SZTYD v Minister for Immigration

FEDERAL CIRCUIT COURT OF AUSTRALIA

REPRESENTATION

ORDERS

1. The application made on 15 August 2016, amended on 27 September 2016 and further amended on 13 February 2017 is dismissed.

2. The applicant pay the first respondent’s costs set in the amount of $7,206.

SYG 2207 of 2016

Applicant

And

First Respondent

Second Respondent

REASONS FOR JUDGMENT

1. By way of an application filed on 15 August 2016 and amended on 27 September 2016, then further amended as attached to submissions filed on 13 February 2017, the applicant seeks the following relief:

   “1. A declaration that the exercise of ministerial discretion under subsection 46A(2) of the Act on 13 August 2015 was not in accordance with law and the exercise of ministerial discretion under subsection 46A(2) of the Act applies to allow the applicant to make a SHEV visa application with its associated bridging visa is one visa application.

   2. Alternate to Order 1, a declaration for the SHEV visa application’s associated bridging visa be decided in accordance with law.

   3. Costs.

   4. Such other orders as the Court thinks just and necessary.

   5. Interlocutory relief by the issue of a writ of habeas corpus. ”

   [Errors in original.]

   I note that the issue of a writ of habeas corpus was not pressed by the applicant and this was noted in orders made by the Court on 12 October 2016.

2. The evidence before the Court is as follows:

   a)A bundle of relevant documents filed and tendered by the Minister (“the Court Book” – “CB”, “RE1”).

   The applicant tendered the following:

   b)A letter from the former Secretary of the Department of Immigration and Border Protection to the applicant dated 12 March 2014 (“AE1”).

   c)Certain “data breach” information (“AE2”).

   d)A KPMG abridged report dated 20 May 2014 (“AE3”).

3. The parties also handed up an Agreed Statement of Facts at the Court event on 24 February 2017. In oral submissions, it was also agreed by the parties that an abridged KPMG report was publicly available at all relevant times.

4. The Minister’s written submissions filed on 20 February 2017 set out the background to this matter in some detail. I am satisfied, having regard to the evidence before the Court, that they contain a fair summary of the relevant background as follows ([2] – [7] of the Minister’s written submissions):

   “[2] The applicant, who is a national of Sri Lanka, travelled to Australia by boat and arrived at Christmas Island in November 2012. He was taken into immigration detention, where he has remained since. In February 2014, personal information relating to persons in immigration detention on 31 January 2014 was inadvertently and briefly made available on the internet by the Department (the data breach).

   [3] On 13 August 2015, the Minister exercised his power under s 46A(2) of the Migration Act 1958 (Cth) (the Act) to allow the applicant to lodge an application for a Temporary Protection Visa or a Safe Haven Enterprise Visa (SHEV). The submission signed by the Minister contained various attachments, with one (Attachment B) listing illegal maritime arrivals who were in detention, including the applicant. The submission stated “[a]ny decision made by you to exercise your power to lift the bar will only be in regard to a TPV or a SHEV application and will not include an associated Bridging Visa E. In October 2015, the applicant lodged an application for a SHEV. He made a further application for a SHEV on 22 April 2016 and withdrew his earlier SHEV application. The applicant satisfies the definition of “fast track applicant” under s 5(1) of the Act.

   [4] On 22 June 2016 a delegate of the Minister refused to grant the applicant a SHEV. The applicant was notified in the letter enclosing his decision record that his case had been automatically referred to the IAA for review. On 5 August 2016, the IAA affirmed the decision not to grant the applicant a protection visa.

   [5] The IAA noted that during the interview with the delegate, the applicant claimed that as a result of the data breach, the Sri Lankan police would be aware of his information and would easily be able to track him down; and that the Sri Lankan authorities may think he is a terrorist and send him to prison because they would be aware that he had previously used a Tamil name (in an earlier, fraudulent, claim for the purposes of seeking asylum in New Zealand).

   [6] The IAA decision considered new information in relation to the data breach. The IAA stated that it considered it necessary to obtain such information in order to determine the claim concerning the data breach and because there was insufficient information before it regarding the data breach to enable it to properly assess the claim. The IAA was satisfied that there were exceptional circumstances justifying the consideration of this new information under s 473DD of the Act. For the purposes of s 473DE(3)(a), the IAA considered that this information was not specifically about the applicant and was just about a class of persons of which the applicant is a member (ie, people whose information was included in the data breach). The new information consisted of a newspaper report in relation to the judgment of the Federal Court in SZSSJ v Minister for Immigration and Border Protection [2015] FCAFC 125, the judgment itself and the Office of the Australian Information Commissioner (OAIC)’s report into the data breach.

   [7] The IAA stated that it would give the applicant the benefit of the doubt as to the disclosure of his personal information in the data breach, because the delegate had accepted that his information had been disclosed. The IAA accepted that authorities in Sri Lanka may have accessed the disclosed information, but was not satisfied that the applicant would face harm due to the data breach, because his claims for protection were made after the data breach and in any event, the OAIC’s report indicated that the data released did not include the nature of the applicant’s claims. The IAA considered that the Sri Lankan authorities would be able to identify the applicant as having applied for asylum in Australia from the circumstances of his return to Sri Lanka and found no material significance to any risk of harm arising from the data breach.  The IAA considered each of the applicants’ claims individually and cumulatively as well as his personal circumstances and was not satisfied that he had a well-founded fear of persecution, or that there was a real risk that he would suffer significant harm, due to his political claims, his claim of having been a victim of rape, his claims arising from the data breach and/or his pretending to be a Tamil.”

   [Footnotes omitted.] [Errors in original.]

5. The applicant presented the further amended application attached to his submissions filed on 13 February 2017. The grounds of that application are in the following terms:

   “1. The Minister has still not undertaken the normal departmental process as promised in the Secretary’s letter dated 12 March 2014 and as detailed in the High Court of Australia’s judgment in the matters of Minister for Immigration and Border Protection v SZSSJ; Minister for Immigration and Border Protection v SZTZI [2016] HCA 29 in [52] to [55].

   Particulars

   a. The Immigration Assessment Authority is not part of the normal departmental process; and

   b. The Immigration Assessment authority does not exercise any power under section 48B, 195A or 417;

   2. The Immigration Assessment Authority failed to apply the assumption that all of the applicant’s personal information had been accessed by all the persons or entities from whom he feared persecution or other relevant harm as held by the High Court of Australia in Minister for Immigration and Border Protection v SZSSJ; Minister for Immigration and Border Protection v SZTZI [2016] HCA 29 in [91].

   Particulars

   a. A [5] the Immigration Assessment Authority found these was ‘insufficient information before me regarding the data breach for me to be able to properly assess the claim’.

   3. The Secretary breached his legislative duty under s418(3) 473CB(1)(c) of the Migration Act 1958(Cth) by failing to forward the appellant’s disclosed personal information to the Tribunal/Authority and thereby causing the Authority to constructively fail to consider the data breach claim.

   4. The Immigration Assessment Authority asked itself the wrong question and/or made an irrelevant consideration.

   Particulars

   a. At [31] the Authority found as follows:

   I do not consider there to be any material significance to the applicant’s risk of harm that his personal details were included in the data breach. I consider Sri Lankan authorities would be able to identify the applicant applied for asylum in Australia from the circumstances of his departure from and return to Sri Lanka;

   b. The Authority made this finding without actually knowing what information was disclosed, in particular the applicant’s boat ID number was disclosed;

   c. Until the data breach occurred Sri Lankan authorities did not know that the applicant had departed Sri Lanka illegally and was being held in immigration detention in Australia for X number of days indicating Australia’s adverse interest in the applicant.

   5. The First Respondent has incorrectly applied the operation of section 46A in relation to the applicant’s two valid Safe Haven Enterprise (Class XE) visa applications.

   Particulars

   a. The SHEV visa applications and its associated  bridging visas are one visa application requiring the First Respondent to exercise his power under subsection 46A(2) on one occasion only;

   b. On 13 August 2015 the First Respondent exercised his power under subsection 46A(2) to allow the applicant to make two valid SHEV visa applications then on both occasions in October 2015 and 22 April 2016 the First Respondent had two days to act in accordance with section 75 of the Act and either grant or refuse the associated bridging visa;

   c. As the First Respondent has failed to make and notify the applicant of his decision in relation to the associated bridging visa, the applicant seeks a declaration to the First Respondent for the determination of the applicant’s SHEV visa application’s associated bridging visa in accordance with law;

   d. Alternately, the First Respondent has acted unreasonably in delaying to make and notify his decision not to exercise his power under subsection 46A(2) of the Act to grant the associated bridging visa applications made in October 2015 and 22 April 2016. The applicant seeks a declaration to the First Respondent to determine the applicant’s SHEV visa applicant’s associated bridging visa in accordance with law.

   6. The Second Respondent erred in not providing the new information obtained about the data [b]reach to the applicant in accordance with s473DE of the cCt and erred in treating the information as falling within the exception created by s473DE(3)(a).”

   [Errors in original.]

   I note that in the written submissions there is a “proposed additional ground” for which leave was granted at the hearing for the applicant to rely on, and which subsequently became ground 6.

6. Before the Court, the applicant indicated that grounds 1 and 5 were not being pressed. Leave was granted for the applicant to proceed on the grounds of the further amended application.

7. Ground two was explained by the applicant as follows. First, the applicant was denied procedural fairness by the delegate, whose decision to refuse the applicant a protection visa, was the subject of review by the IAA. This failure was said to arise because the applicant was not given the unabridged KPMG report.

8. The context for this complaint arises from the inadvertent release of some of the applicant’s “identifying information” on the internet (on the Minister’s departmental website), also described as the “data breach” incident. The applicant was one of a number of persons whose information was disclosed in this fashion. The Minister’s department commissioned a report from KPMG about this matter. An abridged version of this report was publicly released. However, that report did not contain information about who accessed the data breach information while it was available on the Internet. The applicant was not otherwise told who had accessed the data breach information.

9. Before the Court, the applicant explained the legal basis for the above argument as follows. In SZSSJ v Minister for Immigration and Border Protection [2015] FCAFC 125; (2015) 234 FCR 1, the Federal Court found, in circumstances similar to the current case, that procedural fairness required that information pertaining to who accessed the data breach information be disclosed to the applicant. Subsequently, the High Court in Minister for Immigration and Border Protection v SZSSJ; Minister for Immigration and Border Protection v SZTZI [2016] HCA 29; (2016) 333 ALR 653 (“SZSSJ”), held that any proposed failure of procedural fairness was not material in circumstances where, as in SZSSJ, the decision-maker proceeded on the basis that those from whom the applicant claimed to fear harm had accessed the person’s information that had been released on the internet (the “assumption”).

10. The applicant’s argument is that the current circumstances can be distinguished because the delegate, that is, the person who made the primary decision in relation to the applicant, had not proceeded on this basis. Given that the publicly available abridged KPMG version did not contain information as to who accessed this information, and the unchallenged unabridged version was not given to the applicant, he was denied the opportunity to comment on the consequences of any access by claimed persecutors on his risk of harm. Therefore, the applicant submits he was denied procedural fairness by the delegate as the primary decision-maker.

11. This part of the applicant’s submissions was plainly focused on the delegate’s decision. In essence, both in respect of the argument set out above, and in relation to the development of the argument as explained below, the applicant invites the Court to review the delegate’s decision and to conclude that that decision was affected by a failure of procedural fairness.

12. The Court has no power in the circumstances of this case to review the delegate’s decision for jurisdictional error. The Court’s jurisdiction in migration matters is derived from s.476 of the Migration Act 1958 (Cth) (“the Act”). As is set out at s.476(2)(a) of the Act, this Court has no jurisdiction to review a “primary decision”. That term is defined at s.476(4) of the Act, and includes, at s.476(4)(c) of the Act, a decision “that has been, or may be, referred for review under Part 7AA (whether or not it has been reviewed).”

13. There is no doubt that the delegate’s decision was caught by this provision. In the current case, not only was the delegate’s decision reviewable by the IAA, it was in fact reviewed.

14. However, the applicant’s ground as pleaded in the further amended application, makes no mention of the delegate’s decision but asserts a failure on the part of the IAA to apply the same “assumption” identified in SZSSJ.

15. On a fair reading of the IAA’s decision record, that contention must be rejected. The IAA’s consideration of the “data breach” issue is set out at [29] – [32] of its decision record (at CB 204 to CB 205).

16. The IAA noted that before the delegate, the applicant had claimed that his personal information was included in the data breach, and that the Sri Lankan Criminal Investigation Department (CID) would be aware of this information and “would easily be able to track him down” ([29] at CB 204).

17. The IAA also took into account “new information” in relation to the data breach. It found (at [30] at CB 204):  

    “As noted above, I considered new information in relation to the data breach. That information states the private details of some people in immigration detention mistakenly were made publically available in a document on the website of the department (“the Document”) for a period of approximately 14 days in February 2014 (“the data breach”). The applicant did not provided any correspondence from the department to demonstrate his details were on the document, but delegate’s decision concedes the applicant’s details were included in the data breach and therefore I give the applicant the benefit of the doubt that is the case. The facts before the Full Court Federal Court in SZSSJ are that the Document was accessed 123 times and in its report to the department following the data breach, KMPG stated it was not possible to discount the authorities in another country may have accessed the Document. I therefore am open to accepting the possibility the Sri Lankan authorities have accessed the Document. The applicant claims because of the data breach, he will be identifiable by the Sri Lankan authorities as having applied for asylum in Australia.” 

    [Errors in original.]

18. The IAA ultimately concluded that as the applicant had made the application considered by the delegate after the date of the data breach, it was not possible that details of his claims to protection would have been accessed by the Sri Lankan authorities ([31] at CB 205).

1. In his submissions, the applicant made reference to that part of the IAA’s analysis where the IAA said ([30] at CB 204):

   “…The facts before the Full Court Federal Court in SZSSJ are that the Document was accessed 123 times and in its report to the department following the data breach, KMPG stated it was not possible to discount the authorities in another country may have accessed the Document. I therefore am open to accepting the possibility the Sri Lankan authorities have accessed the Document. The applicant claims because of the data breach, he will be identifiable by the Sri Lankan authorities as having applied for asylum in Australia.”

   [Emphasis added.][Errors in the original.]

2. The argument appears to be that there was a denial of procedural fairness because the applicant had never seen the KPMG report. He submits now that he therefore lacked notice of “the issue”, and was denied the “opportunity to comment” on it (see [35] of the applicant’s written submissions filed on 13 February 2017).

3. In context, “the issue” appears to be the IAA statement as follows ([31] at CB 205):

   “…I do not consider there to be any material significance to the applicant’s risk of harm that his personal details were included in the data breach I consider the Sri Lankan authorities would be able to identify the applicant applied for asylum in Australia from the circumstances of the his departure from return to Sri Lanka.”

   [Errors in original.]

4. If the complaint is that the IAA found that the Sri Lankan authorities would be able to identify the applicant because he had applied for asylum in Australia from the circumstances of his departure from Sri Lanka, then this is a finding of fact made by the IAA which was reasonably open to it. This complaint really seeks impermissible merits review.

5. In terms of a denial of procedural fairness, on the available evidence before the Court, the circumstances of the applicant’s departure from Sri Lanka were not in dispute. The IAA accepted that the applicant departed Sri Lanka illegally without a passport, and had therefore committed an offence under the relevant Sri Lankan departure laws (see [33] at CB 205).

6. In oral submissions before the Court, the applicant’s further argument developed a new iteration, or at least a sharper focus to the complaint expressed in the terms of ground two.

7. The argument was that the IAA had no statutory jurisdiction in relation to the applicant’s matter, because the “primary decision was in fact no decision at all”.

8. This was explained as follows. The common law obligations of procedural fairness applied at the primary stage. The applicant was not told, and did not know, in circumstances where he was not given the unabridged version of the KPMG report, the IP addresses of those who had accessed the data breach information.

9. In SZSSJ, the High Court, unlike the Full Federal Court, found that in the circumstances of that case, the applicant’s lack of access to information about who accessed the data breach material, was not material to the decision because the relevant decision-maker assumed, for the purposes of the assessment of the risk of harm, that those persons from whom the applicant in that case claimed to fear harm, had in fact accessed the data breach information (that is, the “assumption”, see above at [9]).

10. The argument in the current case is that the primary decision-maker did not make any such “assumption”. The applicant therefore was denied the opportunity to access, and to know of, a relevant and material matter that affected the outcome of the primary decision. That denial of procedural fairness meant that the primary decision was not a “decision”, and the IAA therefore lacked jurisdiction to conduct a review of that “decision”. Nor was the defect, that is, the lack of procedural fairness, cured by the IAA decision. That is because the IAA had no jurisdiction in the first place.

11. The applicant’s argument was that a finding by this Court, that the IAA was “not seized” of jurisdiction over the “primary decision”, did not require this Court to assume jurisdiction over the “primary decision”. In the context of this particular argument, the applicant acknowledged that this Court had no jurisdiction to adopt such a course (see above at [11] – [12]). That is, the applicant was not seeking remedies in relation to the “primary decision”. Rather, the applicant argued that the IAA lacked jurisdiction, and a consideration of what had occurred at the primary stage would reveal the reason for this (I will return to this below).

12. As set out above, the applicant’s argument is that the primary

    
    

    decision-maker, and the IAA, did not make the “assumption” identified in SZSSJ. This was explained as follows.

13. In his decision record, the primary decision-maker stated ([59] at CB 158):

    “The applicant was subject to the ‘Data Breach’ incident in January or February 2014. The Applicant was in Immigration detention on 31 January 2014 so may have been inadvertently affected by the unintentional access to personal information in the public domain. I accept that the Applicant’s claims on this point are plausible.”

14. The applicant also submitted that the delegate considered the data breach issue as follows ([107] at CB 163):

    “As mentioned above, I accept that the Applicant was one of those identified as having their personal information inadvertently released on the internet by the Australian government during January 2014. In considering this, I note the Applicant was one of approximately ten thousand such people, and personal information that may lead to them being identified was only briefly available on the internet. I do not accept that the Applicant has any prior profile as a person of adverse interest to the Lanza group or the authorities in Sri Lanka. The Applicant departed Sri Lanka unlawfully by boat to Australia, but he holds a valid passport that he had previously obtained and he also has a birth certificate and national identity card that appear to conform to what I would expect of genuine documents of this kind. The fact the Applicant obtained a passport before he departed Sri Lanka suggests that it is possible that he

    
    

    pre-planned his departure from Sri Lanka some months prior to his claims of having been detained, beaten and raped by the Lanza group. On the basis that the Sri Lankan authorities have not targeted the Applicant’s family and I do not accept the Applicant is personally known to Nimal Lanza by name or sight, I find that there is no real chance the Applicant would face Convention based serious harm as a result of the ‘Data Breach’ incident in early 2014.”

15. The applicant’s explanation of the “materiality” of the data breach to his case was as follows. A substantial part of the applicant’s claims to protection arose from his fear of harm from “Lanza”, now a member of the Sri Lankan Parliament and representing a political party opposed to the political party in respect of which the applicant claimed to have been politically and actively involved.

16. The primary decision-maker erred in not assuming (in relation to what was said in SZSSJ), that “Lanza” had accessed the data breach material. This error was not “cured” by the IAA.

17. There are a number of answers to the applicant’s argument. First, as set out above, the delegate’s decision, the “primary decision”, is excluded from this Court’s jurisdiction by the operation of s.476(2)(a) of the Act and s.476(4)(c) of the Act.

18. That is, the Court has no jurisdiction to review a “primary decision” (s.476(2)(a) of the Act). A “primary decision” is defined in s.476(4)(c) as a “privative clause decision or purported privative clause decision”, “that has been, or may be, referred for review under Part 7AA (whether or not it has been reviewed)”.

19. “[P]rivative clause decision” is defined in s.5 and in s.474(2) of the Act as follows:

    “Section 474

    Decisions under Act are final

    …

    (2) In this section:

    ‘privative clause decision’ means a decision of an administrative    character made, proposed to be made, or required to be made, as the case may be, under this Act or under a regulation or other instrument  made under this Act (whether in the exercise of a discretion or not), other than a decision referred to in subsection (4) or (5).”

20. “Purported privative clause decision” is defined at s.5E of the Act as follows:

    “Section 5E

    Meaning of purported privative clause decision

    (1) In this Act, purported privative clause decision means a decision purportedly made, proposed to be made, or required to be made, under this Act or under a regulation or other instrument made under this Act (whether in purported exercise of a discretion or not), that would be a privative clause decision if there were not:

    (a) a failure to exercise jurisdiction; or

    (b) an excess of jurisdiction;

    in the making of the decision.

    (2) In this section, decision includes anything listed in subsection 474(3).”

21. Notwithstanding his assertions to the contrary, the applicant’s argument depends on the proposition that this Court is able to consider the delegate’s decision, and if it does so in the current case, would find that that decision was affected by a failure to properly exercise jurisdiction. Further, that the IAA’s subsequent failure to consider that, meant it fell into error in not finding that the delegate’s decision was “no decision at all”.

22. In his submissions, the applicant did not seek to explain the distinction between a “privative clause decision” and a “purported privative clause decision”. Nor did the applicant attempt to explain how his argument can be sustained in light of the statutory scheme described above.

23. In short, for current purposes, a “purported privative clause decision” is a decision affected by jurisdictional error (see also Plaintiff S157/2002 v Commonwealth [2003] HCA 2; (2003) 211 CLR 476). In this light, the applicant’s argument, in the context of the statutory scheme explained above, is that such a decision is not a “privative clause decision” but a “purported privative clause decision”. The statutory scheme does not give jurisdiction to this Court to review such a decision in circumstances where, as in this case, it has been referred for review by the IAA.

24. Second, as the Minister correctly submitted, it was not possible for the IAA to determine whether the primary decision-maker fell into jurisdictional error, thus making that decision “no decision at all”. Such a determination, that is, that the delegate’s decision was affected by jurisdictional error and therefore is a “purported privative clause decision” is for a Court, exercising jurisdiction pursuant to Chapter 3 of the Constitution. The IAA is not such a Court. It is an administrative inquisitorial body (Abebe v Commonwealth [1999] HCA 14; (1997) 197 CLR 510, Re Refugee Tribunal; Ex parte Aala [2000] HCA 57; (2000) 204 CLR 82 and Re Minister for Immigration and Multicultural Affairs; Ex parte Applicant S154/2002 [2003] HCA 60; (2003) 201 ALR 437).

25. Third, and further, as the Minister submits, even if there were some defect in the delegate’s decision, this would not mean that the IAA had no decision to review.

26. The Minister referred to the Full Federal Court judgment in SZGME v Minister for Immigration and Citizenship [2008] FCAFC 91; (2008) 168 FCR 487 (“SZGME”) at [25] to support this proposition:

    “Secondly, the well-known line of cases beginning with Collector of Customs (NSW) v Brian Lawlor Automotive Pty Limited [1979] FCA 21; (1979) 41 FLR 338 supported the proposition that the review process which imported merits review by an administrative body operated (subject to statute to the contrary) on valid and invalid decisions alike. It is the decision that has in fact been made that is reviewed. After Yilmaz, Zubair [2004] FCAFC 248; (2004) 139 FCR 344, Ahmed [2005] FCAFC 58; (2005) 143 FCR 314 and Uddin [2005] FCAFC 218; (2005) 149 FCR 1 reiterated this proposition : see, in particular, Ahmed at 322 [36]. The fact that some defect (even one leading to jurisdictional error) can be ascertained in the decision subject to review, does not prevent a review body exercising the powers and discretions of the person who made the decision: see, here, the Migration Act, s 415. This can be illustrated by understanding what occurred in each of these cases.”

    [Emphasis added.]

27. The IAA’s jurisdiction to review certain decisions is found in s.473CC of the Act as follows:

    “Section 473CC

    Review of decision

    (1) The Immigration Assessment Authority must review a fast track reviewable decision referred to the Authority under section 473CA.

    (2) The Immigration Assessment Authority may:

    (a) affirm the fast track reviewable decision; or

    (b) remit the decision for reconsideration in accordance with such directions or recommendations of the Authority as are permitted by regulation.”

28. While the Full Federal Court in SZGME was concerned with the jurisdiction of the former Refugee Review Tribunal to review a delegate’s decision, what was said in SZGME (and see further the analysis at [26] – [34] of that judgment) in my respectful view, applies equally to the current circumstances.

29. Even if some “deficienc[y]” had “invalidated the primary decision”, such deficiency did not affect, given the relevant statutory terms (see in particular s.473CC of the Act), the authority of the IAA to make a “fresh decision” (see SZGME at [34]). In short, in the absence of any contrary statutory intention, the exercise of the IAA’s merits review jurisdiction would operate equally on a “valid” or “invalid” decision of the delegate.

30. Fourth, and as set out above, the applicant’s argument, ultimately with emphasis on the IAA’s decision, was that the delegate had failed to apply the “assumption” (with reference to SZSSJ and see above at [9] and [27]), and that the IAA had approached the review in the same way.

31. While there were references in the applicant’s submissions to procedural fairness at common law (as was the relevant situation in SZSSJ), in the current case, I agree with the Minister, that the basis for the IAA’s procedural fairness obligations was statutory.

32. Section 473DA of the Act is in the following terms:

    “Section 473DA

    Exhaustive statement of natural justice hearing rule

    (1) This Division, together with sections 473GA and 473GB, is taken to be an exhaustive statement of the requirements of the natural justice hearing rule in relation to reviews conducted by the Immigration Assessment Authority.

    (2) To avoid doubt, nothing in this Part requires the Immigration Assessment Authority to give to a referred applicant any material that was before the Minister when the Minister made the decision under section 65.”

33. In this light, I agree with the Minister that the applicant’s argument, which depends on what is said to be the lack of the “assumption” as described in SZSSJ, does not assist him in the current case.

34. As was set out in SZWAJ v Minister for Immigration and Border Protection [2016] FCA 1173 (“SZWAJ”) and SZWCH v Minister for Immigration and Border Protection [2016] FCA 1551 (“SZWCH”), both matters on appeal from this Court, the references to procedural fairness in SZSSJ were directed to a different process (an ITOA process), to that currently the subject of this Court’s consideration (the IAA decision). In essence, the circumstances in SZSSJ were directed to the exercise of certain Ministerial powers.

35. I should note that in the current case, the applicant also referred to the letter sent to the applicant dated 12 March 2014 from the then Secretary of the Minister’s department, concerning the data breach matter (see “AE1”). However, this appeared to be relevant to ground one which was not pressed before the Court.

36. The argument appeared to be that the letter makes reference to the Minister’s department’s intention to “assess any implications” for the applicant as part of its “normal processes”.

37. Given what was subsequently said in SZWCH (see in particular at [27]) and SZWAJ (at [24]), the ground, if pressed, would not have succeeded. The argument in these cases was that the letter contained an undertaking that the data breach claims would be dealt with in a departmental process. The process that ultimately led to the referral to the IAA was not such a process. The Court did not accept this argument.

38. To the extent that elements of the applicant’s arguments in relation to ground two appear to be intertwined with the abandoned ground one, these aspects of the argument do not assist the applicant in explanation, or support, of ground two.

39. Fifth, while I find for the reasons set out above that it was not part of the IAA’s statutory procedural fairness obligations to make the “assumption” described in SZSSJ, I am satisfied, having regard to a fair reading of the IAA’s decision record, that it did, in any event, apply the “assumption” that the Sri Lankan authorities had accessed the data breach material.

40. As set out above, the IAA’s consideration of the data breach matter is at [29] (at CB 204) to [32] (at CB 205) of its decision record. This analysis, must be read fairly, but must also be read in the context of the entirety of the IAA’s decision record (see also [14] (at CB 201) to [18] (at CB 202) of the IAA’s decision record).

41. This aspect of the applicant’s argument focused on the words “open to accepting the possibility” as they appear at [30] (at CB 204) of the IAA decision record. The contention is that while the IAA may have expressed a willingness to be “open”, it did not apply that possibility. That is, it did not make the relevant assumption, in its analysis and as revealed in its findings.

42. In my view, a fair and holistic reading of what the IAA reasoned was that while “open” to the possibility that the data breach information had been accessed by the Sri Lankan authorities, in the circumstances of this case, any such possible access would not reveal a real risk of harm. This is because the applicant’s claims to protection, and therefore the details of his claims, were made after the data breach event occurred, and therefore all that was available to be accessed by the Sri Lankan authorities was certain personal data that may identify the applicant as having sought asylum in Australia.

43. The IAA found that this was not of any material significance to the risk of harm because the Sri Lankan authorities would be able to ascertain this, in any event, from the circumstances of the applicant’s departure and return to Sri Lanka. The IAA went on to consider the circumstances and the consequences of the applicant’s “[i]llegal departure and pretending to be a Tamil” at [33] (at CB 205) to [43] (at CB 207).

44. In this light, the IAA did make the “assumption” the applicant asserts it failed to make. The applicant’s argument in these circumstances really is a complaint that the IAA found that any such access would not have resulted in any material significance to the risk of harm. This finding was reasonably open to the IAA and no legal error is revealed. In all, ground two is not made out.

45. Ground three asserts that the Secretary of the Minister’s department breached the obligation in s.473CB(1)(c) of the Act because he failed to send the applicant’s personal information, which had been disclosed in the data breach, to the IAA. This is said to have caused the constructive failure by the IAA to consider the data breach claim. [This ground was originally pleaded with reference to s.418(3).]

46. Section 418(3) of the Act plainly applies to the AAT and not the IAA. However, the applicant’s written submissions, explain that the complaint relates to s.473CB(1) of the Act, which is in the following terms:

    “Section 473CB

    Material to be provided to the Immigration Assessment Authority

    (1) The Secretary must give to the Immigration Assessment Authority the following material (review material) in respect of each fast track reviewable decision referred to the Authority under section 473CA:

    (a) a statement that:

    (i) sets out  the findings of fact made by the person who made the decision; and

    (ii) refers to the evidence on which those findings were based; and

    (iii) gives the reasons for the decision;

    (b) material provided by the referred applicant to the person making the decision before the decision was made;

    (c) any other material that is in the Secretary’s possession or control and is considered by the Secretary (at the time the decision is referred to the Authority) to be relevant to the review;

    (d) the following details:

    (i) the last address for service provided to the Minister by the referred applicant for the purposes of receiving documents;

    (ii) the last residential or business address provided to the Minister by the referred applicant for the purposes of receiving documents;

    (iii) the last fax number, email address or other electronic address provided to the Minister by the referred applicant for the purposes of receiving documents;

    (iv) if an address or fax number mentioned in subparagraph (i), (ii) or (iii) has not been provided to the Minister by the referred applicant, or if the Minister reasonably believes that the last such address or number provided to the Minister is no longer correct -- such an address or number (if any) that the Minister reasonably believes to be correct at the time the decision is referred to the Authority;

    (v) if the referred applicant is a minor -- the last address or fax number of a kind mentioned in subparagraph (i), (ii), (iii) or (iv) (if any) for a carer of the minor.”

1. The applicant’s argument is as follows. On “any” construction of this subsection, the IAA should have been provided with details of the data breach as it related to the applicant. This included identification of what information had been disclosed, and who had accessed it. This could only have been achieved by giving the unabridged version of the KPMG report to the applicant. This error would have been rendered immaterial if the IAA had proceeded on the “assumption” as explained in SZSSJ.

2. There are effectively two elements in answer to the applicant’s ground. First, there are a number of authorities dealing with s.418(3) of the Act which provide direction and guidance in dealing with s.473CB(1) of the Act, given that for current purposes they are “relevantly” identical (see WAGP v Minister for Immigration and Multicultural and Indigenous Affairs [2006] FCAFC 103; (2006) 151 FCR 413 at [64] and SZOIN v Minister for Immigration and Citizenship [2011] FCAFC 38; (2011) 191 FCR 123 (“SZOIN”) at [54] – [63] and [93]).

3. Under both provisions, the Secretary to the Minister’s department is required to form an opinion as to the relevance of the material to the review (SZOIN at [55]). However, even if some error by the Secretary in the performance of the function under s.418(3) (s.473CB(1)) of the Act had occurred, it would not, without something more, result in jurisdictional error (SZOIN at [64] and see at [65] - [66], SZNZK v Minister for Immigration and Citizenship [2010] FCA 651; (2010) 115 ALD 332 and Applicant S1693 of 2003 v Refugee Review Tribunal [2004] FCA 1512).

4. I cannot see, in the circumstances of this case, that the applicant has made out that a particular document was not given by the Secretary of the Minister’s department to the IAA, and that that document was so critical to the review, that it could be said the Secretary did not discharge his “obligation to form a view” in respect of that document (SZOIN at [54]).

5. As I ultimately understood the applicant’s submissions, the document that should have been considered by the Secretary of the Minister’s department and given to the IAA, was the unabridged version of the KPMG report which may have shown the IP addresses of those who accessed the applicant’s data breach information.

6. The difficulty for the applicant is that he has not satisfactory explained, in the circumstances of this case, how that document could be said to have been critical. As the High Court stated, albeit with reference to the “assumption” (see above at [9] and [27]) in SZSSJ at [90]:

   “…the true extent of access to the personal information of each affected applicant must in practical terms have been unknowable. Once downloaded from the Department’s website, the document containing the personal information of the 9,258 visa applicants could have been forwarded to and interrogated by anyone, anywhere and at any time. Attempting to make a finding about precisely who had obtained access to the personal information of any one of them, and when, might be expected to have been a hopeless endeavour.”

7. There is nothing before the Court now to suggest that the applicant was not one of the 9,258 applicants referred to by the High Court.

8. The second element in answer to the applicant’s ground is that, as set out above, the IAA, when its decision is fairly read, did assume the Sri Lankan authorities accessed the data breach material. The IAA’s finding, reasonably open to it, that any such access would not have been material in the applicant’s circumstances, places this case in that light, and stands in answer to the applicant’s ground that the “constructive” failure by the Secretary of the Minister’s department related to a matter of substance in the disposition of the review. Therefore, ground three is not made out.

9. Ground four states that the IAA asked itself the wrong question and/or “made” an irrelevant consideration.

10. In written submissions, the legal error was said to be that the way in which the IAA dealt with the data breach issue, meant that it had failed to deal with integers of the applicant’s claim to fear harm. This is explained in written submissions as follows. The question of whether the Sri Lankan authorities would perceive that the applicant was a failed asylum seeker was only one aspect of the data breach claim.

11. The written submissions appear to argue that the other integers not considered by the IAA, were “inferences that might be drawn” by the Sri Lankan authorities, from information about the boat in which the applicant left Sri Lanka, the fact of the applicant’s detention (in Australia), and the length of time of that detention.

12. In oral submissions, the applicant made clear that the allegation of legal error was a failure to consider certain integers of the applicant’s claim to fear harm because he had left Sri Lanka by boat, and had been detained in Australia for some time.

13. The applicant’s submissions again direct attention to the IAA’s reasoning in relation to the data breach. The submission was that the IAA, in considering the real risk of harm arising from the data breach, confined itself to the question, with reference to whoever may have accessed the data breach material, as to whether the applicant was a failed asylum seeker. The IAA was required to go further.

14. The applicant sought to make this contention with reference to “AE2”, being the applicant’s data which was the subject of the data breach.

15. The applicant’s argument was that that information shows that the applicant had been in immigration detention for 454 days. This gave rise to what was said to have been an integer of the applicant’s claim to fear harm on return to Sri Lanka. That is, that the Sri Lankan authorities who may have accessed this material, “perhaps” formed adverse views in relation to the applicant. In short, the length of detention may have given rise to the view that Australia had “some sort of adverse interest in the applicant”, because it was necessary to detain him for that lengthy period.

16. There is no doubt that a failure to consider a claim to fear harm as presented in evidence or submissions which is expressly made or clearly arising, or a failure to address a substantial, clearly articulated argument relying on established facts, may lead to revelation of jurisdictional error (WAEE v Minister for Immigration and Multicultural and Indigenous Affairs [2003] FCAFC 184; (2003) 236 FCR 593, Htun v Minister for Immigration and Multicultural Affairs [2001] FCA 1802; (2001) 194 ALR 244, NABE v Minister for Immigration & Multicultural & Indigenous Affairs (No 2) [2004] FCAFC 263; (2004) 144 FCR 1 (“NABE (No 2)”) and Dranichnikov v Minister for Immigration and Multicultural Affairs [2003] HCA 26; (2003) 197 ALR 389 ).

17. Similarly, the Minister referred to NAVK v Minister for Immigration and Multicultural and Indigenous Affairs [2004] FCA 1695 at [15]. In NABE (No 2) the Full Court also said at [58]:

    “The review process is inquisitorial rather than adversarial. The Tribunal is required to deal with the case raised by the material or evidence before it – Chen v Minister for Immigration and Multicultural Affairs [2000] FCA 1901; (2000) 106 FCR 157 at 180 [114] (Merkel J). There is authority for the proposition that the Tribunal is not to limit its determination to the ‘case’ articulated by an applicant if evidence and material which it accepts raise a case not articulated – Paramananthan v Minister for Immigration and Multicultural Affairs [1998] FCA 1693; (1998) 94 FCR 28 at 63 (Merkel J); approved in Sellamuthu v Minister for Immigration and Multicultural Affairs [1999] FCA 247; (1999) 90 FCR 287 at 293 – 294 (Wilcox and Madgwick JJ). By way of example, if a claim of apprehended persecution is based upon membership of a particular social group the Tribunal may be required in its review function to consider a group definition open on the facts but not expressly advanced by the applicant – Minister for Immigration and Multicultural Affairs v Sarrazola (No 2) [2001] FCA 263; (2001) 107 FCR 184 at 196 per Merkel J, Heerey and Sundberg JJ agreeing. It has been suggested that the unarticulated claim must be raised ‘squarely’ on the material available to the Tribunal before it has a statutory duty to consider it – SDAQ v Minister for Immigration and Multicultural and Indigenous Affairs [2003] FCAFC 120; (2003) 199 ALR 265 at 273 [19] per Cooper J. The use of the adverb ‘squarely’ does not convey any precise standard but it indicates that a claim not expressly advanced will attract the review obligation of the Tribunal when it is apparent on the face of the material before the Tribunal. Such a claim will not depend for its exposure on constructive or creative activity by the Tribunal.”

18. It is clear, on the evidence before the Court, the claim articulated now by the applicant’s counsel, was not a claim expressly made before the IAA, or for that matter, the delegate.

19. Nor can this “claim”, expressed now before the Court, be said to clearly arise from the applicant’s circumstances, as ultimately presented to the IAA. The articulation of this “claim” given to the Court was, even at its highest, dependent on speculation and assumption. This “claim” articulated for the first time before the Court, cannot be said to “clearly arise” from the circumstances presented to the IAA. Ground four is not made out.

20. Ground six of the further amended application asserts that the IAA fell into legal error because it referred to “new information” about the data breach, and did not provide this “new information” to the applicant in accordance with s.473DE of the Act. The IAA was also said to have erred in treating this information as falling within the exception set out at s.473DE(3)(a) of the Act.

21. Section 473DE of the Act is in the following terms:

    “Section 473DE

    Certain new information must be given to referred applicant

    (1) The Immigration Assessment Authority must, in relation to a fast track reviewable decision:

    (a) give to the referred applicant particulars of any new information, but only if the new information:

    (i) has been, or is to be, considered by the Authority under section 473DD; and

    (ii) would be the reason, or a part of the reason, for affirming the fast track reviewable decision; and

    (b) explain to the referred applicant why the new information is relevant to the review; and

    (c) invite the referred applicant, orally or in writing, to give comments on the new information:

    (i) in writing; or

    (ii) at an interview, whether conducted in person, by telephone or in any other way.

    (2) The Immigration Assessment Authority may give the particulars mentioned in paragraph (1)(a) in the way that the Authority thinks appropriate in the circumstances.

    (3) Subsection (1) does not apply to new information that:

    (a) is not specifically about the referred applicant and is just about a class of persons of which the referred applicant is a member; or

    (b) is non-disclosable information; or

    (c) is prescribed by regulation for the purposes of this paragraph.

    Note: Under subsection 473DA(2) the Immigration Assessment Authority is not required to give to a referred applicant any material that was before the Minister when the Minister made the decision under section 65.”

22. The applicant’s argument was explained as follows. The IAA had regard to “new information”.  At [5] of its decision (at CB 198), the IAA stated:

    “I have had regard to new information I obtained relevant to the issue of the data breach. I considered it necessary to obtain that new information in order to determine this issue and in my view, there is insufficient information before me regarding the data breach for me to be able to properly assess the claim. For these reasons, I am satisfied there are exceptional circumstances to justify my considering that new information under s.473DD. Further, I consider that new information is not specifically about the applicant and is just about a class of persons of which the applicant is a member, namely people whose information was included in the data breach, for the purpose of s.473DE(3)(a).”

23. That “new information”, was a newspaper article about the data breach. At [31] (at CB 204 to CB 205), the IAA had regard to this “evidence”, and found the data released as a result of the data breach, “did not include anything regarding the nature of any of the applicant’s claims” to fear harm. That “evidence” is described by the IAA at footnote 4 (at CB 205) of the decision record as follows:

    “The Australian Information Commissioner Investigation Report sets out the personal information included in the data breach consisted of: full names; gender; citizenship; date of birth; period of immigration detention; location; boat arrival details and reasons why the individual was deemed to be unlawful. See: Office of the Australian Information Commissioner, ‘Department of Immigration and Border Protection: Own motion investigation report’ (November 2014) …”

24. In short, the applicant’s argument is that the “new information” was not just information about a class of persons, because it was not information relevant to a class of persons, but relevant to the applicant’s own circumstances because he had been the subject of a release of his personal information.

25. The Minister referred this Court to AFK16 v Minister for Immigration and Border Protection (No 2) [2016] FCCA 1827 (“AFK16 (No 2)”) at [31] for the proposition that s.473DE(3) of the Act is a cognate provision to s.424A(3)(a) of the Act. Although with respect, the description of s.473DE(3)(a) of the Act as a cognate provision to s.424A(3)(a) of the Act is not explained in AFK16 (No 2), it is, in my respectful view, a reasonable conclusion to reach, given the similar language used in both subsections, and the similar role played by each in their respective statutory context.

26. In his submissions, the Minister referred to SZBYR v Minister for Immigration and Citizenship [2007] HCA 26; (2007) 81 ALJR 1190; (2007) 235 ALR 609 (“SZBYR”) at [17], to submit that the data breach information did not disclose in its terms a “rejection, denial or undermining of the applicants claims”. In this light, it was not “information”, for the purposes of s.473DE(1) (applying the reasoning in SZBYR to s.473DE(1) of the Act as it is a cognate provision to s.424A of the Act).

27. That may be accepted. However, it is important to distinguish between the two pieces of “information” to which the applicant’s ground appears to seek to relate.

28. The first is the data breach information itself. The second is the information obtained from the Australian Information Commission Investigation Report on the data breach (“AICIR”).

29. The IAA found that “exceptional circumstances” existed such that it should, pursuant to s.473DD of the Act, have regard to “new information” about the data breach issue ([5] at CB 198).

30. The IAA referred to one piece of “new information” to find that the private information of some people held in immigration detention had mistakenly been made publicly available on the Minister’s departmental website. That “new information”, was identified as a newspaper report (see [30] at CB 204), and see footnote 2 (at CB 204) which is in the following terms:

    “P. Farrell, ‘Scott Morrison ensured asylum seeker data breach probe failed, court finds’, 18 September 2015 ‘The Guardian’ (folio 165).”

31. The applicant had claimed that because of this data breach he would be identified by the Sri Lankan authorities as having applied for asylum in Australia. The IAA considered this claim, and the applicant’s claim made during an interview with the delegate that he would be considered to be a terrorist and harmed in jail on return, because the Sri Lankan authorities were aware that he had made fraudulent claims to the New Zealand authorities that he was a Tamil (see [31] at CB 204 to CB 205).

32. It was in this regard that the IAA found that, as the applicant had applied for protection after the data breach, the protection claims would not possibly have been included in the data breach. Further, having regard to the AICIR, the data breach did not include anything regarding the nature of the applicant’s claims.

33. Taking each piece of information separately. First, I agree with the Minister that the data breach information itself was not “information” that in its terms constituted a “rejection, denial or undermining” of the applicant’s claims to fear harm. Therefore it was not “information” for the purposes of s.473DE(1) of the Act.

34. Second, the IAA’s finding that the data breach did not contain anything regarding the nature of the applicant’s protection claims, as it applied to both the data breach and the AICIR (“the evidence”), was an expression of the IAA’s reasoning process that identified a “gap” in the evidence before it. The IAA’s reasoning in this regard is not “information” for the purposes of s.473DE(1) of the Act (SZBYR at [18] and see also Minister for Immigration and Citizenship v SZLFX [2009] HCA 31; (2009) 238 CLR 507).

35. Third, and further, even if the information (both pieces of information) were caught by s.473DE(1) of the Act, the information, as explained by the IAA, on which it relied is about a class of persons of which the applicant is a member, and is not specifically about the applicant.

36. The “new information” to which the IAA said it had regard was, first, the “[d]ocument” made available on the Internet (CB 204). The “new information” was not about the release of each individual’s details, but the collective expression of “the private details of some people”. That is, a class of people of which the applicant was a member.

37. The second piece of “new information” was the AICIR. Again, the IAA found that, based on that evidence, the data breach document did not disclose “the nature of the applicants’ claims” ([31] at CB 205). I note the positioning of the apostrophe on “applicants’”. That is, it is plural, and is consistent with the IAA’s earlier reference at [30] (at CB 204), that the “document” stated that “the private details of some people” (again plural) were disclosed.

38. On a fair, if not plain reading, the IAA’s reference to “new information” was about the character of the data breach, as it applied to all persons, whose private details were released, not just the applicant. Therefore s.473DE(3)(a) of the Act operates to exclude the “new information” from the operation of s.473DE(1) of the Act. The fact that the IAA subsequently made findings about the applicant’s own situation does not alter the nature and character of that new information. Ground six is not made out.

Conclusion

1. None of the grounds advanced in the further amended application are made out. No jurisdictional error has been established in the decision of the IAA. Therefore it is appropriate to dismiss the application. I will make the appropriate order.

I certify that the preceding one hundred and three (103) paragraphs are a true copy of the reasons for judgment of Judge Nicholls

Date: 3 July 2017