1. The University has breached section 17 of the Privacy and Personal Information Protection Act 1998. 2. The University’s decision that there were no breach of any Information Protection Principle set out in the Privacy and Personal Information Protection Act 1998 is otherwise affirmed. 3. The matter is listed for a further case conference on Tuesday, 6 March 2018 at 9.30 am.

Judgment

The Applicant has applied to the Tribunal for review of a determination by the University of New South Wales (“the University” or “UNSW”) in relation to a complaint that he made in April 2016 about conduct of an officer of the University. His complaint was brought under the Privacy and Personal Information Protection Act 1998 (“the PPIP Act”) seeking review of a decision made by the University. The decision is dated 11 July 2016. The names of private individuals, and other information which might identify them, have been anonymised so as to preserve the privacy of their personal affairs. I have also limited my discussion of some issues in order to preserve the privacy of their personal affairs. The hearing in this matter took place in June 2017 and August 2017. Following the August 2017 hearing a timetable was set for the parties to file further submissions. In December 2017, the applicant applied to have the proceedings reopened to allow him to file further material. This was well after the period allowed for filing of further material and the University opposed his application. Despite requests for further information regarding the nature of the new material that he wished to file and an explanation regarding how it is relevant to the proceedings, the applicant had not provided any reasonable basis for me to conclude that the proceedings should be reopened. In the circumstances I decline his request.

Background

Mr Jackson is a former student of the University. He contacted the University’s Right to Information Officer, Mr Paul Serov, in relation to a request for information under the Government Information (Public Access) Act 2009 ("the GIPA Act"). The information related to his candidature as a postgraduate research student at the University. The applicant sought review of Mr Serov's conduct in sending information, including a list of names, to Dominic Mooney, the Assistant Director, Candidature & Thesis in the University's Graduate Research School (“GRS”). The applicant’s original complaint was dated 5 April 2016 and it was made using the Information and Privacy Commission form titled Privacy Complaint internal review application form. Under paragraph 5 – the section of the form that requests “What is the specific conduct you are complaining about?” the applicant wrote:

Mr. Paul Serov, UNSW's Rights to Information Officer, disclosed sensitive information to a party who is closely connected to an entity within the university whom I am attempting to file a formal complaint against. He did so without my knowledge or consent. Mr. Serov's actions were in violation of several sections of the Privacy and Personal Information Protection Act of 1998.

The details are as follows:

At the direction of Kimberley Dickinson, the manager of UNSW's Conduct and Integrity Unit, I submitted what I believed to be a confidential list of names of personnel who were connected to a complaint I plan on submitting. Without my knowledge, and against my wishes, Mr. Serov promptly turned my list over to an individual who was not only on my confidential list, but who also serves in an administrative capacity to the school I am trying to file a grievance against.

Mr. Serov claims he needed to submit my list to the Graduate Research School to ascertain the scope of my request. This makes little sense within the context of what was disclosed and to whom. Only a fraction of the names on the list were employed by the Graduate Research School. There is no reason to believe that Dominic Mooney, or anyone else at the Graduate Research School, could have provided Mr. Serov with useable information in relation to my request. The list would, however, be of much greater potential value to parties associated with my impending complaints, potentially affecting my ability to pursue a complaint that I may submit in the future.

I believe Mr. Serov's conduct is in violation of the following sections of the Privacy and Personal Information Protection Act (1998):

Section 12c: "A public sector agency that holds personal information must ensure that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse[.]"

Section 17a: "A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless...the individual to whom the information relates has consented to the use of the information for that other purpose."

Section 18(1)b: (1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless...the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body.

Section 10 also includes language that would assure any reasonable person that they were protected from the sort of unauthorized disclosure made by Mr. Serov.

Under paragraph 10 of the form that requests “What effect did the conduct have on you?” the applicant wrote:

Because Mr. Serov furnished important information to the very entity at UNSW I am complaining about, there exists a substantial lack of trust which has impeded my ability to proceed with a request for personal information through GIPA (2009) which Mr. Serov administers. This has had a very negative effect on my ability to proceed with a time-sensitive complaint. It was for the purpose of submitting this complaint that I submitted my list to Mr. Serov.

The unauthorized disclosure of my information to the third party may affect my ability to carry through with my original complaint. Like many breaches in privacy, the effects are not possible to gauge accurately but are unquestionably negative.

In addition, I have suffered significant emotional distress as a result of a complex situation being made more so.

Under paragraph 11 of the form that requests “What effect might the conduct have on you in the future?” the applicant wrote:

Mr. Serov's conduct has had an unquestionably negative effect on the complaint(s) I am seeking to file. It was for the purpose of filing these complaints that I requested Mr. Serov's assistance in obtaining information potentially related to them. At this point in time, it is not possible to gauge, monitor or regulate how the unauthorized disclosure of information may have been misused by others.

The underlying complaint that I hope to file deals directly with a pattern of dishonesty and maladministration very closely connected to both GRS and Dominic Mooney's office. Therefore, Mr. Mooney's assurances that the information was not and will not be misused by GRS is completely beside the point. Viewed objectively, it is not possible for anyone to gauge with any accuracy the potential consequences of the unauthorized disclosure.

I can say with certainty, however, that what may be inferred from the list, given to unauthorized third parties, may have a very seriously detrimental effect on the outcome of my impending complaint(s), the composition of which was my reason for seeking information from Mr. Serov in the first place. In short, Mr. Serov's conduct damaged the process in which he is employed to assist. I am unclear as to how to proceed with my impending request under the current circumstances, further impeding my ability to submit my planned complaint(s) in a timely fashion.

Under paragraph 12 of the form that requests “What would you like to see the agency do about the conduct? (for example: an apology, a change in policies or practices, your expenses paid, damages paid to you, training for staff, etc.)” the applicant wrote:

All of the above examples seem appropriate. I also think the university needs to recognize this incident as operating within a widespread pattern of abuses, including routine breaches of confidentiality within their complaint system. I believe the parties involved should be censured, an apology issued, and an attempt made to rectify their procedures. Most importantly, I request assurances that the information I am seeking for my impending complaint will be administered in close accordance with both GIPA (2009) and PPIP (1998).

Due to my lack of legal knowledge, I am not prepared at this point in time to comment on whether any form of financial compensation is due in relation to my complaint against Mr. Serov. I have, however, suffered significant damage and considerable loss of time.

In his amended application to the Tribunal the applicant set out the background to the complaint as follows:

On 15 January 2016, I sent Mr. Serov an email clearly marked as a "GIPA Request" in the subject line, and invoking the GIPA Act of 2009 in the first sentence. My email contained a list of 19 individuals. It stated "my search is rather broad and includes correspondence and meetings held with the following personnel (this is a partial list):" followed by the list of 19 names. In a telephone conversation, I told Mr. Serov that I was making my GIPA (2009) request at the direction of Kimberley Dickinson, the University's Student Conduct and Integrity Officer, who instructed me on several occasions to make my request "as broad as possible" (email, 14 January, 2016). In addition, I told him that my request pertained to an impending complaint against Laura Poole-Warren and the Graduate Research School. ...

...

I now know that on 9 February 2016, Mr. Mooney requested a face-to-face meeting with Mr. Serov. In his reply, Mr. Serov CC'ed Laura Poole-Warren, by deliberately clicking "Reply All" and informing both of them of the substance of my GIPA (2009) request. The outcome of whatever meeting or conversation that took place was the subsequent forwarding of the entirety of my GIPA (2009) request to Mr. Mooney (email 12 February, 2016) which Professor Poole-Warren had already been apprised of without my knowledge. It appears that it was requested verbally from the Graduate Research School between 9 and 12 February, 2017.

Both Dominic Mooney and Laura Poole-Warren's names appear on the list of the 19 names I submitted, as they are central figures in my underlying complaint.

…

I had not even made a request for my student record when I submitted my GIPA (2009) request, and only did so at the prodding of Mr. Serov when he assured me that "Much of the information you are looking for will likely be on this file" (email, 15 January, 2016). ...

Applicable legislation

The Tribunal's jurisdiction is governed by section 55 of the PPIP Act. That jurisdiction arises only where there has been an application for internal review of conduct pursuant to section 53. The applicant raised several privacy-related concerns and he requested an internal review of the University’s conduct under the PPIP Act. He alleged that the University’s conduct breached a number of Information Protection Principles (“IPPs”) contained in the PPIP Act. In particular he complained in relation to the use and disclosure of his personal information. The expression “personal information” is defined in section 4 of the PPIP Act as follows:

4 Definition of "personal information"

(1) In this Act, "personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.

(3) Personal information does not include any of the following:

(a) information about an individual who has been dead for more than 30 years,

(b) information about an individual that is contained in a publicly available publication,

(c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,

(d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,

(e) information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure,

(f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,

(g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,

(h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,

(i) information about an individual that is contained in Cabinet information or Executive Council information under the Government Information (Public Access) Act 2009,

(j) information or an opinion about an individual's suitability for appointment or employment as a public sector official,

(ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000,

(k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.

(4) For the purposes of this Act, personal information is "held" by a public sector agency if:

(a) the agency is in possession or control of the information, or

(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or

(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.

(5) For the purposes of this Act, personal information is not "collected" by a public sector agency if the receipt of the information by the agency is unsolicited.

Section 5 of the PPIP Act provides:

5 Government Information (Public Access) Act 2009 not affected

(1) Nothing in this Act affects the operation of the Government Information (Public Access) Act 2009.

(2) In particular, this Act does not operate to lessen any obligations under the Government Information (Public Access) Act 2009 in respect of a public sector agency.

In his amended application the applicant specifically alleged breaches of sections 10, 12, 17 and 18 of the PPIP Act. Section 10 of the PPIP Act provides:

10 Requirements when collecting personal information

If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following:

(a) the fact that the information is being collected,

(b) the purposes for which the information is being collected,

(c) the intended recipients of the information,

(d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,

(e) the existence of any right of access to, and correction of, the information,

(f) the name and address of the agency that is collecting the information and the agency that is to hold the information.

Section 11 of the PPIP Act provides:

11 Other requirements relating to collection of personal information

If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:

(a) the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and

(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

Section 12 of the PPIP Act provides:

12 Retention and security of personal information

A public sector agency that holds personal information must ensure:

(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and

(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

Section 17 of the PPIP Act provides:

17 Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:

(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

Section 18 of the PPIP Act provides:

18 Limits on disclosure of personal information

(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:

(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or

(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or

(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

Section 25 of the PPIP Act provides:

25 Exemptions where non-compliance is lawfully authorised or required

A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:

(a) the agency is lawfully authorised or required not to comply with the principle concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

The University’s decision

The University’s decision was made by Mr Aaron Magner and is dated 11 July 2016. It summarised the applicant’s complaint as follows:

The conduct you have complained of relates to handling of information by Mr Paul Serov, UNSW's Compliance Manager, Privacy Officer and Right to Information Officer.

Your complaint is that Mr Serov disclosed your personal information to Mr Dominic Mooney, the Assistant Director of UNSW's Graduate Research School. The information Mr Serov disclosed to Mr Mooney was an email from you to Mr Serov dated 15 January 2016 with the subject heading "GIPA request" ("GIPA request email"). The GIPA request email included a list of nineteen names of UNSW employees and other information related to your PhD candidature from 2011 to the present.

The GIPA request email relates to a separate complaint you intend to make about UNSW's Graduate Research School. You describe this as your original complaint, underlying complaint or impending complaint (the "underlying complaint"). You are concerned that Mr Serov's disclosure of the GIPA request email to Mr Mooney was a breach of privacy that may adversely prejudice your prospects for pursuing a resolution of your underlying complaint.

Mr Magner concluded:

The original purpose for which you provided the GIPA request email to the University related to your request for access to your student file held by the Graduate Research School. The GIPA request email included a list of nineteen UNSW staff and broad parameters of information related to your PhD candidature.

…

The email was not marked confidential or state that the information is sensitive

Mr Serov forwarded the GIPA request email to Mr Mooney for the purposes of responding to your request for access to your student file and information. To facilitate access to the information requested by you Mr Serov needed to liaise with personnel in the Graduate Research School.

Mr Mooney role in the Graduate Research School involves responding to requests from higher degree research students for access to information on their student file. This requires that Mr Mooney interact with Mr Serov in his capacity as UNSW's Right to Information Officer.

The internal disclosure by Mr Serov to Mr Mooney was therefore consistent with section 18(a) of the Privacy Act in that it directly related to the purpose for which the information was collected Mr Serov, in disclosing the information to Mr Mooney, had no reason to believe at the time of his disclosure that you would object to the disclosure.

I therefore do not consider the disclosure by Mr Serov to Mr Mooney occurred for any reason other than to assist in responding to your request for access to your student records. I have concluded that the internal sharing of the GIPA request email was directly related to the purpose for which the information was collected.

Decision

Having considered your application and reviewed the conduct subject to your complaint I have concluded that your complaint is not upheld and in accordance with s.53(7)(a) of the Privacy Act I have decided to take no further action.

As noted, the applicant has sought review of that decision in this Tribunal. An issue arose in regard to whether the application had been lodged within the time permitted by the legislation. That issue was dealt with by Senior Member Dinnen who agreed to extend the time for lodging of the application. A timetable was set for filing of material in the proceedings and CWI was granted leave to file an amended application. He filed an amended application on 8 May 2017.

Preliminary issue

Initially, the matter came before me for hearing in June 2017. At that time a preliminary issue arose in regard to the scope of the application. The scope of an application for internal review is a matter of fact to be determined objectively by construing the application reasonably. In KO and KP v Commissioner of Police, New South Wales Police (GD) [2005] NSWADTAP 56 the Administrative Decisions Tribunal Appeal Panel stated at paragraphs [13] - [14]:

13 … In our view, it is clear from the scheme of the Act, in particular ss 53 and 55, that the scope of the application for internal review, reasonably construed, provides the scope for the agency’s examination of the application. Unless there is some widening of the application within that process which is accepted by the agency, the application for internal review, reasonably construed, sets the scope for the application for review of the conduct by the Tribunal. It is plain from the scheme of the Act that the Parliament intended that the agency have the first opportunity, always, to deal with the matters of complaint. ...

14 The question of what is the scope of the application, reasonably construed, is one of fact but, as we have indicated, affecting jurisdiction. Its determination is not driven, in any significant way, in our view by any recitation of Information Protection Principles that may appear in the applicant’s application. Often there will be no recitation of Information Protection Principles. Sometimes there will be a detailed recitation seeking to bring into play many, or every one of, the Principles. The key question is what facts and circumstances has the applicant referred to which might give rise to questions of compliance with the Information Protection Principles, and to identify the relevant Principles.

This approach has been adopted in this Tribunal. See for example CYL v VIA [2016] NSWCATAD 314 where Senior Member Durack stated at paragraph [45]:

Unless there is some widening of the scope of the internal review application, which is accepted by the agency, the application for internal review, reasonably construed, sets the scope of the application for review of the conduct by the Tribunal: KO and KP v Commissioner of Police, New South Wales [2005] NSWADTAP 56 at [13] – [14]. There is no need for there to have been a reference to any particular IPP: Department of Education and Training v GA (No3) [2004] NSWADTAP 50 at [12] – [13]. What is important are the facts and circumstances referred to and about which complaint is made.

It is now well established that the scope of an application is determined by reference to the conduct that was the subject of the applicant’s complaint. In the present matter there is no suggestion that the University accepted a widening of the scope of the complaint in internal review application. The scope of the application is therefore that identified in the complaint dated 5 April 2016. The applicant’s contention was that the scope of his complaint was wider than the construction that Mr Magner gave to it. The applicant contended that the complaint concerned the dissemination of information by Mr Serov anywhere in the University i.e. not confined to staff within the Graduate Research School, whereas Mr Magner’s decision only considered the dissemination of information by Mr Serov to Mr Mooney. Following the presentation of arguments by each party I concluded that the complaint should be construed more widely than Mr Magner had considered it to be but narrower than the applicant had submitted. In this regard I relied on the information that the applicant had included under paragraph 10 of the form in addition to that set out under paragraph 5 of the form. I considered that the complaint concerned the dissemination of the applicant’s information to staff in the University's Graduate Research School. The complaint covers the period from 15 January 2016 to 5 April 2016. I made the following orders:

The decision by The University of New South Wales made on 11 July 2016 is returned to The University of New South Wales for re-consideration.

The reconsideration is to be made on the basis that the scope of the applicant’s request for internal review dated 5 April 2016 is to be interpreted by the University as a complaint about the dissemination by Mr Paul Serov of the email sent by the applicant to Mr Serov dated 15 January 2016, or information in that email (including information about the applicant’s request for information), to staff members employed within the University’s Graduate Research School, between 15 January 2016 and 5 April 2016.

I also made directions with a timetable for completion of the redetermination and the filing of further material. The redetermination was undertaken by the University’s Director of Governance, Mr James Fitzgibbon, and was completed on 7 July 2017. Mr Fitzgibbon identified the complaint as follows:

In his application for internal review, the Applicant states that the University has misused his personal information by the unauthorised disclosure of sensitive information, being the disclosure of the names of 19 staff members he was intending to identify in an access application, which the Applicant states was for the purpose of filing a formal complaint. This information is not personal information of the applicant. It would be more accurate to state that the Applicant was concerned that it was revealed that he was the person who had submitted the list of 19 staff members and his name was revealed together with the list that he had submitted.

He made the following findings:

The use of the Applicant's personal information for a purpose other than that for which it was collected

The Applicant contacted Mr Serov on 15 January 2016 to 'request information under the act of 2009'. This was in fact, not a valid access application under the GIPA Act but an email requesting guidance on how to request the correct information, given it was a broad search from a partial list of personnel, comprising 19 staff members.

In the emails from Mr Serov to Mr Mooney on 9 February 2016 and 12 February 2016, and the telephone call between Mr Serov and Mr Mooney on or about 12 February 2016, Mr Serov clearly references the Applicant as being the person who was intending to make an information request (access application) related to the 19 staff members of UNSW. In so doing, he revealed the personal information (that is, the name of the Applicant and the fact that the Applicant was seeking the particular information he sought).

The question then, is whether revealing the name of the Applicant (and the fact that the Applicant was seeking the particular information he sought) amounts to a use of the information for a purpose other than that for which it was collected, and if so, whether any of the exceptions identified in section 17 of the PPIP Act apply.

The Applicant provided his name and the list of staff members for the purpose of preparing an access application under the GIPA Act. The Applicant noted that his search was rather broad and Mr Serov, in his email reply to the Applicant dated 15 January 2016, stated

1 That the Applicant could request his student file from the Graduate Research School without the need to make a formal access application, and

2 That if the information being sought was not in the Applicant's student file, he could make an application under the PPIP Act to access personal information, however the request was very broad and a reduction in scope would likely be sought.

The purpose for which Mr Serov used the information from the Applicant, in communications with Mr Mooney, was to facilitate preparation for the expected information request. Mr Serov advised that he was expecting the Applicant to provide a revised application for information, and that if the Applicant provided a valid access application under the GIPA Act, he would need to process the application within 20 working days, subject to limited extensions in certain circumstances. Alternatively, if the Applicant had submitted an application under the PPIP Act, then the information should be provided within 35 days of the request under the University's Privacy Management Plan. Mr Serov stated that, given the timeframes involved, he wanted Mr Mooney to be aware of the information that he would be requesting pending receipt of the Applicant's application.

I therefore find that the information was not used for a purpose other than that for which it was collected.

Finding - I find there is no evidence to give any substance to the University breaching section 17 of the PPIP Act, or any other provisions of the PPIP Act, in regard to this complaint.

CONCLUSIONS

Based upon the findings stated above, there is no evidence that the conduct by the University that is the subject of the complaint by the Applicant was in breach of the Information Protection Principles as set out in the PPIP Act.

RECOMMENDATION

That the University take no further action.

The applicant was not satisfied with the outcome of the redetermination and the matter was listed for further hearing on 23 August 2017.

The issue for determination

The issues for determination are

whether the conduct by the University that is the subject of the applicant’s complaint was in breach of the Information Protection Principles as set out in the PPIP Act; and if so, what action, if any, should be taken in regard to any breaches.

The material before the Tribunal

The applicant relies on various documents that he filed in the matter. He did not give evidence but provided written and oral submissions in support of his case. The University relies on the statement of Mr Serov, written submissions, a bundle of material and a chronology that refers to the documents in the bundle and shows the relevant events. Mr Serov attended the hearing and was cross-examined.

The applicant’s case

The applicant submits that Mr Serov furnished sensitive information to individuals that were to be the subject of a proposed complaint. The parties do not agree in regard to the nature of the personal information that is in issue. The applicant contends that the personal information extends to not only the list of 19 names related to a complaint that the applicant proposed to make, but also to the existence of the list. His complaint extends to the dissemination of that information. He is aware that the information was given to Mr Mooney and to Professor Poole-Warren but he is not aware of whether any other listed individuals have also been given the information. The applicant submits that even if Mr Serov contacted Mr. Mooney so that Mr Mooney would be aware of the potential scope of the applicant’s proposed GIPA access application so that he could prepare as necessary, there is no reasonable explanation as to why the information would have been given to Professor Poole-Warren. Professor Poole-Warren had no role to play in the gathering of information in response to his proposed GIPA access application. The applicant also points to a chain of emails between himself and Mr Serov and between himself and Mr. Mooney, in which he attempted to ascertain whether the list of 19 names had been provided to any other staff members. These attempts were initially unsuccessful despite the applicant repeatedly raising the issue. The applicant maintains that he still does not have a clear answer to the question. The applicant contends that Mr Serov should have assumed that the information was sensitive because of the circumstances in which it had been provided and the information that the applicant had given him in a conversation that they had in regard to the applicant’s proposed GIPA request. As noted above, the applicant has alleged that the University has breached a number of IPPs. He contends that the information could be construed as "solicited" and therefore "collected" and disputes the University’s claim that section 10(c) does not apply. He submits that the section requires that he must be told who will be using his information. He says that even if the release of information to others is a valid use of the information, he was not told who would be using it. He points to the requirement in section 12(d) that everything reasonably within the power of the agency is to be done to prevent unauthorised use or disclosure of the information. He submitted that the University has been unable to provide any rationale for giving either Mr. Mooney or Professor Poole-Warren his information. The applicant points to the requirement in section 17 that a public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected. He submitted that this remains an issue for consideration. With regard to section 17(a), he stated that he never gave consent for his information to be released to Mr. Mooney or Professor Poole-Warren. With regard to section 17(b) he submitted that there is no logical basis for the University's argument that the release of information to Mr. Mooney and Professor Poole-Warren was directly related to the purpose for which the information was collected. He further submitted that the University is not able to show how the release of information to Mr. Mooney and Professor Poole-Warren constitutes any legitimate "use". With regard to section 18 the applicant noted the University’s argument that the information was "used" rather than "disclosed". However, he submitted that Mr. Mooney holds dual roles within the University - manager of student records and Assistant Director of Graduate Research – and that there is reason to consider whether a disclosure occurred as a result of this dual role. He noted that the University is permitted release his information for a reason that is related to the purpose for which the information was obtained and if it can be reasonably assumed that he would not object. He submitted that the University has been unable to explain what the "related reason" was to justify the "release" of information to other personnel; that he clearly did not consent to the release; and that he would have objected if he had known that it would be released. With regard to section 25 the applicant disputes the contention that non-compliance is lawfully authorised or required. He submits that his student record request does not provide a justification for the University's subsequent behaviour regarding his GIPA request. He argues that even if Mr. Mooney did act in a compliant manner in both of his roles, there is no reason to conclude that the release of information to other personnel was anything other than an unauthorized disclosure. The applicant points to Mr Serov’s concession that the applicant and Mr Serov had a long telephone conversation on 15 January 2016 and that the conversation included discussion about the applicant’s view that he had been treated unfairly in having his PhD candidature terminated. He submitted that Mr Serov was aware that the list of 19 names related to a complaint that the applicant proposed to make against Professor Poole-Warren and the Graduate Research School. He submits that when he forwarded the list to Mr. Mooney, Mr Serov was aware that the intended complaint was the basis for his request for information.

The University's case

It is not in dispute that the applicant sent an email to Mr Serov on 15 January 2016, requesting information pertaining to his candidature as a postgraduate research student. In the email the applicant referred to the GIPA Act, stated that the request was rather broad and included correspondence and meetings held with a number of named personnel. He included a list in which he named 19 people. Mr Mooney’s name was in the list. Mr Mooney is the Assistant Director, Candidature & Thesis in the University's Graduate Research School. Mr Mooney had access to information on the student files of higher degree research students, and Mr Serov regularly liaised with him in this capacity. It is also not in dispute that on 9 February 2016 Mr Serov sent the 15 January 2016 email to Mr Mooney or that a copy of the email to Mr Mooney was sent to Professor Poole-Warren. The list of 19 names was not included in the email on that occasion. However, on 12 February 2016 Mr Serov sent a copy of the complete email, including the list of 19 names, to Mr Mooney. That email was not copied to Professor Poole-Warren.

Mr Serov’s evidence

The University relies on Mr Serov’s evidence. Mr Serov provided a written statement in which he set out his usual procedure for dealing with GIPA applications. He noted that he often starts working to identify the relevant information before he receives the valid access application so that he can meet the statutory deadline more easily. He stated that if he receives a request from an individual who is or has been a higher degree research student (including PhD students) his usual practice is to direct the individual to the University's Graduate Research School as he is aware that the GRS holds individual files relating to each higher degree research student. He stated that a request for viewing an individual's own Student File can generally be dealt with under the informal access provisions of the GIPA Act. This can usually be done more quickly than responding to a formal access application under the GIPA Act. He stated that the GRS also often requests his advice when they receive a request from an individual to view their own Student File to ensure the University complies with its obligations under the GIPA Act and the PPIP Act, for example, to ensure that any personal information of others which might be contained in the Student File is not inappropriately disclosed to the person who has requested access. His evidence is that he forwarded the applicant’s email to Mr Mooney in that context. That is, in anticipation of a formal GIPA access application for information and in an effort to ensure that the statutory timeframes were met by making Mr Mooney aware of the scope of the proposes access application so that he could be prepared for it. Mr Serov also stated that he had a telephone conversation with Mr Mooney on or about 12 February 2016. He said that he informed Mr Mooney that the applicant was seeking information regarding correspondence between CWI and a large number of University staff, including employees within the GRS. He stated:

On 12 February 2016 I sent an email to Mr Mooney ... My email to Mr Mooney forwarded the email correspondence I had with Mr Jackson on 15 January 2016. I sent the email to Mr Mooney on 12 February because I had discussed Mr Jackson’s access application during my phone call with Mr Mooney on 12 February 2016 and I thought Mr Mooney should have further details of the information that Mr Jackson wished to obtain, so that Mr Mooney would be in a position to identify the relevant information (to the extent it was held by him and the GRS) once I received an amended application from Mr Jackson.

Mr Serov did not give other evidence in regard to the conversation that he had with Mr Mooney. Under cross-examination Mr Serov conceded that the applicant had explained that he regarded the termination of his PhD candidature as unfair and that the applicant intended to lodge a complaint. However he said that he was not aware of the specifics of the intended complaint. He was aware that the complaint involved Professor Poole-Warren and that her name was included on the list. However, he said that he did not advise her about the list. She was not sent a copy of the email that included the list that he sent to Mr Mooney. In response to the applicant’s question in regard to why individuals who were named in the list would be consulted, Mr Serov explained that he liaises with individuals to ensure that he is able to identify all information that is relevant to a GIPA access application is identified.

Submissions

Ms Tronson, counsel for the University, provided both written and oral submissions. The University’s position is that most of the IPPs to which the applicant has referred do not apply in this matter:

IPP 3 (section 10) does not apply as it relates to the collection of personal information and the applicant voluntarily provided his name and the list of 19 staff members to Mr Serov on 15 January 2016. The personal information provided by the Applicant was unsolicited and was not 'collected' by the University;

IPP 5 (section 12) is not relevant as the applicant has not raised issues in regard to whether security safeguards protected his personal information or issues regarding unauthorised access, use, modification or disclosure of the information or other misuse of the information. The University submits that the applicant’s assertion that that the University has been unable to provide any rationale for giving the information to either Mr Mooney or Professor Poole-Warren doesn’t appear to be an allegation that the University has failed to protect the information. It argues that Mr Serov was an authorised officer of the University for the purpose of dealing with information requests and making reviewable decisions on access applications under the GIPA Act, and that he provided the information to Mr Mooney in that capacity;

IPP 11 (section 18) does not apply as it relates to the disclosure of personal information. The University submits that provision of information within an agency is use under section 17, rather than disclosure under section 18. Therefore the dissemination of the applicant's name and the list of 19 staff members did not amount to an unauthorised disclosure of his personal information by Mr Serov because he did not disseminate it outside and beyond the control of the University. In this regard the University relies on the decision in CTH v University of New South Wales [2017] NSWCATAD 244 which concerned the delineation between use and disclosure in sections 17 and 18 of the PPIP Act.

In regard to IPP 10 (section 17) the University’s position is that information may be used for a purpose for which it was collected or a purpose directly related to the purpose for which the information was obtained. The University accepts that the mere "obtaining" of information constitutes "collection" for the purposes of section 17. On this basis, in determining the limits imposed by section 17 in a particular case, it is necessary to determine the purpose for which information is obtained. Ms Tronson submits that the information was obtained by the University as part of a request by the applicant for access to certain information held by the University. Further, the information was obtained by Mr Serov in the course of dealing with the request for information. Mr Serov determined that the request for information was not a valid GIPA access application. Ms Tronson further submits that as at 12 February 2016, the relevant circumstances were:

The applicant's email dated 15 January 2016 which contained the request for information was headed "GIPA request" and stated "I am writing to request information under the act of 2009";

Mr Serov had been engaging in his implied obligations to assist the applicant (and had thus, from his perspective, been working with the applicant to ensure that an appropriate application was made and could be processed);

Mr Serov anticipated that the applicant would make an amended application, whether by way of an informal request pursuant to section 8 of the GIPA Act, an application for access to his personal information pursuant to the PPIP Act, or both or something else;

Mr Serov anticipated that he would be required to deal with any amended application reasonably expeditiously; and

The applicant did in fact send an informal request, albeit to Mr Mooney.

Ms Tronson further submits that Mr Serov's provision of the information to Mr Mooney was for the purpose of dealing with the applicant’s request. He anticipated that the applicant would send an amended version of the request for information and he provided the information to Mr Mooney in order that Mr Serov would be able to process any formal application within the required time frame. The University’s position is that as Mr Serov used the information for a purpose for which it was obtained there is no breach of section 17. Further or in the alternative, Ms Tronson submits that Mr Serov's purpose in providing the information to Mr Mooney was directly related to the purpose for which the information was collected and therefore there is no breach of section 17 pursuant to section 17(b). Further or in the alternative, Ms Tronson submits that the circumstances surrounding the request for information and the steps Mr Serov took, demonstrate that noncompliance was permitted, necessarily implied or reasonably contemplated by the GIPA Act and/or the PPIP Act. She contends that even where there are no obligations to process an application, such as where an informal request for information is made or where an application is not yet a valid access application but where it is anticipated this might be remedied, there is still a permission, necessary implication or reasonable contemplation that such steps might be taken. Ms Tronson submits that the applicant has not demonstrated any breach of the PPIP Act and therefore his application to the Tribunal ought to be dismissed.

Discussion

The PPIP Act aims to strike a balance between the rights of individuals to privacy and the need for agencies to carry out their legitimate functions efficiently and effectively. It defines ‘personal information’ at section 4. The Tribunal has generally interpreted the expression broadly to provide the maximum benefit from the rights afforded by the PPIP Act. In EG v Commissioner of Police, NSW Police Service [2003] NSWADT 150 Deputy President Hennessey stated at paragraph [24]:

24 I accept the Privacy Commissioner's submission that since the PPIP Act is beneficial legislation, s 4(1) should be interpreted broadly and the exclusions from the definition of personal information should be construed narrowly. I also accept the Privacy Commissioner's submission that meaning is gleaned from both the content and the context in which information or an opinion appears. This was recognised by President O'Connor in Y v Director General, Department of Education & Training [2001] NSWADT 149 …

I agree with that approach. The current matter concerns the dissemination of the applicant’s email to staff of the University. The parties do not agree in regard to the nature of the personal information that is alleged to have been disseminated or the extent of the dissemination. As is often the case, the applicant is not able to ascertain easily what took place. This is because he does not have complete access to the University’s records. It appears that his general distrust of the University has caused him to question the information that he has been given and whether or not the dissemination was wider than the University has conceded.

What personal information is in issue?

The context can be important in determining whether or not something meets the definition of ‘personal information’: WL v Randwick City Council [2007] NSWADTAP 58; WL v Randwick City Council (No 2) [2010] NSWADT 84. However, while different contexts can provide very different implications, it is the information or opinion itself that must fall within the definition of “personal information”: EG v NSW Police Service at paragraph [34]; NSW Police v EG; EG v NSW Police (GD) [2004] NSWADTAP 10 at paragraph [59]. In this matter, the applicant contends that the information that was conveyed was not limited to the email and the associated list of 19 staff members but extends to information regarding the existence of the list. The dissemination took place in the context of a long discussion that had taken place between the applicant and Mr Serov. There are no contemporaneous notes that record the content of that discussion. In the circumstances any contextual information regarding the list remained in Mr Serov’s mind. He does not now remember the details of the conversation other than the applicant considered that he had been treated unfairly. The New South Wales Court of Appeal considered the issue of information being ‘held’ in a person’s mind in the case of Vice Chancellor Macquarie University v FM [2005] NSWCA 192 (“FM”). In FM the Court dealt with a disclosure of information that had been gleaned through conversation with another individual. The Court stated at paragraph [40]:

40 The primary context of the legislative scheme which gives meaning to the words “holds personal information” is Pt 2 Div 1, with the definitions in s4. That context strongly indicates that the words do not extend to information held in the mind of an employee.

The situation is not so clear in circumstances where an agency holds a record and conveys information verbally. Senior Member McAteer considered this issue in CRP v Department of Family and Community Services [2017] NSWCATAD 164 and stated at paragraph 78 of his decision:

In my view the ‘exemption’ offered by FM is not available in the current matter because the information was held by the respondent in its information holdings or database, in a recordable form, and transmitted verbally by an officer to a third party.

In the present situation it is also clear that the University holds the email in a recordable form. The applicant provided additional information in his conversation with Mr Serov. In some circumstances, ‘personal information’ can include “oral and other forms of personal information” that are not recorded in material form: see the discussion in Vice-Chancellor, Macquarie University v FM (GD) [2003] NSWADTAP 43 at paragraph [71]. However, information acquired verbally, and used or disclosed verbally, without ever being recorded by an agency, will not meet the definition of being “held” by the agency: GR v Department of Housing (No. 2) (GD) [2006] NSWADT 34. Information that has been recorded in some fashion e.g. stored on paper, will become “held” by the agency. Any subsequent handling of that information, whether in a recorded form or not, will be subject to IPPs 5-12. This would be the case for example, if the applicant had explained the link between the list and his proposed complaint in an email to Mr Serov. In the present situation it appears that the contextual information remained in Mr Serov’s mind and was not recorded in any material form. There is evidence that Mr Serov was aware that Mr Mooney’s name was included on the list of names that he gave to Mr Mooney. However, there is no evidence to suggest that Mr Serov discussed that context with Mr Mooney. Mr Serov did not give evidence regarding the content of conversations that he had with Mr Mooney. Mr Mooney did not give evidence. In my view it is conceivable that some discussion might have taken place between Mr Serov and Mr Mooney in regard to the context in which the list had been created. However, I am unable to make any finding in that regard.

Is the information “about” the applicant?

The University has narrowly construed the information that is the subject of the applicant’s complaint. In his redetermination Mr Fitzgibbon stated:

In his application for internal review, the Applicant states that the University has misused his personal information by the unauthorised disclosure of sensitive information, being the disclosure of the names of 19 staff members he was intending to identify in an access application, which the Applicant states was for the purpose of filing a formal complaint. This information is not personal information of the applicant. It would be more accurate to state that the Applicant was concerned that it was revealed that he was the person who had submitted the list of 19 staff members and his name was revealed together with the list that he had submitted

I do not agree that this is an accurate statement of the personal information that is the subject of the complaint. In my view, the personal information in issue is not merely “the names of 19 staff members he was intending to identify in an access application”. The personal information extends to not only the list of 19 names related to a complaint that the applicant proposed to make, but also to the existence of the list and the fact that the applicant proposed to make a complaint because he considered that he had been treated unfairly. Meaning is gleaned from both the content and the context in which information or an opinion appears. In this matter, the relevant context is that the applicant had compiled a list that contained the names of 19 staff members. The additional context is that the applicant had compiled the list in circumstances where he considered that he had been unfairly treated. There can be no doubt that Mr Serov would have been or should have been aware of that context. The definition of “personal information” in the PPIP Act is not confined to information that concerns the ‘personal affairs’ of a person: WL v Randwick City Council [2007] at paragraph [20]. Further, information can be the personal information of more than one person. See for example the discussion in AJD v Royal Prince Alfred Hospital [2014] NSWCATAD 125 at paragraphs [73] – [77]. I accept that the list is information “about” those individuals whose names have been included in the list. However, in my view the list is also information “about” the applicant in that it is a list that the applicant had compiled. The applicant is the author of the list.

The relevant IPPs

I am in general agreement with the University in regard to IPP 3 (section 10), IPP 5 (section 12) and IPP 11 (section 18). IPP 3 (section 10) is concerned with the collection of information. The purpose of the requirement of notification under IPP 3 is to allow a person to give or refuse their informed consent to the collection of their personal information: KJ v Wentworth Area Health Service [2004] NSWADT 84 at paragraph [35]. IPP 3 does not apply to unsolicited information. Section 4(5) of the PPIP Act provides:

(5) For the purposes of this Act, personal information is not "collected" by a public sector agency if the receipt of the information by the agency is unsolicited.

In Vice-Chancellor, Macquarie University v FM (GD) the Appeal Panel stated at paragraph [86]:

As we conceive of the term ‘unsolicited’ it refers to information that an agency finds itself receiving (primary meaning, Macquarie Dictionary, ‘not asked for’). A public sector agency is not bound by the Collection principles in that situation as it had no opportunity to define or set the parameters under which it was received.

I am satisfied that the information in issue was unsolicited. As the University has argued, the applicant provided his personal information to Mr Serov on 15 January 2016. The fact that the applicant may have provided the information at the suggestion of an employee of the University does not alter this view. That being the case, University is not bound by this IPP. IPP 5 (section 12) relates to the retention and security of personal information. I note that the applicant has asserted that the University has not provided a rationale for disseminating the information. However, he has not asserted that the information was not appropriately secured. Nor has he raised issues regarding the retention of the information. In my view, IPP 5 has no role to play in this matter. IPP 11 (section 18) relates to the disclosure of personal information. It has been generally agreed in decisions that have dealt with the issue that there cannot be a disclosure within a public sector agency. An exception is the view that I expressed in KJ v Wentworth Area Health Service [2004] NSWADT 84 at paragraph [50]:

While generally speaking the expression "disclosure" refers to making personal information available to people outside an agency, in the case of large public sector agencies consisting of specialised units, the exchange of personal information between units may constitute disclosure.

In CTH v University of New South Wales Senior Member McAteer discussed a number of decisions that dealt with the question of whether there can be disclosure of personal information within an agency. At paragraphs [38] – [41] he stated:

38. In this regard the respondent relied upon a line of privacy cases in the Tribunal and the former Administrative Decisions Tribunal (ADT), starting with the appeal case of Director General Department of Education and Training v MT (GD) [2005] NSWADTAP 77 and continuing to CEU v University of Technology Sydney [2017] NSWCATAD 79. At paragraph [125] - [127] of CEU the following authority was relied upon by the respondent.

125. The University says that the provision of the letter was not a ‘disclosure’ by the agency in any event, because the information was provided by the agency to itself – that is, by one administrative unit of the agency to another.

126. The distinction between “disclosure” and “use”, as those terms are used in the Health Privacy Principles, was discussed by the Appeal Panel of the Administrative Decisions Tribunal in AF v Minister for Health [2012] NSWADTAP 61 [at 102]:

‘Use' and 'disclosure' have usually been presented as discrete concepts in data protection law, and that distinction is drawn in this law. 'Use' is generally seen as referring to the internal use made of personal information by the collecting agency, whereas 'disclosure' is used to describe the act of supplying the information to a third party external to the agency.

127. The reasoning in AF has been applied in this Tribunal: BVS v Sydney Local Health District [2015] NSW CATAD 171. By providing his letter to the Special Needs Service, Dr Cai was not providing it to a third party external to the university. For those reasons, the provision of the letter to the Special Needs Service was not a ‘disclosure’ within the meaning of Health Privacy Principle 11.

39 I observe that this is an often relied upon provision in that it is generally agreed on basic facts that there cannot be a disclosure within a public sector agency, and if such conduct was to offend the IPP’s then it would more likely offend the use provisions.

40 In AQK v Commissioner of Police NSW Police Force [2014] NSWCATAD 55 the Tribunal also observed that contentions of disclosure within an agency can be problematic. At paragraph [46] and [47] the following was observed.

Section 18 - Limits on disclosure of personal information

46. The Applicant alleged that there has been a contravention of s.18 of the PPIP Act, which imposes restrictions on an agency and its ability to disclose personal information to any other person or body. The Applicant contended that his personal information was disclosed, in contravention of s.18, through the publication of the Minutes. The Respondent, in its Internal Review, concluded that there had been a contravention of s.18 of the PPIP Act in the publication of the Minutes on the Intranet, but now resiles from that position.

47. Section 18 is concerned with an agency's disclosure of an individual's personal information to a person or body outside the agency. Internal disclosures are not generally unlawful, and do not constitute a contravention of s.18 of the PPIP Act: NZ v Department of Housing [2005] NSWADT 58 at [69]; Director General Department of Education and Training v MT (GD) [2005] NSWADTAP 77 at [39]; and AOB v Commissioner of Police [2013] NSWADT 138 at [18]. Mr Beatson's evidence was that the Minutes were published on the Intranet, which can only be accessed by employees of the NSW Police Force and requiring some dedication to the task of making that access. The Respondent has, essentially, only disclosed the information to itself.

41 The submission being that there cannot be disclosure within an agency and for that reasons the provision of the applicant's personal information to the supervisor (it was submitted) was not a breach of section 18 of the PPIP Act.

The circumstances of this matter are not in any way comparable to those that I considered in KJ v Wentworth Area Health Service [2004] NSWADT 84. The fact that Mr. Mooney holds dual roles within the University is not a basis for a finding that there was a disclosure of the applicant’s personal information within the University. The dissemination of the applicant's name and the list of 19 staff members did not amount to an unauthorised disclosure of his personal information by Mr Serov because he did not disseminate it outside and beyond the control of the University.

IPP 10 - Section 17 of the PPIP Act.

IPP 10 - Section 17 of the PPIP Act is concerned with the internal use made of personal information by an agency, rather than disclosure outside of the agency. In this regard the University relies on the decision in CTH v University of New South Wales. In BFP v NSW Ambulance Service [2015] NSWCATAD 39 Senior Member Isenberg found at paragraph [37]:

The information was "used" internally by Mr Burke, in emailing it up the chain of command and by Mr McKenna in forwarding it to the Injury Management Coordinator and the HR Manager.

Mere accessing or viewing information will not constitute a “use”, unless the information is also “employed” for some purpose. Section 17(b) of the PIPP Act provides that an agency must not use information for a purpose other than that for which it was collected unless, relevantly, the other purpose for which the information is used is directly related to the purpose for which the information was collected. In this context, "collected" means "obtained": MT v Department of Education and Training [2004] NSWADT 194 at paragraph [171]. Mr Serov did not give evidence regarding the content of conversations that he had with Mr Mooney. Mr Mooney did not give evidence. However, the emails that were sent between them are in evidence. It is clear that on 9 February 2016 Mr Mooney forward to Mr Serov a copy a request that he had received from the applicant for access to his Student File and asked to be able to speak with Mr Serov in regard to the request. It was in response to that request from Mr Mooney to Mr Serov that Mr Serov informed Mr Mooney about the 15 January 2016 email that he had received from the applicant and the existence of the list. I do not accept that on that occasion Mr Serov provided the information about the list to Mr Mooney so that Mr Mooney would be prepared to deal with a broad access application in anticipation that it would be lodged. On that occasion Mr Serov provided the information in the context of a request from Mr Mooney for a meeting to discuss the applicant’s request for access to his Student File. In those circumstances I do not accept that the information was used for a purpose related to the purpose for which the information was obtained. The email from Mr Serov was also copied to Professor Poole-Warren. There is no apparent reason why Professor Poole-Warren would have been given the information. I am not satisfied that it was for a purpose related to the purpose for which the information was obtained. In my view, the University has used the information regarding the existence of the list by sending it to Mr Mooney and Professor Poole-Warren. As noted above, section 17 of the PPIP Act provides that agency that holds personal information must not use the information for a purpose other than that for which it was collected unless one of three identified circumstances existed. In my view none of those exceptions apply in the circumstances of this matter. It follows, in my view, that the University has breached section 17 of the PPIP Act. On 12 February 2016 Mr Serov provided Mr Mooney with a copy of the email that he had received from the applicant on 15 January 2016 and this included the list. This correspondence was not copied to Professor Poole-Warren. It is reasonable to infer that some discussion took place between Mr Serov and Mr Mooney between the time when Mr Serov informed Mr Mooney of the existence of the list on 9 February 2016 and when he provided Mr Mooney with a copy of the list on 12 February 2016. I cannot make a finding in regard to the nature of the discussion however it is reasonable to infer that it included the content of the email that Mr Serov had received from the applicant on 15 January 2016. I am not satisfied that Mr Serov provided the list or the information about the list to Mr Mooney so that Mr Mooney would be prepared to deal with a broad access application in anticipation that it would be lodged. In my view, the University has used the information regarding the existence of the list and the content of the list by sending it to Mr Mooney on 12 February 2016. I do not accept that the information was used for a purpose related to the purpose for which the information was obtained or that any of the section 17 exceptions apply. It follows, in my view, that the University has breached section 17 of the PPIP Act. The matter should be relisted to set a timetable for determination of what action, if any, should be taken in relation to these breaches. With the exceptions of these two breaches, I affirmed the University’s decision that there was no breach of any Information Protection Principle set out in the Privacy and Personal Information Protection Act 1998.

Order

The University has breached section 17 of the Privacy and Personal Information Protection Act 1998. The University’s decision that there were no breach of any Information Protection Principle set out in the Privacy and Personal Information Protection Act 1998 is otherwise affirmed. The matter is listed for a further case conference on Tuesday, 6 March 2018 at 9.30 am.

I hereby certify that this is a true and accurate record of the reasons for decision of the New South Wales Civil and Administrative Tribunal.

Registrar

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.

Registrar

Amendments

05 February 2018 - Applicant's name amended, anonymisation removed.

DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.