SZSSJ v Minister for Immigration and Border Protection

REASONS FOR JUDGMENT THE COURT: 1 The applicant seeks an extension of time and leave to appeal from a decision of the Federal Circuit Court of Australia (FCCA) which was delivered on 20 June 2014 (SZSSJ v Minister for Immigration & Anor [2014] FCCA 1379). The FCCA upheld the Minister's submission that it lacked jurisdiction to entertain the applicant's judicial review application on the ground that the applicant had failed to identify "a migration decision" which enlivened the FCCA's jurisdiction. 2 Before summarising the FCCA's reasons for making that decision, it is convenient to outline the background facts.

Summary of background facts 3 The applicant is a citizen of Bangladesh. He arrived in Australia on a student visa on 27 May 2005. He remained in Australia after his student visa expired. He was placed in immigration detention on 3 October 2012 and, shortly thereafter, applied for a protection visa. His application was refused by the Minister's delegate and that decision was affirmed by the Refugee Review Tribunal (the Tribunal) on 19 February 2013. His application for judicial review of that decision was unsuccessful and the High Court refused special leave to appeal. 4 In February 2014, forms of personal information relating to the applicant (and approximately 10,000 other persons who were in immigration detention as at 31 January 2014) were inadvertently disclosed on the Department of Immigration and Border Protection's (the Department's) public website (the Data Breach). In an affidavit sworn by the applicant in support of his application before us, the applicant deposed that he became aware of the Data Breach from newspaper reports. He commenced his judicial review proceedings on 7 March 2014, presumably because he feared being removed from Australia before the full ramifications of the Data Breach were known and acted upon. 5 It is evident that on 12 March 2014 the Department wrote in substantially similar terms to all detainees who were affected by the Data Breach. The applicant denies ever being provided with a copy of the pro forma letter. His Departmental Case Manager swore an affidavit in the proceedings before us in which she said that she recalled a copy of the 12 March 2014 letter being handed to the applicant in the period between 12 and 27 March 2014. She also recalled the applicant taking a copy but then refusing to sign a letter acknowledging that he had received the same. 6 The letter dated 12 March 2014 was in the following terms: 12 March 2014 Unauthorised access to personal Information In February 2014 a routine report released on the department's website unintentionally enabled access to some personal information about people who were in immigration detention on 31 January 2014. This information was accessible online for a short period of time before it was removed from the department's website. The information was not visible as part of the report, and was not easily accessible. As you were in immigration detention on 31 January 2014, I am informing you that some of your personal information may have been accessed through the report for that short time. We deeply regret inadvertently allowing potential unauthorised access to your personal information. The department takes privacy very seriously, and has in place a range of policies and procedures to ensure that personal information is managed properly. The information was never intended to be in the public domain, and the department has taken a number of steps to ensure that this sort of incident does not happen again. The information that it was possible to access was your name, date of birth, nationality, gender, details about your detention (when you were detained, reason and where) and if you have other family members in detention. The information did not include your address (or any former address), phone numbers or any other contact information. It also did not include any information about protection claims that you or any other person may have made, and did not include any other information such as health information. The department will assess any implications for you personally as part of its normal processes. You may also raise any concerns you have during those processes. If you would like to seek more information about the incident, talk to your case manager. Yours sincerely ### Secretary Department of Immigration & Border Protection 7 It is to be noted that the applicant was informed that personal information relating to him (and other detainees) "was accessible online for a short period of time" and that some of his personal information "may have been accessed through the report for that short time". He was also advised that the Department "will assess any implications for you personally as part of its normal processes" (emphasis added) and he was told that he could raise any concerns he had during those processes. 8 In his affidavit below, the applicant said that towards the end of 2013, his Case Manager "forced" him to sign documents which authorised the Department to contact the Bangladeshi High Commission in Canberra to have his passport renewed. It is evident that this gave rise to an apprehension on his part that he was going to be removed from Australia to his country of origin. The applicant also claimed that from February 2013 to March 2014, the Tribunal had published its decision which rejected his application for review of the decision to refuse him a protection visa. 9 The applicant deposed before us that around 27 June 2014 he received a letter from the Department. The letter referred to the notification given in March 2014 relating to the Data Breach and confirmed that the implications for the applicant personally were being assessed as part of "the department's normal processes". Reference was also made to the judicial review proceedings which the applicant had commenced in the FCCA. He was invited to put in writing any information relating to the impact of the Data Breach on him personally. He was also told that if he had any particular concerns about the impact of the Data Breach on him being returned to his home country he should provide specific reasons and details for those concerns. He was told that if no response was given to that invitation within 14 days, the Department would proceed on the basis of the information provided in support of his judicial review application. He was told that he would be advised of the outcome of the assessment of his claims relating to the Data Breach in due course and that if the assessment was adverse and there were no ongoing matters before the courts or the Department, he would be expected to leave Australia. That information is consistent with there being a clear prospect that the applicant might be involuntarily removed from Australia if he elected not to go voluntarily. 10 The applicant responded to that invitation by a letter dated 4 July 2014 in which he claimed that the 14 day period was unreasonable. He asked that a lawyer be made available to assist him in what he described as "a quite complicated task to put my case on the issue". He referred to the fact that he had complained to the Privacy Commissioner about the Data Breach and that he feared a real risk of harm because of the Data Breach were he to be returned to his home country. He alleged that the Department had breached s 336E of the Migration Act 1958 (Cth) (the Act) by revealing his name and personal details on the internet and that the Department had a conflict of interest because of this breach. He also said that "there is no possible way of determining who has accessed and/or saved my personal information" and that there was no way of knowing from whom he faced a real risk of harm as the information "may go well beyond the authorities, insurgents and paramilitaries in my home country, including foreign security and intelligence agencies". 11 The applicant deposed that he wrote a letter dated 11 July 2014 to the Minister. He said that he needed further information before he could respond to the Department's letter referred to in [9] above. He asked the Minister to explain how such a serious breach of privacy had occurred and what measures had been taken to prevent a recurrence. 12 He received a reply to that letter from a Departmental officer, writing on the Minister's behalf. He was told that the Data Breach had been rectified and that a number of steps had been taken to avoid a recurrence but that, as "these steps are now part of the data security process, I am not able to comment further on this matter". He was told that the responses he had provided in his letters dated 4 and 11 July 2014, together with this response, "will also be placed on your client file for consideration" and that the Department "will assess any implications for you personally as part of its normal processes". He was again invited to raise any concerns he had during those processes. 13 The applicant also deposed that he had received a further letter dated 1 October 2014 from the Department. It advised him that: (1) on 30 September 2014 the Department had commenced what was described as "an International Treaties Obligations Assessment" (ITOA), "in order to assess whether the circumstances of your case engage Australia's non-refoulement obligations"; (2) any "protection claims you may have in relation to this breach of your personal data will now be assessed through this ITOA"; and (3) the ITOA would consider Australia's non-refoulement obligations under the 1951 Convention relating to the Status of Refugees as amended by the 1967 Protocol, the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment and the International Covenant on Civil and Political Rights and its Second Optional Protocol. 14 The letter also made general reference to "various provisions" of the Act which were said to contain "concepts relevant to assessing the non-refoulement obligations arising under the above treaties and reflect Australia's Interpretation [sic] of those obligations" and that, accordingly, "this assessment will use relevant provisions contained in the Act, even though this is not an assessment of a protection visa application". (Emphasis added) 15 The applicant was advised by the letter that his earlier protection claims would be considered as part of the overall ITOA and that he could submit further information within 14 days as part of that assessment if he wished. 16 The applicant deposed that, apart from the communications described above, he had not had any further communication from the Minister or the Department about the Data Breach. 17 In his affidavit before us, the applicant deposed that in late September 2014 his new Case Manager asked him whether he was willing to leave Australia voluntarily. He says that he was also told that once his court case was finished, the Minister would be making a decision regarding the matters raised in the Department's letter dated 1 October 2014. He says that he was told that, despite his complaint to the Privacy Commissioner regarding the Data Breach, the Minister could still decide to remove him. 18 The applicant attached to his affidavit before us a copy of an abridged report dated 20 May 2014, which had been prepared by KPMG on the Data Breach at the Department's request. An earlier and fuller report had been prepared by KPMG and provided to the Department on 5 April 2014. The abridged report was apparently prepared at the Department's request for "an abridged factual report which may be appropriate for public release". Key relevant statements in the abridged report include: "the potential data access and distribution is widespread, with 123 'hits' on the document from 104 unique IP addresses. Analysis of available data has provided the DIBP with some indication of the likelihood of each IP address having access to the personal information of detainees" (p 4); The material which had inadvertently been uploaded to the Department's website was accessible for nine days (from 10 - 19 February 2014) until it was removed after the Department was told by the Guardian newspaper of the disclosure (pp 6 and 8); and "It is not in the interests of detainees affected by this incident to disclose further information in respect of entities to [sic] have accessed the Document, other than to acknowledge that access originated from a range of sources, including media organisations, various Australian Government agencies, internet proxies, TOR network and web crawlers" (p 10).