27 July 2016

HCA on the Refugee Data Breach

In Minister for Immigration and Border Protection and Anor v SZSSJ and Anor; Minister for Immigration and Border Protection and Ors v SZTZI [2016] HCA 29 the High Court has today unanimously held that DIBP's processes in response to the 2014 refugee data breach did not deny procedural fairness to two former protection visa applicants.

 The breach involved inadvertent provision on the Department’s site of a document with embedded information disclosing the identities of 9,258 detailed applicants for protection visas, highlighted here. The detained people whose personal information was exposed through the breach included SZSSJ and SZTZI. KPMG investigated the breach on behalf of the Department, identifying 104 unique IP addresses (including some in jurisdictions noted for disregard of human rights) from which the document had been accessed. The Department then notified applicants affected by the breach and initiated International Treaties Obligations Assessments (ITOAs) through standardised procedures prescribed in its Procedures Advice Manual - a publicly available document - to assess the effect of the breach on Australia's non-refoulement obligations.

Officials undertaking ITOAs were instructed to assume that an affected applicant's personal information may have been accessed by authorities in the country in which he or she feared persecution or other relevant harm. SZSSJ and SZTZI were informed that ITOAs were being undertaken in accord with the Manual in relation to their protection. SZSSJ and SZTZI requested unabridged copies of the KPMG Report, following release of a substantially edited version of the Report. Those requests were refused. SZSSJ then commenced proceedings in the Federal Circuit Court of Australia, seeking relief in respect of the breach before the specific ITOA had been completed. SZTZI commenced proceedings in the Court after an ITOA concluded that her claims did not engage Australia's non-refoulement obligations. Both those proceedings were dismissed. (Other litigation is noted here.)

 The Full Court of the Federal Court of Australia however allowed their appeals, holding that they were denied procedural fairness by virtue of the Department's failures to adequately explain the ITOA processes and to provide the unabridged Report. The Full Court also rejected a submission that the Federal Circuit Court's jurisdiction to hear claims by SZTZI's and SZSSJ's were excluded by s 476(2)(d) of the Migration Act 1958 (Cth). The Minister successfully sought special leave for appeals to the High Court.

The Court today held that SZTZI and SZSSJ were owed a duty to be afforded procedural fairness in the ITOA process. However they were not denied procedural fairness. The applicants has been informed of the nature and purpose of the ITOAs and of the issues to be considered.

 The Court held that instruction given to officers conducting ITOAs to assume that SZSSJ's and SZTZI's personal information may have been accessed by authorities in the countries of concern to those applicants meant that not providing the unabridged Report did not constitute a denial of procedural fairness. The High Court also held that the Full Court correctly concluded that the Federal Circuit Court had jurisdiction to hear SZSSJ's and SZTZI's claims.