Privacy breach: personal info given to mediator


The NSW Civil and Administrative Tribunal has substantiated one of four complaints of privacy breaches following a workplace investigation at a university.


The decision clarifies limitation periods within the Act and possible exemptions for collection and use of personal information. 

Background

 
The applicant was an academic at Western Sydney University (WSU). She was subject to a workplace investigation in late 2013, after which she was made redundant. 
 
The applicant commenced unfair dismissal proceedings and then, on 28 December 2017, she applied for a review of the university’s conduct under s53 of the Privacy and Personal Information Protection Act (“PPIP Act”). 
 
She alleged that personal information was disclosed improperly in four instances, namely:
 
  • WSU sending its investigation allegations and her responses to Professor Mick Dodson
  • providing allegations and responses as annexures to affidavits made by WSU and filed in Federal Circuit Court proceedings
  • personal travel documents being accessed and used for an improper purpose; and
  • failure to correct personal information held in the allegations and responses. 

First complaint

 
WSU argued that Professor Dodson was engaged to assist with workplace issues and the information was collected and disclosed to him for this purpose. The tribunal commented that this claimed purpose was artificially wide. The purpose of collection was actually the workplace investigation, while the purpose of use was to allow mediation, which was said to be not directly related.
 
While the applicant expressed her approval of Professor Dodson’s appointment, she did not mention the disclosure of her information. The specific correspondence could not establish that she would not object to information marked as “strictly private and confidential” being provided to third parties.
 
On procedural matters, WSU submitted that the application was outside of the six-month period under s53(3)(c) of the PPIP Act. There was no evidence that the applicant was made aware that the relevant information had been provided to Professor Dodson prior to 30 June 2017, the date relied on. As such, the application was in time. 
 
Finally, WSU submitted that some allegations were exempt. The tribunal agreed, as some findings were made as ‘public interest disclosures’ to WSU’s office of audit and risk assessment, leading to a preliminary enquiry into the applicant’s conduct. The allegation was not exempt in its entirety, however; only those parts collected during the investigation were exempt.
 
As such, WSU providing the applicant’s non-exempt personal information to Professor Dodson breached sections 17 and 18 of the PPIP Act. The tribunal only made orders requiring further security safeguards against unauthorised disclosure or use.

The second complaint

 
The applicant again submitted that she only became aware of privacy breaches on 30 June 2017. As WSU did not provide evidence relating to the date of service of affidavits, and with the proceedings heard in July and August 2017, the applicant was in time.
 
WSU relied on an exemption within s25 of the PPIP Act, where an agency is lawfully authorised to not comply with privacy principles – as the affidavit was disclosed to enable compliance with court orders. In circumstances where neither party alluded to the relevant Federal Circuit Court law or order, the Tribunal was not satisfied that privacy principles were breached. 

Third and fourth complaint

 
In both cases, the applicant was aware of the alleged breach more than six months before lodging the application for review, meaning that the tribunal did not have jurisdiction to review.
 
The bottom line: The PPIP limitations clock starts running from the time the applicant is made aware of the breach, not from the time of the relevant conduct constituting the breach. Further, the nature of the information gathering as a public interest disclosure will allow future exemptions from privacy law.
