High Court rules on Department of Immigration 'data breach' cases

Minister for Immigration and Border Protection v SZSSJ [2016] HCA 29 (27 July 2016)

On 10 February 2014 the Department of Immigration and Border Protection inadvertently published on its website the identifying details of 9,258 applicants for protection visas held in immigration detention (“Data Breach”). The Data Breach carried the risk that authorities in the named detainees’ countries of origin would become aware that they had sought protection in Australia, creating a new and independent risk of harm if those detainees were returned to those countries. The Department conducted International Treaties Obligations Assessments (“ITOAs”) to determine if the Data Breach affected Australia’s non-refoulement obligations with respect to the detainees.

The High Court unanimously found that the Federal Circuit Court had jurisdiction to review the ITOA process, and that the respondents were owed a duty of procedural fairness; but that procedural fairness had not been denied in this instance. This overturned the decision of the Full Federal Court, which held that the Department’s procedures were “unfair to a significant degree” and had the effect of guaranteeing the failure of protection claims based on the Data Breach.

SZSSJ, a Bangladeshi national, and SZTZI, a Chinese national, were the two respondents. Both had been taken into immigration detention in Australia when their visas expired, and both had been refused protection visas. At the time of the Data Breach they were both in detention awaiting removal from Australia.

On 10 February 2014, the Department published an electronic document on its website which contained embedded information disclosing the identities of 9,258 applicants for protection visas who were being held in immigration detention, including SZSSJ and SZTZI. The information disclosed the name, date of birth, nationality, gender, and details about the detention of detainees and if they had any other family members in detention. The document remained on the website until 24 February 2014.

The Department retained KPMG to investigate and prepare a report on the Data Breach. The KPMG report recorded that the document disclosing the detainees’ details had been accessed 123 times from 104 unique IP addresses. An abridged version of the KPMG report, which did not identify these IP addresses, was made publicly available.

The Department conducted ITOAs in respect of affected detainees including SZSSJ and SZTZI, to assess the effect of the Data Breach on Australia’s international non-refoulement obligations. Where non-refoulement obligations were engaged a case could be referred to the Minister to consider granting a visa or lifting a bar to applying for a protection visa. Departmental officers conducting the ITOAs were instructed to assume that a detainee’s personal information may have been accessed by authorities in the country in which the detainee feared persecution or harm. Requests by SZSSJ and SZTZI for an unabridged copy of the KPMG report were refused.

SZSSJ commenced proceedings in the Federal Circuit Court before his ITOA was completed, and SZTZI commenced proceedings in the FCC after her ITOA found that non-refoulement obligations were not engaged. Both respondents claimed they had been denied procedural fairness. The High Court rejected their arguments.

There were three issues which the High Court considered in finding that the respondents had not been denied procedural fairness:

  • whether the Federal Circuit Court had jurisdiction to hear the respondents’ claims;
  • whether procedural fairness was required in the ITOA process; and
  • whether the respondents had been afforded procedural fairness.

Jurisdiction of the FCC
In finding that the FCC had jurisdiction to consider claims related to the conduct of an ITOA, the High Court characterised the ITOAs as a statutory process undertaken by an officer of the Department.  Further, the Court found that the privative clause in section 476(2) of the Migration Act 1958 (Cth) (“Migration Act”), which ousts the jurisdiction of the FCC over decisions of the Minister, did not apply to the ITOAs.

The Migration Act confers on the Minster a personal non-compellable power to lift a bar to applying for a protection visa (s 48B) or to grant a visa (s 195A and 417). Such a power is exercised by the Minister making two distinct decisions: a procedural decision to consider whether to make a substantive decision to either lift the bar or grant the visa; and the substantive decision itself.

Where the Minister has first made the procedural decision to consider lifting a bar or granting a visa, and an ITOA is undertaken by the Department for the purposes of assisting the Minister to make the substantive decision of whether to lift the bar or grant the visa, the ITOA is an act preparatory to the making of a substantive decision. The ITOA is therefore a ‘decision’ within the meaning of s 474(3)(h) and falls within the FCC’s jurisdiction granted by section 476(1) of the Act. However, it is not a privative clause decision excluded from the FCC’s jurisdiction by s 476(2) because it is not a decision of the Minister within the narrower meaning of section 474(7). In short, conduct of an officer of the Department taken for the purpose of assisting the Minister’s consideration of the exercise of a non-compellable power, such as an ITOA, can be challenged in the FCC; a decision made by the Minister personally not to exercise the non-compellable power can only be challenged in the High Court.

Requirement for procedural fairness
The characterisation of the ITOA as a statutory process undertaken by an officer of the Department arising from the procedural decision of the Minister to consider exercising power under sections 48B, 195A and 417 also engages procedural fairness requirements. This is because of the common law principle that a statute conferring a power affecting an individual’s interests is presumed to confer that power on condition that it is exercised in a manner that affords procedural fairness. Because the ITOA process has the practical effect of prolonging immigration detention, procedural fairness is required in the conduct of an ITOA. Accordingly the High Court agreed with the Full Federal Court that while the Act displaces this presumption in its application to the personal exercise of power by the Minister, the presumption is not displaced in relation to the exercise of power by an officer of the Department.

Procedural fairness not denied
SZSSJ and SZTZI claimed they had been denied procedural fairness on two bases:

  • the ITOA process was inadequately explained; and
  • the unabridged KPMG report was not provided.

The High Court rejected both these arguments. The Court found that, although the Department was responsible for the Data Breach, there was no reason for apprehending that an officer of the Department would not bring an impartial and unprejudiced mind to the ITOA. Both SZSSJ and SZTZI were notified of the ITOA process, to be conducted in accordance with the Procedures Advice Manual available to them, and neither was deprived of any opportunity to submit evidence or make submissions. Finally, because the officers conducting the ITOAs had already assumed that the personal information may have been accessed by authorities in Bangladesh and China, even if the unabridged KPMG report revealed that the information was in fact accessed by these authorities it would not have advanced the respondents’ case.     

While the respondents in this case were unsuccessful, the judgment is significant for finding that an ITOA is reviewable by the FCC; and that because the ITOA has a statutory basis, common law principles requiring procedural fairness apply to the process. It is noteworthy that, while acknowledging that the Data Breach was ‘extraordinary’, ‘regrettable’, and that the Department was ‘responsible for its occurrence’, the High Court found that there was no foundation for apprehending that an officer of the Department assessing the consequences for an individual detainee would not be impartial or unprejudiced; or that the ordinary requirement of giving notice to an affected person be converted into a duty for the Department to reveal all that it knows about the Data Breach.

Georgia Boyce is a Solicitor at King & Wood Mallesons.