NCAT: CNS v Transport for NSW [2018] NSWCATAD 40
This recent decision of the New South Wales Civil and Administrative Tribunal (NCAT) illustrates the importance of practicing privacy by design and data minimisation so that your agency can have confidence that they are only collecting personal information that is necessary for their functions or activities, and that they can adequately articulate the grounds for a particular collection when they need to.
The Tribunal considered whether the requirement of Transport for NSW (TfNSW) that certain concession Opal cards be registered (thus linking the card’s travel, billing and location histories to the owner) resulted in the collection of more personal information than was reasonably necessary for TfNSW’s stated purpose of ensuring entitlement and enforcing eligibility requirements for those cards, in contravention of Information Protection Principle (IPP) 1 under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
The Tribunal found in favour of the Applicant, it appears largely because TfNSW was unable to offer a ‘cogent explanation’ of the need for the cards to be registered. The Tribunal ordered TfNSW to refrain from any collection of personal information relating to the travel movement history of the Applicant, leaving the technical details of how this might be done to TfNSW.
Also of interest is the Tribunal’s consideration of whether the travel data generated by the card was personal information ‘about’ the Applicant, applying Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 and reviewing other relevant case law.
This article was written by Jordan Wilson-Otto, Acting Assistant Commissioner Operational Privacy and Assurance, Office of the Victorian Information Commissioner. The views expressed in this post are the author’s own and do not necessarily reflect the views of OVIC.