SZTVA v Minister for Immigration & Anor

Case

[2016] FCCA 2005

10 August 2016


FEDERAL CIRCUIT COURT OF AUSTRALIA

SZTVA v MINISTER FOR IMMIGRATION & ANOR [2016] FCCA 2005
Catchwords:
MIGRATION – Application for review of decision of Refugee Review Tribunal (Tribunal) – whether Tribunal failed to comply with s.422B(3) and s.425 of the Migration Act 1958 (Cth) because information held by the Department of Immigration and Border Protection relating to the inadvertent release of information concerning the applicant was not available to the applicant – whether for the same reason the Tribunal did carry out a proper review of the application before it – no jurisdictional error.

Legislation:

Migration Act 1958 (Cth), ss.422B, 422B(1), 422B(3), 425, 425(1), 427(3)(b)

Cases cited:
Minister for Immigration and Citizenship v SZMOK [2009] FCAFC 83; (2009) 257 ALR 427
Minister for Immigration and Border Protection v SZSSJ [2016] HCA 29
SZBEL v Minister for Immigration and Multicultural and Indigenous Affairs [2006] HCA 63; (2006) 228 CLR 152
SZSSJ v Minister for Immigration and Border Protection [2015] FCAFC 125
Applicant: SZTVA
First Respondent: MINISTER FOR IMMIGRATION & BORDER PROTECTION
Second Respondent: ADMINISTRATIVE APPEALS TRIBUNAL
File Number: SYG 497 of 2015
Judgment of: Judge Manousaridis
Hearing date: 4 November 2015
Delivered at: Sydney
Delivered on: 10 August 2016

REPRESENTATION

Counsel for the Applicant: Mr P Bodisco
Solicitors for the Applicant: Michaela Byers Solicitor
Counsel for the Respondents: Mr D Hughes
Solicitors for the Respondents: Clayton Utz

ORDERS

  1. The application is dismissed.

  2. The Administrative Appeals Tribunal is substituted for the Refugee Review Tribunal as the second respondent.

FEDERAL CIRCUIT COURT
OF AUSTRALIA
AT SYDNEY

SYG 497 of 2015

SZTVA

Applicant

And

MINISTER FOR IMMIGRATION & BORDER PROTECTION

First Respondent

ADMINISTRATIVE APPEALS TRIBUNAL

Second Respondent

REASONS FOR JUDGMENT

Introduction

  1. This application for judicial review raises two questions. The first is whether, in conducting a review of a decision by a delegate of the first respondent (Minister) not to grant the applicant a Protection (Class XA) visa (Protection visa), the second respondent (Tribunal) denied the applicant procedural fairness. The claimed failure to accord procedural fairness is said to have consisted in the Tribunal’s deciding the application for review without the applicant having access to certain information relating to the Department of Immigration and Border Protection’s (Department) inadvertently making available for access from the Department’s website information about the applicant’s detention.

  2. The second question is related to the first; and that is whether the Tribunal failed to undertake the review of the applicant’s case by conducting the review without the applicant’s having access to information relating to the Department’s making available information relating to the applicant’s detention.

Background

  1. The applicant is a citizen of India, a Christian, and of Ghurkha ethnicity. He arrived in Australia in July 1998 under a student visa. The applicant overstayed his visa and, in 2013, he was detained in an immigration detention centre.

  2. In October 2013 the applicant applied for a Protection visa. The applicant claimed he feared persecution and harm by and from communists in West Bengal because the applicant had been involved with the Ghurkhaland Agitation.  

  3. A delegate of the Minister rejected the application, and the Tribunal, differently constituted from the Tribunal to which this application for judicial review relates, affirmed the delegate’s decision. That decision was set aside by the Federal Court on appeal from orders of this Court. The applicant’s application for review of the delegate’s decision was remitted to the Tribunal. The applicant appeared before the (now differently constituted) Tribunal on 18 February 2015.

  4. In February 2014 a routine report was inadvertently released on the Department’s website (data breach) which permitted access to some personal information of persons who were in detention as at 30 January 2014.  By letter dated 12 March 2014[1] the Department informed the applicant of the data breach, and informed him that some of his personal information may have been accessed through the report. The letter further stated:[2]

    [1] CB263

    [2] CB263

    The information was never intended to be in the public domain, and the department has taken a number of steps to ensure that this sort of incident does not happen again.

    The information that was possible to access was your name, date of birth, nationality, gender, details about your detention (when you were detained, reason and where) and if you have other family members in detention.

    . . . .

    The department will assess any implication for you personally as part of its normal processes. You may also raise any concerns you have during those processes.

  5. By letter dated 27 June 2014 to the applicant,[3] the Department noted the applicant had applied to the Tribunal for review of the delegate’s decision, and that the application suggested the applicant believed he may be adversely affected by the data breach, and that he may have claims that engage Australia’s protection obligations. The letter invited the applicant “to put in writing any concerns you may have regarding the impact of the data breach to you personally”. It appears the applicant responded by letter dated 2 July 2014.

    [3] CB264

  6. By letter dated 23 December 2014 to the applicant,[4] after referring to the Department’s having previously informed the applicant of the data breach, the Department’s letter dated 27 June 2014, and the applicant’s letter dated 2 July 2014, the Department stated that the Tribunal was the appropriate forum for the applicant to raise any protection claims he may have in relation to the unintentional release of any personal information as a consequence of the data breach. The letter further stated:[5]

    Should you have any protection claims in relation to the privacy data breach, including any information you provided to the department in your letter, the department now considers it your responsibility to submit them to the RRT.

    [4] CB307-308

    [5] CB307

  7. Sometime before 2 February 2015 the applicant was provided with an abridged report that had been prepared by KPMG. The Department commissioned that report after it had been alerted to the data breach. As recorded by the High Court in Minister for Immigration and Border Protection v SZSSJ:[6]

    Having been alerted to the Data Breach, the Department retained external consultants, KPMG, to investigate. KPMG prepared a report for the Department. An abridged version of the KPMG report was later made available to affected applicants. The abridged version of the report recorded that, during the 14 days in which the document disclosing the identities of the visa applicants had remained on the website, the document had been accessed 123 times and that the access had originated from 104 unique internet protocol (“IP”) addresses.

    The abridged version of the KPMG report did not record those IP addresses or give the precise time of access. Rather, the abridged version stated:

    “It is not in the interests of detainees affected by this incident to disclose further information in respect of entities [who] have accessed the Document, other than to acknowledge that access originated from a range of sources, including media organisations, various Australian Government agencies, internet proxies, TOR network and web crawlers”.

    [6] [2016] HCA 29, [5]-[6]

  8. By letter to the Tribunal dated 2 February 2015, the migration agent for the applicant submitted it would be impossible for the Tribunal to consider the applicant’s claims for protection based on the data breach in the absence of the applicant’s being given access “to the information held by DIBP”.[7]  The agent further submitted that if the Department will not give the applicant access to that information “the only course of action open to you is to recognise the applicant as a refugee sur place”. Finally, the agent submitted that, if the Tribunal were to determine the applicant’s claims adversely to the applicant “without disclosing any information in relation to the data breach then you have breached the rules of natural justice and procedural fairness”.

    [7] CB162

The hearing before the Tribunal

  1. At the hearing before the Tribunal, the applicant, although invited to do so, did not make any submissions about the harm he said he would or might face as a result of the data breach. That is apparent from the following passage from the Tribunal’s reasons for decision:[8]

    At the second hearing, when the applicant was asked to expand on his claims relating to the department’s data breach, he said he would be unable to comment until he knows what the information in relation to the data breach is. When asked if he was claiming that he would be subjected to harm as a result of the data breach, he said he would not comment.

    [8] CB328, [37]

Tribunal’s decision

  1. The Tribunal accepted that in February 2014 a routine report was unintentionally released on the Department’s website, disclosing some of the applicant’s personal information, namely, the applicant’s name, date of birth, nationality, gender and details about his detention, including when he was detained, the reasons for his detention, and where he was detained. The Tribunal was also prepared to accept that this information might have been accessed in India.[9]

    [9] CB328, [36]

  2. After noting the applicant was not prepared to expand on his claims relating to the data breach at the hearing, and that the Tribunal had informed the applicant that the information concerning the applicant that had been disclosed was his name, date of birth, nationality, gender, and details of his detention, the Tribunal found there was no evidence that any of that information was published or had been accessed by anyone. The Tribunal further found that, even if it were to accept that publication of the information relating to the applicant identified him as having sought protection in Australia, there was “no evidence to suggest that Indian nationals face adverse treatment, following their return to India, for reason of having applied for refugee status abroad”.[10]

    [10] CB329, [38]

Failure to comply with s.422B(3) and s.425 of the Act

  1. The first ground of application stated in the amended application is that the applicant was not given a fair hearing as was required by s.422B and s.425 of the Migration Act 1958 (Cth) (Act). The basis of that ground is that the applicant had requested, but has not received, from the Department the information which the Full Federal Court in SZSSJ v Minister for Immigration and Border Protection[11] held that the Minister was obliged to give to persons who were potentially adversely affected by the data breach. That appears to be a reference to “the full circumstances of the Data Breach, including by not being provided with the unabridged KPMG report” referred to by the Full Federal Court in SZSSJ (Claimed Information).[12]

    [11] [2015] FCAFC 125 (Rares, Perram and Griffiths JJ)

    [12] SZSSJ v Minister for Immigration and Border Protection [2015] FCAFC 125 at [126]

  2. In his written submissions, counsel for the applicant relied on s.422B(3) of the Act which provides that, in applying Division 4 of Part 7 of the Act, the Tribunal “must act in a way that is fair and just”. Counsel also relied on s.425 of the Act, and SZBEL v Minister for Immigration and Multicultural and Indigenous Affairs,[13] submitting that the applicant’s not having access to the Claimed Information rendered the process before the Tribunal unfair. It was unfair because the Tribunal found there was no evidence to support the applicant’s claims in circumstances where the Tribunal knew the applicant did not have access to information the Department held that was “credible, relevant and significant”.[14]

    [13] [2006] HCA 63; (2006) 228 CLR 152 (Gleeson CJ, Kirby, Hayne, Callinan and Heydon JJ)

    [14] Applicant’s Outline of Submissions, 21.10.2015, [14]

  3. Counsel for the Minister, on the other hand, relying on Minister for Immigration and Citizenship v SZMOK,[15] submitted that s.422B(3) of the Act was not intended to qualify in any way the express statement in s.422B(1) that Division 4 of Part 7 of the Act is taken to be an exhaustive statement of the requirements of the natural justice hearing rule in relation to the matters it deals with. Counsel also submitted the authorities on which the applicant relies requiring that the decision maker disclose information only applies where the decision maker holds the information, yet the Tribunal itself did not hold the Claimed Information.

    [15] [2009] FCAFC 83; (2009) 257 ALR 427 at [17] (Emmett, Kenney, and Jacobson JJ)

  4. In response to counsel for the applicant’s submissions based on s.425 of the Act, the Minister submitted that SZBEL has no application to the present case. There is no issue that was before the Tribunal of which the applicant did not have notice. Counsel for the Minister further submitted that the ground based on s.425 of the Act is based on an unfounded assertion that the applicant’s not having access to the Claimed Information prevented the applicant from having a sufficient opportunity to give evidence and make submissions about the data breach.

  5. In my opinion, ground 1 fails for a number of reasons. First, it is premised on the proposition that the applicant claimed he faced a risk of harm as a result of the data breach. That premise, however, is not correct. Although the applicant, through his agent, and at the hearing before the Tribunal, claimed he needed to have access to the Claimed Information, the applicant did not articulate the harm or possible harm he feared or claimed might occur to him as a result of the data breach if he were to return to India. The applicant decided not to comment in response to the Tribunal’s question whether the applicant was claiming he would be subjected to harm as a result of the data breach. In those circumstances, it is difficult to see how there could have been any unfairness in the manner in which the Tribunal conducted its review.

  6. Second, the submission that the Department held information that “was credible, relevant and significant” is an unsupported assertion. The applicant does not identify the information which he claims was “credible, relevant and significant information”, or how such information is said to be credible, relevant, and significant. That is not surprising, given the applicant was unwilling to inform the Tribunal of the harm he feared would or might occur to him as a result of the data breach. Further, as I have already noted, the Tribunal was prepared to assume that the data breach identified the applicant as having sought protection in Australia. It is difficult to see how, in those circumstances, the Claimed Information could have been “relevant and significant” to the review.

  7. Third, it is not suggested the Tribunal held the Claimed Information. It was open to the applicant to request the Tribunal under s.427(3)(b) of the Act to summon a person to produce documents in relation to the data breach. It may be the Tribunal would have refused such application, given the applicant’s having elected not to answer the Tribunal’s question whether he was claiming he would be subjected to harm as a result of the data breach. In any event, it cannot be said the Tribunal acted unfairly, or made any jurisdictional error, by not considering information that was not in its possession, or by not considering a request that was not made to it that it should summon the Department to produce information that was not in the possession of the Tribunal.

  8. The applicant’s position before the Tribunal may have been premised on the view that was accepted by the Full Federal Court in SZSSJ, namely, that procedural fairness required the Department to provide to the applicant the unabridged KPMG report, among other information. That view, however, must now be assessed in the light of the High Court’s decision in Minister for Immigration and Border Protection v SZSSJ.[16]

    [16] [2016] HCA 29

  9. In Minister for Immigration and Border Protection v SZSSJ a number of persons in detention whose personal details were made available as a result of the data breach were given letters to the same effect as the letter dated 12 March 2014 the Department sent the applicant in the case before me. The Department later wrote to these persons that an “ITOA” had been commenced to assess the effect of the data breach on Australia’s non-refoulement obligations in relation to those persons.[17] “ITOA” is the acronym for “International Treaty Obligations Assessment”. As the High Court explained, an ITOA was a process “conducted in accordance with standardised procedures set out in the Department’s publicly available Procedures Advice Manual”.[18] The High Court further noted:[19]

    The purpose of conducting these particular ITOAs was to assess the effect of the Data Breach on Australia's international obligations with respect to affected applicants. The particular international obligations to which the ITOAs were directed were Australia's non-refoulement obligations under the Refugees Convention, the Torture Convention and the International Covenant on Civil and Political Rights.

    [17] See for example Minister for Immigration and Border Protection v SZSSJ [2016] HCA 29 at [19]

    [18] [2016] HCA 29 at [9]

    [19] [2016] HCA 29 at [9]; [19] (footnotes omitted)

  10. The High Court agreed with the Full Federal Court that, by issuing to SZSSJ (and others) a letter to the same effect as the letter dated 12 March 2014 the Department sent the applicant in the case before me, the Minister came under a duty to exercise procedural fairness to SZSSJ (and to the other applicants to whom similar letters were sent) when determining the impact of the data breach on Australia’s non-refoulement obligations. The High Court held, however, that the Minister did accord procedural fairness to SZSSJ and the other applicants in that case. The High Court said:[20]

    Whatever the inadequacy of the standard letter sent to them and to other applicants in March 2014, there could be no doubt that SZSSJ and SZTZI were put squarely on notice of the nature and purpose of the assessment and of the issues to be considered in conducting the assessment from the time of the formal notification of the commencement of the ITOA process with respect to each of them. In the case of SZSSJ, that occurred in the letter of 1 October 2014. In the case of SZTZI, it occurred in the letter of 13 January 2015.

    SZSSJ and SZTZI were each then told that an assessment was to be conducted. They were told that the assessment to be conducted was an ITOA in accordance with procedures set out in the Procedures Advice Manual. They were told that the purpose of conducting the ITOA was to assess the effect of the Data Breach on Australia's non-refoulement obligations under the Refugees Convention, the Torture Convention and the International Covenant on Civil and Political Rights with respect to them.

    [20] [2016] HCA 29 at [86]-[87]

  11. The High Court also held that procedural fairness did not require the applicants in that case to be given access to the unabridged version of the KPMG report:[21]

    SZSSJ and SZTZI were not deprived of any opportunity to submit evidence or to make submissions relevant to the subject-matter of the ITOA process as a result of not having such further information as might be inferred to have been contained in the unabridged version of the KPMG report. Exactly how and why the Data Breach occurred was simply not relevant to the question of whether one or more of Australia's non-refoulement obligations were engaged in respect of them. And irrespective of what the unabridged KPMG report might have to say about the identities of the 104 IP addresses from which the document had been accessed during the 14 day period of the Data Breach, the fact would remain that once the document was downloaded the personal information of SZSSJ and SZTZI could have been accessed by anyone. Even if the unabridged KPMG report might have allowed SZSSJ and SZTZI to prove by reference to the report that one or more of those IP addresses were associated with persons or entities from whom they feared harm, that proof would advance their cases for engagement of Australia's non-refoulement obligations no further than the assumption already made in their favour.

    [21] [2016] HCA 29 at [92]

  1. The applicant in the case before me was not offered an ITOA assessment. In its letter dated 23 December 2014, however, the Department informed the applicant that if he had any protection claims in relation to the data breach, it was the applicant’s responsibility to submit those claims to the Tribunal. Just as in Minister for Immigration and Border Protection v SZSSJ, therefore, the applicant before me was given notice of the data breach and of the means by which the applicant could pursue a claim that, because of the data breach, Australia owed the applicant protection obligations. Further, given the Tribunal was prepared to assume that the data breach in fact identified the applicant as having sought protection in Australia, and the applicant was not prepared to inform the Tribunal of the harm the applicant feared would or might occur to him as a result of the data breach, it is not possible to say how the availability to the applicant of the unabridged KPMG report and any other Claimed Information could have assisted the applicant.

  2. In the course of oral address, counsel for the applicant submitted the Tribunal was required to accord the procedural fairness the Full Federal Court in SZSSJ held it was necessary for the Minister to accord to applicants in that case.[22] Even if the Full Federal Court’s reasoning had been approved by the High Court, I would not have accepted that submission. First, the issue in SZSSJ was whether the Minister was under a common law duty to accord procedural fairness and, if so, whether the Minister did accord procedural fairness. Because of s.422B of the Act, however, the Tribunal’s duty to accord procedural fairness is limited to the duties provided by Division 4 of Part 7 of the Act. The applicant did not fail to comply with s.425 of the Act, or otherwise act unfairly. The applicant was invited to attend a hearing before the Tribunal to give evidence and present arguments. He had been given notice by the Department before the Tribunal hearing that if the applicant wished to claim Australia owed the applicant protection obligations, he should advance that claim before the Tribunal; and the Tribunal specifically invited the applicant to make submissions about whether he claimed Australia owed him protection obligations as a result of the data breach.

    [22] T17.35

  3. Second, and in any event, the High Court in Minister for Immigration and Border Protection v SZSSJ held the Minister did accord procedural fairness to the applicants in that case. In my opinion, even if the Tribunal had been under a common law duty to accord procedural fairness, for the reasons I have already given, the Tribunal did accord the applicant procedural fairness.

Not conducting required review

  1. The second ground claims the Tribunal failed to conduct the review of the applicant’s case it was required to conduct because the Tribunal decided the review when it was “fully aware that there was credible, relevant and significant information in the possession of the” Department to which the applicant had no access. This ground substantially, if not entirely, overlaps with ground 1.

  2. The Tribunal did review the applicant’s case according to law. It asked the applicant to expand on claims he had based on the data breach, and specifically asked the applicant whether he was claiming he would be subjected to harm as a result of the data breach. The Tribunal considered the material before it. It cannot be said the Tribunal did not review the applicant’s case because it did not consider information that was not before it.

  3. Ground 2, therefore, also fails.

Conclusion and disposition

  1. The applicant has failed on both of his grounds. The application will therefore be dismissed. I propose to order that the Administrative Appeals Tribunal be substituted for the Refugee Review Tribunal as the second respondent.

I certify that the preceding thirty-one (31) paragraphs are a true copy of the reasons for judgment of Judge Manousaridis

Date: 10 August 2016


Areas of Law

  • Administrative Law

  • Immigration

Legal Concepts

  • Judicial Review

  • Natural Justice

  • Procedural Fairness

  • Jurisdiction

Actions
Download as PDF Download as Word Document


Cases Citing This Decision

3