Kudleck v Victoria University [2013] VCAT 1971

Commentary

  • This decision was based on the Information Privacy Act 2000 (Vic.) (IP Act), the legislation that preceded the Privacy and Data Protection Act 2014 (Vic) (PDP Act).

IPP 2.1(e) – Use or disclosure is necessary to investigate or report unlawful activity

  • In this case, VCAT interpreted the term ‘unlawful activity’ as encompassing acts that breach the statutory laws of Victoria or Australia. It therefore did not extend to a potential breach of Victoria University’s internal policies, which were neither statutory legislation nor subordinate rules or instruments.
  • This can be compared to McLean v Racing Victoria [2020] VSCA 234 (see case note), where the Victorian Supreme Court of Appeal (VSCA) held that the term ‘unlawful activity’ under the PDP Act extended to contravention of the Rules of Racing because: (i) the control of racing was necessary to maintain the health and wellbeing of horses and jockeys; (ii) they prescribed various obligations on trainers and sanctions for contravention; and (iii) they included possible sanctions, including fines.
  • Both instances were of a similar nature in fact, involving a breach of rules that are neither statutory legislation nor subordinate rules or instruments. We believe that the approach adopted by the VSCA should be followed for three reasons:
    • the VSCA was interpreting a section of the PDP Act, whilst VCAT was considering a section of the IP Act (now repealed);
    • the VSCA is a superior court which sets precedent that binds lower courts and tribunals, such as VCAT; and
    • such an interpretation would be consistent with the approach at the federal level. Under section 16 of the Privacy Act 1988 (Cth.) (Privacy Act), an exception exists where ‘serious misconduct’ is being engaged in, with ‘misconduct’ defined in section 6(1) of the Privacy Act as: “fraud, negligence, default, breach of trust, breach of discipline or any other misconduct in the course of duty.”

s 118 – Employees and agents

  • This is one of the decisions in which VCAT has held that an employee’s actions (that would otherwise have amounted to an interference with privacy) were not attributable to a respondent because the respondent had taken reasonable precautions and exercised due diligence to avoid the act. The other decision we are aware of is TSJ v Department of Health and Human Services [2016] VCAT 687 (see case note).
  • Factors that VCAT identified as relevant to its decision are:
    • Victoria University had a Privacy Policy in place and required employees to comply with their obligations under the IP Act;
    • Victoria University had an email policy which addressed the handling of personal information through email; and
    • Victoria University provided training to its employees on their Privacy Policy, privacy obligations, and email policy.
  • However, this approach appears to be inconsistent with the Office of the Victorian Information Commissioner’s (OVIC) position in its IPP Guidelines. Note that this decision predates the commentary found within the IPP Guidelines, so it appears that OVIC updated its IPP Guidelines following this decision to condone such an approach.
    • At 1.32, OVIC states that the “mere fact that an organisation requires its staff to complete privacy awareness training… [or] has policies or procedures about the handling of personal information which specifically deal with… the use of email… will not automatically be sufficient to demonstrate that an organisation has taken reasonable precautions and exercised due diligence.”
    • OVIC goes on to explain at 1.33 that a better approach is to identify whether and what sorts of privacy risks are presented by employees’ or agents’ acts (or potential acts), then to determine whether steps to address those risks are required, and to take them.
    • By way of illustration, applying such an approach to the facts of this case: the risk presented by employees, such as the Course Coordinator, was inadvertently disclosing personal information via email to unintended recipients by including them as recipients to an email chain. The reasonable precautions and due diligence that Victoria University could have exercised (but didn’t) included things like (examples only):
      • including a section in their email policy instructing employees not to share class lists through email, but through some other secure channel; or
      • introducing a technical solution, such as MailTips, to warn users when sending an email to a large group of recipients.

Facts and decision

  • The Complainant was studying a Graduate Diploma in Primary Teaching offered by Victoria University.
  • The Complainant’s Course Coordinator suspected her of plagiarism and sent an email to the acting heads of school raising his concerns about the Complainant and asking them how best to proceed (initial email).
  • After some further correspondence on the issue, it was decided that the Course Coordinator would organise a meeting to discuss failing and excluding the Complainant.
  • Within this email chain, one of the heads of school asked the Course Coordinator to send her a list of the students she would be teaching next semester.
  • The Course Coordinator replied to the email chain by inserting into the blind carbon copy field the email addresses of all Graduate Diploma students (secondary email). This resulted in all Graduate Diploma students being able to see the correspondence within the email chain, including the discussions about failing and excluding the Complainant.

Allegation 1 – Disclosure to the acting heads of school

IPP 2.1 – Use and disclosure for primary purpose

Submissions
  • The Complainant alleged that Victoria University interfered with IPP 2.1 when the Course Coordinator sent the initial email to the acting heads of school raising concerns about the Complainant. This was because the Respondent’s Privacy Policy set out the primary purpose of collection as being to enrol students and deliver their course, and the Course Coordinator’s sharing of her personal information with other staff members was not for that purpose.
  • Victoria University alleged that it had not interfered with IPP 2.1 because the use was within the primary purpose of collection: the reference to the delivery of the course and related services included the marking and assessing of a student’s work and ensuring that a student submitted their own work.
Decision
  • VCAT held that sharing the Complainant’s personal information through the initial email was for the primary purpose of collection and authorised under IPP 2.1.
  • VCAT agreed with Victoria University that the primary purpose of collection was to deliver the Graduate Diploma course and related services and that this included academic integrity.
  • VCAT then looked at testimony provided by the Course Coordinator and determined that having been made aware of a number of academic integrity issues with the Complainant’s work through a number of sources, raising those concerns with the heads of school who had responsibility for the Complainant’s academic progress was within this primary purpose.

IPP 2.1(a) – Use and disclosure for secondary, related and reasonably expected purpose

Decision
  • In addition to IPP 2.1, VCAT held that the use would also have been authorised under IPP 2.1(a):
    • Related to the primary purpose of collection – VCAT held that the management of a student’s progress and consideration of academic integrity issues was related to the delivery of the course and this was undisputed by the Complainant.
    • Reasonably expected – VCAT held that a student would reasonably expect their Course Coordinator to disclose any issues with their academic integrity to the heads of school because the Course Coordinator was required to do this in accordance with Victoria University’s Academic Honesty and Preventing Plagiarism Policy.

IPP 2.1(e) – Use and disclosure where organisation has reason to suspect unlawful activity and is reporting or investigating

Submissions
  • Victoria University also alleged that the sharing of personal information through the initial emails would have been authorised under IPP 2.1(e) because the Course Coordinator suspected that the Complainant may have been engaged in academic misconduct, which was a disciplinary offence under Regulation 2.7 made by the Respondent under the Victoria University Act 2010 (Vic).
Decision
  • VCAT held that the use would not have been authorised by IPP 2.1(e) because academic misconduct was not an unlawful activity.
  • VCAT held that the term ‘unlawful activity’ should be interpreted to encompass acts that breach the statutory laws of Victoria or Australia. In this case, academic misconduct was created by Regulation 2.7, which was neither a statutory rule (as defined by the Subordinate Legislation Act 1994 (Vic.)) nor a subordinate instrument (as defined by the Interpretation of Legislation Act 1984 (Vic.)).

IPP 4.1 – Data security

Decision
  • VCAT held that there had been no interference with IPP 4.1 when the Course Coordinator sent the initial email because it did not amount to a misuse, loss, or unauthorised access, modification or disclosure of the Complainant’s personal information.

Allegation 2 – Disclosure to the Graduate Diploma students

s 118 – Employees and agents

Submissions
  • Victoria University acknowledged that the accidental disclosure of the Complainant’s personal information through the secondary email was capable of constituting a breach of IPP 2.1 and 4.1. However, it alleged that it took reasonable precautions and exercised due diligence to avoid the act being done by the Course Coordinator, and so the actions of the Course Coordinator should not be attributable to it under s 68 of the IP Act (substantially similar to s 118 of the PDP Act, with only minor intra-instrument reference changes).
  • Victoria University contended that it had taken such reasonable precautions and exercised due diligence because:
    • It required employees to insert email disclaimers in their emails that stated that the email was intended solely for the intended recipient and that storage of emails received by unintended recipients was unauthorised.
    • It required employees to read and acknowledge their obligations to comply with its Privacy Policy and the IP Act.
    • When the Course Coordinator identified the error, he immediately attempted to recall the email and then sent another email to all recipients asking them to ignore and delete the secondary email because they were not the intended recipients.
  • The Complainant alleged that Victoria University had not taken reasonable precautions and exercised due diligence because it did not have a robust email policy that specifically addressed employees using student email lists.
Decision
  • VCAT held that Victoria University had taken reasonable precautions and exercised due diligence by doing the following (and therefore there was no interference with IPP 2.1 or 4.1 when the Course Coordinator sent the secondary email):
    • implementing a Privacy Policy that also set out employee obligations under the IP Act;
    • implementing an email policy that set out the risks associated with unlawful forwarding;
    • providing training to employees on their obligations under the Privacy Policy and IP Act, the email policy, and how to use functions such as the BCC field of an email.
  • VCAT disagreed with the Complainant’s position that Victoria University needed a more robust email policy, because the disclosure was not a result of the Course Coordinator being unaware of his privacy obligations or misunderstanding how to send information via email; rather, it was accidental.

About this decision

Venue: VCAT
Date of decision: 07/11/2013