In GKT v Fire and Rescue New South Wales [2024] NSWCATAD 335, Fire and Rescue NSW (FRNSW) was ordered to pay $8000 as compensation for breaching the Privacy and Personal Information Protection Act 1998 (NSW) (the ‘PPIP Act’).
The issue arose after attempts to resolve issues between the applicant, GKT, a platoon commander, and the firefighters within his platoon. To resolve these issues the zone commander met separately with GKT and the members of the platoon. During the meeting with the platoon members the zone commander took notes. He later circulated draft minutes of the meeting so the members could ‘confirm the accuracy of his record and make any changes necessary’ ([7]). There was a subsequent meeting and some changes were made, and a revised version of the minutes was circulated ([10]). The zone commander stressed that the meeting was confidential and directed firefighters to destroy hard copies of the minutes ([6] and [9]).
After the second meeting the zone commander was advised that a copy of the minutes was ‘on the watch room desk at the station’ ([11]). EA MacIntyre, Senior Member (‘MacIntyre SM’) of the NSW Civil and Administrative Tribunal (‘NCAT’) said (at [12], [14], [16]-[18]):
The zone commander’s evidence was that later that day, he contacted one of the other officers at the fire station. That other officer informed the zone commander that there was a copy of the minutes present in the station officer’s office. The zone commander’s evidence was that he then directed the station officers to destroy all copies of the minutes present in the station. His evidence was that he received confirmation from the station officer that this had been done and that no other copies of the minutes had been found, apart from the copy in the station officer’s office…
The zone commander’s evidence was that he directed the firefighters at the station to complete the Respondent’s privacy awareness training as soon as possible. He also informed the firefighters of the potential consequences of the conduct in question, that it was potentially a breach of privacy and could be referred to the Privacy Commissioner and the Commissioner of the Respondent…
On 25 March 2024, the Applicant made a complaint to the Respondent’s privacy officer. That complaint was about the confidential minutes being “out for everyone to read on the mess room desk, and watch room”. He saw this as “bullying by members of my crew and detrimental to a resolution of the conflict between us”.
The Respondent proceeded to conduct an internal review of the conduct. That review found that the Respondent had breached ss 12 and 17 of the PPIP Act.
The Respondent then provided an apology to the Applicant and advised of certain measures being taken. They included a direction to staff to undertake mandatory online privacy awareness training about behaviour that was contrary to the Respondent’s code of conduct and ethics. The matter had also been referred to the Public Service Board for assessment.
In an application to NCAT the applicant sought money damages and further orders to deal with the alleged breach of privacy. NCAT had to determine for itself whether there had been a breach of the privacy principles.
Lack of adequate security
The first allegation was that FRNSW had failed to comply with obligations to keep personal information secure (PPIP Act s 12). FRNSW argued that it had complied by ‘taking such security safeguards as are “reasonable in the circumstances”’ ([21]) as required by s 12(c). At [25]-[26] MacIntyre SM said:
In the Respondent’s submission, the security safeguards in place to protect the Applicant’s personal information included repeated verbal warnings about confidentiality of the meeting in question and a direction to destroy all hard copies of minutes that had been printed out. The Respondent also pointed to provisions in the Respondent’s privacy policy and privacy management plan, setting out and establishing responsibilities of staff in protecting the privacy of individuals. The Respondent also produced evidence of relevant provisions of the Respondent’s code of conduct and ethics, and requirements to undergo privacy training. However, the Respondent conceded that only three firefighters at the platoon in question had completed training.
The Respondent submitted that any breaches occurred in contravention of an express direction made on a number of occasions that the information contained in the minutes be kept confidential. The Respondent submitted, accordingly, that s 12 did not impose liability for actions of an individual staff member where reasonable security safeguards had been imposed and that staff member has acted contrary to those security safeguards…
He continued (at [34]-[36]):
The Respondent’s evidence was that the matters set out … above, answer the descriptions of safeguards as are reasonable in the circumstances, including the directions given to platoon members to destroy hard copies of the minutes.
However, the events that transpired involved not just what happened at a particular point in time when a hard copy of the minutes were left in an open area at the station in question by an employee without authority to do so. The evidence is that the minutes in question were left in an open place for two days, with no action being taken by any person in charge to remove the minutes. The evidence was that the station was attended and in operation at all relevant times, including the period when the minutes were left out.
It is difficult to fathom why, for a period of two days, when the station was attended and in operation, and when fire fighters other than those belonging to the particular platoon in question may have attended the station, the minutes in question were left in an open place, without being collected by someone in charge. I do not in the circumstances consider that security safeguards as were reasonable in the circumstances were in place during the two days in question, regardless of the directions given and policies in place. What happened was more than a simple “inadvertent disclosure” occurring in a moment of time. An expectation that someone in charge would and should have removed confidential material discussed at meetings and not left it in at open area, is neither onerous nor unreasonable. Accordingly, I find that a breach of section 12(c) occurred during the period when the minutes in question were left in an open place for all to see, including firefighters from other places if visiting the station.
Improper use
Another alleged breach of the PPIP Act was that leaving the minutes out in the watch room constituted an improper use contrary to s 17 of the Act. MacIntyre SM said (at [42]-[43]):
Mere retrieval of information does not constitute a use (JD v Department of Health (GD) [2005] NSWADTAP 44, at [42]). In that case, it was said that “use” in the context of privacy legislation under consideration in that case should be “interpreted as the process of considering, assessing or weighing up personal information so as to make a decision or adopt a further course of action”. The Respondent’s submission was that leaving the relevant minutes out was not a “use” of that information in the relevant sense. Nor was there any “use” resulting from the firefighters at the station viewing or accessing the minutes.
The Respondent’s submission was that any use which an individual firefighter may have actually put the information to after having read the minutes, was not authorised by the Respondent and cannot be attributed to the Respondent.
At [48] the senior member concluded:
I am of the view that leaving minutes out or allowing them to be left out is a “use” of the minutes. “Use” of information may occur by assimilating or otherwise taking in the information. Allowing this to happen by leaving the minutes out, in my opinion, is also a “use” of the information. That use can be described in terms of allowing access to the minutes to persons other than those to whom the Respondent gave copies for the purpose originally intended. This amounts to more than simple inadvertence occurring in a moment of time. This was a “use” other than for a purpose for which the information was collected. I find, as a result, that a breach of s 17 took place.
Disclosure
The final allegation was a breach of s 18, which requires a public sector agency not to disclose personal information held by the agency except as permitted by the Act. At [50] the Respondent’s submissions are summarised as:
… while the minutes may have been accessible to firefighters outside the platoon in question or to “on call” firefighters employed by the Respondent, they were still part of the Respondent. The Respondent submitted that the Applicant had not led any evidence that anyone outside of the Respondent viewed the minutes as a result of their being left out.
These submissions were accepted. MacIntyre SM said (at [53]):
There is no evidence that persons other than personnel belonging to the Respondent saw the minutes in issue. In these circumstances, I find that no breach of s 18 has occurred.
Damages
The tribunal awarded damages to compensate the applicant ‘for the psychological distress suffered’ ([68]). At [73] the Tribunal said:
I do not consider that the circumstances at hand warrant damages at the high end of the scale … Nor am I of the view that the damages should be at the minimal end of the scale. I accept the evidence of the disruption to the Applicant’s life resulting from the Respondent’s breaches and the resulting psychological harm the Applicant claims. Even if reputational damage may not, of itself, ground a claim for damages, reputational damage is a relevant consideration where psychological harm is the consequence. I think in the circumstances an award of damage in the order of $8,000 is appropriate, having regard to the circumstances of the breaches that occurred and the consequential injury to the Applicant.
Further orders
The tribunal was satisfied that the Respondent had taken action to deal with the privacy issues, including requiring further privacy training for all firefighters at the station. Further (at [77]-[79]):
The firefighters attended a meeting in which they were reminded of the Respondent’s expectations around privacy and confidentiality.
… the Respondent had made arrangements for the staff at the station to undergo in person respectful workplace training and privacy training.
[And] … the matter was referred to the Public Service Board which conducted their own investigation and implemented a local management response.
In the Tribunal’s opinion (at [80]) ‘no further orders are required’.