CVP17 v Minister for Immigration and Border Protection

Background 5 The following summary of the background facts is drawn from the reasons of the Federal Circuit Court (which I will refer to as the Primary Judgment or PJ). In those reasons, the primary judge referred to evidence, given by the appellant by way of affidavit, in relation to a Departmental data breach. The appellant was not cross-examined about that evidence and the Minister did not adduce any evidence to contradict the affidavit. It appears that the primary judge accepted that evidence in the hearing below and, in this appeal, the Minister did not make any submission to the contrary. 6 The appellant is a citizen of Vietnam who arrived at Christmas Island by boat on 8 May 2013. This resulted in him being classified as an unauthorised maritime arrival for the purposes of the Act. He was held in immigration detention following his unauthorised arrival. By reason of s 46A(1) of the Act, the appellant was prevented from lodging a valid application for any visa while in Australia. 7 On 10 February 2014, whilst the appellant was in immigration detention, a document was unintentionally placed on the website of the then Department of Immigration and Border Protection (Department) which had the effect of releasing information about individuals, including the appellant, who were in immigration detention at the time. The information released included personal information, such as names, dates of birth, nationality, gender, detention details and details of any other family members in detention but not specific details of any claims for protection. I will refer to this incident as the Departmental data breach. 8 Before the Federal Circuit Court, the appellant adduced evidence of a Freedom of Information request made on his behalf in June 2018 in relation to the Departmental data breach. That request elicited production of the following documents from the Department: (a) A copy of a report prepared by KPMG for the Department dated 5 April 2014 and titled "Privacy breach - Data management". The report stated that a Microsoft Word document titled "Immigration Detention and Community Statistics Summary" dated 31 January 2014 had been uploaded to the Department's website on 10 February 2014. The analysis in the document was based on source data drawn from a Microsoft Excel Workbook which contained personal information of approximately 10,000 immigration detainees. The personal information became embedded in the Microsoft Word document in a manner that enabled that data to be accessed by persons viewing the Microsoft Word document. The potential access and distribution of the personal information in the document was widespread. There were 123 "hits" on the document from 104 unique IP addresses. For 26 of those "hits", the full document was downloaded and therefore the person accessing the document must be assumed to have obtained the underlying data. For 75 of those "hits", the document was browsed over the internet through a computer based browser, capable of downloading the full document and therefore the underlying data, though KPMG could not confirm that a download had in fact occurred. The remaining "hits" were considered a low risk of obtaining the document and the data due to the nature of the technology used to look at the document. The predominant access country was Australia, though many other views or potential access originated from a range of other countries. (b) A copy of the Department's policy titled "Onshore Protection Procedures Advice No 38 - Processing cases affected by the 10/02/2014 data breach" (the Data Breach policy). The document states that it was reissued on 14 October 2016, but there is no indication of the date it was first issued. The Data Breach policy referred to the Departmental data breach and stated as follows: Background 2. On 10 February 2014, the regular monthly 'Immigration Detention and Community Statistics 31 January 2014' report was published on the department's website. The report contained an inadvertent link to the details of the individuals in detention facilities as at 31 January 2014. 3. The incident affects a large number of people at various stages of processing. Most (approximately 8100 of the 9300 affected) have been identified as Illegal Maritime Arrivals who are currently awaiting processing or transfer to a regional processing country. There are approximately another 200 people identified as being affected who are in the primary assessment stage of processing. There are an additional 400 people affected at the review stage. 4. All persons affected by the data breach have been notified by the department by letter. Acknowledgement that this letter has been sent has been recorded in ICSE. Advice 5. A client of interest (COI) note was recorded in ICSE for all affected persons. If a COI note is not recorded in ICSE then the person was not on the list that was made publically available. If there is any information to suggest that the COI note is not accurate (including that the person claims to have been in detention as at 31 January 2014) then the information should be referred to the Onshore Protection branch for advice. The Data Breach policy also stated that all applicants affected had been informed in writing and that it was the responsibility of the applicant to raise a claim relating to the breach. When assessing protection claims in relation to the Departmental data breach, case officers were instructed to act on the basis that the applicant's personal information released on the Department's website may have been accessed by the authorities in the receiving country. (c) An undated Departmental computer screenshot which showed that the appellant was recorded as a "Client of Interest" and which stated: Client was in detention on 31/01/2014 and as such maybe affected by the unintentional access to personal information in the public domain. Officers to consult relevant guides for advice. 9 In evidence given before the Federal Circuit Court, the appellant deposed that he had only become aware of the specifics of what information was leaked in the Departmental data breach, and the relevance of it to his case, since being advised by his solicitor (I infer, at about the time that the appellant filed an amended application for judicial review in the Federal Circuit Court in September 2019). The appellant deposed that, sometime in mid-2015, but prior to the appellant's release from detention in October 2015, an unspecified person, presumably nominated by the Department, came to the appellant's detention centre and spoke to asylum seekers, as a group, to inform them that there had been an accidental leak of asylum seekers' details on the internet. Otherwise, the appellant deposed that he did not receive any details, in writing, in respect of the Departmental data breach or any specific invitation to comment on any personal implications of it, for him, if he were to be returned to Vietnam. The appellant deposed that he did not make any claim in relation to the Departmental data breach in his statement of claims or in his protection visa interview with the Department because a lot of time passed before he was invited to apply for a protection visa and he did not remember that he had been informed about the Departmental data breach and he did not understand the importance of the data breach or how it was relevant to his case. As noted above, the appellant was not cross-examined on that evidence and the Minister did not adduce evidence to contradict it. It appears that the primary judge accepted that evidence. 10 Having regard to the evidence adduced by the appellant before the Federal Circuit Court, which appears to have been accepted by the primary judge, I proceed on the basis that the facts are: (a) the appellant's personal information was the subject of the Departmental data breach (by reason of the existence of the "Client of Interest" record in respect of the appellant), such that it is possible that that information was accessed by authorities in Vietnam; and (b) in breach of its policy, the Department failed to advise the appellant of the data breach in writing, and only advised the appellant orally in mid-2015, as part of a group of asylum seekers, that there had been an accidental leak of asylum seekers' details on the internet. 11 On 30 November 2015, the Department wrote to the appellant advising him that the Minister had exercised the power in s 46A(2) of the Act to allow the appellant to apply for a temporary protection visa or a safe haven enterprise visa. 12 On 13 April 2016, the appellant applied for a safe haven enterprise visa on the following grounds: (a) He was a practising Roman Catholic, who had regularly participated in church and community activities whilst in Vietnam. (b) He had taken part in masses and church protests, which were critical of the government and which had come to the notice of the army. (c) His mother had attended one such mass and had been beaten by soldiers, sustaining injuries, which had led to her death. (d) He had sent petitions to the government, complaining about the action of the authorities in respect of his mother. (e) As a consequence, he had come to the notice of the police, who had requested he attend for questioning. (f) As a consequence, he had gone into hiding. (g) In January 2013, he had returned to his home. He discovered that one of his siblings had been interrogated and tortured to ascertain his whereabouts. (h) These various matters had resulted in him leaving Vietnam illegally. 13 The appellant attended a protection visa interview with the Department on 23 January 2017. It was common ground that neither the appellant nor the Departmental officers present referred to the Departmental data breach at that interview. 14 On 3 March 2017, a delegate of the Minister refused the application and provided a copy of the delegate's reasons to the appellant. The delegate did not accept that the appellant has a profile of interest to the Vietnamese authorities based on his religious activities or that the appellant had experienced or suffered any harm whilst living in Vietnam on account of his Catholic faith. The delegate concluded that, based on country information and the available evidence, there is no real chance that the appellant would suffer serious harm in Vietnam as a consequence of his Catholic religion. In relation to the Departmental data breach, the reasons stated: The applicant was affected by the departmental privacy breach that occurred in 2014. The applicant did not raise this claim in his written statement or during the PV interview. He has not claimed the Vietnamese authorities would be aware he has sought asylum in Australia as a result of the data breach. 15 The above statement appears to assume that the appellant had been notified in writing of the Departmental data breach, in accordance with the Data Breach policy. On the facts now known, the appellant had not been so notified. It follows that the above conclusion involved unfairness to the appellant. 16 The delegate's reasons stated the extent of the Departmental data breach in the following terms: The applicant departed Vietnam illegally in April 2013 and arrived in Australia on 5 May 2013. The applicant was in detention when the data breach occurred. In early 2014, the Department inadvertently published a document on its website that tabulated details regarding a number of people in immigration detention on 31 January 2014. This information included detainees' names, nationalities, dates of birth, and means of arrival in Australia. The document did not disclose the reasons for detention, nor did it provide information regarding detainees' claims for protection. This publishing error will be referred to as the "data breach" from here on in this assessment. The applicant was one of those individuals affected by the 2014 data breach. I accept the applicant departed Vietnam illegally and was in Immigration detention at the time of the departmental data breach. 17 Although the delegate noted that the appellant had made no claim based on the data breach, the delegate nevertheless considered the risk of the appellant suffering harm by reason of the data breach. The delegate concluded as follows: Imputed Political Opinion - data breach and implications if returned In 2014 confidential departmental information briefly became accessible. The applicant did not claim in his written statement or during the PV interview any fears associated with the departmental data breach. As the applicant was involved in the data breach and there is no evidence to support that the Vietnamese authorities were aware of the data breach and accessed the applicant's information, the possibility cannot be discounted. DFAT Country Information Report Vietnam, 31 August 2015 reports that: "Vietnamese nationals who depart the country unlawfully, including without travel documents may be subject to a fine upon return". Notwithstanding this, DFAT assesses that persons who paid money to people smugglers are viewed by the government as victims of criminal activity. Whilst some returnees may be detained and questioned, long term detention and investigation is towards those that are suspected to be involved in organising people smuggling. Although "Fleeing abroad or defecting to stay overseas with a view to opposing the people's administration" is an offence in Vietnam under Article 91 of the Penal Code 1999, DFAT is unaware of any cases where this provision has been used against failed asylum seekers. People returned to Vietnam are usually done so on the understanding that they will not face charges as a result for having made asylum applications. Considering the above information, and based on the fact the applicant has not been involved in any high level political or dissident activity whilst in Vietnam, any high level political activity in Australia, nor been involved in people smuggling activities, I do not accept the applicant's details are of interest to the Vietnamese authorities. Considering the above, I am not satisfied the applicant has a well-founded fear of persecution on account of the departmental data breach. 18 While the evidence indicates that the appellant was, in practical terms, unaware of the Departmental data breach prior to the delegate's decision, the appellant was made aware of that matter and its potential implications on receipt of the delegate's reasons on 3 March 2017. 19 On 8 March 2017, the Authority wrote to the appellant informing him that the delegate's decision had been referred to the Authority for review. The letter stated: The Department of Immigration and Border Protection (the department) has provided us with all documents they consider relevant to your case. This includes any material that you provided to the departmental officer before they decided to refuse you a protection visa. The IAA will proceed to make a decision on your case on the basis of the information sent to us by the department, unless we decide to consider new information. We can only consider new information in limited circumstances, which are explained in the attached factsheet and Practice Direction. 20 The "factsheet" attached to the letter contained information concerning the conduct of a review by the Authority. Relevantly, it provided the following information: Can I provide new information to the IAA? We can only consider new information if there are exceptional circumstances to justify considering the new information. New information is information that is relevant and was not before the department when it made its decision. If there is new information you want us to consider, you must also provide an explanation why the information: • could not have been provided to the department before it made the decision to refuse you a protection visa, or • is credible personal information that, had it been known to the department, may have affected the department's decision. This explanation should be no longer than 5 pages and accompany any new information you give us. Any new information we have not requested must be given to us within 21 days of your case being referred to us by the department. In very limited circumstances, we may invite you to give us new information or comments about your case in writing or at an interview. Can I make a submission to the IAA? You can provide a written submission on: • why you disagree with the department's decision, and • any claim or matter you presented to the department that was not considered. Your submission should be no longer than 5 pages and given to us within 21 days of your case being referred to us by the department. 21 The Practice Direction attached to the letter stated that it contained requirements for applicants and their representatives to follow when dealing with the Authority. Relevantly, it provided the following information: Submissions and new information 20. For the purposes of the review, you may provide a written submission on the following: • why you disagree with the decision of the Department • any claim or matter that you presented to the Department that was overlooked. 21. Any submission must be concise. It should identify and address the issues you want us to consider in our review. Your submission should: • be no longer than 5 pages, • be easily legible using a font size of at least 11 point with standard margins of at least 2.54cm, and • should be provided to us within 21 days of your case being referred to us by the Department. .... 23. We can only consider new information (information that was not before the Department) in very limited circumstances as set out in section 473DD of the Migration Act. We must be satisfied that there are exceptional circumstances to justify considering the new information provided by either you or the Department. … 28. Any new information you give to us that we have not requested of you, must be given to us within 21 days of the date on which your case was referred to us by the Department. Any new information given to us by the Department that has not been requested, must also be given to us within 21 days of the referral. 29. We may separately invite you to provide new information or to comment on new information that may be adverse to your case. • If we invite you to provide new information, you must provide that information within the period specified in the invitation. • If we invite you to make comments on new information, you must provide those comments within the period specified in the invitation. 22 By his affidavit evidence in the Federal Circuit Court, the appellant deposed that he had sought assistance from Sister Pat Sealey who was a migration agent, and had sent certain documents to Sister Sealey that corroborated his claims to fear harm in Vietnam with the intention that Sister Sealey would lodge a submission and the documents with the Authority on the appellant's behalf. As found by the primary judge (at [61]), those documents comprised: (a) A statutory declaration of the appellant dated 16 March 2017, in which he advised that he was waiting for his sister to send him the following documents: (i) a summons allegedly issued in respect of the appellant by the Communist police; (ii) a statutory declaration from a Catholic priest in Vietnam, detailing the treatment allegedly received by him in Vietnam; and (iii) a medical report concerning his brother. (b) A summons dated 5 August 2012 under the hand of the Chief of the relevant police ward, directing that the appellant attend at a police station to explain his involvement in an incident of public order disturbance which occurred at the church of Nghi Tan and Thu Thuy. (c) A certificate of sacrament in respect of the appellant dated 14 March 2017. (d) A statement of the appellant's sister supporting his claim that the appellant was a participant in a demonstration on 6 July 2012, during which he was targeted by local police. 23 The appellant acknowledged that he did not raise with Sister Sealey any claim based on the Departmental data breach (and, consequentially, did not seek to raise any such claim with the Authority). The appellant deposed that Sister Sealey failed to provide the appellant's documents to the Authority. However, the appellant did not raise the alleged failing of his migration agent as a ground of review before the Federal Circuit Court. In any event, Sister Sealey's failings in that regard did not cause the appellant to lose an opportunity to raise a claim based on the Departmental data breach because the appellant had not raised that matter with Sister Sealey. 24 On 9 June 2017, the Authority affirmed the delegate's decision to refuse the grant of a protection visa and provided a copy of the Authority's reasons to the appellant. In the reasons, the reviewing member stated that she had had regard to the material referred by the Secretary under s 473CB of the Act and that no further information was obtained or received in the review. In relation to the Departmental data breach, the reasons of the Authority state as follows: Although not raised by the applicant, the delegate noted that in February 2014, a report released on the Department of Immigration's website unintentionally enabled access to certain personal information about people who were in Immigration Detention on 31 January 2014. That data breach was removed from the website. The delegate has stated that as the applicant was in detention on 31 January 2014, his personal information (name, date of birth, nationality, gender, detention details and details of any other family members in detention) may have been accessed from the Department's website during the period of the data breach. I accept that the applicant's details would have been available on the website at that time and may reveal that he has sought asylum in Australia. Details of his claims for protection would not however have been available. There is no evidence before me that suggest that the information was accessed by the Vietnamese authorities. I nevertheless accept that the applicant may be identifiable on re-entry as a person who sought asylum in Australia. 25 The member's findings with respect to the appellant's claims were materially the same as the delegate's findings. Relevantly, the member concluded that there is not a real chance of the appellant suffering serious harm on the basis of his Catholic faith, nor on the basis that he departed Vietnam illegally, that he has spent time in Australia or that he unsuccessfully sought asylum in Australia.

Consideration of appeal 40 I accept the Minister's submissions. 41 Part 7AA establishes a limited form of review for certain types of migration decisions described as "fast track reviewable decisions". Section 473CA stipulates that the Minister must refer a fast track reviewable decision to the Authority as soon as reasonably practicable after the decision is made. Section 473CB stipulates the information that must be given to the Authority in respect of each fast track reviewable decision that is referred to it. Section 473CC provides that the Authority is required to review the Minister's decision and either affirm or remit the decision for reconsideration. It is implicit in the concept of a review that the Authority may reach different findings of fact to the Minister. 42 The conduct of a review under Pt 7AA is subject to the provisions of Div 3 of the Act. Those provisions govern matters such as the applicable scope of the natural justice hearing rule and the manner in which the Authority may inform itself in conducting the review. 43 Subsection 473DA(1) stipulates that Div 3 of Pt 7AA, together with ss 473GA and 473GB, is taken to be an exhaustive statement of the requirements of the natural justice hearing rule in relation to reviews conducted by the Authority. 44 Section 473DB stipulates that, subject to Pt 7AA, the Authority must review a fast track reviewable decision referred to it by considering the review material provided under s 473CB without accepting or requesting new information and without interviewing the referred applicant. In other words, the review is to be conducted "on the papers". However, s 473DC empowers the Authority to seek documents or information that were not before the Minister when the Minister made the decision under s 65 and that the Authority considers may be relevant. The discretion conferred on the Authority by that section is subject to the implied condition that it be exercised within the bounds of reasonableness in the sense explained in Minister for Immigration and Citizenship v Li (2013) 249 CLR 332 (Li): see Plaintiff M174/2016 v Minister for Immigration and Border Protection (2018) 264 CLR 217 at [21] per Gageler, Keane, and Nettle JJ and at [86] per Gordon J. The content of the constraint of reasonableness in this legislative context is informed by the legislative features of the scheme of review set out in Pt 7AA: Minister for Immigration and Border Protection v Stretton (2016) 237 FCR 1 at [11] per Allsop CJ, Griffiths and Wigney JJ agreeing; SZVFW at [59] per Gageler J. 45 Section 473DD contains further restrictions on the power of the Authority to consider new information when conducting the review. It stipulates that the Authority must not consider new information unless it is satisfied that there are "exceptional circumstances" and, in relation to new information given or proposed to be given by the referred applicant to the Authority, the referred applicant has satisfied the Authority that the information was not and could not have been provided to the Minister before the Minister made the primary decision and the information is credible personal information which was not previously known and, had it been known, it may have affected the consideration of the referred applicant's claims. 46 On a number of occasions, the Court has considered whether a failure by the Authority to seek additional information from a visa applicant under s 473DC when conducting a review is unreasonable in the legal sense. Each case turns on its own facts. However, it is possible to distil the following principles from the decisions: (a) The legislative scheme of review established by Pt 7AA (review by the Authority) differs from the legislative scheme of review established by Pt 7 (review by the Administrative Appeals Tribunal). In particular, under Pt 7, the Administrative Appeals Tribunal must invite the applicant to appear before the Tribunal to give evidence and present arguments. In those circumstances, procedural fairness requires the Tribunal to inform the applicant of potentially adverse conclusions that are not obvious on the materials and the nature and content of the adverse material: SZBEL v Minister for Immigration and Multicultural and Indigenous Affairs (2006) 228 CLR 152 at [32]. However, those principles are not directly applicable to a review under Pt 7AA given the different statutory requirements for the review. Pt 7AA of the Act is an "exhaustive statement of the requirements of the natural justice hearing rule in relation to reviews by the Authority": DGZ16 at [69] per Reeves, Robertson and Rangiah JJ. (b) As a general proposition, Pt 7AA contemplates that the Authority will evaluate for itself the material considered by the delegate and the Authority is not required to notify the referred applicant that it is considering taking a different view, which may be adverse to the referred applicant, of the material considered by the delegate: DGZ16 at [72]. That is so even if the Authority makes an adverse credibility finding against the referred applicant on the basis of the evidence: DYK16 v Minister for Immigration and Border Protection (2018) 267 FCR 69 at [74] per Collier, Middleton and Rangiah JJ. It is open to the Authority to reach a decision based on the review material even if the referred applicant is unaware of the significance of that material: CCQ17 v Minister for Immigration & Border Protection [2018] FCA 1641 at [55]-[57] per Thawley J. (c) However, circumstances may arise in which it would be legally unreasonable for the Authority to make a finding adverse to the applicant without exercising its powers to seek further information from the applicant. Legal unreasonableness is not to be assessed through the lens of procedural fairness to the applicant; rather, a conclusion in this regard requires close focus upon the particular circumstances of exercise of the statutory power: Minister for Home Affairs v DUA16 [2020] HCA 46; 385 ALR 212 at [26] per Kiefel CJ, Bell, Keane, Gordon and Edelman JJ, citing CRY16 at [67] and Li at [76]. An example is afforded by CRY16. The Authority had purported to determine the review on the basis that it was reasonable for the applicant to relocate to a particular part of his home country. However, that possibility had never been put to the applicant, before or during the review conducted by the Authority. The Full Court concluded that it was legally unreasonable for the Authority not to seek further information from the applicant in circumstances where the Authority knew that it did not have, but the applicant was likely to have, information on his particular circumstances and the impact upon him of relocation (CRY16 at [82] per Robertson, Murphy and Kerr JJ). CRY16 was a case where additional information (as to the reasonableness of relocation) was "necessary in order to complete the review": DGZ16 at [70]. (d) Similarly, the case of Minister for Immigration and Border Protection v DZU16 (2018) 253 FCR 526 concerned a decision of the Authority to affirm the refusal of a visa application on the basis that the visa applicant could relocate to another area within his home country. The Authority had considered new country information in determining the visa applicant's ability to relocate (to an area of his home country other than that considered by the delegate at first instance). The Full Court (Robertson, Murphy and Kerr JJ) applied CRY16 in finding that it was legally unreasonable for the Authority not to have considered whether to exercise its discretion under s 473DC of the Act to invite the visa applicant to an interview to give new information in respect of whether relocation to that area was practicable (at [81], [85]). (e) Another example is afforded by DPI17 v Minister for Home Affairs (2019) 269 FCR 134 (DPI17). In that case, the delegate had made a positive assessment of the appellant's demeanour at the interview and the delegate's acceptance of certain claims by the delegate was based primarily on the delegate's assessment of the appellant's demeanour (DPI17 at [46]). Further, during the course of the delegate's interview with the applicant, the delegate indicated that certain discrepancies in the applicant's evidence were not major and that she would not put a lot of weight on those discrepancies. In reliance upon those statements, the applicant did not address the inconsistencies in his post-interview submissions to the delegate. The Authority reviewed the decision and made various credibility findings adverse to the applicant based on the discrepancies in the evidence. The Full Court found that, in circumstances where the Authority must have been aware of the delegate's positive assessment of the applicant's demeanour in the interview, it was legally unreasonable for the Authority not to consider exercising its power under s 473DC to invite the applicant to give new information when it was minded to give weight to the discrepancies in the applicant's evidence and come to a different conclusion on the claim (at [46] per Griffiths and Steward JJ and [58] per Mortimer J). (f) In ABT17 v Minister for Immigration and Border Protection (2020) 269 CLR 439, the Authority listened to an audio recording of an interview that the delegate had conducted in person with the appellant. The Authority affirmed the delegate's decision, and in doing so rejected a central part of the appellant's account which the delegate had accepted as plausible. The majority of the High Court (Kiefel CJ, Bell, Gageler and Keane JJ) held (at [24]-[25]) that while the Authority is not required to interview a referred applicant merely because credibility is in issue, the Authority will be found to have acted unreasonably if, without good reason, it does not invite a referred applicant to an interview in order to gauge his or her demeanour for itself before it decides to reject an account given by the referred applicant in an audio recorded interview, and accepted by the delegate, wholly or substantially on the basis of its own assessment of the manner in which that account was given. (g) Most recently, in DVO16 v Minister for Immigration and Border Protection [2021] HCA 12; 388 ALR 389, the plurality (Kiefel CJ, Gageler, Gordon and Steward JJ) made the following observations about the potential for the Authority to breach the reasonableness condition in connection with its power to seek further information (at [20]): Faced with translation errors in a recording of a protection interview revealed or suggested by the review material provided by the Secretary, considered alone or in light of such submissions as might be made on behalf of the referred applicant during the course of the review, the Authority would have the potential to breach the reasonableness condition implied into its powers to get and consider new information were it to fail to exercise those powers to interview the referred applicant and then to consider the referred applicant's testimony as correctly translated. Equally, the Authority would have the potential to breach the reasonableness condition implied into its duty to review the referred decision by considering the review material were it to make findings adverse to the referred applicant with knowledge of translation errors without having exercised its procedural powers to get and consider new information which might address those errors. 47 In BWY17 v Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs [2021] FCA 860 (BWY17), Snaden J considered similar circumstances to the present involving the Departmental data breach. In that case, the appellant had been made aware of the existence of the data breach prior to the delegate's decision. The appellant's complaint was that he was not given any opportunity to advance submissions in respect of the data breach after the Authority took into account new information in the form of an article published by the Guardian Australia newspaper which referred to the data breach. Justice Snaden observed that the Guardian article was of limited significance and did not add to what was already known about the data breach (at [45]). His Honour stated (at [46]) that: In order that its failure to get, or consider getting, new information from the appellant might be impugned as legally unreasonable, it must first be shown that the Authority must have had reason to believe that he possessed some relevant information relating to the data breach that might assist in conducting its review. Absent some belief, or basis for belief, of that kind, it could not be said that the only course reasonably open to the Authority was to obtain, or consider obtaining, that new information. If all that existed was a mere possibility that the appellant might have something useful to say that had not already been said, the Authority's failure to extend, or consider extending, to him an invitation to say it would fall short of the threshold of legal unreasonableness. 48 In my view, the decision of the Authority not to invite new information in respect of the Departmental data breach cannot be characterised as legally unreasonable in the circumstances of this case. The Authority considered the same information in respect of the Departmental data breach that was before the delegate, and reached largely the same conclusion in respect of that information. This is not a case like CRY16, where the Authority knew that it did not have information on the appellant's circumstances that was necessary to perform its review, and knew that the appellant would be likely to have that information. Here, the Authority had no reason to believe that the appellant possessed new information relating to the Departmental data breach that was necessary for the Authority to consider as part of its review: BWY17 at [46]. 49 As stated above, accepting that the appellant was relevantly unaware of the Departmental data breach prior to the delegate's decision, he was made aware of that matter and its potential implications upon receipt of the delegate's reasons on 3 March 2017. That letter included a fact sheet that indicated the appellant could provide the Authority with new information, and that information would be considered if there were exceptional circumstances to justify its consideration. Therefore, upon becoming aware of the Departmental data breach when he received the delegate's reasons, it was open to the appellant to request that the Authority consider new information in relation to the Departmental data breach in its review, pursuant to s 473DD. In circumstances where the appellant did not himself raise new information relating to the Departmental data breach, and where there was nothing before the Authority to prompt the view that new information needed to be sought, I do not consider that the Authority acted in a legally unreasonable manner by not asking the appellant for new information. 50 In light of my conclusion that the Authority did not act in a legally unreasonable manner, it is unnecessary to consider the materiality of any such alleged error.

At a glance

Court

Decision date

Before

Source

Judgment (8 paragraphs)

Parties

Legislation Cited (2)

Cases Cited (16)

Cited By (1)