Knowles v Australian Information Commissioner

Case

[2025] FedCFamC2G 571

24 April 2025

FEDERAL CIRCUIT AND FAMILY COURT OF AUSTRALIA

(DIVISION 2)

Knowles v Australian Information Commissioner [2025] FedCFamC2G 571

File numbers: MLG 1198 of 2023
MLG 1390 of 2023
Judgment of: DEPUTY CHIEF JUDGE MERCURI
Date of judgment: 24 April 2025
Catchwords: ADMINISTRATIVE LAW – application for judicial review of separate decisions made by the Australian Information Commissioner under Part V, Division 1 of the Privacy Act 1988 (Cth) – where the applicant separately complained to the Commissioner under sections 36(1) and 36(2) of the Act in relation to the Department of Veterans’ Affairs alleged breaches of the Australian Privacy Principles – where the delegate decided not to investigate each complaint under sections 41(1)(d) and 41(1)(da) of the Act respectively– where the applicant alleges that the delegate failed to reach the state of satisfaction required by section 41 in exercising the discretion in each case – consideration of whether the respondent acted reasonably in the exercise of that discretionno jurisdictional error established – applications each dismissed.
Legislation: Privacy Act 1988 (Cth), ss 36(1), 36(2), 36A, 38, 38A, 40, 41(1), 41(1)(d), 41(1)(da)
Cases cited:

Foley v Australian Information Commissioner [2024] FCA 169

Jaworski v Australian Information Commissioner [2022] FCA 1400

Jones v Office of the Australian Information Commissioner [2014] FCA 285

Madzikanda v Australian Information Commissioner [2023] FCA 1445

Simjanovska v Department of Human Services [2019] FCA 499

VN and VV, VW [2020] AICmr 52 

Division: Division 2 General Federal Law
Number of paragraphs: 110
Date of hearing: 4 September 2024
Place: Melbourne
Counsel for the Applicant: The applicant appeared in person
Counsel for the Respondent: Ms H Sims
Solicitor for the Respondent: Holding Redlich

ORDERS

MLG 1198 of 2023
MLG 1390 of 2023

FEDERAL CIRCUIT AND FAMILY COURT OF AUSTRALIA (DIVISION 2)
BETWEEN:

KIERAN KNOWLES

Applicant
AND:

AUSTRALIAN INFORMATION COMMISSIONER

Respondent

ORDER MADE BY:

DEPUTY CHIEF JUDGE MERCURI

DATE OF ORDER:

24 APRIL 2025

THE COURT ORDERS THAT:

1.The applicant’s application in MLG 1198 of 2023 be dismissed.

2.The applicant’s application in MLG 1390 of 2023 be dismissed.

Note: The form of the order is subject to the entry in the Court’s records.

Note: The Court may vary or set aside a judgment or order to remedy minor typographical or grammatical errors (r 17.05(2)(g) Federal Circuit and Family Court of Australia (Division 2) (General Federal Law) Rules 2021 (Cth)), or to record a variation to the order pursuant to r 17.05 Federal Circuit and Family Court of Australia (Division 2) (General Federal Law) Rules 2021 (Cth).

REASONS FOR JUDGMENT

DEPUTY CHIEF JUDGE MERCURI:

INTRODUCTION

  1. Before the court are two applications for judicial review filed by the applicant. The first application (proceeding MLG 1198 of 2023) was filed on 5 July 2023. The second application (proceeding MLG 1390 of 2023) was filed on 3 August 2023. By those applications, the applicant seeks review of the following decisions by the Australian Information Commissioner (‘the Commissioner’) made under Part V, Division 1 of the Privacy Act 1988 (Cth) (‘the Act’):

    (a)On 7 June 2023, to not investigate the applicant’s complaint under section 36(2) of the Act for ‘lacking in substance’ pursuant to section 41(1)(d) of the Act, subject of proceedings MLG 1198 of 2023 (‘the 1198 decision’); and

    (b)On 27 July 2023, to not investigate the applicant’s complaint under section 36(1) of the Act on the basis that ‘investigation was not warranted having regard to all the circumstances’ pursuant to section 41(1)(da) of the Act, subject of proceedings MLG 1390 of 2023 (‘the 1390 decision’).

  2. Each application relates to the way in which the Privacy Commissioner dealt with a complaint made by the applicant.  Each complaint to the Privacy Commission in turn, related to the handling of the applicant’s personal information by the Department of Veterans Affairs (‘DVA’).

  3. Orders were made on 30 August 2023 in proceeding MLG 1390 of 2023, which, among other procedural orders, provided that:[1]

    1.Matter number MLG1390/2023 be joined to and run concurrently with MLG1198/2023.

    [1] Orders of Judge Forbes dated 30 August 2023.

  4. Accordingly, both matters have been dealt with together by this court since August 2023. On 4 September 2024, the applications in each matter were concurrently heard by videoconference.  The applicant appeared on his own behalf.   

    MATERIAL RELIED UPON

  5. In proceeding MLG 1198 of 2023, the applicant relied on the following documents:

    ·Application filed 5 July 2023;

    ·Affidavit filed 5 July 2023;

    ·Outline of Submissions filed 19 February 2023; and

    ·Outline of Submissions in reply filed 30 April 2023.

  6. In proceeding MLG 1390 of 2023, the applicant relied on:

    ·Application filed 3 August 2023;

    ·Affidavit filed 3 August 2023;

    ·Outline of Submissions filed 19 February 2023; and

    ·Outline of Submissions in reply filed 1 May 2024.

  7. The applicant also filed a List of Authorities in both proceedings on 7 June 2024 which was amended on 28 August 2024.

  8. The respondent relied on the following documents jointly filed in both proceedings:

    ·Response filed 14 August 2023;

    ·Outline of Submissions filed 22 March 2024; and

    ·List of Authorities filed 13 May 2024.

  9. The respondent also filed a court book on 7 December 2023 in both proceedings. The applicant filed a supplementary court book on 13 June 2024 with the consent of the respondent, although submissions were made about the relevance of some of the documents in the supplementary court book.

    RELEVANT PRINCIPLES AND LEGISLATION

    The Privacy Act

  10. Part III of the Act deals with Information and Privacy and relevantly defines the circumstances in which an act or practice of an APP entity will be taken to be an interference with the privacy of an individual.[2]   Division 2 of Part III deals with Australian Privacy Principles and provides that an APP entity must not breach the Australian Privacy Principles.   Part IV deals with the Functions of the Information Commissioner and Part V deals with Investigations. 

    [2] See s 13 of the Act.

  11. A complaint may be made to the Commissioner regarding an interference pursuant to section 36 of the Act. The Commissioner, having received a complaint validly made under section 36, is obliged to investigate that complaint pursuant to section 40 unless the circumstances in section 41 apply and the Commissioner determines to exercise its discretion not to investigate the complaint.

  12. The applicant made the 1198 and 1390 complaints to the respondent under section 36(2) and 36(1) of the Act, respectively.

  13. Relevantly, section 36 of the Act provides:

    (1)An individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual.

    (2)In the case of an act or practice that may be an interference with the privacy of 2 or more individuals, any of those individuals may make a complaint under subsection (1) on behalf of all of the individuals.        

  14. Interference with privacy is defined in section 13 of the Act. Section 13F of the Act clarifies that an act or practice that is not covered by section 13 is not an interference with the privacy of an individual. Relevantly, section 13 provides:

    (1)An act or practice of an APP entity is an interference with the privacy of an individual if:

    (a)the act or practice breaches an Australian Privacy Principle in relation to personal information about the individual; or

    (b)the act or practice breaches a registered APP code that binds the entity in relation to personal information about the individual.

  15. Relevantly, section 36A provides:

    In general, this Part deals with complaints and investigations about acts or practices that may be an interference with the privacy of an individual. 

    An individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual.  If a complaint is made, the Commissioner is required to investigate the act or practice except in certain circumstances.

    The Commissioner may also, on his or her own initiative, investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1.

    The Commissioner has a range of powers relating to the conduct of investigations including powers:

    (a)       to conciliate complaints; and

    (b)       to make preliminary inquiries of any person; and

    (c)to require a person to give information or documents, to attend a compulsory conference; and

    (d)       to transfer matters to an alternative complaint body in certain circumstances.

    After an investigation, the Commissioner may make a determination in relation to the investigation.  An entity to which a determination relates must comply with certain declarations included in the determination.  Court proceedings may be commenced to enforce a determination.

  16. Section 38 of the Act provides the conditions for making a representative complaint. Section 38A provides that in certain circumstances, a complaint should no longer proceed as a representative complaint. Sections 38B, 38C and 39 further deal with representative complaints.

  17. Section 40 then deals with investigations, and as stated earlier, requires the Commissioner to investigate an act or practice if the act or practice may be an interference with the privacy of an individual and a complaint about that act or practice has been made under section 36 unless one of the circumstances in section 41 arises. Relevantly, section 40 of the Act provides:

    (1)      … the Commissioner shall investigate an act or practice if:

    (a)the act or practice may be an interference with the privacy of an individual; and

    (b)a complaint about the act or practice has been made under section 36.

  18. Relevantly, section 41 of the Act provides that:

    (1)The Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that:

    (d)the complaint is frivolous, vexatious, misconceived, lacking in substance or not made in good faith (emphasis added);

    (da)an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances (emphasis added);

  19. Section 48 of the Act requires the Commissioner to inform the complainant and respondent agency of any decision to not investigate a matter to which a complaint relates, with reasons.

  20. The remainder of Part V Division 1 then deals with how the Commission conducts either a preliminary inquiry or an investigation and its powers in doing so. The balance of Part V then deals with the outcome of an investigation including the making and enforcement of a determination.

    The Australian Privacy Principles

  21. The Australian Privacy Principles (‘APP’) are set out in Schedule 1 of the Act.

  22. The 1198 and 1390 complaints allege breach of APP 11.1, 12.1 and 12.4 by the DVA respectively.

  23. Relevantly, APP 11.1 provides that:

    An APP entity must take reasonable steps to protect the personal information it holds:

    (a)       from misuse, interference and loss; and

    (b)      from unauthorised access, modification and disclosure.

  24. APP 12.1 provides:

    If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.

  25. APP 12.4 then goes on to relevantly state:

    The APP entity must:

    (a)       respond to the request for access to the personal information:

    (i)        if the entity is an agency – within 30 days after the request is made; or

    (ii)       … and

    (b)give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.

  26. Against this statutory context I will now consider the relevant background to the complaints.

    BACKGROUND - 1198 COMPLAINT

  27. On 1 July 2022, the applicant made the 1198 complaint by email to the respondent alleging the DVA’s breach of APP 11.1.[3] The applicant identified the complaint as a ‘representative complaint’ within the meaning of section 36(2) of the Act. I will come back to this issue in due course.

    [3] Court book at page 16 to 22.

  28. In the 1198 complaint, the applicant said:[4]

    The ANAO’s audit of the Department of Veterans’ Affairs’ 2020-21 financial statements raised a Category B ANAO finding which identified that the Department of Veterans’ Affairs had no processes in place to identify users who had access to systems, applications and data repositories that contained personal, and sensitive personal information, after terminations and had no process to monitor activities undertaken by these users.

    While the ANAO and the Department of Veterans’ Affairs have since consulted over what approach the Department of Veterans’ Affairs should take in future, this does not negate the Department of Veterans’ Affairs did not take reasonable steps under APP 11.1 to protect the class members personal information from the risk of misuse, interference, loss, unauthorised access, modification or disclosure.

    Breach of APP 11.1 does not require evidence of misuse, interference, loss, unauthorised access, modification or disclosure – the legislation is explicit that the obligation is that the entity must take such steps as are reasonable in the circumstances to protect such personal information. It is prospective not retrospective. As has been consistently stated by the Information Commissioner in s 52 determinations, ‘APP 11 is about the APP entity taking reasonable steps to prevent certain events, such as unauthorised disclosure in breach of APP 6, from occurring’ not a breach of disclosure itself.

    [4] Court book at page 16.

  29. The applicant then set out the requirements of a representative complaint and stated that the representative complaint included persons other than, but including, the applicant. The applicant described the class members of the representative complaint as:[5]

    … all Department of Veterans’ Affairs clients whose personal information, including sensitive personal information, was accessed by contractors of the Department of Veterans’ Affairs between 1 January 2021 and 31 Dec 2021 who have since subsequently ceased working for the Department of Veteran’s Affairs without proper and reasonable confirmation that all access to systems containing personal information, including sensitive personal information, of class members had been retracted, and those the Department of Veterans’ Affairs failed to take reasonable steps to confirm those contractors (PSPF termination/separation clearance) had agreed not to use their knowledge obtained from prior access obtained from these systems for other purposes.

    [5] Court book at page 17.

  30. The applicant sought declaratory relief from the Commissioner, including declarations that the class members were entitled to compensation for any loss and damage as a result of the interferences with their privacy, as well as a published apology.

  31. On 1 July 2022, the applicant also sent an email to the DVA outlining his claims of an alleged breach of the Act. By email dated 12 July 2022, the DVA responded in which the following statements were made:[6]

    The Department of Veterans’ Affairs … is committed to the privacy of veterans and their families.  There are currently a range of controls in place to support this; including confidential arrangements with contractors and third parties, policies and procedures, and legislative requirements.  The applications of each of these controls provides layered protection to veterans information to ensure there is no single point of failure.

    DVA believes that these controls meet the Office of the Information Privacy Commissioner’s interpretation of ‘reasonable steps’, and continues to prioritise enhancements where potential improvements are identified.

    … If you have evidence or information pertaining to a breach of APP 11 you are encouraged to provide the relevant information so this can be investigated and actioned appropriately.

    [6] Court book at page 27.

  32. The applicant was not satisfied with this response, remaining of the view that it was not consistent with the findings made by the Auditor General in his report. The applicant advised the respondent that he wished to proceed with his representative complaint.[7] 

    [7] Court book at pages 24 to 26.

  33. On 8 March 2023, the respondent wrote to the applicant advising that it appeared that the 1198 complaint lacked substance, and accordingly the respondent intended to exercise its discretion to not investigate the complaint under section 41(1)(d) of the Act.[8] The applicant was invited to comment before a final decision was made.

    [8] Court book at pages 32 to 35.

  34. Relevantly, in its letter of 8 March 2023, the respondent set out the applicant’s complaint and in particular noted:[9]

    You allege DVA has interfered with privacy by failing to comply with APP 11.1 in its handling of personal information.  You refer to a report published by the Australian National Audit Office (ANAO) regarding its audit of DVA.  Specifically, you state that the ANAO identified that DVA did not have any processes in place, at the time of the audit, to ensure that access to personal information was removed from users/staff after termination.

    [9] Court book at page 32.

  35. The respondent further set out the circumstances in which it would consider a complaint to be lacking in substance, namely ‘when there is insufficient information provided to enable us to verify the nature or substance of the complaint’.[10] 

    [10] Court book at page 33.

  36. In addition, the respondent went on to say:

    While we appreciate the concerns you have raised, the report referred to in your complaint states:

    4.3.84 After the ANAO identified this issue, DVA investigated activity of users after they had terminated and concluded that neither its data not IT systems had been compromised. 

    While APP 11.1 is concerned with the security safeguards that an organisation has in place to protect personal information from unauthorised disclosure, it does not prescribe what these steps must be.  Rather, the APP Guidelines advise that to meet the requirements of APP 11.1, an APP entity should implement strategies (internal practices, procedures and systems) in relation to such things as ICT security, access security, third party providers (including cloud computing) and data breaches.

    The identification of a security risk to personal information is not sufficient in itself to prove a breach of APP 11.1 in the absence of any information to suggest the APP entity has not taken reasonable steps to deal with the risk, or that the risk has been realised resulting in an actual authorised access or disclosure. (emphasis added)

    If there is evidence that your personal information has not been protected by DVA failing to restrict systems access to terminated users, the OAIC would then have a basis to review the security steps DVA had in place to consider if these were reasonable in the circumstances as required by APP 11.1 in the handling of your privacy complaint. 

    However, there is no information or evidence before us to suggest that DVA failed to protect the personal information that it holds.  Nor is their (sic) information or evidence to suggest that by lacking processes in place to identify users – who had access to systems, applications and/or data repositories after cessation of employment or contract – this resulted in any unauthorised access or disclosure of your personal information or any other individual’s personal information. 

    As there is insufficient information at this time to establish whether DVA has interfered with your privacy, or any individual’s privacy, in the manner alleged, this complaint is currently lacking in substance. (emphasis added)

  1. The respondent then went on to deal with the fact that the applicant had lodged the complaint as a representative complaint.  In this context, the respondent went on to state ‘for the reasons provided above, we are not satisfied, at this stage, that this complaint has substance. As such, the OAIC has not made a decision on whether to treat this complaint as a representative complaint under s 38 of the Privacy Act’.[11]

    [11] Court book at page 33.

  2. The respondent also went on to state:[12]

    Generally, please note that representative complaints can only be made on behalf of other individuals where the complainant also alleges that the same respondent has interfered with their own privacy.  The alleged interference must arise from the same or similar circumstances and relate to a substantial common issue of law or fact … As above, there is no information to indicate that your privacy has been interfered with as a result of the lack of processes – identified by the ANAO – in place for DVA to ensure that access to personal information was removed from users/staff after termination.

    [12] Court book at page 34.

  3. The respondent indicated that it was inclined to make a decision to exercise its discretion under section 41(1) not to investigate the complaint on the basis that it lacked substance but prior to making that decision, invited the applicant to make any submissions on this preliminary view.

  4. The applicant took up the opportunity to comment on the respondent’s preliminary view.  In his email of 8 March 2022, the applicant expressed strong disagreement with the view that the claim lacked substance.  The applicant expressed the view that the respondent’s assessment was ‘clearly untenable and illogical’. [13]

    [13] Court book at page 37.

  5. The applicant further submitted that APP 11.1 is ‘proactive not retrospective’ and does not rely on evidence of an actual interference with someone’s personal information.  The applicant then set out various factors which he indicated should be taken into account in considering whether ‘reasonable steps’ were taken to protect interference with personal information.  He submitted that when regard was had to these factors, and the Australian National Audit Office (‘ANAO’) report which ‘clearly identifies there was a failure to take such reasonable steps’, that it was untenable for the respondent to conclude that reasonable steps were in fact taken by the DVA. [14]

    [14] Court book at page 39.

  6. The applicant also took issue with the respondent’s view that a breach of APP 11.1 was dependent on the establishment of an actual interference with someone’s personal information.   The applicant’s submission is effectively summarised in the last paragraph in which he said:[15]

    In closing, the ANAO report is explicit in that reasonable steps to prevent misuse, interference, loss, unauthorised access, modification or unintended disclosure of the representative complainants (DVA clients) were not taken by the Department of Veterans’ Affairs, and therefore your intention to recommend dismissal of the representative complaint under s 41(1) of the Privacy Act 1988 (Cth) is untenable, as the basis of your recommendation is factually incorrect and wholly misrepresents the basis of APP 11 (which does not require any evidence of breach to find a breach of APP 11, just that reasonable steps that could have been taken were not taken to prevent the likelihood of such an event). 

    [15] Court book at page 41.

  7. By email on 9 March 2023, the applicant provided further submissions in support of his opposition to the respondent’s preliminary view.  Relevantly, he noted that:[16]

    Systematically failing to remove, for an extended period of years, terminated and separated contractors and employees from Departmental systems with access to the representative complainants’ identified sensitive personal data is a breach of APP 11.1.

    What is reasonable is proportionate and appropriate to the possible risk of a security breach and the level of harm that could result from a breach, as well as the capacity of the APP entity to fund such steps.  Some steps may require more stringent protections, based on the sensitivity or extent of the personal information. 

    If a system contains extremely sensitive personal information, such as health records, agencies must take more steps in protecting the information.

    The primary safeguard in protecting documents containing personal information is to limit access only to those who need to access it in order to do their jobs.

    In this regard, the ANAO report identified a critical failure of such reasonable steps by the Department of Veterans’ Affairs.

    [16] Court book at pages 44 to 45.

  8. On 7 June 2023, the respondent notified the applicant by email that its view was unchanged by the applicant’s further submissions, and it had decided to exercise its discretion under section 41(1)(d) of the Act to not investigate the 1198 complaint on the basis that it lacked substance.[17] In this letter, the respondent addressed the applicant’s responses to its preliminary view provided by the applicant on 8 and 9 March 2023.

    [17] Court book at pages 48 to 55.

  9. The respondent addressed each of the applicant’s comments.  Relevantly, to the extent that the applicant asserted that APP 11.1 is ‘proactive rather than reactive’, the respondent said:

    While I agree with you that APP 11.1 requires APP entities to have reasonable steps in place to protect personal information, which then allows the APP entities to mitigate risk of harm to personal information, the OAIC will not conduct an investigation into whether an entity is complying to its obligations under APP 11.1 unless there is sufficient information to suggest that there may be interference with an individual’s privacy. 

    Section 36(1) of the privacy states (sic):

    An individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of an individual.

    From the information provided, the ANAO has already conducted an investigation into the situation have described in your complaint, being the DVA’s alleged failure to systematically remove terminated and separated contractors and employees from its systems.  It was noted in the ANAO’s report that the DVA found that neither its data nor IT systems had been compromised.

    Further, you have not provided any information or evidence to demonstrate that the DVA’s alleged failure to remove its terminated and separated contractors and employees from its system has led to an interference of your privacy under APP 11.1.  You have only provided a claim that the ANAO’s report explicitly shows that the DVA did not have reasonable steps in place to protect personal information under APP 11.1, at the time of the ANAO’s audit.

    Your reference to the ANAO’s report is not sufficient evidence for the OAIC to use in considering whether the DVA has interfered with your privacy in this instance.

    Therefore, from the information before me, I remain of the view that your complaint is lacking in substance and the OAIC will not be conducting preliminary inquiries with, or investigating the DVA about your complaint.

    However, as previously advised, we referred your concerns to our CII team for consideration.

    The Commissioner has a number of regulatory powers, including the ability to undertake investigations of her own initiative, known as Commissioner Initiated Investigations (CIIs).  …

    You claim that our response to you of 8 March 2023, was not consistent with the APP Guidelines.

    I appreciate your concern in this regard and your view that the OAIC has misapplied APP 11.1 in its assessment of an aspect/s of your complaint.  However, the OAIC assesses each privacy complaint received based on the Commissioner’s views on the practical application of the legislation.  In this instance, we have considered all of the information provided in your complaint received based on the Commissioner’s views on the practical application of the legislation.  In this instance, we have considered all of the information provided in your complaint, when forming our decision, including that there is no information or evidence before us to support your allegations that the DVA has failed to keep your personal information secure.

  10. The respondent also once again considered the fact that the applicant had made the complaint as a representative complaint.  In this regard, the respondent said:

    As previously advised, representative complaints can only be made on behalf of other individuals where the complainant also alleges that the same respondent has interfered with their own privacy.  The alleged interference must arise from the same or similar circumstances and relate to a substantial common issue of law or fact … As stated above, there is no information before us to indicate that your privacy has been interfered with due to the lack of processes in place, identified by the ANAO’s audit, for the DVA to ensure that access to personal information was removed from users/staff after termination.

  11. In June and July 2023, there was further correspondence between the applicant and the respondent in which the applicant continued to take issue with the respondent’s decision to not investigate the 1198 complaint.[18] In particular, on 7 June 2023, the applicant referred to section 13 of the Act which relevantly provided:

    (1)An act or practice of an APP entity is an interference with the privacy of an individual if:

    (a)the act or practice breaches an Australian Privacy Principle in relation to personal information about the individual; or

    [18] Court book at pages 57 to 60, 62 and 64.

  12. The applicant asserted that there was an interference with the privacy of the members of the representative class by virtue of the failure of the DVA to have in place reasonable steps to protect the private information from misuse, interference and loss or unauthorised access, modification or disclosure.  The applicant maintained that the issue for the respondent was whether there was a ‘reasonable contention’ that the DVA had failed to have such measures in place.  The applicant maintained that there is no requirement that only an actual breach or unauthorised access to private information is required to establish a breach of APP 11.1.  Moreover, it was the applicant’s claim that there was such a reasonable contention based on the Auditor General’s report.

  13. In his email of 7 June 2023, the applicant went on to accept that APP 11.1 does not specify what constitutes reasonable steps, but guidance can be had from prior decisions and other publications by the respondent.  Moreover, the applicant further clarified that reasonable steps required to be taken are required to avoid ‘potential harm’ and that it is not necessary to establish a breach of APP 11.1 to establish actual harm.[19] 

    [19] Court book at pages 58 to 59.

  14. On 5 July 2023, the applicant filed his originating application in this court seeking judicial review of the respondent’s decision regarding the 1198 complaint.[20]

    CONSIDERATION AND FINDINGS – 1198 COMPLAINT

    [20] Court book at page 177 and following.

    The Court’s powers on review

  15. The principles governing this court’s powers on review of an exercise of discretion under section 41 of the Act was relevantly summarised by Greenwood J in Jones v Office of the Australian Information Commissioner [2014] FCA 285 (‘Jones’). In Jones, the court explained those principles in the following terms:

    19.As to the s 41(1)(a) discretion, every statutory discretion, or discretionary power, is confined by the subject matter, scope and purpose of the legislation under which it is conferred … and every statutory decision has to be exercised according to the ‘rules of reason’ (R v Anderson;…)

    22. Properly applied, a standard of legal reasonableness does not involve substituting a Court’s view as to how the discretion should be exercised for that of the decision-maker. Accepting then, that there are limits on the Court’s supervisory jurisdiction and that a ‘standard of reasonableness’ is not applied as a mechanism for merits review (or a vehicle for the Court substituting its own view of the manner of exercise of the discretion), but rather a feature of legality in decision making, leaves open the question of how the standard ‘is to be applied and how it is to be tested’ (Li, per Hayne, Kiefel and Bell JJ at [66]).

  16. The applicable principles when exercising a power of review with respect to decisions made under section 41 of the Act were also summarised by Perry J in Simjanovska v Department of Human Services [2019] FCA 499 (‘Simjanovska’) as follows:

    92. … the Court is limited on judicial review to considering only the legality of the Assistant Commissioner’s decision based upon the material before him …

    109. … it is not for this Court to exercise the discretion in s 41(1) of the Privacy Act for itself so as to determine whether or not the Commissioner or the Assistant Commissioner should investigate the applicant’s complaint… The only question for this Court is whether the discretion has been exercised by the Assistant Commissioner according to law.

  17. Whilst the relevant discretionary power considered in both Jones and Simjanovska, was that contained in section 41(1)(a) of the Act, the reasoning equally applies to the exercise of a discretion under section 41(1)(d) and (da).

  18. In essence, in reviewing the way in which the respondent dealt with the 1198 and 1390 complaints, the court is therefore concerned with the legality of the decision not to investigate the applicant’s complaints by reference to the discretionary conditions in section 41 of the Act. It is not for the court to exercise the discretion itself or to stand in the place of the decision maker. To do so would be to venture into the area of impermissible merits review.

  19. The particular state of satisfaction that ought be reached in exercising a discretion under section 41 of the Act was considered by Rofe J in Jaworski v Australian Information Commissioner [2022] FCA 1400 (‘Jaworski’) at [81]:

    81.The Privacy Act does not purport to prescribe the matters to which the decision maker must have regard in assessing whether the state of satisfaction is reached. The question whether the decision maker is required to take specific considerations into account is determined by implication from subject matter, scope and purpose of the Privacy Act. However, if there are errors in the process by which a state of satisfaction is reached, such as by considering extraneous or irrelevant considerations or by excluding relevant considerations, it may be that the state of mind has not been reached in a manner required by the statute. Banks-Smith J observed in Rana v Australian Information Commissioner [2022] FCA 817 at [58]:

    “The requisite state of mind should be one which has been formed logically and rationally upon findings of fact. Further, even if it cannot be detected that an error has occurred in the application of law or consideration of the relevant matters, if the conclusion is one which is wholly unreasonable, it can, nevertheless, be inferred that error has occurred…”

  20. Indeed, in Madzikanda v Australian Information Commissioner [2023] FCA 1445 (‘Madzikanda’), Wheelahan J stated, in the context of the delegate’s decision under section 41(1)(da) of the Act, that:

    52.… It is important to recognise that the delegate was not obliged to make findings, because he was not engaged in a process that involved the adjudication of rights, but only an administrative decision whether to continue to investigate. It is also important not to read too much complexity into the delegate’s reasons for deciding not to continue the investigation, and not to scrutinise the delegate’s reasons in an over-zealous manner with any eye keenly attuned to the detection of error…

  21. In relation to the 1198 complaint, the applicant submits that the respondent did not reach the requisite state of satisfaction required to render the exercise of its discretion under section 41(1)(d) lawful.[21] The applicant therefore seeks orders setting aside the decision of the respondent regarding the 1198 decision and remitting the matter to the Commissioner for reconsideration. The respondent opposes the making of these orders on the basis that it says there is no error in the decision made. The respondent submits that the decision reached by the Commissioner was open to on the material before it and that they reached the requisite state of satisfaction under s 41(1)(d) of the Act.

    [21] Application filed 5 July 2023.

    The state of satisfaction under section 41 of the Act

  22. In his application the applicant states:

    1.The applicant understands the delegate to have mischaracterised the matters they were required to have regard to in assessing whether they reached the state of satisfaction required to be reached, determined by implication from the subject matter, scope and purpose of Australian Privacy Principle… 11.1 of the Privacy Act, such that the required state of mind required by s 41(1)(d) was not reached in the manner required by the Privacy Act, amounting to a jurisdictional error.

  23. It is not in dispute that in circumstances where the Act does not expressly set out the matters that the Commission must have regard to in determining whether a complaint is lacking in substance, that the factors that the Commission may have regard to must be determined by reference to the subject matter, scope and purpose of the Act.[22]

    [22] See Jaworski v Australian Information Commissioner [2022] FCA 1400, [81].

  24. The objects of the Act are set out in section 2A of the Act. It relevantly provides:

    The objects of this act are:

    (a)to promote the protection of the privacy of individuals with respect to their personal information; and

    (aa)     to recognise the public interest in protecting privacy; and

    (b)to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying  out their functions or activities; and

    (c)to provide the basis for nationally consistent regulation of privacy and the handling of personal information; and

    (d)to promote responsible and transparent handling of personal information by entities;

    (e)       ….

    (f)       …

    (g)to provide a means for individuals to complain about an alleged interference with their privacy; and

    (h)      to implement Australia’s international obligations in relation to privacy.

  25. It is clear from the statutory framework set out earlier in these reasons that the respondent is required to investigate a complaint about a possible interference with the privacy of an individual unless it is satisfied that one of the conditions in section 41 is met.

  26. At the heart of the applicant’s application for judicial review, is the applicant’s submission that in concluding that the applicant’s 1198 complaint was lacking in substance, the respondent acted unreasonably.  The applicant points to criticisms made of the respondent in the report of the Royal Commission into the Robodebt Scheme about the approach taken in that instance not to investigate alleged privacy breaches. 

  27. Those observations are, in my view, of limited application in the present application.  Whilst the Royal Commission was critical of the assessments made by the respondent in relation to the matters before it in the Robodebt inquiry, it acknowledged that the question of whether there is a ‘reasonable’ apprehension of possible interference with the privacy of an individual remains the key question. 

  28. It was submitted by the applicant that the ‘delegate’s alleged state of satisfaction that applicant’s privacy complaint was ‘lacking in substance’ is a subjective jurisdictional fact.’[23]The applicant then referred to the decision of Derrington J in EHF17 v Minister for Immigration and Border Protection [2019] FCA 1681. In that decision at [70] - [71], Derrington J said:

    70.Thus, in conformity with the manner in which the legislature has granted power, any review by the Court, as to the existence of a subjective jurisdictional fact must be limited to determining whether the state of mind actually reached is one within the range which the legislature intended to be formed as a pre-requisite to the exercise of power.  If there are errors in the process by which a state of mind is reached, such as by considering extraneous or irrelevant considerations or by excluding relevant considerations, the state of mind will not be that which the legislature impliedly requires.  Similarly, if, in reaching the state of mind, the repository of power has asked themselves the wrong question as a consequence of a mistake of law, the state of mind is not that on which the exercise of power is conditioned.  It might also be noted that the Parliament implicitly intends the requisite state of mind should be one which has been formed logically and rationally upon findings of fact which are logically formed upon probative evidence.  Further, even if it cannot be detected that an error occurred in the application of law or consideration of the correct matters, if the conclusion is one which is wholly unreasonable, it can, nevertheless, be inferred that one of the identified error has occurred.  In Avon Downs at 360, Dixon J identified the range of errors which might vitiate a claimed state of mind on which a power is conditioned in the following manner:

    “If he does not address himself to the question which the [statute] formulates, if his conclusion is affected by some mistake of law, if he takes some extraneous reason into consideration or excludes from consideration some factor which should affect his determination, on any of these grounds his conclusion is liable to review. Moreover, the fact that he has not made known the reasons why he was not satisfied will not prevent the review of his decision. The conclusion he has reached may, on a full consideration of the material that was before him, be found to be capable of explanation only on the ground of some such misconception.  If the result appears to be unreasonable on the supposition that he addressed himself to the right question, correctly applied the rules of law and took into account all the relevant considerations and no irrelevant considerations, then it may be a proper inference that it is a false supposition. It is not necessary that you should be sure of the precise particular in which he has gone wrong. It is enough that you can see that in some way he must have failed in the discharge of his exact function according to law.”

    71.The reference by Dixon J to “unreasonable” did not suggest the existence of a ground of unreasonableness, rather it suggested that if the conclusion was unreasonable in the circumstances, that would evidence the existence of one of the other errors which was not, of itself, patent.

    [23] Applicant’s outline of submissions filed in proceeding MLG 1198 of 2023 on 19 February 2024, paragraph 10.

  1. The applicant further submits that the term ‘lacking in substance’ is essentially a conclusion reached where an investigation ‘would be of no practical effect’ or where the complaint ‘was based on an untenable position of fact or law’ or were ‘misconceived’ or ‘not reasonably made’

  2. The applicant further submits that the decision to exercise a discretion on the basis that a complaint is lacking in substance before even a preliminary investigation is undertaken, is one which ought not be exercised lightly.  Moreover, the applicant submits that the conclusion that the 1198 complaint was lacking in substance could not be logically supported where the complaint identified the relevant APP and pointed to evidence which reasonably supported the complaint of a potential breach.

  3. In support of this submission, the applicant relied upon the High Court decision in Spencer v The Commonwealth [2010] HCA 28 per Hayne, Crennan, Keifel and Bell JJ at [60]. This decision involved section 31A(2) of the Federal Court Act 1976 (Cth) which empowered the court to summarily dismiss an application in circumstances where the Court is satisfied that a party has ‘no reasonable prospects of successfully prosecuting the proceeding or that part of the proceeding’.   It is in this context, that the plurality said at [60]:

    60.… full weight must be given to the expression as a whole.  The Federal Court may exercise power under s 31A if, and only if, satisfied that there is “no reasonable prospect” of success.  Of course, it may readily be accepted that the power to dismiss an action summarily is not to be exercised lightly.  But the elucidation of what amounts to “no reasonable prospect” can best proceed in the same way as content has been given, through a succession of decided cases, to other generally expressed statutory phrases, such as the phrase “just and equitable” when it is used to identify a ground for winding up a company. 

  4. Whilst I do not take issue with the principles to which the applicant refers, ultimately, I am not satisfied that they apply in this instance and nor am I satisfied that the applicant has established an error as claimed. 

  5. The decision that the applicant’s complaint lacked substance was not based on a finding that there was no breach of the APP 11.1, rather it was based on the respondent concluding that there was insufficient information provided to determine whether there may be a breach of APP 11.1.  The applicant did not provide any evidence that his privacy had been breached.  Moreover, the respondent concluded that the mere reference to a risk identified in the ANAO itself was not sufficient to establish a breach of APP 11.1. 

  6. Whilst it is the case that the requirement in APP 11.1 is prospective, in that it requires a party bound to take reasonable steps to protect the privacy of information in its control, it does not require particular steps to be taken.  The comment in the ANAO report identified one risk but did not determine that other measures that may have been taken to protect against unauthorised access were insufficient.  Moreover, the same report noted that the respondent had reviewed its systems and determined that notwithstanding the particular risk identified by the ANAO, no actual privacy breach had occurred.  The conclusions reached by the respondent therefore were reasonably open on the material before it, when regard is had to the statutory framework as a whole. 

  7. Having regard to these matters, I find that it was reasonably open to the respondent to conclude that the complaint lacked substance.  

    Representative complaint under section 36(2) of the Act?

  8. The applicant submitted that the respondent mischaracterised the 1198 complaint by treating it as an individual privacy complaint in the sense contemplated by section 36(1) of the Act, rather than a representative privacy complaint under section 36(2) of the Act as purportedly made. The applicant claims that in doing so, the respondent erred.

  9. To the extent that the applicant claims that the respondent erred in determining that his complaint was not a representative complaint, I find that the respondent made no such determination.  In circumstances where the respondent concluded that the applicant’s complaint lacked substance, it was not necessary for it to consider whether or not the complainant could make a representative complaint.  The respondent simply outlined what would be required for a representative complaint to be accepted.

  10. For each of these reasons I therefore dismiss the application in proceeding MLG 1198 of 2023. 

    BACKGROUND - 1390 COMPLAINT

  11. By the 1390 complaint, the applicant alleged that the DVA had breached APP’s 11.1 and 12.4 in the manner in which it provided a document he requested from the DVA on 11 September 2021.  

  12. On 23 November 2021, the applicant made the 1390 complaint by email to the respondent alleging the DVA’s breach of:[24]

    (a)APP 11.1 as the portal to which the secure link connected required and tracked user logins, thereby capturing unordinary information about users;

    (b)APP 12.4(a)(i) as the DVA’s response time exceeded 30 days;

    (c)APP 12.4(b) as the sending of the document by secure link was contrary to the applicant’s request; and

    (d)APP 11.1 as the document was sent by unencrypted email (this ground of complaint was later added by the applicant by email to the respondent on 11 December 2021).

    [24] Court book at pages 192 to 203.

  13. On 26 November 2021, the respondent wrote to the applicant by email confirming receipt of the 1390 complaint.[25]  

    [25] Court book at pages 205 to 206.

  14. On 23 December 2022, the respondent notified the applicant by email that ‘before assessing the matter for investigation, we have reviewed this complaint and consider it is suitable for a conciliation teleconference as required under s 40A of the Privacy Act.[26] The applicant was advised that a conciliation conference was to occur on 20 February 2023. In that correspondence, the applicant was also invited to provide further information relevant to the complaint and confirm his attendance at the conciliation conference.

    [26] Court book at pages 316 to 318.

  15. On 23 December 2022, the applicant emailed the respondent seeking, amongst other things, elaboration as to why conciliation was deemed to have been suitable by the respondent in the circumstances.[27] 

    [27] Court book at pages 325 to 327.

  16. On 3 February 2023, the respondent notified the applicant by email that, having reviewed the responses received from both the applicant and respondent in relation to the scheduled conciliation conference, it was satisfied there was no reasonable likelihood that the matter would resolve by conciliation, pursuant to section 40A(3) of the Act.[28] The conciliation conference was accordingly vacated. The applicant was advised that the respondent would proceed to assess whether an investigation would be commenced in relation to the 1390 complaint.

    [28] Court book at pages 329 to 330.

  17. On 15 June 2023, the respondent advised the applicant by email that the respondent intended to exercise its discretion under section 41(1)(da) of the Act to decide not to investigate the 1390 complaint, as an investigation was not warranted in the circumstances. The applicant was invited to comment on this preliminary view.[29] The respondent also addressed the grounds of the 1390 complaint summarised at paragraph [80] above in that correspondence.

    [29] Court book at pages 334 to 336.

  18. On 1 July 2023, the applicant emailed to the respondent a series of queries in relation to discrete matters relevant to the preliminary view formed under section 41(1)(da).[30]  The applicant requested a response to these questions by 7 July 2023 to allow him to respond to the respondent’s preliminary view within the specified time frame, namely by 22 July 2023. 

    [30] Court book at pages 338 to 339.

  19. On 4 July 2023, the respondent emailed the applicant addressing the queries raised by the applicant in his correspondence of 1 July 2023.[31]

    [31] Court book at page 342.

  20. On 4 July 2023, the applicant emailed the respondent seeking further clarification in relation to further discrete issues arising from the preliminary view formed by the respondent that an investigation was not warranted.[32]  By emails on 10 and 13 July 2024, the applicant ‘followed up’ the respondent regarding his email of 4 July 2023.[33]

    [32] Court book at pages 344 to 345.

    [33] Court book at page 348; Court book at pages 350 to 351.

  21. On 22 July 2023, the applicant provided his comments on the preliminary view as requested in the respondent’s correspondence of 15 June 2023.[34] In that response, which I do not propose to summarise in detail but which I have considered, the applicant takes issue with the respondent’s proposed decision under s41(1)(da) to close his privacy complaint on the grounds that an investigation is not warranted in all the circumstances.

    [34] Court book at page 353 and following.

  22. On 27 July 2023, the respondent notified the applicant by email of its decision to exercise its discretion under section 41(1)(da) to not investigate the complaint, on the basis that an investigation was not warranted in all of the circumstances.[35]  That letter relevantly stated:

    [35] Court book at pages 371 to 375.

    On 15 June 2023, I wrote to advise you of my intention to exercise the Commissioner's discretion under s 41(1)(da) of the Privacy Act 1988 (Cth) not to investigate your complaint because I was of the view that an investigation was not warranted having regard to all the circumstances. I invited you to comment before making my decision.

    I have carefully considered your detailed submission of 22 July 2023.

    Review of your submission

    I accept that you did not decline to attend the scheduled conciliation conference and that the decision not to proceed with the conciliation conference rested with the OAIC. Upon further review, it is evident that:

    •the OAIC emailed you on 23 December 2022 advising you that your complaint had been listed for a 3 hour conciliation teleconference on 20 February 2023. You were asked to confirm your attendance and contact details, advise whether you wished to nominate a support person and provide details of the resolution you were seeking by 16 January 2023.

    •you responded to the OAIC on 23 December 2022:

    •stating that the OAIC had repeatedly refused to correct claims it allegedly made about you

    •questioning why the OAIC considered conciliation suitable and requesting that the OAIC elaborate on its decision to proceed with a conciliation conference

    •requesting that the OAIC correct the IMM/DLM used when sending correspondence to you and citing the Protective Security Policy Framework.

    •the OAIC emailed you on 3 February 2023 advising that the scheduled conciliation conference had been vacated and that your complaint would be assessed to determine whether an investigation should be commenced.

    I otherwise maintain the views expressed in my letter of 15 June 2023, namely that:

    •whilst unfortunate, the timeframe of approximately 2.5 months to address your access request was not unduly excessive

    •there is no information before me that would suggest that the respondent sought to withhold the requested information from you or intentionally delayed actioning your applications

    •it is difficult to accept that the respondent's attempt to disseminate the requested information via a Secure Email link to an online portal is contrary to the respondent's privacy obligations

    •to the extent that the respondent did not strictly comply with its obligations under the APPs, the nature and impact of that non-compliance is relatively minor

    •any loss or harm you suffered as a result of the respondent's actions appears to be minimal

    •it is unlikely that an investigation will result in a different or more favourable outcome for you.

    In response to your submission, I wish to add that:

    •the OAIC Privacy Regulatory Action Policy relates to the use of regulatory powers conferred on the Commissioner by the Privacy Act and other legislation and outlines the principles to be considered when exercising those powers. In the case of your complaint, I do not consider that regulatory action is warranted. Paragraph 16 of the Policy states that '[w]hen dealing with an alleged contravention of the Privacy Act or other legislation, the OAIC will give individual consideration to that alleged contravention and have regard to all relevant circumstances.' The Policy does not preclude the Commissioner or her delegate from properly exercising the discretion under s 41(1) of the Privacy Act to decide not to investigate a complaint.

    •in my view, ss 41(1) and (2) of the Privacy Act are expressed in a manner which contemplates that the Commissioner may decline to investigate or investigate further a complaint that involves a prima facie interference with an individual's privacy.

    •the fact that matters previously reviewed by the courts relating to the exercise of s41(1)(da) concern complaints about entities not subject to the Privacy Act, or involve relief in relation to other matters, does not in my view preclude me from exercising the discretion in the current circumstances.

    •in respect of your reference to the matter of 'VU' and 'VV', 'VW' (Privacy) [2020) AICmr 52, an investigation was commenced and a determination made under s 52 of the Privacy Act in circumstances where the respondents had not provided the complainant with access to the personal information she had requested and to which she was entitled. The Acting Commissioner declared that the respondents send copies of the complainant's records to the complainant, but did not make any declarations in relation to the payment of compensation because the complainant had not suffered any loss. That matter differs from your complaint in that the respondent actioned your access request, albeit not within a period of 30 days or in the specific manner you had requested.

    •I reject your suggestion that I have not formed, or am not reasonably able to form, the requisite state of mind to exercise the Commissioner's discretion under s 41 of the Privacy Act.

    Decision

    For the above reasons I am satisfied, in accordance with s 41(1)(da) of the Privacy Act, that an investigation of your complaint is not warranted having regard to all the circumstances. Consequently, in my capacity as the Commissioner's delegate, I have determined to exercise the discretion under s 41(1) of the Privacy Act to decide not to investigate your complaint.

    I understand that you are familiar with your review rights. Nevertheless, I have outlined those rights in the attachment to this letter for ease of reference.

    I will now close our file. Thank you for your complaint.

  23. On 27 July 2023, the applicant emailed the respondent expressing dissatisfaction with the decision made under section 41(1)(da).[36]

    [36] Court book at pages 377 to 378.

  24. On 3 August 2023, the applicant filed his originating application in this court seeking review of the respondent’s decision regarding the 1390 complaint.

  25. The applicant alleges that the respondent did not reach the requisite state of satisfaction required under section 41(1)(da) of the Act in deciding not to investigate the 1390 complaint.[37] In his application, the applicant states:

    1.The applicant understands the delegate to have mischaracterised the matters they were required to have regard to in assessing whether they had reached the state of satisfaction required to be reached, determined by implication from the subject matter, scope and purpose of the Privacy Act (including Australian Privacy Principle … 11 and APP 12), such that the required state of mind required by s 41(1)(da) was not reached in the manner required by the Privacy Act, amounting to a jurisdictional error.

    [37] Application filed 3 August 2023.

  26. Further, by that application the applicant states:

    5.The respondent did not conduct any s 40 investigation of the s 36 privacy complaint, or make any s 42 preliminary inquiries for the purpose of determining whether the Commissioner should decide to investigate the s 36 privacy complaint …

    7.Because the delegate made this s41(1)(da) decision before any s 40 investigation or any s 42 preliminary inquiries in the Department of Veterans’ Affairs, the burden of due care referred to by the respondent … in exercising this power is higher than may be the case if the decision was made later in the privacy complaint process.

    11.… the delegate in mischaracterised (sic) the nature of the matters they were required to have regard to in assessing whether they had reached the state of satisfaction that s 41(1)(da) required, applied tests other than that to be found in the APPs and the subject matter, scope and purpose of the Privacy Act (the delegate basing their views, without any investigation of the matters raised, as to their feeling as to the severity of the breaches of the APPs).

    12.The delegate in mischaracterising what was required to be taken into account in assessing what state of satisfaction s 41(1)(da) requires, … did not reach the requisite state of mind in the manner required by the Act, and that failure amounts to a jurisdictional error. …

  27. That application seeks orders setting aside the 1390 decision and remitting the matter to the Commissioner for reconsideration.

    CONSIDERATION AND FINDINGS – 1390 COMPLANT

  28. In considering the application in relation to the 1390 complaint, the issue for the court is whether the respondent erred in deciding to exercise the discretion in s 41(1)(da) of the Act not to conduct an investigation into the applicant’s complaint.

  29. The legal principles set out at [47] to [52] above equally apply in this context. 

  30. The applicant refers to observations made by the Royal Commission into the Robodebt Scheme said in its final report:

    The Information Commissioner’s task is a difficult one. The Commission appreciates the OAIC’s preference for educative and preventative action by conducting assessments under the Privacy Act. However, as noted in the ALRC Report, the OAIC needs to be prepared to adopt a more formal regulatory posture where there is a “reasonable” apprehension of possible interferences with the privacy of an individual.

  31. Accepting that those comments were made in the context of the Royal Commission into the Robodebt Scheme, ultimately, it is for the respondent in any particular circumstance to determine whether to exercise a discretionary power to proceed with an investigation, or not.  That discretion must be exercised reasonably.  The reasonableness of that exercise will be determined by reference to the statutory context in which it arises and the particular circumstances before the decision maker. 

  32. At paragraph 12 of his written submissions filed on 19 February 2024 in proceeding MLG 1390 of 2023, the applicant submits, after setting out his understanding of the relevant case law:

    12.The discretion in s 41(1)(da) is one that can be reasonably exercised where investigation “would be of no practical effect” or the complaint “was based on an untenable proposition of fact or law” or was “misconceived” or “not reasonably made” or possibly even, in the extreme, involved a negligible breach that would never be repeated but logically/rationally this does not apply in this case. Such discretionary powers to dismiss a complaint as “unwarranted” before any preliminary enquiries as to the matters raised in the complaint are made are ones “not intended to be exercised lightly” and are not logically supported where the delegate concedes a prima facie breach has occurred and that loss and harm has been suffered as a result. 

  33. The applicant further submits that the finding that an investigation was not warranted in this case, is untenable and irrational, in circumstances where the respondent has found that there is a prima facie breach of the APP.  It is submitted that the respondent’s conclusion that an investigation was not warranted was no more than a ‘bald conclusion’ and had no logical or rational basis to displace the evidence which supported a section 42 inquiry being undertaken.

  1. The applicant further relies upon a decision of the respondent in VN and VV, VW [2020] AICmr 52 (‘Vu and VV, VW’) in relation to what was held to be an unreasonable delay in responding and therefore a breach of APP 12.  In light of that decision, the applicant asserts that a conclusion that an investigation was not warranted is simply not logical or rational.  

  2. Section 41(1)(da) of the Act was recently the subject of consideration in Foley v Australian Information Commissioner [2024] FCA 169 (‘Foley’s case’).  In that case, the issue was how to deal with two complaints arising out of the same data breach and whether there was a ‘first in time’ approach that should be adopted in determining which complaint ought be investigated.  At [103], Beach J said:

    103.Finally for completeness, there is one interpretation of s 41(1)(da) that may implicitly permit of a consideration of a first in time criterion. If the JWS complaint is being investigated, could it be said that another investigation under the second MB complaint is not warranted? But that is more saying there should be one investigation and not two investigations on foot rather than strictly a first in time criterion as such. In other words, if only one investigation is warranted, then the AIC may have allowed the second MB complaint to be investigated and not the JWS complaint. So, s 41(1)(da) may on one view permit avoidance of duplication, but that does not necessarily entail a first in time criterion as such. But the more likely interpretation of s 41(1)(da) is that it is not a basis for eliminating duplication between complaints, but rather is looking only at the substantive question of whether the relevant act or practice should be investigated or further investigated in substance. But at this stage I will not say anything further concerning s 41 as the parties have not put detailed submissions thereon. And more importantly, the AIC has not purported to exercise any statutory power thereunder.

  3. These obiter comments do not assist the applicant.  Nor do the observations of Beach J at [156] and [159] in Foley’s case.  The issues in Foley’s case are not the same as the issues in this matter. 

  4. As briefly referred to above, in Madzikanda, Wheelahan J considered an application for judicial review of a decision by the AIC not to investigate the complaint, among other things, because they were not satisfied that the investigation was warranted in all the circumstances.  Relevantly, in considering this power, Wheelahan J said (citations excluded):

    49.The ground in s 41(1)(da) of the Privacy Act upon which the Commissioner may decide not to investigate a complaint further is broad, permitting the Commissioner not to investigate further where satisfied that further investigation is not warranted having regard to all the circumstances: … Paragraph 41(1)(da) was not a part of s 41 as originally enacted. It was inserted by Item 85 of Sch 4 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), and commenced on 12 March 2014. The Minister’s second reading speech in support of the Bill which became the 2012 amending Act, referred to the recommendations of the Australian Law Reform Commission in ALRC Report 108 that was titled For Your Information Report: Australian Privacy Law and Practice. The new ground in s 41(1)(da) of the Act reflected recommendation 49-1 in the report. In support of the recommendation the ALRC referred at [49.10]-[49.13] to the tension that existed in striking a balance between systemic issues and issues that have no implications beyond the immediate actions and rights of the parties to a complaint. At [49.11] of the report the ALRC stated:

    “A compromise needs to be made between addressing individual complaints and addressing systemic issues. The compromise recommended by the ALRC is to give the Commissioner more discretion not to investigate individual complaints in certain circumstances. First, the Commissioner should be given a discretion not to investigate an act or practice if he or she is satisfied that an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances. This discretion would enable the Commissioner to dismiss trivial complaints, or complaints that have no prospect of a practical or satisfactory resolution. …”

    50.The scope of s 41(1)(da) of the Privacy Act starts with its text, while at the same time having regard to its context and purpose. Context should be regarded at the first stage and not at some later stage and it should be regarded in its widest sense: Here, the extrinsic material in the form of ALRC Report is part of that context. As I remarked at the outset, the Privacy Act does not create a directly-enforceable action by individuals for the infringement of privacy. The Act provides for a means of complaining about an alleged interference with privacy. The role of the Commissioner is as an administrative gatekeeper of complaints about interferences with privacy. The Commissioner has powers of investigation, but a discretion on a number of grounds not to investigate, or not to investigate further. The powers of investigation include powers to obtain information and documents, the power to hold a hearing, the power to conduct a compulsory conference, and the power to examine witnesses: ss 43-45. However, unlike a court, the Commissioner has no duty to adjudicate rights: the statutory powers of investigation are tempered by the discretion to terminate the investigation.

    51.The words of s 41(1)(da) must therefore be construed in light of the gatekeeping role given to the Commissioner. There is nothing in the text, structure, or purpose of the Act that detracts from giving s 41(1)(da) the broad meaning that the text of the provision bears on its face. The factors upon which the Commissioner may rely in reaching the state of satisfaction provided for by s 41(1)(da) are therefore wide, and it is axiomatic that the weight to be ascribed to such factors is a matter for the Commissioner. For present purposes, it is sufficient to say that I consider that the words “having regard to all the circumstances” in s41(1)(da) are broad enough to entitle the Commissioner to take into account:

    (a) the strength of the evidence concerning a claimed interference with privacy advanced by the applicant in his s 36 complaint;

    (b)       the weight to be given to any legal arguments;

    (c)       the practical utility of pursuing an investigation; and

    (d)       the efficient allocation of the Commissioner’s resources and powers.

  5. In this case, the delegate set out their reasons for determining that an investigation was not warranted in all of the circumstances in their letter of 27 July 2023, set out in full at paragraph [89] above.  In that letter, the delegate set out in six points, a summary of the reasons for its decision that an investigation was not warranted.  Moreover, the delegate went on to address some of the additional matters raised by the applicant in his response, including the applicant’s reliance upon the decision in Vu and VV, VW and explained why in their view that decision differed from the present circumstances.

  6. In his response to this letter, the applicant takes issue with the fact that the delegate did not specifically relate their decision under section 41(1)(da) to the ‘subject matter, scope and purpose of the Privacy Act 1988’. As noted by Wheelahan J in Madzikanda at [52]:

    52.… It is important to recognise that the delegate was not obliged to make findings, because he was not engaged in a process that involved the adjudication of rights, but only an administrative decision whether to continue to investigate.  It is also important not to read too much complexity into the delegate’s reasons for deciding not to continue the investigation, and not to scrutinise the delegate’s reasons in an over-zealous manner with an eye keenly attuned to the detection of error …

  7. In this instance, the reasoning of the delegate is apparent from her correspondence to the applicant dated 27 July 2023.  The reasoning provides a rational and probative basis for the conclusion that an investigation was not warranted.  In relation to the any breach that did occur, the delegate concluded that the nature and impact of any non-compliance was relatively minor.  The question is not whether a different decision maker may have reached a different conclusion, but rather whether the conclusion reached was reasonably open on the material before the delegate having regard to the statutory context in which the power arose, and that it is not illogical or irrational.

  8. I find that there was a rational and probative basis for the conclusion reached by the delegate and the conclusion does not rise to the standard required to find that it is illogical or irrational. 

  9. For completeness I also note that when regard is had to the legislative framework as a whole, it is apparent that a decision that an investigation is not warranted can be made before an investigation is conducted under section 40 and without the need for preliminary inquiries under section 42. In this instances the delegate undertook a fair process in so far as they provided the applicant with notice that they were considering exercising their discretion under section 41(1)(da) not to conduct an investigation, invited him to provide submissions in relation to that preliminary view and had regard to those submissions. Ultimately, the delegate was not persuaded by the submissions put forward by the applicant. That is not sufficient to demonstrate jurisdictional error and invites the court to engage in impermissible merits review.

  10. In Madzikanda a similar argument was rejected by Wheelahan J who said in that case:

    32.… The delegate provided the applicant with a fair opportunity to be heard, which went so far as providing the applicant with an opportunity to respond to the delegate’s preliminary reasons.  In my view, having regard to the delegate’s functions to investigate, and to determine whether an investigation should continue, the delegate afforded the applicant an ample opportunity to be heard.  As Hill J stated in Enichem Anic Srl v Anti-Dumping Authority … at 469 (Gummow J and O’Connor J agreeing):

    “Decision-making is a function of the real world.  A decision-maker is not bound to investigate each avenue that may be suggested to him by a party interested.  Ultimately, a decision-maker must do the best on the material available after giving interested parties the right to be heard on the question.”

    33.It cannot be expected that the delegate will conduct the most searching of inquiries with respect to each and every argument or allegation put by a complainant.  Such a dogged search for truth would be inapposite to the function of real world administrative decision-making.  This is especially so where the discretion exercised here, in respect of which it is alleged that an error has been made, is one related to whether to investigate further a complaint or, instead, to terminate the complaint.

  11. I adopt these observations which in my view, apply equally to the arguments advanced in this case by the applicant.

  12. For these reasons, no reviewable error arises in relation to the 1390 complaint.

    CONCLUSION

  13. For each of these reasons, I therefore make the orders set out at the commencement of these written reasons for judgment.

I certify that the preceding one hundred and ten (110) numbered paragraphs are a true copy of the Reasons for Judgment of Deputy Chief Judge Mercuri.

Associate:

Dated:       24 April 2025


Actions
Download as PDF Download as Word Document
Cases Citing This Decision

0

Cases Cited

8

Statutory Material Cited

1

Jones v Office of the Australian Information Commissioner [2014] FCA 285
Simjanovska v Department of Human Services [2019] FCA 499
Jaworski v Australian Information Commissioner [2022] FCA 1400