Posted on May 30, 2018

Is disclosure of personal information within an agency a breach of the Privacy and Personal Information Protection Act 1998?

The Civil and Administrative Tribunal of NSW (‘NCAT’) has recently considered whether a University breached the Privacy and Personal Information Protection Act 1998 (‘PPIP Act’) by setting up an electronic rule within its email system that automatically redirected all emails sent from a particular person’s known email addresses from the Vice Chancellor’s ‘in-box’ to the University’s Legal Unit.

In CBL v Southern Cross University [2018] NSWCATAD 97, an individual (anonymised as ‘CBL’) argued that the University breached the Information Protection Principles set down in the PPIP Act in respect of the collection and disclosure of personal information, by establishing such a rule.

Applicable legislation
Under the PPIP Act a public sector agency, which includes the University, must not:

  • collect personal information unless the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and the collection of the information is reasonably necessary for that purpose (s8(1)); and
  • collect personal information by any unlawful means (s8(2)).

A public sector agency must take reasonable steps in the circumstances to ensure that the information collected is relevant to that purpose and that the collection does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates (s11 of the PPIP Act).

Relevantly, the agency that holds personal information must not disclose it to a person (other than the individual to whom the information relates) unless specific requirements set out at subsections 18(1)(a) – (c) and 18(2) are met.

CBL’s case
CBL asserted that the University’s interception and redirection of his emails to the University’s Legal Unit, its failure to provide a lawful purpose for the collection of his emails and its failure to inform him of the purpose for the collection of his emails breached the PPIP Act. Central to his argument was that the Information Protection Principles in respect of collection apply to each internal movement of personal information within an agency.

CBL also submitted that the University’s decision to redirect his emails was not done for a lawful purpose but to ostracize him because he was a whistleblower.

Did the University unlawfully collect Personal Information?
The NCAT held that the University did not breach any of the provisions of the PPIP Act in its collection of CBL’s emails.

It held that there was no requirement under the PPIP Act for the University to articulate a lawful purpose for the internal redirection of CBL’s emails.

NCAT referred to the case of ZR v NSW Department of Education and Training (GD) [2009] NSWADTAP 69 where the NCAT Appeal Panel held at [64] that the provisions of the PPIP Act are not concerned with internal movements of personal information within agencies.

Redirection is distinct from the University’s collection of personal information and the lawful purpose requirement:

‘attaches to the collection of the emails…. The reason or purpose for the redirection is more relevant to the question of whether, once collected by the [University], there was any breach of the PPIP Act requirements for use and disclosure.’ (at [28])

No specific submissions were made by CBL in respect of the improper use of his information by the University.

Did the internal redirection of CBL’s emails amount to disclosure?
The NCAT considered the principles relating to the internal disclosure of personal information. It noted that internal disclosures are not generally unlawful: AQK v Commissioner of Police NSW Police Force [2014] NSWCATAD 55 at [47]. However, in some circumstances, internal disclosures may amount to disclosure, either because the agency concerned consists of a number of discrete units, or the information is so highly confidential that it is reasonable to describe the manner in which it is disseminated as disclosure, or because of a combination of such factors (KJ v Wentworth Area Health Service [2004] NSWADT 84).

The NCAT did not consider that either of these circumstances was present in this case.

Although the NCAT found in this case that the University’s electronic procedures did not breach the PPIP Act, the case is a timely reminder of the need to carefully consider the implications of the PPIP Act when establishing systems and procedures for the electronic management of personal information. Specifically, care needs to be taken when redirecting individuals’ personal information to different units within the same agency.

A copy of the case can be found here.