Privacy and the Complaints Process: A Costly ($30,000) Lesson

A failure to comply with the Information Privacy Principles has cost Cessnock City Council $30,000 in damages for psychological harm.

The case of EMF v Cessnock City Council [2021] NSWCATAD 219 involved privacy concerns stemming from a complaint made by EMF to Council, and is a stark reminder of Council’s obligations under privacy legislation when dealing with personal information.


EMF originally sent an email to the Mayor of Cessnock making various complaints about officers and staff of the Cessnock City Council (“Council“) involved in the Draft Cessnock Local Strategic Planning Statement (Draft Plan). The Mayor, without reading, forwarded on the email to members of staff of the Council, including those who were the subject of complaints, believing it to be a submission or comment in response to the Draft Plan. EMF was unsuccessful at the Tribunal in establishing that the Council failed to comply with obligations under the Information Privacy Principles (“IPPs“) that applies to the conduct of public sector agencies when handling an individual’s personal information) as the email was not clearly marked as ‘confidential’ or ‘for the addressee only’.

The issue in the subject proceedings was the handling of EMFs personal information in relation to a subsequent and separate complaint addressed to the General Manager of Council regarding the original complaint.

The second complaint was marked ‘Confidential – Attention of Addressee only’ and alleged breaches of the Council’s code of conduct, among others. The General Manager did not accept the complaint as a code of conduct complaint and treated the complaint as a privacy complaint.

Despite the wording indicating it was confidential and to the addressee only, the complaint was passed on to public officer to handle it as a privacy complaint. The public officer wrote to the applicant acknowledging receipt of the complaint to which the respondent replied questioning why the public officer was contacting them in relation to the confidential complaint.

An Internal Review was requested due to the alleged breach of the IPPs through the compliant being accessed, used and disclosed by Council. The internal review determined that there was no evidence that the Council had failed to comply with the IPPs in its handling of personal information and the complaint. EMF subsequently commenced proceedings.

The Tribunal made some key points, including that the transfer of personal information within an agency is not a fresh collection of information, but may be a disclosure for the purposes of the IPPs.

Ultimately, the Tribunal made the following, relevant findings in respect to the purported breaches by Council:

  • IPP 1: Collection of personal information for lawful purposes. The collection of personal information by the General Manager on behalf of Council was collected for the lawful purpose of considering the Complaint. Redirecting the complaint was not considered a fresh collection.
  • IPP 3: Requirements when collecting personal information. This requires Council to take reasonable steps to ensure that the applicant was made aware of the collection of personal information as soon as possible, the purpose and the intended recipients of the information. There was no evidence that Council had, after receipt of the complaint, took reasonable steps to send to the applicant an IPP 3 compliant statement, or referring the applicant to Council’s privacy statement on its website.
  • IPP 10: Limits on use of personal information. Considering the complaint was marked as ‘confidential’ and ‘for the addressee only’, the General Manager should have sought the applicant’s consent before passing on the information.
  • IPP 11: Limits on disclosure of personal information. Personal information may only be disclosed with consent, if the person was told at the time it would be disclosed, if it directly relates to the purpose for which the information was collected and there is no reason to believe the person would object. The Tribunal found that no ‘disclosure’ of the applicant’s personal information occurred by Council providing it to various officers and staff of Council or by including the information in Council’s electronic information management system.

The failure to comply with IPPs 3 and 10, resulted in damages being awarded to the applicant in the amount of $30,000 to compensate for the psychological harm suffered as a result of Council’s breaches. In addition, Council was to provide to the applicant a written apology addressing Council’s breach of IPPs 3 and 10 and for all distress and harm caused to the applicant as a result of such.

Council was also directed to implement various measures to ensure that it complied with the IPPs moving forward, including updating its Privacy Statement and improving its administrative measures to ensure that the conduct the subject of these proceedings did not occur again.

If you would like advice about anything in this article, please contact Greg Lee on 02 8235 1254 or your usual ClarkeKann contact.

This bulletin is produced as general information in summary for clients and subscribers and should not be relied upon as a substitute for detailed legal advice or as a basis for formulating business or other decisions. ClarkeKann asserts copyright over the contents of this document. This bulletin is produced by ClarkeKann. It is intended to provide general information in summary form on legal topics, current at the time of publication. The contents do not constitute legal advice and should not be relied upon as such. Formal legal advice should be sought in particular matters. Liability limited by a scheme approved under professional standards legislation. Privacy Policy


…and we’ll email you valuable insights into issues affecting you and your business.

More Insights

Court Strikes Down Declaration of Heritage Listing

Court Strikes Down Declaration of Heritage Listing

Key Takeaways Decisions by consent authorities to list buildings in the state's heritage register are vulnerable to legal challenge if the decision is not supported by reasons which have ‘regard to any statutory requirements applying to the decision’. Consent...

read more