Posted on November 28, 2024 by Dimitrious Havadjia and Stuart Simington

Breach of the Information Protection Principles by Fire and Rescue NSW

By nature of their operations, public sector agencies and organisations possess personal information provided by their employees and the general public they serve.

While much community focus has been placed on protecting data stored digitally, agencies must also comply with their own procedures and practise good physical file management.

A recent NCAT decision serves as a timely reminder of these principles, where leaving a confidential document on a desk in an accessible office resulted in an order for compensation.

Background

The Privacy and Personal Information Protection Act 1998 (PPIP Act) regulates public sector agencies’ use and disclosure of personal information in NSW. The NSW Civil and Administrative Tribunal (NCAT) can review potential breaches of the PPIP Act and award compensation to those affected by a breach.

In GKT v Fire and Rescue New South Wales (GKT), Fire and Rescue NSW (FRNSW) held a series of confidential meetings in response to complaints from the Applicant and other employees about workplace conduct.

FRNSW advised those involved in the meetings that the process was confidential and any copies of documents relating to those meetings must be destroyed.

Notwithstanding, the minutes of one of those meetings were inadvertently left on the watch room desk at the relevant fire station for two days (Meeting Minutes). All employees of the fire station, as well as other FRNSW staff visiting the fire station, were able to access the watch room.

Once discovered, FRNSW directed the fire station to be searched and any copies of the Meeting Minutes destroyed, and further privacy training was provided to all involved.

The Applicant sought relief from NCAT, alleging that FRNSW had breached its obligations under the PPIP Act concerning their personal information contained in the Meeting Minutes.

Relevant Findings

In GKT, a Senior Member of NCAT found that FRNSW had breached two provisions of the PPIP Act:

  1. it failed to take ‘such security safeguards as are reasonable in the circumstances’ (section 12), and
  2. used ‘information for a purpose other than that for which it was collected’ (section 17).

In relation to section 12, the Senior Member was satisfied that FRNSW generally had systems and policies in place to protect personal information (though whether the training provided was sufficient was disputed).

However, the fact that Meeting Minutes, which were meant to be confidential and contained personal information, were left in an accessible place for two days before anyone from FRNSW (either management or other employees) took steps to remove them demonstrated that the safeguards were not reasonable, and that ‘an expectation that someone in charge would and should have removed the confidential materials… is neither onerous nor unreasonable.’

In relation to section 17, the Senior Member rejected FRNSW’s argument that nobody had used the Meeting Minutes for any reason other than to resolve the workplace complaints.

Instead, the Senior Member found that the length of time the Meeting Minutes remained in the watch room meant that FRNSW, in effect, allowed others to access the Meeting Minutes, which was a distinct and separate use of the personal information in the Meeting Minutes to which the Applicant had not consented.

Although there was limited evidence as to the impact of the breaches on the Applicant, the Senior Member determined that $8,000 was appropriate in the circumstances to compensate the Applicant for the psychological harm suffered as a result of FRNSW’s breaches.

Implications

There are several key takeaways for public agencies and authorities.

The first is that breaches of the PPIP Act can have significant financial implications. The amount awarded in GKT is relatively high for a breach of the PPIP Act, especially given the limited evidence as to the harm caused to the Applicant, although it is well below the jurisdictional maximum of $40,000. In any case, the operational costs of proceedings and investigations into PPIP Act breaches can disrupt a workplace and strain resources. To avoid these costs, agencies should maintain robust data protection measures and regularly review their compliance with the PPIP Act.

Another key takeaway from GKT is the importance of management’s role in ensuring compliance with procedures. The Senior Member acknowledged that FRNSW was not generally responsible for unauthorised actions by employees (in this case, creating a further copy of the Meeting Minutes in breach of instructions). That said, the Senior Member expected management to have taken a more active role in ensuring compliance by removing the Meeting Minutes much more quickly. As the Senior Member observed, policies that are not adequately enforced or followed will not be sufficient to discharge an agency’s obligation to maintain reasonable safeguards under the PPIP Act.

Finally, the Senior Member appears to have expanded what constitutes a ‘use’ of personal information under the PPIP Act. It is well settled that mere retrieval of information does not constitute a use of that information for the purposes of section 17. In this case, there was limited evidence that anyone read the Meeting Minutes while they were in the watch room, and little evidence that anyone had ‘used’ the personal information contained in them.

However, the Senior Member’s view was that the length of time the Meeting Minutes were available provided sufficient opportunity for others to ‘use’ the Meeting Minutes, and that this conduct was therefore, in and of itself, a use. This appears to be a lower threshold than NCAT has previously adopted, and it raises the question of whether the mere existence of materials containing personal information, if not properly managed, could constitute a separate breach of the PPIP Act.

As such, we anticipate that GKT may be relied on by later applicants to seek relief from NCAT, even if there is no evidence that anyone actually read or used the relevant information.

If you would like to discuss any of the above, including what steps need to be taken to ensure compliance with the PPIP Act in light of this decision, please get in touch with Dimitrious Havadjia or Stuart Simington.

GKT v Fire and Rescue New South Wales [2024] NSWCATAD 335 can be read in full via this link: GKT v Fire and Rescue New South Wales – NSW Caselaw.