Privacy Case Note: Jackson v The University of New South Wales [2018] NSWCATAD 12
The IPC Privacy Case Note for Jackson v The University of New South Wales [2018] NSWCATAD 12 appears below. For the full decision click here
Summary
The meaning of personal information can be gleaned from the content and the context in which information or an opinion appears, and is not confined to the personal information of one person.
What you need to know
The Applicant complained that the University of New South Wales (the University) had used and disclosed his personal information to persons at the University. The Respondent after conducting an internal review concluded that there was no breach of an Information Privacy Principle or any breach of the Privacy and Personal Information Protection Act 1998 (PPIP Act).
The issues in dispute before the Tribunal were the nature of the personal information that is alleged to have been disseminated and extent of the dissemination.
The Tribunal at [78] in considering whether the list was personal information of the Applicant, was guided by cases referring to whether something meets the definition of ‘personal information’:
- While different contexts can provide different implications, it is information or opinion itself which must fall within the definition of ‘personal information’ EG v Commissioner of Police, NSW Police Service [2003] NSWADT 150 at [34]; NSW Police v EG; EG v NSW Police (GD) [2004] NSWADTAP 10 at [59].
The Tribunal at [89] observed that the definition of ‘personal information’ in the PPIP Act is not confined to information that concerns the ‘personal affairs’ of a person and that information can be the personal information of more than one person. WL v Randwick City Council [2007] NSWADTAP 58 at [20]; AJD v Royal Prince Alfred Hospital [2014] NSWCATAD 125 at [73] to [77]
In this matter the Applicant had provided a list of 19 named persons to the University and that list was disclosed to others. The dispute was whether the list was the Applicant’s personal information. The Tribunal accepted that the list is about those individuals included on the list, and was of the view that the list is also information about the Applicant, in that it is a list compiled by the Applicant [90].
The Tribunal observed that Information Protection Principle 10 (section 17 of the PPIP Act) is concerned with the internal use made of personal information by an agency rather than disclosure outside [100]. The Tribunal observed that use requires more than mere accessing or viewing, the information is to be employed for some purpose [102].
The Tribunal did not accept that the list was provided to one person to allow that person to be prepared to deal with a broad access application that had not yet been lodged. Therefore the Tribunal did not accept that the list was used for a purpose related to the purpose for which the information was collected [105] to [106]. The Tribunal was also not satisfied that the list was provided to another person for a purpose related to the purpose for which it was collected [107]. The exemptions in section 17 did not apply in the circumstances [109].
The Tribunal concluded that the University had breached the Applicant’s privacy in using the list of named persons for a purpose other than the purpose for which it was collected.
Legislative background
Section 4 Definition of personal information.
Section 17 Limits on use of personal information (IPP 10)
Factual background
The Applicant is a former student of the University and the disclosure of information was made to some persons at the University that the Applicant was in the process of making a complaint about. The conduct complained about occurred following the Applicant identifying that he was making an access application under the Government Information (Public Access) Act 2009 for information about his candidature as a doctoral research student. As part of the discussion concerning the request the Applicant provided the University’s right to information officer with a list of 19 names related to a complaint the Applicant was proposing to make. The University’s right to information officer sent the email from the Applicant including the list to staff at the University’s Graduate Research School as part of the gathering of information for the access request.
Tribunal findings: Breaches
The Tribunal was of the view [87] that the personal information in issue is not merely the 19 names on the list that the Applicant was intending to identify in an access application, but also to the existence of the list and that the Applicant proposed to make a complaint. The meaning of personal information is gleaned from the context and content in which information or an opinion appears. The Tribunal at [90] accepted that the list was about those names included on the list but also about the Applicant as it is a list the Applicant compiled.
The Tribunal found at [105] to [109] and [113] to [115] that:
- there was a breach of section 17(b) of the PPIP Act in that the University used the information regarding the existence of the list and the content of the list by sending it to two people, and this was for a purpose not related to the purpose for which the information was obtained; and
- the evidence did not support that any of the exceptions in section 17 apply.
The Tribunal at [117] otherwise affirmed the University’s decision that there were no breaches of the Information Protection principles, other than the two breaches of section 17.
The matter was set down for a further case conference to determine what action, if any, should be taken in relation to the breaches.