IPC Case Notes - Privacy

The Information and Privacy Commission NSW (IPC) publishes case notes to highlight significant and interesting cases from the IPC's jurisdictions.

See below for case notes relating to Privacy.

IPC case notes are intended to serve public sector agencies and practitioners from the private, government and university sectors. The case notes are current at the date published. IPC case notes are not intended to replace legal advice, which should be sought as appropriate.


November 2022
Nepean Blue Mountains Local Health District v ENY [2022] NSWCATAP 356
An executor cannot apply for the amendment of personal information or health information of a deceased person under the PPIP Act and HRIP Act respectively. The wording of the provisions in the PPIP Act and HRIP Act relating to the amendment of personal information and health information make it clear that they only apply where a living person applies for the amendment of their own personal or health information.

July 2022
Commissioner of Police (NSW Police Force) v DVT [2022] NSWCATAP 231
A failure to provide an individual with access to their personal information without excessive delay may amount to a deemed denial of access. The onus is on the agency to provide evidence supporting the withholding of information. Section 14 of the PPIP Act does not include in its wording any qualifications, requirements or conditions in respect of an individual’s exercise of their right to access their personal information held by an agency.

May 2022
EIG v North Sydney Council [2022] NSWCATAD 127
Certain information, which would not ordinarily be ‘personal information’ or ‘health information’ under the PPIP Act or HRIP Act, may become ‘personal information’ or ‘health information’ when used in a particular context. In these proceedings, the Respondent’s use of the “Medical” in a report made available on its website as the reason why the Applicant was attending meetings remotely was found to be ‘health information’ under the HRIP Act.

April 2022
FCZ v Illawarra Shoalhaven Local Health District [2022] NSWCATAD 79
Section 22 of the HRIP Act confirms that any limitations on access imposed by the GIPA Act also apply to an agency’s obligation to comply with the HPPs. Where an overriding public interest against disclosure under the GIPA Act applies to the information, an agency is not required to provide access to the health information under the HRIP Act. The decision also identifies the importance of agencies confirming, by way of evidence, the parental responsibility of a person making a request for access to personal and health information about a child under the HRIP Act.

July 2021
EMF v Cessnock City Council [2021] NSWCATAD 219
The transfer of personal information within an agency, from one unit or employee to another, can involve a disclosure or use of that information. However, ‘disclosure’ for the purposes of IPP 11 generally refers to making the personal information in question available to people outside the agency. If an agency wishes to continue to use personal information collected for a specific purpose for another purpose, the agency should notify the complainant and consider providing them with an “opt-out” mechanism. In this matter, the Tribunal was satisfied that there were systemic or broader privacy compliance issues within the Respondent relating to compliance with IPPs 3 and 10.

April 2021
DVT v Commissioner of Police [2021] NSWCATAD 108
Under section 14 (IPP 7) of the PPIP Act, an individual can request access to their personal information held by a public sector agency. Except where non‑compliance is excused or compliance is exempted by law, the agency must provide the individual with access to the information without excessive delay and cannot impose any qualifications or conditions on access.

March 2021
EIG v North Sydney Council [2021] NSWCATAD 66
The information security obligation under section 12 (IPP 5) is not a static or ‘one size fits all’ obligation. Rather, IPP 5 requires such security safeguards as are ‘reasonable in the circumstances’. Where an agency is aware of the potential for deliberate and motivated circumvention of its security measures for likely political motives, actions which will not be easily thwarted by standard or existing security safeguards, the agency is required in those circumstances to implement increased security safeguards to meet this increased security threat.

March 2021
EHG v Commissioner of Police [2021] NSWCATAD 54
The decision reminds agencies to check the accuracy of a person's email address before sending personal information by electronic communications. In this case, the agency breached the disclosure principles in sections 18 and 19 of the PPIP Act by sending personal information to an unknown third party recipient.

October 2020
DRP v Orange City Council [2020] NSWCATAD 220
Publication of the applicant's objections to a development application report on the local council's website did not breach IPP 11 (disclosure) because the information was not personal information within the meaning of section 4 of the PPIP Act; and pursuant to section 5, IPP 11 does not affect the obligations of local councils to the mandatory proactive release requirements for ‘open access information’ under the Government Information (Public Access) Act 2009 (NSW).

May 2020
DTN v Commissioner of Police [2020] NSWCATAD 107
The time period for review under section 53(3)(d) of the PPIP Act commences when the applicant for review first became aware of the conduct; the awareness of the applicant or their agent, such as a solicitor, requires awareness of the relevant legal significance of the conduct within the meaning of section 53.

December 2019
DQN v The University of Sydney [2019] NSWCATAD 266
Use and disclosure of the applicant’s personal information for the purpose of complying with consultation requirements under the Government Information (Public Access) Act 2009 (NSW) and responding to an external administrative review did not breach IPP 10 (use) and IPP 11 (disclosure) because non-compliance was lawfully authorised under section 25(b) of the PPIP Act.

August 2019
DQA v Secretary, Department of Family and Community Services [2019] NSWCATAD 156
An agency will breach section 16 of the PPIP Act if it does not take steps, as are reasonable in the circumstances, to ensure the accuracy and relevance of personal information before using it; in this case, the agency was ordered to make a formal written apology to the applicant.   

June 2019
Transport for New South Wales v Waters [2019] NSWCATAP 96
This Appeal Decision confirms that section 8(1) of the PPIP Act requires consideration of whether the collection of the particular information that constitutes ‘personal information’ is reasonably necessary for the lawful purpose for which it has been collected, not whether the collection of information as personal information is reasonably necessary.  

June 2019
DKV v Southern NSW Local Health District [2019] NSWCATAD 12
Disclosure of information in a medical report by a specialist to treating GP was for the primary purpose for which it was collected, including for ongoing treatment by GP. Applicant’s specific consent to the disclosure was not required in the circumstances.

February 2019
DKB v Commissioner of Police NSW Police Force [2019] NSWCATAP 39
This is an Appeal Panel decision concerning the exemption under section 27 of the PPIP Act for the NSW Police Force and other agencies to comply with the IPPs and the exemption for public sector agencies under section 25 where non-compliance with IPPs is lawfully authorised or required.

December 2018
DGL v Illawarra Shoalhaven Local Health District [2018] NSWCATAD 296
An agency may depart from the Information Protection Principles for investigative functions, or where non-compliance is lawfully authorised, or required, or permitted.

April 2018
Jackson v The University of New South Wales [2018] NSWCATAD 12
The meaning of personal information can be gleaned from the content and the context in which information or an opinion appears and is not confined to the personal information of one person.

November 2017
CRP v Department of Family and Community Services [2017] NSWCATAD 164
In considering whether a work address is personal information the test is the content of the information and the context in which it can be said to be about an individual.

October 2017
CRE v Blacktown City Council [2017] NSWCATAD 285
Where it may not be practicable for an internal review to be conducted by an employee or officer of an agency, it may be necessary for an external consultant to be retained to conduct an internal review. 

August 2015
BKM v Sydney Local Health District [2015] WCATAD 87
The Tribunal's powers to make orders concerning the systemic nature of an information practice/system.

July 2015
ALZ v WorkCover NSW [2015] NSWCATAP 138
Statements on which organisations rely should be sufficient for an ordinary member of the community to ascertain the answers to the matters listed in HPP 6.

June 2015
AQG v Crown Solicitor’s Office [2015] NSWCATAD 112
The law relating to the use of McKenzie friends and agents in proceedings and implied non-compliance with the PPIP Act.