EHG v Commissioner of Police  NSWCATAD 54
Read the full decision here: EHG v Commissioner of Police  NSWCATAD 54
The applicant “EHG” sought administrative review of the conduct by the NSW public sector agency, Commissioner of Police (the respondent) under the Privacy and Personal Information Protection Act 1998 (PPIP Act). The conduct under review was the respondent’s email to a third party which attached a notice of decision made on EHG’s application for information under the Government Information (Public Access) Act 2009 (GIPA), despite EHG confirming the correct email address. The Tribunal found that EHG’s personal information was disclosed to the recipient of the email and there was an apparent breach by the respondent of the provisions on disclosure under section 18 of the PPIP Act. The Tribunal also found that, if the email recipient was a person outside NSW, this disclosure also breached section 19(2) of the PPIP Act. The Tribunal relied on statutory guidance by the NSW Privacy Commissioner on the transborder disclosure principle in section 19(2). The Tribunal made orders requiring the respondent to formally apologise to EHG in writing and remind staff of the importance of correctly recording email addresses and of addressing emails correctly.
What you need to know
In this case, the Tribunal made significant comments on the nature and consequences of email communication for NSW public sector agencies, and the practical difficulties for persons aggrieved by conduct involving misdirected email communications.
The decision highlights for agencies that a breach of the IPPs under the PPIP Act can inadvertently occur through electronic communications with the public where individuals can have similar email addresses. The decision is a strong reminder to agencies to always check an applicant’s email address to avoid a possible breach of the IPPs.
The decision also highlights statutory guidance by the Privacy Commissioner on the operation of section 18 (disclosure IPP) and 19(2) (special restrictions on disclosure outside NSW) of the PPIP Act. A link to the guidance is here: https://www.ipc.nsw.gov.au/guidance-transborder-disclosure-principle-section-192
Information Protection Principles (IPPs)
Section 18 Limits on disclosure of personal information (IPP 11)
Section 19 Special restrictions on disclosure of personal information (IPP 12)
Section 57 (required period for deciding application)
Electronic Transactions Act 200
Sections 8, 13A and 13B
On 4 January 2020, EHG made an access application under the GIPA Act to the Commissioner of Police. EHG requested that all correspondence in relation to this application be by email and confirmed the correct email address. The agency had previously sent an email intended for the applicant to an email address in error, with the incorrect email address differing from EHG’s email address by the removal of one letter in the middle of the address. On 5 February 2020, the agency emailed its decision on EHG’s access application under the GIPA Act to the incorrect email address. EHG made an application for internal review. On 6 April 2020, EHG received the internal review report which concluded that it did not breach an information protection principle (IPP) under the PPIP Act because the exercise of the Commissioner of Police’s functions under the GIPA Act are exempted from the operation of the PPIP Act by section 27(1) of that Act.
On 17 April 2020, EHG sought administrative review by the Tribunal, which conducted several case conferences. On 19 June 2020, the respondent advised it no longer relied on section 27.
The issue in dispute before the Tribunal was whether the sending of an email to an incorrect email address constitutes a disclosure of the information contained in the email, and in its attachment, to the user of that email address (at ).
In considering the parties’ evidence (at ), the Tribunal stated:
In submissions, the Commissioner submitted that there had been a typographical error that resulted in an incorrect email address being used. There is no evidence before me that justifies this conclusion. The Commissioner has not produced evidence from the person who sent the email explaining why the wrong email address was used. A number of explanations suggest themselves, both innocent and otherwise. The reality is that there is no explanation of why the access decision containing EHG’s personal information was emailed to a stranger. There is agreement that it was and that there was no message received indicating that the email had bounced back.
The Tribunal (at -) considered the parties’ submissions on whether the ET Act applied to the notice under the GIPA Act, and determined that the emailed notice of decision was not sent to EHG’s designated electronic address, and that section 13B of the ET Act has no operation. The Tribunal went on to say that “If that section did apply, its effect would be to assume that the email was capable of being retrieved by the addressee, not that it was opened and read by the addressee”.
In considering the respondent’s conduct against section 18 of the PPIP Act, the Tribunal considered the Commissioner’s submissions that there was no evidence that EHG’s personal information was disclosed to another person (being the recipient of the email sent to an incorrect email address (at ).
The Tribunal (at ) determined that:
There is no suggestion that the recipient may have already been aware of EHG’s personal information. In those circumstances, I think it reasonably open to me to draw an inference that the personal information would be new to recipient, if she or he accessed the email.
The Tribunal also considered the respondent’s submission that because there was no evidence that the recipient did actually open the email (at ), the Tribunal cannot be satisfied that there has been a disclosure in breach of section 18.
The Tribunal (at -) did not agree with the respondent’s submission and considered that, as there was no doubt that the email sent to the wrong address contained EHG’s personal information, there was no conflict of evidence to grapple with, or requirement for verification or corroboration as the content of the email was certain.
At -, the Tribunal made significant comments on the nature of email communication:
There are real, practical difficulties confronting anybody who becomes aware that an NSW government agency has misdirected an email containing their personal or health information to the wrong email addresses and who seeks to hold the agency to account under the PIPP Act. Where the agency does not request a read or received receipt from recipients of its emails, an aggrieved person cannot look to the agency to provide evidence that a wrongly named recipient received or accessed the email concerned. If there is a bounce back notice received, the agency can demonstrate that the email was not received. If there is no such notice, then no one, apart from the recipient, will be in position to demonstrate whether the email was or was not received or accessed. Persons aggrieved may also find themselves in a position, like EHG, where the agency - who dispatched the email to an incorrect address - puts them to the near impossible task of proving that the misdirected email was received and accessed by its new recipient. As has occurred in this case, they may also be asked by the agency to demonstrate that the personal information the email contained was new to the recipient and that the recipient was in NSW.
The Tribunal determined at  that:
In my view, it is highly likely that the email dispatched by the Commissioner to the wrong recipient was received and accessed by that recipient. I have already indicated that I am prepared to infer in the circumstances that the personal information contained in the email was new to the recipient. I am satisfied that EHG’s personal information was disclosed to the recipient. There has been an apparent breach by the Commissioner of the provisions of section 18 of the PIPP Act.
At - the Tribunal suggested that the Commissioner investigate how it could use existing technology to address the risk of incorrect email addresses being used:
I do not think it appropriate in this circumstance to make orders which look to un-costed specific system changes or modifications. However, it would seem sensible for the Commissioner to investigate whether it is possible, using existing systems and software:
- to automatically populate email addresses from the case management system; and,
- to request email received receipts and email read receipts when sending decisions under the GIPA Act to access applicants.
If either are possible, some problems arising from incorrect email addresses being used may be prevented, or their consequences ameliorated.
The Tribunal made orders to the Commissioner of Police, including, to formally apologise to EHG in writing, and to remind staff of the importance of correctly recording email addresses and of addressing emails correctly.