Mending fences
I felt angry when I read the New South Wales Civil and Administrative Tribunal’s (the Tribunal’s) decision in DMW and DMX v NSW Rural Fire Service [2019] NSWCATAD 158 (9 August 2019).
I felt angry because it seemed to me that the Tribunal construed and applied the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) as if it was an Act developed to enable public agencies to go about their business with the least possible interference with the agencies assumed ‘right’ to handle personal information.
Courts and tribunals in other jurisdictions construe Acts in the light of their purpose and in the context of other provisions of the Act.[1] They choose a construction that advances the purpose over a construction that frustrates the purpose.[2] They take care to give human rights Acts a beneficial construction.[3]
The Tribunal did not. It broadly construed provisions that limit privacy rights and read the information protection principles (IPPs) in isolation. It had no regard to the purpose of the Act (the protection of personal information and privacy[4] ) and no regard to the context that the other IPPs provide.
I came across a High Court case that referred to, as an unregretted thing of the past:
The good old rule, the simple plan,
That he should take who has the power
And he should keep who can [5]
It made me think of conduct reviews in privacy matters in the Tribunal.
Background
DMW and DMX wanted to mend their fences but they needed to clear some vegetation first so they asked the Local Land Services about getting permission to do the clearing. The Local Land Service was very tardy to start with but then it went overboard trying to help DMW and DMX with their enquiry; it disclosed their personal information to other public agencies (including the Office of Environment and Heritage and the Rural Fire Service) without DMW’s and DMX’s knowledge or permission[6].
The Office of Environment and Heritage forwarded DMW’s and DMX’s personal information to the Rural Fire Service who used the information to decline an application for a hazard reduction certificate that DMW subsequently made.[7]
On top of that the Rural Fire Service forwarded emails containing DMW’s personal information to the Hawkesbury City Council because, it said, “DMW was threatening to clear vegetation illegally”[8] (which DMW denied[9]) and because that’s what it always did[10].
Then, when DMW and DMX asked the Rural Fire Service for access to their personal information, the Fire Service (who’d been so free and easy in exchanging it with other agencies) told DMW and DMX to apply for access to their personal information under the Government Information (Public Access) Act 2008 (NSW) (GIPA Act).[11]
Review applications
DMW and DMX applied to the Rural Fire Service for an internal review of its “collection, storage, use and distribution of their personal information”, and for a review of its refusal to provide them access to their personal information[12].
Not satisfied with the findings, DMW and DMX applied to the Tribunal for a review of the Rural Fire Service’s conduct under the Administrative Decisions Review Act 1997.[13]
Collection
Rural Fire Service’s position
The Rural Fire Service cited s 4(5) of the PPIP Act and said it had not collected DMW’s and DMX’s personal information for the purpose of the Act. It also cited s 27A(b)(ii) and said it was exempt from complying with the collection IPPs.[14] The Tribunal agreed with the Rural Fire Service.[15]
It appears that the Rural Fire Service and the Tribunal arrived at their conclusion by reading the text of the above provisions and taking them at face value, with no regard to the PPIP Act’s purpose, which was wrong because, as the High Court said, to ignore the beneficial character of the legislation or to treat it as immaterial to the function of interpretation is to read the words divorced from their context and purpose and that’s a mistake.[16]
Correct approach
Section 4(5) and s 27A(b)(ii) ought to be read and construed in the context of the PPIP Acts purpose – “An Act to provide for the protection of personal information, and for the protection of the privacy of individuals generally”[17] – with the aim of advancing and not frustrating the purpose.
Preferred constructions
Section 4(5)
Section 4 (5) of the PPIP Act says, “For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited”.
Meaning of ‘receipt’ and ‘unsolicited’
‘Receipt’ means “the act of receiving or fact of being received”[18] and ‘unsolicited’ means “not requested or invited”[19].
The Rural Fire Service did, in fact, receive the personal information in the email from the Office of Environment and Heritage so the question that remains is whether the receipt of the information by the Rural Fire Service was not solicited i.e. not requested or invited.
Getting real
The Rural Fire Service is a public agency that needs to receive communications (phone calls, emails, letters etc.) from persons and other public agencies so it can perform its functions and activities. Its contact information is published in the Service NSW directory and on its website. It employs people to receive and respond to the communications it needs to receive, which communications will very often contain personal information of some kind even if it’s just the name of person that has contacted it.
In those circumstances it’s not reasonable or realistic for the Rural Fire Service to say that it does not invite persons and other public agencies to contact it and provide it with the information, including personal information, that it needs carry out its functions and activities.
Invitation implied
The High Court said, “an invitee is a person who enters at the express or implied invitation of the occupier in a matter in which the two have a common material interest”[20].
The Office of Environment and Heritage (the invitee) entered into email communication at the implied invitation of the Rural Fire Service in the matter in which the two agencies had a common material interest; the matter being the issue of whether the vegetation along DMW’s boundary fence could be cleared.
Conclusion
The Rural Fire Service took receipt of the personal information in the email that it solicited (impliedly invited) the Office of Environment and Heritage to send.
The Rural Fire Service collected DMW’s and DMX’s personal information for the purposes of the Act.
Section 27A(b)(ii)
Section 27A(b)(ii) was inserted into the PPIP Act in 2015 to save the Privacy Commissioner the job of renewing annually a Direction that was made in the public interest under s 41 of the PPIP Act, which says:
The Privacy Commissioner, with the approval of the Minister, may make a written direction that … a public sector agency is not required to comply with an information protection principle or a privacy code of practice …
The Privacy Commissioner is not to make a direction under this section unless the Privacy Commissioner is satisfied that the public interest in requiring the public sector agency to comply with the principle or code is outweighed by the public interest in the Privacy Commissioner making the direction.
The Direction said, and s 27A says:
A public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if:
(a) the agency is providing the information to another public sector agency or the agency is being provided with the information by another public sector agency, and
(b) the collection, use or disclosure of the information is reasonably necessary:
(i) to allow any of the agencies concerned to deal with, or respond to, correspondence from a Minister or member of Parliament, or
(ii) to enable inquiries to be referred between the agencies concerned, or
(iii) to enable the auditing of the accounts or performance of a public sector agency or group of public sector agencies (or a program administered by an agency or group of agencies).
‘Inquiries’
It appears that the Rural Fire Service and the Tribunal assumed that the word ‘inquires’ in s 27A(b)(ii) had a wide scope that encompassed an inquiry about whether an individual can clear vegetation to mend a fence, which brings to mind the Sesame Street song, ‘One of these things is not like the other, one of these things doesn’t belong’, because s 27A(b)(ii) sits between an exemption that permits non-compliance that’s reasonably necessary to allow an agency to deal with correspondence from a Minister or member of Parliament, and an exemption that permits non-compliance that’s reasonably necessary to enable the auditing of the accounts or performance of agencies.
It seems unlikely to me (being a citizen and not a public agency) that Parliament intended to exempt agencies from complying with the collection, use and disclosure IPPs as they went about their every-day activities. Thankfully there is a legal maxim noscitur a sociis – “The meaning of a word or phrase is to be derived from its context”[21] that can be applied to narrow the meaning of ‘inquiries’ and restore common sense.
In the context of the surrounding exemptions the word ‘inquires’ means inquiries that concern the high level workings of the government or Parliament. ‘Inquiries’’ wide connotation is limited by the context in which it appears.[22]
Avoid a voiding construction
The High Court said, “[T]he task of a court construing a statutory provision is to give meaning to every word in the provision. It is a long-established rule of interpretation that “such a sense is to be made upon the whole as that no clause, sentence, or word shall prove superfluous, void, or insignificant, if by any other construction they may all be made useful and pertinent”.[23]
Which further supports that ‘inquiries’ has a narrow meaning because if ‘inquiries’ has a broad meaning the exemption for dealing with a Minister’s correspondence and the exemption for auditing an agency’s accounts are superfluous as they would be covered by the ‘inquiries’ exemption.
Beneficial and narrow
That ‘inquires’ should be narrowly construed is reinforced by other principles of statutory construction like choosing a construction that promotes the purpose of the Act over a construction that frustrates the purpose, and giving provisions that limit rights a beneficial i.e. narrow construction.[24]
Collection IPPs applied
The Rural Fire Service collected DMW’s and DMX’s personal information for the purpose of the Act; it was not exempted from complying with the collection IPP’s, consequently:
-
- The Rural Fire Service was prohibited from collecting personal information unless the information was collected for a lawful purpose that is directly related to a function or activity and the collection was reasonably necessary for that purpose, and it was prohibited from collecting by any unlawful means (s 8).
- It was required to collect DMW’s and DMX’s personal information directly from them unless they authorised the collection from the Office of Environment and Heritage (s 9).
- If the Rural Fire Service had collected DMW’s and DMX’s information directly from them it would have been required to take steps to ensure that it made DMW and DMX aware of the fact and purpose of the collection, who the intended recipients of their information were, whether the collection was required by law or voluntary and its (the Rural Fire Service’s) name and address (s 10).
- If the Rural Fire Service had collected the information from DMW and DMX it would have been required to take steps to ensure that the information was relevant to the purpose of collection, not excessive, was accurate, up to date and complete, and the collection not unreasonably intrusive (s 11).
Contravention of s 9
The Rural Fire Service contravened the direct collection principle in s 9 when it collected DMW’s and DMX’s personal from the Office of Environment and Heritage without DMW’s and DMX’s authorisation.
Circumvention of s 10 and s 11
The Rural Fire Service circumvented the other collection requirements in s 10 and s 11 of the Act. That circumvention denied DMW and DMX their right to know about and agree to the collection and proposed use of their information, and denied the Rural Fire Service the authorisation it needed from DMW and DMX to use their information to determine their entitlement to a hazard reduction certificate.
S 13 has work to do
Which might seem unfair given that the Rural Fire Service could not control what the Office of Environment and Heritage emailed to it but the IPP in s 13 gave the Rural Fire Service the means to fix things up; all the Rural Fire Service had to do was comply with it.
Compliance with s 13 would have entailed taking steps that enabled DMW and DMX to ascertain that it was holding personal information relating to them and “the nature of that information, and … the main purposes for which the information is used, and … [their] entitlement to gain access to the information”. It’s not much to ask really.
Compliance with s 13 would have put DMW and DMX in a position to request, as per their s 15 entitlement, appropriate amendments including the deletion of the information that they did not authorise the Rural Fire Service to collect or use and very likely would not have volunteered because it wasn’t relevant or up to date for the purpose of their application to the Rural Fire Service for a hazard reduction certificate.
Possession or control
Sections 12 – 19 of the PPIP Act contain IPPs that apply to a public sector agency that holds personal information. “Personal information is held by a public sector agency if … the agency is in possession or control of the information …”[25]
The High Courts has said:
“Few terms in law are as difficult to define as “possession”. What it means in one branch of the law may be different from what it means in another branch of the law. The policy behind particular branches of the law has always played a part in determining what constitutes “possession” for the purposes of those branches … the “general principle appears to be that, until the contrary is proved, possession in law follows the right to possess” … a person cannot have legal possession of that thing unless he or she either has actual control of, or the legal right to control, it. But that said, control or the legal right to control is central to the common law’s concept of possession.”[26]
“The phrase in the section we are called upon to interpret is “possession or control” … And the phrase possession and control denotes the right and power to deal with the article in question. In the instant case the question resolves itself into one of fact. In any given case it is necessary to take into consideration all the circumstances and the nature of the thing the subject of the inquiry.”[27]
“But possession may be unlawful in the relevant sense for a number of other reasons, and one cannot say that the conduct or intention of the person in possession is always immaterial to the lawfulness of possession”.[28]
It can’t be taken for granted, therefore, that an agency is legally entitled to possess or control an individual’s personal information just because it kept it.
No legal right to possess or control
As a consequence of contravening the direct collection IPP in s 9 the Rural Fire Service failed to obtain the authorisation it needed from DMW and DMX to use their information.
The Rural Fire Service had, therefore, no purpose for which the information may lawfully be used and it was required to dispose of the information (s 12).
The requirement to dispose of the information means that the Rural Fire Service had no right to retain the information; having no right to retain the information means no right to possess the information; no right to possess the information means no right to control the information; no right to control the information means no right to take steps to ‘verify’, or propose to use, or use, or disclose, the information.
Retention and security
The Rural Fire Service said that it had complied with the retention and security IPP in s 12, [29] but it did not read s 12 in the context of the other IPPs or the PPIP Acts purpose, which oversight is a pretty fundamental mistake to make when construing and applying a legislative provision.
Section 12 says:
A public sector agency that holds personal information must ensure:
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
The Rural Fire Service did not have a purpose for which the information may lawfully be because when it contravened s 9 it failed to obtain DMW’s and DMX’s consent/authorisation to use the information (which consent DMW and DMX were entitled to give or withhold).
And the Rural Fire Service needed DMW’s and DMX’s authority because nowadays:
The good old rule, the simple plan,
That he should take who has the power
And he should keep who can [30]
no longer prevails.
Conclusion on s 12(a)
In contravention of s 12(a) the Rural Fire Service kept DMW’s and DMX’s personal information for longer than was necessary for the purposes for which the information may lawfully be used.
Unauthorised use and disclosure
The Rural Fire Service’s security safeguards were not sufficient to protect DMW’s and DMX’s information against the unauthorised use (that occurred when the Rural Fire Service used the information to refuse to issue a hazard reduction certificate) and the unauthorised disclosure (that occurred when the Rural Fire Service forwarded DMW’s email to it to the Hawkesbury City Council).
Conclusion on s 12(c)
The Rural Fire Service said that its above handling was correct and its usual practice, which is evidence, I think, that its safeguards are not reasonable to protect against unauthorised use and disclosure.
The Tribunal should have determined this issue, found a contravention of s 12(c) and made an order that required the Rural Fire Service to revise its handling practices and train its employees on their PPIP Act obligations.
Access
Nobody disputes that the Rural Fire Service contravened the access IPP in s 14 when it did not provide DMW and DMX with access to their personal information at their request but required them to apply for access under the GIPA Act.
It’s unsurprising that DMW and DMX were not satisfied with the Rural Fire Service’s apology and refund of the GIPA Act application fee when they believed that the Rural Fire Service’s contravention of the PPIP Act had caused its refusal to grant the hazard reduction certificate, and when the Rural Fire Service gave them the run around instead of the access to their information that the PPIP Act entitled them to.
The Rural Fire Service’s requirement that they make a GIPA Act application would, I think, have increased the stress, exacerbated the hurt, and worsened the mistrust that it’s natural to feel toward a person that interfered with your privacy, dignity and autonomy. Especially when the person is a public agency that maintains that it did nothing wrong.
Accuracy
Section 16 says:
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
Failed the first test
Sections 16’s first test was whether the Rural Fire Service had legal possession and control of DMW’s and DMX’s personal information. According to my construction of the IPPs it did not.
Step not reasonable
The Rural Fire Service and the Tribunal read s 16 in isolation from the rest of the Act, including its purpose, and took a narrow view of the circumstances (which, as previously said, is wrong). They concluded that checking with DMW that he gave accurate information to the Office of Environment and Heritage was a reasonable step to comply with s 16. However, “what is reasonable depends on all the circumstances including the nature and purpose of the express stipulations”.[31]
Circumstances
The Rural Fire Service’s indirect collection circumvented its s 10 and s 11 obligations and denied DMW and DMX their correlative rights to provide relevant, accurate and up to date personal information for the purpose of their hazard reduction certificate request.
It doesn’t follow that because DMW and DMX provided the Office of Environment and Heritage with relevant and accurate information for the purpose of enquiring about permission to clear vegetation generally that the information was relevant, accurate and up to date for the purpose of applying for a hazard reduction certificate specifically.
It is probable that as they became better informed DMW and DMX would have concluded that the vegetation needed to be cleared primarily for the purpose of hazard reduction. It was their right to reach that conclusion and their right to volunteer relevant, accurate and up to date information that supported their application.
Reasonable step
In circumstances where the Rural Fire Service had engaged in a process that contravened the PPIP Act’s fair collection process that was protective of personal information and privacy rights a reasonable step would have been one that reinstated the fair statutory process.
Use and disclosure
The use IPP in s 17 and the disclosure IPP in s 18 apply to “A public sector agency that holds personal information …
According to my construction of the PPIP Act the Rural Fire Service were not in legal possession and control of DMW’s and DMX’s and it had no right and no authority to use and disclose it.
[1] Minister for Immigration v Eshetu [1999] HCA 21 (13 May 1999), [71].
[2] X v Commonwealth [1999] HCA 63 (2 December 1999), [146].
[3] Waters v Public Transport Corporation [1991] HCA 49 (3 December 1991), [21].
[4] PPIP Act, long title.
[5] Doodeward v Spence [1908] HCA 45; (1908) (31 July 1908).
[6] DMW and DMX v NSW Local Land Services [2019] NSWCATAD 128 (2 July 2019), [36].
[7] DMW and DMX v NSW Rural Fire Service [2019] NSWCATAD 158 (9 August 2019), [38].
[8] Ibid. [5], [39].
[9] Ibid. [67].
[10] Ibid. [48].
[11] Ibid. [33], [52].
[12] Ibid. [7].
[13] Ibid. [13].
[14] Ibid. [36-37].
[15] Ibid. [54].
[16] Minister Administering the Crown Lands Act v NSW Aboriginal Land Council [2008] HCA 48 (2 October 2008), [15].
[17] PPIP Act, long title.
[18] <https://www.collinsdictionary.com/dictionary/english/receipt>.
[19]< https://www.collinsdictionary.com/dictionary/english/unsolicited>.
[20] Rich v Commissioner for Railways (NSW) [1959] HCA 37 (21 August 1959).
[21] Australian Postal Corp v Pac-Rim Printing Pty Ltd [1999] FCA 640 (14 May 1999), [60].
[22] Ibid.
[23] Plaintiff M47-2012 v Director General of Security [2012] HCA 46 (5 October 2012), [41].
[24] Howe v QANTAS Airways Ltd [2004] FMCA 242 (15 October 2004), [7.26].
[25] PPIP Act, s 4(4).
[26] Western Australia v Ward [2002] HCA 28 (8 August 2002), [478].
[27] Williams v Douglas [1949] HCA 40 (15 September 1949).
[28] Gollan v Nugent [1988] HCA 59 (17 November 1988), [15].
[29] DMW and DMX v NSW Rural Fire Service [2019] NSWCATAD 158 (9 August 2019), [12].
[30] Doodeward v Spence [1908] HCA 45 (1908) (31 July 1908).
[31] Electronic Industries Ltd v David Jones Ltd [1954] HCA 69 (26 November 1954), [8].