Tuesday 3 December 2019

VCAT confirms scope of data security obligations when serving documents

A recent VCAT decision found that privacy obligations with respect to court or tribunal documents that are served on a party cease upon valid service, even if the recipient refuses to accept service and abandons the documents.

On 1 December 2017, police officers attended Mr Zeqaj's workplace to serve him with documents on behalf of the Australian Taxation Office.  When Mr Zeqaj refused to accept service, the police officers placed the documents down in his presence and left.  Mr Zeqaj alleged that by serving him at his workplace and by leaving the documents unattended, Victoria Police contravened Information Privacy Principle (IPP) 4.1, which provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

VCAT found that Victoria Police had not contravened IPP 4.1 because the disclosure was authorised.  Victoria Police had collected the personal information for the purpose of serving it on Mr Zeqaj, and had effected service by identifying Mr Zeqaj and giving him 'ready and unimpeded means of exercising physical custody or control' over the documents.  Once the documents had been served, Victoria Police no longer 'held' the information within the meaning of IPP 4.1 and any unauthorised access from that point was a result of Mr Zeqaj's decision not to take possession of the documents.

VCAT also found that it did not have jurisdiction to consider Mr Zeqaj's claim that his rights under the Charter of Human Rights and Responsibilities Act 2006 had been breached because the claim had not been included in the original complaint to the Information Commissioner, or in the referral from the Commissioner to VCAT.

Contact us: 

Louise McNeil
Senior Solicitor

Catherine Roberts
Lead Counsel

Case: Zeqaj v Victoria Police (Human Rights) [2019] VCAT 1641

No comments:

Post a Comment