Civil and Administrative Tribunal New South Wales

• Medium Neutral Citation: ALZ v WorkCover NSW [2014] NSWCATAD 93
• Hearing dates: On the papers
• Decision date: 08 July 2014
• Jurisdiction: Administrative and Equal Opportunity Division
• Before: S Montgomery, Senior Member

Decision

1. The matter is remitted to the Respondent for reconsideration under section 65 of the Administrative Decisions Review Act 1997.

2. The reconsideration is to be completed by 29 July 2014.

3. The matter is listed for a further planning meeting at 3pm on 5 August 2014.

• Catchwords: Privacy - information protection principle - personal information -Health information - Health Privacy Principle - use of health information - collection - disclosure - storage - accuracy of personal health information
• Legislation Cited: Administrative Decisions Tribunal Act 1997; Civil and Administrative Tribunal Act 2013; Health Records and Information Privacy Act 2002; Privacy and Personal Information Protection Act 1998
• Cases Cited: AIL v Department of Premier and Cabinet (GD) [2013] NSWADTAP 26; ALZ v WorkCover NSW [2014] NSWCATAD 49; Department of Education and Communities v VK [2011] NSWADTAP 61; Department of Education and Training v GA (No 3) [2004] NSWADTAP; JD v Department of Health (GD) [2005] NSWADTAP 44; JD v New South Wales Medical Board [2008] NSWADT 67; KJ v Wentworth Area Health Service [2004] NSWADT 84; KO and KP v Commissioner of Police (GD) [2005] NSWADTAP; NX v Office of the Director of Public Prosecutions [2005] NSWADT 74; PC v University of New South Wales [2005] NSWADT 157; PN v Department of Education and Training (GD) [2010] NSWADTAP 59; SB v Roads and Traffic Authority [2010] NSWADT 255
• Category: Principal judgment
• Parties: ALZ (Applicant); WorkCover NSW (Respondent)
• Representation: ALZ (Applicant in person); Crown Solicitor's Office (Respondent)
• File Number(s): 133158

reasons for decision

1 This matter was commenced in the General Division of the Administrative Decisions Tribunal ("the ADT") pursuant to the Administrative Decision Tribunal Act 1997 ("the ADT Act"). On 1 January 2014, the ADT was abolished and its functions were taken over by the Civil and Administrative Tribunal of New South Wales ('NCAT'). The present decision is therefore a decision of NCAT. However, because the proceedings to which it relates are 'part heard proceedings' as defined in clause 6(1) of Schedule 1 of the Civil and Administrative Tribunal Act 2013, they are to be determined as if that Act had not been enacted (see clause 7(3)(b) of that Schedule).

2 In these reasons the names of private individuals have been anonymised so as to preserve the privacy of their personal affairs. The Applicant is referred to as ALZ. At relevant times ALZ was employed by a local council ("the Council").

3 ALZ alleges that the Respondent's conduct contravened several of the Health Privacy Principles ("HPP"s) of the Health Records and Information Privacy Act 2002 ("HRIP Act") and also several of the Information Protection Principles ("IPP"s) of the Privacy and Personal Information Protection Act 1998 ("PPIP Act").

4 This matter relates to the Respondent's internal review of a complaint by the Applicant regarding conduct of the Respondent. In her 'Privacy complaint: internal review application form' ALZ identified the conduct that she was complaining about as the collection of a psychiatric independent medical examination report by Dr Kar from the Council. In that part of the form that requested that she identify how to best describe her complaint ALZ ticked boxes indicating "collection of my personal or health information" and "use of my personal or health information".

5 I have set out the relevant background in my decision in ALZ v WorkCover NSW [2014] NSWCATAD 49.

6 Mr Craig McBride, the Respondent's Privacy Officer, undertook the internal review. I also set out the background to the internal reviews undertaken by Mr McBride in my decision in ALZ v WorkCover NSW [2014] NSWCATAD 49.

7 In his determination dated 14 September 2012 Mr McBride concluded:

Based on all the information available to me at the time of this internal review, I am unable to establish any evidence to support the alleged conduct has occurred.

8 Mr McBride suggested that Dr Kar's report was obtained from StateCover. In fact, Inspector Dall collected the report from the Council. On 13 December 2011, Inspector Dall made an oral request for the report to the Council's Return-to-Work Co-ordinator. The Return-to-Work Co-ordinator provided the report to Inspector Dall on 15 December 2011.

9 In an email dated 22 August 2012 from Inspector Dall to ALZ Inspector Dall wrote:

I requested a copy of a report from Dr Prabal Kar Psychiatrist ... I received a copy of the report from [the Council's] Return to work Coordinator after verbally requesting it as part of the investigation I was conducting into the before mentioned complaint.

10 This email was clearly written prior to Mr McBride's determination dated 14 September 2012. The Respondent accepts that Mr McBride made an error about how Inspector Dall obtained the report. However, it contends that this did not affect the substance of the determination or the conclusions reached.

11 Mr McBride also noted in his determination that:

It is important to advise that this internal review can only assess alleged breaches made by WorkCover. Having said this however, WorkCover has an obligation to ensure that injured workers are treated fairly and in accordance with the relevant legislation that binds the effective management of workers compensation claims. Therefore, a review of StateCover's actions has also been taken into consideration.

...

I understand your health information to be an independent psychiatric report by Dr Kar dated 10 November 2011. This report was requested by StateCover following your claim for workers compensation. Specifically I understand you are concerned about how this information was collected and used by StateCover, as the specialised insurer of workers compensation for [the] Council.

...

I have considered whether StateCover has collected and used your personal health information in accordance with the Health Records and Information Privacy Act 2002. I am of the opinion the actions comply with Health Privacy Principle 1, as the information was collected for a lawful purpose and directly related to StateCover's activities.

12 ALZ denies that she has complained about StateCover's conduct and contends that the Respondent has not provided any evidence to support the claim made by Mr McBride in the September 2012 internal review (and relied on in its submission) that their review of StateCover was in response to issues raised by ALZ.

13 ALZ subsequently lodged a second complaint under the HRIP Act in which she described the conduct complained of as:

"the conduct relating to the IME report from Dr Kar as follows:

Use of my personal or health information

Storage of my personal or health information

Disclosure of my personal or health information

Access and accuracy of my personal health information

This conduct of Mick Dall occurred in December 2011 and January 2012."

14 Mr McBride also undertook the internal review in relation to this second complaint. In his determination dated 5 December 2012 Mr McBride found that

(a) Inspector Dall did not complete his investigation into ALZ's complaint until 19 January 2012 and the outcomes were reviewed by his District Coordinator on 23 January 2012;

(b) the Respondent had not breached HPP 10 by using the medical report as part of Inspector Dall's investigation, as non-compliance was permitted, necessarily implied or reasonably contemplated under occupational health and safety laws for the purposes of the exception in HPP 10(2)(b);

(c) HPP 11 did not apply as the Respondent had not disclosed the medical report to any third party;

(d) the Respondent had not breached HPP 5;

(e) HPPs 7 and 8 did not apply, as the Respondent was not aware of any request by ALZ for access or amendment to her health information;

(f) the Respondent had not breached HPP 9. The medical report was just one piece of a broader range of evidence that was considered by Inspector Dall during the occupational health and safety investigation.

15 Mr McBride concluded:

You have asked WorkCover to undertake an internal review of how WorkCover used, disclosed, stored, accessed and considered the accuracy your health information when investigating your complaint about bullying and harassment at [the Council].

In light of all the evidence gathered and reviewed as part of this internal review, I am unable to establish that WorkCover has breached any relevant Health Privacy Principle during its investigation, under the OHS Act, of the complaint you made to WorkCover.

16 In February 2013, ALZ applied to the Respondent for an internal review of Mr McBride's conduct relating to the internal review of her complaint. ALZ specified the conduct that she was complaining about as:

That Mr Craig McBride, Privacy Officer, WorkCover NSW, while conducting an internal review of a privacy breach, collected both personal and health information about me, some of which was irrelevant, some of which is incorrect, and some of which is misleading.

He used the information in a way which was unfavourable to me, and which necessitated its disclosure to:

· the office of the Privacy Commissioner

· officers of the ADT, including the Tribunal member, and

· legal representatives of WorkCover.

17 ALZ ticked boxes on the complaint form to describe her complaint as:

"collection of my personal and also my health information

security or storage of my personal or health information

accuracy of my personal or health information

use of my personal or health information

disclosure of my personal or health information

other"

18 She also provided the following information in regard to her complain:

"What effect did the conduct have on you?

Mr McBride's conduct:

· made me feel anxious and upset, and is an ongoing stressor in my life

· is costing me (and my family) time and money, and causing inconvenience

· caused me humiliation and frustration

It makes me feel that WorkCover lack good faith in their dealings with me, and that they have a complete disregard for my right to privacy, and my right to make a complaint about privacy breaches. I feel that Mr McBride's conduct shows a contempt for the legislations which pertain to internal reviews i.e. section 53 PPIP Act, the HRIP Act and the ADT Act.

What effect might the conduct have on you in the future?

It is likely that the ongoing stress and anxiety will continue to affect all aspects of my life including; family, study, work, finances and health.

What would you like to see the agency do about the conduct? (for example: an apology, a change in policies or practices, your expenses paid, damages paid to you, training for staff, etc.)

I would like WorkCover to apologise to me. I would like them to examine the culture of the organisation with regard to privacy, which seems to show a widespread lack of regard for and knowledge about the privacy rights of individuals and the PPIP Act and HRIP Act; from WorkCover inspectors, to District Coordinators, to complaints officers to their privacy officer."

19 Ms Christine Laing, the Respondent's A/Right to Information Coordinating Officer, undertook the internal review of the February 2013 complaint. In her determination dated 23 April 2013 Ms Laing found:

Part One - Collection of personal information

General

On review of your application I cannot identify exactly what personal or health information it is that you consider has been 'collected', for the purpose of the previous internal reviews that is irrelevant, incorrect and/or misleading. Therefore I am unable to establish any basis for contention in this regard. However, I provide the following information.

First Internal Review: In regard to the first internal review, I considered the assumption that WorkCover did "collect" personal or health information about you in the course of this internal review dated 14 September 2012 and provide the following advice.

For the most part, all information used for this review was already "held" by WorkCover (within the meaning of section 4(4) of the PPIP Act and section 10 of the HRIP Act), apart from information contained in the application lodged by you and three documents 'collected' during the evidence gathering process of the internal review.

The three documents considered to have been 'collected' for the purpose of the first internal review are two emails from StateCover Mutual Limited, which provide evidence of StateCover's management of your workers compensation claim, along with a copy of your Employee Claim Form for workers compensation.

I note that in the first internal review decision, WorkCover advised you of its requirements to consult with other parties and I conclude that the conduct undertaken was appropriate and relevant in the circumstances.

Second Internal Review: After reviewing the conduct of the second internal review dated 5 December 2012, I consider that all information used for this review was already "held" by WorkCover (within the meaning of section 4(4) of the PPIP Act and section 10 of the HRIP Act), apart from information contained in the application lodged by you.

PPIP Act

Section 25 of the PPIP Act provides that non-compliance with the principles concerning collection of personal information (and certain other privacy principles) is permitted where (a) an agency is authorised or required by or under law not to comply with the principles or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law.

An example of disclosure that is required or authorised under law is an investigation carried out by an agency under specific legislative authority or where the power to conduct the investigation is necessarily implied or reasonably contemplated under an Act or other law.

I am satisfied that, in both previous internal reviews, WorkCover's Privacy Officer acted in accordance with obligations legislated by the PPIP Act and the guidelines set out by the Information and Privacy Commissioner.

I also refer you to an extract from a decision of the Appeal Panel - Administrative Decisions Tribunal in ZR and Department of Education and Training [2010] at [72] that "[o]nce a person enters an official complaints stream, they cannot reasonably expect that an investigation will be undertaken at no risk to the revelation of their identity or the transmission of the contents of the complaint." The individual to whom the information relates is not permitted "to set his or her own terms as to the way the agency is to handle the information conveyed to it" (at [74]).

This decision has since been referred to at least twice, i.e. Administrative Decisions Tribunal matters WH v Internal Audit Bureau of NSW 237 [2011] and, AET and Western NSW Local Health District [2012].

I am of the opinion that you officially requested WorkCover to undertake an internal review on two separate occasions prior to this instance. In doing so, you entered into WorkCover's official complaints stream. It would be reasonable to consider that in seeking a review of the privacy concerns you have raised, you expected WorkCover would undertake a thorough investigation, which would include the 'collection' of information about you.

My review reveals that a thorough investigation was undertaken for both previous reviews. In order to do this, WorkCover's Privacy Officer was required to 'collect' enough relevant information from appropriate personnel within WorkCover, and in the case of the first internal review, from StateCover Mutual Limited, that was reasonably necessary for the proper exercise of undertaking a lawful investigation (specifically, under section 53 of the PPIP Act), and was thus authorised, required or at least necessarily implied or reasonably contemplated within the meaning of section 25 of the PPIP Act.

HRIP Act

Under the HRIP Act, Health Privacy Principles (HPPs) 1, 2, 3 and 4 deal generally with collection of health information. HPPs 2 and 3 do not appear to be applicable in the present review. I also reiterate my comments above that no health information appears to be have been "collected" by WorkCover when conducting the second internal review, as that material was already 'held' by WorkCover.

However, in relation to the first internal review to the extent (if any), that HPP 4 ("Individual to be made aware of certain matters") may be applicable, I note that HPP 4(4) provides that

"(4) An organisation is not required to comply with a requirement of this clause if:

(a) the individual to whom the information relates has expressly consented to the organisation not complying with it, or

(b) the organisation is lawfully authorised or required not to comply with it, or

(c) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998)"

For the same reasons given above in relation to the PPIP Act, it appears that WorkCover's "collection" of health information was authorised, required or reasonably contemplated under a law (specifically section 53 of the PPIP Act).

Further, to the extent that you provided personal or health information as part of your applications for internal review, I am of the view that such information was "unsolicited", and therefore not "collected" by WorkCover (within the meaning of section 4(5) of the PPIP Act and section 10 of the HRIP Act). For example, the Appeals Panel of the ADT has stated in Vice-Chancellor, Macquarie University v FM (GD) [ 2003] NSWADTAP 43: "As we conceive of the term "unsolicited' it refers to information that an agency finds itself receiving (primary meaning, Macquarie Dictionary, 'not asked for'). A public sector agency is not bound by the collection principles in that situation as it had no opportunity to define or set the parameters under which it was received."

I therefore believe that there is no basis to conclude that WorkCover "collected" personal or health information about you that was irrelevant, misleading or incorrect. On that understanding, no breach of the principles relevant to Part One of your application is made out.

Part Two - Use and Disclosure of Personal Information

The second part of your application deals with the manner in which your personal and health information was 'used' and then 'disclosed' by WorkCover's Privacy Officer to the Privacy Commissioner, officers of the ADT and also WorkCover's legal representatives.

PPIP Act

"Use"

As discussed above, section 25 gives an agency a right not to comply with most of the privacy principles if legally authorised or required, or if non-compliance is permitted or reasonably contemplated under an Act or any other law. As stated above, the previous internal reviews were conducted in accordance with Part 5 of the PPIP Act.

I note that section 25 of the PPIP Act does not apply to section 16, which provides: "A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading."

However, based on your application and the information available to me, it is my view that the personal information "used" by WorkCover in the course of its previous internal reviews was used for the purpose of conducting those internal reviews requested by you, and not for other purposes. A range of information in WorkCover's possession, including material provided by you for the purpose of the internal reviews, was considered. When regard is had to the purpose for which it was to be "used" (ie. the conduct of the reviews and the full investigation of the matters that you complained of), I conclude that the information was relevant, accurate and not misleading.

I therefore believe that no breach of section 16 of the PPIP Act took place.

"Disclosure"

As a public sector agency, WorkCover has a statutory obligation (sections 53(5) and 54 of the PIPP Act) to update the Privacy Commissioner during the course of all privacy related internal reviews. This includes, advising the Privacy Commissioner of applications that are received by the agency and providing a copy of the application. It also includes advising the Privacy Commissioner once an internal review is complete and providing copies of the agency's decision. Agencies are also able to seek advice from the Privacy Commissioner, if required, during the course of an internal review. Agencies must also consider any submissions made by the Privacy Commissioner during an internal review.

WorkCover is also lawfully authorised and obliged, to provide information to the ADT when an applicant has sought review in the ADT under section 55 of the PPIP Act. As you are aware, you and WorkCover are currently engaged in two reviews before the ADT as a result of the two applications for review that you have brought in the ADT. In order to review conduct the subject of this appeal, the ADT used its authority under the Administrative Decisions Tribunal Act 1997 (ADT Act), to seek copies of certain documents from WorkCover, and WorkCover complied with that direction. As required by the ADT, WorkCover provided to the ADT a copy of its determinations (including attachments) in each of the previous internal review matters.

For the reasons set out above, I have concluded that WorkCover's disclosure of information to external parties described above was subject to clause 25 of the PPIP Act, which allows disclosure if the agency is lawfully authorised or required not to comply with the principle concerned, or non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law.

HRIP Act

Under the HRIP Act, HPP 9 provides:

"An organisation that holds health information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading."

HPP 9 (Accuracy) is equivalent to section 16 of the PPIP Act (discussed above) and requires the agency reasonably to ensure that, when regard is had to the purpose for which the information is to be used, that the information is "relevant, accurate, up to date, complete and not misleading" before using it. For the same reasons given above in relation to section 16 of the PPIP Act, I conclude that no breach of HPP 9 is made out.

Under the HRIP Act, HPP 10 relevantly provides:

"10 Limits on use of health information

(1) An organisation that holds health information must not use the information for a purpose (a "secondary purpose") other than the purpose (the "primary purpose") for which it was collected unless:

(Various exemptions are listed in paragraphs (a) to (k)).

(2) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998)."

HPP 11 relevantly provides:

"11 Limits on disclosure of health information

(1) An organisation that holds health information must not disclose the information for a purpose (a "secondary purpose") other than the purpose (the "primary purpose") for which it was collected unless:

(Various exemptions are listed in paragraphs (a) to (I)).

(2) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998),"

For similar reasons to those set out above in relation to the application of the PPIP Act, I have concluded that WorkCover's use of information for the purpose of the previous internal reviews, and disclosure of information to external parties, are subject to the exemptions in HPPs 10 and 11, which provide that an agency is not required to comply with those HPPs if it lawfully authorised or required not to comply with the HPP concerned, or non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law.

Use of legal representatives

WorkCover also engaged the services of legal counsel to represent the agency throughout the appeal process and, to fully apprise counsel of the details, provided relevant information to its legal representative. Engagement of legal counsel is done on a confidential basis, and legal counsel are not permitted to disclose confidential information to third parties or to the public except in the course of carrying out their legal instructions or where required by law to do so.

As you are the applicant in these proceedings, it is reasonable to assume you would be aware that your information would be provided to these external parties as part of the appeal process.

With the above in mind, I am satisfied that the conduct of WorkCover (including WorkCover's Privacy Officer) was appropriate in the circumstances and that the relevant information was used or disclosed for purposes directly related to the purpose for which it was collected and/or that WorkCover lawfully used and disclosed relevant information to external parties in accordance with the PPIP Act, HRIP Act the ADT Act, and other legislation to which WorkCover is subject.

CONCLUSION

In conclusion, I advise that in regard to Part One of your application, I have been unable to establish the contentions in your application. I conclude that WorkCover did not "collect" your health or personal information for the purpose of the second internal review. However, I conclude that WorkCover did 'collect' information for the purposes of the first internal review and that such collection was legally permitted or required. Further, the information 'collected' was not irrelevant, inaccurate or misleading when regard is had to the purpose of such collection or use (ie. the conduct of an investigation in accordance with the PPIP Act).

In regard to Part Two of your application, I am satisfied that WorkCover and WorkCover's Privacy Officer acted appropriately and in accordance with the HRIP Act, the PPIP Act and the ADT Act. I am satisfied that 'use' and 'disclosure' of personal and health information was legally permitted or required, or necessarily implied or reasonably contemplated under an Act or other law.

20 ALZ subsequently lodged an Application in the Tribunal, seeking review of the Respondent's conduct. She has alleged contravention of a number of provisions of the PPIP Act and the HRIP Act. The Respondent denies that its conduct contravened any of those provisions.

21 The Tribunal's jurisdiction is limited to reviewing contraventions of the IPPs and HPPs by a "public sector agency. The scope of the application to the Tribunal is limited to conduct that was the subject of the application for internal review to the Respondent. Matters which the Applicant raises which do not fall within that scope are outside the Tribunal's jurisdiction.

22 By agreement between the parties, the Application is to be determined 'on the papers' with the benefit of written submissions by the parties but without the need for a hearing. The issue of liability should be determined as a preliminary issue.

Applicable legislation

23 The review of conduct by an agency is addressed in Part 5 of the PPIP Act. Section 53 concerns the making of complaints alleging a grievance by the conduct of a public sector agency under the PPIP Act. The internal review is to be undertaken by the public sector agency concerned (section 52(2)), and the agency is required to determine the internal review in one of five ways (section 53(7)). In reviewing the conduct the subject of the application, the individual dealing with the application must consider any relevant material submitted by the applicant (section 53(5)(a)) and the Privacy Commissioner (section 53(5)(b)). As soon as practicable (or within 14 days) after the completion of the review, the public sector agency must notify the applicant in writing of the outcome and rights of review (section 53(8)).

24 An agency must notify the Privacy Commissioner of any application received (section 54(1)(a)), keep the Privacy Commissioner updated on the progress of the internal review (section 54(1)(b)), and inform the Privacy Commissioner of the findings of the review and any action proposed to be taken in relation to the matter (section 54(1)(c)). The Privacy Commissioner is entitled to make submissions to the agency in relation to the subject matter of the application (section 54(2)).

25 If a person who has made an application for internal review under section 53 is not satisfied with the findings of the review or the action taken by the public sector agency in relation to the application, the person may apply to the Tribunal for a review of the conduct that was the subject of the application under section 53 (section 55(1)).

26 The term "personal information" is defined in section 5 of the HRIP Act as:

5 Definition of "personal information"

(1) In this Act,

"personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.

(3) Personal information does not include any of the following:

...

(m) information or an opinion about an individual's suitability for appointment or employment as a public sector official,

...

27 The term "health information" is defined in section 6 of the HRIP Act as:

"health information" means:

(a) personal information that is information or an opinion about:

(i) the physical or mental health or a disability (at any time) of an individual, or

...

but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.

28 Section 4 of the PPIP Act provides a similar definition of "personal information" to that in section 5 of the HRIP Act.

29 Section 9 of the HRIP Act provides:

9 What constitutes "holding" information

For the purposes of this Act, health information is

"held" by an organisation if:

(a) the organisation is in possession or control of the information (whether or not the information is contained in a document that is outside New South Wales), or

(b) the information is in the possession or control of a person employed or engaged by the organisation in the course of such employment or engagement, or

(c) in the case of a public sector agency-the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998 .

(5) For the purposes of this Act, personal information is not

"collected" by a public sector agency if the receipt of the information by the agency is unsolicited.

30 Section 10 of the HRIP Act provides:

10 Unsolicited information not considered "collected"

For the purposes of this Act, health information is not collected by an organisation if the receipt of the information by the organisation is unsolicited.

31 The relevant HPPs are set out in Schedule 1 to the HRIP Act as follows:

SCHEDULE 1 - Health Privacy Principles

...

1 Purposes of collection of health information

(1) An organisation must not collect health information unless:

(a) the information is collected for a lawful purpose that is directly related to a function or activity of the organisation, and

(b) the collection of the information is reasonably necessary for that purpose.

(2) An organisation must not collect health information by any unlawful means.

2 Information must be relevant, not excessive, accurate and not intrusive

An organisation that collects health information from an individual must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:

(a) the information collected is relevant to that purpose, is not excessive and is accurate, up to date and complete, and

(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

3 Collection to be from individual concerned

(1) An organisation must collect health information about an individual only from that individual, unless it is unreasonable or impracticable to do so.

(2) Health information is to be collected in accordance with any guidelines issued by the Privacy Commissioner for the purposes of this clause.

4 Individual to be made aware of certain matters

(1) An organisation that collects health information about an individual from the individual must, at or before the time that it collects the information (or if that is not practicable, as soon as practicable after that time), take steps that are reasonable in the circumstances to ensure that the individual is aware of the following:

(a) the identity of the organisation and how to contact it,

(b) the fact that the individual is able to request access to the information,

(c) the purposes for which the information is collected,

(d) the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind,

(e) any law that requires the particular information to be collected,

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

(2) If an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is generally aware of the matters listed in subclause (1) except to the extent that:

(a) making the individual aware of the matters would pose a serious threat to the life or health of any individual, or

(b) the collection is made in accordance with guidelines issued under subclause (3).

(3) The Privacy Commissioner may issue guidelines setting out circumstances in which an organisation is not required to comply with subclause (2).

(4) An organisation is not required to comply with a requirement of this clause if:

(a) the individual to whom the information relates has expressly consented to the organisation not complying with it, or

(b) the organisation is lawfully authorised or required not to comply with it, or

(c) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ), or

(d) compliance by the organisation would, in the circumstances, prejudice the interests of the individual to whom the information relates, or

(e) the information concerned is collected for law enforcement purposes, or

(f) the organisation is an investigative agency and compliance might detrimentally affect (or prevent the proper exercise of) its complaint handling functions or any of its investigative functions.

(5) If the organisation reasonably believes that the individual is incapable of understanding the general nature of the matters listed in subclause (1), the organisation must take steps that are reasonable in the circumstances to ensure that any authorised representative of the individual is aware of those matters.

(6) Subclause (4) (e) does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence.

(7) The exemption provided by subclause (4) (f) extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.

5 Retention and security

(1) An organisation that holds health information must ensure that:

(a) the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

(b) the information is disposed of securely and in accordance with any requirements for the retention and disposal of health information, and

(c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

(d) if it is necessary for the information to be given to a person in connection with the provision of a service to the organisation, everything reasonably within the power of the organisation is done to prevent unauthorised use or disclosure of the information.

Note: Division 2 (Retention of health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.

(2) An organisation is not required to comply with a requirement of this clause if:

(a) the organisation is lawfully authorised or required not to comply with it, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ).

(3) An investigative agency is not required to comply with subclause (1) (a).

...

9 Accuracy

An organisation that holds health information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

10 Limits on use of health information

(1) An organisation that holds health information must not use the information for a purpose (a

"secondary purpose" ) other than the purpose (the

"primary purpose" ) for which it was collected unless:

(a) the individual to whom the information relates has consented to the use of the information for that secondary purpose, or

(b) the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or

Note: For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(c) the use of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:

(i) a serious and imminent threat to the life, health or safety of the individual or another person, or

(ii) a serious threat to public health or public safety, or

(d) the use of the information for the secondary purpose is reasonably necessary for the funding, management, planning or evaluation of health services and:

(i) either:

(A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or

(B) reasonable steps are taken to de-identify the information, and

(ii) if the information is in a form that could reasonably be expected to identify individuals, the information is not published in a generally available publication, and

(iii) the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or

(e) the use of the information for the secondary purpose is reasonably necessary for the training of employees of the organisation or persons working with the organisation and:

(i) either:

(A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or

(B) reasonable steps are taken to de-identify the information, and

(ii) if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and

(iii) the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or

(f) the use of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and:

(i) either:

(A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or

(B) reasonable steps are taken to de-identify the information, and

(ii) if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and

(iii) the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or

(g) the use of the information for the secondary purpose is by a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or

(h) the organisation:

(i) has reasonable grounds to suspect that:

(A) unlawful activity has been or may be engaged in, or

(B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW) , or

(C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and

(ii) uses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or

(i) the use of the information for the secondary purpose is reasonably necessary for the exercise of law enforcement functions by law enforcement agencies in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed, or

(j) the use of the information for the secondary purpose is reasonably necessary for the exercise of complaint handling functions or investigative functions by investigative agencies, or

(k) the use of the information for the secondary purpose is in the circumstances prescribed by the regulations for the purposes of this paragraph.

(2) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ).

(3) The Ombudsman's Office, Health Care Complaints Commission, Anti-Discrimination Board and Community Services Commission are not required to comply with a provision of this clause in relation to their complaint handling functions and their investigative, review and reporting functions.

(4) Nothing in this clause prevents or restricts the disclosure of health information by a public sector agency:

(a) to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or

(b) to any public sector agency under the administration of the Premier, if the disclosure is for the purposes of informing the Premier about any matter.

(5) The exemption provided by subclause (1) (j) extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.

11 Limits on disclosure of health information

(1) An organisation that holds health information must not disclose the information for a purpose (a

"secondary purpose" ) other than the purpose (the

"primary purpose" ) for which it was collected unless:

(a) the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or

(b) the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or

Note: For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(c) the disclosure of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:

(i) a serious and imminent threat to the life, health or safety of the individual or another person, or

(ii) a serious threat to public health or public safety, or

(d) the disclosure of the information for the secondary purpose is reasonably necessary for the funding, management, planning or evaluation of health services and:

(i) either:

(A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or

(B) reasonable steps are taken to de-identify the information, and

(ii) if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and

(iii) the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or

(e) the disclosure of the information for the secondary purpose is reasonably necessary for the training of employees of the organisation or persons working with the organisation and:

(i) either:

(A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or

(B) reasonable steps are taken to de-identify the information, and

(ii) if the information could reasonably be expected to identify the individual, the information is not made publicly available, and

(iii) the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or

(f) the disclosure of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and:

(i) either:

(A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or

(B) reasonable steps are taken to de-identify the information, and

(ii) the disclosure will not be published in a form that identifies particular individuals or from which an individual's identity can reasonably be ascertained, and

(iii) the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or

(g) the disclosure of the information for the secondary purpose is to provide the information to an immediate family member of the individual for compassionate reasons and:

(i) the disclosure is limited to the extent reasonable for those compassionate reasons, and

(ii) the individual is incapable of giving consent to the disclosure of the information, and

(iii) the disclosure is not contrary to any wish expressed by the individual (and not withdrawn) of which the organisation was aware or could make itself aware by taking reasonable steps, and

(iv) if the immediate family member is under the age of 18 years, the organisation reasonably believes that the family member has sufficient maturity in the circumstances to receive the information, or

(h) the disclosure of the information for the secondary purpose is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or

(i) the organisation:

(i) has reasonable grounds to suspect that:

(A) unlawful activity has been or may be engaged in, or

(B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW) , or

(C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and

(ii) discloses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or

(j) the disclosure of the information for the secondary purpose is reasonably necessary for the exercise of law enforcement functions by law enforcement agencies in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed, or

(k) the disclosure of the information for the secondary purpose is reasonably necessary for the exercise of complaint handling functions or investigative functions by investigative agencies, or

(l) the disclosure of the information for the secondary purpose is in the circumstances prescribed by the regulations for the purposes of this paragraph.

(2) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ), or

(c) the organisation is an investigative agency disclosing information to another investigative agency.

(3) The Ombudsman's Office, Health Care Complaints Commission, Anti-Discrimination Board and Community Services Commission are not required to comply with a provision of this clause in relation to their complaint handling functions and their investigative, review and reporting functions.

(4) Nothing in this clause prevents or restricts the disclosure of health information by a public sector agency:

(a) to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or

(b) to any public sector agency under the administration of the Premier, if the disclosure is for the purposes of informing the Premier about any matter.

(5) If health information is disclosed in accordance with subclause (1), the person, body or organisation to whom it was disclosed must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

(6) The exemptions provided by subclauses (1) (k) and (2) extend to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.

32 Comparable provisions are found in the PPIP Act.

33 Section 25 of the PPIP Act provides

25 Exemptions where non-compliance is lawfully authorised or required

A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:

(a) the agency is lawfully authorised or required not to comply with the principle concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ).

Relevant provisions of the Workplace Injury Management and Workers Compensation Act 1998 ("WIMWC Act")

34 Section 22 of the WIMWC Act provides:

"22 General functions of Authority

(1) The general functions of the Authority are:

(a) to be responsible for ensuring compliance with the workers compensation legislation and the work health and safety legislation,

(b) to be responsible for the day to day operational matters relating to the schemes to which any such legislation relates,

(c) to monitor and report to the Minister on the operation and effectiveness of the workers compensation legislation and the work health and safety legislation, and on the performance of the schemes to which that legislation relates,

(d) to undertake such consultation as it thinks fit in connection with current or proposed legislation relating to any such scheme as it thinks fit,

(d1) to monitor and review key indicators of financial viability and other aspects of any such schemes,

(e) to report and make recommendations to the Minister on such matters as the Minister requests or the Authority considers appropriate.

(2) The Authority has such other functions as are conferred or imposed on it by or under the workers compensation legislation, the work health and safety legislation or any other legislation.

(3) In exercising its functions, the Authority must:

(a) promote the prevention of injuries and diseases at the workplace and the development of healthy and safe workplaces, and

(b) promote the prompt, efficient and effective management of injuries to persons at work, and

(c) ensure the efficient operation of workers compensation insurance arrangements, and _

(d) ensure the appropriate co-ordination of arrangements for the administration of the schemes to which the workers compensation legislation or the work health and safety legislation relates.

35 Section 243A of the WIMWC Act provides:

"243A Information gathering and use by Authority and Nominal Insurer

(1) The Authority and the Nominal Insurer may collect, analyse, use and disclose data, statistics and other information relating to any of the following:

(a) claims for compensation and work injury damages,

(b) the functions, activities and performance of scheme agents, specialised insurers and self-insurers,

(c) policies of insurance,

(d) the investment of assets of the Insurance Fund.

(2) For that purpose, the Authority and the Nominal Insurer may obtain information from scheme agents, specialised insurers, self-insurers and from any other source.

(3) This section extends to authorise the Authority and the Nominal Insurer to collect and analyse, and to disclose to such persons or classes of persons as may be prescribed by the regulations, personal information about the health of an individual, but only in relation to (or in connection with) the matters referred to in subsection (1).

(4) Section 243 does not prevent the disclosure of information in accordance with this section."

ALZ's case

36 ALZ relies on her own evidence and written submissions. She provided the following context for her initial complaint that was determined by Mr McBride:

I wrote to WorkCover's compliments and complaints unit saying:

... Why, when his investigation was completed on the 7th December [2011], did he [the inspector] go back to Council on December 15th and get a copy of the psychiatric report? ...

The complaints officer did not answer this part of my complaint so I made an application to WorkCover for an internal review of the inspector's conduct under section 21 of the Health Records and Information Privacy Act 2002 (HRIP Act). My complaint said:

What is the specific conduct you are complaining about? Collection of an IME by Dr Kar from [the] Council.

37 ALZ submits that instead of reviewing the conduct that she had complained about, Mr McBride made an erroneous finding that the inspector had collected the report from StateCover. He purported to think that she had complained about StateCover's management of her workers compensation claim and conducted a review of the insurer's conduct under workers compensation legislation. ALZ submits that Mr McBride used information from the insurer in the internal review decision and when she applied to the ADT for a review of the inspector's conduct, the information was disclosed to others.

38 ALZ disputes the Respondent's contention that Mr McBride's error did not affect the substance of the determination or the conclusions reached as the error was Mr McBride's conclusion that he was "unable to establish any evidence to support the alleged conduct has occurred".

39 ALZ disputes the Respondent's contention that the collection, use and disclosure of her personal and health information was reasonably necessary for the proper exercise of undertaking a lawful investigation, specifically, under section 53 of the PPIP Act, and thus was authorised, required or at least necessarily implied or reasonably contemplated within the meaning of section 25 of the PPIP Act.

40 She submits that section 53 of the PPIP Act does not authorise, require, or impliedly permit or contemplate the section 25 exemptions. She contends that all section 53 does is give the agency a first opportunity to deal with the complaint: KO and KP v Commissioner of Police (GD) [2005] NSWADTAP 56 at paragraph [13]. The opportunity to resolve a complaint at the 'local level' between the agency and the complainant is a typical feature of legislation regulating the conduct of public sector agencies: PC v University of New South Wales [2005] NSWADT 157 at paragraphs [3] - [4]. The point of the review exercise is to determine whether the conduct amounted to a contravention of one or more of the privacy principles: Department of Education and Training v GA (No 3) [2004] NSWADTAP 50 at paragraph [5].

41 ALZ referred to the decision in JD v New South Wales Medical Board [2008] NSWADT 67 in which Judicial Member Higgins considered whether the conduct of the Board was exempt under section 25 of the PPIP Act. She stated at paragraphs [46] - [47]:

Consideration - was the conduct exempt under section 25 of the PPIP Act?

46 The Board argued that the express obligation of an agency, under sub-section 54(1) of the PPIP Act, to notify and inform the Privacy Commissioner of all section 53 internal review applications impliedly permitted non-compliance, or authorised non-compliance with section 18 of that Act.

47 In my opinion, sub-section 54(1), on its proper construct, does not authorise or impliedly authorise non-compliance by an agency of the disclosure IPP set out in section 18 of that Act. The purpose of the section is to further the Privacy Commissioner's ability to fulfil his/her statutory functions such as monitoring and complaint handling under Part 4 of the Act. It prescribes a specific circumstance where an agency is obliged to provide information concerning conduct of an agency alleged to have breached an IPP or other prohibited conduct under the Act. That is, it provides for an authorised disclosure of personal information in the circumstances prescribed. This does not mean that an agency is free to disclose at any time personal information it holds to the Privacy Commissioner.

42 ALZ submits that the Respondent was authorised under section 53 of the PPIP Act, to review 'the conduct the subject of the application'. She says that the conduct was the collection of a medical report from the Council. ALZ further submits that section 53 did not authorise, require, contemplate or permit the section 25 exemptions and that the Respondent was obligated to handle her health and personal information in compliance with the HPPs and the IPPs.

43 ALZ submits that the Respondent had no right to the information in her workers compensation file. However, it was able to gain that access by fabricating a complaint from her and purporting to review StateCover under the WIMWC Act to ensure that ALZ was "treated fairly and in accordance with the relevant legislation that binds the effective management of workers compensation claims". She contends that the Respondent collected her information under false pretences and misused it.

44 She submits that neither the PPIP Act nor the WIMWC Act permit (or necessarily imply or reasonably contemplate) that this conduct should exempt an agency from complying with privacy legislation. She further submits that section 20 of the PPIP Act does not intend that the Respondent's section 53 obligations should release them from the obligations of the privacy principles. She says that the Respondent's chief obligation when inquiring into an inspector's collection of her health information was to comply with the privacy principles of the HRIP and PPIP Acts.

45 ALZ further submits that the HPPs and the IPPs should have informed the review officer's and the privacy officer's conduct, and therefore the Respondent should have had a lawful purpose (not a false pretence) and only collected directly from ALZ personal information that was relevant, not excessive, accurate, up to date and complete, and which did not intrude to an unreasonable extent into her personal affairs. A section 53 internal review of conduct does not permit, imply or contemplate noncompliance with the privacy principles.

46 ALZ disputes the Respondent's assertion that noncompliance was reasonably contemplated by the WIMWC Act. She says that the Respondent could only rely on the WIMWC Act as a basis for not complying with the privacy principles if the collection of ALZ's personal and health information from StateCover was related to the management of her workers compensation claim. ALZ further says that the Respondent asserted that she had complained to it about StateCover, and that the Respondent is persisting with that claim despite ALZ's assertions that she did not make such a claim, and despite its failure to adduce any evidence to show that she did make such a claim.

47 In regard to the Respondent's contention that StateCover as the "subject of a complaint by the applicant" was afforded procedural fairness and given an opportunity to give their "version of events" ALZ submitted that StateCover did not require procedural fairness. There was no complaint for it to answer. ALZ further submitted that the Respondent used the pretext of a complaint from her as a means of inducing StateCover to disclose her personal and health information and that the Respondent in turn disclosed the information in the internal review.

HPP 1 and Section 8 of the PPIP Act

48 ALZ contends that the Respondent contravened HPP 1 and Section 8 of the PPIP Act. She submits that the Respondent collected a substantial amount of personal and health information about her from third parties without her consent while conducting an internal review. She submits that her application for internal review only authorised the Respondent, under section 53 of the PPIP Act, to review 'the conduct the subject of the application' i.e. the collection of a medical report from the Council.

49 She referred to Ms Laing's reasons where she said:

My review reveals that a thorough investigation was undertaken for both previous reviews, in order to do this, WorkCover's Privacy Officer was required to collect enough relevant information from appropriate personnel within WorkCover and ... StateCover Mutual Limited, that was reasonably necessary for the proper exercise of undertaking a lawful investigation (specifically under section 53 of the PPIP Act)

50 ALZ contends that the Respondent did not conduct an internal review of conduct under section 53 as it did not investigate its collection of Dr Kar's report from the Council. She says that the Respondent made a deliberately erroneous finding that the conduct did not occur and that Dr Kar's report had been collected from StateCover Mutual Limited - not the Council; and that this constitutes a constructive refusal to carry out the section 53 inquiry.

51 ALZ contends that there was an abundance of easy-to-obtain evidence which showed that Inspector Dall had collected Dr Kar's report from the Council's return to work officer on 15 December 2011. That is, the conduct under review had occurred and that Mr McBride did not conduct a review of the alleged conduct because of the erroneous finding that the conduct did not occur. She further asserts that because it did not conduct an internal review of 'the conduct the subject of the application', the Respondent did not have a lawful purpose under HPP 1 or section 8 of the PPIP Act to collect her personal or health information - directly or indirectly. Further, she asserts that the Respondent certainly did not have a lawful purpose to collect incorrect, irrelevant and misleading health and personal information from third parties without her consent.

52 ALZ submits that HPP 1(1)(b) and section 8(1)(b) of the PPIP Act prohibited the Respondent from collecting any health/personal information that was not reasonably necessary for the purpose. She says that 'reasonably necessary' should be interpreted as meaning that the agency would not be able to perform its functions without collecting the information. She points to the decision in SB v Roads and Traffic Authority [2010] NSWADT 255 at paragraph [35] where I found that the expression "reasonably necessary" as a qualification of "necessary", is meant to be something less than "essential".

53 She itemised aspects of her personal and health information that she says the Respondent collected and she asserted that the information was not 'reasonably necessary' for the purpose of reviewing 'the conduct the subject of the application'. She further asserted that it was not reasonably necessary for a review of the erroneous finding that Inspector Dall had collected the report from StateCover and not from the Council. As an example she said that Mr McBride could have investigated the conduct without reference to ALZ's children or the fact that ALZ made a claim for workers compensation eleven weeks after Inspector Dall collected Dr Kar's report from the Council. Collection of that information was not 'reasonably necessary' for the purpose of reviewing 'the conduct the subject of the application'.

54 HPP 1(2) and section 8(2) of the PPIP Act provide that an organisation must not collect health/personal information by any unlawful means. ALZ points to the decision in NX v Office of the Director of Public Prosecutions [2005] NSWADT 74 at [25] where I accepted that an 'unlawful means' was to be interpreted to mean a positive legal prohibition. ALZ submitted that section 11(3) of the HRIP Act prohibits and agency doing anything, or engaging in any practice that contravenes a HPP. Therefore, she submits, section 11 legally prohibits the contravention of a HPP. A similarly provision is found in section 21 of the PPIP Act.

55 ALZ contends that the Respondent's collection of her personal/health information without a lawful purpose, when it was not reasonably necessary, contravenes HPP 1(1)(a) and (b), and section 8(1)(a) and (b) of the PIPP Act.

HPP 3 and Section 9 of the PPIP Act

56 ALZ contends that the Respondent's indirect collection of her personal/health information contravenes HPP 3 and Section 9 of the PPIP Act. If the Respondent had a lawful purpose of collection, it was required to only collect ALZ's health information from her, unless it was unreasonable or impracticable to do so. The Respondent collected it from third parties. ALZ submitted that there was no circumstance which prevented the Respondent from collecting her personal or health information directly from her. There was no impediment to a direct collection and therefore the Respondent contravened HPP 3 and section 9 of the PPIP Act.

HPP 4

57 HPP 4 required the Respondent before, at, or as soon as practicable after the collection of ALZ's health information to take steps that are reasonable in the circumstances to ensure that she was aware of:

(a) the identity of the organisation and how to contact it,

(b) the fact that the individual is able to request access to the information,

(c) the purposes for which the information is collected,

(d) the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind,

(e) any law that requires the particular information to be collected,

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

58 ALZ contends that the Respondent did not take any steps to make her aware of that information and her entitlements. She stated that she only became aware that the Respondent had collected her health and personal information when the internal review decision was mailed to her. She stated that the Respondent did not make her aware of the information specified at (b), (c), (d), (e) or (f), and this prevented her from exercising her rights.

59 ALZ points to the decision in KJ v Wentworth Area Health Service [2004] NSWADT 84 where I found that the purpose of the notification principle of the PPIP Act was for individuals to be able to give informed consent. At paragraph [35] - [36] of KJ v Wentworth Area Health Service I stated:

35. Sufficient information must be provided to an individual when their personal information is collected, to allow the individual to give informed consent. What information would be sufficient will vary from case to case. However, in my view, the information provided would not be sufficient unless it included information regarding the intended recipients of the individual's information. Whether an agency would need to seek further consent for necessary uses and disclosures will depend on the circumstances of the case and the needs and wishes of the individual.

36. The Privacy Commissioner has submitted, and I agree, that the type of personal information at issue is relevant in determining whether an agency has taken such steps as are reasonable in the circumstances to make an individual aware of the matters in section 10. In this case, a particularly sensitive class of health information is at issue. KJ has posed a number of circumstances in which it would be unnecessary for employees of the Agency to have access to that sensitive personal information. In my view, had the Agency specified who would receive the information that KJ provided, KJ would have had information on which to base a decision about whether or not to provide her information to the Agency. ...

60 ALZ submitted that if the Respondent had complied with HPP 4 she could have exercised her rights and protected her reputation by preventing the use and disclosure of the information, and applied for a review of the unlawful collection. She stated that until she raised the conduct at a planning meeting before the Tribunal, she was not aware that she had any rights with regard to the way her health information was collected, used and disclosed in the first internal review decision.

61 ALZ noted that HPP 4 exempts agencies from the notification principle in certain circumstances. She submitted that none of those circumstances are relevant in this matter. Therefore, she submits, the Respondent acted in contravention of HPP 4.

HPP 5 and Section 12 of the PPIP Act

62 HPP 5 and section 12 of the PPIP Act required the Respondent to not hold ALZ's health and personal information without a lawful purpose; to dispose of it securely; to protect it from loss, unauthorised access, use, modification or disclosure and against all other misuse. ALZ submits that the Respondent contravened those provisions because it did not have a lawful purpose to hold the health and personal information contained in the internal review response; did not dispose of it appropriately; and did not protect it from unauthorised use or disclosure and all other misuse.

63 She submitted that Mr McBride made a decision to use the information, rather than dispose of it. She contends that he authored the internal review document, and without checking for relevance, accuracy, or whether the information would mislead, used ALZ's information in a way that was unfavourable to her, and which caused it to be disclosed to other people. She contends that he also collected and is holding a copy of the IME report, even though the content of the report was not relevant or reasonably necessary to his section 53 inquiry.

64 In regard to the Respondent's retention and security of the report, ALZ submitted that while the Respondent may have archives, and a password-protected database for the retention and security of her personal and health information, these safeguards are undermined to the point of complete collapse by the actions of its privacy officers. She says that the information was not lawfully retained, it was used and disclosed without authority and it is not protected or secure and this contravenes HPP 5 and section 12 of the PPIP Act.

HPP 9 and section 16 of the PPIP Act

65 HPP 9 and section 16 of the PPIP Act required the Respondent to not use health and personal information without 'taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading'.

66 ALZ contends that the Respondent took no steps to ensure that the information they were proposing to use and disclose was relevant to the section 53 inquiry into Inspector Dall's conduct, accurate, up to date, complete and not misleading. She itemised a number of statements that were made in the internal review determination which she says are inaccurate. She also itemised a number of statements that were made in the internal review determinations which she says are misleading and others that she says are Irrelevant to the section 53 review of 'the conduct the subject of the application' i.e. Inspector Dall's collection of the report from Council.

67 ALZ contends that in the circumstances the inaccurate and misleading personal and health information had no forensic use, and it would embarrass her. She says that it was harmful to her reputation, and could adversely affect the way other people perceived her as she proceeded to take further steps to exercise her privacy-related rights.

68 ALZ contends that in contravention of HHP 9 and section 16 of the PPIP Act the Respondent took no steps to ensure before use that in the above circumstances, her personal and health information was relevant, accurate, up to date, complete and not misleading.

HPP 10 and section 17 of the PPIP Act

69 ALZ submitted that, in contravention of HPP 10 and section 17 of the PPIP Act, the Respondent used her personal and health information without her consent for the purpose of embarrassing her and harming her reputation.

70 With limited exceptions, HPP 10 and section 17 provide that a public sector agency that holds personal and health information must not use the information for a purpose other than that for which it was collected.

71 ALZ asserted that until she received the internal review document she did not know that her personal and health information had been collected and that she did not consent for the use of her information for any other purpose than that for which it was collected.

72 ALZ contends that the Respondent identified that her personal and health information was collected and used for the following purposes:

a) To ensure that ALZ was treated fairly and 'in accordance with the relevant legislation that binds the effective management of workers compensation claims;

b) As evidence of StateCover's management of ALZ's workers compensation claim; and 'for the proper exercise of undertaking a lawful investigation (specifically, under section 53 of the PPIP Act); and

c) For 'a detailed background description of the matter'.

73 In reply to those alleged purposes, ALZ contends that Mr McBride was not authorised to review the management of her workers compensation claim; and his use of her personal and health information does not address the fairness of StateCover's management of her claim or their compliance with legislation.

74 ALZ further contends that ensuring that she was treated fairly by StateCover would:

• have required the Respondent to ask her if she had any concerns about the management of her claim, and sought to address those concerns;
• not have proceeded without her permission as the Respondent's inquiries of StateCover imply that she had complained to the Respondent, and this may have prejudiced her interests;
• not have quoted legislation erroneously;
• have applied legislation correctly;
• have anticipated that inaccurate and misleading information may be provided to them;
• have given her an opportunity to correct inaccurate and misleading information.

75 ALZ submitted that StateCover's management of her workers compensation claim was not the conduct under review in the section 53 inquiry. Further, she says that the Respondent did not 'use' her personal and health information to address the purpose of reviewing the management of her workers compensation claim. Nor was it used to inquire into Inspector Dall's conduct. Therefore, her personal and health information has not been 'used' for the purpose of providing a detailed background description of the circumstances of Inspector Dall's collection of Dr Kar's report from the Council.

76 ALZ points to the decision in JD v Department of Health (GD) [2005] NSWADTAP 44, where the Appeal Panel said at paragraph [41] - [42]:

41 In the Act 'use' is differentiated from other activities such as 'collection', 'access' and 'disclosure'. Importantly the standards which apply to the 'use' of information are separated from the standards that apply to the 'disclosure' of the information.

42 We agree with the Tribunal that 'use' normally bears the connotation of employing information for a purpose. Mere access or retrieval would normally not be enough ... In our view, if an agency merely retrieves information in its possession and discloses that to an external person or body, there is no 'use' involved. The action is governed by the standards relating to the 'disclosure' of information. Similarly, there may be situations in which the agency 'uses' information and then 'discloses' the information. ...

77 ALZ submitted that her personal and health information was employed for the purpose of informing the reader (erroneously) that her complaints had no merit and she was likely to harm herself or other people. She further submitted that it is reasonable to assume that the actual use was the same as the intended use and therefore, that the Respondent collected and used her information to discredit her.

HPP 11 and section 18 of the PPIP Act

78 HPP 11 and Section 18 of the PPIP Act prohibited the Respondent from disclosing ALZ's health or personal information without her consent. ALZ submits that as she was unaware that the information had been collected, and she did not know how the Respondent proposed to use it, she was not able to consent to the disclosure of her information. Accordingly, she submitted, the Respondent contravened the disclosure principles.

ALZ's case in summary

79 In summary, ALZ submitted that despite the surfeit of evidence in support of her complaint, Mr McBride found that the conduct that was the subject of her complaint (Inspector Dall's collection of Dr Kar's report from the Council) had not occurred. The erroneous finding caused the Respondent's unauthorised review of StateCover. The review of StateCover disclosed information to the Office of the Privacy Commissioner, the Respondent's legal representatives and the ADT.

80 ALZ submitted that the first internal review decision could have been communicated without the inclusion of the incorrect and misleading personal and health information. She submitted that the Respondent expanded and commented on a section of workers compensation legislation that implied that she was dangerous, but didn't review other sections of the legislation, seek her point of view, or allow her to reply. She says that these matters have remained uncorrected. She seeks findings that the Respondent has contravened multiple HPPs and IPPs, and orders that will alleviate the harm caused, and require the Respondent to uphold the privacy principles.

81 In support of her application ALZ also seeks to rely on:

a. an extract of the Independent Commission Against Corruption, "Report on unauthorised release of government information", Volume 1, August 1992; and

b. Submission No 2, "Inquiry into Allegations of bullying in WorkCover NSW", Name supressed, 2 July.

82 The ICAC report lead to the enactment of the PPIP Act. The submission was made to a Parliamentary Inquiry into allegations of bullying in WorkCover. The Respondent has objected those documents on the basis that the ICAC report could not assist to confirm the meaning of any provision in the PPIP Act relevant to these proceedings and the submission has no probative value to an issue in dispute in these proceedings. I agree with the Respondent in that regard and I do not propose to take that material into account.

The Respondent's Case

83 The Respondent denies the alleged breaches of the IPPs and HPPs. I have set out above the findings made by Ms Laing in her 23 April 2013 determination.

84 The Respondent relies on Ms Laing's determination and also relies on a statement of Craig McBride, dated 10 October 2013 and written submissions by its solicitor, Ms Johnson. It also seeks to rely on affidavits of Inspector Michael Dall and Inspector Gary Mason, which were filed in proceedings earlier proceedings on the basis that they concern matters raised by ALZ in these proceedings. I discussed the evidence of Inspector Dall and Inspector Mason in my decision in ALZ v WorkCover NSW [2014] NSWCATAD 49.

85 ALZ objects to the evidence of Inspectors Dall and Mason on the basis that it is not relevant to the conduct under review. She denies the Respondent's assertion that they concern matters raised by her.

86 The Respondent has not provided any support for the assertion that the evidence of Inspectors Dall and Mason is relevant to the matters to be determined and I therefore will not consider it further.

87 The Respondent contends that, to the extent that ALZ's personal and health information was collected by the Respondent and was disclosed to StateCover, this was necessarily implied or reasonably contemplated by the PPIP Act, whether under section 53, or the provisions concerning the review of conduct of an agency under Part 5 more generally, or in accordance with the Respondent's regulatory functions under the WIMWC Act.

88 The Respondent further contends that the disclosure of ALZ's personal and health information to the Privacy Commissioner and the ADT was compelled by law pursuant to sections 54 and 55 of the PPIP Act and section 58 of the ADT Act.

89 The Respondent submits that it did not "disclose" ALZ's personal and health information to its external lawyers as those external lawyers are "agents" of the Respondent and not legally separate. Alternatively, to the extent that any disclosure occurred, this was permitted or reasonably contemplated by law, either because it involved the discharge of the Respondent's functions under the PPIP Act, or was provided pursuant to common law rights to seek confidential legal advice.

90 Ms Johnson referred to a number of statements in Mr McBride's internal review decisions that ALZ had raised. These statements included:

a) "Providing medical reports to employers is consistent with an insurer's obligations under Chapter 3 of the Workplace Injury Management and Workers Compensation Act 1998."

b) "In December 2011, StateCover forwarded a copy of the medical report to the Injury Management Coordinator at [the] Council."

c) "Specifically, I understand you are concerned about how this information was collected and used by StateCover, as the specialised insurer of workers compensation for [the] Council."

d) "I understand you sought access to a copy of Dr Kar's report from StateCover and that StateCover elected not to provide you with a copy directly. Instead, and in accordance with section 46(5) of the Workers Compensation Regulation 2010, StateCover provided a copy of the report to your nominated treating doctor and your legal advisor... worker."

e) "It is not uncommon for insurers to elect to use section 46(5) of the Regulations when there are concerns for the well being of individuals in regard to personally sensitive medical information about them."

f) "I am advised the report was provided appropriate and that it was relevant, accurate and up to day [sic]..."

g) "I also understand StateCover provided a copy of Dr Kar's report to [the] Council's Injury Management Coordinator, on a confidential basis, for the specific purpose of actioning a return to work program for you. Providing medical reports to employers... your claim."

h) "In January 2012, Inspector Dall contacted you to advice [sic] the outcome of WorkCover's investigation."

91 Ms Johnson submitted that those matters do not concern ALZ's personal or health information and therefore they are not subject to the Tribunal's jurisdiction.

92 The Respondent disagrees that it collected, or used, the following information in the course of the internal reviews, as it was information that it already held:

a) "In October 2011, following a complaint made by yourself, WorkCover undertook an investigation of bullying and harassment issues at [the] Council."

b) "In January 2012, Inspector Dall contacted you to advice [sic] the outcome of WorkCover's investigation."

c) "In October 2011, you made a psychological injury claim for workers compensation while employed by [the] Council."

d) "In November 2011, in order to determine liability of your claim, StateCover requested you attend an Independent Medical Examination with Dr Kar."

e) "In December 2011 your claim for compensation was disputed.

f) "WorkCover's privacy officer also collected and is holding a copy of the IME report that was the subject of my July complaint, even though the content of the report was not relevant or reasonably necessary to his section 53 inquiry."

g) "In October 2011, following a complaint made by yourself, WorkCover undertook an investigation of bullying and harassment issues at [the] Council."

HPP 1 and section 8 of the PPIP Act

93 The Respondent obtained three documents from StateCover - two emails from StateCover dated 3 and 22 August 2012, and a copy of ALZ's Employee Claim Form for workers compensation. The Respondent submits that its collection of information from StateCover directly related to its conduct of the internal review as required by section 53 of the PPIP Act and was reasonably necessary for this purpose.

94 In response to ALZ's assertion that the Respondent did not have a lawful purpose for collecting her personal or health information because it did not investigate 'the conduct the subject of the application', the Respondent accepts that there was an error in regard to how Inspector Dall obtained the medical report; however, the Respondent submits that this did not affect the substance of the determination or the conclusions reached. The Respondent further submits that ALZ's submission puts too narrowly the purpose of the legislative scheme, and the power of an agency on review of conduct under section 53.

95 The Respondent submits that collection of information from StateCover was clearly for the purpose of conducting the internal review, and it was reasonably necessary for the Respondent to make enquiries of StateCover for this purpose.

96 Ms Johnson referred to the Appeal Panel in AIL v Department of Premier and Cabinet (GD) [2013] NSWADTAP 26 in support of her submission that the scope of ALZ's written complaint cannot dictate the scope of the Respondent's reply. The Appeal Panel said at paragraph [39]:

"We have noted that the appellant confined the contextual information he gave in the written complaint to that of the internal grievance process. However, that can not dictate the scope of the respondent's reply. The issue remains whether what is in fact supplied can be said to be information of a kind that is permitted, necessarily implied or reasonably contemplated by the relevant legal regime. Here there had been another stream of investigation that overlapped in time with the internal grievance investigation that involved consideration of the conduct of which the appellant complained. The Tribunal was at liberty to find as a matter of fact that disclosure of the details of the second stream of investigation including the assessment report was reasonably contemplated by the [Anti-Discrimination Act 1997]."

97 Ms Johnson submitted that in the present case, ALZ's workers compensation claim, bullying and harassment complaint and privacy complaints have overlapped not simply in time, but in substance, as the conduct complained of in the privacy review concerned the collection of a medical report prepared in relation to ALZ's workers compensation claim by the Inspector who investigated her bullying and harassment complaint. Therefore, she submits, the Respondent's collection of information from StateCover as to the circumstances of the disclosure of the medical report, which StateCover had requested, was therefore directly for the purpose of conducting the internal review, and reasonably necessary for that purpose.

98 In regard to assessment of whether non-compliance is reasonably contemplated under another Act, Ms Johnson submitted that the approach to be taken is that set out in PN v Department of Education and Training (GD) [2010] NSWADTAP 59, the Appeal Panel considered the appropriate approach to applying section 25(b) of the PPIP Act, which is in comparable terms to HPPs 10(2)(b) and 11(2)(b). The Appeal Panel stated:

"54 Further, we do not think that the task required of the Tribunal in deciding whether or not s 25 is applicable requires it to go so far as to make a microscopic comparison of an alternative law to which an agency refers in justification. Section 25 is expressed in broad language. It is enough that 'non-compliance is reasonably contemplated' by the other law.

55 The Tribunal is called upon, as we see it, to consider the subject matter of the alternative law and ask itself, first, is this the kind of subject matter with which a relevant IPP is concerned in the circumstances of the case before it.

56 Necessarily, the workers compensation regime involves the management of personal information. Moreover, the workers compensation regime has detailed provisions allowing movements of information between a number of parties who have a business role in the management of workers' injuries and the determination of claims.

57 In our view, it is enough for s 25(b) to apply that the transactions in issue (here, one instance of indirect collection and otherwise disclosures) are of a type that is contemplated by the regime; and that they are genuinely undertaken for the purpose of the scheme. Whether something is 'reasonably contemplated' is a factual determination for the trial tribunal to make, only vulnerable to appeal as an error of law on narrow grounds, such as no evidentiary basis for the finding or because the finding is one no rational tribunal could make. This is clearly not a case of that kind.

58 If the Department has breached the guidelines or the statutory provisions in the way it carried out its obligations under the workers compensation regime, as PN's submissions suggest, those are matters to be dealt with through the complaints mechanisms that the workers compensation regime has. The breaches are not open to be litigated within the framework of the privacy legislation.

59 The Tribunal's task is simply to make a broad judgement as to whether s 25 applies. The protection given to an agency by s 25 is not lost simply because the agency has failed to comply, in some aspect of the detail, with a requirement of the other law.

60 If the strict view pressed by PN were to be adopted, privacy cases raising s 25 would give rise to a detailed collateral inquiry into whether the agency had strictly complied with the alternative regime. We do not think that the words of s 25 support such a conclusion, and engagement by the Tribunal in a collateral inquiry would defeat the evident purpose of s 25."

99 In Department of Education and Communities v VK [2011] NSWADTAP 61, the Appeal Panel considered the conclusion at first instance below that a transaction, such as a disclosure of personal information, cannot be genuinely undertaken for the purposes of the workers compensation scheme if the information conveyed is not relevant for the purposes of the workers compensation legislation. In rejecting that analysis, the Appeal Panel stated as follows:

"14. The Department's submission is that in deciding what is 'reasonably contemplated' by a law one looks to the overall circumstances of the communication but does not drill down to the specific elements of the communication and appraise them by reference to a standard of relevance.

15. The limitation expressed by the Appeal Panel in its reasons in PN was directed, in the Department's submission correctly, to the situation of a malicious or bad faith communication (viz. the reference to whether a communication was 'genuinely undertaken for the purpose of the scheme'). It is enough in the Department's submission that the principal (in this instance) dealt in good faith with a type of communication that is usual in the workplace assessment process.

16. We agree with the Department's submission. The approach commended in PN involves a broad inquiry. By introducing the 'relevance' qualification the Tribunal below added a factor which we think is not embraced by the words 'reasonably contemplated'."

HPP 3 and section 9 of the PPIP Act

100 The Respondent submits that it was unreasonable or impractical for it to collect information from ALZ about whether Inspector Dall had collected Dr Kar's report from the Council or StateCover, and the circumstances within which the Council had received the report as this was not within ALZ's own knowledge at that time, and Inspector Dall's conduct was subject to investigation in the Internal Reviews. Therefore, the Respondent submits it did not breach HPP 3.

101 The Respondent also submits that section 53 of the PPIP Act or, alternatively Part 5 of the PPIP Act in its entirety and the provisions of the WIMWC Act, necessarily implies or reasonably contemplates non-compliance with section 9 of the PPIP Act in the circumstances of this case, for the purposes of section 25 of the PPIP Act.

102 The Respondent submits that applying PN (at paragraph [55]), the initial consideration is whether the subject matter of sections 53 or Part 5 of the PPIP Act more generally, or the WIMWC Act, is the kind of subject matter with which section 9 is concerned in the circumstances of this case.

103 It contends that in order for an agency to investigate a complaint under the PPIP Act, as described in section 53, consideration must ordinarily be given to whether the conduct complained of occurred and in what context, as applicable to the applicant. Accordingly, the provision of information or documents requested by the agency in the course of an investigation under section 53 must necessarily involve the disclosure of information personal to the relevant individual, whether personal information or health information.

104 In the alternative, the Respondent contends that the investigative nature of the functions conferred on an agency under section 53 impliedly empower an agency to gather information from the relevant parties to the complaint, or other sources, albeit voluntarily. To "investigate" means "to search or inquire into; search or examine into the particulars of; examine in details" or "to examine in order to obtain the true facts" (Macquarie Dictionary, 4th edition). It submits that this means the agency must consider more than simply the information provided by the complainant in the complaint. In order for the agency to "search or inquire into" the substance of the complaint, the agency must be in a position to request information from the relevant sources to ascertain their version of events. It submits that this is confirmed by section 53(7)(a) which permits the agency to take no further action on the matter. Further, as a matter of procedural fairness, the agency must have the opportunity to have input into the investigative process.

105 The final consideration outlined in PN is whether the disclosure of information that occurred in the context of this case was "genuinely undertaken for the purpose of the scheme", in the sense that it was done in good faith for the purpose of the scheme.

106 Ms Johnson submitted that section 53 does not limit the agency's power to consider material which may be relevant to its conduct of the review. Section 53(5), however, requires an agency to consider any relevant material submitted by the applicant and the Privacy Commissioner. She further submitted that it is not appropriate to undertake a detailed analysis of the internal review determination or the communications between the Respondent and StateCover to determine whether it met every requirement of section 53, or that each communication concerned only the collection of Dr Kar's report from the Council. Even if the Respondent had failed to comply with some aspect of section 53, which is not conceded, this is not material. It is sufficient that, considering the "overall circumstances of the communication", it met the central tenor of the provision.

107 Ms Johnson submitted that the email from StateCover dated 3 August 2012 and its attachments are responsive to the Respondent's requests for information in relation to the complaint. She contends that it provides a reply to the substance of the complaint and, on the face of the email, information considered by StateCover to be of assistance to the Respondent's internal review. She further submitted that it is not necessary to establish that the information provided by StateCover was relevant to the Respondent's internal review; merely that it was provided for the purpose of the legislative scheme, that is, section 53.

108 In the alternative, Ms Johnson submitted that even if the information was not provided in response to a request under section 53, it was provided to the Respondent at its request in order to give its version of events. She contends that such a step is impliedly contemplated by the investigative or regulatory functions conferred on the Respondent under sections 22 and 243A of the WIMWC Act and the requirements of procedural fairness.

109 Ms Johnson further contends that on neither basis is there any ground for concluding that the collection of the information, in the form of requests to StateCover for information concerning the conduct under review was anything other than genuinely undertaken for the purpose of either section 53 of the PPIP Act or the investigative regime in the WIMWC Act. Therefore, in the circumstances of this case non-compliance with section 9 of the PPIP Act is necessarily implied or reasonably contemplated.

HPP 4

110 The Respondent contends that to the extent that ALZ provided personal or health information to it, such information was unsolicited and therefore not collected by the Respondent.

111 For the reasons given in relation to section 9 of the PPIP Act, the Respondent submits that it was not required to comply with HPP 4(1) and (2) in requesting information from StateCover because non-compliance is "otherwise permitted (or is necessarily implied or reasonably contemplated)" under the PPIP Act, or in the alternative, the WIMWC Act, for the purposes of HPP 4(4)(c).

112 In the alternative, the Respondent submits that even if the information was not provided in response to a request under section 53, it was provided at the Respondent's request in order to give StateCover's version of events. The Respondent submits that this is a step impliedly contemplated by the investigative function conferred on the Respondent under sections 22 and 243A of the WIMWC Act and the requirements of procedural fairness.

113 The Respondent submits that there is no ground for concluding that the collection of the information, in the form of requests to StateCover for information concerning the conduct under review was anything other than genuinely undertaken for the purpose of either section 53 of the PPIP Act or the investigative regime in the WIMWC Act.

HPP 5 and section 12 of the PPIP Act

114 The Respondent submits that there is no evidence that it breached the retention and security principles in the PPIP and/or HRIP Act in conducting any of its internal reviews. The evidence of Mr McBride is that the medical report is securely stored on an electronic Privacy file and cannot be accessed by others.

115 However, the Respondent submits that it was not required to comply with HPP 5(1) in conducting the internal review because non-compliance is otherwise permitted, necessarily implied or reasonably contemplated under the PPIP Act or the WIMWC Act for the purposes of HPP5(2).

HPP 9 and section 16 of the PPIP Act

116 HPP 9 and section 16 of the PPIP Act provide that an agency that holds health/personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading."

117 Having regard to the purpose for which ALZ's health or personal information was used, which was to conduct an internal review into the matters complained of, the Respondent submits that the information was relevant, accurate and not misleading.

HPP 10 and section 17 of the PPIP Act

118 "Use" refers to "action taken by the agency to use information for its own purposes": Department of Education and Communities v VK at paragraph [20]. The Respondent accepts that it used ALZ's personal and health information in the course of conducting the internal review. It submits that it is apparent that it had regard to the information provided by StateCover in preparing the Internal Review determination of 14 September 2012.

119 However, the Respondent submits that it was not required to comply with HPP 10(1) in conducting the Internal Review because non-compliance is "otherwise permitted (or is necessarily implied or reasonably contemplated)" under the PPIP Act for the purposes of HPP 10(2)(b).

HPP 11 and section 18 of the PPIP Act

120 With limited exceptions, an agency that holds health/personal information must not disclose the information for a purpose other than the purpose for which it was collected.

121 The Respondent does not accept that it disclosed ALZ's health information to StateCover when it made its request for background information regarding the circumstances of the provision of Dr Kar's report to the Council, as this information was already held by StateCover, who managed ALZ's workers compensation claim.

122 However, the Respondent submits that it was not required to comply with HPP 11(1) or section 18 in disclosing this information to StateCover because non-compliance is "otherwise permitted (or is necessarily implied or reasonably contemplated)" under the PPIP Act or the WIMWC Act for the purposes of HPP 11(2)(b) and section 25 of the PPIP Act.

123 Ms Johnson submitted that in order for an agency to investigate a complaint under section 53, an agency may need to disclose some minimal health information to a third-party. In order for the third-party to provide information to the agency to give its version of events, as part of its investigative functions under section 53, it will generally be necessary for the third-party to be provided with some person or health information. She submitted that this was genuinely undertaken by the Respondent for the purpose of its internal review under the PPIP Act.

124 Ms Johnson further submitted that, to the extent that the Respondent disclosed information to the Tribunal and the Privacy Commissioner, such disclosure was compelled by law pursuant to sections 54 and 55 of the PPIP Act, respectively, and section 58 of the ADT Act. Further, to the extent that the Respondent transferred information to external lawyers, those lawyers are "agents" of the Respondent, and thus not legally separate from the Respondent, meaning that no "disclosure" within the meaning of the PPIP Act or HRIP Act occurred. Alternatively, if such transfer of information did amount to "disclosure" within the meaning of the PPIP Act or the HRIP Act (which the Respondent denies), then such disclosure was permitted or reasonably contemplated by law, either because it involved the discharge of the Respondent's statutory functions, or it was pursuant to a common law right to seek confidential legal advice.

Discussion

125 As noted above, the complaint that is the subject of this application concerns the conduct of internal reviews by Mr McBride. It is common ground that ALZ identified the conduct that she was complaining about as the collection of a psychiatric independent medical examination report by Dr Kar from the Council. It was this conduct that was the subject of Mr McBride's internal reviews.

126 It is also common ground that Inspector Dall obtained Dr Kar's report from the Council's Return-to-Work Co-ordinator on 15 December 2011.

127 In his internal review determination made on 14 September 2012 Mr McBride wrote:

In order to gather evidence to undertake this internal review, I have been required to consult with StateCover Mutual Limited, the specialist insurer concerned with your claim for workers compensation. I have also consulted with the manager of WorkCover's Provider Services Unit and Inspector Michael Dall of WorkCover's Ballina District Office. ...

128 Notwithstanding that he stated that he consulted with Inspector Dall, and clear evidence from Inspector Dall stating that he had obtained Dr Kar's report from the Council's Return-to-Work Co-ordinator on 15 December 2011, Mr McBride concluded that:

Based on all the information available to me at the time of this internal review, I am unable to establish any evidence to support the alleged conduct has occurred.

129 In his internal review determination Mr McBride also wrote:

WorkCover has an obligation to ensure that injured workers are treated fairly and in accordance with the relevant legislation that binds the effective management of workers compensation claims. Therefore, a review of StateCover's actions has also been taken into consideration. ... Specifically I understand you are concerned about how this information was collected and used by StateCover, as the specialised insurer of workers compensation for [the] Council.

130 There does not appear to be any material before me to show how Mr McBride could have reached his understanding that ALZ had concerns about conduct by StateCover. ALZ has asserted that she made no such complaint against StateCover.

131 To a significant extent the Respondent's case is based on the perceived need to inquire into the conduct of StateCover. On the material before me I am not satisfied that such a need existed.

132 Ms Johnson submitted that the email from StateCover dated 3 August 2012 and its attachments are responsive to the Respondent's requests for information in relation to the complaint. I accept that the email was in response to a request from the Respondent. However, it is unclear how it is said that the material is in relation to the complaint that Mr McBride was investigating i.e. the collection of Dr Kar's report from the Council.

133 In my view, the Respondent could have undertaken its investigation of the complaint without consideration of StateCover's material. It was not necessary that StateCover provide the material to the Respondent in order to give its version of events as StateCover's version of events was not necessary for the conduct of the investigation.

134 I do not accept that ZR and Department of Education and Training [2010] at [72] is authority for the principle that a request to the Respondent to undertake an internal review is consent for the Respondent to undertake an investigation of matter that were not the subject of the complaint or the collection of information about a complainant that is unrelated to the complaint. Nor do I accept that section 53 of the PPIP Act authorised, required or reasonably contemplated non-compliance with the Principles applicable to the collection of ALZ's health and personal information. I agree with ALZ in regard to the proper construction of section 53 of the PPIP Act.

135 Section 53 does not authorise, require, contemplate or permit non-compliance with the obligation to handle ALZ's health and personal information in compliance with the HPPs and the IPPs.

136 There appears to me to be merit in ALZ's assertion that the conduct to be investigated was limited to the collection of Dr Kar's report from the Council. If that is the case, there is no basis for the Respondent's collection of ALZ's personal and health information from StateCover or disclosure d of ALZ's personal and health information to StateCover. There would have been simply no need for communication between the Respondent and StateCover in regard to the investigation concerning the collection of Dr Kar's report from the Council. Any personal or health information that the Respondent collected from StateCover for the purpose of the internal reviews would therefore have been irrelevant to those reviews.

137 It is not clear how Ms Laing was able to conclude that the Respondent had a requirement to consult with StateCover or that "the conduct undertaken was appropriate and relevant in the circumstances". Similarly, it is unclear how she formed the view that "WorkCover's Privacy Officer was required to 'collect' enough relevant information ... from StateCover Mutual Limited, that was reasonably necessary for the proper exercise of undertaking a lawful investigation

138 On the material before me that conclusion is not justified. The Respondent would have been able to perform its investigation concerning the collection of Dr Kar's report from the Council without collecting the information from StateCover. The collection of ALZ's health/personal information from StateCover was not reasonably necessary for the purpose of reviewing the conduct that was the subject of the application.

139 Similarly, the WIMWC Act would not assist the Respondent in regard to any non-compliance with the PPIP Act and HRIP Act. I accept ALZ's assertion that she had not made any complaint about StateCover's conduct. I agree with ALZ's submission that the Respondent could only rely on the WIMWC Act as a basis for not complying with the privacy principles if the collection of ALZ's personal and health information from StateCover was related to the management of her workers compensation claim. In the circumstances of this matter the investigation of ALZ's complaint concerning the collection of Dr Kar's report from the Council did not relate to the management of her workers compensation claim and therefore non-compliance with the PPIP Act and HRIP Act could not have been permitted, necessarily implied or reasonably contemplated by the WIMWC Act.

140 It is also my view that the exemptions asserted in relation to the use of ALZ's information cannot apply in the circumstances of this matter to information that was collected in contravention of IPPs and HPPs.

141 I note Ms Johnson's reference to the Appeal Panel decision in AIL v Department of Premier and Cabinet (GD). AIL involved a department responding to an official enquiry from an investigating body. The investigating body was operating within a statutory framework. That is not the case here. In my view the scope of ALZ's written complaint does in fact set the parameters of the Respondent's consideration in this matter.

142 I also note Ms Johnson's reference to the Appeal Panel decision in Department of Education and Communities v VK which considered disclosure of personal information for the purposes of the workers compensation scheme. As I have noted, I do not agree with the Respondent's submission in regard to the application of the WIMWC Act.

143 The Respondent contends that the disclosure of ALZ's personal and health information to the Privacy Commissioner and the ADT was compelled by law pursuant to sections 54 and 55 of the PPIP Act and section 58 of the ADT Act. No argument has been present in regard to how those provisions relate to information that was collected in contravention of IPPs and HPPs.

144 The Respondent has not addressed these issues in either the internal review undertaken by Ms Laing.

145 Given the extent to which the Respondent's case relies on the issues that I have raised and in particular its assertion that non-compliance with various provisions is authorised, it is my view that the matter should be re-determined to allow the Respondent to take account of those issues. In that regard I make the following findings:

(i) Inspector Dall obtained Dr Kar's report from the Council's Return-to-Work Co-ordinator on 15 December 2011;

(ii) In regard to the determination of 14 September 2012, Mr McBride did not conduct a review of the alleged conduct because of the erroneous finding that the conduct did not occur;

(iii) ALZ did not make any complaint against StateCover that warranted review by the Respondent;

(iv) the investigation of ALZ's complaint concerning the collection of Dr Kar's report from the Council did not relate to the management of ALZ's workers compensation claim;

(v) it was not reasonably necessary for the Respondent to collect information from StateCover for the proper exercise of an investigation of ALZ's complaints;

(vi) the WIMWC Act does not lawfully authorise or require non-compliance with IPPs and HPPs as asserted by the Respondent in the circumstances of this matter; and

(vii) section 53 of the PPIP Act does not authorise or require non-compliance with IPPs and HPPs as asserted by the Respondent in the circumstances of this matter.

Orders

1. The matter is remitted to the Respondent for reconsideration under section 65 of the Administrative Decisions Review Act 1997.

2. The reconsideration is to be completed by 29 July 2014.

3. The matter is listed for a further planning meeting at 3pm on 5 August 2014.

 

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar

Decision last updated: 08 July 2014