Case Note: EIG v North Sydney Council [2022] NSWCATAD 127

Read the decision here: EIG v North Sydney Council [2022] NSWCATAD 127

Summary

The Applicant was a Councillor of North Sydney Council (the Respondent). The Respondent disclosed in a report made available on its website that the reason why the Applicant was attending meetings remotely was ā€œMedicalā€.

A review by Salinger Privacy and the internal review undertaken by the Respondent both concluded that the information was not ā€˜health informationā€™ but was ā€˜personal informationā€™ for the purposes of the PPIP Act.

The Applicant applied for external review by the Tribunal. The Tribunal found that inclusion of the word ā€œMedicalā€ in the context in which it was used was information about the physical or mental health or a disability of an individual and therefore ā€˜health informationā€™ under the HRIP Act. The Tribunal subsequently found that inclusion of the word ā€œMedicalā€ breached HPPs 4 and 11.

What you need to know

Certain information, which would not ordinarily be ā€˜personal informationā€™ or ā€˜health informationā€™ under the PPIP Act or HRIP Act, may become ā€˜personal informationā€™ or ā€˜health informationā€™ when used in a particular context.

Legislative background

HRIP Act

Schedule 1 Health Privacy Principles

PPIP Act

Section 10 Requirements when collecting personal information

Section 12 Retention and security of personal information

Section 17 Limits on use of personal information

Section 18 Limits on disclosure of personal information

Section 25 Exemptions where non-compliance is lawfully authorised or required

Factual background

The Applicant was a Councillor of the Respondent. The conduct in issue was the disclosure by the Respondent in a Council Report titled ā€œRemote Attendance by Councillors at Council Meetingsā€ made available on its website that the reason why the Applicant was seeking to attend Council meetings remotely was ā€œMedicalā€. The Applicant claimed that this was ā€˜health informationā€™ under the HRIP Act and that disclosure contravened HPPs under that Act.

The Applicant sought an internal review of the conduct. An internal review was undertaken by the Respondent with the assistance of Salinger Privacy. Both Salinger Privacy and the internal review concluded that the information was not ā€˜health informationā€™ but was ā€˜personal informationā€™ for the purposes of the PPIP Act. Salinger Privacy concluded that the Respondent breached the IPPs contained in sections 10 and 18 of the PPIP Act. However, the internal review undertaken by the Respondent concluded that non-compliance was permitted under section 25 of the PPIP Act which provides that an agency is not required to comply with the IPPs if non-compliance is permitted under another Act. The internal review concluded that non-compliance was permitted under the Local Government Act 1993 (NSW).

The Applicant subsequently sought external review by the Tribunal.

The issues for determination by the Tribunal were:

  1. Whether the relevant information was ā€˜health informationā€™ for the purposes of the HRIP Act or ā€˜personal informationā€™ for the purposes of the PPIP Act;
  2. Whether the conduct of the Respondent the subject of the internal review application breached one or more of the Health Privacy Principles under the HRIP Act or the Information Protection Principles under the PPIP Act; and
  3. If so, what further action, if any, should be taken.

At the hearing, the Respondent conceded that it had breached section 10(b)-(c) of the PPIP Act and section 18 of the PPIP Act. However, the Respondent submitted a document to the Tribunal at the conclusion of the hearing which submitted that if the Tribunal determined that the information was ā€˜health informationā€™, the Respondent would concede that it had breached HPP 4(1)(c)-(d) (which is in similar terms to section 10(b)-(c) of the PPIP Act) and HPP 11(1) (which is in similar terms to section 18 of the PPIP Act).

Tribunalā€™s findings

Whether the relevant information was ā€˜health informationā€™ for the purposes of the HRIP Act or ā€œpersonal informationā€ for the purposes of the PPIP Act

The Tribunal agreed with the Applicantā€™s submission that inclusion of the word ā€œMedicalā€ in the context in which it was used was information about the physical or mental health or a disability of an individual and therefore ā€˜health informationā€™ under the HRIP Act. Accordingly, the Tribunal considered whether the Respondent had breaches HPPs.

Whether the conduct of the Respondent the subject of the internal review application breached one or more of the Health Privacy Principles under the HRIP Act

It was not in dispute that the Applicant was not made aware that the Respondent proposed to include the description ā€œMedicalā€ as the reason for their request to attend meetings remotely in the Report. The Tribunal found that had the Respondent done so, that would have provided the Applicant with an opportunity to withdraw their request so as to avoid the disclosure. The Tribunal therefore found that the Respondent correctly conceded that it breached HPP 4.

The Tribunal also held that the information was:

  • collected for the primary purpose of the Respondent considering the Applicantā€™s request to attend meetings remotely;
  • disclosed to the public on the Respondentā€™s website for the secondary purpose of placing on the public record relevant information in relation to the meeting; and
  • disclosed both without the Applicantā€™s consent and in circumstances where the Applicant would not reasonably expect that information to be disclosed

The Tribunal therefore found that the Respondent correctly conceded that it breached HPP 11.

Tribunal outcome

The Tribunal made the following orders:

  1. Pursuant to section 64 Civil and Administrative Tribunal Act the publication or broadcast of the name of the Applicant in these proceedings is prohibited. Note: A reference to the name of the Applicant includes a reference to any information, picture or other material that identifies the Applicant or is likely to lead to the identification of the Applicant.
  2. Within 14 days of the date of these Reasons for Decision the Respondent is to provide an unreserved formal written apology to the Applicant addressing and apologising for the Respondentā€™s breaches of HPP 4 and HPP 11 in respect of the health information of the Applicant as identified in these Reasons for Decision and for all distress and embarrassment caused to the Applicant by such.
  3. Within 14 days of the date of these Reasons for Decision the Respondent must publish an anonymous notice not identifying the Applicant (in accordance with the publication restriction) in the ā€˜Latest Newsā€™ section of the Respondentā€™s website, under the heading ā€œCouncil found to have committed privacy breachesā€ and noting Order 2 of the Tribunal in relation to the Respondentā€™s breaches of HPP 4 and HPP 11 and such notice must stay up for a period of 3 months from publication.

IPC logo.

Ā© IPC

CC logo

Navigate

Useful links

IPC Social Media

   Linkedin

 

IPC Social Media Terms of Use