accessed and used by Councillors and Council staff as alleged. The Respondent also determined that the Mayor’s action in forwarding the Applicant’s email dated 20 January 2020 was appropriate and necessary to ensure that Councillors pass on to the Respondent’s administration any views received from the community on the Draft Plan.

On 2 October 2020, the Applicant lodged an internal review request that alleged, among other things, that their personal information was accessed, used and disclosed by the Respondent in contravention of IPPs 5, 11 and 12.

The Respondent’s internal review found that there was no evidence that the Respondent had failed to comply with any of the IPPs in its handling of the Applicant’s personal information in or relating to the Complaint. In particular, the internal review decision found that the Applicant’s personal information was collected for a lawful purpose directly related to the Respondent’s functions and activities.

On 17 December 2020, the Applicant applied for administrative review by the Tribunal.

Tribunal findings

The Respondent did not dispute that the Complaint was:

  1. sent by registered post in an envelope clearly addressed to the General Manager and marked as “Confidential – Attention of Addressee Only”;
  2. received, assessed and disclosed by the General Manager to other Council officers and staff, in particular the Public Officer;
  3. put into the Respondent’s electronic document management system;
  4. treated as a privacy complaint without the prior consent of the Applicant; and
  5. intended to be considered as a ‘code of conduct complaint’ and was dealt with as a ‘privacy complaint’.

Transfer of personal information within an agency is not a fresh ‘collection’

The Tribunal noted that a transfer of personal information within an agency (i.e. the Respondent in this case), from one unit or employee to another, can involve a disclosure or use of that information by the first unit or employee but does not involve a fresh collection by the second unit or employee. Re-directing an in-bound email from one area to another within an agency is not a fresh ‘collection’ by the second recipient of the email. Collection is a single collection by the agency as a whole and not a separate collection by each employee or area of the agency who receives the information.

Transfer of personal information within an agency may be a “disclosure”

The Tribunal noted that it has been held that, especially in large public sector agencies consisting of specialised units, the exchange of personal information between units of an agency (i.e. within that agency) may be a ‘disclosure’ for the purposes of IPP 11. However, generally speaking, ‘disclosure’ for the purposes of IPP 11 refers to making the personal information in question available to people outside the agency.

Where information is transferred, or access is provided to it, within an agency and this is not a “disclosure” for the purposes of IPP 11, it falls to be considered as a “use” under IPP 10.

Breaches of IPP 1

The Tribunal found that the Respondent collected the personal information of the Applicant related to the Complaint. Even if originally considered unsolicited, once the Respondent assessed, considered or dealt with the Complaint by, in this case, assessing whether it qualified as a code of conduct complaint and/or putting it in its electronic information management system, the personal information was collected and held by the Respondent and thus IPP 1 was relevant. Furthermore, as is the case for all solicited personal information, the Applicant’s personal information was subject to all the IPPs as amended by the Privacy Code of Practice for Local Government published in the Government Gazette Number 179 on 20 December 2019 (LG Privacy Code).

The Tribunal was satisfied that the General Manager, on behalf of the Respondent, was entitled to (and did) collect the Applicant’s personal information in and related to the Complaint for the lawful purpose of considering the Complaint as a code of conduct complaint. However, even though the General Manager later determined that the Complaint was not a code of conduct complaint, this did not change the lawful purpose for which the Applicant’s personal information was collected and any subsequent use of it falls to be considered under IPP 10 and the LG Privacy Code in relation to its use other than as a code of conduct complaint.

The Tribunal found that re‑directing the Complaint from the General Manager to other Council staff using the document management system was not a fresh ‘collection’ by each recipient in the Respondent of the personal information related to the Complaint. The initial collection by the General Manager was a single collection by the Respondent as a whole and there were no separate collections by each (or any other) staff member of the Respondent. However, each such “re‑direction” or making the Complaint available to others in the Respondent may have been a use (or, in some cases, a disclosure) which may on each occasion, subject to the LG Privacy Code, have been an unauthorised use (or possibly disclosure) of the Applicant’s personal information under IPP 10 (and/or IPP 11) if such were not for the ‘lawful purpose’ for which it was collected.

Breach of IPP 3

The Tribunal noted that no evidence was presented in this case that, on receipt of the Complaint (i.e. after the personal information was collected), the Respondent took any reasonable steps to send (by post or email), as soon as possible after receipt, an IPP 3 compliant statement specifying how the Applicant’s personal information in and related to the Complaint would be dealt with by the Respondent. There was also no evidence that reasonable steps were taken by the Respondent to refer the Applicant to the “Privacy Statement” on its website. While not necessarily an IPP 3 notice, this is the general public privacy statement of (or promise by) the Respondent to individuals about the way the Respondent will handle their personal information and any statements in it will, in the absence of an IPP 3 statement, prevail over any inconsistent rights or exemptions given to Council under the LG Privacy Code. In the absence of an IPP 3 statement, the Privacy Statement could be referred to by individuals in deciding whether to provide their personal information to the Respondent. In this case, the Privacy Statement would inform individuals as to how their personal information in relation to a complaint would be treated by the Respondent.

There was no mention in the Privacy Statement that one’s personal information provided for a specific complaint (e.g. a code of conduct complaint) would be used for any other type of complaint or of the additional rights granted to the Respondent in regards to use of their personal information for other purposes under the LG Privacy Code.

Breach of IPP 5

The Respondent conceded that the Applicant’s personal information related to and in the Complaint was stored in the Respondent’s electronic document management system and disclosed to a number of staff and used for a purpose other than a code of conduct complaint review (i.e. as a privacy complaint), without notification to or the consent of the Applicant. However, in the absence of any evidence from the Applicant of any unauthorised access by or disclosure to anyone outside of the Respondent, and of any failure by the Respondent to take reasonable steps to keep their personal information secure, the Tribunal found that there was no failure by the Respondent to comply with IPP 5.

Breach of IPP 10

The Tribunal held that even though the General Manager determined that this was not a code of conduct complaint, given the statement in the Privacy Statement and that the Complaint was marked as ‘confidential’ and ‘for the addressee only’, it was incumbent on the Respondent to only use that personal information for the sole lawful purpose of assessing a code of conduct complaint. Once assessed as not meeting the criteria of a code of conduct complaint the Respondent could not lawfully use it for any other purpose without first obtaining the Applicant’s consent to do so.

If the Respondent wishes to continue to use personal information collected for one type of complaint, or provided on a confidential basis for a specific purpose, for another type of complaint or other purpose (in the case of confidential information), the Respondent should notify the complainant and consider providing them with an “opt-out” mechanism so that they can avoid their personal information being used for any other complaint, especially where it has been collected on a ‘confidential’ basis for a specific purpose.

Breach of IPPs 11 and 12

The Tribunal found that the Respondent had not breached IPPs 11 and 12.

Consideration of systemic or broader issues

The Applicant made submissions as to (and provided evidence of) a number of the Respondent’s non-compliances with the IPPs, most of which were not addressed by the Respondent. In addition, the Tribunal considered the “lessons” referred to in the findings in EMF1 (especially as regards dealing with communications marked “confidential” which are collected for a specific purpose).

The Tribunal was satisfied that there were systemic or broader privacy compliance issues within the Respondent relating to compliance with IPPs 3 and 10. The Tribunal was of the view that there were matters on which orders relating to systemic issues and ancillary orders were appropriate.

Damages

In assessing the damages to be awarded to the Applicant, the Tribunal found that the impact of the Respondent’s breaches on the Applicant was extremely severe.

Tribunal outcome

The Tribunal made the following orders:

  1. The decision of the Respondent is set aside.
  2. Within 30 days of the date of these Reasons for Decision the Respondent is to provide an unreserved written apology to the Applicant addressing and apologising for the Respondent’s breaches of IPPs 3 and 10 as identified in these Reasons for Decision and for all distress and harm caused to the Applicant as a result of such.
  3. Within 180 days of the date of these Reasons for Decision the Respondent is to:
    (a) perform IPP 3 by implementing such measures as are reasonable in the circumstances to ensure IPP 3 compliant notices are issued in relation to all personal information collected by the Respondent,
    (b) amend the Privacy Statement to be (and keep it) consistent with all IPP 3 notices issued,
    (c) ensure all IPP 3 notices and the Privacy Statement clearly state any rights or exceptions under the Privacy Code of Practice for Local Government or other law or code the Respondent will rely on to permit other uses of information collected by it,
    (d) perform IPP 10 by implementing such measures necessary to ensure that no personal information collected by the Respondent is used other than for the lawful purpose(s) of collection unless either consented to by the individual whose personal information it is or such is permitted by a right or exception noted in an IPP 3 notice in accordance with (a) and (c) above, and
    (e) implement such administrative measures necessary to ensure that the conduct of concern the subject of these proceedings will not occur again.
  4. The measures implemented in accordance with Order (3) must specifically address the Respondent’s position as to information submitted to it in confidence and when and in what circumstances any personal information marked confidential collected by the Respondent may be used for purposes other than that for which it was lawfully collected.
  5. The Respondent is to amend the Privacy Management Plan to reflect the measures implemented in accordance with Order (3) above.
  6. Pursuant to s 54 Privacy and Personal Information Protection Act 1998, within 30 days of the Applicant providing their bank account (or other acceptable payment method) details to the Respondent, the Respondent is to pay the Applicant $30,000 as compensation for the harm suffered by the Applicant as a result of the Relevant Conduct of Concern.
  7. Under s 64(1) of the Civil and Administrative Tribunal Act 2013 the disclosure of the Applicant’s name or of material that identifies the Applicant or is likely to lead to the Applicant’s identification is prohibited.