Exit Distraction Free Reading Mode
- Unreported Judgment
ZIL v Queensland Police Service QCAT 79
QUEENSLAND CIVIL AND ADMINISTRATIVE TRIBUNAL
ZIL v Queensland Police Service  QCAT 79
QUEENSLAND POLICE SERVICE
Other civil dispute matters
27 March 2019
9 November 2018
HUMAN RIGHTS – PRIVACY LEGISLATION – Information Privacy – where domestic violence orders in place – where information released was personal information – where information released was unauthorised and released by a serving police officer for purposes not relating to his duties as police officer – where release of information was to a childhood friend of the respondent under a domestic violence order – whether QPS took all reasonable steps to prevent unauthorised use or disclosure
Acts Interpretations Act 1954 (Qld), Schedule 1
Information Privacy Act 2009 (Qld), s 164, s 176, s 178, Schedule 3
Queensland Civil and Administrative Act 2009 (Qld)
AXP v Queensland Police Service  QCAT 680
Director General, Department of Education and Training v MT (2006) 67 NSWLR 237
JL v Queensland Police Service  QCAT 623
New South Wales v Lepore (2003) 213 CLR 511
OD v Department of Education and Training  NSWADT 312
APPEARANCES & REPRESENTATION:
S A McLeod QC, instructed by Qld Police Service Legal Unit
REASONS FOR DECISION
- It is not contested that in February 2014 Senior Constable Neil Punchard accessed the QPrime records of the Queensland Police Service (‘QPS’) without lawful authority. Senior Constable Punchard is attached to Road Policing Command where he performs traffic duties.
- Senior Constable Punchard did so at the request of a childhood friend – the then separated husband of ZIL. There were domestic violence orders in place to protect ZIL and her children from this marriage from ZIL’s estranged husband and ZIL was in fear of his actions if he became aware of her residential address.
- Despite these orders and without authority, Senior Constable Punchard nevertheless searched the police records to ascertain ZIL’s then residential address and provided it to his childhood friend.
- His actions and the inflammatory comments Senior Constable Punchard made to his childhood friend about the effect this knowledge would have on ZIL, were only discovered when ZIL’s mobile phone was discovered by her young son while visiting at the home of her estranged Husband and returned to ZIL by her son in May 2016.
- The QPS was unaware of this unauthorised access at any time prior to the discovery of the texts on the phone.
- During the 2 year period between February 2014 and May 2016, ZIL alleges her ex-husband used this information to further breach the domestic violence orders.
- ZIL now brings an application seeking compensation for what she says are breaches of the QPS’ obligations under the Information Privacy Act 2009 (Qld) (the ‘IP Act’) saying that the conduct of Senior Constable Punchard for breaches of the Information Privacy Principles (IPPs) is attributable to the QPS directly or relying on the Service being vicariously liable for Senior Constable Punchard’s unauthorised access of the QPrime records.
- ZIL’s application has two distinct parts. The first is the liability of the QPS under the Information Privacy Act for the breach of IPPs, either directly or vicariously. The second is any compensation that flows if a breach is found.
- At the hearing of this application on 9 November 2018 it was agreed with the parties that the first part of these two would be dealt with that day. If liability is found, compensation, if any, will be considered at a later date.
- The IP Act is an enabling Act under the Queensland Civil and Administrative Act 2009 (Qld) (the ‘QCAT Act’) in the Tribunal’s original jurisdiction referred to it by the Information Commissioner. A ‘privacy complaint’ is an act or practice of a relevant entity which is alleged (in relation to the individual’s personal information) to be a breach of the relevant entity’s obligation under the IP Act to comply with the privacy principles.
- The meaning of ‘entity’ is not defined under the IP Act, but in Schedule 1 of the Acts Interpretation Act 1954 (Qld) it includes a person or incorporated association. The IP Act does define a ‘relevant entity’ for the purposes of that Act.
- The QPS draws a distinction by which it says goes to its liability in this matter – both directly and vicariously. The QPS submits there is a distinction under the IP Act between ‘entity’ and ‘agency’ for the purpose of assigning responsibility. The QPS accepts that, as an agency, it is an entity for the purpose of the IP Act but says not all entities are agencies. The service submits that this affects whether it has responsibly under various IPPs.
- The QPS submits an entity (which includes a person), can ‘use’ information by, for example, accessing a computer system – as Senior Constable Punchard did in this case. But the responsibility for complying with some IPPs is the responsibility of the agency, not the person.
- In short, the QPS says Senior Constable Punchard’s conduct was so outside his policing responsibilities and so unauthorised that it was not directly the responsibility of the QPS as an agency.
- The QPS arrives at this position because:
- (a)A privacy complaint may only be made in relation to the misuse of information by ‘relevant entities.’ A ‘relevant entity’ (in relation to documents held by the agency) is defined to mean an agency or contracted service provider – not a person.
- (b)The effect of this is that whilst a person (as an entity) may misuse information, a breach of some IPPs (in particular IPPs 9, 10 and 11) will only directly arise where the conduct of the person and the agency ‘coalesce’ so that the conduct of the person is the conduct of the agency.
- (c)If Parliament had intended that IPPs 9 and 10 should apply to the conduct of all entities (including persons), then the IPPs would be expressly cast as such, namely, the privacy obligations on entities, rather than merely agencies.
- The QPS says that the actions of Senior Constable Punchard were unauthorised and not used for the purposes of the QPS. As such, the conduct of the person and the agency did not “coalesce” and the Service is not directly responsible for the actions of Senior Constable Punchard as his use of the information is not a breach of this Act because it does not apply to him as a person.
- Because this Tribunal does not have jurisdiction to hold Senior Constable Punchard primarily liable for his conduct under the IP Act, the QPS further submits it cannot be held vicariously liable for his conduct.
- The general principles of vicarious liability are that first the employee must be primarily liable and second, an employer will then be liable for the conduct of an employee undertaken in the course of their employment or in the ostensible pursuit of the employer’s business.
- As I have found above, Senior Constable Punchard is not primarily and personally liable – he is not a relevant entity. I must accept therefore that the QPS cannot be held vicariously liable for this breach under this legislation.
- ZIL accuses the QPS of breaching IPPs 4, 9, 10 and 11. As the applicant, ZIL has the responsibility of proving on the balance of probabilities, that the QPS has, as an agency, directly breached the IPPs by the actions of Senior Constable Punchard.
- The question that remains is although the conduct was not authorised, did the QPS acquiesce through either action or inaction sufficient to make the QPS directly liable for the misuse of the information by one of its officers.
IPPs 9, 10 and 11
- IPP 4 provides:
- (1)An agency having control of a document containing personal information must ensure that—
- (a)the document is protected against—
- (i)loss; and
- (ii)unauthorised access, use, modification or disclosure; and
- (iii)any other misuse; and
- (b)if it is necessary for the document to be given to a person in connection with the provision of a service to the agency, the agency takes all reasonable steps to prevent unauthorised use or disclosure of the personal information by the person.
- (2)Protection under subsection (1) must include the security safeguards adequate to provide the level of protection that can reasonably be expected to be provided.
- IPP4 requires an agency to protect personal information in documents from unauthorised access, use, or disclosure and if it is necessary for the document to be given to a person in connection with the provision of a service to the agency, the agency takes all reasonable steps to prevent unauthorised use or disclosure of the personal information by the person. (emphasis added)
- The QPs accepts it is an agency. On a plain reading of this section, the QPS must protect ZIL’s personal information in documents such as the domestic violence documents from unauthorised access, use, or disclosure by Senior Constable Punchard as a serving police officer, and take all reasonable steps to prevent the unauthorised use or disclosure of the personal information.
- It seems to me that the later IPPs are all based on, and flow from, this first principle. It would certainly be in line with community expectations of its law enforcement agency when dealing with citizens’ protection and privacy. The QPS is in a privileged position to demand, receive and hold personal information of ordinary citizens. But with that privilege comes responsibilities – as set out in the IPP Act.
- Information Privacy Principle 9 states:
- (1)This section applies if an agency having control of a document containing personal information proposes to use the information for a particular purpose.
- (2)The agency must use only the parts of the personal information that are directly relevant to fulfilling the particular purpose
- Information Privacy Principle 10 provides that subject to limited exceptions in paragraphs (a) – (f), an agency must not use information for a purpose other than the purpose for which it was obtained.
- Information Privacy Principle 11 provides that, subject to limited exceptions in paragraphs (a)- (e), an agency having control of a document containing an individual’s personal information must not disclose the personal information to an entity (the relevant entity), other than the individual the subject of the personal information.
- For the reasons set out above, the QPS is not vicariously liable for the misuse of the information under the IP Act by Senior Constable Punchard.
- But the question remains, is the QPS itself directly liable for the release of this information to an unauthorised person? Did the agency take all reasonable steps to prevent Senior Constable Punchard’s unauthorised use or disclosure of ZIL’s personal information to his childhood friend?
- The QPS as model litigant, provided the Tribunal with some evidence concerning the QPrime data base and access thereto.
- Senior Officer Doogan is a director of Frontline Systems at Queensland Police Service and was a project support officer of QPrime project from 2006. She is the QPS delegated business owner of the primary QPS database known as QPrime. Senior Officer Doogan was of limited assistance to the Tribunal concerning the technical aspects of the QPrime data base.
- Senior Officer Doogan gave evidence that there are various levels of access to the QPrime system, working progressively up the chain of command. This was the exchange between the Tribunal and Senior Officer Doogan:
… So it is possible to regulate the access that particular members of the service have to the system, isn’t it?‑‑‑Yes, there are.
…The corollary of that, the flip-side of that, is it possible to limit the sorts of files that people have access to?‑‑‑Yes, we can.
… So if you had a group of the population – in this case, we’re talking victims of domestic violence – whose personal information is sensitive, is it possible to restrict the access to that information to a certain level of officer?‑‑‑Yes, it is.
Is that what currently happens?‑‑‑Not in that example, no.
No. So we have an identifiable group of Queenslanders, those who are the subject of domestic violence orders, and I’m imagining your system is able to run a search that pulls up those people?‑‑‑Yes.
But there is no safeguard to their information in any different way to somebody looking at someone who doesn’t have a domestic violence order? ---All of the information is classified as protected, within the database.
I understand that. But it is – but there’s no differentiation between that group and a group – and that’s just the example that’s current to this. I mean, there’d be other groups of people, no doubt. But let’s just look at this group. So those with a domestic violence order against – in their favour – protection, and those without, are all together and there is no differentiation between the system in who accesses that? --- It depends on what’s been requested within the system. So it’s a case by case basis.
How – I’m – no, I don’t – I don’t follow that. It seemed that this particular police officer was able to fairly readily access the system for his own purposes, and didn’t need any other level of access. And I just wondered whether any – anyone who – who – anyone who logs onto QPrime can look at the information concerning someone with a domestic violence order as much as they can to someone without? --- That would be correct.
And, therefore, it’s up to the ethics of the individual and the warnings that come up, and the need to put in – so you – into the system what they’re doing, whether they access that or not? Yes.
- Detective Inspector Prestige also gave evidence to the Tribunal. Detective Inspector Prestige was an Acting Superintendent officer from the Ethical Standards Command team until recently. His evidence to the Tribunal was of the system of auditing. His evidence was that he was not aware of any random audits of QPrime in use in his 25 years of service.
- His evidence to this Tribunal as follows:
MEMBER: ‑ ‑ ‑ One of the allegations that’s made by the people who support ZIL is that the only way that the service becomes aware of an unauthorised access is if there’s been a complaint or an incident. Is that – is that right, in your view?‑‑‑Well, my role at investigations, that’s generally how we become aware of it.
…‑‑‑Either there’s a complaint or an incident to suggest there’s been unauthorised access.
- ZIL submits the Service’s actions were not enough. She says:
- (a)to be permitted access to QPrime a person must complete a ‘training package’, and fill out an application form and a confidentiality undertaking;
- (b)access is gained via a user ID and password;
- (c)the process of obtaining access has screens which provide standardised security warnings;
- (d)codes of conduct, policies and legislation all require only authorised access;
- (e)Senior Constable Punchard has completed a number of training courses – the content of which is not described.
- (f)That type of protection is one-dimensional in the sense that it establishes rules or guidelines to which QPrime users are obliged to adhere. In other words, the system relies on the integrity of the QPrime users.
- ZIL further submits
- (a)The entire database QPrime can be accessed by 15,000 QPS employees, and by a further unknown number of Public Safety Business Agency (PSBA) employees, all of whom are located in cities, suburbs and towns all over Queensland;
- (b)a user’s selection of a particular reason to access QPrime is not a security safeguard. This is because any selected reason will grant the user access to the same information, pages and reports as if the user selected any other reason. Thus, any reason given for accessing the database entitles the user to ‘at large’ access;
- (c)there is no credible evidence of any system of auditing or supervision. This submission is based on the evidence from Senior Officer Doogan who said she was aware that there are audits undertaken by the QPS Ethical Standards Command team but did not know what kind of audits were undertaken and auditing of staff using QPrime fell under normal management practices of oversight of staff members.
- ZIL submitted this must mean that there was no specific system of auditing QPrime use and that supervision on the use of the QPrime system was the responsibility of each supervising officer. She says there was no evidence that any supervising officers actually did audit the use of QPrime, or even that they were required or encouraged to do so.
- In reply, the QPS says in essence that the conduct of Senior Constable Punchard cannot be attributed to the agency because he acted without relevant authority.
- I accept he acted without relevant authority. But in my view, that is but the starting point of the examination. The real question, as I have postulated above is did the QPS take all reasonable steps to prevent his unauthorised use or disclosure of the personal information?
- On this question, the QPS submits:
Tthe correct approach with respect to liability is that it is necessary to identify, in each specific statutory context ‘the rules of attribution.’
- (d)These are rules adopted to determine which acts, knowledge or mental states of persons, through whom an organisation necessarily acts, are to be attributed to the organisation for the purposes of the legislative scheme.
- (e)The IP Act does not contain a specific provision that identifies, by way of clarification or by way of extension, when conduct of an employee or an agent of an organisation is to be attributed to the organisation.
- (f)Absent such a provision, the issue of liability is one of interpretation of the legislative scheme, giving weight to its scope and purpose.
- (g)The legislative scheme contained in the IP Act is concerned with the conduct of public sector agencies acting for their public purposes.
- (h)A distinction is drawn between the actions of an employee for the purpose of the agency, and the actions of the employee for personal reasons.
- (i)In the former case, the employee’s conduct may be attributed to the agency, even if the conduct was undertaken in an improper way. In the latter case, however, the conduct cannot be attributed to the agency.
- In considering the equivalent of IPP 4 in MT, the Court of Appeal considered a complaint under the Privacy and Personal Information Protection Act 1998 (NSW) (‘the PPIP Act’) against a teacher who accessed a student’s file for purposes related to his private role as a soccer coach. In this matter, it was accepted that the access was unauthorised and was conceded a breach of s 12(c).
- In relation to the issue of whether the Department had used or disclosed the information, Spigelman CJ observed:
 … the interaction of s.12(c) and s.62(1) … is such that, in my opinion, it leaves no scope for the extension of each reference to conduct of the public sector agency to encompass any conduct by an employee or agent, irrespective of whether it is within the scope of his or her functions as such. Where, as here, the “use” or “disclosure” of information was for a purpose extraneous to any purpose of the Department, it should not be characterised as “use” or “disclosure” by the Department or conduct of the Department. It is not appropriate to adopt a rule of attribution that extends so far.
 Of course Parliament may have intended that statutory obligations should overlap. In the Act under consideration, however, the focus of Parliamentary attention is upon public agency acting in that capacity for public purposes. Where the agency has satisfied its obligation under s 12, it was not, in my opinion, Parliament’s intention to expose every such agency to a form of absolute liability for the unauthorised private conduct of its employees or agents.
 Nothing in the text or the scope and purpose of the legislative scheme suggests that Parliament intended to impose absolute regulatory liability. Indeed, s 12(c) itself imposes an obligation only to adopt such “safeguards as are reasonable in the circumstances.”
- A similar outcome was found in OD v Department of Education and Training.
- The decision in MT was also followed by the learned member in AXP v Queensland Police Service  but here the learned senior member went on to conclude:
As such, the proper construction of PP 4 is that an agency having control of a document containing personal information must ensure that the document is protected by security safeguards adequate to provide the level of protection that can reasonably be expected to be provided.
I accept the submissions of the QPS as being an appropriate interpretation. The liability of agencies should be limited to those situations where the disclosure was within the ability of the agency to control either through its possession or control of the documents, or the adoption of protective safeguards. This involves a consideration of whether the disclosure was authorised by the QPS or done when an employee was acting for the purpose of the agency or alternatively for personal reasons.
- I am satisfied that this line of authority is distinguished by the facts of this this matter. Both of these 2006 decisions and the later reliance on MT, were at a time when the community’s view of domestic violence was different to that which it had become by 2014. Even since the QCAT decision in AXP some 6 years ago, the level of care expected by the community at large of the QPS in relation to information held by this agency and potentially jeopardising the safety of a victim of multiple acts of domestic violence is now in my view, justifiably high – certainly higher that it was in 2006 or even 2013.
- An internal email from the QPSW Police Commissioner Ian Stewart dated 30 March 2016 (during the period attributable to the actions of Senior Constable Punchard and concurrent with the events in this matter) was sent to all officers and staff. It addressed a direction to all concerning access to the QPrime system. This email reflects my view of the change in community attitude. The Commissioner says:
The purpose of this direction is to make it clear to all members of the QPS, both sworn and staff members, there has been a move in community attitudes towards misuse of information held by the QPS and as a consequence the QPSW and community’s tolerance for what amounts to criminal behaviour is very low. Discipline sanctions for inappropriate access of QPS information which have applied in the past will no longer apply into the future as the bar has been raised in order to clearly reflect organisational and community disapproval for such conduct.
- The QPS submits that by issuing this email and putting in place security measures to manage the risk of inappropriate access and disclosure, and a dedicated criminal offence (section 10.1 of the Police Service Administration Act 1990 (Qld)), the Service warned directly against such conduct, and took disciplinary action against Punchard for his conduct once it had been brought to the respondent’s attention.
- But this occurred after the event and from 2014 to 2016 the QPS had no knowledge – indeed had not looked to find – the unauthorised access by Senior Constable Punchard. Without the chance retrieval of the mobile phone, the evidence before me was that the QPS may never have discovered Senior Constable Punchard’s actions in accessing the system.
- The evidence before me is that the QPS had no systematic auditing procedures of access to the QPrime system – even for at risk groups such as domestic violence victims. It simply relied on either a complaint or an incident to highlight a breach of the QPrime system. This system of auditing after the fact allows for circumstances where catastrophic events involving ZIL and the safety of her family could have occurred based on knowledge taken from the QPS’s own data system by a traffic officer for a childhood friend.
- Whichever way I consider this, I cannot be satisfied that the QPS took all reasonable steps to prevent Senior Constable Punchard’s unauthorised use or disclosure of the personal information.
- They did not audit in any systemic way to supervise access even to a group of people (the victims of domestic violence) who had orders in their favour. The Service waited until there was a complaint or an incident – a time after any further potential damage to this vulnerable group. The QPS could have added to the QPrime system to allow restricted access to the information about this vulnerable group.
- They did give spasmodic web based training to staff and officers only on the responsibilities for accessing the QPrime system, but then rely on the moral fibre of an individual police officer to not access the system in circumstances (borne out by the evidence) where he knew he would not be caught – because no one looked.
- I am satisfied the complaint for a breach of IPP 4 has been substantiated.
- I am not satisfied that IPP 9 has relevance to the circumstances of this matter. This section applies if an agency having control of a document containing personal information proposes to use the information for a particular purpose. These are not the facts of this matter and I am not satisfied the complaint for a breach of IPP 9 has been substantiated.
- I am satisfied the complaint for a breach of IPP 10 has been substantiated. An agency must not use information for a purpose other than the purpose for which it was obtained.
- Because I am not satisfied that the QPS took all reasonable steps to prevent Senior Constable Punchard’s unauthorised use or disclosure of ZIL’s personal information, in my view it follows that the QPS allowed the use of this information for a purpose other than the purpose for which it was obtained.
- I accept this as a consequential breach to a primary breach of IPP 4. If I am wrong about this, I rely on my findings to find liability in ZIL’s favour on the basis of the substantiated breach of IPP 4.
- I am not satisfied that IPP 11 has been breached. The disclosure was to an individual, not as required by that IPP to an entity. The terms of the IPP are not sufficiently fulfilled in this matter to substantiate the basis of a breach.
- This hearing was about liability. The consequences of my finding liability have yet to be addressed. These arise under s 178 of the IP Act. Directions will now be made for the parties to provide written submission on the orders each seeks with supporting documentation – particularly from ZIL if she seeks any monetary compensation under the Act. Any documents must support the amount of compensation she is seeking.
- It will be open after the receipt of these submission for this Tribunal to also seek oral submissions from the parties on a future date – but this further oral hearing will depend on the Tribunal’s understanding of the submissions received from the parties.
- Finally, it is open to the parties to provide a joint submission on compensation for consideration by this Tribunal if any agreement can be reached.
 Transcript 1-20 at 40, to 1-21 at 30.
 IP Act: s 164.
 Ibid para 18.
 Outline of submissions filed 14 December 2018, para 10.
 Section 164 of the IP Act.
 New South Wales v Lepore (2003) 213 CLR 511.
 Ibid 22,
 Transcript 1-113, 33.
 Transcript 1-59, 2 onwards.
 Director General, Department of Education and Training v MT (2006) 67 NSWLR 237; approved in Meridian Global Funds Management Asia Limited v Securities Commission  2 AC 500, 506C .
  NSWADT 312.
  QCAT 680, para 120.
 Ibid para 125.
 Exhibit 11 Annexure ‘L’.
 Transcript 1-114, 5 onwards.
 Transcript 1-59, 1 onwards.
 IP Act: s 178.
- Published Case Name:
ZIL v Queensland Police Service
- Shortened Case Name:
ZIL v Queensland Police Service
 QCAT 79
27 Mar 2019