A recent decision of the Appeals Panel of the NSW Civil & Administrative Tribunal has confirmed the broad reach of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act), and the nature of personal information which it protects.1

Introduction

Gilbert + Tobin represented two individuals in their claim that the Department (now Office) of Finance and Services had used and disclosed their personal information in breach of the PPIP Act. Although the information used and disclosed did not contain the individuals’ names, it did contain their address and other information about them and their property.  A simple internet search of that address readily led to a website run by the Department, from which their names could be ascertained.

The decision

The NCAT found in favour of our clients at first instance, adopting a definition of “personal information” extending to cases where an individual’s identity is not expressly mentioned, but can be “reasonably ascertained” from the relevant information by reference to extrinsic materials, including the internet.

The Appeal Panel in its recent decision dismissed the Department’s appeal in relation to this issue, upholding the decision that in this context, other documents could be consulted in determining whether the individuals’ identities could be “reasonably ascertained” from the information. 

The Appeals Panel also noted the beneficial purpose of the PPIP Act, and that it should be interpreted liberally to achieve its beneficial purpose.

Implications

While the primary focus of the PPIP Act is to protect the privacy interests of persons about whom public sector agencies collect information, this decision highlights the potentially broad scope of information covered by privacy laws, including the federal Privacy Act 1988 (Cth).

As a result, agencies and organisations will need to take care to ensure that when they disclose personal information about individuals, they consider whether there is other publicly available information, including on the internet, from which that person’s identity can reasonably be ascertained. The exclusion of an individual’s name alone may not itself be sufficient.