Federal Court: In SZSSJ: personal details of SZSSJ were unintentionally disclosed on the DHA's website; DHA refused to disclose the full content of a KPMG report on the data breach, but referred SZSSJ to an ITOA with instructions to assume that information from him had been accessed by all persons from whom he feared persecution; HCA held that even if there was a denial of procedural fairness in not disclosing the full report, that was cured by the assumption. Was the AAT in this case obliged to make that assumption?
Summary
To oversimplify this case, the Appellant's protection visa application was refused and the Appellant applied to the Tribunal for merits review of that refusal.
In 2014 and before the Tribunal made its decision, names and personal details of 9,258 people in immigration detention, including the Appellant, were unintentionally disclosed on the Department's website for about 2 weeks.
The Department's overall response to the data breach was twofold. It instituted processes labelled "International Treaties Obligations Assessments" (ITOA). 'The purpose of conducting the ITOA was to assess the effect of the data breach on Australia’s international obligations with respect to affected applicants'. Further, the Department retained KPMG to investigate the data breach.
Unlike in the High Court (HCA) decision in SZSSJ, where SZSSJ had been afforded an ITOA assessment, the Appellant was not afforded such an assessment. Further, the Department's referral of SZSSJ to an ITOA contained instructions to the ITOA assessor to assume that information from SZSSJ had been accessed by all persons from whom he feared persecution.
KPMG prepared a report on the breach. The Department notified the Appellant of the data breach and gave him an abridged version of that report, which merely recorded that the personal details of those 9,258 people had been accessed 123 times from 104 IP addresses. The Department wrote to the Appellant as follows:
... the [Tribunal] is the appropriate forum for you to raise any protection claims you may have in regard to the unintentional release of your personal information on the department’s website...
The Federal Court (FCA) summarised the Appellant's submission to the Tribunal as follows:
... The Department possessed all information in relation to the data breach, in particular the unabridged KPMG report which contained details of IP addresses and number of accesses to the information. Procedural fairness required that all relevant information be provided to the appellantbefore preparation of a reply, since, without having access to that information, he could not effectively and competently prepare his claim that he was a refugee sur place. A refugee sur place, I interpolate, is a person who is not a refugee when they left their country of origin but becomes one as a result of events occurring after their arrival in Australia. If the Department did not provide that information, the advisor submitted, the only course of action open to the Tribunal would be to recognise the appellant as a refugee sur place. The advisor went on to submit that the Tribunal could not complete its task without having full disclosure of the information that was in the possession of the Department.
The Tribunal affirmed the Department's decision and the Appellant then applied to the Federal Circuit Court (FCCA) for judicial review of the Tribunal's decision.
The FCCA dismissed that application and the Appellant eventually appealed the FCCA's decision to the FCA, to which the grounds of appeal were as follows:
31 In submissions filed on the appellant’s behalf by his then lawyers in May 2018, grounds 2 and 4 were collapsed into one:
[T]he way in which the Tribunal dealt with the ‘data breach’ issue occasioned a want of procedural fairness such as to amount to jurisdictional error, which was erroneously not recognised by the Court below.
32 This contention was particularised later in the submissions as follows:
The appellant submits that the department and/or Tribunal (s418(3) required the Secretary to forward all relevant documentation to the Tribunal) failed to provide him with the KPMG report, failed to provide him with sufficient information relating to the breach and failed to apply the assumption considered by the High Court in SZSSJ to have remedied the want of procedural fairness occasioned by the lack of disclosure of the report and the appellant’s actual disclosed information to cause the Tribunal to constructively fail to provide the appellant with an opportunity to be heard under s425 of the Act.
The questions to the FCA were as follows:
Question 1: Has the Tribunal made, in the Appellant's case, the same assumption made in SZSSJ by the ITOA assessor?
Question 2: If the answer to Question 1 is "no", did the lack of such an assumption amount to a denial of procedural fairness?
The FCA answered as follows: