Pseudolaw

Yet another judgment re pseudolaw. In Commonwealth Bank of Australia v Cahill & Anor [2025] VCC 1860 the Court notes 

The amended defences deny the existence of any lawful credit agreement between the parties, assert that CBA is a “corporate fiction,”and contend that no valid mortgage was created or that CBA lacks standing to enforce it. The defendants also dispute the quantum of the debt and demand production of “wet-ink” originals of various loan and title documents. Judge’s amended counterclaim makes bald and sweeping allegations that CBA engaged in misleading or deceptive conduct, relied on an unfair standard form contract contrary to the Australian Consumer Law, and “securitised” the mortgage in breach of the Corporations Act 2001 (Cth), thereby losing the right to enforce it. It further alleges that enforcement of the mortgage constitutes modern slavery and seeks, among other relief, the return of all payments made, the discharge of the mortgage, and damages.

In referring to 'Sovereign Citizens and pseudo law' the judgment  states

 The documents and submissions made by the defendants fall into a by now well-known quasi-philosophy known as the “sovereign citizen” movement. The guiding philosophy appears to be that these persons consider that they are not subject to the laws of the Commonwealth of Australia unless they have expressly “contracted” or consented to be so bound. This philosophy has no basis in law and has been rejected in many cases to date. All persons living under the protection of the Crown in right of the Commonwealth or State are, as a matter of law, subject to the laws of the Commonwealth. Any suggestion to the contrary is both dangerous and undermines the orderly arrangement of any society. The courts of this country will give no credence to such philosophy. 

The documents and submissions filed by the defendants are informed by half-baked statements that contain traces of legal tit-bits scraped from current and ancient sources otherwise also referred to as “ pseudo-law ”. They are legal gibberish and do not constitute proper statements of principles known to law. 

In Re Coles Supermarkets Australia Pty Ltd [2022] VSC 438, Hetyey Asj said the following of such submissions:

The defendants appear to be seeking to draw a distinction between themselves as ‘natural’ or ‘living’ persons, on the one hand, and their status as ‘legal’ personalities, on the other. However, contemporary Australian law does not distinguish between a human being and their legal personality. Any such distinction would potentially leave a human being without legal rights, which would be unacceptable in modern society. The contentions put forward by the defendants in this regard are artificial and have no legal consequence. 

I adopt the analysis of John Dixon J in Stefan v McLachlan [2023] VSC 501, dealing with the fictional concept of the ‘living man’, stating that:

The law recognises a living person as having status in law and any person is, in this sense, a legal person. Conceptually, there may be differences between the legal status of a person and that of an entity that is granted a like legal status, but whatever they might be they have no application on this appeal. In asserting that he is a ‘living man’, the appellant does no more than identify that he is a person, an individual. Every person, every individual, and every entity accorded status as a legal person is subject to the rule of law. There are no exceptions in Australian society. 

I also refer to AsJ Gobbo’s decision in Nelson v Greenman & Anor [2024] VSC 704 in which her Honour gives a comprehensive treatment of the fallacies underlying the sovereign citizen and pseudo law movements. I concur with and adopt her Honour’s treatment of the subject at paragraphs [53] – [78].

Security

The NSW Auditor General December 2025 report on Cyber security in Local Health Districts states 

 NSW Health is not effectively managing cyber security risks to clinical systems that support healthcare delivery in Local Health Districts. In addition, Local Health Districts have not met the minimum NSW Government cyber secuements, including maintaining adequate cyber security response plans, business continuity planning and disaster recovery for cyber security incidents, means that Local Health Districts could not demonstrate that they are prepared for, or resilient to, cyber threats. This exposes the risk that a preventable cyber security incident could disrupt access to healthcare services and compromise the security of sensitive patient information. eHealth NSW has not clearly defined or communicated its roles and the expected roles of Local Health Districts regarding cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery), and identifying and mitigating critical vulnerabilities, threats and risks. Local Health District management of cyber security is hampered by a lack of support, coordination and oversight from eHealth NSW in cyber security matters.  

The report states 

 The New South Wales (NSW) public health system includes more than 220 public hospitals, community and other public health services. 15 Local Health Districts across NSW administer the hospitals and other health services. eHealth NSW was established in 2014 to provide statewide leadership on the planning, implementation and support of information communication technologies (ICT) and digital capabilities across NSW Health. Health service delivery is increasingly reliant on digital systems, which in turn requires the effective management of cyber security risks. Cyber attacks can harm health service delivery and may include the theft of information, breaches of private health information, denial of access to critical technology or even the hijacking of systems for profit or malicious intent. These outcomes can adversely affect the community and damage trust in government. 

Audit objective 

This audit assessed whether NSW Health is effectively safeguarding clinical systems, required to support healthcare delivery in Local Health Districts, from cyber threats. The audit assessed this with the following questions: Do relevant NSW Health organisations effectively manage cyber security risks to clinical systems? Do relevant NSW Health organisations effectively respond to cyber attacks that affect the clinical systems that are essential for service delivery? To focus the audit, 4 of the 15 Local Health Districts were selected for audit. These districts are referred to as ‘the audited Local Health Districts’ throughout this report. The audit further focused on one facility in each of the audited Local Health Districts that provided a common type of healthcare service. The names of the audited Local Health Districts, selected facilities and healthcare services are not disclosed. 

Conclusion 

NSW Health is not effectively managing cyber security risks to clinical systems that support healthcare delivery in Local Health Districts. In addition, Local Health Districts have not met the minimum NSW Government cyber security requirements that have been outlined in NSW Cyber Security Policy since 2019. Local Health Districts are not adequately prepared to respond effectively to cyber security incidents. Systemic non-compliance with NSW Government cyber security requirements, including maintaining adequate cyber security response plans, business continuity planning and disaster recovery for cyber security incidents, means that Local Health Districts could not demonstrate that they are prepared for, or resilient to, cyber threats. This exposes the risk that a preventable cyber security incident could disrupt access to healthcare services and compromise the security of sensitive patient information. eHealth NSW has not clearly defined or communicated its roles and the expected roles of Local Health Districts regarding cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery), and identifying and mitigating critical vulnerabilities, threats and risks. Local Health District management of cyber security is hampered by a lack of support, coordination and oversight from eHealth NSW in cyber security matters.

Key findings are 

  Local Health Districts do not manage cyber security risks effectively 

Local Health Districts generate, use and maintain large volumes of sensitive personal and health information about patients. The NSW Cyber Security Policy sets out an expectation that cyber security efforts are commensurate with the potential effect of a successful cyber breach. Under NSW Health policy, Local Health Districts, in collaboration with eHealth NSW, are responsible for managing cyber security and resourcing a fit-for-purpose cyber security function. The current NSW Cyber Security Policy 2023–2024 recognises that agencies providing critical or high-risk services, such as Local Health Districts, should implement a wider range of controls and aim for broader coverage and effective implementation of additional controls. However, the audited Local Health Districts have not complied with the minimum requirements of the NSW Cyber Security Policy since it was introduced in 2019. None of the four districts had effective cyber security plans. Local Health Districts that do not have effective cyber security plans cannot articulate their approach to managing cyber security risks and are not adequately prepared to respond to and manage cyber security risks and incidents. 

Local Health Districts do not have plans and processes in place to respond effectively to a cyber attack 

None of the audited Local Health Districts had effective cyber security response plans. Nor did Local Health District business continuity plans and disaster recovery plans consider cyber security risks. Local Health Districts that do not have effective cyber security response, disaster recovery or business continuity plans that include considerations of cyber security, may not be able to safeguard clinical systems against potential cyber security incidents. This may also hamper responses during an incident because roles and responsibilities may not be understood, and actions to address cyber security incidents may not be undertaken as quickly as required, affecting the delivery of services to patients. 

NSW Health has not clearly communicated cyber security roles and responsibilities amongst NSW Health organisations 

eHealth NSW coordinates cyber security matters within NSW Health. However, eHealth NSW has not clearly defined and communicated its roles and the expected roles of Local Health Districts for cyber security. This has led to confusion amongst Local Health Districts on the cyber security risks they manage, including for crown jewel assets (the ICT assets regarded as valuable or operationally vital for service delivery) and identifying and mitigating critical vulnerabilities, threats and risks. eHealth NSW does not provide Local Health Districts with sufficient support to manage cyber security risks, and Local Health Districts have not applied the tools provided by eHealth NSW to all clinically important systems eHealth NSW has developed and distributed cyber security frameworks, guidance and training to all Local Health Districts. eHealth NSW has developed whole-of-system tools to meet key requirements of the NSW Cyber Security Policy and improve the effectiveness of Local Health Districts’ cyber security activities. These tools include risk assessment frameworks. However, eHealth NSW has not ensured that its tools have been implemented in Local Health Districts, nor whether Local Health Districts have the capability or capacity to do so. In the audited Local Health Districts, the effectiveness of eHealth’s cyber threat identification tools is hampered by incomplete application to all clinically important ICT assets. This means that critical systems used by Local Health Districts to deliver, or support the delivery of, clinical treatment are not effectively protected from cyber security incidents. 

Local Health Districts do not have an effective cyber security culture 

In all audited Local Health Districts, critical cyber security controls are not consistently applied by clinical staff who perceive a tension between the urgency of clinical service delivery and the importance of cyber security policies. This has led to normalisation of non-compliance with cyber security controls. This audit observed clinical staff non-compliance at all audited Local Health Districts with multiple cyber security controls that Local Health Districts had put in place. Despite known systemic non-compliance by clinical staff, the audited Local Health Districts have not assessed the effectiveness of the controls they have put in place, nor have they identified any alternatives that might balance the need for clinical urgency with effective cyber security practice. In addition, they have not considered investing in alternative ICT solutions that better meet the needs of clinical staff while also addressing cyber security concerns. 

NSW Health’s Cyber Security Policy attestation lacks transparency on the level of cyber security capability within the health system 

The NSW Cyber Security Policy requires an agency head to attest to the agency’s compliance with the policy. In 2023, eHealth NSW surveyed all NSW Health organisations, including Local Health Districts, on their self-assessed maturity against the NSW Cyber Security Policy in developing a summary assessment for NSW Health to inform its attestation of NSW Cyber Security Policy compliance. That summary showed that Local Health Districts had immature cyber security controls, including for the Essential Eight controls – the most effective set of controls identified by the Australian Cyber Security Centre. However, in 2024, the survey was not completed, so NSW Health aggregated its assessment of whether NSW Health organisations had met NSW Cyber Security Policy requirements. This audit identified systemic Local Health District non-compliance with NSW Cyber Security Policy. The 2024 attestation therefore obscures the risks that exist in Local Health Districts. If NSW Health continues to attest to Cyber Security Policy compliance in the aggregate, the risk is that neither NSW Health nor Cyber Security NSW fully understand where and what the cyber security risks are across NSW Health organisations. 

Recommendations 

The Ministry of Health should: 

by October 2025, collate and validate information on compliance with NSW Cyber Security Policy by each entity that reports to or via the Ministry of Health prior to annual attestation by December 2025, finalise and communicate cyber security roles and responsibilities within the NSW Health system. 

By December 2025, eHealth NSW should: 

work with the Ministry of Health to develop clear guidance for Local Health Districts on the obligation to manage the need to deliver clinical services while meeting critical cyber security requirements determine and apply sufficient resources to support the Privacy and Security Assessment Framework and Cyber Security Risk Assessments in Local Health Districts support Local Health Districts to improve cyber security capability by articulating a whole-of-health cyber security risk appetite statement providing direct assistance to localise centrally developed tools and frameworks ensuring all Local Health District crown jewel assets are monitored by the Health Security Operations Centre. 

By December 2025, Local Health Districts should: 

design and implement a fit-for-purpose cyber security risk management framework incorporating: an enterprise cyber security risk appetite statement, which aligns with the whole-of-health statement complete up-to-date cyber security and cyber security response plans, which are regularly tested and updated investment in establishing and maintaining the Essential Eight cyber controls cyber security controls that identify and address the root causes of non-compliance and balance the need for clinical urgency with effective cyber security consideration of cyber security needs in the implementation of any new clinical systems.