Administrative Decisions Tribunal of New South Wales

VK v Department of Education and Training (No 2) [2009] NSWADT 288 (24 November 2009)

Last Updated: 4 December 2009

NEW SOUTH WALES ADMINISTRATIVE DECISIONS TRIBUNAL

CITATION:
VK v Department of Education and Training (No 2) [2009] NSWADT 288


DIVISION:
GENERAL DIVISION

PARTIES:
APPLICANT
VK

RESPONDENT
Department of Education and Training



FILE NUMBERS:
063020

HEARING DATES:
18 July 2008 and 20 April 2009

SUBMISSIONS CLOSED:
22 June 2009



DATE OF DECISION:
24 November 2009

BEFORE:
Wilson R - Judicial Member





LEGISLATION CITED:
Privacy and Personal Information Protection Act 1998

CASES CITED:


TEXTS CITED:


APPLICATION:
Whether inaction may constitute ‘conduct’ within the meaning of the Privacy and Personal Information Protection Act 1998. Whether data recorded on a website which does not identify an individual may come within the exception provided by s 4(3)(b) of the Act.

MATTER FOR DECISION:



REPRESENTATION:
APPLICANT
In person
RESPONDENT
A Johnson, solicitor
Ms Mattes, solicitor


ORDERS:
1. The matter is listed for directions on 18.12.09 at 12:00 noon, the parties being granted leave to attend by telephone should they so wish.


Reasons for Decision:

REASONS FOR DECISION

1 The applicant commenced substantive proceedings in the Tribunal alleging that the respondent, by the actions of its officers, breached a number of provisions of the Privacy and Personal Information Protection Act 1998 (NSW). The matter has not yet reached a final hearing as the respondent commenced proceedings in the Appeal Panel in relation to earlier determinations by the Tribunal at first instance. The Appeal Panel proceedings are still pending.

2 The present determination is concerned with a matter remitted to the Tribunal at first instance by direction of the Appeal Panel on 06 March 2008. By this remitter the Appeal Panel directed the Tribunal at first instance to determine the issue whether the allegations (by the applicant) in relation to the closure of the website concern ‘conduct’ by the respondent within the meaning of the Act (the first direction) and to rule on outstanding applications for summonses (the second direction). The first direction concerns the argument advanced by the applicant, as one part of his claim, concerning the failure of the respondent to take steps so that students and staff at the school could not access, by using school computer facilities, data on a number of websites. It is common ground that, for a period of 7 days, after the parties became aware of the existence of this data on several websites, the data could be viewed from school computers. The data was not innocuous and was quite derogatory in content and clearly had been placed there with malicious intent. Access to the data on the several websites from school computers was in fact barred on 02 August 2004, its existence first becoming known on 27 July 2004. The period of delay could be significant on the assumption that the school already had restrictions in place which limited access to various websites, an assumption that is quite likely to be correct. If this be so, access could be restricted within a matter of minutes. During the course of the hearing, and by reason of the matters argued by the parties in their written submissions, a separate issue (the third issue) arose for consideration which was not the subject of any specific direction from the Appeal Panel. This third issue is considered post.

3 The question concerning the summonses that may issue was determined at hearing on 18 July 2008 and may be dealt with shortly in these reasons. Leave was granted to the applicant to issue summonses to the witnesses Bensch, Riddington, Norris and Henderson, there being no contest in relation to these witnesses and the Tribunal being of the view that they were likely to be able to give relevant evidence. However, the possibility that the other witnesses contemplated by the applicant could give relevant evidence was not sufficiently significant, at this stage, to persuade the Tribunal to grant leave for summonses to issue to them.

4 The first direction from the Appeal Panel has been set forth above. As noted, the applicant’s allegation here concerns the inaction of the respondent once it had become known that the data existed on the website, or, more correctly, on several websites. The parties agreed that this direction concerned alleged inaction which involved the allegation that the respondent failed to prevent access to the website data, as well as involving a failure to "close" the websites (see the agreed formulation in exhibit RR4 at paragraph 1). The question raised by the first direction is whether, in point of law, inaction or failure to act may constitute ‘conduct’ within the meaning of the Act. This is a question of construction.

5 The relevant provisions are contained in Parts 2 and 5 of the Act and in the definition sections. Division 1 of Part 2 provides for the information protection principles that must be observed whilst Division 2 applies those principles to public sector agencies: s.21 in particular provides that such agencies may not do any thing, or engage in any practice, that contravenes any information protection principle. Any such contravention is conduct to which Part 5 applies (s.21(2)). Similarly, s.52 applies the provisions of Part 5 to conduct which is constituted by, inter alia, a contravention by a public sector agency of an information protection principle. The legislation then provides for pathways to internal review and to Tribunal review by reference to the conduct of a public sector agency (ss. 53(1) and 55(1)). Consequently, any thing done by an agency or any practice engaged in by an agency (s.21), which contravenes an information protection principle, is conduct within Part 5. The question remitted by the Appeal Panel then becomes whether the inaction of the respondent alleged by the applicant is capable of bringing about a contravention of an information protection principle, assuming the other requisite elements are satisfied. If so, it is conduct within Part 5.

6 It is often difficult to distinguish between action and inaction in a meaningful way. The common law experienced the same difficulty in relation to misfeasance and nonfeasance. There are times when the distinction is no more than an artifice which serves little purpose. In the present case, for example, should analysis be based on a failure to prevent access to the data or should it be based on the fact that the respondent continued to make available computer facilities capable of accessing the data? The former concerns inaction whereas the latter involves acts that in fact occurred. There is really no substantial difference between the two ways of expressing the same point. The Act could clearly apply to the acts of the respondent in continuing to make computer facilities available during the period in question. For this reason alone the allegations by the applicant in relation to the closure of the website may constitute conduct within the meaning of the Act, despite being allegations of inaction rather than allegations of positive conduct. This, of course, does not determine the further question, which remains for final hearing, whether or not the respondent has acted in breach of any information protection principle.

7 However, on its proper construction, the legislation does envisage that, in certain situations, a failure to take certain steps may well bring about a contravention of relevant principles. Where a respondent collects information about a person from a third party so that a breach of s.9 arises, the conduct giving rise to the breach is a failure to obtain that information from the person concerned as the Act requires. Similarly, if information is held and not protected because reasonable safeguards are not put into place, the breach of s.12(c) is constituted by a failure to take the reasonable steps that were open. For this reason as well, the allegations by the applicant are capable of constituting ‘conduct’ within the meaning of the Act. Again, this does not determine the question of breach.

8 For the reasons set forth above the first issue remitted by the Appeal Panel should be answered yes: the allegations (by the applicant) in relation to the closure of the websites, including failure to restrict access, do concern ‘conduct’ by the respondent within the meaning of the Act.

9 During the course of the hearing, and arising from written submissions that were filed, the parties pressed two particular issues that appeared to be additional to the issue that was remitted. The respondent’s written submissions concerning the remitter from the Appeal Panel are contained in exhibit RR4. The argument advanced by the respondent in those submissions was that the failure to prevent access to the website did not involve the respondent in the collection, holding, use or disclosure of the applicant’s personal information (at paragraph 10) as the respondent’s response to the website was not "conduct" regulated by the Act. In part this was argued on the bases that first, the respondent did not hold the information contained on the website and, secondly, in any event, that information was not personal information as defined as it was contained in a publicly available publication (paragraph 11).

10 These two issues appear to go beyond the terms of the remitter. However, at hearing the parties requested the Tribunal to determine these issues on the materials then available, even if they were outside the remitter. The Tribunal acquiesced in this course in order to progress the proceedings as much as possible, given the time that the proceedings have already consumed.

11 The first aspect to consider is whether the data on the website was contained in a publicly available publication. There is much common ground factually, albeit with limited precision. The data in question was contained on some 8 websites which had been set up by an entity distinct from the respondent. The respondent did not set up any of these websites, nor did it maintain them: the way in which this fact was put was that the websites were not hosted by the respondent. The data was then supplied by a third party to each of the websites where it was recorded and remained available for inspection. Inspection was achieved by the use of any computer which had the capability of making contact with any of the websites and which could then scan the data there recorded and subsequently cause it to be viewed (in the English language) on a screen linked to the computer being used. The respondent provided computers with these several capabilities at the school involved. These computers could be used by both staff and students at the school to set up a connection with the websites and to scan the data held thereon and eventually to view the data in the English language on screens connected to the school computers. The school computers were in fact so used on multiple occasions.

12 The nature of the data as it existed on any website was, of course, in electronic form. Consequently it was most likely recorded thereon in a binary format so that it was unintelligible until, through one device or another, it was transformed into the English language format. For this reason, conceptualising the data as stored as being equivalent to data stored in a published book in the English language which is held in a public library is not apposite. The storage of the data on the website was nothing like this at all. The definition of personal information in s.4(1) of the Act, by its terms, of course envisages that electronically stored data like this could constitute relevant information for the purposes of the Act, provided that other requisite elements are satisfied. However, the point is that computer facilities are necessary to render such data intelligible and this requires an examination of the events that occur when this is done.

13 When this electronic data was made available for perusal in the English language it appeared on the computer screens located at the school. At that stage it could be perused by the operator and by anyone in the vicinity. This was possible by reason of the fact that the school’s computers were set up with internet access, that is, the computers were able to scan the data held on the host’s computers and reproduce that data in the English language on the screens connected to the school computers. The evidence does not deal with precisely how this was done, but the usual course involves an interactive process (between computers) whereby the data from the website is actually stored on school computers, even if only temporarily whilst the data was visible on the school’s computer screens, or for a relatively short time thereafter. Equally, the evidence does not reveal whether or not the data would remain on school computers and would be accessed from that location (rather than the host website) whenever a later user endeavoured to access the data via the internet: this is a common feature of computers which is employed for economy and efficiency in terms of time. The parties did not delve into these aspects of computer interaction as they appeared to be arguing upon the assumption that the school computers simply "viewed" the data as it was stored on the host website on each occasion. It is unlikely that such an assumption is valid.

14 When the data appeared on the screens, it appeared as a narration of a story, in English. The characters in this story were given names, but the applicant’s actual name was not used in relation to any character. However, it was argued from both sides that, in point of fact, the category of persons who used school computers to peruse the website data would have been able to discern that one of the characters in part of the story was actually the applicant, or to put it another way, that part of the story was in fact referring to the applicant. The evidence whereby this nexus was established was not developed by the parties during argument and the Tribunal was asked to simply accept the assertion as fact. However, it was implicit in this argument that other persons viewing the relevant data, who did not fall into this category, would not have been able to discern that parts of the story were in fact about the applicant. This circumstance has relevance for both the definition of personal information and the application of the publicly available exception (sections 4(1) and 4(3)(b)).

15 Clearly, the websites in question here should be accepted as being available to all members of the public who have computer facilities which enable them to interact with the website computers. Of course, not all data contained on such websites would be accessible to users: programs associated with the running of the websites are prime examples as well as any other parts of the site which only allow restricted access to data, for one reason or another. The parties have asked the Tribunal to accept, however, that the data in question here (the story itself) was open to viewing without restriction. It therefore follows that this data was contained in a publicly available publication. However, this is only part of the question that s.4(3)(b) raises: the question under that sub-section is whether the data constitutes information about an individual that is contained in a publicly available publication. The element that the data be information about an individual cannot be passed over.

16 On these assumptions, the facts are quite unique. The point of the s.4(3)(b) exception is to remove from the control of the Act information about an individual that is freely available to everyone in a document that is publicly accessible. There is no purpose to be achieved in controlling such information. Here the information that is publicly available is not information about an individual (the applicant). For the vast majority of potential readers it is no more than a story in which characters are identified by fictitious names. For these potential readers, the data cannot be said to be information about an individual. Of course, on the assumed facts, some members of the school, both staff and students, are able to identify the applicant with one of the characters in the story. However, on the proper construction of the sub-section, this makes no difference. The sub-section, properly construed, requires that the data itself should provide identification of the individual to whom it refers (or is about). Identification of the particular individual should appear in the data ex facie without any recourse to extrinsic material or knowledge. There is, of course, no reference in this sub-section to the possibility whether the individual’s identity may be reasonably ascertained, as there is in s.4(1). Also, the application of s.4(3)(b) should not be made dependent upon the ability of readers of the data to form views as to the identity of the individual concerned: it is preferable if the test is an objective one.

17 Consequently, s.4(3)(b) has no application to the assumed facts. The respondent further submitted, if this be the case, then it necessarily follows that the data on the website would not constitute personal information as defined as it did not identify the applicant. However, the evidence does not address this point in sufficient detail to enable any determination to be made at this stage. The Tribunal notes, as well, that the construction of s.4(1) of the Act will necessarily involve different considerations due to the different elements for which the sub-section provides, particularly the question whether the applicant’s identity could be reasonably ascertained.

18 The further aspect that was raised during the course of the interlocutory hearing was the question whether any of the data the subject of the proceedings was information that was in fact held by the respondent at any relevant stages. Clearly, the data contained on the several websites, given that they were hosted by a third party, necessarily means that the respondent did not hold the data, in the normal sense, to the extent that it was located on these websites. However, the Act deals with conduct that is not dependent upon holding the personal information concerned, such as obtaining information, and s.4(4) of the Act envisages that control may bring about a holding of the information. Clearly the respondent had control over the websites that its computers could access. The Tribunal notes the allegation that copies of the website data were printed out from school computers and copies were handed around the school as well as the respondent’s argument that this lies outside the ambit of the applicant’s original application for review. This aspect therefore should be left to a substantive hearing, particularly given the interactive processes between computers that have been discussed above. It is not apposite to consider this question at this stage.

19 Given these findings it is not apposite for the Tribunal to make any orders at this stage. However, the matter will be listed for a further directions hearing on 18 December 2009 at 12:00 noon to enable the parties to determine the future conduct of the matter, including submissions as to any interlocutory orders that should be made and to consider the steps they may wish to take in relation to the proceedings pending in the Appeal Panel. The parties are granted leave to attend the hearing by telephone. Should any party wish to follow this course a convenient telephone number should be provided to the Registry within 7 days of receipt of these reasons for decision.






URL: http://www.austlii.edu.au/au/cases/nsw/NSWADT/2009/288.html