Administrative Decisions Tribunal of New South Wales
Last Updated: 1 February 2010
NEW SOUTH WALES ADMINISTRATIVE DECISIONS TRIBUNAL
CITATION: XW v Department of Education and Training (No 2) [2010] NSWADT 17
DIVISION: GENERAL DIVISION
PARTIES:
APPLICANT: XW
RESPONDENT: Department of Education and Training
FILE NUMBERS: 063319
HEARING DATES: On the papers
SUBMISSIONS CLOSED: 23 November 2009
DATE OF DECISION: 19 January 2010
BEFORE: Montgomery S - Judicial Member
LEGISLATION CITED:
Administrative Decisions Tribunal Act 1997
Privacy and Personal Information Protection Act 1998
Health Records and Information Privacy Act 2002
CASES CITED:
XW v Department of Education and Training [2009] NSWADT 73
TEXTS CITED:
APPLICATION: Privacy – information protection principle – personal information – health information – health privacy principle – security
MATTER FOR DECISION:
REPRESENTATION:
APPLICANT: ZR, agent
RESPONDENT: J McDonnell, solicitor
ORDERS: The Tribunal determines to take no action with respect to the application.
REASONS FOR DECISION
1 In these reasons the names of private individuals, and other information which might identify them, have been anonymised so as to preserve the privacy of their personal affairs. The applicant is referred to as XW.
2 These proceedings concern the security of documents containing information relating to the personal affairs of XW held by a school (referred to as "the School") operated by the NSW Department of Education and Training ("the Department"). XW applied to the Tribunal for review of conduct of the Department and alleged that the Department had contravened s12(c) of the Privacy and Personal Information Protection Act 1998 ("the PPIP Act").
3 The substantive issues in this matter were determined by Judicial Member Pearson and her decision is recorded at XW v Department of Education and Training [2009] NSWADT 73 ("the substantive decision"). The background to the matter is set out in that decision. At paragraph [93] the Judicial Member concluded:
93 For the above reasons, I conclude that the security safeguards adopted in the School against loss or unauthorised access to personal information were not reasonable in the circumstances, and accordingly there was a failure to comply with s12 of the PPIP Act. The applicant sought an order pursuant to section 55(2) of the Act. The matter should be relisted to consider the further progress of the matter in regard to that issue.
4 XW has been represented in these proceedings by his mother, as agent. In the substantive decision she is referred to as ZR. In these reasons I will also refer to XW's agent as ZR.
Applicable legislation
5 The Tribunal's role under section 55 of the PPIP Act is to undertake a review of the conduct that was the subject of the complaint. The Tribunal may decide not to take any action on the matter, or may make any one or more of the orders specified in section 55(2). As noted, the applicant sought an order pursuant to section 55(2), which provides:
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
6 In his application to the Tribunal, XW sought the following orders:
- Acknowledgement that the DET contravened an information protection principle and privacy code of practice.
- Compensation for damages suffered because of the conduct.
- Order requiring performance of an IPP or privacy code of conduct.
7 XW has withdrawn his application for financial compensation. He has received a draft of a letter from the Assistant Crown Solicitor acknowledging responsibility for the breach of section 12(c) of the PPIP Act. Argument is therefore limited to whether any further orders should be made and, if so, what those orders should be.
Applicant's case
8 XW refers to Pearson JM's views as to the requirements of section 12 at paragraph [67] of the substantive decision where she stated:
67 Section 12(c) requires security safeguards that are reasonable in the circumstances. That is clearly an objective evaluation, and one that requires consideration of the nature of the information, which would include its sensitivity, and the consequences of loss, unauthorised access, use or disclosure. The s12(c) obligation applies in relation to information the agency has a need to hold, which is the only information an agency should hold (s12(a) PPIP Act). The issue of who in the agency needs to be able to access it, and how access is regulated, is relevant.
9 XW also refers to Pearson JM's comments about the Department's attempt to ensure reasonable security safeguards at paragraphs [80] – [82] of the substantive decision where she stated:
80 Based on the documents provided, I accept that the respondent Department provided general information to staff about their obligations under the PPIP Act. Bulletin No 4, dated 16 February 2001, addresses the storage of and access to personal information. The clearest guidance provided in that bulletin is that "where practicable, filing cabinets containing personal information should be locked and personal information stored on electronic files should be password protected". I accept that as committed professionals, staff at the School were conscious of the need to protect personal information. AB noted in his evidence that some matters were discussed at meetings rather than being put on paper. The School Counsellor noted that the need for confidentiality was discussed at staff meetings. FG gave evidence that when he moved offices he was assisted by students, but took his files himself because of his concern that students not see them. However, apart from the general Department bulletins, there does not appear to have been any written or unwritten guide or policy about handling documents relating to students, apart from, according to FG’s evidence, a staff handbook which he had received some time earlier. The respondent relied on publications including a School "Communications" document, however on the evidence of the School Counsellor this document dates from some time in 2005 to 2006; in any event, it refers only to "use" of personal information and not its security.
81 The evidence was consistent as to the practice for access to student files in the interview room, which was that staff could ask the Senior Administration Manager to obtain a file, or read from the file in the interview room after the Senior Administration Manager had provided access. In other respects, however, access to documents relating to students was less controlled. AB’s evidence was that reports relating to a student might go from him to the student’s teachers, advisors and the counsellor. There was no evidence as to School or Departmental policy for individual teachers or others who received documents relating to students, apart from the School Counsellor.
82 Viewed in context, I am satisfied that in many respects the School was conscious of the need for, and took steps to ensure, appropriate security in the administration area. The School upgraded the master key system over time, and access to master keys was restricted to those with a legitimate need to have such access. I am satisfied that individual staff were conscious of the need to be careful about distribution of documents relating to individual students. However, while policy and practice as to filing and storage of such documents was in general clear and followed, there were gaps, for example in how individual teachers and year advisers dealt with the documents passed on to them from the Principal. The evidence of the School Counsellor was that staff such as year advisors and those involved with student welfare would often maintain their own files and keep copies of documents for ease of access. There did not appear to be any consistent practice for disposal of such documents: on the School Counsellor's evidence, after an individual student left the School some year advisors would transfer information on to the School file, while others would destroy the documents.
10 At paragraph [92] of the substantive decision, Pearson JM observed that the School's response to the specific concerns about security issues, including access to the computer system, was slow.
11 ZR contends that these comments provide a basis for an order that sets out the manner in which the Respondent should be required to comply with section 12(c) to ensure that personal information held by the Respondent is protected against "loss, unauthorised access, use, modification or disclosure, and against all other misuse". She submits that for the performance of section 12(c) there needs to be:
a. an objective evaluation, that considers the nature of the information, its sensitivity, and the consequences of loss, unauthorised access, use or disclosure ('the circumstances'), as well as who in the agency needs to be able to access it, and how access is regulated;
b. a guide or policy for staff about handling documents relating to students, including their security;
c. advice for individual teachers or others who received documents relating to students, apart from the School Counsellor;
d. a consistent practice for disposal of such documents;
e. documentation of an appropriate procedure and timeframe for responding to security breaches;
f. an acknowledgement in the policy or guide that sensitive 'personal information' in documents, such as those held by a School Counsellor, requires additional levels of security.
12 XW requests that the Tribunal issue an order requiring the Respondent's performance of section 12 by developing a guide or Policy for employees that includes:
a. the classification of ‘personal information' taking into account its sensitivity, and the consequences of loss, unauthorised access, use or disclosure;
b. the minimal security safeguards required for different types of 'personal information' according to its classification;
c. who is entitled to access the different levels of ‘personal information' and how this access is regulated and recorded;
d. a procedure for tracking the location of the ‘personal information' including its location and disposal, after a student leaves school;
e. a procedure for response to a breach of these security safeguards and how these breaches are recorded and acted upon;
f. a regular ongoing program for education of staff on security of 'personal information' that takes into account:
- transfer of staff into new positions
- appointment of new staff
- promotion of staff into positions with an expansion of their responsibilities and wider or different access to 'personal information'
Respondent's case
13 The respondent submits that the only contraventions and/or failures to ensure reasonable security safeguards recorded by Judicial Member Pearson are contained in paragraph [92] of the substantive decision. Mr McDonnell submits that the matters that ZR has identified as necessary for the performance of section 12(c) are merely ZR's suggestions for improvements in privacy compliance. He says that none of these suggestions reflects a contravention. He submits that Judicial Member Pearson did not find that steps were not taken in response to specific concerns about security issues. The only contravention of section 12(c) that she found was that the response was slow and therefore inadequate.
14 Mr McDonnell submits that the Tribunal's power under section 55(2)(c) does not extend to ordering the respondent to "develop a guide or Policy for employees". It merely authorises the Tribunal to make an order "requiring the performance of" an IPP or privacy code of practice. He argues that no such order could be made here, as there is no suggestion that any IPP or code of practice is not being performed.
15 Alternatively, Mr McDonnell submits that the Tribunal should not require the respondent to develop a guide or policy addressing the matters that ZR has identified, as the range of possible security safeguards reasonable in the circumstances will be enormous, from the most serious breaches requiring immediate police assistance to far less serious breaches. Further, he asserts that there is no suggestion in the substantive decision that any such documentation should be required.
16 The respondent submits that, given that the contravention of section 12(c) found in paragraph [92] of the substantive decision occurred in the past and there is no suggestion of any ongoing failure to perform an IPP, the Tribunal cannot or, alternatively, should not make any order under section 55(2)(c).
Consideration
17 I agree with Mr McDonnell's submission that the only contravention that Judicial Member Pearson has identified is contained in paragraph [92] of the substantive decision. The only contravention of section 12(c) that she found was that the response was slow and therefore inadequate.
18 It does not appear to be in dispute that the conduct which was found to be in contravention of section 12(c) of the PPIP Act occurred several years ago. The last unauthorised access to the school counsellor's room was in 2005. There is no reason to conclude that there is any ongoing contravention of section 12(c).
19 I note that XW has received a draft of a letter acknowledging responsibility for the breach of section 12(c). I am not aware of whether or not that has now been provided as a formal acknowledgment of the breach by the Department. In my view, it is appropriate that such an acknowledgment be provided if it has not been given already.
20 I do not agree with Mr McDonnell that the Tribunal's power under section 55(2)(c) is limited in the way that he suggests. However, I do agree that it would not be feasible to make the orders that ZR has suggested. I also agree that those orders are not warranted in the circumstances of this matter, as I am unable to conclude that any IPP or code of practice is not being performed.
21 It follows that the Tribunal should not make any order under section 55(2) of the PPIP Act.
Order
The Tribunal determines to take no action with respect to the application.
URL: http://www.austlii.edu.au/au/cases/nsw/NSWADT/2010/17.html