HYYL and Privacy Commissioner

[2023] AATA 2961

13 September 2023

HYYL and Privacy Commissioner [2023] AATA 2961 (13 September 2023)

Division: Freedom of Information Division

File Number(s): 2021/1143

Re: HYYL

APPLICANT

And WP

APPLICANT

And Privacy Commissioner

RESPONDENT

And Secretary, Department of Home Affairs

JOINED PARTY

DECISION

Tribunal: Justice Melissa Perry, Deputy President

Date: 13 September 2023

Place: Sydney

The Tribunal orders that:

1. Pursuant to s 43(1)(a) of the Administrative Appeals Tribunal Act 1975 (Cth), Declaration 4 of the Determination made by the respondent on 11 January 2021 (the Determination) is set aside and the following is made in its place:

The members of the class who:

(a)  did not provide a submission and/or evidence to the Office of the Australian Information Commissioner (OAIC) within the timeframe specified by the OAIC, and who did not opt out; and

(b)  do not provide a reasonable explanation for not making submissions or providing evidence in response to the January 2018 OAIC notice within 3 months of the publication of a notice by the scheme administrator as described in Annexure A;

have not substantiated that they have suffered loss or damage as a result of the conduct constituting an interference with the privacy of class members and subject of this Determination (the data breach). Pursuant to s 52(1)(b)(iv) of the Privacy Act 1988 (Cth), the Tribunal declares that it would be inappropriate for any further action to be taken in relation to those individuals.

2. Pursuant to s 43(1)(c) of the Administrative Appeals Tribunal Act 1975 (Cth), Declarations 2 and 3 of the Determination are set aside and the following are made in their place:

Each of the participating class members, being:

(a)  the 1,295 class members who made submissions and/or provided evidence of loss or damage to the OAIC within the timeframe specified by the OAIC, and who did not opt out; and

(b)  the class members who establish, within the timeframe prescribed in order 1 above, that they have a reasonable explanation for not responding to the January 2018 OAIC notice and make submissions and/or provide evidence of loss or damage;

is to be paid an amount of compensation worked out in the manner specified in Annexure A to these orders.

3. Pursuant to ss 52(4) and/or 52(5) of the Privacy Act 1988 (Cth), the Department of Home Affairs is to pay:

(a)  the costs of the expert determination process described in Annexure A;

(b)  the costs of translating communications relating to the assessment of compensation for loss and damage arising from the data breach;

(c)   the costs of interpretation/translation services relating to the provision of evidence by those participating class members without a written language and communications with that cohort of class members relating to the assessment of compensation for loss and damage arising from the data breach; and

(d)  for assessments conducted under the compensation assessment scheme described in Annexure A, up to $500 to each participating class member to obtain assistance from a legal practitioner to prepare the participating class member’s evidence or submissions for provision to an expert assessor (to be paid on the participating class member’s provision of an invoice from the legal practitioner).

4. There be liberty to apply to the Tribunal on the basis that the Compensation Assessment Scheme in Annexure A hereto has become incapable of effective implementation in whole or in part.

Annexure A:  Compensation Assessment Scheme

1. Under s 38B(3) of the Privacy Act 1988 (Cth), within 28 days of the appointment of the scheme administrator (as to which, see clause 6(a) below), the scheme administrator is to publish a notice inviting:

(a) the 1,295 class members who made submissions and/or provided evidence of loss or damage to the OAIC within the timeframe specified by the OAIC and who did not opt out (the existing participating class members), to make submissions or submit updated and/or supplementary submissions, and/or evidence of loss or damage to the scheme administrator; and

(b) class members who did not make submissions or provide evidence of loss or damage to the OAIC within the timeframe specified by the OAIC, and who did not opt out (non-participating class members) to submit an application to participate in the compensation scheme described below (the scheme).

2. The notice referred to in clause 1 above is, among other things, to:

(a) be expressed in plain English in a manner intended to facilitate translation to other languages after consultation with one or more qualified and experienced translators;

(b) explain the scheme and relevant timeframes;

(c) give examples of compensable loss and damage, including explaining that non-economic loss for which compensation may be paid includes (but is not limited to) consequences such as fear, distress, anxiousness, loss of sleep, headaches, and mental illness;

(d) give examples of the kinds of evidence which a class member might provide in support of a claim for economic and/or non-economic loss or damage such as a statutory declaration from the class member explaining the impact of the data breach upon them, statutory declarations from family and friends explaining their observations as to the impact of the data breach upon the class member, financial documents supporting any claim of economic loss, and reports from relevant medical practitioners;

(e) explain that verbal evidence with the assistance of a qualified interpreter (if required) may be taken by the scheme administrator upon request by the class member if the class member does not possess the necessary written language skills; and

(f) explain the consequences if the invitation pursuant to clauses 1(a) or (b) above is not taken up by the class member.

3. Any existing participating class member who wishes to make submissions or provide updated and/or supplementary submissions, and/or evidence of loss or damage pursuant to clause 1(a) above is to do so within a period of 3 months of the publication of the notice, unless the existing participating class member requests an extension of time within which to do so and the scheme administrator considers that it is reasonable to allow the existing participating class member an extension of time.

4. Any non-participating class member who wishes to participate in the scheme must submit an application to the scheme administrator within 3 months of the publication of the notice, including:

(a) an explanation as to why the non-participating class member did not make submissions or provide evidence of loss or damage to the OAIC within the timeframe specified by the OAIC; and

(b) the non-participating class member's name, date of birth, client ID and, if applicable, boat ID, to enable the Department of Home Affairs to confirm that the non-participating class member was affected by the data breach.

5. Upon receiving confirmation from the Department of Home Affairs that a non-participating class member who has submitted an application to participate in the scheme was affected by the data breach, the scheme administrator will consider the non-participating class member's application.  If the scheme administrator is satisfied that the non-participating class member has provided a reasonable explanation for not making submissions or providing evidence to the OAIC within the timeframe specified by the OAIC, the scheme administrator is to declare them to be a participating class member (see clause 6 below) who is to be paid an amount of compensation for loss or damage arising from the data breach worked out in the manner described below.

6. Under ss 52(1)(b)(iii) and (4)(a) of the Privacy Act 1988 (Cth), the existing participating class members, as well as class members identified through the process set out in clauses 1(b), 4 and 5 above (collectively referred to as the participating class members), are to be paid an amount of compensation for loss or damage arising from the data breach worked out in the following manner:

(a) A law firm which is independent of the Secretary of the Department of Home Affairs (Other Party) and of class members will be appointed to administer the scheme (the scheme administrator) through the following process:

(i) within 14 days of the publication of the Tribunal's decision, the Department of Finance will prepare a Request for Quote (RFQ) and provide it to the applicants' solicitors for comment;

(ii) the applicants' solicitors will provide any comments on the RFQ to the Department of Finance within 14 days of receipt of the information outlined in clause 6(a)(i) above from the Department of Finance;

(iii) the Department of Finance will consider any comments received from the applicants' solicitors in accordance with clause 6(a)(ii) above in finalising the RFQ;

(iv) within 14 days of receiving any comments from the applicants' solicitors in accordance with clause 6(a)(ii) above, the Department of Finance will issue the RFQ to each of the legal services providers that:

A. are appointed to the Whole of Australian Government Legal Services Panel in the areas of:

1) compensation, damages and personal injury; and

2) freedom of information, privacy and public interest disclosure; and

B. have not represented or advised the Other Party, or the Minister for Immigration, Citizenship and Multicultural Affairs with respect to any matter arising from the data breach or in proceedings related to the grant or refusal of a visa or Australian citizenship; and

C. have not represented or advised any class members in relation to this proceeding; and

(v) the Department of Finance will assess each response to the RFQ on a value-for-money basis, having regard to each provider's expertise and experience, and will identify a provider to act as scheme administrator.

(b) The scheme administrator:

(i) shall administer the scheme fairly, impartially, and reasonably according to its terms, with their duty owed to the Tribunal to take priority over any obligation to a participating class member; and

(ii) must not act as the solicitor for the Other Party, the Commonwealth or any class member in relation to any matter relating to the data breach.

(c) The scheme administrator shall conduct an assessment of each participating class member's submissions and/or evidence, allocate the participating class member into a non-economic loss category set out in the table at Annexure B, and identify the appropriate quantum of compensation (under the heads of economic loss and non-economic loss, where relevant) for the participating class member. For the avoidance of doubt, that quantum may be nil.

(d) On completion of the assessment for each participating class member, the scheme administrator is to provide the assessment and relevant evidence to the participating class member or their representative, and request a response from the participating class member as to whether the class member wishes to make a settlement offer to the Other Party, to be communicated by the scheme administrator. For the avoidance of doubt, the participating class member is not limited to making an offer in the proposed amount identified by the scheme administrator. If the participating class member’s settlement offer is not the same as the amount identified by the scheme administrator, the scheme administrator will provide both the settlement offer and its assessment to the Other Party.

(e) In the event that the participating class member, or their representative, fails to respond to the scheme administrator's assessment within 28 days, the scheme administrator will provide its assessment directly to the Other Party.

(f) Upon receipt of a settlement offer in writing of proposed compensation payable to the participating class member through the scheme, the Other Party may:

(i) accept the participating class member's offer, at which time the parties will enter into a settlement deed, resolving the participating class member's claim by consent; or

(ii) make a counter-offer in writing, which the Other Party will provide to the scheme administrator with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the participating class member's loss or damage.

(g) If the scheme administrator has provided its assessment directly to the Other Party in accordance with clause 6(e) above, the Other Party is to:

(i) consider the scheme administrator's assessment in the same way it would consider a settlement offer received from a participating class member or their representative; and

(ii) either accept the assessment or propose a different amount of compensation for the participating class member, with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the participating class member's loss or damage.

(h) If the Other Party makes a counter-offer in accordance with clauses 6(f)(ii) or 6(g) above, the scheme administrator will provide the Other Party's counter-offer and statement of reasons to the participating class member by email and/or registered post, and will inform the participating class member or their representative in writing as to whether it considers the Other Party's counter-offer to be reasonable. The participating class member may:

(i) accept the Other Party's counter-offer, at which time the parties will enter into a settlement deed, resolving the participating class member's claim by consent; or

(ii) request that the dispute concerning the participating class member's compensation entitlement be resolved by expert assessment. (The Tribunal notes that the Other Party has voluntarily undertaken to agree to have the participating class member’s claim resolved in this manner if the claim has not been settled by this point, meaning that the expert determination stage will be a consensual process adopted between the parties.)

(i) If the participating class member does not respond to the Other Party's counter-offer within 30 days of the counter-offer being sent by email or registered post to the participating class member or their representative, the participating class member will be taken to have agreed to the Other Party's counter-offer.

(j) If a participating class member's compensation entitlement is to be resolved by expert assessment, the scheme administrator will provide the expert with:

(i) the evidence and/or submissions provided by the participating class member to the OAIC;

(ii) the scheme administrator's assessment;

(iii) the participating class member's settlement offer to the Other Party; and

(iv) the Other Party's counter-offer, including the statement of reasons and any further information provided by the Other Party with its counter-offer.

(k) The experts to provide the assessments referred to in clauses 6(h)(ii) and 6(j) above will be agreed upon by the Other Party and the solicitors for the applicants. Appropriately qualified counsel, with relevant skills and at least three years’ experience in legal practice in relevant areas of the law, would be suitable to appoint as an expert in accordance with Appendix D to the Legal Services Directions 2017 (Cth).

(l) The Other Party and the solicitors for the applicants may approach the respondent for assistance in resolving any dispute regarding the choice of experts or the terms of the experts' engagement.

(m) The Other Party is to pay the amount of compensation agreed between the Other Party and the participating class member, or identified by an independent expert pursuant to the process described above, within a reasonable period and to advise the scheme administrator in writing when payment to the participating class member has been made.

Annexure B:  Categories of non-economic loss

| Category | Description | Quantum |
|---|---|---|
| 0 | The individual has not provided a submission and/or evidence that substantiates loss or damage resulting from the data breach. | $0 |
| 1 | Minor loss or damage resulting from the data breach (for example, general anxiousness, fear, anger, stress, worry concern or embarrassment). | $500 - $4,000 |
| 2 | Moderate loss or damage resulting from the data breach (for example, moderate anxiousness, stress, fear, pain and suffering, distress and/or humiliation), which has caused minor physiological symptoms, such as some loss of sleep or headaches. | $4,001 - $8,000 |
| 3 | Major loss or damage resulting from the data breach (for example, major or prolonged anxiousness, stress, fear, pain and suffering, distress, humiliation, loss of sleep, and/or headaches) which has caused psychological and/or physiological harm, and has resulted in a consultation with a health practitioner. | $8,001 - $12,000 |
| 4 | Significant loss or damage resulting from the data breach (for example, the development or exacerbation of a diagnosed psychological or other medical condition), which has resulted in a prescribed course of treatment from a medical practitioner. | $12,001 - $20,000 |
| 5 | Extreme loss or damage resulting from the data breach. | > $20,000 |

[SGD]

Justice Melissa Perry, Deputy President

CATCHWORDS

HUMAN RIGHTS – privacy – data breach – where thousands of individuals in immigration detention had personal details inadvertently published online in an excel spreadsheet by the Department of Home Affairs – where majority of individuals subject to the data breach (class members) were people purporting to seek asylum in Australia – where Office of the Australian Information Commissioner (OAIC) found Department to be in breach of Information Privacy Principles 4 and 7 – where proceedings commenced under s 52 of the Privacy Act as in force at the date of the data breach – where Department issued notice to class members setting out the process by which class members who believed they had suffered loss or damage could establish their eligibility for compensation – finding that notice was inadequate and insufficiently clear to inform class members of the compensation process – finding that a new notice should be issued to class members to provide those with a reasonable explanation for not responding to the previous notice with another opportunity to participate in the compensation scheme

COMPENSATION – whether it is necessary for class members to establish that they have suffered loss or damage for the purposes of compensation under s 52 of the Privacy Act – whether there is power to award compensation merely on the assumption that class members have “objectively” experienced loss and damage as a result of the breach of privacy itself – finding that compensation requires class member to establish that they have suffered loss or damage and cannot be awarded simply by reason of the breach of the Privacy Act – finding that categories of non-economic loss are appropriate setting a range of amounts of compensation for each category save for the most extreme cases where compensation is uncapped

COMPENSATION – question of which law firm is the correct and preferable administrator of the compensation assessment scheme – whether the applicants’ lawyers (Slater & Gordon), Department’s lawyers (Clayton Utz) or an independent law firm should be scheme administrator – finding that scheme administrator should be an independent law firm with appropriate expertise in personal injury and privacy law – finding that scheme administrator should be selected by a procurement process from the Australian Government Legal Services Panel but not act for the Department or Minister for Immigration with respect to any matter arising from the data breach or in proceedings relating to visa applications and citizenship – where scheme should allow disputes over compensation assessments to be resolved by negotiation at first instance, and subsequently (if dispute is not resolved) be referred to expert determination – where Department is to pay for translation and interpretation assistance during operation of scheme 

LEGISLATION

Administrative Appeals Tribunal Act 1975 (Cth) ss 30(1A), 35, 41(2), 43
Australian Human Rights Commission Act 1986 (Cth) s 46PO
Federal Court of Australia Act 1976 (Cth) Pt IVA, s 33ZF
Migration Act 1958 (Cth) ss 48A, 48B
Privacy Act 1988 (Cth) ss 14, 16, 36, 38B, 52 (compilation start date of 1 July 2013)
Privacy Act 1988 (Cth) ss 52(3A), 96
Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) Sch 6 items 14, 18
Public Governance, Performance and Accountability Act 2013 (Cth) s 15
Racial Discrimination Act 1975 (Cth)
Sex Discrimination Act 1984 (Cth)
Legal Services Directions 2017 (Cth)
Civil Liability Act 2002 (NSW)
Data Protection Act 2018 (UK)
Human Rights Act 1998 (UK)

CASES

Alcan (NT) Alumina Pty Ltd v Commissioner of Territory Revenue (NT) [2009] HCA 41; (2009) 239 CLR 27
Application 1421375 [2015] RRTA 59
Livingstone v Raywards Coal Company [1880] 5 App Cas 25
Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63; (2001) 208 CLR 199
BMW Australia Ltd v Brewster [2019] HCA 45; 269 CLR 574
Campbell v MGN Ltd [2004] 2 AC 457
Casey v DePuy International Ltd (No. 2) [2012] FCA 1370
Certain Lloyd’s Underwriters v Cross [2012] HCA 56; (2012) 248 CLR 378
Construction, Forestry, Maritime, Mining and Energy Union v Australian Building and Construction Commissioner (The Bay Street Appeal) [2020] FCAFC 192; (2020) 282 FCR 1
Frugtniet v Australian Securities and Investments Commission [2019] HCA 16; (2019) 266 CLR 250
Gulati v MGN [2015] EWHC 1482 (Ch)
Hall v A & A Sheiban Pty Ltd [1989] FCA 65; (1989) 20 FCR 217
Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333
March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506
Maynes v Casey [2011] NSWCA 156
Minister for Immigration and Border Protection v SZSSJ [2016] HCA 29; (2016) 259 CLR 180
NWFQ and Privacy Commissioner [2019] AATA 1302
Pharm-a-Care Laboratories Pty Ltd v Commonwealth of Australia (No 6) [2011] FCA 277
Plenty v Dillon [1991] HCA 5; (1991) 171 CLR 635
R v Australian Broadcasting Tribunal; Ex parte Hardiman (1980) 144 CLR 13
Richardson v Oracle [2014] FCAFC 82; (2014) 223 FCR 334
Rummery v Federal Privacy Commissioner [2004] AATA 1221; (2004) 85 ALD 368
Sands v South Australia [2013] SASC 44
Vincentia MC Pharmacy Pty Ltd v Australian Community Pharmacy Authority [2020] FCAFC 163; (2020) 280 FCR 397
Wotton v State of Queensland (No 5) [2016] FCA 1457; (2016) 157 ALD 14

SECONDARY MATERIALS

Australian Law Reform Commission’s report on Australian Privacy Law and Practice (2008)
Jason Varuhas, Damages and Human Rights (2016) Ch 2
Judicial Council on Cultural Diversity, Recommended National Standards for Working with Interpreters in Courts and Tribunals (2nd ed, 2022)
Onshore Protection Interim Procedures Advice No: 6/2015

REASONS FOR DECISION

Justice Melissa Perry, Deputy President

13 September 2023

DECISION

Annexure A:  Compensation Assessment Scheme

Annexure B:  Categories of non-economic loss

REASONS FOR DECISION

1. INTRODUCTION

2. BACKGROUND

2.1. The data breach

2.2. Privacy complaints in respect of the data breach

2.3. Notification of class members and complaints procedure

2.4. Respondent’s Determination of the representative complaint

2.4.1. Contravention of Principles 4 and 11

2.4.2. Calculation of quantum of compensation for loss or damage

2.4.3. No compensation for non-participating class members

3. ISSUES FOR DETERMINATION AND SUMMARY OF CONCLUSIONS

4. CONSTRUCTION OF THE PRIVACY ACT

4.1. Issue (a): Which version of s 52 of the Privacy Act applies to these proceedings?

4.2. Issue (b): What is the proper construction of s 52 of the Privacy Act?

4.2.1. Overview of s 52 of the Privacy Act

4.2.2. Issue (b)(i): Is it necessary for class members to establish that they have suffered loss or damage for the purposes of s 52 of the Privacy Act?

4.2.3. Issue (b)(ii): Does the Tribunal have power to, and should the Tribunal, direct the Other Party to undertake an exercise of non-statutory power that might culminate in a submission to the Minister to consider lifting the bar which prevents refused class members from making a further protection visa application?

5. DESIGN OF THE SCHEME

5.1. Issue (c): As to Declaration 4 of the Determination: is it correct and preferable that a declaration be made under s 52(1)(b)(iv) of the Privacy Act that no further action be taken in relation to individuals affected by the data breach who did not provide a submission or evidence of loss or damage prior to the making of the Determination?

5.1.1. Issue (c)(i): Is there power, under s 52(1)(b)(iv) of the Privacy Act or otherwise, to make a declaration in the terms of Declaration 4?

5.1.2. Issue (c)(ii): Were class members given adequate prior notice of the consequences provided for in Declaration 4 to support the making of a declaration in those terms?

5.1.3. Issue (c)(iii): Should all class members be given a further opportunity to make submissions or provide evidence of loss or damage and, thus, to become class members who are eligible for an award of compensation in this representative complaint?

5.2. Issue (d): As to Declaration 2 of the Determination: what is the correct and preferable method for assessing compensation for individuals affected by the data breach?

5.2.1. Issue (d)(i): Who is the correct and preferable administrator of the compensation assessment scheme?

5.2.2. Issue (d)(ii): What is the correct and preferable manner for working out class members’ compensation (ss 52(1)(b)(iii), 52(4)(a), 52(5)(a)), and for determining any dispute regarding class members’ entitlement to compensation (s 52(5)(b))?

5.2.3. Issue (d)(iii): What are the correct and preferable categories of non-economic loss (both as to magnitude of harm and as to quantum) to which individual class members should be assigned for the purposes of assessing their compensation for the data breach?

5.2.4. Issue (d)(iv): What is the correct and preferable scheme for review of compensation decisions?

5.3. Issue (e): Is it correct and preferable to direct that the Other Party pay for particular aspects of the compensation assessment process—specifically, access to translation and interpretation assistance during the operation of the compensation assessment process?

DECISION

Annexure A:  Compensation Assessment Scheme

Annexure B:  Categories of non-economic loss

Appendix 1:  Historical Notice published by the OAIC in 2018 to class members as to their entitlement to seek compensation under the OAIC determination

1.  INTRODUCTION

  1. These proceedings concern an application for review of a decision of the respondent, the Privacy Commissioner, made on 11 January 2021 pursuant to s 52 of the Privacy Act 1988 (Cth) (Determination). The Determination concerned a breach by the Secretary of the Department of Home Affairs (Other Party) of principles 4 and 7 of the Information Privacy Principles (IPPs) by reason of the online publication of personal information about individuals in immigration detention. The applicants and the Other Party to the proceedings both seek to set aside the Determination.

  2. The applicants, HYYL and WP, are two individuals who were affected by the data breach.  By an application for review of decision to the Administrative Appeals Tribunal dated 24 February 2021, the first applicant sought a review of the Determination on behalf of all persons whose interests are affected by the Determination. This was on the basis that the respondent’s Determination was wrong and not the correct and preferable decision for three key reasons:

    (a) the respondent erred in making Declaration 4 at [3] of the Determination, namely that it was inappropriate for any further action to be taken in relation to members of the class who did not provide a submission and/or evidence to the respondent within the timeframe specified;

    (b) the quantum of compensation in Declaration 2(a) is below the quantum that ought to be awarded in all the circumstances of the case, based on outdated examples of compensation awarded, and not in keeping with the expectations of the community for breaches of privacy; and

    (c) translation assistance ought to be provided by the respondent to class members so as to enable class members requiring translation assistance to access and participate in the compensation scheme.

  3. The relief sought by the applicants is set out at [128] of the applicants’ updated Statement of Facts, Issues and Contentions (ASFIC) as follows:

    (a) that under s 43(1)(b)(i) of the Administrative Appeals Tribunal Act 1975 (Cth) (AAT Act), Declarations 2–4 of [3] of the respondent’s Determination are set aside and substituted with the following declarations;

    (b) that under s 52(4)(a) of the Privacy Act, class members who register with the scheme administrator to participate in the compensation assessment scheme within six months of the publication of the notice to class members of this decision, or who have previously made submissions or provided evidence of loss or damage to the respondent, are to be paid compensation for loss or damage arising from the publication as assessed in the manner outlined in Attachment A of the ASFIC; and

    (c) that under s 52(1)(b)(ii) and/or s 52(3A) of the Privacy Act, the Other Party, in respect of class members who made applications for protection visas and were refused (refused class members):

        (i) provide a reasonable opportunity for class members to provide further information in relation to the data breach; and

        (ii) reconsider refused class members’ applications for protection visas by way of a process directed to consideration of exercise of the power in s 48B of the Migration Act 1958 (Cth).

  4. I consider material aspects of the compensation scheme proposed by the applicants as set out in Attachment A to the ASFIC, which were ultimately pressed, in the course of considering the appropriate scheme in these reasons.

  5. On 6 April 2021, the Other Party made an application to the Tribunal under s 30(1A) of the AAT Act to be joined as a party to the review proceedings, for the reason that the (then) Department of Immigration and Border Protection would be affected if the Determination is set aside or varied. The Other Party submitted that such a decision was likely to result in an increase in the amount of compensation payable by the Department to the class members, and increase the Department’s total costs incurred. On 26 April 2021, the Tribunal was satisfied that the Department was affected by the decision under review, and made orders joining it as an ‘other party’ pursuant to s 30(1A) of the AAT Act.

  6. On 10 June 2021, the representative complainant to the respondent’s Determination made a joinder application, submitting that the complainant would be entitled to claim compensation for loss and damage suffered arising from the interference with his privacy. On 21 June 2021, the Tribunal made orders joining the representative complainant as the second applicant, WP.

  7. On 8 April 2021 and 21 June 2021, the Tribunal made pseudonym orders for the first and second applicants respectively, and their personal details were restricted from publication or disclosure, in accordance with s 35 of the AAT Act and on the basis that the applicants have previously made protection claims.

  8. On 21 June 2021, the Tribunal made consent orders for the operation and implementation of the Determination to be stayed, in accordance with s 41(2) of the AAT Act, until the decision of the Tribunal on the application for review comes into operation or until further order of the Tribunal. This decision was made on the basis that there was a real prospect that the Tribunal may make different declarations as to the compensation assessment scheme.

  9. The parties filed lengthy statements of facts, issues and contentions, which in the case of the Other Party and the respondent were helpfully amended by way of being updated prior to the hearing: the ASFIC, the respondent’s Updated Statement of Facts, Issues and Contentions (RSFIC), and the Other Party’s Further Updated Statement of Facts, Issues and Contentions (OPSFIC).  The Tribunal is indebted to the parties’ legal representatives for their detailed and careful assistance, and to the parties for the making of appropriate concessions including in the course of the hearing.

  10. The applicants rely on a tender bundle of documents referred to in the ASFIC. They also rely upon the following affidavits, which were the subject of rulings as agreed by the parties or otherwise upheld by me at the hearing:

    (a) the affidavit of Andrew Paull affirmed on 28 October 2021 (Paull affidavit);

    (b) the affidavit of Sarah Dale affirmed on 27 October 2021 (Dale affidavit); and

    (c) the affidavit of Andrew Paull affirmed on 2 December 2021.

  11. The Other Party likewise relies upon a tender bundle of documents referred to in their OPSFIC and upon the following affidavit evidence, read without objections:

    (a) the affidavit of Tobias Gregg affirmed on 17 November 2021;

    (b) the affidavit of Ian Temby affirmed on 18 November 2021 (Temby affidavit);

    (c) the affidavit of Andrew Kiley affirmed on 18 November 2021;

    (d) the affidavit of Jackson Evans affirmed on 6 December 2021; and

    (e) the affidavit of Ian Temby affirmed on 12 December 2021.

  12. Mr Kiley and Mr Temby were cross-examined on their evidence.

    2. BACKGROUND

    2.1. The data breach

  13. On 10 February 2014, a Microsoft Word document dated 31 January 2014 entitled ‘The Immigration Detention and Community Statistics Summary’ (report) was published on the website of the Department (the data breach). The report had a Microsoft Excel spreadsheet embedded within it, which included the personal information of 9,258 individuals who were in immigration detention on 31 January 2014 (class members). The personal information included class members’ full names, gender, citizenship, date of birth, period of immigration detention, relevant detention facility, reason for detention, boat name and boat arrival details. The applicants submit that, of these 9,258 identified people, it could be inferred that the overwhelming majority were people purporting to seek asylum in Australia. The applicants, without dispute, claim that this inference could be drawn because one column of the Excel spreadsheet designated a majority of class members as either an “irregular maritime arrival”, an “unauthorised maritime arrival” or an “irregular maritime arrival”. The applicants further submit that, from the published information (alongside other information), it is possible to infer that such persons were in Australia for the purpose of seeking protection from that country or those refugee-producing countries’ regimes even if some of those claims had not been accepted. I agree that this inference is appropriately drawn and do not understand this to have been in dispute.

  14. The report was publicly accessible when published on the website on 10 February 2014.  On 19 February 2014 at 9.15am, the Other Party was notified about the data breach by a journalist.  By 10am that same day, the Other Party removed the report from its website.  Consequently, the report was available for the public to access from the Other Party’s website for approximately eight days.  While on the website, the report was accessed 123 times by 104 unique Internet Protocol (IP) addresses, although it is uncertain how many of these IP addresses had accessed the spreadsheet.

  15. The Department subsequently identified that the report was also available on the Internet Archive from 11 February 2014.  On 27 February 2014, the report was removed from the Internet Archive. The document was therefore accessible on the Internet Archive for a period of 16 days.  It is not known how many times the report was accessed on the Internet Archive.

  16. In total, therefore, the document was publicly accessible from 10 to 27 February 2014, that being an overall period of 17 days.

  17. It follows, as the High Court held in Minister for Immigration and Border Protection v SZSSJ [2016] HCA 29; (2016) 259 CLR 180 at [4], that “On any view, the Data Breach was very serious”. Furthermore, as the High Court also held at [7], “there was obviously a risk that those in other countries from whom the applicants for protection visas claimed to fear persecution or other relevant harm might have gained access to the document containing the embedded information so as to become aware of the identities of applicants for protection visas in Australia.”

    2.2. Privacy complaints in respect of the data breach

  18. On 12 March 2014, the Department wrote to all individuals who were in immigration detention on 31 January 2014 to inform them that their personal information had been inadvertently disclosed, and to express the Department's regret in “inadvertently allowing potential unauthorised access to [the individuals'] personal information”. Subsequently, the Department engaged KPMG to initiate a forensic investigation into the data breach.  The focus of the investigation was directed to identifying “how access to personal information was allowed by unauthorized person/s and any recommendations to prevent this occurring again”.  The investigation did not concern the consequences of the breach for affected class members.

  19. Between 21 March 2014 and 11 October 2017, 1,757 individual complaints were made under s 36 of the Privacy Act to the Office of the Australian Information Commissioner (OAIC) in relation to the data breach. On 1 November 2014, the OAIC published the results of its investigation (investigation report). The investigation report found that the Department had breached principle 4 of the IPPs by failing to put in place reasonable security safeguards to protect personal information, and principle 11 of the IPPs as the publication of the personal information was an unauthorised disclosure. Based on the Department’s remediation activities, the Department’s ongoing implementation of recommendations made by KPMG, and the Department’s intention to engage an auditor to confirm its remediation steps, the respondent closed its investigation into the data breach.

  20. On 30 August 2015, an individual formally lodged a representative complaint with the respondent.  The complainant sought a declaration that the class members were entitled to an apology from the Other Party, compensation for economic and non-economic loss, and aggravated damages.  The respondent attempted to resolve the representative complaint through conciliation, but was unsuccessful.  On 9 February 2018, the respondent was advised that the representative complainant had passed away and, on 10 October 2018, the respondent replaced the original representative complainant with another class member, being the second applicant to this proceeding, WP.

    2.3. Notification of class members and complaints procedure

  21. Across January and February 2018, upon direction by the respondent, the Other Party sent a notice to 9,086 class members whose personal information was disclosed in the data breach (the notice). Of these:

    (a) 6,084 were sent in hard copy to class members for whom the Other Party had postal address details;

    (b) 3,002 were sent electronically to class members for whom the Other Party had email contact details; and

    (c) 172 were not sent a notice, because they were marked on the Other Party’s systems as either deceased, without a known forwarding address, or without known contact details.

  22. The notice (a copy of which is reproduced at Appendix 1 to these reasons) set out the process by which class members who believed they had suffered loss or damage as a result of the data breach could establish their eligibility for compensation. Among other things, the notice advised (at [5]–[8]):

    Why is this notice important?

    5. In order to make a determination about the Representative Complaint, including whether any of the persons whose personal information was published in the Data Breach are entitled to compensation for any loss or damage suffered, the Commissioner needs information from you.

    6. If you were affected by the Data Breach and do not provide information of the kind described below, the Commissioner may conclude that he is not satisfied you have suffered any loss or damage as a result of the Data Breach and you may not receive compensation for the Data Breach.

    What do I need to do?

    7. If you did not suffer any loss or damage as a result of the Data Breach, you will not be entitled to compensation and you can ignore this Notice.

    8. If you believe you suffered loss or damage as a result of the Data Breach, and want the opportunity to potentially recover compensation for that loss or damage, you need to provide the Commissioner with information about your loss or damage[.]

    (Emphasis in original.)

  1. On 24 January 2018, the respondent:

    (a) published the notice on its website in English and 20 non-English languages;

    (b) published the notice in the legal notices section of The Australian newspaper; and

    (c) sent a copy of the notice to class members who had previously contacted the respondent, the representative complainant’s lawyer and asylum seeker support organisations.

  2. The deadline for providing information to the respondent for the purposes of establishing eligibility for compensation was originally stipulated to be on 19 April 2018. That deadline was subsequently extended on two occasions:  first to 12 July 2018, and subsequently to 19 October 2018. 

  3. The respondent continued to accept responses after the 19 October 2018 deadline from class members who:

    (a) had outstanding information requests with the Other Party as at 19 October 2018; or

    (b) had not received a response to their request for information by 10 September 2018.

    Class members within these categories were granted an extension for providing responses until 40 days after the receipt of the decision on their information request, and the material the subject of that decision.

  4. On 20 December 2018, the respondent granted a further 40-day extension (i.e. up to and including 31 January 2019) to certain class members, namely those class members who needed to respond to a file released by the Department after 26 November 2018. For these class members, the final date for providing submissions was 22 April 2019. Seven class members opted out of the representative complaint process under s 38B(2) of the Privacy Act, and 6,679 class members did not respond to the notice. A total of 2,579 individuals registered their interest as class members, and provided their contact details to the respondent. Of the class members who registered, 1,297 individuals provided submissions or evidence of loss or damage to the respondent, and 1,282 did not.

  5. For those individuals who responded to the notice, but did not provide submissions on loss or damage, the Department submitted that the respondent had acknowledged receipt of each response and, where appropriate, had:

    (a) invited the class member to add to their submission if they wished;

    (b) noted that the class member had indicated that they wished to provide evidence of loss or damage but had not attached supporting information or evidence, and encouraged the class member to provide evidence;

    (c) noted that the class member had referred in their response to obtaining particular medical or other care, and invited them to provide evidence such as medical reports to assist with the class member's complaint; or

    (d) stated that to be considered a member of the class, the class member must demonstrate that they have suffered loss or damage as a result of the data breach and therefore invited them to provide evidence about the impact that the data breach had on them.

  6. Further, of the 1,297 individuals who were included in the list of individuals and provided submissions on loss or damage, the Other Party provided unchallenged evidence that:

    (a) 2 entries on the list are duplicates;

    (b) 8 individuals were not in immigration detention on 31 January 2014, and were therefore not affected by the data breach;

    (c) 1,059 individuals were affected by the data breach (participating class members); and

    (d) further identifying information is required to confirm whether 228 individuals were affected by the data breach (and therefore potentially falling within the category of participating class members).

    2.4. Respondent’s Determination of the representative complaint

  7. The respondent has the power to make a determination in respect of a complaint pursuant to s 52 of the Privacy Act. That section, as in effect at the date of the data breach, relevantly provided that:

    (1) After investigating a complaint, the Commissioner may:

    (a) make a determination dismissing the complaint; or

    (b) find the complaint substantiated and make a determination that includes one or more of the following:

    (i) a declaration:

    (A) where the principal executive of an agency is the respondent—that the agency has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct; or

    (B) in any other case—that the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct;

    (ii) a declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;

    (iii) a declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint;

    (iv) a declaration that it would be inappropriate for any further action to be taken in the matter.

    (4) A determination by the Commissioner under subparagraph (1)(b)(iii) on a representative complaint:

    (a) may provide for payment of specified amounts or of amounts worked out in a manner specified by the Commissioner; and

    (b) if the Commissioner provides for payment in accordance with paragraph (a), must make provision for the payment of the money to the complainants concerned.

    (5) If the Commissioner makes a determination under subparagraph (1)(b)(iii) on a representative complaint, the Commissioner may give such directions (if any) as he or she thinks just in relation to:

    (a) the manner in which a class member is to establish his or her entitlement to the payment of an amount under the determination; and

    (b) the manner for determining any dispute regarding the entitlement of a class member to the payment.

  8. The respondent made the Determination on 11 January 2021, finding that:

    (a) under s 52(1)(b)(i)(A) of the Privacy Act, the Other Party has engaged in conduct constituting an interference with the privacy of class members in contravention of IPPs 4(a) and 11;

    (b) under s 52(4)(a), the participating class members are to be paid compensation for loss or damage in accordance with a procedure outlined in the Determination; and

    (c) class members who did not provide a submission and/or evidence to the respondent within the timeframe specified, and who did not opt out, have not substantiated that they have suffered loss or damage as a result of the interference with their privacy, and it would be inappropriate for any further action to be taken in relation to those individuals.

  9. The second applicant, WP, provided a submission to the respondent and was, in accordance with the Determination, entitled to claim compensation. The first applicant, HYYL, did not provide a submission or evidence and so, in accordance with the Determination, was excluded from claiming compensation. While the applicants allege that HYYL never received a copy of the notice, the Other Party submits that the notice was sent to HYYL’s most recent address provided to the Department.

    2.4.1. Contravention of Principles 4 and 11

  10. Under s 16 of the Privacy Act, as in force on 10 February 2014, an agency was prohibited from acting, or engaging in a practice, that breached the IPPs. The IPPs are contained in s 14 of the Privacy Act. Principle 4, entitled “Storage and security of personal information”, provides that:

    A record‑keeper who has possession or control of a record that contains personal information shall ensure:

    (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

    (b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record‑keeper, everything reasonably within the power of the record‑keeper is done to prevent unauthorised use or disclosure of information contained in the record.

  11. Principle 11, entitled “Limits on disclosure of personal information”, relevantly provides that:

    1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

    (a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;

    (b) the individual concerned has consented to the disclosure;

    (c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

    (d) the disclosure is required or authorised by or under law; or

    (e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

  12. In response to the OAIC investigation report, the Department acknowledged that the data breach violated principles 4 and 11 of the IPPs. The respondent relied on that acknowledgment in making findings of breach in the Determination (Determination at [44]).

    2.4.2. Calculation of quantum of compensation for loss or damage

  13. Subsections 52(4) and (5) of the Privacy Act, outlined above, govern the respondent’s powers with respect to determining compensation for loss or damage in a representative complaint. Pursuant to those subsections, the respondent, at [75] of the Determination, referred the matter of damages to a form of dispute resolution for the parties to negotiate on quantum, with any unresolved claims to be put before the respondent for her consideration. To that end, Addendum A of the Determination, which was constructed to reflect the claims made by class members, provided a method of calculating the quantum of compensation for non-economic loss, to assist parties in their negotiations. This addendum included various categories of non-economic loss, ranging from general anxiousness, trepidation, concern or embarrassment (with a compensation amount between $500 and $4000), to extreme loss or damage resulting from the data breach (with a compensation amount of over $20,000).

  14. The respondent, from [79]–[83] of the Determination, outlined the principles governing damages for economic loss. The respondent found that economic loss must be determined on a case-by-case basis (at [83]), and is awarded to restore an individual to “the same position as [they] would have been in if [they] had not sustained the wrong for which [they are] now getting [their] compensation” (Determination at [80], quoting Livingstone v Raywards Coal Company [1880] 5 App Cas 25). As the respondent further explained, the principles relevant to causation concerning economic loss were articulated by the High Court in March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506, and were not in dispute between the parties.

  15. The respondent noted that the power to award damages included a power to award aggravated damages in addition to general damages (at [84]). However, in the circumstances of the case, the respondent reached the view that an award of aggravated damages was not justified (at [86]).

    2.4.3. No compensation for non-participating class members

  16. At [52] of the Determination, the respondent found that she is empowered under s 52(1)(b)(iii) of the Privacy Act to award monetary compensation only where a complainant has established that they, individually, have suffered loss or damage by reason of the Other Party’s interference with their privacy. The respondent considered that, because the wording of s 52(1)(b)(iii) only permits a declaration entitling a complainant to compensation “for loss or damage suffered”, class members must provide an evidentiary basis to establish their entitlement to compensation (Determination at [52]–[54]). In other words, the respondent determined that a causal link, supported by evidence, must first be established between the data breach and any non-economic loss class members claim to have incurred as a result, before the respondent is empowered to award monetary compensation (Determination at [59]). In light of these reasons, the respondent determined that only participating class members—being individuals who provided submissions or evidence of loss or damage to the respondent—are to be paid compensation for loss or damage arising from the interference with their privacy (Determination at [63]).

  17. The respondent was further satisfied that there was no evidence that a serious procedural problem had occurred, or that such a finding of a procedural problem (if proven) would have led to an unjust outcome (Determination at [68]). The respondent reached this view for multiple reasons, including the respondent’s findings that (amongst others):

    (a) the requirements for class members to make a claim for loss and/or damage were clearly expressed in the notice;

    (b) numerous steps had been taken to ensure that the notice was effectively communicated to class members; and

    (c) class members were given a reasonable opportunity to provide submissions and evidence (Determination at [69]–[70]).

    3. ISSUES FOR DETERMINATION AND SUMMARY OF CONCLUSIONS

  18. The Tribunal must decide whether the Determination was the correct and preferable decision and should therefore be affirmed, or whether it should be set aside or varied in whole or in part.

  19. The applicants and the Other Party agreed that the Determination required amendment but did not agree on all of the issues. The following matters were conceded or agreed (including as a result of the parties’ modifying their positions during and after the hearing):

    (a) The Other Party amended its proposed compensation scheme as follows:

    (i) Annexure B, category 4—replaced the reference to “medical specialist” with “health practitioner”;

    (ii) Annexure D, clauses 3(a)(i)(B), (ii) (the words “and the Respondent will identify the legal service providers that are acceptable to the Respondent as potential scheme administrators”) and (iv)(C) were not pressed.

  20. The following issues arise for determination and are answered by me as summarised below in italics:

    (a) Which version of s 52 of the Privacy Act applies to the Tribunal’s review in these proceedings?

    The Privacy Act as at the date of the data breach.

    (b) What is the proper construction of s 52 of the Privacy Act? In particular:

    (i) Is it necessary for class members to establish by evidence that they have suffered loss or damage for the purposes of s 52 Privacy Act?

    Yes.

    (ii) Does the Tribunal have power to, and should the Tribunal, direct the Other Party to undertake an exercise of non-statutory power that might culminate in a submission to the Minister to consider lifting the bar which prevents refused class members from making a further protection visa application?

    No.  The respondent (and the Tribunal standing in the shoes of the respondent) has no power to make such a direction.

    (c) As to Declaration 4 of the Determination: is it correct and preferable that a declaration be made under s 52(1)(b)(iv) of the Privacy Act that no further action be taken in relation to individuals affected by the data breach who did not provide a submission or evidence of loss or damage prior to the making of the Determination?

    No.

    As part of this issue:

    (i) Is there power, under s 52(1)(b)(iv) of the Privacy Act or otherwise, to make a declaration in the terms of Declaration 4?

    Yes.

    (ii) Were class members given adequate prior notice of the consequences provided for in Declaration 4 to support the making of a declaration in those terms?

    No.  While the notice was widely disseminated, there were deficiencies in the notice itself as a result of which the notice failed to provide class members with a sufficient opportunity to have their claims considered in the respondent’s resolution of the representative complaint.

    (iii) Should all class members be given a further opportunity to make submissions or provide evidence of loss or damage and, thus, to become class members who are eligible for an award of compensation in this representative complaint?

    No.  However, any class member who did not make submissions or provide evidence of loss or damage in response to the OIAC notice in 2018 but establishes to the satisfaction of the scheme administrator that they have a reasonable explanation for not doing so, should be given an opportunity to participate and provide evidence of loss or damage.

    In addition, any existing participating class member who wishes to make submissions and/or provide updated and/or supplementary submissions and/or evidence of loss or damage is to do so within three months of the publication of the further notice unless granted an extension by the scheme administrator.

    (d) As to Declaration 2 of the Determination: what is the correct and preferable method for assessing compensation for individuals affected by the data breach?

    As part of this issue:

    (i) Who is the correct and preferable administrator of the compensation assessment scheme?

    A law firm with appropriate expertise which is appointed in accordance with [6(a)] of the new Determination in Annexure A to the orders, being (among other things) a law firm which: is independent of the Other Party and class members; has not represented or advised any of the class members in relation to this proceeding; is appointed to the Whole of Australian Government Legal Services Panel in relevant areas; and has not represented or advised the Other Party or the Minister for Immigration, Citizenship and Multicultural Affairs with respect to any matter arising from the data breach or in proceedings related to the grant or refusal of a visa or Australian citizenship.

    (ii) What is the correct and preferable manner for working out class members’ compensation (ss 52(1)(b)(iii), 52(4)(a), 52(5)(a)), and for determining any dispute regarding class members’ entitlement to compensation (s 52(5)(b))?

    See Annexure B to the orders.

    (iii) What are the correct and preferable categories of non-economic loss (both as to magnitude of harm and as to quantum) to which individual class members should be assigned for the purposes of assessing their compensation for the data breach?

    Compensation for non-economic loss is to be determined as set out in Annexure B to the orders according to 5 categories ranging from: no compensation where the individual has not provided a submission or evidence substantiating any loss or damage resulting from the data breach; to compensation from $20,000 for extreme loss or damage resulting from the data breach, with the amount of compensation available for the last of these categories being uncapped. Categories 2 to 5 include examples of loss or damage falling within the category to assist in assessing the appropriate category.

    (iv) What is the correct and preferable scheme for review of compensation decisions?

    See Annexure B to the orders.

    (e) Is it correct and preferable to direct that the Other Party pay for particular aspects of the compensation assessment process—specifically, access to translation and interpretation assistance during the operation of the compensation assessment process?

    Yes, but only such expenses as are reasonably necessary to ensure that individual class members have a real opportunity to receive and understand information relevant to their claims, and to communicate their responses, concerning the implementation of the compensation assessment process (as the Other Party accepts).

  1. In accordance with the principle in R v Australian Broadcasting Tribunal; Ex parte Hardiman (1980) 144 CLR 13, the respondent did not seek to be heard in relation to the determination of facts or identification of issues in the proceeding, with the exception of sub-paragraphs (a), (b) and (c)(i) above.

    4. CONSTRUCTION OF THE PRIVACY ACT

    4.1. Issue (a): Which version of s 52 of the Privacy Act applies to these proceedings?

  2. It is not in dispute that the Tribunal’s jurisdiction arises from s 96 of the Privacy Act as in force on 11 January 2021 when the Determination was made. However, a question arises as to which version of the Privacy Act applies in the proceeding. This question is important because the applicants seek to rely upon s 52(3A) of the Privacy Act as currently in force even though the legislation applicable as at the time of the data breach did not contain that provision. The new s 52(3A) provides that:

    A determination under paragraph (1)(b) or subsection (1A) may include any order that the Commissioner considers necessary or appropriate.

  3. I accept the Other Party’s and respondent’s submission that by virtue of the transitional provisions to the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the Amending Act), the Privacy Act as at 10 February 2014 (with the compilation start date of 1 July 2013) applies, this date being the date of the data breach. It follows from this that the respondent attached the wrong version of s 52 to her Determination, even though it is clear from the Determination itself that the respondent at [24]–[28] intended to apply the 2013 version.

  4. First, item 18(1) in Schedule 6 to the Amending Act relevantly provides that the new s 52 applies if:

    (a) before the commencement time, an act was done, or a practice was engaged in, by an agency or organisation; and

    (b) the act or practice may be an interference with the privacy of an individual under section 13 or 13A of the Privacy Act (as in force immediately before that time); and

    (c) immediately before that time:

    (i) the individual has not made a complaint about the act or practice to the Commissioner under section 36 of that Act; and

    (ii) the Commissioner has not decided to investigate the act or practice under subsection 40(2) of that Act.

  5. Significantly, item 18(2) then provides that:

    Despite the amendments of the Privacy Act made by this Act, the individual may, after the commencement time [i.e. 12 March 2014], complain to the Commissioner about the act or practice, and the complaint may be dealt with, under the Privacy Act as if those amendments had not been made.

    (Emphasis added.)

  6. The applicants submit that the use of the word “may” in item 18(2) confers a discretion on the respondent to apply the statute as in force either before or after the amendments of the Amending Act. However, read in context, the word “may” where it first occurs simply signifies that an individual may complain about an act or practice that occurred before the 2014 amendments despite those amendments having occurred and, if such a complaint is made, it “may” in the sense of ‘will’ be dealt with as though the amendments made by the Amending Act had not been made.

  7. It follows, as the Other Party submitted, that the effect of item 18(2) is relevantly that, “where there is a post-Amending Act complaint in respect of a pre-Amending Act privacy breach, the Commissioner is to investigate and determine it by applying the provisions of the pre-Amending Act legislation” (emphasis omitted). This item applies to the present case given that the data breach pre-dated the commencement time, and the relevant complaints were submitted to the respondent after the commencement time. As to the latter, the respondent received an individual complaint on 25 March 2014 and the representative complaint on 30 August 2015: Determination at [11]–[13].

  8. I also agree with the Other Party that no different result is required by item 14.  That item provides that:

    Paragraphs 96(1)(c), (e), (f) and (g) of the Privacy Act, as inserted by Schedule 4 to this Act, apply in relation to a decision made after the commencement time.

  9. As the Other Party submits, those paragraphs of s 96 relate only to the scope of the Tribunal's review jurisdiction and do not address the law which the Tribunal must apply in the exercise of its jurisdiction.

  10. Secondly, I note that the respondent adopted the same position: Determination at [26]–[28]. In this regard, in exercising its power of review under s 43(1) of the AAT Act, the Tribunal “is subject to the same general constraints as the original decision-maker and should ordinarily approach its task as though it were performing the relevant function of the original decision-maker in accordance with the law as it applied to the decision-maker at the time of the original decision” (Frugtniet v Australian Securities and Investments Commission [2019] HCA 16; (2019) 266 CLR 250 at [14] (Kiefel CJ, Gageler, Keane and Gleeson JJ)), subject to any legislative indication to the contrary. As the Other Party submits, there is no reason why the Tribunal reviewing the respondent’s decision and applying s 52 of the Privacy Act should apply any different scheme for the remedies available to the complainants. Rather, the Tribunal effectively stands in the shoes of the respondent.

    4.2. Issue (b): What is the proper construction of s 52 of the Privacy Act?

    4.2.1. Overview of s 52 of the Privacy Act

  11. Section 52 of the Privacy Act, as at the date of the data breach, has earlier been set out at [29] above.

  12. Applying ss 52(1)(b)(iii) and (4)(a), the Tribunal (standing in the respondent’s shoes) may make a determination in the context of a representative complaint that includes a declaration providing for payment to class members of specified amounts, or amounts “worked out” in a specified way, by way of “compensation for any loss or damage suffered” by them. Section 52(5) then provides that, where the respondent makes a determination under s 52(1)(b)(iii) on a representative complaint, the respondent may give directions as to the manner by which a class member may establish her or his entitlement to payment of an amount under the determination and manner of resolving any disputes regarding the entitlement of class members to payment. It was not in issue that ss 52(1)(b)(iii), (4) and (5) are sufficiently broad to support a process of claim assessments and expert assessments by third parties, as the Other Party submitted.

  13. It is also common ground between the parties that the respondent (and here the Tribunal) has power pursuant to s 52(4) to set out a scheme whereby payment of compensation to class members is worked out by reference to sub-s (1)(b)(iii). Evidently, it is not necessary in the context of a representative complaint for the Tribunal to specify an exact amount of compensation for each complainant; rather, s 52(4) authorises the Tribunal in a determination to provide a scheme whereby a specified amount of compensation for each complainant in a representative complaint can be worked out. The ultimate aim of the scheme, in other words, is to provide for a method of working out an amount by way of compensation for loss or damage that has been suffered for each class member.

    4.2.2. Issue (b)(i): Is it necessary for class members to establish that they have suffered loss or damage for the purposes of s 52 of the Privacy Act?

    4.2.2.1 Relevant principles of statutory interpretation

  14. The relevant principles of statutory construction are well-established. These were summarised by Perry and Stewart JJ in Vincentia MC Pharmacy Pty Ltd v Australian Community Pharmacy Authority [2020] FCAFC 163; (2020) 280 FCR 397 at [46]–[48]:

    In Project Blue Sky Inc v Australian Broadcasting Authority (1998) 194 CLR 355 (Project Blue Sky), McHugh, Gummow, Kirby and Hayne JJ explained that:

    69. The primary object of statutory construction is to construe the relevant provision so that it is consistent with the language and purpose of all the provisions of the statute. The meaning of the provision must be determined ‘by reference to the language of the instrument viewed as a whole’. In Commissioner for Railways (NSW) v Agalianos [(1955) 92 CLR 390 at 397], Dixon CJ pointed out that ‘the context, the general purpose and policy of a provision and its consistency and fairness are surer guides to its meaning than the logic with which it is constructed’. Thus, the process of construction must always begin by examining the context of the provision that is being construed.

    The importance of starting with the statutory context and text was recently emphasised by Kiefel CJ, Nettle and Gordon JJ in SZTAL v Minister for Immigration and Border Protection (2017) 262 CLR 362 in the following passage:

    14. The starting point for the ascertainment of the meaning of a statutory provision is the text of the statute whilst, at the same time, regard is had to its context and purpose [citing Project Blue Sky with approval]. Context should be regarded at this first stage and not at some later stage and it should be regarded in its widest sense. This is not to deny the importance of the natural and ordinary meaning of a word, namely how it is ordinarily understood in discourse, to the process of construction. Considerations of context and purpose simply recognise that, understood in its statutory, historical or other context, some other meaning of a word may be suggested, and so too, if its ordinary meaning is not consistent with the statutory purpose, that meaning must be rejected.

    Context “in its widest sense”, as referred to in this passage, includes “such things as the existing state of the law and the mischief which … one may discern the statute was intended to remedy”: CIC Insurance Ltd v Bankstown Football Club Ltd (1997) 187 CLR 384 at 408 (Brennan CJ, Dawson, Toohey and Gummow JJ) (cited with approach [sic] in SZTAL at [14]). To have regard to context in this sense, as integral to the process of statutory construction irrespective of whether ambiguity or inconsistency exists in the literal text, accords with the mandate in s 15AA of the Acts Interpretation Act that the interpretation which best gives effect to the legislative purpose must be preferred to any other interpretation: Mills v Meeking (1990) 169 CLR 214 at 235 (Dawson J). As a result, as Dawson J also explained with respect to Victoria's equivalent to s 15AA, the approach required by interpretive provisions of this kind “allows a court to consider the purposes of an Act in determining whether there is more than one possible construction” (ibid); see also the discussion in Pearce D, Statutory Interpretation in Australia (9th ed, LexisNexis Butterworths, 2019) … at [2.17]-[2.20]; Herzfeld P and Prince T, Interpretation (2nd ed, LawBook, 2020) … at [7.20]-[7.30]. That said, it must also be borne steadily in mind that, as Hayne, Heydon, Crennan and Kiefel JJ cautioned in Alcan (NT) Alumina Pty Ltd v Commissioner of Territory Revenue (NT) (2009) 239 CLR 27, “[h]istorical considerations and extrinsic materials cannot be relied on to displace the clear meaning of the text. The language which has actually been employed in the text of legislation is the surest guide to legislative intention”.

    (Emphasis in original.)

  15. In Certain Lloyd’s Underwriters v Cross [2012] HCA 56; (2012) 248 CLR 378 (at [25]), French CJ and Hayne J elaborated upon the process by which the statutory purpose is ascertained, emphasising the objective nature of that inquiry:

    Determination of the purpose of a statute or of particular provisions in a statute may be based upon an express statement of purpose in the statute itself, inference from its text and structure and, where appropriate, reference to extrinsic materials. The purpose of a statute resides in its text and structure. Determination of a statutory purpose neither permits nor requires some search for what those who promoted or passed the legislation may have had in mind when it was enacted. It is important in this respect, as in others, to recognise that to speak of legislative “intention” is to use a metaphor. Use of that metaphor must not mislead. “[T]he duty of a court is to give the words of a statutory provision the meaning that the legislature is taken to have intended them to have”.  And as the plurality went on to say in Project Blue Sky:

    Ordinarily, that meaning (the legal meaning) will correspond with the grammatical meaning of the provision.  But not always.  The context of the words, the consequences of a literal or grammatical construction, the purpose of the statute or the canons of construction may require the words of a legislative provision to be read in a way that does not correspond with the literal or grammatical meaning.

    (Citations omitted; emphasis added.)

  16. Accordingly, in ascribing meaning to text, a Court must have regard to the context and purpose of that provision, including having regard, where appropriate, to legitimate secondary material. As Allsop CJ explained in Construction, Forestry, Maritime, Mining and Energy Union v Australian Building and Construction Commissioner (The Bay Street Appeal) [2020] FCAFC 192; (2020) 282 FCR 1 at [4]–[5]:

    … The principle is clear:  Meaning is to be ascribed to the text of the statute, read in its context. The context, general purpose and policy of the provision and its consistency and fairness are surer guides to meaning than the logic of the construction of the provision. The purpose and policy of the provisions are to be deduced and understood from the text and structure of the Act and legitimate and relevant considerations of context, including secondary material.

    There can be no doubt that the search for principle in the High Court reveals a settled approach of some clarity. The notion that context and legitimate secondary material such as a second reading speech or an Explanatory Memorandum cannot be looked at until some ambiguity is drawn out of the text itself cannot withstand the weight and clarity of High Court authority since 1985.

    (Citations omitted.)

  17. In Rummery v Federal Privacy Commissioner [2004] AATA 1221; (2004) 85 ALD 368, the Tribunal (Downes J (as President), Senior Member Constance and Member Miller) considered the principles relevant to the assessment of compensation in the context of a substantiated breach of the applicant’s privacy contrary to the Privacy Act. The Tribunal considered that there was no conflict between the principles enunciated by the Full Court in Hall v A & A Sheiban Pty Ltd [1989] FCA 65; (1989) 20 FCR 217 with respect to the award of compensation under the Sex Discrimination Act 1984 (Cth) and the provisions of s 52 of the Privacy Act (at [41]). Based on this view, the Tribunal (at [36]–[41], [46] and [54]–[55]) identified the relevant principles as follows:

    (a) where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course;

    (b) compensation extends to damage in the form of injury to feelings, distress and humiliation;

    (c) awards should be restrained but not minimal;

    (d) in measuring compensation the principles of damages applied in tort law will assist, although the ultimate guide is the words of the statute;

    (e) in an appropriate case, aggravated damages may be awarded; and

    (f) compensation should be assessed having regard to the complainant’s (subjective) reaction to a breach of the Privacy Act and not by reference to the perceived (i.e. objectively assessed) reaction of the majority of the community or of a reasonable person in similar circumstances (applying, by analogy, the observations of Wilcox J in Hall that “a sexual harasser takes his victim as he finds her”).

  18. I agree with this articulation of the relevant principles.  Furthermore, as to (b) above, this statement accords with the approach of Mortimer J in Wotton v State of Queensland (No 5) [2016] FCA 1457; (2016) 157 ALD 14 at [1622] in the context of an action for compensation for a breach of s 9(1) of the Racial Discrimination Act 1975 (Cth) that:

    It is true, as the applicants submit (and the respondents do not dispute) that compensation can be awarded for what May LJ in Alexander v Home Office called “injured feelings”: [1988] 1 WLR 968 at 975. However, this phrase is generally used interchangeably with descriptions such as “distress”, “humiliation”, “insult”, “anxiety” and “stress”. The dominant theme is a feeling, or emotional reaction, with discernible negative effects. In other words, they are all characterisations of feelings which carry a sense of injury, and therefore sufficient connection with the statutory concept of “loss” and “damage”. Without questioning their sincerity, feelings such as anger, outrage and a sense of injustice, without more, are not susceptible to a characterisation as an injury, or as damage. They may or may not be negative in character: in some cases they are emotions with considerable positive force. In my opinion, reactions and feelings of that kind should not occasion an order for compensation in the circumstances of this proceeding, where protest and outrage was a key component of the circumstances giving rise to some of the acts of unlawful discrimination.

    4.4.2.2 Compensation requires proof of loss or damage

  19. The applicants contend that all class members have necessarily suffered a “common”, i.e. non-individualised, loss which should be reflected in a base payment of $10,000 for each class member. The applicants contend that compensation should reflect common law principles and the text of s 52 of the Privacy Act does not warrant any different approach.

  20. The applicants’ submission cannot, with respect, be sustained. It is plain from the text and context of s 52 of the Privacy Act that compensation can be awarded only where class members establish that they have suffered loss or damage for the purposes of s 52 for the following reasons.

  21. First, the circumstances in which “compensation” can be awarded turn upon the proper construction of s 52(1)(b)(iii) of the Privacy Act. That section provides that “compensation” can be awarded to a complainant “for any loss or damage suffered by reason of the act ... the subject of the complaint” (emphasis added). Read according to its ordinary and natural meaning:

    (a) the word “for” links the award of compensation to the requirement for loss or damage to be suffered by reason of the act;

    (b) the verb “suffered” contemplates an actual experience of loss or damage by the class member; and

    (c) the words “by reason of the act” introduce a requirement of causation.

  22. It follows that there is no foothold in the text of s 52 for the proposition that there is power to award compensation merely on the assumption that class members have “objectively” experienced loss and damage as a result of the breach of privacy itself, as the applicants contemplate. To the contrary, the Parliament could not have expressed more clearly its intention to limit the power to award compensation under s 52(1) to cases where the class member establishes that they have personally suffered loss or damage which is causally connected to the breach. In this regard, the language actually employed in the text “is the surest guide to legislative intention”:  Alcan (NT) Alumina Pty Ltd v Commissioner of Territory Revenue (NT) [2009] HCA 41; (2009) 239 CLR 27 at [47] (Hayne, Heydon, Crennan and Kiefel JJ).

  23. This construction is supported by s 52(1A) of the Privacy Act which provides that the loss or damage referred to in s 52(1)(b) “includes injury to the complainant’s feelings or humiliation suffered by the complainant” (emphasis added). This serves to emphasise that s 52(1)(b)(iii) requires an individual complainant to have suffered actual loss or damage.

  1. The Other Party’s process comprises the following five steps:

    (a) The scheme administrator conducts the initial assessment of the class member's claim.

    (b) The scheme administrator will provide their assessment to the class member and request a response from the class member as to whether they wish to make an offer of compensation to the Other Party to be communicated by the scheme administrator. The offer (and, if it differs, the scheme administrator's assessment) is put to the Other Party for consideration.

    (c) Upon receipt of an offer by the class member, the Other Party may either accept the class member's offer, at which point the class member's claim will be resolved by agreement, or make a counter-offer. In the latter scenario, the Other Party will provide the counter-offer to the scheme administrator with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the class member's loss.

    (d) The scheme administrator will provide the Other Party's counter-offer and explanation to the class member, and inform the class member as to whether it considers the Other Party's counter-offer to be reasonable. The class member may either accept the Other Party's counter-offer, at which point the class member's claim will be resolved by agreement, or seek referral of the matter to an expert assessment.

    (e) If a class member requests that their dispute be resolved by expert assessment, the Other Party undertakes to agree to have the class member’s claim resolved in that manner if the claim has not been settled by this point. In other words, the expert determination stage will be a consensual process adopted between the parties. The scheme administrator will then provide both parties' submissions to an independent expert, who will assess the appropriate amount of compensation to be paid to the class member. The parties are free to seek to negotiate an agreement before the expert gives their assessment.

  2. I agree with the Other Party’s approach. In my view that approach is likely to reduce costs and delays in the process. In particular, not only will the parties have greater participation and control over the process, and therefore be more likely to be satisfied with the result, but this approach is also likely to reduce the number of disputes which need to be referred to the external assessor and therefore avoid the additional costs and delays inherent in the applicants’ scheme.

  3. Finally, as I have noted above, there is power under s 52(5) of the Privacy Act for the respondent to give such directions as she or he thinks just. Such a power may be used in circumstances where something unforeseen arises in the course of implementing the scheme. I agree with the Other Party’s suggestion that the scheme should include a provision allowing the parties liberty to apply to the Tribunal in the event that a view is formed that the compensation assessment scheme has become incapable of effective implementation in whole or in part. Such a provision should only deal with unusual or unforeseen circumstances which are major in nature. All other minor issues, such as how a particular decision might be dealt with, should be directed to the scheme administrator for resolution at its discretion.

    5.3. Issue (e): Is it correct and preferable to direct that the Other Party pay for particular aspects of the compensation assessment process—specifically, access to translation and interpretation assistance during the operation of the compensation assessment process?

  4. The applicants submit that due to the vulnerabilities of the class members, who face language and cultural barriers as well as unfamiliarity with the Australian legal process, it will be necessary to provide interpretation services to class members who have queries regarding the compensation assessment scheme.  In the applicants’ submission, not only is this a reasonable expense and a prerequisite for class members’ losses to be redressed, but it will also facilitate the smooth and efficient implementation of the compensation assessment scheme.

  5. The Other Party accepted that ss 52(4) and (5) of the Privacy Act implicitly authorise the Tribunal to require the Department to pay such costs as are reasonably necessary for the purposes of administering the compensation scheme prescribed by determination under s 52(1)(b)(iii). It also accepted that this category of costs included such expenses when they are reasonably necessary to ensure that individual class members have a real opportunity to receive and understand information relevant to their claims, and to communicate their responses, concerning the implementation of the compensation assessment process. I agree. I also agree with the submission by the Other Party that those costs should be proportionate to the compensation assessment process.

  6. The Other Party agreed that it should pay costs that are reasonably necessary to ensure that class members have a real opportunity to participate in the compensation assessment process and as such, that it should be responsible for:

    (a) the translation costs set out at [136] of the OPSFIC; and

    (b) the interpreting assistance described at [136A] of the OPSFIC, in respect of class members with no written language skills.

  7. Specifically, the Other Party confirmed in response to the Determination that it would:

    (a) write to all participating class members seeking confirmation as to the language they wish the scheme administrator to communicate with them in regarding the data breach out of the list of 21 languages into which the respondent translated the 2018 notice;

    (b) translate all correspondence to the participating class members into the language they chose from the letter in (a) above, and send them both English and translated versions to enable communication with their representatives; and

    (c) allow the class member to communicate with the scheme administrator in the language they chose from the letter in (a) above in responding to matters relating to the data breach.

  8. The Other Party accepted that a cohort of approximately 100 class members do not have any written language skills, and therefore interpretation costs are reasonably necessary to enable this cohort of class members to participate in the compensation scheme.  Accordingly, the Other Party has agreed to:

    provide interpreters to the cohort of class members who do not have any written language skills to:

    (a) inform the class member of the Tribunal’s decision, including the categories of loss and damage and the types of evidence that would establish a claim for compensation;

    (b) receive information from the class member regarding their claim, and write that information in the statement;

    (c) inform the class member of the assessment of their claim, obtain instructions to make an offer, and inform the class member of any counter-offer; and

    (d) if the class member’s claim proceeds to external assessment, take instructions and prepare a submission to the expert, and inform the class member of the outcome of the external assessment.

  9. I agree with these concessions subject to the following qualifications.  First, the reference to “provid[ing] interpreters to the cohort of class members” should be amended in the orders to refer to “interpreters/translators”.  Secondly, so as to reflect the proper role of interpreters (as identified in the JCCD National Recommended Standards at [115]), I consider that the concessions at (c) and (d) above would more accurately be expressed as follows:

    (c) translate the assessment of the class member’s claim for the class member, translate the class member’s offer, and translate any counter-offer for the class member; and

    (d) if the class member’s claim proceeds to external assessment, translate the class member’s submission to the expert reviewer, and translate the external assessment for the class member.

  10. Finally, with respect to the engagement of interpreters, I consider that the Other Party should have regard to the standards articulated in the JCCD National Recommended Standards.

    DECISION

  11. The Tribunal orders that:

    1. Pursuant to s 43(1)(a) of the Administrative Appeals Tribunal Act 1975 (Cth), Declaration 4 of the Determination made by the respondent on 11 January 2021 (the Determination) is set aside and the following is made in its place:

    The members of the class who:

    (a)  did not provide a submission and/or evidence to the Office of the Australian Information Commissioner (OAIC) within the timeframe specified by the OAIC, and who did not opt out; and

    (b)  do not provide a reasonable explanation for not making submissions or providing evidence in response to the January 2018 OIAC notice within 3 months of the publication of a notice by the scheme administrator as described in Annexure A;

    have not substantiated that they have suffered loss or damage as a result of the conduct constituting an interference with the privacy of class members and subject of this Determination (the data breach). Pursuant to s 52(1)(b)(iv) of the Privacy Act 1988 (Cth), the Tribunal declares that it would be inappropriate for any further action to be taken in relation to those individuals.

    2. Pursuant to s 43(1)(c) of the Administrative Appeals Tribunal Act 1975 (Cth), Declarations 2 and 3 of the Determination are set aside and the following are made in their place:

    Each of the participating class members, being:

    (a)  the 1,295 class members who made submissions and/or provided evidence of loss or damage to the OAIC within the timeframe specified by the OAIC, and who did not opt out; and

    (b)  the class members who establish, within the timeframe prescribed in order 1 above, that they have a reasonable explanation for not responding to the January 2018 OIAC notice and make submissions and/or provide evidence of loss or damage;

    is to be paid an amount of compensation worked out in the manner specified in Annexure A to these orders.

    3. Pursuant to ss 52(4) and/or 52(5) of the Privacy Act 1988 (Cth), the Department of Home Affairs is to pay:

    (a)  the costs of the expert determination process described in Annexure A;

    (b)  the costs of translating communications relating to the assessment of compensation for loss and damage arising from the data breach;

    (c)  the costs of interpretation/translation services relating to the provision of evidence by those participating class members without a written language and communications with that cohort of class members relating to the assessment of compensation for loss and damage arising from the data breach; and

    (d)  for assessments conducted under the compensation assessment scheme described in Annexure A, up to $500 to each participating class member to obtain assistance from a legal practitioner to prepare the participating class member’s evidence or submissions for provision to an expert assessor (to be paid on the participating class member’s provision of an invoice from the legal practitioner).

    4. There be liberty to apply to the Tribunal on the basis that the Compensation Assessment Scheme in Annexure A hereto has become incapable of effective implementation in whole or in part.

    Annexure A: Compensation Assessment Scheme

    1. Under s 38B(3) of the Privacy Act 1988 (Cth), within 28 days of the appointment of the scheme administrator (as to which, see clause 6(a) below), the scheme administrator is to publish a notice inviting:

    (a) the 1,295 class members who made submissions and/or provided evidence of loss or damage to the OAIC within the timeframe specified by the OAIC and who did not opt out (the existing participating class members), to make submissions or submit updated and/or supplementary submissions, and/or evidence of loss or damage to the scheme administrator; and

    (b) class members who did not make submissions or provide evidence of loss or damage to the OAIC within the timeframe specified by the OAIC, and who did not opt out (non-participating class members) to submit an application to participate in the compensation scheme described below (the scheme).

    2. The notice referred to in clause 1 above is, among other things, to:

    (a) be expressed in plain English in a manner intended to facilitate translation to other languages after consultation with one or more qualified and experienced translators;

    (b) explain the scheme and relevant timeframes;

    (c) give examples of compensable loss and damage, including explaining that non-economic loss for which compensation may be paid includes (but is not limited to) consequences such as fear, distress, anxiousness, loss of sleep, headaches, and mental illness;

    (d) give examples of the kinds of evidence which a class member might provide in support of claim for economic and/or non-economic loss or damage such as a statutory declaration from the class member explaining the impact of the data breach upon them, statutory declarations from family and friends explaining their observations as to the impact of the data breach upon the class member, financial documents supporting any claim of economic loss, and reports from relevant medical practitioners;

    (e) explain that verbal evidence with the assistance of a qualified interpreter (if required) may be taken by the scheme administrator upon request by the class member if the class member does not possess the necessary written language skills; and

    (f) explain the consequences if the invitation pursuant to clauses 1(a) or (b) above is not taken up by the class member.

    3. Any existing participating class member who wishes to make submissions or provide updated and/or supplementary submissions, and/or evidence of loss or damage pursuant to clause 1(a) above is to do so within a period of 3 months of the publication of the notice, unless the existing participating class member requests an extension of time within which to do so and the scheme administrator considers that it is reasonable to allow the existing participating class member an extension of time.

    4. Any non-participating class member who wishes to participate in the scheme must submit an application to the scheme administrator within 3 months of the publication of the notice, including:

    (a) an explanation as to why the non-participating class member did not make submissions or provide evidence of loss or damage to the OAIC within the timeframe specified by the OAIC; and

    (b) the non-participating class member's name, date of birth, client ID and, if applicable, boat ID, to enable the Department of Home Affairs to confirm that the non-participating class member was affected by the data breach.

    5.Upon receiving confirmation from the Department of Home Affairs that a non-participating class member who has submitted an application to participate in the scheme was affected by the data breach, the scheme administrator will consider the non-participating class member's application.  If the scheme administrator is satisfied that the non-participating class member has provided a reasonable explanation for not making submissions or providing evidence to the OAIC within the timeframe specified by the OAIC, the scheme administrator is to declare them to be a participating class member (see clause 6 below) who is to be paid an amount of compensation for loss or damage arising from the data breach worked out in the manner described below.

    6.Under ss 52(1)(b)(iii) and (4)(a) of the Privacy Act 1988 (Cth), the existing participating class members, as well as class members identified through the process set out in clauses 1(b), 4 and 5 above (collectively referred to as the participating class members), are to be paid an amount of compensation for loss or damage arising from the data breach worked out in the following manner:

    (a)A law firm which is independent of the Secretary of the Department of Home Affairs (Other Party) and of class members will be appointed to administer the scheme (the scheme administrator) through the following process:

    (i)within 14 days of the publication of the Tribunal's decision, the Department of Finance will prepare a Request for Quote (RFQ) and provide it to the applicants' solicitors for comment;

    (ii)the applicants' solicitors will provide any comments on the RFQ to the Department of Finance within 14 days of receipt of the information outlined in clause 6(a)(i) above from the Department of Finance;

    (iii)the Department of Finance will consider any comments received from the applicants' solicitors in accordance with clause 6(a)(ii) above in finalising the RFQ;

    (iv)within 14 days of receiving any comments from the applicants' solicitors in accordance with clause 6(a)(ii) above, the Department of Finance will issue the RFQ to each of the legal services providers that:

    A.are appointed to the Whole of Australian Government Legal Services Panel in the areas of:

    1)Compensation, damages and personal injury; and

    2)Freedom of information, privacy and public interest disclosure; and

    B.have not represented or advised the Other Party, or the Minister for Immigration, Citizenship and Multicultural Affairs with respect to any matter arising from the data breach or in proceedings related to the grant or refusal of a visa or Australian citizenship; and

    C.have not represented or advised any class members in relation to this proceeding; and

    (v)the Department of Finance will assess each response to the RFQ on a value-for-money basis, having regard to each provider's expertise and experience, and will identify a provider to act as scheme administrator.

    (b)The scheme administrator:

    (i)shall administer the scheme fairly, impartially, and reasonably according to its terms, with their duty owed to the Tribunal to take priority over any obligation to a participating class member; and

    (ii)must not act as the solicitor for the Other Party, the Commonwealth or any class member in relation to any matter relating to the data breach.

    (c)The scheme administrator shall conduct an assessment of each participating class member's submissions and/or evidence, allocate the participating class member into a non-economic loss category set out in the table at Annexure B, and identify the appropriate quantum of compensation (under the heads of economic loss and non-economic loss, where relevant) for the participating class member. For the avoidance of doubt, that quantum may be nil.

    (d)On completion of the assessment for each participating class member, the scheme administrator is to provide the assessment and relevant evidence to the participating class member or their representative, and request a response from the participating class member as to whether the class member wishes to make a settlement offer to the Other Party, to be communicated by the scheme administrator. For the avoidance of doubt, the participating class member is not limited to making an offer in the proposed amount identified by the scheme administrator. If the participating class member’s settlement offer is not the same as the amount identified by the scheme administrator, the scheme administrator will provide both the settlement offer and its assessment to the Other Party.

    (e)In the event that the participating class member, or their representative, fails to respond to the scheme administrator's assessment within 28 days, the scheme administrator will provide its assessment directly to the Other Party.

    (f)Upon receipt of a settlement offer in writing of proposed compensation payable to the participating class member through the scheme, the Other Party may:

    (i)accept the participating class member's offer, at which time the parties will enter into a settlement deed, resolving the participating class member's claim by consent; or

    (ii)make a counter-offer in writing, which the Other Party will provide to the scheme administrator with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the participating class member's loss or damage.

    (g)If the scheme administrator has provided its assessment directly to the Other Party in accordance with clause 6(e) above, the Other Party is to:

    (i)consider the scheme administrator's assessment in the same way it would consider a settlement offer received from a participating class member or their representative; and

    (ii)either accept the assessment or propose a different amount of compensation for the participating class member, with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the participating class member's loss or damage.

    (h)If the Other Party makes a counter-offer in accordance with clauses 6(f)(ii) or 6(g) above, the scheme administrator will provide the Other Party's counter-offer and statement of reasons to the participating class member by email and/or registered post, and will inform the participating class member or their representative in writing as to whether it considers the Other Party's counter-offer to be reasonable. The participating class member may:

    (i)accept the Other Party's counter-offer, at which time the parties will enter into a settlement deed, resolving the participating class member's claim by consent; or

    (ii)request that the dispute concerning the participating class member's compensation entitlement be resolved by expert assessment. (The Tribunal notes that the Other Party has voluntarily undertaken to agree to have the participating class member’s claim resolved in this manner if the claim has not been settled by this point, meaning that the expert determination stage will be a consensual process adopted between the parties.)

    (i)If the participating class member does not respond to the Other Party's counter-offer within 30 days of the counter-offer being sent by email or registered post to the participating class member or their representative, the participating class member will be taken to have agreed to the Other Party's counter-offer.

    (j)If a participating class member's compensation entitlement is to be resolved by expert assessment, the scheme administrator will provide the expert with:

    (i)the evidence and/or submissions provided by the participating class member to the OAIC;

    (ii)the scheme administrator's assessment;

    (iii)the participating class member's settlement offer to the Other Party; and

    (iv)the Other Party's counter-offer, including the statement of reasons and any further information provided by the Other Party with its counter-offer.

    (k)The experts to provide the assessments referred to in clauses 6(h)(ii) and (6)(j) above will be agreed upon by the Other Party and the solicitors for the applicants. Appropriately qualified counsel, with relevant skills and at least three years’ experience in legal practice in relevant areas of the law, would be suitable to appoint as an expert in accordance with Appendix D to the Legal Services Directions 2017 (Cth).

    (l)The Other Party and the solicitors for the applicants may approach the respondent for assistance in resolving any dispute regarding the choice of experts or the terms of the experts' engagement.

    (m)The Other Party is to pay the amount of compensation agreed between the Other Party and the participating class member, or identified by an independent expert pursuant to the process described above, within a reasonable period and to advise the scheme administrator in writing when payment to the participating class member has been made.

    Annexure B:  Categories of non-economic loss

| Category | Description | Quantum |
| --- | --- | --- |
| 0 | The individual has not provided a submission and/or evidence that substantiates loss or damage resulting from the data breach. | $0 |
| 1 | Minor loss or damage resulting from the data breach (for example, general anxiousness, fear, anger, stress, worry concern or embarrassment). | $500 - $4,000 |
| 2 | Moderate loss or damage resulting from the data breach (for example, moderate anxiousness, stress, fear, pain and suffering, distress and/or humiliation), which has caused minor physiological symptoms, such as some loss of sleep or headaches. | $4,001 - $8,000 |
| 3 | Major loss or damage resulting from the data breach (for example, major or prolonged anxiousness, stress, fear, pain and suffering, distress, humiliation, loss of sleep, and/or headaches) which has caused psychological and/or physiological harm, and has resulted in a consultation with a health practitioner. | $8,001 - $12,000 |
| 4 | Significant loss or damage resulting from the data breach (for example, the development or exacerbation of a diagnosed psychological or other medical condition), which has resulted in a prescribed course of treatment from a medical practitioner. | $12,001 - $20,000 |
| 5 | Extreme loss or damage resulting from the data breach. | > $20,000 |


I certify that the preceding two hundred and three (203) paragraphs are a true copy of the reasons for the decision herein of Justice Melissa Perry, Deputy President.

……………………………[SGD]…………………………

Associate

Dated: 13 September 2023

Dates of hearing: 13-14 December 2021

Counsel for the Applicants: Mr M Guo
Solicitors for the Applicants: Slater & Gordon
Counsel for the Respondent: Ms E Bathurst with Ms A Poukchanski
Solicitors for the Respondent: Corrs Chambers Westgarth
Counsel for the Other Party: Ms K Richardson SC with Ms C Winnett
Solicitors for the Other Party: Clayton Utz

APPENDIX 1:  HISTORICAL NOTICE PUBLISHED BY THE OAIC IN 2018 TO CLASS MEMBERS AS TO THEIR ENTITLEMENT TO SEEK COMPENSATION UNDER THE OAIC DETERMINATION

TO ALL PERSONS IN IMMIGRATION DETENTION ON 31 JANUARY 2014

Background

1.On 10 February 2014, the Department of Immigration and Border Protection (Department) published a detention report on its website in error. The report contained the personal information of persons who, as at 31 January 2014, were in immigration detention facilities or in the community under residence determination, or alternative places of detention (Data Breach).

2.The personal information was removed from the Department’s website on 19 February 2014 and from The Internet Archive on 27 February 2014.

3.On 30 August 2015, a representative complaint was made to the Commissioner on behalf of all persons whose information was published by the Department in error (Representative Complaint).

What is a representative complaint?

4.A representative complaint is a complaint made by an individual under the Privacy Act 1988 (Cth) on behalf of other individuals who have similar complaints about an act or practice that may be an interference with their privacy. The Commissioner may make a declaration that class members are entitled to compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.

Why is this notice important?

5.In order to make a determination about the Representative Complaint, including whether any of the persons whose personal information was published in the Data Breach are entitled to compensation for any loss or damage suffered, the Commissioner needs information from you.

6.If you were affected by the Data Breach and do not provide information of the kind described below, the Commissioner may conclude that he is not satisfied you have suffered any loss or damage as a result of the Data Breach and you may not receive compensation for the Data Breach.

What do I need to do?

7.If you did not suffer any loss or damage as a result of the Data Breach, you will not be entitled to compensation and you can ignore this Notice.

8.If you believe you suffered loss or damage as a result of the Data Breach, and want the opportunity to potentially recover compensation for that loss or damage, you need to provide the Commissioner with information about your loss or damage:

(a)You should provide all the information you consider to be relevant to the loss or damage you suffered.

(b)The information may be in the form of a statutory declaration or signed statement in your own words. Statutory declarations or signed statements in a standard form will be given little weight.

(c)The information may include evidence from the time of the Data Breach or when you first found out about the Data Breach, such as medical reports, that contain details about how you felt or reacted to the Data Breach and any treatment you received. Medical reports prepared after the date of this Notice will be given little weight.

(d)Letters written on your behalf, which are not in your own words, will be given little weight.

(e)The Commissioner may not consider information that is provided after the deadline below.

9.You must upload this information on the Response Form at oaic.gov.au/repcomplaint. You can also provide the information by sending it to [email protected] or to GPO Box 5218, Sydney NSW 2001. You must provide sufficient information (including your full name and date of birth, and any relevant Department of Immigration identification number) to allow the OAIC and the Department to identify you.

10.You must send any information by: 4.00 pm on 19 April 2018.

Opting-out of the Representative Complaint

11.If you do not consent to the Representative Complaint being made on your behalf and do not want to be part of it, you can opt out of the Representative Complaint at any time by visiting the OAIC website at oaic.gov.au/repcomplaint and filling out the Response Form.

12.Opting out may affect your ability to obtain compensation in respect of the Data Breach. Please read the information on the Response Form carefully.

Questions and assistance

13.If you need assistance to understand or respond to this Notice, please contact OAIC on 1300 363 992 or email [email protected].

