A recent decision in the NSW Civil and Administrative Tribunal highlights the importance of thinking carefully about whether information constitutes personal information that may be protected by the Privacy and Personal Information Protection Act 1998 (NSW).
In CRP v Department of Family and Community Services it was found that, in the particular circumstances of the application before the Tribunal, an individual’s work address was personal information that was protected by the Act.
Following an incident in which a Departmental employee released the applicant’s work address to an estranged family member, the Tribunal has definitively stated that, in these circumstances at least, doing so amounted to a breach of privacy.
Given how easy it can be to reveal seemingly harmless information, this case demonstrates how important it is to be careful with any information that might be considered to be personal information.
The applicant was employed with the Department of Family and Community Services. He was estranged from his father, with whom he had a long-running personal dispute. The applicant’s father phoned the office without identifying himself. He requested, and received, the address of the applicant’s workplace: previously, he had only known the name of the organisation for which his son worked.
Following this, the applicant’s father went to the son’s place of work, where he confronted him and handed him some documents.
The son – the applicant in the proceedings, argued that through the Department’s actions, his personal information had been shared in breach of the Act.
The Tribunal considered whether the applicant’s work address was information ‘about an individual’ for the purposes of s4 of the Act. If so, by providing the information, the employee had breached ss 17 and 18 of the Act. The respondent argued that it was not, as this was information that had been shared within the normal course of business, as part of the applicant’s work. The Tribunal, however, found that this was not the case.
In coming to its decision, the Tribunal considered the findings of several previous Tribunal decisions saying that the definition of ‘personal information’ was to be interpreted broadly and that the Tribunal should not adopt an overly technical approach. Instead, the Tribunal said that it was important to consider the information that was provided in context.
Ultimately the Tribunal decided that the information had been provided in a context that solely related to the applicant. At the time, there had been no indication that the phone call was made in connection with the applicant’s work, or as part of his role as a caseworker. No other information was requested. By giving out the applicant’s work address, the Department’s employee provided personal information about him, and as a result breached his privacy.
As a result of this breach, the Department was ordered both to apologise to the applicant, and to review its current Privacy Management Plan. However, this case could evidently have significant general consequences. While providing a work address for a co-worker may seem harmless, as we have seen here, the results can be serious.