Open and transparent government, but not at the cost of individual privacy

The recent decision of EIG v North Sydney Council [2021] NSWCATAD 313 in the Civil and Administrative Tribunal, is a reminder that open and transparent government must be weighed against individuals’ right to privacy.

In this case, the Tribunal ruled a local council breached Information Privacy Principles when a complainant’s identity was made public.

What happened?

The background facts are somewhat sketchy, as the Senior Member of the Tribunal tried to ensure the anonymity of the Applicant. What is clear is that:

  • the Applicant was a Councillor who had made an earlier complaint about the Council’s handling of personal information

  • the Applicant’s request for an internal review of that conduct was the subject of Initial Proceedings before the Tribunal.

Before the Initial Proceedings were decided, the Applicant’s name was published in two Legal and Planning Committee (LPC) meetings of the Council, certain LPC papers and on the Council’s public website. That occurred even though the Applicant’s name had been anonymised by the Tribunal, as per NCAT Administrative and Equal Opportunity Division Guidelines.

In these proceedings, the Applicant complained of the following breaches:

  • the Applicant’s name was identified in the ‘Current Appeals and Results Report’ (Report), which was included in the agenda papers for the LPC meeting in June and posted to the Council’s website

  • open discussion of the decision of the proceedings (knowing the Applicant had been identified in the Report) at the June LPC meeting and posting a recording of that meeting on the Council’s website

  • identifying the Applicant in a further report in October and including that report in the agenda papers to an LPC meeting in October and posting that information on the Council website.

Before the alleged breaches, the Council had been advised of the Tribunal’s anonymisation practice.

On becoming aware in July of the Council’s actions, the Applicant notified the Council of its breach of the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Tribunal’s anonymisation practice and requested an internal review of those breaches. Despite this, further breaches occurred in October.

What is personal information in relation to a public sector agency?

The PPIP Act defines personal information as:

information or an opinion (including information or an opinion forming part of the database and whether or not recorded in material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

Information or an opinion may be about an individual even if it has multiple subject matters. Further, even if a piece of information is not about an individual, it may become so when combined with other information. In Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 the Federal Court said:

in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require and evaluate to conclusion.

Importantly, it has been held that the definition of ‘personal information’ in the PPIP Act ‘is broad and to be interpreted broadly’.

‘Personal information’ excludes information about an individual in a publicly available publication. However, what seems clear is that disclosure of personal information is making that information known to a person who, but for that disclosure, would not know that information.

What was the personal information used?

The Council conceded that the personal information was the Applicant’s name attached to the details of the decision regarding the Initial Proceedings (Relevant Personal Information) and that it used and disclosed that information in the manner complained of.

What are the relevant privacy principals?

The relevant information privacy principles (IPPs) were:

(a) IPP 10 (use) – a public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless,

(i) the individual to whom the information relates has consented to the use of the information for that other purpose, or

(ii) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(iii) the use of the information for that other purpose is necessary to prevent or lessen serious and imminent threat to the life or health of the individual to whom the information relates or
of another person.

(b) IPP 11 (disclosure) – an agency must not disclose personal information to … other than the individual to whom the information relates unless,

(i) the disclosure is directly related to the purpose for which it was collected and there is no reason to believe the individual concerned would object;

(ii) the individual is reasonably likely to have been made aware that such information is usually
disclosed to that other person; or

(iii) the agency believes are reasonable grounds disclosure is necessary to prevent or lessen a
serious or imminent threat to life or health of any person.

(c) Section 11 of the Local Government Act 1993 provides:

Public access to correspondence and reports

(1) A council and a committee of which all the members are councillors must, during or at the
close of a meeting, or during the business day following the meeting, give reasonable access to any person to inspect correspondence and reports laid on the table at, or submitted to, the meeting.

(2) This section does not apply if the correspondence or reports:

(a) relate to a matter that was received or discussed, or

(b) were laid on the table at, or submitted to, the meeting,

when the meeting was closed to the public.

(3) This section does not apply if the council or committee resolves at the meeting, when open to the public, that the correspondence or reports, because they relate to a matter specified in
section 10A(2), are to be treated as confidential.

Council’s arguments and concerns

The Council denied contravening the PPIP Act.

It said it used the personal information to prepare a report to the LPC meeting, comprising counsellors and senior staff. It also argued that IPP 10 did not apply to unsolicited information (such as a complaint), as this was not collected by the public sector agency. Alternatively, if the information was held to have been collected, the Council said it was used for the purpose for which it was collected; namely, to prepare an internal report for the LPC.

The Council also said that as the Applicant was reasonably likely to have been aware that parties to litigation were usually made public through the agenda of the LPC meetings, such disclosure was permitted under IPP 11.

Finally, the Council claimed it was obliged to make the Report public under section 11 of the Local Government Act 1993 dealing with open and transparent government.

Sorry but Open Government has its bounds?

(a) The Tribunal rejected the argument that the personal information was unsolicited. It said the Information Privacy Commissioner “has warned agencies against treating complaints as unsolicited information if the agency holds itself out as the agency to contact in relation to such complaints.”

(b) The information was therefore collected in relation to an internal review request and the Initial Proceedings. Further, the LPC was not involved in the day-to-day investigation, review and/or prosecution of complaints and only had an after-the-fact role in such matters. Accordingly, the Tribunal found that the use of the Relevant Personal Information in the report for the LPC was not for the purpose for which that information was collected or directly related to that purpose. The Council therefore breached IPP 10 in the incidents of June and October 2020.

(c) The Tribunal held that as a result of the Council’s Complaint Handling Policy and Access to Information Policy, the Applicant would not have expected his personal information to be disclosed in the Reports. In particular, the Complaint Handling Policy said:

“personally identifiable complainant information will be actively protected from disclosure and only used for the purposes of addressing the complaint within the Council”

“Council will ensure that confidentiality is maintained in regard to the complaints received. Personally identifiable information of the complainant will be used for the purposes of addressing and resolving the complaint only …’

“Complaints relating to privacy and breaches … will be managed in accordance with the requirements of the Privacy and Personal Information Protection Act 1998 and Council's Privacy Management Plan".

It was not reasonably likely, even if it was actually done, that the Applicant was aware the Relevant Personal Information was usually included in the Reports and disclosed to the public.

(d) Open Government – section 11 of LGA did not imply or contemplate publication of the Relevant Personal Information. The Senior Member of the Tribunal agreed that the Reports were required to be disclosed under section 11 at the LPC meetings; however, it was not necessary for the Relevant Personal Information to be included.

What orders were made?

The Tribunal made a number of orders including that:

  • within 14 days of the reasons for tribunal’s decision, the Council is to:

    • provide an unreserved formal written apology to the Applicant addressing and apologising for the Council’s breaches under IPPs 10 and 11 in respect of the personal information of the Applicant;

    • publish an anonymous notice not identifying the Applicant in the ‘Latest News’ section of a Council’s website, under the heading ‘Council found to have committed privacy breaches’ and noting the relevant orders of the Tribunal against the Council in relation to those breaches and the notice was to stay up for two months from its publication;

  • within 30 days of the date of the reasons the Council must take steps to anonymise the Applicant’s name in all publicly available digital publications and make all reasonable efforts to recover and destroy or anonymise the Applicant’s name printed in all hardcopy materials.

Take outs

The proceedings highlight that in applying the principles of open government, councils must also consider the application of any complaint handling policy, as well as privacy protection guidelines.

In brief, the commitment to open and transparent government is not unfettered.

Author: Norman Donato

Read further articles in Council Connect