- In the first COVID-related privacy case in NSW, a sensible result should not be misunderstood: privacy protections still apply.
- Personal information may be used or disclosed if necessary to prevent or lessen a serious and imminent threat.
Else v Service NSW  NSWCATAD 172 (‘Else’) is the first judgment to consider the impact of the pandemic under NSW privacy laws.
In April 2020, Service NSW, on behalf of the NSW government, sent an email to approximately 4.6 million members of the public for whom it held email addresses linked to Service NSW online accounts. The purpose of the email was to urge members of the public to take steps ‘to slow the spread of COVID-19 and save lives’. The email outlined steps required by public health orders such as not visiting family and friends, and good practices such as maintaining social distance, hand-washing and so on.
The complainant, Else, was an account holder, but had not opted in to receive email newsletters from Service NSW. She complained that the use of her email address to send the email was a breach of Information Protection Principle (‘IPP’) 10, the Use principle, under s 17 of the Privacy and Personal Information Protection Act 1998 (NSW) (‘PPIP Act’).
The privacy law about using personal information
Section 17 provides:
‘A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless –
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.’
The complainant’s name and email address were ‘personal information’ as protected by the PPIP Act.
The issues in dispute
The case was brought in the NSW Civil and Administrative Tribunal (‘the Tribunal’).
The respondent argued that the use of the personal information to send the email was allowed because: the message was for the purpose for which the personal information was collected (i.e. the ‘primary purpose’); or it had the implied consent of the individual as per s 17(a); or the use was allowed under the ‘serious and imminent threat’ test at s 17(c). The public health orders in relation to the pandemic, made under the Public Health Act 2010 (NSW), were seen as relevant to give context to the ‘serious and imminent’ nature of the threat.
(Surprisingly, the respondent did not seek to argue the exemption under section 25 of the PPIP Act, which allows reference to any other law which authorises, requires, necessarily implies or contemplates a use or disclosure. The public health orders could have been considered in that context, although admittedly they are better suited to arguments about data-sharing for contact tracing purposes.)
The complainant argued that COVID-19 was not a ‘serious and imminent threat’ such as to justify sending the email, because there was a very small risk posed to any given individual. She argued that the respondent did not know about her situation such as to determine whether or not the message was ‘necessary to prevent or lessen’ the risk to her.
What is ‘necessary’?
The respondent argued that the message was necessary to prevent or lessen a serious and imminent threat. They argued that the word ‘necessary’ in this context meant not ‘essential or indispensable’, but rather ‘reasonably appropriate and adapted’, quoting Gleeson CJ in Mulholland v Australian Electoral Commission (2004) 220 CLR 181 (at ). The Tribunal agreed with this reasoning, and with this interpretation of the word ‘necessary’. The Tribunal accepted that ‘it was critical that people understood what they needed to do in order to help bring community transmission of the virus under control’ (at ).
The Tribunal also accepted that sending an email to 4.6 million people was ‘the most efficient and effective method for disseminating the public health information in the circumstances’ (at ), which made it ‘“necessary” (in the sense of it being reasonably appropriate and adapted)’ (at ).
Risk to whom?
In response to the complainant’s argument that there was no serious and imminent threat to her in particular, the Tribunal rejected her formulation of the test and stated:
‘The applicant’s submissions that there was no serious and imminent threat, on the basis that for something to be a threat there must be more than a minimal likelihood of it being realised and that the harm arising from the threat (if realised) has to be significant, fails to be persuasive in the circumstance as presented by the COVID-19 pandemic’ (at ).
The Tribunal also found that the meaning of the word ‘individual’ in s 17(c) should be read as relating to not only the individual who is the subject of the information, but also other persons:
‘The argument that, for s 17(c) to be applicable, it has to apply specifically to the applicant, with knowledge of her risk profile with respect to COVID-19, is not correct … it was also not necessary for SNSW to know anything about the personal characteristics of the applicant and her risk profile with regard to contracting the virus, before sending the Email’ (at , ).
The Tribunal therefore found IPP 10 had been met, because of the ‘serious and imminent threat’ test, and thus there had been no breach of the privacy law.
Previous cases applying the threat test
Like other privacy laws regulating companies and public sector agencies, the NSW privacy legislation anticipates that some emergency-type scenarios can be used to justify conduct which would otherwise be prohibited, in terms of the use or disclosure of personal information for purposes unrelated to the reason the information was first collected.
Until now, the cases interpreting the ‘serious and imminent threat’ test have involved scenarios in which only one person’s personal information was used or disclosed, typically to prevent harm to known individuals such as family members, or smaller cohorts such as patients of medical facilities. Cases which have turned on this test have included a psychiatrist disclosing a credible threat of serious domestic violence (BVS v Sydney Local Health District  NSWCATAD 171); and sharing information to prevent the re-employment of a health service provider who had been terminated for misconduct which involved putting patient safety at risk (DVH v South Eastern Sydney Local Health District  NSWCATAD 212).
While the Tribunal in Else accepted the government’s formulation of COVID-19 as posing a ‘serious and imminent threat’ to the health of an unknown proportion of the public at large, the pandemic should not be misunderstood as a justification for widespread use or sharing of personal information.
The legislative test still requires the ‘necessity’ threshold to be met. As formulated via the High Court phrase ‘reasonably appropriate and adapted’, the necessity threshold imports a requirement that the conduct being considered – i.e. the action of using or disclosing personal information for a purpose not previously planned or consented to – must be both useful in terms of addressing the threat, and a proportionate response to the nature of the threat. This will involve different considerations in every case.
In Else, there was no disclosure of anyone’s personal information to any third parties. Contact details were used for a new purpose, but in a way which could not conceivably cause harm to any individual beyond a degree of annoyance.
Privacy in a pandemic
The facts in Else should be distinguished from other privacy challenges arising in the context of COVID-19, such as contact tracing, employment-related vaccination requirements (which raise bodily privacy as well as informational privacy concerns), and the procedures and technologies for demonstrating evidence of vaccination status.
While it may be tempting to believe that management of a pandemic overrides all other concerns, organisations should continue to tread cautiously when considering their COVID safety plans. Organisations regulated by the federal Privacy Act 1988 (Cth), including many private sector organisations, can typically only collect health information with an individual’s consent, unless another law authorises or requires otherwise.
Health screening information, such as about an employee, customer or visitor’s vaccination status or COVID-like symptoms, may seem like fairly benign information compared with other forms of health information. However, for now at least, information about vaccination status – or even just an admission to having the sniffles – can directly impact on an individual’s freedom of movement and freedom of association, as well as their access to employment, education and essential services.
In all cases, being able to demonstrate that your policy and your actions are necessary and proportionate to the risk, and that you have included controls to protect data security and to minimise the likelihood of causing any unnecessary privacy harm, will be critical to compliance with privacy laws.