1) The decision of the respondent is set aside. 2) Pursuant to section 55 (2) (b) of the Privacy and Personal Information Protection Act 1998, the respondent is to refrain from the conduct in breach of Information Protection Principle 1 concerning any collection of personal information relating to travel movement history of the applicant in contravention of section 8 (1) (b) of the Act.

Reasons for decision

What these proceedings are about

These proceedings concern whether the requirements of Transport for NSW in respect of electronic (Opal) ticketing for public transport concession entitlement holders contravene an Information Protection Principle (IPP) under the Privacy and Personal Information Protection Act 1998 (the PPIP Act). The dominant concern is that the introduction of electronic ticketing removed the ability of certain concession entitlement holders to travel anonymously under that entitlement, with their movements tracked by the respondent agency (as an arm of the Government), contrary to the privacy protections of citizens under the PPIP Act. One issue is whether the collection of personal information for that purpose is reasonably necessary having regard to the stated purpose that the information is collected.

Background

On 2 May 2016 the applicant filed an application for administrative review with the Tribunal. That application concerned how the respondent had dealt with the applicant’s request for Internal Review under the PPIP Act. In that Internal Review application the applicant had made a general policy type complaint about the reasonable necessity to collect certain information at the time that Gold Opal cards are registered. However it is clear that at some time this personal information was collected from the applicant (in order for him to register his Gold Opal card), and that when using consequential on the use of the card, the applicant’s travel movements were collected by the respondent. As a result the applicant agitated a breach of section 8 (IPP 1) of the PPIP Act in respect of his personal information. CNS is the applicant’s pseudonym. The Tribunal has de-identified the applicant’s name from any open reasons consistent with the practice of the Tribunal in privacy reviews. This is an application for a review of the conduct of the Respondent Public Sector Agency, which was subject to an Internal Review application under Part 5 of the Privacy and Personal Information Protection Act 1998 (the PPIP Act). The applicant has attained the age of 60 years and as a result is eligible (as a Senior) for a Gold Opal Card which entitles him to a reduced tariff for daily travel on public transport. Prior to the introduction of the Opal Electronic ticketing system Seniors could access similar concessions by purchasing paper tickets from a vendor. Whilst those tickets were sold and were to be used subject to legal conditions there were apparently no limitations on their purchase, only on their use. The evidence before the Tribunal indicates that batches of tickets for future use could be purchased and no checks were conducted or verification carried out at point of sale. The system appeared to focus on verifying eligibility of the user when the ticket was in use (by inspectors) and other compliance checks at entry and exit points and on trains, buses and ferries during the journeys. Under the current electronic ticketing system, some concession holders are required to register their tickets with the respondent. The Seniors category falls into this group. The applicant’s general grievance is that this change in the policy has introduced an effective form of surveillance over his ingress and egress within the relevant parts of the State by the lack of any equivalent option for anonymous travel. The applicant ties this grievance to various IPP’s but predominantly his grievance is that the ‘requirement’ of collection of his personal information is not reasonably necessary for the unstated purpose of travel on public transport as an eligible Senior. This central argument equates to a breach of IPP 1 and as a result is contrary to the requirements in s 8 of the PPIP Act.

The relevant legislation

These proceedings will traverse a number of threshold requirements in the PPIP Act in order to ascertain whether the decision of the respondent should be affirmed, varied or set aside. Due to the complexity of the issues in these proceedings and the broad public interest matters that may arise in my view the appropriate course is to address all of the potential legal privacy issues irrespective of whether a threshold question might otherwise determine the matter conclusively. This approach is consistent with the view of the parties as agreed as the case developed over the course of the hearing. It also acknowledges that many of these issues would appear (from the evidence before the Tribunal) to have only been considered for the first time due to the applicant raising them. This is not a critical comment concerning the respondent, rather an observation as to how the respondent’s case developed and changed over the 12 months of hearings and adjournments for further evidence and submissions as the arguments before the Tribunal developed. The PPIP Act defines personal information at s 4. The requirement that the data meets the personal information definition is the precondition to coverage under the PPIP Act. This (s 4) requirement in the current matter extends to the nature of the data or information subject to the claimed breach. Section 4 provides:

4 Definition of “personal information”

(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

(2) Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.

(3) Personal information does not include any of the following:

(a) information about an individual who has been dead for more than 30 years,

(b) information about an individual that is contained in a publicly available publication,

(c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,

(d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,

(e) information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure,

(f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,

(g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,

(h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,

(i) information about an individual that is contained in Cabinet information or Executive Council information under the Government Information (Public Access) Act 2009,

(j) information or an opinion about an individual’s suitability for appointment or employment as a public sector official,

(ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000,

(k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.

(4) For the purposes of this Act, personal information is held by a public sector agency if:

(a) the agency is in possession or control of the information, or

(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or

(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.

(5) For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited.

Section 4(3) (above) contains 12 exemptions to the definition of personal information. In my view none of those exemptions arise in the current proceedings. As indicated at paragraph 7 above, a number of threshold requirements apply to privacy determinations under the PPIP Act. Having established preliminary jurisdiction (that the breach occurred in or originated from New South Wales) the first of these requirements relates to whether the information at the centre of the grievance constitutes personal information as defined in the PPIP Act. I will return to this matter but first need to establish preliminary jurisdiction in the Tribunal. The PPIP Act provides that privacy grievances involving New South Wales public sector agencies can be dealt with by way of an internal review. An internal review has various statutory pre-conditions or requirements as set out at Part 5 and specifically s 53 of the PPIP Act. An internal review takes the form of a fact-finding investigation whereby the reviewer accumulates evidence and material to the extent necessary to make a factual finding concerning the alleged conduct (the conduct under review) and then applies those findings to the relevant provisions of the PPIP Act. After considering the statutory provisions and the availability (or otherwise) of various exemptions, the reviewer then makes a series of findings in respect of the IPP’s and any ensuing recommendations as and where appropriate. Section 53 (6) of the PPIP Act provides guidance on the appropriate timeframes for conducting an Internal Review. Whilst the PPIP Act does not specify a strict time, it uses the words that 'the review must be completed as soon as is reasonably practical'. In addition it provides that if the review is not completed within 60 days, the applicant/complainant may apply to the Tribunal for a review of the conduct concerned. It is uncontroversial between the parties that the applicant made a valid application for internal review under Part 5 of the PPIP Act. The Internal Review response dated 5 April 2016 from the respondent refers to the applicant’s request for an internal review of conduct under the Privacy and Personal Information Protection Act 1998 dated 3 February 2016. The review was therefore in writing and appears in conformity with the provisions of s 53.

53 Internal review by public sector agencies

(1) A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.

(1A) There is no entitlement under this section to the review of the conduct of a Minister (or a Minister’s personal staff) in respect of a contravention of section 15 (Alteration of personal information).

Note. Any such conduct can still be administratively reviewed by the Tribunal. See section 55 (1A).

(2) The review is to be undertaken by the public sector agency concerned.

(3) An application for such a review must:

(a) be in writing, and

(b) be addressed to the public sector agency concerned, and

(c) specify an address in Australia to which a notice under subsection (8) may be sent, and

(d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and

(e) comply with such other requirements as may be prescribed by the regulations.

I make these observations because the Tribunal has not been provided with a copy of the actual internal review application, however during the course of the proceedings the applicant provided written material which detailed the terms of his initial privacy grievance. The application for administrative review was lodged on 2 May 2016. The application attached the completed internal review (report) from the respondent and included the following grounds in the application:

TfNSW have reached an incorrect decision on my complaint about a breach of the Privacy and Personal Information Protection Act 1998, partly due to a misunderstanding of the basis of my complaint, and partly due to misinterpretation of the requirements of the Information Protection Principles. They have also failed to take into account of views expressed to them by the Privacy Commissioner which can be considered supportive of my complaint.

Jurisdiction

Based on the above history I am satisfied that the Tribunal has jurisdiction to determine the matter under section 55 (1) of the PPIP Act.

55 Administrative review of conduct by Tribunal

(1) If a person who has made an application for internal review under section 53 is not satisfied with:

(a) the findings of the review, or

(b) the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.

Section 55 lists a number of other matters concerning an administrative review by the Tribunal. The remainder of the section relevantly provides:

55 Administrative review of conduct by Tribunal

(1) ….

(1A) ....

(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:

(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c) an order requiring the performance of an information protection principle or a privacy code of practice,

(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f) an order requiring the public sector agency not to disclose personal information contained in a public register,

(g) such ancillary orders as the Tribunal thinks appropriate.

(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.

(4) The Tribunal may make an order under subsection (2) (a) only if:

(a) the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and

(b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.

…

(6) The Privacy Commissioner is to be notified by the Tribunal of any application for an administrative review. The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to an administrative review.

The remaining sections of s 55 are not relevant to the issue in these proceedings.

The initial review

The respondent summarised the application in their internal review report. The initial privacy internal review request included in summary:

The justification for collection of personal information for Gold Opal cardholders appears to be to enhance the ability to verify entitlement through data matching.

This policy approach is discretionary as it is not applied to young people travelling on a concession entitlement.

In order to justify the ‘reasonably necessary’ test under s 8 TfNSW would need to support the approach by significant evidence of abuse of seniors’ entitlements.

Mere administrative convenience or efficiency should not be a sufficient reason for mandating registration, having major privacy implications.

Other jurisdictions provide anonymous travel for entitlement based discounts.

Assurances about the management of the data are irrelevant to the s 8 reasonably necessary (to collect) argument.

The review summarised the OPAL Electronic Ticketing System and the Opal Card in the following manner in their response :

All Opal Cards can be registered, however travelling on a full fare Adult or half fare Child/Youth Opal Card are not required to register the card.

When a customer registers an Opal Card, a customer profile is created and linked to the card. In creating a customer profile, the customer is required to provide their title, first name, last name and address. The customer profile is stored on the Customer Relationship Management Database.

In the internal review the respondent addressed the privacy legislation and the relationship with the Opal Privacy Policy. Of note is the fact that the respondent was satisfied that the information in question constituted personal information under the PPIP Act. Later at hearing the respondent resiled from this position and argued that the information was not personal information, in contradiction to the published Opal Privacy Policy. The reviews stated:

I am satisfied that the information collected for the purpose of obtaining and registering an Opal Gold Card is within the definition of ‘personal information’ for the purpose of the PPIP Act.

The review identified that s8 (IPP 1) was the relevant issue in the applicant’s grievance and provided the following information from their Opal Privacy Policy (OPP):

4.2 Our collection of information

The nature of the personal information that we collect under the Opal Ticketing System and the way that we collect it depends on the type of Opal card, how a customer acquires, adds value to or uses the Opal card, and whether the Opal card is registered.

In relation to registered and/or concessional Opal card holders, we only collect information that is reasonably necessary for the purpose of providing and managing the Opal Ticketing system having regard to the Card type. Before using the information, we take reasonable steps to ensure that it is relevant, correct, not misleading and up to date having regard to the purpose for which it is to be used. However, we rely on customers to provide us with accurate and up to date personal information. Information provided in support of an application for certain categories of concessional Opal cards is validated by or on behalf of us.

[paragraph 4.2]

The respondent observed that the Opal Gold Card is different from other types of concession cards in that it was not only age based, but also employment based, in that a holder could only work a minimum number of hours per week. The respondent rejected the applicant’s assertion that evidence of significant abuse of the travel entitlements was necessary to justify the reasonable necessity of the collection of personal information by way of mandated registration. The respondent found that:

The collection of personal information for the purpose of registering the Gold Card would appear to be reasonably necessary for the purpose of regulating the types of tickets and other ticketing arrangements.

The respondent went on to outline their ‘understanding’ as to how the information was recorded and linked.

…, as I understand the system, personal information in not being accessed at the transaction point as it is not possible to identify the individual from this information alone.

For all Opal Cards, information is transferred from the Opal reader to the Customer Relationship Management Database within a couple of hours of the transaction being recorded.

The respondent concluded that the travel patterns of registered and unregistered cards could be requested in specific circumstances (permitted by law including privacy law) and that such a history can only be accessed and assessed sometime after the person has used their Opal Card. As the accessing of the applicant’s information was never alleged that aspect was not addressed, and the respondent concluded that there had been no breach of s 8 (IPP 1) of the PPIP Act.

The hearing before the Tribunal

Following an initial Case Conference in July 2016 the matter was set down for hearing in October 2016, initially for one day. As the arguments of the parties developed and there was a desire to lead higher quality evidence by the respondent, the matter was eventually heard over three days. The matter was protracted due to the need for the parties to consider the second suite of evidence filed in late 2016 following the October hearing, and then decide to proceed further with testing of that evidence at hearing. Timetables were set between these further hearings for the filing and serving of submissions and material in reply. At all times the Tribunal was conscious of the need to resolve the matter in a timely manner and the significance of the guiding principle applying to the Tribunal. The parties were reminded of these issues at the hearings, and the need to finalise the matter in a just, quick, and cheap manner.

Applicant’s Written Evidence

The applicant tendered a number of documents as evidence in support of his application. These mainly took the form of written submissions attaching primary documents issued by the respondent as evidence of the arguments that the applicant was putting forth. The formal written evidence of the applicant comprised:

Application for review dated 29 April 2016 filed 2 May 2016 with a series of grounds – Exhibit ‘A 1’.

Signed 16 page statement of the applicant dated 28 August 2016 attaching 14 ‘attachments’/annexures of evidence – Exhibit ‘A 2’.

Signed statement/submission by the applicant (6 pages) dated 7 October 2016 - Exhibit ‘A 3’.

Signed statement/submission by the applicant (8 pages) dated 6 January 2017 – Exhibit ‘A 4’.

Seven page statement by the applicant dated 10 May 2017 referencing evidence of the respondent and the Privacy Commissioner – Exhibit ‘A5’.

Other material was before the Tribunal as referred to at [15] (above) including detailed written submissions. These were additional to the evidence outlined above and comprised material dated 8 August 2017 (Final Submissions including a response to new material from the respondent), and 20 October 2017 being further final submissions and response to further material filed by the respondent.

Respondent’s Written Evidence

The formal written evidence of the respondent comprised:

Statement of M. Iverach signed 4 November 2016 – Exhibit ‘R1’.

Statement of L. Clark signed/filed 4 November 2016 – Exhibit ‘R2’.

Supplementary Statement of L. Clark signed/filed 5 December 2016 – Exhibit ‘R3’.

Supplementary Statement of M. Iverach signed 28 April 2017 including annexures – Exhibit ‘R4’.

Submissions and evidence filed 23 September 2016 – Exhibit ‘R5’.

‘Business Rule’ (for disclosure of Opal information to law enforcement agencies under the PPIP Act dated September 2015 issued by TfNSW – Exhibit ‘R6’.

Affidavit of L Clark affirmed 27 July 2017 (including annexures) – Exhibit ‘R7’.

The respondent filed four detailed sets of submissions and material (not referred to above). These were:

Supplementary Submissions dated 5 December 2016;

Submissions in reply dated 20 February 2017;

Respondent’s Further Submissions dated 26 July 2017 (attaching transcript of hearing on 19 May 2017);

Respondent’s submissions 18 August 2017.

A number of further bundles were tendered enclosing copies of cases referred to by the parties. I note that the respondent having completed a review did not file documents under the provisions of s 58 of the Administrative Decisions Review Act 1997. This position seems somewhat inconsistent with the change from a review of conduct, (as referred to in s 55 of the PPIP Act prior to the enactment of the Civil and Administrative Tribunal Act 2013 and the repeal of the Administrative Decisions Tribunal Act 1997), to an administrative review of conduct. However, the general approach of respondent agencies in privacy reviews since the change of the legislation is to continue to file in some form the internal review, and then to file the evidence and material they seek to rely on in resisting the application through a hearing de-novo or fresh review (however limited to the scope of the original conduct under review). I also observe consistent with the s 58 observations that the respondent agencies in practice do not file the material which has been gathered in the internal review process and material which substantiates the conclusion of that review. It may be that nothing of any significance turns on this point however I note that due to the lack of any significant documented material available pre-hearing (other than Exhibits R5 and R7) by the respondent, the Tribunal was required to give leave for the respondent to adduce further evidence to substantiate their position at the conclusion of the first day of hearing. However I note that the provisions of s 58 of the Administrative Decisions Review Act 1997 remain in force.

58 Duty of administrator to lodge material documents with Tribunal where decision reviewed

(1) An administrator whose administratively reviewable decision is the subject of an application for review to the Tribunal must, within 28 days after receiving notice of the application, lodge with the Tribunal:

(a) a copy of any statement of reasons given to the applicant under section 49 (or, if no such statement was given to the applicant, a statement of reasons setting out the matters referred to in section 49 (3)), and

(a1) a copy of any statement of reasons for a decision in an internal review conducted in respect of the administratively reviewable decision, and

(b) a copy of every document or part of a document that is in the possession, or under the control, of the administrator that the administrator considers to be relevant to the determination of the application by the Tribunal.

In addition to the parties at various times during the proceedings the Privacy Commissioner exercised their right to appear and be heard in the proceedings. [See Section 55 (6) as per [18] above]. The Privacy Commissioner initially advised in October 2016 that she would not be taking part in the proceedings (due to the applicant relying on public statements of the Commissioner to support his case). In February 2017 and April 2017 the Privacy Commissioner responded positively to the Tribunal’s request for comment on the statutory provisions examined at hearing and provided written material by way of submissions. In addition a representative of the Privacy Commissioner appeared at the final hearing date.

Evidence at Hearing

The applicant did not give evidence at the hearing and this position was consistent with the argument put forth concerning a contravention of s 8 of the PPIP Act.

8 Collection of personal information for lawful purposes

(1) A public sector agency must not collect personal information unless:

(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and

(b) the collection of the information is reasonably necessary for that purpose.

(2) A public sector agency must not collect personal information by any unlawful means.

(Emphasis added)

In opening submissions at hearing the applicant stated that due to having a registered Opal Gold Card, he has standing to run the privacy grievance in accordance with Part 5 of the PPIP Act. The fact that he has applied for and received a card means that the collection of the information has occurred, and that information is put to a use once the card is used. The applicant submitted that the respondent had ‘misunderstood’ his privacy grievance. The applicant submitted that the design of the Gold Card could have been done in a better way in order to include the notion of privacy by design. In respect of the ‘reasonably necessary’ argument the applicant submitted that the respondent had failed to rebut his complaint and in the review had failed to show how they had complied with s 8 (1) (b) of the PPIP Act. In opening submissions the respondent submitted that a question for the Tribunal was whether travel movement data constituted personal information. The issue becomes one whereby ‘personal information’ is the pre-condition for all of the IPP’s and as such it becomes a precondition for the s 8 (1) (b) ‘reasonably necessary’ prong. The respondent submitted that it was not personal information. Reliance was placed on the case of WL v Randwick City Council (No 2) [2010] NSWADT 84 at [33] in respect of the timing as to when data becomes personal information.

33 When taken the photographs were digitally recorded in the camera Mr Kerr used. These photographic images on the camera did not identify the street location of the unit. However, in my opinion it would be incorrect to find that this was the moment in time when this information was ‘collected’ by the Council and this is the relevant point in time to determine if the information is ‘personal information’.

Reference was also made to the decision in Office of Finance and Services v APV and APW [2014] NSWCATAP 88 at [54]-[70] concerning an analysis of the meaning of the term personal information under the PPIP Act.

Definition of 'personal information'

54. We have concluded that, depending on the circumstances, sources of information other than the information or opinion which contains the personal information, may be consulted to ascertain the person's identity. That conclusion is based on the natural and ordinary meaning of the text. It is also supported by the beneficial purpose of the legislation and the legislative scheme in general.

55. The task of statutory construction must begin and end with a consideration of the text itself but that text must be considered in context. The context includes the legislative history and extrinsic materials, but that information "cannot displace the meaning of the statutory text": Federal Commissioner of Taxation v Consolidated Media Holdings Ltd [2012] HCA 55 at [39]; [2012] HCA 55; (2012) 87 ALJR 98 at 107 [39] French CJ, Hayne, Crennan, Bell and Gageler JJ. The starting point when construing a statutory provision is the natural and ordinary meaning of the words: Cooper Brookes (Wollongong) Pty Ltd v Commissioner of Taxation [1981] HCA 26; (1981) 147 CLR 297 at 305, 320-321.

56. The definition of personal information states that the information is about an individual "whose identity is apparent or can reasonably be ascertained from the information or opinion." Those words do not mean that other material cannot be consulted. That is obvious from the fact that there are two ways in which information or an opinion may disclose a person's identity. Either the identity is "apparent" from the information or it "can reasonably be ascertained" from that information. The dictionary definition of the adjective "apparent" is "capable of being clearly perceived or understood; plain or clear." (Macquarie Dictionary online). The verb "ascertain" means "to find out by trial, examination, or experiment, so as to know as certain; determine." (Macquarie Dictionary online). By including the option that a person's identity can "reasonably be ascertained" from the information, the legislature was intending to allow a person to find out or determine the identity of the person from the information and, where reasonably identifiable from other information, from that other information.

57. That construction is supported by the beneficial purpose of the PPIP Act. An interpretation that would promote that purpose is to be preferred to a construction that would not promote it, but the purpose cannot override the clear words in the statute: Interpretation Act 1987 (NSW), s 33.

58. The primary focus or purpose of the legislation is to protect the privacy interests of persons about whom public sector agencies collect information: Director General, Department of Education and Training v MT (2006) 67 NSWLR 237; [2006] NSWCA 270 (29 September 2006) Spigelman CJ (with whom Ipp JA and Hunt AJA agreed) at [29]. Because the PPIP Act is beneficial legislation, it must be interpreted liberally to achieve its beneficial purpose: [49]-[50].

59. We acknowledge, as Spigelman CJ has pointed out, that:

That does not mean that it must be interpreted in such a way that whatever may be regarded as improving its enforcement must fall within the intention of the legislature: While the PPIP Act is beneficial legislation because it is designed to protect an individual's personal information, not every provision has a beneficial purpose or is to be construed beneficially: ADCO Constructions Pty Ltd v Goudappel [2014] HCA 18, French CJ, Crennan, Kiefel and Keane JJ at [29].

60. The case of Director General, Department of Education and Training v MT did not relate to the meaning of "personal information" but to whether a public sector agency is liable for the conduct of its employees which had nothing to do with that employee's employment. The Chief Justice's conclusions were made in the context of deciding that the public sector agency was not liable for the employee's conduct. The circumstances of this case do not are different because the definition of personal information is a provision which should be construed beneficially. This is a case where the narrow interpretation put forward by the Office of Finance and Services would defeat the beneficial purpose of the legislation: Khoury v Government Insurance Office of NSW (1984) 165 CLR 621 at 638 per Mason, Brennan, Deane and Dawson JJ.

61. The other parts of the definition of "personal information" also support our view. Section 4(3)(b) states that:

Personal information does not include any of the following:

(b) information about an individual that is contained in a publicly available publication

62. The Office of Finance and Services assumed that the information on the NSW government's tendering website is in a "publicly available publication" and submitted that it would defeat the purpose of the exception in s 4(3)(b) if regard were to be had to such information in determining a person's identity.

63. The Tribunal did not need to make a finding about whether the information on the NSW tendering website, linking APV's and APW's address with their names, was information in a "publicly available publication". If that information is a "publicly available publication" the information that APV and APW were the successful tenderers for the property and that they live at that address, is not personal information. But the other information in the Conservation Management Plan and the Schedule of Repair Works, including photographs of the interior of their home, the floor plan and interior design features, was not available on the website and is therefore not excluded from the definition of "personal information" by s 4(3)(b). That conclusion does not have the effect of defeating the purpose of the exception in s 4(3)(b).

64. The extent to which other information may be consulted to ascertain a person's identity depends on the context in which it is collected, used or disclosed. Various contexts have been considered in previous cases.

65. In Re Pfizer and Department of Health, Housing and Community Services (1993) 30 ALD 25 647, [80] the Administrative Appeals Tribunal interpreted the former definition of "personal information" in s 6 of the Privacy Act 1988 (Cth) on which the definition in the PPIP Act was based. The AAT held that that "if the identity is apparent or can be reasonably ascertained from a telephone number or other material, then such material would fall within the section."

66. The Administrative Appeals Tribunal has given detailed consideration to the equivalent definition of "personal information" in s 4(1) of the Freedom of Information Act 1982 (Cth) (FOI Act) (Cth): Re Lobo and Department of Immigration and Citizenship [2011] AATA 705; (2011) 124 ALD 238 at [287] - [302]. One issue in that case was whether certain information was exempt from disclosure under s 41(1) the FOI Act (Cth) because it would involve the unreasonable disclosure of "personal information" about any person. Forgie DP concluded at [300] and [301] that if access is given to the document, it becomes part of the information that is available to the public. The Deputy President went on to say that:

If the identity of an individual is apparent or can reasonably be ascertained by reading both the information in the document and that which is already available in the public arena, the "information or opinion" in the requested document is no less the "source or origin" of the identification. It is the source or origin of information that gains its meaning from the context in which it is disclosed. As the definition of "personal information" requires that an individual's identity is apparent or can reasonably be ascertained from the information or opinion, the context in which that is ascertained must also be defined by reference to the information that is apparent in the public arena or can reasonably be ascertained from it.

67. Deputy President Forgie then mentioned some examples:

If, for example, information in the wider context were only available from a private source, that would not be in the public arena and could not be used to decide whether the information enabled the identity of an individual to be identified as required by the definition of "personal information". If that information were in the public arena but could only be obtained after complicated and tedious searches, that would be a factor in determining whether the individual's identity "can reasonably be ascertained" (emphasis added) from the information or opinion.

68. The following year Forgie DP re-iterated and summarised her views: Re Denehy and Superannuation Complaints Tribunal [2012] AATA 608; (2012) 131 ALD 413 at [26]. We note that the definition of "personal Information" in the Privacy Act 1988 (Cth) has been amended. As from 12 March 2014 the relevant part of the definition has been:

"personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

69. Similar recommendations by the NSW Law Reform Commission have not led to any legislative amendment to the PPIP Act: NSW Law Reform Commission, "Access to Personal Information" (Report 126).

70. While the AAT decisions relate to the operation of the definition of "personal information" in an exemption to the FOI Act, the Appeal Panel of the Administrative Decisions Tribunal has used similar reasoning in relation to the PPIP Act. One issue for consideration in WL v Randwick City Council [2007] NSWADTAP 58 was whether photographs of the inside of a home unit taken by Mr Kerr, a compliance officer employed by the Council, was "personal information" about the owner. The Appeal Panel held at [15] - [16] that:

15 Documents which themselves do not contain any obvious features identifying an individual may take on the quality by virtue of the context to which they belong. We accept that the photographs of building works, without more, might not reasonably be said to contain 'information ... about an individual whose identity is apparent or can reasonably be ascertained from the information'. However, if the photographs were taken in circumstances where the identity of the owner of the property was known to the photographer, it might at least be arguable that the photographer (and the organisation to which he or she belonged) knew that the photographs recorded the condition of a property owned by a specific individual. This combination of factors might produce the conclusion that the information as a whole was information to which s 4(1) applied.

16 Even if Mr Kerr did not know at the time who owned the property, he quickly proceeded to obtain that information from the Council files, in order to take the enforcement steps. It is strongly arguable that by this point the photographs formed part of a body of information which amounted to 'information ... about an individual whose identity is apparent or can reasonably be ascertained from the information'.

The respondent submitted that the collection of travel movement information (by itself) does not constitute personal information. Reference was made at hearing to the initial written submissions of the respondent filed 23 September 2016. Paragraphs 71-75 of those submissions addressed the collection and use of Opal data. The submissions stated the respondent does not collect personal information concerning the applicant’s travel history directly from him. Instead the respondent collects information from a number of differing sources which if combined can identify the travel history of an Opal card user. The relevant submissions went on to state that:

73. Personal information collected as part of the application for a Gold Opal card is stored in a dedicated database which is compliant with applicable safety and security standards. Information held in this databases (“PAS Database”) is subject to data retention and disposal policy for Opal data.

74. Travel data collected from Opal readers at train stations and on buses and ferries and stored on a separate database within a data centre, managed by a contracted third party, Cubic Transportation Systems Australia (“Opal Database”)….

75. The Opal Database records each transaction involving an Opal card. Each transaction record contains information such as the card number, time, date and location of the tap on or off, the mode of transport, the value of the journey and any discounts applied. The Opal Database does not contain links to the personal information in the PAS Database and cannot link the Opal card used to the person issued with the card without access to the PAS Database.

76. The information collected from the Opal readers is not collected in real time and “live tracking” cannot be performed.

77. TfNSW does not routinely link these data sets. Data matching may be performed in the event that a customer seeks information regarding his or her own travel history or specific information is required by law to be given (for example, to law enforcement agencies). Auditable records are generated when the matching process is undertaken and access is limited to staff with a relevant function necessitating the data linking.

78. Customers who have registered on Opal.com.au may access their own travel history through the website. The functionality of the site links the information in the PAS Database to the travel history in the Opal Database.

I observe as a preliminary point that the submission made by the respondent in paragraph 78 of the September 2016 submissions appears to contemplate a functionality whereby the link becomes seamless and the types of information (if defined separately as personal/non-personal) become fused as what could only be described as personal information. However at this stage this is merely a preliminary observation. The respondent made a number of background submissions concerning the Opal card, namely that the card itself contained a ‘smart chip’ which stored a dollar value and limited travel history and some code ensuring that the correct fare is charged. The respondent submitted that the limited travel history concerns the last 5-7 tap on/off events only. Submissions were also made concerning the terms and conditions of use of the Gold Opal card and at paragraph 22 of their September 2016 submissions the respondent advised that:

22… TfNSW regularly revalidates eligibility with the concession entitlement issuer. This is done automatically through a bulk, online verification process. Where the process identifies that the individual is no longer entitled to the concession, the individual is notified and the Gold Opal card can be remotely cancelled. It is therefore necessary to identify the specific Gold Opal card issued to each individual concession holder.

Presumably this data matching of personal information occurs under the provisions of s 23(4) or (5)(d)(i) of the PPIP Act (protection of public revenue) or some other provision not articulated in the hearing. That section provides:

23 Exemptions relating to law enforcement and related matters

…

(4) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary for law enforcement purposes or for the protection of the public revenue.

(5) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 18 if the disclosure of the information concerned:

…

(d) is reasonably necessary:

(i) for the protection of the public revenue,

…

Various other submissions were made as to the basis that the registration of the Opal Gold card was reasonably necessary in order to deal with and otherwise mange fraud and loss. Resource statistics were asserted concerning 300 enforcement officers not being practical to cover the entire network or cost effective. Following discussion and direction by the Tribunal it was agreed that the respondent would put on evidence to substantiate some of these submitted arguments concerning the issue where the linking of the registration data was reasonably necessary. The applicant raised a concern with one aspect of the respondent’s submissions whereby they made reference at paragraph 15 to relevant Regulations (since repealed).

Passenger Transport Regulation 2007 (Repealed)

69 Definitions

In this Part:

…

concession ticket means a ticket intended to provide free travel, or travel at a reduced fare, on a public passenger vehicle or train.

….

Part 6 Division 4 Clause 77C

77C Concession tickets

(1) A person must not travel, or attempt to travel, on a public passenger vehicle or train on the authority of a concession ticket unless the person is entitled to the concession ticket.

Maximum penalty: 5 penalty units.

It was submitted that these matters were a statement of fact and at no time was the applicant trying to argue that he was free to travel without a ticket or absent the entitlement to the concession. The applicant returned to his ongoing submission that collection is not reasonably necessary and that:

TfNSW has stubbornly refused to factor the issue into their design of the system.

The hearing was adjourned in order for the respondent to put on further evidence and the parties to prepare arguments and submissions about that evidence. Prior to considering the evidence of reasonable necessity (or whether the collection was reasonably necessary), it appears appropriate to now address the issue of whether the information is personal information.

Consideration of personal information threshold

The applicant argues that the information in question is personal information. The respondent (after initially conceding at review stage) that there was no controversy concerning the personal information issue, during the progress of the hearing developed significant and at times evolving arguments as to how the information in question was not personal information within the definition of the PPIP Act. The relevant part of the definition is produced at [9] (above). The central provisions being s 4 (1) of the PPIP Act:

(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

Applicant’s personal information collection grievance

The applicant’s argument concerns the collection of personal information. In many ways it is a quite straightforward argument. The applicant objects to the collection of personal information for the purpose of

‘verifying entitlement through data-matching’ (Internal review request 3 February 2016).

‘It is the mandatory provision of personal information for the purpose of registering the card (i.e linking the particular card to my personal particulars) to which I object, and which I submit is a breach of section 8 of the PPIP Act because it is not ‘necessary’. (Internal review application supplemental information 13/6/2016).

‘It is the routine and automatic collection of travel movement information about identifiable individuals which I allege is a breach of IPP 1 / Section 8 (1) (b) in respect of all Opal Gold card holders using their card, because of the mandatory registration of Opal Gold Card holders. (submissions 28 August 2016 Pg 2 paragraph 5)

Applicant’s personal information collection non-grievance

The applicant goes on to state that the collection of personal information for two other purposes does not concern him. That is for policing the use of the card on public transport and applying for the card and establishing entitlement.

‘I have no objection to providing personal information, either at the point of acquiring a card or while it is in use, in order to verify my entitlement to a concession card.’ (Internal review application supplemental information 13/6/2016).

The respondent seems to have considered this grievance more akin to a use of personal information rather than a collection. These proceedings (as stated many times during the hearing) only concern the collection of personal information. The applicant does not agitate the use principle or to the extent that the respondent believes that he does or must, the applicant abandons any such right. IPP 1 / s8 of the PPIP Act does, in my view, link to the ‘active’ IPP’s (such as use, disclosure, access etc.) due to the presence of the following emphasised words in the section.

8 Collection of personal information for lawful purposes

(1) A public sector agency must not collect personal information unless:

(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and

(b) the collection of the information is reasonably necessary for that purpose.

(2) A public sector agency must not collect personal information by any unlawful means.

(Emphasis added)

I note that many of the respondent’s submissions throughout the three days of hearing and the written material focused on this issue of personal information and submitted that the information was sufficiently removed from the definition of personal information (as supported by the cited cases). However in my view, when one looks to the totality of the complaint, and the fact that it concerns a grievance about the collection of personal information for a purpose that goes beyond the matters raised in the evidence (verification of entitlement and enforcement), then the majority of the respondent’s preliminary arguments fall away.

Does the grievance concern personal information

I note that the respondent provides the following evidence in respect of the type of information collected from relevant customers. At paragraph 5 of Exhibit ‘R2’ the following is stated:

5. When applying for the Gold Opal card NSW Senior applicants are notified that their personal information is collected and Transport for NSW will need to access the database of their concession card issuers to verify the details provided with their application.

6. To complete the application, the customer must provide their NSW Seniors Entitlement Card number, First Name, Last Name and Date of Birth. The applicant must consent to this information being verified with their concession entitlement issuer.

7. During the application process, applicants must also create a profile, enabling them to utilise features such as auto top up and to allow us to post a card to their nominated address. Any personal details provided by the applicant during the creation of the profile are not verified and may be completed using a pseudonym.

(Emphasis added)

In respect of creating an Opal account, personal information is collected which is not validated and is not required to be consistent with the name of the applicant for a Gold Opal card. The respondent requires the address to be accurate however, as this is the address that the card is posted to. All of this information also constitutes personal information under the PPIP Act. At the time of creating an Opal account the respondent collects:

An account holder’s full name;

Account holder’s address; and

Email address or phone number

(paragraph 4 Exhibit ‘R7’)

It is difficult to see how, on the applicant’s construction of his grievance/complaint, the information that he objects to the collection of, is anything other than his personal information. The tracking information concerns a card that is registered to the applicant. It appears to me that the arguments concerning tracking and movement surveillance are easily understood. Whether those arguments are legally founded remains to be seen. However the applicant’s concerns appear to be based at a far more primary level, in that he objects to the collection of his personal information for a future use/additional purpose (travel movements). The objection is that in his view, such a collection is not reasonably necessary for the purpose of managing ongoing entitlement. The applicant’s argument as I understand it concerns the mandatory provision of personal information when registering/activating the card, after having already been allocated a card through vetting for eligibility. This collection of information allows for the separate purpose of the applicant’s travel movements, due to the functionality of the registered card. In the evidence of the respondent’s witness at hearing it was conceded that there was a staged process to fraud/loss prevention prior to the introduction of the Gold Opal card. This involved removing ‘vending machine based’ purchases, and eventually the removal of paper based tickets. Once the card was introduced a different staged process occurred involving a process of: application, verification, allocation and registration (including activation). It could be described that the first Opal process was to limit availability of the Gold Opal Card to those entitled to be allocated one. This was done by collecting certain personal information from an individual who ‘applies’ for a Gold Opal card in order to ascertain that they qualify for the card and then sending the card to the individual. However the second phase, requiring a user to ‘activate’ the card by ‘registering it’ through a website in order for the card to be active and capable of use, is part of the point of contention. There are a great number of cases which deal with personal information over the 20 years of privacy cases under the PPIP Act. As stated, it appears from a proper understanding of the applicant’s grievance that the issue is quite straightforward, however I will review some of the cases that the parties put forth to argue their opposing positions. The applicant made submissions concerning the case of CRP v Department of Family and Community Services [2017] NSWCATAD 164. In that case I observed the following concerning whether information about a person’s place of employment was personal information at [72]-[75].

72. In deciding whether the work address was personal information the Tribunal is guided by the cases referring to the correct approach to this question.

73. The case of EG v Commissioner of Police, NSW Police Service [2003] NSWADT 150 made the following observations at paragraph 24:

24. I accept the Privacy Commissioner's submission that since the PPIP Act is beneficial legislation, s 4(1) should be interpreted broadly and the exclusions from the definition of personal information should be construed narrowly. I also accept the Privacy Commissioner's submission that meaning is gleaned from both the content and the context in which information or an opinion appears. This was recognised by President O'Connor in Y v Director General, Department of Education & Training [2001] NSWADT 149 when considering the exception in s 4(3)(j):

The test ... must in each case be whether having regard to the content of the information in issue and the context in which it is found it can reasonably be said to be `about an individual's suitability for appointment or employment."

74. The case of JD v New South Wales Medical Board [2008] NSWADT 67 provides authority that the Tribunal should not adopt an overly technical approach to this question. At paragraph 24 the following observation was made:

24 In my opinion Parliament did not intent that an overly technical approach be taken when considering whether particular information was or was not ‘personal information’ or ‘health information’. The information should be viewed in its proper context and not necessarily dissected into parts or analysed in detail word for word.

75. In my view the information is about an individual in that the information was both requested and provided in a context solely concerning the applicant. His identity was apparent in that context. Whilst the information concerned the applicant’s work address, as distinguished from the recent Federal Court case of Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 in that whilst the information was about the applicant and his work address, it never ceased to be information of this kind. In the Telstra case whilst the broad request might have related to an individual, the technical aspects of the request (seeking his specific call data) and the resultant data sought resulted in the response data being information about billing, calls and location data, not information about the caller as an individual. In the current matter the information (even if argued as not being personal information strictly) always retained the identity by name of the applicant in both the request and the holdings from which the response was obtained.

76. Importantly from the Telstra case the full Federal Court found at paragraph 63 that:

63.The words “about an individual” direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not “about an individual” it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

It would appear from the information before the Tribunal that the information collected under section 8 was clearly about CNS, and it would also appear (from the evidence given about travel history etc. during the hearing) that the tapping on and off at various locations was information about CNS, as his identity could be ascertained both by combining it with other information (in respect of the respondent seeking a travel history for law enforcement purposes or customer queries), or the customer checking their own travel history seamlessly. In addition (noting the Telstra case) for all relevant purposes, especially concerning a mandatorily registered Gold Opal card, the travel information was more about CNS than about the card. There was no purpose attached to the card information (unique to its requirement for registration) that was not about CNS. Whilst it is true that the respondent aggregates travel data for planning and other related issues, this is true of all cards, registered or otherwise. On this basis the baseline aggregated Opal travel information attaches to all cards. However, the applicant’s card (by being registered) brought that information into the realm of personal information whereby it was not just the number of persons who passed through a transport hub on a certain day etc. It also provided information (where capable of being identified – by the linking to the registered user) which showed the details of the individuals who passed through that hub. The aggregation of the ‘de-identified’ data for transport planning/demographic or similar purposes is not in issue in these proceedings. The applicant raises the issue that he should be able to travel anonymously on a Gold Opal card from an electronic use perspective (the tapping on and off). I note from the evidence in the proceedings that the ‘history of a card also shows where and when the card was topped up and the dollar value. Why this information has been built into the system was not advanced during the hearing. The respondent says that that option is open to him, but only if he obtains an unregistered adult Opal (full fare) card. I note that evidence was given that unregistered users (adult full fare Opal cards and children) can check their own travel history (in respect of the most recent suite of transactions). This history includes when/where they ‘tapped’ on and off and the dollar value of top ups. This adds to my view that this information constitutes personal information of the relevant individual – and in these proceedings, the personal information of CNS. Following on from the Telstra case the Australian Privacy Commissioner issued a Guide in May 2017 concerning what constitutes personal information. That Guide was issued in conjunction with the relevant Guideline under the Privacy Act 1988 (Cth)

“Information is ‘about’ an individual where there is a connection between the information and the individual. This is ultimately a question of fact, and will depend on the context and the circumstances of each particular case.

…

Information will also be ‘about’ someone where it reveals or conveys something about them - even where the person may not, at first, appear to be a subject matter of the information”.

More recently in the case of AIN v Medical Council of New South Wales [2017] NSWCATAP 23 the NCAT Appeal panel considered whether letters written by another containing information on the applicant, were the applicant’s personal information. At paragraph 112 the Appeal panel stated:

We accept that the definition of personal information is very broad: ABA v Randwick City Council [2007] NSWADTAP 58 at [20]; OS v Mudgee Shire Council [2009] NSWADT 315 at [19]. However, we agree with the Medical Council that none of the information referred to is personal information within the meaning of the PPIP Act. The information supplied in the first two categories consisted of contentions by the Medical Council as to what it had done in response to AIN’s complaint about the Contravening Publication and as to its responsibility for what had occurred. The apology, the third category of information relied upon, was information about the Medical Council’s stance in relation to AIN’s complaint. All of that information was information about the Medical Council’s response and stance in relation to AIN’s complaint. Clearly, AIN was very interested in this reaction from the Medical Council, but it was not information ‘about’ AIN.

In AIN the information was about the medical Council’s response, not AIN. In my view that finding does not detract from the applicant’s arguments concerning personal information. The respondent relied on the case of DAB v Byron Shire Council [2017] NSWCATAD 104 to argue that the travel information was not personal information of the applicant. However the facts in DAB were significantly different to the current matter. A vehicle registration number was briefly transmitted by a parking meter to a server overseas so as to check whether that number was on a list of parking exemption numbers. Neither the meter nor the server held records that the number check had occurred. In the absence of any record there was no way in which it was possible to link the meter information with the owner’s details and specific particulars held locally by the Council. It would appear that the information that the respondent collected from the applicant when he applied for his Gold Opal card was personal information within the meaning of the PPIP Act. The information is his name, date of birth and address. Paragraph 6 of Exhibit ‘R2’ states the following:

6. Personal information is collected directly from individuals or their authorised representative. This information is provided by the customer through the Opal web portal or over the phone when applying for a concession Opal card.

The affidavit goes on to make a number of other observations about the collection of information, and the systems operated by or authorised by the respondent. At paragraphs 7 - 13 Mr Clark states:

7. The personal information is kept in a separate database to the transaction data and is only connected for a legitimate purpose, such as a request from the customer.

TRANSACTION DATA

Core Central System (CCS)

8. The CCS contains two separate databases which record interactions between ant ETS device and a smartcard (Opal). These are the Transaction Database and the Card Database.

9. Where an Opal card is processed by a smartcard reader, such as an Opal reader located on a bus, barrier gate or dedicated pole, this information is processed and recoded in the Transaction Database.

10. The Transaction Database is managed and controlled by Cubic Transportation System (Cubic) on behalf of TfNSW.

11. The information that is recorded for each tap on or off transaction includes:

Opal card number

Date / Time of transaction

Location

Mode of transport

Type of Opal card used

Journey cost

Transaction sequence number

12. The second database in the CCS is the Card Database. This database contains the relevant information about [sic] the state of each Opal Card based on the transaction data processed. This includes:

Opal card number

Card balance

Card status

Top up status

Auto load settings.

13. The two databases operate together to ensure that proper payment is made for each journey undertaken on public transport on the Opal network.

I observe that the card number and particulars relating to the actual card (as issued) are held on the second database in the CSS system. I also observe that the first item on both the first database (The Transaction Database) and the second database (the Card Database) is the actual Opal Card number. It would appear that this item of information is the link between the two databases which opens up the issues of contention to the applicant. The affidavit of Mr Clark (Exhibit ‘R2’) goes on to state the following concerning the customer information which is referred to as ‘personal information’. It refers to two further subsets of databases in a further system. At paragraphs 14 - 16 the following is deposed:

CUSTOMER PROVIDED INFORMATION

14. The personal information that is collected from the customer through the customer channels when applying for a concession Opal Card is stored in the Customer Support System. The information from customers is separated into two databases. The first is the Entitlement Management Database, which contains entitlement issuers (such as Universities and the Commonwealth Department of Human Services). The second is the Customer Database, which contains the Opal account information.

15. The Entitlement Management database is responsible for maintaining the relationship of entitlement validity between the ETS and the systems used to validate entitlements. This includes:

Entitlement issuer identifier (An entity with authority to approve free or Concession travel for customers)

Entitlement unique identifier

Entitlement holder details:

- Entitlement holder name

- Entitlement holder date of birth

- Delivery address for card

Entitlement expiry date

Opal Card Number

16. The Customer Database contains information provided by the applicant when establishing an Opal account. This information is displayed to the customer via the Opal.com.au portal and smart phone apps. The information is not verified and can be updated and deleted by the customer at any time.

NSW Privacy Commissioner’s Submissions on ‘personal information’

The Privacy Commissioner made submissions concerning the personal information threshold. The Privacy Commissioner submitted in April 2017 that:

…the creation of the travel history information has one purpose: to identify the registered card holders. This makes the travel history to be information about the individual, even when interpreting the definition of personal information restrictively, namely capturing the biographical data.

The Privacy Commissioner noted that this issue was only raised by the respondent after the Telstra case was decided.

The agency introduced the question of whether the travel history information is ‘about’ the registered card users recently in this case and referred to the Federal Court’s judgment.

The Privacy Commissioner referred to a number of overseas cases and International law/policies to make the point that the travel information is personal information. The Privacy Commissioner observed in submissions that:

The registered card holder’s travel history data is about them even on the restrictive approach to the definition, which says the data must be biographical about the person.

The major judgments from the UK that discuss the restrictive approach are Durant v Financial Services Authority [2003] EWCA Civ 1746 and Edem v The Information Commissioner, The Financial Services Authority [2014] EWCA Civ 92.

Paragraph 28 of the Durant judgment says that there are two aspects: information may be biographical of the person or the information may have the person as its focus. It also says that the issue is about a continuum of relevance or proximity to the person.

This is consistent with the question that the Tribunal asked in MR Grubb’s (Telstra) case.

The UK Information Commissioner’s guidance, issued after the Durant case contains the following example of what is personal information at page 3:

‘Another example would be the details of a car photographed by a speed camera where those details are used to direct a notice of intention to prosecute to the registered keeper of the vehicle.”

The photograph cannot be said to be about the car. It is about the person. Similarly, travel history of registered card users is not about the card or the way the system works. It is about the person. The agency’s submission at paragraph 13 (20/2/2017) says:

‘Rather it is information the subject of which is an Opal card that is in the possession of a particular individual.’

This submission does not persuade. The agency uses data its system collects from registered Opal cards to aggregate with other information for billing purposes or disputes or enforcements. It also assist police to provide proof of biological information about users, namely their travel history. The card travel history data next to the other data the agency holds identify the registered card holder.

…

The network data in Mr Grubb’s case may well have been far along the continuum of relevance and proximity, so that they do not trigger the privacy right, but travel history information is especially close and relevant.

The Privacy Commissioner also referred to their Guidelines/Fact Sheet published in January 2017 issued under the Commissioner’s functions under s 36 (2) (b) of the PPIP Act. Those guidelines make the following ‘Key Points’:

A person’s identity can be apparent or ascertained even if they are not directly named.

The test is whether identification is possible by any person (or machine) other than the subject themselves.

The surrounding context, and other available information sources, can enable a person’s identity to become apparent or ascertainable from the information or opinion, if no more than moderate steps are required to combine the data sources.

If information has been de-identified to the point where re-identification is not possible, it is no longer ‘personal information’.

…

(Fact Sheet: Reasonably Ascertainable identity January 2017 FS 2017/001)

In submissions dated 2 February 2017 the Privacy Commissioner submitted the following:

The fact that the agency stores the information in question in separate databases does not take away the agency ability to bring the data together as it may choose or as it may be required and therefore aggregate it.

Separate storage is more an indication that the agency has recognised its privacy and security obligations because the information is “personal information”/ rather than the opposite.

(Emphasis added).

Findings on threshold issue

I have carefully considered all of the arguments of the parties (and the submission of the Privacy Commissioner) on this issue. All material has been considered even if not every case or matter has been referred to so far in these reasons. Some matters referred to above have been observed for the evidence and submissions even though they were not necessarily argued or otherwise focussed on at hearing. The ability of all Opal cards (registered or otherwise) to allow the seamless identification of the recent travel history through the respondent’s website is one such observation.

I make a finding consistent with the evidence as set out later in these reasons, and the submissions, arguments and consideration above, that the information provided by the applicant at the time of application and registration of the Gold Opal card is the applicant’s personal information. I make a further finding that the travel history as recoded and accessible from the applicant’s registered Gold Opal card amongst other things (accessible from the card) meets the definition of personal information and is the personal information of the applicant.

Further evidence of respondent concerning the operation of the Opal card (the reasonably necessary argument).

The respondent provided two witnesses in the proceedings who both made signed statements/affidavits which were entered into evidence. The second day of hearing was entirely focussed on the evidence of one the witnesses Ms Iverach who gave evidence at the hearing. Some of this evidence concerns both the ‘reasonably necessary’ argument and the ‘personal information’ argument. I have set out much of this evidence as I believe that it is relevant and provides a context for the necessary findings made in these reasons for decision.

Respondent’s witness

Melissa Iverach gave evidence at hearing for the respondent. Most of this witness’s evidence related to the reasonable necessity argument attaching to the registering of Opal Gold cards. Ms Iverach is the Principal Manager Security Revenue protection and Intelligence in the Service Delivery and Performance Branch within Transport for NSW. The witness adopted as true and correct her statements reviewed as Exhibits ‘R1’ and ‘R4’. In cross-examination the witness was asked to clarify the reference in paragraph 17 of the respondent’s initial submissions concerning Opal Gold card eligibility. The witness stated that the Gold card can apply to pensioners, seniors, and some asylum seekers. The witness was taken to the assertion in paragraph 25 of those submissions that there was significant risk of misuse that without the registration measures individuals would be able to obtain multiple cards which could be used by other, non-entitled individuals. When asked what figures support that assertion the witness advised that her ‘role was to ensure that the maximum number of passengers travel compliantly’. The witness attested to the veracity of some of the assertions in the respondent’s written submissions, in particular those relating to the types and volume of ‘loss’ and related matters arising from the shift from paper to electronic ticketing. The witness accepted that the matters in the submissions were generalised statements concerning concession records. The witness was asked to comment on one of the paragraphs of the submissions that she attested (No 29) concerning the 2013 restriction of concession tickets availability. (No longer available at vending machines – only available at a ticket window after presenting ‘proof of entitlement’). As a result of this change it was asserted that four million less concession tickets were sold and this resulted in $10 million in extra revenue. The witness was asked which percentage of the concession tickets referred to were Gold or Seniors card holders. The witness was unable to answer that question. Questions were asked about paragraph 32 of the submissions concerning the linking of a card to an account and the ability to cancel the cards. The witness advised that Opal cards are valid for 9 years and for that reason it is vital that there is an ability to ‘cancel’ the cards. The witness drew an analogy with a lost credit card being a thing of value and the need to prevent the unauthorised use by a third party. The applicant observed that the paragraphs of the submissions referring to loss and misuse and other related issues in some ways conflated two separate issues, being the ability of TfNSW to determine an individual’s eligibility when applying for a card, and the ability to do various things that arise from having the link between the person and the card. The witness agreed with this observation and noted that the results of the 2012 survey concerning the wide misuse of concession tickets was unexpected by the respondent. A decision was made that restricting access to concession tickets would result in individuals misusing them less. The manner in which TfNSW verifies entitlement arises from a ‘data file’ being sent from the relevant institutions. The Tribunal asked questions of the witness and sought to understand earlier evidence concerning the change from ticket sellers and vending machines, to ticket-sellers only (in respect of concession tickets). The witness agreed that the written evidence was only based on rail staff, not newsagents, bus drivers or other methods of face-to-face sale. In respect of the monitoring of concession use process, the witness gave evidence that her understanding involved the data file being received from the relevant institutions by TfNSW. Then a ‘data matching’ process took place and if that indicated a change whereby the customer had become ineligible, then a further process occurred. The customer is advised and given notice (so that if there was an error they can correct it). TfNSW checks again and if the matter has not been updated, (due to verification of an error) then the card is cancelled. The witness clarified her earlier evidence that the result of the 2012 network wide compliance survey - non-compliance was 11%. The Tribunal clarified that paper tickets still exist (for bus journeys where a single trip ticket is purchased from the driver). The witness clarified that those tickets only relate to adult and child, not concession (Gold Opal equivalent) tickets. The witness gave evidence about her own personal experience as a registered user of checking her travel history on the system. The witness stated that this was directly analogous with the process that a Gold Opal user could undertake. Her evidence was that as a registered user you can log onto the: opal.com.au website and be able to view your travel history, the locations that the user has tapped on and tapped off, the fare they were charged and the balance of their card. In re-examination the witness was asked about the ‘pre-validation’ process to contain a concession card. The witness advised that the process that seniors or Gold Opal applicants go through is identical to the process that students (concession over 15) go through. Concession fares are 50% of the normal fare whereas Gold Opal fares are $2.50 per day. If any user (concession or Gold) in this category no longer meets the eligibility requirements then their card is cancelled along the lines of the process outlined earlier. Universities for example signed up to Opal in 2015 and provide information to TfNSW. In addition the witness was asked whether concession ticket holders must carry authorisation material when travelling. The witness advised that the Passenger Transport Regulation provides for this requirement of users. The witness advised that this requirement extends to all ‘concession holders’ students and Gold Opal card holders. In addition the witness clarified that by the time of the hearing, all concession Opal card holders are required to register. The witness in further cross-examination confirmed that the ‘Opal statement’ generated by the registered card holder, lays out the usage of the card, the fare charged and locations of tap on and off. The respondent’s legal representative confirmed that the records are retained for a maximum of two years under an administrative order similar to the State Records Act 1998. An issue arose during the evidence as to the assumptions that aspects of the case were based upon. I have already dealt with the issue of standing, in that the applicant applied for and registered a Gold Opal card based on the Senior entitlement (coupled with working an amount of hours below the threshold and resident in New South Wales). Having registered and received that card, the applicant stated on the record early in the proceedings that he had used his card. On this basis I decided that the applicant had standing to bring his grievance both at internal review and administrative review stages. Additionally however, the applicant wished to use that standing to argue that the onerous requirements attached to the collection of the data (personal information), was a breach of section 8 for all seniors (in the absence of an ‘opt out’ type arrangement). The applicant conceded that at the time of the review and the Tribunal application he had assumed that all Gold Opal holders were ‘seniors’ but as he now understood from this witness, all concession holders (other than child, student and school) receive what is referred to as a Gold Opal card. The witness set out the various types of cards issued by the respondent.

Green Opal Card (Child / Youth) 50% reduced fare

Gold Opal Card (available to Seniors who qualify, Pensioners of all types e.g.: aged pensioners, disability pensioners etc., asylum seekers, and some other small groups of eligible individuals). $2:50 daily cap

Silver Opal Card (Marked ‘Concession’ and available to tertiary students, TAFE Students, apprentices, trainees, job seekers and some other Centrelink covered groups). 50% reduced fare

Opal Card (the normal ‘adult’ card). Full fare

In addition there are a number of ‘free’ 100% concessions for vision impaired and Transport employees. Other full discount groups receive an ‘Employee Card’ such as ex-judges and other eligible groups. The witness gave evidence that all Opal cards other than the Green Card and the normal (full fare) Opal card must be registered and are subject to the same scrutiny as the Gold Opal as outlined above. The witness clarified that her evidence in Exhibit ‘R4’ referred to all concession tickets, Gold, and Silver etc. That evidence outlined a $41milion loss in 2012, $11 million loss Dec 2014-May 2015 (six months), $11 million loss in following six months, and $6 million loss Dec 2015 – May 2016 (six months) for all customers using all concession tickets without a valid entitlement. The witness clarified that the way the survey was formulated did not allow for TfNSW to estimate the number of people misusing the different type of concession tickets. The witness advised that it was never possible to have a Gold Opal card and not have it registered. There were in fact three initiatives around concession cards. The witness advised that the first initiative involved restricting the sale from vendor machines, the second involved pre-validation of the card and the third involved mandatory registration, which lined up with the systems put in place to ensure that the users of the cards remained entitled to use them. (The ongoing data matching referred to above). The witness was questioned about the effectiveness of the three initiatives, and whether the first two significantly reduced misuse so as to render the third (registration) of minimal consequence to loss prevention. The witness believed that steps were continually being put in pace during 2014 and 2015 to reduce access to the paper concession tickets and prevent misuse. When asked about whether there was any analysis or survey data for the period after paper tickets could be used the witness advised that there was no data available. (1 September 2016 onwards). However an analysis of infringement data (as detected by enforcement officers) shows a shift from concession misuse with paper tickets to offences of not ‘tapping on’ with electronic tickets (Opal Cards). Reference was also made in the evidence to 20,000 Gold Opal cards being cancelled (since introduction) due to changes in the Federal Government pension entitlement thresholds. The witness also gave evidence about the key policy shift of the respondent to take control of the tickets (of a concession nature). It was conceded however that some matters would have been re-activated as individuals held another entitlement (as Seniors) after age pension adjustments. Previously the concession entitlement resided with the various Universities, Centrelink or similar body. If a person held a concession authority which was no longer correct (due to a change in circumstances) there was no method to withdraw that authority (from the various institutions) or any ability for the Transport operator to control the use through tickets. The witness gave key evidence that TfNSW moved to take control over the tickets as a solution and as a result the Opal cards are effectively controlled by TfNSW. They can cancel, top up and raise requisitions or queries with the holders of the tickets. Evidence was also given that a School Opal card provides a 100% discount. For high school students 16 and over the witness referred to a ‘senior secondary student concession card’ which is issued through High Schools to students 16, 17 and 18 years of age. This card must be shown on demand and cannot be verified through a database. This card is as a result not registered like the Green (child) Opal card. The witness was taken back to some of the statistics annexed to her statement in evidence. There was discussion between the Tribunal and the parties and to why the concession misuse had appeared to sit at 1.8% for three years in a row and then dropped to 1%. At the end of the discussion the witness conceded that many of the figures were indicators of changes not absolute findings on changes capable of being fully supported by detailed evidence to break down the types of behaviours that caused those results. In respect of one sample (of 60,000 tickets) the witness was unable to give a proper breakdown of the data. This was because her area was not directly involved in how the survey outcomes were recorded.

We engage our transport performance and analytics team who are much more expert in this type of stuff, to do this survey on our behalf and then they engage two experts, which is a field work company and a statistical company.

And what I’m advised is that this is designed to be an accurate estimate of the rate of non-compliance at a network level. It’s supposed to look at rail across time, etcetera, but it’s not supposed to be about at a more granular level, what’s happening on Tuesday mornings or what’s happening with specific ticket types. And, the reason that’s been given to me before is because we don’t have accurate information of how people are using those ticket types at the population level and that’s a reference data set. So although we know how many people are travelling on the Western line, we don’t know how many people are using each individual ticket type on the Western line. Therefore, when they extrapolate it up, it’s not an accurate sum, … is what has been told to me before.

The witness therefore concluded that she did not possess the type of evidence the applicant was interested in examining to support his position. It appears that the respondent could not provide the detailed evidence to make or support part of its case in these proceedings because the focus of their data collection and analysis was concerning global compliance, trying to identify:

‘the biggest problem and drive that towards compliance.’

The respondent asked some further questions of their witness concerning eligibility for a concession entitlement and how ‘undetected misuse’ had occurred. It was suggested to the witness that in the absence of electronic ticketing there would be no method of cancelling the relevant cards held by persons no longer entitled to use them. The witness broadly agreed with this proposition and the situation persisting (if other forms of ‘entitlement’ – on board ID- were produced) for up to nine years.

Further finding on standing

Based on the matters referred to at [102] (above) and in the applicant’s own material, in my view the applicant has standing in these proceedings and I so find. It is unusual that the issue of standing would in any event be raised following an Internal Review and so far into the legal proceedings. What is less clear is the status of the applicant's argument that all Gold Opal holders who wish to opt out, are subject to the collection of their personal information contrary to s 8 (1) (b). The notion of standing requires that a person be ‘aggrieved’. In the case of AFW v WorkCover Authority of New South Wales [2013] NSWADT 133 Judicial Member Montgomery (as he was) dealt with this issue of standing referring to an earlier Administrative Decisions Tribunal (ADT) case of GA v Department of Education and Training & NSW Police (No 2) [2005] NSWADT 10

56. In my view Judicial Member Robinson correctly stated the position in GA v Department of Education and Training & NSW Police (No 2) [2005] NSWADT 10 in the passage from paragraph [24] of his decision that has been referred to above.

57. The Applicant is only permitted to agitate matters before the Tribunal in proceedings that relate to conduct or alleged contraventions concerning him personally and where he has suffered some tangible and measurable impact.

In GA the ADT found on similar facts that the applicant does not have standing to bring his privacy grievance on behalf of unknown others or persons who have not been subject to an internal review. At paragraph 24 -25 the Tribunal observed:

24 Accordingly, the applicant is only permitted to agitate matters before the Tribunal in these proceedings that relate to conduct or alleged contraventions concerning him personally (his personal information) and which directly relate to such conduct "that was the subject of the [internal review] application" under s 53 of the Privacy Act. That is the nature of the application that has already been substantially heard before the Tribunal and in which several interlocutory applications have been heard and determined.

25 In relation to matters that do not concern the applicant personally (in that they do not comprise his personal information), the applicant has not sought a Tribunal review of the conduct that was the subject of the application under section 53 of the ADT Act (s 55 of the Act).

On the basis of agreement with the above decisions, and noting the precondition for an Internal Review, I do not accept the applicant’s position that I can deal with all Gold Opal card holders in these proceedings. Whilst I might make recommendations consistent with the remedies sought by the applicant, and it would be prudent and appropriate that any such action by the respondent arising from any findings make the system compliant, in my view I cannot make an order in that regard, only a recommendation. That is not the case with the applicant’s Gold Opal card which is clearly ‘grounded’ with him in these proceedings. In dealing with any third party issues that arise I am mindful of the guidance of the President of the ADT in the case of NR and NP v Roads and Traffic Authority [2004] NSWADT 276. At paragraph 58 of NR and NP without proceeding to a finding on standing the President observed:

58 The Tribunal makes the following brief observations. Standing to apply to the Tribunal is given by the Privacy Act to a ‘person aggrieved’ by the conduct in issue. On the other hand the rights conferred by the Act seek to protect the personal information of ‘individuals’. Had the Parliament intended to limit standing to those individuals it would, presumably, have used that term rather than ‘person aggrieved’. As a matter of statutory construction, the ‘applicant’ referred to in s 55(2)(a) is the ‘person aggrieved’ referred to in s 53(1), by dint of the definition of ‘applicant’ found in the latter provision. So, it may be the case that a ‘person aggrieved’ other than the individual affected by the contravention could make a claim for monetary compensation.

I therefore find that these proceedings do not directly concern the personal information of other Gold Opal card holders but that any legal findings would be applicable to persons who wished to avail themselves of an unregistered card.

The ‘reasonably necessary’ s8 (1) (b) ground

The respondent in submissions dated 18 August 2017 makes a number of submissions concerning s 8(1) (b) (the reasonably necessary argument) but presents them within the personal information/non-personal information argument. This is because the structure of the hearing encompassed evidence of the threshold issue and the ‘reasonably necessary’ issue concurrently. The submission also seeks to provide evidence concerning the conduct/information in issue in these proceedings. At paragraph 4 of those submissions the following is stated:

4. Opal Customer Care has advised that, at the time the applicant placed a Gold Card order on 11 March 2016, he would have been asked: “do you agree for your personal information to be used as outlined in the Opal privacy policy”? That policy (copy attached “A”) notified the applicant that the respondent was able to connect his Opal card number to his customer details (at [4.1]). The applicant voluntarily provided or consented to the provision of his eligibility information, which was plainly personal information, on the basis of this awareness of the automated opal card system. After placing his order, the applicant was provide with a “Welcome aboard” package which, under the heading “Frequently asked questions,” notified him that his personal information was collected in accordance with that policy. (A copy of the package and sample covering letter is attached, “B”). The applicant’s provision of personal information, in these circumstances, amounted to a consent that the applicant wished to avail himself of the generous concession and did so on the terms and conditions applicable. In such circumstances, the applicant cannot subsequently complain that the ongoing collection by the respondent of the applicant’s (or, indeed, the class that the applicant purports to represents) card’s travel history was no longer reasonably necessary.

My concern with the above submission is that it raises a number of propositions which in my view are contradictory and in addition appear to miss the real grievance before the Tribunal. The submission at paragraph 1 refers to:

1. ..the collection by an agency of non-personal information for a purpose which is lawful and reasonably necessary does not become a collection of personal information which is not “reasonably necessary” merely because the person later voluntarily provides, or consents to the provision of, the person’s personal information to the agency, where the possible linking of the 2 types of information has the effect of converting what would otherwise be non-personal information into personal information. In such circumstances, the collection of the original non-personal information continues to be “reasonably necessary”.

The issue at play in these proceedings appears somewhat different. The applicant provided personal information to apply for a Gold Opal card. In the applicant’s view the collection of that personal information was reasonably necessary for the use (or purpose) of establishing entitlement. The applicant appears to concede that (from the respondent’s evidence at hearing), they need to have the customer’s name in order to verify entitlement (ongoing) and they need to have the card number – allocated to the customer – in order to be able to identify the particular card so that they can cancel the card should the entitlement lapse. The applicant appears to accept (on the respondent’s evidence) that such a collection is reasonably necessary, but argues that the collection for any other purpose (such as travel history) is not reasonably necessary. The issue of consent (as referred to in paragraph 4. Of the respondent’s August 2017 submissions) is – by the respondent’s own argument at paragraph 8 – only relevant to IPP’s 2, 3, 11 and 12.

8. Consent is a fundamental concept in the PPIP Act. It operates as an exception to compliance with ss. 10, 18 and 19 (by s.26(2)), s.9 (by s.9A) and s.17 (by s.17(a)).

Relevantly the concept of consent is not enlivened by s 8. The section involves the collection of personal information for lawful purposes. In this matter the information is collected from the applicant. That is not in dispute. There is no dispute (from the applicant) that the collection of the information is lawful, but the dispute lies in the view that it is not reasonably necessary for the extended purpose, because the ‘extended purpose’ is not necessary essentially on the respondent’s own evidence. I have examined the references to the cases provided by the respondent on this issue of consent. Barton v Armstrong [1973] 2 NSWLR 598; Crescendo Management Pty Ltd v Westpac Banking Corporation (1988) 19 NSWLR 40; TV Shopping Network v Scutt (1998) 43 IPR 451; and Tofilau v The Queen (2007) 231 CLR 396. They all deal with notions of consent and whether an individual acts in a purely voluntary manner or something more akin to a lack of choice. The respondent submitted at paragraph 5. Of 18 August 2017 submissions that:

5. As to consent, the respondent submits that the authorities establish that consent in law is voluntary where, as here, any pressure to obtain that concession eligibility information was not illegitimate but merely an inducement. (Reference was then made to TV Shopping Network).

Like my views expressed at paragraphs [129] and [130] the respondent seems to misunderstand that it is the reasonable necessity for the collection (for the allied purpose) that is in issue. There was no desire by the applicant to prevent the respondent from obtaining the concession eligibility information as it w