Have Eurobodalla Council failed in their duty of care to advise the public that their databases of ratepayer names, addresses and details have been misused by staff for their own personal use? Rather than pursue Freedom of Information requests, rather than take out a Code of Conduct complaint with the Office of Local Government, rather than complain to the Ombudsman or even attempt to make a formal complaint to the Privacy Commissioner this issue might best be delivered to Beagle readers to see if it passes the PUB TEST It all begins with a rental property, managed by a local real estate agent. For one reason or another the tenancy turns sour. Imagine now that the renter (let’s call him WhiteLeaper) works for Eurobodalla Council and accesses the address information of the owner from the Council data base. WhiteLeaper then contacts the owner directly, much to the owner’s surprise. The owner immediately suspects a breach of his privacy by the council worker, accessing his private home address and personal details. Let’s add that both WhiteLeaper and his partner both work at Eurobodalla Council and as such both have direct access to property information. Next we learn that WhiteLeaper is making direct contact demanding the owner to speak with him rather than to communicate via the property manager. The invasive calls continue through phone messages and documents sent to the owner’s private address despite constant clear instruction to desist. The owner feels threatened and intimidated knowing that he is exposed and that the WhiteLeaper knows where he lives. The owner advises his real estate agent of the contact by WhiteLeaper. He also formally advises Eurobodalla Council and is able to use, as evidence, an email sent by WhiteLeaper to the real estate agent confessing to the act of the privacy breach and apologising saying his actions were “unprofessional and inappropriate”. It turns out that not only are they “unprofessional and inappropriate” but they are illegal with a maximum penalty of 100 penalty units or imprisonment for 2 years, or both. The rental owner formally advises the Council of the breach, by email and also by a phone call. The latter phone call was patched through to the Human Resources section where the owner was told "that council takes such issues very seriously". When a senior Council manager was asked what the outcome was of the complaint and what sanctions were given for WhiteLeaper’s unlawful use of personal information it is understood by The Beagle that she replied “the outcome is private but we did take it seriously.” The owner then explained to the senior Council manager that it was “very serious what he (WhiteLeaper) has done, and the council did not have measures in place to protect personal details etc." The Council officer’s reply was “we are dealing with it” followed by the question “Why" questioning if the owner was “after vengeance”. The owner then replied "No, he has used my private information for personal reasons. The Council has a responsibility to protect my personal info, and in this case, have not, hence I would like to know what the outcomes are in response to my complaint.”
The owner then called Batemans Bay police where he was advised to send a record of the series of events, to add to the database and be logged with a reference number.
While the complaint had been made with a senior Council manager and should have immediately moved up the line to a Director by Council’s own Policy it should have also been immediately referred to the Privacy Contact Officer. The owner was not directed to the Privacy Contact Officer (under the Divisional Manager Governance and Information) to hear his complaint indicating that Council may not actually have an appointed Privacy Contact Officer. In stead the Human Resources section took the complaint rather than advising it was a matter, under policy, for the Council's appointed Privacy Contact Officer. Council is required to appoint a Privacy Contact Officer (PCO) who, according to the policy, acts as an internal privacy expert and deals with privacy-related enquiries, internal reviews and complaints. Why wasn't the owner directed to that Officer? We know that council's official records will show an incoming email advising the breach. No doubt this email was registered and given to the appropriate officer to follow up. We also know that a senior Eurobodalla Council manager was aware of the privacy breach and most likely it would have gone up the line to a Director and even up to the General Manager as protocols should ictate for such an urgent atter and such a serious breach. We also know that the Mayor had been verbally informed of the breach by a member of the public and, as such, would be duty bound to also advise the General Manager. So what happened to WhiteLeaper? What happened as a consequence of the formal complaint? Nothing. Council has not responded to the owner. WhiteLeaper still works at Council and still has access to the data. Needless to say WhiteLeaper no longer rents from the owner. The record of the breach and details of the communications remain on police records. And there is no doubt the entire matter would have been all handled internally, behind closed Council doors and there is no doubt that Council would have allowed the breach to reach the light of day, revealing to the community that they are incapable of ensuring security the personal details of their ratepayers. As it turns out that the consequences of a privacy breach such as the one at Eurobodalla Council by a council employee accessing ratepayer details are pretty soft. Privacy and Personal Information Protection Act 1998 No 133 53 Internal review by public sector agencies Following the completion of the review, the public sector agency whose conduct was the subject of the application may do any one or more of the following—
(a) take no further action on the matter,
(b) make a formal apology to the applicant,
(c) take such remedial action as it thinks appropriate (eg the payment of monetary compensation to the applicant),
(d) provide undertakings that the conduct will not occur again,
(e) implement administrative measures to ensure that the conduct will not occur again.
The privacy breach would have been recognised by Council as an "Operational Matter" and therefore deemed of no interest to Councillors; so we can assume they have not been informed, nor is there any reason the public need to know. As a councillor once said "You don't want to spook the herd". The only thing we, the public, can trust in is that Council has a policy that “ensures that council meets its obligations under legislation in an efficient and timely manner, and assures community confidence that any personal or health information collected and held by council is dealt with strictly in accordance to that legislation.”
Is there anything else that can be done? NO. Alas the breach happened in March 2019 and there in the small print you will find the following: A complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) from the time the complainant first became aware of the conduct or matter.
Further reading: Under the Council’s Privacy and Information Protection Policy it states that “Eurobodalla Shire Council respects the privacy of its residents and ratepayers, workers, and all that do business with council. Council is also committed to encouraging transparency and accountability in managing the information that it collects and holds. Council as a NSW public sector agency is bound by the Privacy Code of Practice for Local Government (2000), Privacy and Personal Information Protection Act 1998 (PPIP Act), and the Health Records and Information Privacy Act 2002 (HRIP Act). This policy ensures that council meets its obligations under legislation in an efficient and timely manner, and assures community confidence that any personal or health information collected and held by council is dealt with strictly in accordance to that legislation.”
In accordance with the PPIP Act, council must prepare and implement a privacy management plan based on the model provided by the NSW Privacy Commissioner that explains: · Council’s policies and practices for complying with the Privacy Code of Practice for Local Government (200), PPIP Act and the HRIP Act · how council will make its workers aware of these policies and practices · procedures for dealing with privacy internal reviews under Part 5 of the PPIP Act Council is required to appoint a Privacy Contact Officer (PCO) who, according to the policy, acts as an internal privacy expert, deals with privacy-related enquiries, internal reviews and complaints. To anyone reading the above they might feel secure that Eurobodalla promotes an integrated framework for dealing with privacy and information protection to ensure that council meets its obligations under legislation in an efficient and timely manner, assuring community confidence that any personal or health information collected and held by council is dealt with strictly in accordance to that legislation. Councils policy states “Concerns received regarding privacy and information protection will be recorded on Council’s records system and handled in accordance with council’s Privacy Management Plan. They will be used to analyse the history of concerns and to help determine follow up actions The legislation and Codes of Practice are clear: Privacy and Personal Information Protection Act 1998 No 133
17 Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless—
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person. Part 8 Section 62
62 Corrupt disclosure and use of personal information by public sector officials
(1) A public sector official must not, otherwise than in connection with the lawful exercise of his or her official functions, intentionally disclose or use any personal information about another person to which the official has or had access in the exercise of his or her official functions.
Maximum penalty—100 penalty units or imprisonment for 2 years, or both.
(2) A person must not induce or attempt to induce a public sector official (by way of a bribe or other similar corrupt conduct) to disclose any personal information about another person to which the official has or had access in the exercise of his or her official functions.
Maximum penalty—100 penalty units or imprisonment for 2 years, or both.
(3) Subsection (1) does not prohibit a public sector official from disclosing any personal information about another person if the disclosure is made in accordance with the Public Interest Disclosures Act 1994.
(4) In this section, a reference to a public sector official includes a reference to a person who was formerly a public sector official.
PRIVACY CODE OF PRACTICE FOR LOCAL GOVERNMENT
(IPP 10) Section 17: Limits on use of personal information
4.11 Council may use personal information for a purpose other than the purpose for which it was collected in the following circumstances:
(1) where the use is for the purpose of undertaking Council’s lawful and proper function/s and Council is satisfied that the personal information is reasonably necessary for the exercise of such function/s, or
(2) where personal information is to be used for the purpose of conferring upon a particular person, an award, prize, benefit or similar form of personal recognition.
For instances when personal information is breached, requirements under the Privacy and Personal Information Protection Act 1998 include conducting a privacy internal review if a request is received from an individual, as well as co-operating with any enquiries by the Privacy Commissioner.