In Privacy and Data Protection Commissioner has found that the University of Melbourne breached Information Privacy Principle (IPP) 1.3 in tracking its students who were engaged in a sit in protest in May 2024 and a direction by the Vice Chancellor to leave on 20 May 2024.

The investigation is a useful consideration of IPP 1.3 and 2.1 of the Privacy and Data Protection Act (Vic). The analysis and principles are applicable in relation to the extent to which the collector of personal information informs those who own that information what it will be used for.  It is considered whether the use was consistent with the purpose of gathering the information or a permissible secondary purpose.

Beyond making a finding against the University the Information Commissioner’s Office could take no action against the University notwithstanding an egregrious and serious breach of the Act.  The only action that could be taken is a Compliance Notice which is little more than a notice saying one should fix problems.  That’s it.  That highlights the fundamental weakness in the legislation. In the United Kingdom the Information Commissioner has the power to impose monetary penalties on agencies. 

Notwithstanding the lack of meaningful action taken against the University by the regulator that does not mean those whose privacy was interfered with don’t have causes of action in the courts.  

The Report is 31 pages long but some relevant points made include:

Regarding Function creep

Foreword

Social licence and function creep are two important concepts in interpretation of the relationship between human rights and technology. When governments or other official bodies implement technology, society expects them to respect human rights, including the right to privacy. This is usually achieved through the preparation of a Privacy Impact Assessment, and through communication with affected stakeholders about the purpose of the technology and the ways in which its use will be governed.

The University engaged in function creep by using surveillance of users of on-campus Wi-Fi in disciplinary proceedings it began after a protest. The University introduced the Wi-Fi tracking capability some years ago, for the purpose of network management, with a reassurance that it would not be used to surveil individuals. The University subsequently used the capability for disciplinary purposes, because it was already in place, without substantially considering the human rights or privacy impacts of doing so. In failing to consult with stakeholders about the policy change, the University failed to obtain a social licence for the use of this technology.

and 

The delivery method for the Notices related to Wi-Fi use – an on-screen pop-up – was also not an effective mechanism for explaining complex terms and conditions.

and 

…the governance and authorising processes the University used to authorise access to staff email accounts fell below the standard the Deputy Commissioner expects. This access occurred after the urgency of protest had passed, and could have been dealt with more carefully Read the rest of this entry »

The charges against Ryan Cho, a junior doctor who worked at Austin Hospital, arising out his alleged use of video devices in staff toilets has grown from a charge of stalking and using an optical device earlier this month (see my post here) to five new offences. According to a Victoria Police media release, and reported by the ABC, last Friday Cho has now been charged with 5 further offences, most relevantly of 3 counts of producing intimate image and 1 count of using an optical surveillance device. The alleged offences are now  believed to have occurred in in more than one health facility. According to the ABC the Victoria Police allege that Cho had over 10,000 “pieces of images” and videos relating to at least 460 females.

The focus of the story is the alleged criminality of the conduct.  And why not. It is a big story and there is a strong interest by the public and public interest (2 very different concepts) in the issue.  The legislatures in Australia were very quick to respond to the practice of surreptitious filming, usually of women by men, in very private places, such as showers, toilets and change areas.  That response however was confined to criminalising such conduct. That is appropriate.  But there are limitations for the victims in this process.  In criminal cases it is the Crown, in indictable cases, or police Informant, in summary jurisdiction cases, which commence and conduct prosecutions.  It is the Crown/Informant which may enter a plea deal.  In some cases some form of monetary order may be made but it is not the same as an assessment of damages.  And it is prosecutors discretion to seek such orders.  

For years the State legislatures refused to legislate a civil right of action for interferences with privacy.  In Victoria what limited scope of action was confined to breaches by government entities under the Privacy and Data Protection Act.  It is an ineffective process and the results at the Victorian Civil and Administrative Tribunal Act has been very unsatisfactory.  On top of that its use is confined to Victorian Government, its agencies and entities or those providing services on their (as the case may be) behalf.  While the Victorian Government, like many government entities, have had major privacy fails and data breaches those incidents are only a small sub set of the total number of privacy interferences, misuse of private information and data breaches in Victoria (let alone the rest of Australia).  

Equity responded to the lack of statutory privacy protection and the inability of individuals to take action to protect their privacy with the Victorian Court of Appeal decision of Giller v Procopets [2008] VSCA 236.  It extended the claim of breach of confidence into a claim of misuse of private information, following the UK authorities.  It was and is not a good fit in many privacy related breaches.  The law developed at a glacial pace in this generally unsatisfactory environment.  That said, the High Court in Smethurst v Commissioner of Police [2020] HCA 14 came tantalisingly close to recognising a stand alone right to privacy as an actionable tort as the UK Court of Appeal did Vidal – Hall v Google Inc [2015] EWCA Civ 311. In Smethurst the Appellant deliberately did not want the High Court to continue consideration of a claim for breach of privacy.  Their Honours Keifel CJ, Bell and Keanne stated, at [48] (absent footnotes):

The plaintiffs’ principal claim to an injunction is based upon the Court’s auxiliary jurisdiction in equity. This would ordinarily require that it be granted in aid of some legal right or interest or title to property. The plaintiffs make no claim to the property in the AFP’s USB stick. They do not claim a right to privacy which is actionable for breach. They do not ask this Court to continue the debate, left open by Gummow and Hayne JJ in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd, as to whether the courts should recognise such a tort. The plaintiffs nevertheless contend that an injunction should be granted to reverse or protect them from the effects of the trespass committed as a result of the Second Warrant being invalid. Those effects are that the information may be used to further the investigation as to whether offences against s 79(3) of the Crimes Act have been committed and, if charges are laid, as evidence of the commission of those offences.

(Emphasis added)

The reason for the Appellants reluctance in pressing the question of privacy and “continuing the debate” (which the High Court was most definitely interested in having) is because the media was at 2020, just as it is today, very hostile to the idea of a tort of privacy.  It wanted the relief sought and a finding against the Commissioner of Police but on a more confined basis.  That was a great opportunity wasted but fortunately the legislative has finally enacted a statutory tort of serious invasion of privacy.  As to whether the tort the High Court may have found was a superior form of protection to what has been enacted is something we will never know.  T

he Federal Government enacted a statutory tort of serious invasion of privacy which came into effect on 10 June 2025. 

With the operation of the statutory tort of serious invasion of privacy the gap in the civil law has been closed.  It is able to provide some measure of justice and compensation for victims of the behaviour as alleged in this case.  

The elements of a statutory tort of serious invasion of privacy are set out in section 7(1) of Schedule 2 of the Privacy Act 1988 and they are:

(1)       An individual (the plaintiff ) has a cause of action in tort against another person (the defendant ) if:

(a)     the defendant invaded the plaintiff’s privacy by doing one or both of the following:

(i)      intruding upon the plaintiff’s seclusion;

(ii)     misusing information that relates to the plaintiff; and Read the rest of this entry »

The Australian reports that Victorian Ambulance has suffered a data breach involving the personal and financial details of 3,000 employees. This data breach may have been caused by what has been described as a rogue employee. This is not a first for Ambulance Victoria. In 2023 it suffered a privacy breach, this time internal sharing of a personal information. In the 2023 privacy breach the “..documents have been accessed only a handful of times in the past six months.” An exercise in minimisation. On this occasion the breach was detected by systems by the employee on his or her last day of service. In 2019 I posted on a data breach involving NSW Ambulance Offices which resulted in a class action and settlement of $275,000.

Data breaches involving staff going rogue are a chronic problem and can be a difficult problem if there are not proper policies and systems in place.  Some staff or soon to be ex staff are motivated by malice, others by greed and some by curiosity.  It is important to have programs in place that detect suspicious activity, like massive copying or exfiltration.  It is also important to have a data breach response plan, involving roles for members of the organisation.  There also needs to be a plan to take court action if necessary.  It is common to seek injunctive relief against ex staff or consultants who make off with data.  That is not as an alternative to contacting police but complementing such action.

One question the regulators will no doubt ask is Read the rest of this entry »

The ABC reports in Hundreds of email addresses shared in Victims of Crime Assistance Tribunal administrative error that there was an accidental share of email addresses of victims of crime in an email advising of changes to the compensation application process. It appears that the email was a sent to multiple addressees, 480 the ABC has seen, however the addressees were not blind copied so the recipient could read the email address of other recipients.  The addresses included first and last names.  VOCAT sent 2 recall emails, which means very little. 

The damage is done.  Given the addressees are victims of crime, some of which may involve stalking, the presumed damage would be greater than might otherwise be the case. Damages in privacy cases have not been significant in Australian cases.  That is primarily because there have been relatively few reported cases where damages have been considered.  In the United Kingdom the courts also took a restrained approach to damages however with increased litigation and the bench’s greater understanding of how privacy breaches can impact a person the awards have risen.  And egregious privacy breaches have increased the ceiling over time.  In Victoria a complaint can be made under the Privacy and Data Protection Act 2014 with VCAT hearing a complaint.  Under Section 77(1)(a)(iv) it has jurisdiction to award damages of up to $100,000.  There has been only one instance where an award of damages has been made, Zeqaj v Victoria Police (Human Rights) [2018] VCAT 1733.  In that case the breach was proved and an award in the sum of $1,000 was made.  That is derisory.  The analysis was also very disappointing.  The jurisprudence in VCAT should not make a complainant optimistic.  It is very difficult to succeed, hence the award provision in the Act is virtually dead letter.  The analysis by VCAT is very disappointing and not consistent with privacy litigation in the UK or the USA, let alone Europe.   The Office of the Victorian Information Commissioner has a page titled Assessing compensation claims for loss in privacy complaints where it provides an overview of the law. It is fairly basic and not particularly sophisticated given the development of privacy in common law jurisdictions. It is useful given all complaints must proceed through the Victorian Information Commissioner. Many complaints are mediated and resolved there. Better that than taking one’s chances in VCAT. 

This type of error is all too common and especially prevalent in the public service. It is entirely preventable.  Proper training and Read the rest of this entry »

Last month the Office of the Victorian Information Commissioner was conducting preliminary enquiries with the University of Melbourne regarding the use of its surveillance technology to identify and bring misconduct hearings against students who undertook Pro Palestine sit ins. In July the University released a statement under the heading Conflict in the Middle East and activism on campus where it stated that “Last month the Office of the Victorian Information Commissioner was conducting preliminary enquiries with the University of Melbourne regarding the use of its surveillance technology to identify and bring misconduct hearings against students who undertook Pro Palestine sit ins. In July the University released a statement under the heading Conflict in the Middle East and activism on campus where it stated that it ” University of Melbourne”.. is a diverse, multi-cultural and multi-faith community..”, it “has a duty to uphold the principles of academic freedom and freedom of speech, and respect for legitimate and peaceful protest is core to our university’s values, as well as an activity protected by law”, it “operates fairly and in accordance with the law. Our policies also provide the basis for addressing actions or behaviours that adversely affect other members of the University community” and “to understand and implement appropriate support for students and graduate researchers during this time, with an increase in provisions for health and wellbeing, assessments, and safety on our campuses.” Waffly boilerplate that many organisations cobble together to cover and justify other activities and mask other behaviours not so consistent with the principles of the Enlightment which Universities should use as a touchstone. Such as using surveillance technology to bring action against students for conducting a sit in. As a result of disciplinary hearings 21 students received warnings. OVIC has now confirmed that it will launch an investigation into the University of Melbourne under the Privacy and Data Protection Act 2014.

The confirmation was reported by the Australian in “OVIC to probe Melbourne Uni over student surveillance” which provides:

The Office of the Victorian Information Commissioner will launch an investigation into the University of Melbourne after the academic institution used surveillance technology to gather evidence against students involved in a sit-in at a campus building.
Last month OVIC confirmed it was conducting preliminary enquiries with the university.
Victorian Information Commissioner Sean Morrison on Thursday confirmed the office has now decided to escalate the matter.
“Following conducting preliminary inquiries, the Privacy and Data Protection Deputy Commissioner has decided to commence an investigation under the Privacy and Data Protection Act 2014,” he said in a statement to The Australian.
“Given this is an active matter OVIC is unable to comment further until the investigation has concluded.”
In July, 21 students faced misconduct hearings before senior university representatives.
The students were notified of the disciplinary proceedings when the university sent them an email informing them they had breached its code of conduct during demonstrations and cited evidence from CCTV footage and Wi-Fi data obtained from the university’s network tracking their movements within the Arts West building during the 10-day sit in. Read the rest of this entry »

In A & J Morphett Nominees Pty Ltd v JBT Lawyers Pty Ltd & Anor [2022] VSC 238 Justice Dixon in upholding an appeal made important statements for practitioners on the role of stakeholders.

FACTS

On 26 November 2018 the appellant and Chloe Estelle Pty Ltd entered into the contract with the appellant paying the deposit of $42,000 to the respondent on 6 December 2018 [4].

On 21 March 2019, the appellant by written notice terminated the contract and requested that the respondent repay the deposit to it [4].

The appellant, A & J Morphett Nominees Pty Ltd, commenced proceedings against Chloe Estelle Pty Ltd, as first defendant, and the respondent, JBT Lawyers Pty Ltd, as second defendant in the Magistrates Court.  In its defence the respondent admitted that it received the deposit sum as a stakeholder as alleged by the appellant [6].

On 24 June 2019, the appellant entered default judgment in the proceeding against Chloe Estelle Pty Ltd, which included an amount for interest and costs [7]. The appellant did not recover against Chloe Estelle Pty Ltd as it was and on 18 July 2019, an administrator was appointed and it was subsequently ordered to be wound up. The liquidators made no claim for the deposit.

It was never been in dispute that the respondent received that sum as a stakeholder for the appellant and Chloe Estelle Pty Ltd [3].

On 29 March 2019, the Federal Circuit Court, per Small J,made an order in a Family Law dispute between different parties.  It relevantly Read the rest of this entry »

The arrest and charging of Dean Laidley for what has been described as stalking is a matter of public record.  He appeared before the Melbourne Magistrates Court and was remanded.  As no suppression or pseudonomysation orders  were made those details can be reported. 

However photographs police take of those charged are not public documents.  They are taken for the purpose of properly recording the processing of a person into custody.  Their purpose does not extend to providing colour to a story.  Further, other photographs taken in a police station of a suspect or a person charged are not for public consumption. Frankly there is no good reason for taking other still photographs. 

It is then appalling to see that the Herald Sun has Read the rest of this entry »

In a brilliant piece of analysis Dr Chris Culnane, Associate Professor Benjamin Rubinstein and Associate Professor Vanessa Teague of the University of Melbourne have demonstrated in their paper released today titled Stop the Open Data Bus, We Want to Get Off that de identification of unit record level data does not work without substantially altering the data to the point where its value is reduced.  The analysis was based on the data released by the Victorian Government in to a data science competition.  The authors have demonstrated that a combination of only needing a small number of points of information to make an individual unique and poor quality anonymisation and security techniques makes it quite easy to reidentify individuals. 

In the case of the myki data the authors found that “little to no de identification took place on the bulk of the data.”  They found it was a straightforward task to re identify two of the co authors cards.  They also established that is possible to identify a stranger from public information about their travel patterns, for example twitter to name just one source.  They identified Read the rest of this entry »

As of 1 September 2017 the State of Victoria will have an Information Commissioner, replacing the position of Privacy Commissioner.  The Information Commissioner will also be responsible for Freedom of Information applications.

The inaugural Information Commissioner is Sven Bluemmel.  Mr Bluemmel was Read the rest of this entry »

Misuse of confidential information and regular data breaches has been a longstanding and systemic problem for the Victorian Police Force.  In the past two years I have posted on problems with the misuse of the LEAP database, which contains personal information of Victorians, here and here.  Police documents containing sensitive personal information were found in the possession of outlaw bikie gang members in 2013.

In his 2016 annual report Victorian Commissioner for Privacy and Data Security set out problems in the Victorian Police with data management.  There was a 36% increase in data security breaches over the previous year.  The Commissioner identified Read the rest of this entry »