IPC Case Notes - Privacy
The Information and Privacy Commission NSW (IPC) publishes case notes to highlight significant and interesting cases from the IPC's jurisdictions.
See below for case notes relating to Privacy.
IPC case notes are intended to serve public sector agencies and practitioners from the private, government and university sectors. The case notes are current at the date published. IPC case notes are not intended to replace legal advice, which should be sought as appropriate.
EIG v North Sydney Council  NSWCATAD 127
Certain information, which would not ordinarily be ‘personal information’ or ‘health information’ under the PPIP Act or HRIP Act, may become ‘personal information’ or ‘health information’ when used in a particular context. In these proceedings, the Respondent’s use of the “Medical” in a report made available on its website as the reason why the Applicant was attending meetings remotely was found to be ‘health information’ under the HRIP Act.
FCZ v Illawarra Shoalhaven Local Health District  NSWCATAD 79
Section 22 of the HRIP Act confirms that any limitations on access imposed by the GIPA Act also apply to an agency’s obligation to comply with the HPPs. Where an overriding public interest against disclosure under the GIPA Act applies to the information, an agency is not required to provide access to the health information under the HRIP Act. The decision also identifies the importance of agencies confirming, by way of evidence, the parental responsibility of a person making a request for access to personal and health information about a child under the HRIP Act.
EMF v Cessnock City Council  NSWCATAD 219
The transfer of personal information within an agency, from one unit or employee to another, can involve a disclosure or use of that information. However, ‘disclosure’ for the purposes of IPP 11 generally refers to making the personal information in question available to people outside the agency. If an agency wishes to continue to use personal information collected for a specific purpose for another purpose, the agency should notify the complainant and consider providing them with an “opt-out” mechanism. In this matter, the Tribunal was satisfied that there were systemic or broader privacy compliance issues within the Respondent relating to compliance with IPPs 3 and 10.
DVT v Commissioner of Police  NSWCATAD 108
Under section 14 (IPP 7) of the PPIP Act, an individual can request access to their personal information held by a public sector agency. Except where non‑compliance is excused or compliance is exempted by law, the agency must provide the individual with access to the information without excessive delay and cannot impose any qualifications or conditions on access.
EIG v North Sydney Council  NSWCATAD 66
The information security obligation under section 12 (IPP 5) is not a static or ‘one size fits all’ obligation. Rather, IPP 5 requires such security safeguards as are ‘reasonable in the circumstances’. Where an agency is aware of the potential for deliberate and motivated circumvention of its security measures for likely political motives, actions which will not be easily thwarted by standard or existing security safeguards, the agency is required in those circumstances to implement increased security safeguards to meet this increased security threat.
EHG v Commissioner of Police  NSWCATAD 54
The decision reminds agencies to check the accuracy of a person's email address before sending personal information by electronic communications. In this case, the agency breached the disclosure principles in sections 18 and 19 of the PPIP Act by sending personal information to an unknown third party recipient.
DRP v Orange City Council  NSWCATAD 220
Publication of the applicant's objections to a development application report on the local council's website did not breach IPP 11 (disclosure) because the information was not personal information within the meaning of section 4 of the PPIP Act; and pursuant to section 5, IPP 11 does not affect the obligations of local councils to the mandatory proactive release requirements for ‘open access information’ under the Government Information (Public Access) Act 2009 (NSW).
DTN v Commissioner of Police  NSWCATAD 107
The time period for review under section 53(3)(d) of the PPIP Act commences when the applicant for review first became aware of the conduct; the awareness of the applicant or their agent, such as a solicitor, requires awareness of the relevant legal significance of the conduct within the meaning of section 53.
DQN v The University of Sydney  NSWCATAD 266
Use and disclosure of the applicant’s personal information for the purpose of complying with consultation requirements under the Government Information (Public Access) Act 2009 (NSW) and responding to an external administrative review did not breach IPP 10 (use) and IPP 11 (disclosure) because non-compliance was lawfully authorised under section 25(b) of the PPIP Act.
DQA v Secretary, Department of Family and Community Services  NSWCATAD 156
An agency will breach section 16 of the PPIP Act if it does not take steps, as are reasonable in the circumstances, to ensure the accuracy and relevance of personal information before using it; in this case, the agency was ordered to make a formal written apology to the applicant.
Transport for New South Wales v Waters  NSWCATAP 96
This Appeal Decision confirms that section 8(1) of the PPIP Act requires consideration of whether the collection of the particular information that constitutes ‘personal information’ is reasonably necessary for the lawful purpose for which it has been collected, not whether the collection of information as personal information is reasonably necessary.
DKV v Southern NSW Local Health District  NSWCATAD 12
Disclosure of information in a medical report by a specialist to treating GP was for the primary purpose for which it was collected, including for ongoing treatment by GP. Applicant’s specific consent to the disclosure was not required in the circumstances.
DKB v Commissioner of Police NSW Police Force  NSWCATAP 39
This is an Appeal Panel decision concerning the exemption under section 27 of the PPIP Act for the NSW Police Force and other agencies to comply with the IPPs and the exemption for public sector agencies under section 25 where non-compliance with IPPs is lawfully authorised or required.
DGL v Illawarra Shoalhaven Local Health District  NSWCATAD 296
An agency may depart from the Information Protection Principles for investigative functions, or where non-compliance is lawfully authorised, or required, or permitted.
Jackson v The University of New South Wales  NSWCATAD 12
The meaning of personal information can be gleaned from the content and the context in which information or an opinion appears and is not confined to the personal information of one person.
CRP v Department of Family and Community Services  NSWCATAD 164
In considering whether a work address is personal information the test is the content of the information and the context in which it can be said to be about an individual.
CRE v Blacktown City Council  NSWCATAD 285
Where it may not be practicable for an internal review to be conducted by an employee or officer of an agency, it may be necessary for an external consultant to be retained to conduct an internal review.
BKM v Sydney Local Health District  WCATAD 87
The Tribunal's powers to make orders concerning the systemic nature of an information practice/system.
ALZ v WorkCover NSW  NSWCATAP 138
Statements on which organisations rely should be sufficient for an ordinary member of the community to ascertain the answers to the matters listed in HPP 6.
AQG v Crown Solicitor’s Office  NSWCATAD 112
The law relating to the use of McKenzie friends and agents in proceedings and implied non-compliance with the PPIP Act.