Wednesday, October 18, 2006

NSW Court of Appeal finds government agency not liable for privacy breach by employee

The NSW Court of Appeal has found that an agency is not responsible or liable for breach of the use and disclosure principles in the Privacy and Personal Information Protection Act where an employee utilises information for unauthorised purposes not related to agency functions.

In Department of Education and Training v MT (2006) NSWCA 270, Chief Justice Spigelman said that the scheme of the Act did not suggest that Parliament intended to impose liability for use or disclosure except where an agency was acting for public purposes. “… It was not in my opinion Parliament’s intention to expose every … agency to a form of absolute liability for the unauthorised conduct of its employees or agents”.

Where such conduct occurred, the Act provided for criminal charges under Section 62.

The case involved a school teacher who, as coach of a local soccer team, accessed the school records of a member of the team, and subsequently used and disclosed this information in dealing with a complaint to the soccer club concerning discrimination.

The Court of Appeal overturned the decision of the Appeal Panel of the Administrative Decisions Tribunal that there had been a breach of use and disclosure principles. It did not disturb the finding that the Department had breached the Act in failing to protect information through reasonable security safeguards (Section 12(c)).

The decision reverses previous findings in this and other cases before the ADT, that an agency is liable for authorised or unauthorised actions by employees that result in contravention of the use and disclosure principles in the Act.

The decision leaves open the possibility that a person could seek and be awarded compensation where a breach of the security safeguards principle is proven and the person can show loss or damage as a result. However, no claim could be made against an agency for loss or damage resulting from use or disclosure by an employee for purposes that are not related to the employee's official functions. This means that the agency concerned is not subject to any sanction in these circumstances. The only potential penalty applies to the employee, who could be charged with a criminal offence for intentional misuse or disclosure of personal information under Section 62 of the Act.

There have been no indications that anyone has been charged under Section 62 since the Act commenced 6 years ago.

Another issue for the NSW Law Reform Commission in its current review of NSW privacy laws is whether the Court of Appeal decision amounts to good public policy.
