We are one week away from our NSW Government Lawyers CLE day. Taking place in our Sydney office on Thursday 22 February, the all-day intensive centres on the theme of 'the more things change'. Our legal panel will be sharing tips and traps of transacting with option deeds, reasonable steps for managing privacy risk, how to prevent workplace harassment and discrimination, the planning system's role in addressing Australia's housing crisis, and a model litigant refresher. Click here to register your spot.

We dive into one of our presentation topics below.

Taking reasonable steps to protect privacy

While agencies are only required to adopt 'reasonable' safeguards to protect against unauthorised access, use and disclosure of personal and health information, determining what is reasonable can be a complicated minefield to navigate. In a rapidly evolving area, what was 'reasonable' a few years ago may no longer meet the test.

In 2006, the NSW Court of Appeal in Director General, Department of Education and Training v MT [2006] 67 NSWLR 237; [2006] NSWCA 270 held that common law rules of attribution, such as the principles of vicarious liability, are not applicable when considering an agency's liability for an employee's conduct under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) or the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).

The Court held that the scheme of the PPIP Act and the HRIP Act told against there being absolute liability for privacy breaches, and also held that the principles of vicarious liability did not apply. However, there remains a potential area of liability: whether the agency has taken reasonable steps to ensure that the information is protected against unauthorised access, use or disclosure (PPIP Act, section 12(c); HRIP Act, HPP 5). A similar obligation also exists under the Privacy Act 1988 (Cth) under APP 11 and under other state and territory privacy regimes.

Both the PPIP Act and the HRIP Act require agencies to adopt "safeguards as are reasonable in the circumstances" to prevent unauthorised access, use or disclosure of personal information. The requirement to take reasonable steps supports a risk-based approach to the security of personal information. What this means in practice is not settled; however, it calls for a complex and multifactorial assessment of matters including:

  • the size of the agency and its resources
  • the nature of personal information it collects and holds
  • the harm that might occur if the information was improperly accessed, used or disclosed
  • the nature of the agency's functions and the requirements of employees to access, use and disclose personal information
  • the agency's existing privacy and information security systems, policies and procedures (most importantly, its Privacy Management Plan)
  • regular review of privacy and information security risks and measures adopted to mitigate such risks, including regular audits
  • training and educating agency staff, particularly those who have access to personal information as part of their official functions.

If an agency is accused of breaching its obligation to adopt reasonable safeguards to protect personal information, it may seek to defend itself by providing detailed evidence of the above factors. In practice, this places a heavy onus on agencies to prepare a large amount of evidence setting out the full range of protections in place, as well as how any breaches have been investigated and managed by the agency. Both the NSW Civil and Administrative Tribunal and the various Commonwealth and State Privacy Commissioners have commented that a proportional approach should be taken, based on the degree of harm that may result if the information is improperly accessed, used or disclosed and the likelihood of that harm occurring. In essence, the more sensitive the information, the greater the need to implement robust safeguards for those safeguards to be reasonable in the circumstances.

In the past, accusations of failing to have reasonable safeguards tended to arise in the context of a 'rogue employee' situation, in which an agency employee acted outside the scope of their employment (see for example BZX, BZY and BZZ v Western Sydney Local Health District [2015] NSWCATAD 210 and EQH v Health Administration Corporation (No. 2) [2022] NSWCATAD 45). Those cases focus on the adequacy of internal policies and procedures, in particular privacy training, and measures taken to ensure access to personal information by the employee was limited to the extent reasonably necessary. Other aspects include protective mechanisms such as unique log-ins and audit capabilities and supervision of employees' access to personal information.

However, an accusation that an agency lacks reasonable safeguards could also arise in the situation of unauthorised access by a third party, such as a hacker. In this context, the focus shifts to the agency's information security systems. Given the recent high-profile data breaches, the escalation in attacks on agency information and the development of information security technology, what is "reasonable in the circumstances" could change rapidly. As the risk of an attack is reasonably foreseeable and clear, an agency could be found to lack reasonable safeguards if it has not kept its information security and privacy management plans up to date.

In our upcoming NSW Government annual CLE intensive, we will present a session delving into reasonable privacy and data safeguards based on recent matters involving NSW government agencies and potential reforms in this space. The session will take place on 22 February 2024 in Sydney. Register here.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.