FEDERAL COURT OF AUSTRALIA

SZTVA v Minister for Immigration & Border Protection [2019] FCA 1245

ORDERS

THE COURT ORDERS THAT:

1.    The appeal be dismissed.

2.    The appellant pay the first respondent’s costs.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

Background

1    The appellant is one of the victims of a so-called data breach by the Department of Immigration and Border Protection which was the subject of the High Court’s judgment in Minister for Immigration and Border Protection v SZSSJ; Minister for Immigration and Border Protection v SZTZI (2016) 259 CLR 180. In short, in early 2014, the Department disclosed on its website the names and certain personal details of 9,258 people in immigration detention. The appellant was one of those people.

2    The appellant is an Indian national of Gurkha ethnicity. He arrived in Australia in July 1998 on a student visa. After overstaying his visa, he was taken into detention. Thereafter, he applied for a protection (class XA) visa, claiming to fear persecution in India by reason of his public involvement between 1986 and 1992 in agitation for the establishment of a separate Gurkha (or Gorkha) state. After a delegate of the Minister decided not to grant his application, the appellant applied for merits review to the Refugee Review Tribunal (the functions of which are now carried out by the Administrative Appeals Tribunal). The Tribunal affirmed the delegate’s decision. The appellant then sought judicial review in the Federal Circuit Court but his application was summarily dismissed. That decision was set aside on appeal and remitted to the Tribunal for determination according to law: SZTVA v Minister for Immigration and Border Protection [2014] FCA 1334. The appellant was no more successful the second time. A differently constituted Tribunal again affirmed the delegate’s decision. Once more, he applied to the Federal Circuit Court for judicial review. On this occasion his complaint was limited to the way the Tribunal dealt with the information concerning the data breach. That application was also dismissed. This is an appeal from that decision.

The data breach

3    In the usual course of things, the Department publishes certain statistics on its website. In February 2014, the routine report published on the Department’s website contained embedded information disclosing the identities of a number of applicants for protection visas. This information remained on the website for around two weeks.

4    The evidence in SZSSJ disclosed that the departmental response to the data breach was to institute processes known as “International Treaties Obligations Assessments” (ITOA) conducted in accordance with standardised procedures set out in the Department’s publicly available Procedures Advice Manual. The purpose of conducting the ITOA was to assess the effect of the data breach on Australia’s international obligations with respect to affected applicants. The particular international obligations to which the ITOA were directed were Australia’s non-refoulement obligations under the Refugees Convention, the Convention against Torture, and the International Covenant on Civil and Political Rights.

5    The Department retained the services of the firm KPMG to investigate the data breach. KPMG prepared a report and an abridged version of the report was provided to the affected applicants. The abridged version of the report recorded that the document disclosing the identities of the visa applicants had been accessed 123 times from 104 unique internet protocol (IP) addresses during the time it remained on the website, but did not record those IP addresses or give the precise times of access.

6    As part of the departmental process, each of the affected applicants was sent a letter:

    identifying the information disclosed as a result of the data breach;

    stating that the Department would assess any implications for the individual applicant as part of “its normal processes”;

    advising that an ITOA process had been started in order to assess the effect of the data breach on Australia’s non-refoulement obligations with respect to him or her; and

    enclosing country information proposed to be taken into account in the ITOA.

7    On 12 March 2014 the Secretary of the Department wrote to the appellant expressing “deep regret” for the data breach and notifying him of the information that was disclosed as part of the breach:

The information that it was possible to access was your name, date of birth, nationality, gender, details about your detention (when you were detained, reason and where) and if you have other family members in detention.

The information did not include your address (or any former address), phone numbers or any other contact information. It also did not include any information about protection claims that you or any other person may have made, and did not include any other information such as health information.

8    The letter went on to state:

The department will assess any implications for you personally as part of its normal processes. You may also raise any concerns you have during those processes.

If you would like to seek more information about the incident, talk to your case manager.

9    This was a pro forma letter, apparently sent to all victims of the data breach. The Full Court in SZSSJ v Minister for Immigration and Border Protection (No 2) (2015) 234 FCR 1 remarked (at [101]):

In the absence of further information, this was procedurally unfair because it did not tell SZSSJ anything as to the precise content of those processes, more than that some unidentified activity would occur in which he could express concerns. In particular, how could SZSSJ explain his concerns if he did not know what the Department was looking at with its as yet unspecified “processes”.

10    The Full Court also observed at [111] that it was apparent from the letter that the information that was capable of being accessed “was such as readily to identify with precision individuals who had applied for protection visas”.

11    On 27 June 2014 the Department wrote again to the appellant noting that he had filed an application for judicial review and inviting him to put in writing any concerns he might have about the impact of the data breach on him personally.

12    In SZSSJ at [102] the Full Court said that this letter was no better than the 12 March letter:

It invited submissions on an unidentified subject of inquiry, through an unidentified process by an unidentified decision-maker.

13    Apparently the appellant replied to this letter in writing on 2 July 2014, but for some unexplained reason the letter was not included in the appeal book and was not before the primary judge.

14    The Department sent a third letter to the appellant on 23 December 2014. It referred to its earlier assurance that the Department would “assess any implications” of the data breach for the appellant personally “as part of its normal processes”, but then reneged, stating:

On 27 June 2014 the department sent you a letter to [sic] requesting that, if you have any concerns about the impact of the data breach on your ability to return to your home country or country of usual residence, you should give specific reasons as to why you cannot return. You replied to this letter in writing on 2 July 2014.

On 16 June 2014 you sought judicial review of the department’s decision to refuse you a Protection visa. On 9 December 2014 the Federal Court has remitted this matter to the Refugee Review Tribunal (RRT) for reconsideration.

As the RRT will now be reconsidering your claims for protection, the RRT is the appropriate forum for you to raise any protection claims you may have in regard to the unintentional release of your personal information on the department’s website. The department will no longer be considering the concerns you have raised in your letter, dated 2 July 2014, against Australia’s protection obligations. Should you have any protection claims in relation to the privacy data breach, including any information you provided to the department in your letter, the department now considers it your responsibility to submit them to the RRT.

(Emphasis added.)

15    On 2 February 2015, the appellant’s advisor wrote a submission to the Tribunal in relation to the matter to the following effect. The Department possessed all information in relation to the data breach, in particular the unabridged KPMG report which contained details of IP addresses and number of accesses to the information. Procedural fairness required that all relevant information be provided to the appellant before preparation of a reply, since, without having access to that information, he could not effectively and competently prepare his claim that he was a refugee sur place. A refugee sur place, I interpolate, is a person who is not a refugee when they left their country of origin but becomes one as a result of events occurring after their arrival in Australia. If the Department did not provide that information, the advisor submitted, the only course of action open to the Tribunal would be to recognise the appellant as a refugee sur place. The advisor went on to submit that the Tribunal could not complete its task without having full disclosure of the information that was in the possession of the Department.

The Tribunal decision

16    The Tribunal accepted the appellant’s claims that, with other supporters of the Gorkha National Liberation Front (GNLF), he committed acts of violence against Communists. It also accepted his claims that, in 1987, he had nearly been shot by police and was detained for two days and seriously mistreated. But it did not accept that he would be drawn or dragged into agitation or activities in support of the GNLF or Gorkhaland if he were to return to India or that he would face a real chance of persecution or was at risk of significant harm at the hands of the authorities, the GNLF, his old rivals, the Communists, ‘anti-supporters’, separatists, Gorkhaland Movement, or anyone else. Indeed, the Tribunal was not satisfied that anyone in India had any adverse interest in him. The Tribunal was particularly influenced by two facts: first, that nothing had happened to the appellant while he remained in India between 1988 and 1998, a period during which he did not claim to have been in hiding, and second, that he had waited more than 15 years from his arrival in Australia before applying for a protection visa.

17    None of these findings was challenged in the court below or in this appeal.

18    The Tribunal acknowledged the nature of the data breach and the information that was released on the Department’s website, stating that it was prepared to accept that this information might have been accessed in India. It did not accept, however, that the appellant had established any claim to fear harm on that basis, disposing of the claim as follows (without alteration):

37.    At the second hearing, when the applicant was to expand on his claims relating to the department’s data breach, he said he would be unable to comment until he knows what the information in relation to the data breach is. When asked if he was claiming that he would be subjected to harm as a result of the data breach, he said he could not comment.

38.    In her submission of 2 February 2015, the applicant’s representative submitted that that [sic] the department possesses all the information in relation to the data breach and that the applicant would be unable to prepare his claims or respond without having access to that information. If the department does not give the applicant access to the information, the only course of action open to the Tribunal is to recognise the applicant as a ‘refugee sur place’. The Tribunal does not agree with this proposition. As it was discussed with the applicant at the second hearing, the information that was inadvertently disclosed was his name, date of birth, nationality, gender and details about his detention. There is no evidence before the Tribunal to suggest that any information in relation [to] his claims for protection was published or accessed by anyone. Even if the Tribunal were to accept that the publication of the applicant’s personal information somehow identified him as having sought protection in Australia, as discussed with him, there is no evidence to suggest that Indian nationals face adverse treatment, following their return to India, for reason of having applied for refugee status abroad.

(Footnote omitted.)

19    The Tribunal proceeded to find that, on the evidence, there was “no real chance that the applicant will face serious harm for a Convention reason” and that there was “no real risk” that he would face significant harm as a consequence of the publication of aspects of his personal information or because he had applied for protection in Australia.

The proceeding in the Federal Circuit Court

20    The application to the Federal Circuit Court raised two grounds of review. Both grounds arose from the Minister’s failure to provide him with further information in relation to the data breach. The legal foundation for his application was the Full Court’s decision in SZSSJ, which, by the time of the primary judge’s decision, had been overturned by the High Court.

21    In the first ground, the appellant complained that, as a result of not receiving the information he had sought, he did not get a fair hearing before the Tribunal as required by ss 422B and 425 of the Migration Act 1958 (Cth). In the second ground, which overlapped with the first, he complained that the Tribunal failed to conduct the review required by the Act because it undertook that review when it was “fully aware that there was credible, relevant and significant information in the possession” of the Department which the appellant had not seen.

22    The primary judge dismissed both grounds.

23    As to the first ground, his Honour reasoned as follows.

24    First, the premise for the appellant’s claim for access to the documents was that he faced a risk of harm as a result of the data breach but the premise was not made out. The appellant did not reply to the Tribunal’s query as to whether he was claiming he would be subjected to harm as a result of the data breach.

25    Secondly, the appellant’s submission that the Department held information that “was credible, relevant and significant” was unsupported.

26    Thirdly, it was not suggested the Tribunal possessed the information claimed. The appellant could have requested the Tribunal to summon a person to produce documents in relation to the data breach (under s 427(3)(b) of the Act). It may be that the Tribunal would have refused such an application; but it could not be said that the Tribunal acted unfairly, or made any jurisdictional error, by not considering information that was not in its possession, or by not considering a request that was not made to it that it should summon the Department to produce the information.

27    Fourthly, nothing in SZSSJ supported the appellant’s argument that he should have been provided with the information relating to the data breach, including the unabridged KPMG report, and that, since he was not, he was denied procedural fairness. His Honour reasoned (at [25]):

The applicant in the case before me was not offered an ITOA assessment. In its letter dated 23 December 2014, however, the Department informed the applicant that if he had any protection claims in relation to the data breach, it was the applicant’s responsibility to submit those claims to the Tribunal. Just as in Minister for Immigration and Border Protection v SZSSJ, therefore, the applicant before me was given notice of the data breach and of the means by which the applicant could pursue a claim that, because of the data breach, Australia owed the applicant protection obligations. Further, given the Tribunal was prepared to assume that the data breach in fact identified the applicant as having sought protection in Australia, and the applicant was not prepared to inform the Tribunal of the harm the applicant feared would or might occur to him as a result of the data breach, it is not possible to say how the availability to the applicant of the unabridged KPMG report and any other Claimed Information could have assisted the applicant.

28    Fifthly, the common law duty to accord procedural fairness, which was in issue in SZSSJ, did not apply in this case because of s 422B of the Act. Section 422B(1), I interpolate, provides that Pt 7 Div 4 is taken to be an exhaustive statement of the requirements of the natural justice hearing rule in relation to the matters it deals with. His Honour then proceeded to consider whether there had been a breach of s 425 or the Tribunal had not acted in a way that was fair and just as required by s 422B(3). His Honour held that the applicant, by which his Honour obviously meant the Tribunal, did not fail to comply with s 425 of the Act or otherwise act unfairly. He noted that the appellant was invited to attend a hearing to give evidence and present arguments and the Tribunal specifically invited him to make submissions about whether he claimed Australia owed him protection obligations as a result of the data breach.

29    The primary judge disposed of the second ground briefly as follows (at [29]):

The Tribunal did review the applicant’s case according to law. It asked the applicant to expand on claims he had based on the data breach, and specifically asked the applicant whether he was claiming he would be subjected to harm as a result of the data breach. The Tribunal considered the material before it. It cannot be said the Tribunal did not review the applicant’s case because it did not consider information that was not before it.

The appeal

30    The amended notice of appeal pleaded six grounds, only three of which (grounds 2, 4 and 6) were pressed. Grounds 2 and 4 are related. In ground 2, the appellant alleged that the primary judge erred by failing to find that the Tribunal did not apply the assumption that all of his personal information, which I take to mean the personal information released as a result of the data breach, had been accessed by all the persons or entities from whom or which he feared persecution or other relevant harm “as held by the High Court … in [SZSSJ]”. In ground 4, he alleged that the primary judge did not give him the opportunity to make submissions on the implications to his case of the decision in SZSSJ. In ground 6, the appellant complained that he was denied procedural fairness because he was not advised of the existence of the s 438 certificate.

31    In submissions filed on the appellant’s behalf by his then lawyers in May 2018, grounds 2 and 4 were collapsed into one:

[T]he way in which the Tribunal dealt with the ‘data breach’ issue occasioned a want of procedural fairness such as to amount to jurisdictional error, which was erroneously not recognised by the Court below.

32    This contention was particularised later in the submissions as follows:

The appellant submits that the department and/or Tribunal (s418(3) required the Secretary to forward all relevant documentation to the Tribunal) failed to provide him with the KPMG report, failed to provide him with sufficient information relating to the breach and failed to apply the assumption considered by the High Court in SZSSJ to have remedied the want of procedural fairness occasioned by the lack of disclosure of the report and the appellant’s actual disclosed information to cause the Tribunal to constructively fail to provide the appellant with an opportunity to be heard under s425 of the Act.

33    The Tribunal’s decision record contains a list of documents that were submitted by the appellant. One of those documents is described as a “[c]opy of a report prepared by KPMG …”. It is common ground, however, that the appellant has never seen the unabridged KPMG report. In the circumstances, the reference to the KPMG report in the appellant’s submission to the Tribunal should be taken to be a reference to the unabridged report and the reference in the Tribunal’s decision should be taken to be a reference to the abridged report.

34    The appellant’s submissions effectively recast ground 2, although the Minister made no complaint about that. No argument was advanced to support the proposition in ground 4 (that the appellant had been denied procedural fairness in the court below because he was not given an opportunity to make submissions on the High Court judgment in SZSSJ). In these circumstances I take that point not to have been pressed.

35    Ground 6 was added to the original notice of appeal following the decision in Minister for Immigration and Border Protection v Singh (2016) 244 FCR 305. Since the point was not raised before the Federal Circuit Court, it is common ground that leave is required to argue it.

36    In an affidavit filed on 9 June 2017, Michaela Byers, a solicitor who then acted for the appellant but who has since ceased to act, deposed that the s 438 certificate was not included in the Court Book in the Federal Circuit Court and that she only discovered its existence on 10 November 2016 while preparing for the hearing.

37    Leave to rely on the additional ground was not opposed provided that the Minister was permitted to read an affidavit of Svetlana Zarucki to which was exhibited the certificate and the documents the subject of the certificate. For the reasons given in Minister for Immigration and Border Protection v SZMTA [2019] HCA 3; 163 ALD 38 at [50], this evidence would have been admissible in the hearing in the court below.

38    Leave was granted on those terms.

The issues

39    The questions raised by what remains of the amended notice of appeal are these:

(1)    Did the primary judge err in failing to find that the Tribunal denied the appellant procedural fairness in the way in which it dealt with the data breach issue?

(2)    Did the Tribunal deny the appellant procedural fairness by not disclosing the existence of the s 438 certificate and, if so, was its decision affected by jurisdictional error?

SZSSJ

40    Before dealing with any of these questions, it is necessary to say something more about SZSSJ.

41    In separate proceedings SZSSJ and SZTZI sought declaratory and injunctive relief from the Federal Circuit Court alleging that they had been denied procedural fairness in the Department’s conduct of its response to the data breach. Their applications were dismissed, in SZSSJ’s case for want of jurisdiction, in SZTZI’s on its merits. The Full Court allowed appeals in both matters. It held that the Federal Circuit Court did have jurisdiction to hear SZSSJ’s application, that the ITOA was required to afford procedural fairness, and that the process was unfair.

42    The Full Court reasoned that the applicants were denied procedural fairness on two bases. First, the ITOA process had not been adequately explained to the visa applicants and, secondly, because the unabridged KPMG report had not been provided to them. In dismissing the Minister’s submission that procedural fairness did not require the supply of the unabridged report because his only obligation was to disclose adverse materials, the Full Court said this (at [118]):

The Department is requiring affected individuals to make submissions to it about the consequence of its own wrongful actions in disclosing their information to third parties without revealing to them all that it knows about its own disclosures. Whilst it is certainly true that the obligation of a decision-maker is generally only to disclose information which is adverse to a claimant, the requirements of natural justice fluctuate with the circumstances of each case: Russell v Duke of Norfolk [1949] 1 All ER 109 at 118; Lam at [37].The particular circumstances of this case take it far outside the realm of the ordinary.

43    Later, at [120], the Full Court made the following observations which provided the basis for the position taken by the appellant in the present case:

The Data Breach occurred in the Department on or through its computer equipment. The individuals, such as SZSSJ, affected by the Department’s conduct could not know or ascertain anything as to its potential to affect their interests which the Department did not disclose to them. In those circumstances, the Department’s assertion that it has disclosed what, it considered, might adversely affect the relevant individual(s), cannot be evaluated by that individual or those individuals because they do not have, and cannot access, the full picture in the presently limited disclosure in the process that the Department has afforded. In cases, such as these, involving persons whose claims for protection have failed, the public revelation of their identities that could have been accessed by the very person(s) from whom the failed protection seeker feared harm, conceivably might have some potential to expose him or her, on refoulement, to what he or she feared.

44    The Full Court considered that the want of procedural fairness in failing to provide the information included in the unabridged KPMG report, presumably redacted from the abridged version provided to SZSSJ and SZTZI, was not ameliorated by the assumption the reviewers undertaking the assessments were instructed to make, namely that the information that was inadvertently released “may have been accessed by the authorities in the receiving country”.

45    The Full Court allowed each appeal, set aside the orders of the Federal Circuit Court, substituted declarations that the process conducted to assess the implications of the data breach for both appellants had been procedurally unfair, and granted an injunction restraining the Minister and the Secretary of the Department from removing SZSSJ until after the determination of the process.

46    SZSSJ and SZTZI appealed by special leave to the High Court.

47    The High Court judgment was published on 27 July 2016, while the judgment of the primary judge was reserved.

48    The High Court dealt with three issues: whether the Federal Circuit Court had jurisdiction to entertain the proceedings; whether SZSSJ and SZTZI were owed procedural fairness as part of the ITOA process; and whether they had been denied procedural fairness. The High Court held that, while the Full Court had been right to conclude that the Federal Circuit Court had jurisdiction and that SZSSJ and SZTZI were owed procedural fairness in the ITOA process, it had been wrong to conclude that they had been applicants who had been denied procedural fairness as part of that process.

49    On the procedural fairness question, the High Court stated:

82    [C]ompliance with an implied condition of procedural fairness requires the repository of a statutory power to adopt a procedure that is reasonable in the circumstances to afford an opportunity to be heard to a person who has an interest apt to be affected by exercise of that power. The implied condition of procedural fairness is breached, and jurisdictional error thereby occurs, if the procedure adopted so constrains the opportunity of the person to propound his or her case for a favourable exercise of the power as to amount to a “practical injustice”.

83    Ordinarily, affording a reasonable opportunity to be heard in the exercise of a statutory power to conduct an inquiry requires that a person whose interest is apt to be affected be put on notice of: the nature and purpose of the inquiry; the issues to be considered in conducting the inquiry; and the nature and content of information that the repository of power undertaking the inquiry might take into account as a reason for coming to a conclusion adverse to the person. Ordinarily, there is no requirement that the person be notified of information which is in the possession of, or accessible to, the repository but which the repository has chosen not to take into account at all in the conduct of the inquiry.

84    Extraordinary as they are, the circumstances of the Data Breach do not warrant a departure from those ordinary requirements. That the Department was responsible for its occurrence is regrettable. That the Department was responsible for its occurrence nevertheless provides no foundation for apprehending that an officer of the Department tasked with assessing the consequences of the Data Breach for an individual applicant would not bring an impartial and unprejudiced mind to the conduct of an assessment. Nor does that circumstance provide a principled foundation for converting the ordinary requirement of procedural fairness that an affected person be given notice into a duty that the Department reveal “all that it knows” about the Data Breach.

    (Footnotes omitted.)

50    The High Court held at [86] that SZSSJ and SZTZI were squarely put on notice of the nature and purpose of the assessment and of the issues to be considered in conducting the assessment from the time of the formal notification to each of them of the commencement of the ITOA process. The High Court also held at [92] that neither of them was deprived of any opportunity to submit evidence or to make submissions relevant to the subject matter of the ITOA process as a result of not having the further information as might be inferred was contained in the unabridged KPMG report. First, the manner in which the data breach occurred and the reasons for its occurrence were not relevant to the question of whether one or more of Australia’s non-refoulement obligations were engaged in respect of them. Secondly, regardless of what the unabridged KPMG report might say about the identities of the IP addresses from which the document had been accessed during the fortnight in which the data breach took place, once it had been downloaded the personal information of the two appellants could have been accessed by anyone. Thus, even if the unabridged KPMG report might have allowed SZSSJ and SZTZI to prove that one or more of those IP addresses were associated with persons or entities from whom they feared harm, it would not advance their cases any further than the assumption already made in their favour.

51    Consequently, the Court considered that the appellants were not deprived of any opportunity to submit evidence or to make submissions relevant to the subject matter of the ITOA process as a result of not having the further information potentially contained in the unabridged KPMG report.

Did the primary judge err in failing to find that the Tribunal denied the appellant procedural fairness in the way in which it dealt with the data breach issue?

52    Section 425 of the Act imposes an obligation on the Tribunal to invite the applicant to a hearing “to give evidence and present arguments relating to the issues arising in relation to the decision under review”. In the present case, one of those issues was whether the appellant was at risk of significant harm as a result of the disclosure by the Department of some of his personal information. The invitation must be “real”, not illusory, and it must be “meaningful”: Minister for Immigration and Multicultural and Indigenous Affairs v SCAR (2003) 128 FCR 553 at [37]-[38].

53    The appellant contended that the primary judge did not turn his mind to compliance with s 425 or give adequate reasons “relating to complying with s 425”. The appellant submitted that it was “the reality of this robust and beneficial assumption of fact that the High [C]ourt found rendered immaterial any want of procedural fairness occasioned by the failure to disclose the [unabridged] KPMG report” and, unlike SZSSJ and SZTZI, he was not given the benefit of that assumption. Consequently, the appellant argued, he should have been supplied with the report. Since he was not, he argued, the Tribunal’s invitation to attend a hearing to give evidence on the data breach was an empty one and the primary judge should have found that the Tribunal constructively failed to exercise its jurisdiction under s 425.

54    The assumption the High Court said was made in SZSSJ was not made by the Tribunal in the present case. While ITOA assessors were instructed to assume that the personal information of the affected visa applicants may have been accessed by authorities in the countries from which SZSSJ and SZTZI had fled, the High Court held that the assumption was interpreted and applied much more broadly. The High Court observed at [91]:

Sensibly interpreted and applied in the context of making an assessment of whether the Data Breach engaged Australia’s non-refoulement obligations with respect to them, the assumption was not simply that some of their personal information might have been accessed by some authorities. The assumption was rather that all of their personal information had been accessed by all of the persons or entities from whom they feared persecution or other relevant harm. That is how the assumption was in fact interpreted and applied by the officer who conducted SZTZI’s ITOA and how it could reasonably be expected to be interpreted and applied in the conduct of SZSSJ’s ITOA.

55    In the present case, the Tribunal proceeded on a different basis. It stated at [36] of its reasons that it was prepared to accept that the information disclosed as a result of the data breach might have been accessed in India but at the same time stated that there was no evidence before the Tribunal to suggest that any of that information had been published or accessed by anyone. If the Tribunal had proceeded on the same basis as the High Court considered the ITOA had proceeded in SZSSJ, the absence of access or publication in India would have been immaterial; the Tribunal would have assumed that the information had been accessed. What is more, it would not merely have assumed that the information would have been accessed in India, but that it would have been accessed by all those persons and entities from whom or which the appellant feared persecution or significant harm in India.

56    Contrary to the underlying premise of the appellants’ submissions, however, the Tribunal was not obliged to make this assumption. SZSSJ was concerned with a different process in which decision makers were instructed to make an assumption. The Tribunal was not under such an instruction either expressly or impliedly. And nothing in SZSSJ suggests that the Tribunal was required to make the same assumption. Consequently, the failure by the Tribunal to do so did not amount to a denial of procedural fairness in the appellant’s case: see, for example, AVB16 v Minister for Immigration and Border Protection [2017] FCA 241 at [33]–[36] (Markovic J).

57    Furthermore, contrary to the appellant’s submission, there is no doubt that the primary judge turned his mind to compliance with s 425 and I am not satisfied that his Honour’s reasons were relevantly deficient. The appellant was given a real and meaningful opportunity to give evidence and present arguments on the implications for him of the data breach. He had been given notice before the hearing that any protection claims he might have arising from the unintentional release of his personal information on the Department’s website should be raised with the Tribunal. He was invited by the Tribunal to expand upon the matter. The Tribunal assumed that the information that was disclosed during the data breach might have been accessed in India, but, as the primary judge observed at [18], when the appellant was specifically asked whether he was claiming he would be subjected to harm as a result, he declined to comment.

58    For these reasons, I am not persuaded that the primary judge was wrong to find that the Tribunal had not failed to comply with s 425.

59    In any event, the Tribunal found that there was no evidence to suggest that Indian nationals face adverse treatment following their return to India because they had applied for refugee status abroad. In these circumstances, even if the failure of the Tribunal to make the SZSSJ assumption or to give the appellant an opportunity to comment on the unabridged KPMG report amounted to non-compliance with s 425, the error could not have affected the result. It follows that any such error would not have been jurisdictional: see SZMTA at [44]–[45] (Bell, Gageler and Keane JJ); Hossain v Minister for Immigration and Border Protection [2018] HCA 34; 92 ALJR 780; 359 ALR 1 at [31] (Kiefel CJ, Gageler and Keane JJ); [76]–[77] (Edelman J).

Did the Tribunal deny the appellant procedural fairness by not disclosing the existence of the s 438 certificate?

60    The appellant submitted that the certificate was invalid and the Tribunal failed to correctly apply the provisions of s 438. This, he said, was “the” jurisdictional error. He argued that “the purported issue of an invalid certificate … infected the process or procedure adopted by the Tribunal” in relation to the documents covered by the certificate. He submitted that in acting on the invalid certificate, the Tribunal would necessarily have been influenced by an incorrect belief in the application of s 438 and that the Tribunal’s consideration of its obligations and functions under the section must have been affected by the false premise that the certificate was valid.

61    At the time of the Tribunal’s decision, s 438 of the Act provided as follows:

438 Refugee Review Tribunal’s discretion in relation to disclosure of certain information etc.

(1)    This section applies to a document or information if:

(a)    the Minister has certified, in writing, that the disclosure of any matter contained in the document, or the disclosure of the information, would be contrary to the public interest for any reason specified in the certificate (other than a reason set out in paragraph 437(a) or (b)) that could form the basis for a claim by the Crown in right of the Commonwealth in a judicial proceeding that the matter contained in the document, or the information, should not be disclosed; or

(b)    the document, the matter contained in the document, or the information was given to the Minister, or to an officer of the Department, in confidence.

(2)    If, in compliance with a requirement of or under this Act, the Secretary gives to the Tribunal a document or information to which this section applies, the Secretary:

(a)    must notify the Tribunal in writing that this section applies in relation to the document or information; and

(b)    may give the Tribunal any written advice that the Secretary thinks relevant about the significance of the document or information.

(3)    If the Tribunal is given a document or information and is notified that this section applies in relation to it, the Tribunal:

(a)    may, for the purpose of the exercise of its powers, have regard to any matter contained in the document, or to the information; and

(b)    may, if the Tribunal thinks it appropriate to do so having regard to any advice given by the Secretary under subsection (2), disclose any matter contained in the document, or the information, to the applicant.

(4)    If the Tribunal discloses any matter to the applicant, under subsection (3), the Tribunal must give a direction under section 440 in relation to the information.

62    On 17 December 2014, Elizabeth Hepper, a delegate of the Minister, issued a certificate and notification regarding information about the appellant contained in folios 126–127 of the Department’s file. The certificate was in the following terms:

I certify that paragraph 438(1)(a) of the Migration Act 1958 applies to the information in folios 126-127 of file number CLF2013/242849.

The disclosure of this information would be contrary to the public interest because:

In my view, this information should not be disclosed to the applicant or the applicant’s representative because folios 126-127 contain information relating to an internal working document and business affairs.

The Refugee Review Tribunal’s use and disclosure of this information is subject to the provisions of subsections 438 (3) and (4) of the Migration Act 1958.

63    It is common ground that neither the information nor the existence of the certificate was disclosed to the appellant. The Minister offered an innocent explanation for this omission which was not challenged and which I accept.

64    In MZAFZ v Minister for Immigration and Border Protection (2016) 243 FCR 1 at [29] Beach J held invalid a certificate purportedly issued by a delegate of the Minister under s 438(1)(a) of the Act which stated that the disclosure of the information “would be contrary to the public interest because it contains internal working documents”.

65    His Honour held (at [35]–[36]) that the phrase in s 438(1)(a) — “the basis for a claim by the Crown in right of the Commonwealth in a judicial proceeding that the matter contained in the document, or the information, should not be disclosed” — is a reference to public interest immunity and (at [37]) that the reason given in the certificate (that the information contained internal working documents) was neither a necessary or sufficient basis for public interest immunity. In the absence of evidence to the contrary, his Honour concluded (at [40]–[43]) that the Tribunal acted “in some unspecified way” on the invalid certificate in relation to the documents to which it related, may not have properly turned its mind to whether it ought to have disclosed certain matters to the applicant under s 424AA or s 424A of the Act and whether the documents in fact supported the applicant’s visa application, and disclosure should have been made in any event. His Honour went on to hold (at [44]) that, by proceeding or acting on an invalid certificate, the Tribunal fell into jurisdictional error.

66    His Honour also held (at [50]) that procedural fairness required that the Tribunal disclose to the applicant the existence of the certificate, give him an opportunity to make submissions on its validity, tell him to what extent, if any, it was going to take into account information covered by the certificate or, at least whether the information was favourable, unfavourable or neutral to the applicant, and at least give him an opportunity to seek a favourable exercise of the discretion under s 438(3)(b). His Honour held that the obligation was not excluded by s 422B, which relevantly provides that Pt 7 Div 4 of the Act and s 438, in so far as it relates to that Division, is taken to be an exhaustive statement of the requirements of the natural justice hearing rule “in relation to the matters they deal with”.

67    In Singh, the Full Court (Kenny, Perram and Mortimer JJ) approved MZAFZ in the context of a certificate issued under the analogous provision, s 375A, confirming the decision of the Federal Circuit Court to grant Mr Singh relief and remitting the application to the Tribunal on the ground that procedural fairness required the Tribunal to disclose to the applicant the existence of the certificate.

68    In Minister for Immigration and Border Protection v CQZ15 (2017) 253 FCR 1 at [65] the Full Court (Kenny, Tracey and Griffiths JJ), like Beach J in MZAFZ, said that, in the absence of evidence to the contrary, it could be assumed that, in coming to its decision, the Tribunal had had regard to any document said to be covered by the s 438 certificate. In this context, the Court explained, “to say a decision-maker has had ‘regard’ to or ‘acted on’ a document is to say that the decision-maker has treated the document as material in some way to the decision on review”. The Court pointed out, however, that non-disclosure will not always give rise to a denial of procedural fairness. In every case, it is necessary to examine “all the circumstances and the consequences for the applicant of the non-disclosure”. In the event that the documents were found on inspection to be incapable of having any bearing on the Tribunal’s decision, the Court continued at [69], then, irrespective of whether the certificate or notification was valid, in all likelihood, non-disclosure could not have deprived the applicant of an opportunity to advance his or her case.

69    In SZMTA, the Minister conceded that a notification by the Secretary to the Tribunal that s 438 applies to a document or information is sufficient to imply an obligation on the part of the Tribunal as a matter of procedural fairness to disclose the fact of the notification to the applicant for review unless the obligation is specifically excluded by the statutory scheme. Bell, Gageler and Keane JJ said at [27] that the concession was correctly made for the reasons set out at [29]-[31] of the judgment. In short, the provision of the certificate changed the procedural context in which the opportunity to present evidence and make submissions is routinely afforded and the context in which the applicant’s entitlement (conferred by s 423) to present written argument relating to the issues arising in relation to the decision under review falls to be exercised. As their Honours explained at [31]:

The entitlement under s 423 extends to allowing the applicant to present a legal or factual argument in writing either to contest the assertion of the Secretary that s 438 applies to a document or information, or to argue for a favourable exercise of one or both of the discretions conferred by s 438(3). This entitlement, at least in those specific applications, is capable of meaningful exercise only if the applicant is aware of the fact of a notification having been given to the Tribunal.

70    Their Honours said at [38] that, because procedural fairness requires disclosure of the fact of notification, without more, non-disclosure of the fact of notification is a breach of the Tribunal’s implied obligation of procedural fairness. But their Honours went on to say that, for such a breach to amount to jurisdictional error on the part of the Tribunal, it must give rise to a “practical injustice”. In other words, “the breach must result in a denial of an opportunity to make submissions and that denial must be material to the Tribunal’s decision”. A breach is material “only if compliance could realistically have resulted in a different decision”: SZMTA at [44]–[45] (Bell, Gageler and Keane JJ).

71    The Minister conceded that the certificate was invalid. Nevertheless, he submitted that Singh and MZAFZ are both distinguishable because, consistently with the decision in SZMTA at [38], the information the subject of the certificate was irrelevant to any issue in the review, such that the failure to disclose the certificate caused the appellant no practical injustice.

72    The Minister is correct.

73    There was a denial of procedural fairness here. The appellant should have been informed of the notification. But for the reasons given by the plurality in SZMTA, the failure to inform the appellant does not give rise to jurisdictional error.

74    The information the subject of the certificate was disclosed by Ms Zarucki in the exhibit to her affidavit. The information it contained was completely anodyne. Apart from revealing the names and, in one case, the contact details of departmental officers involved in the processing of his application, the documents told the appellant nothing more than he knew already. They merely summarised the progress of his litigation. None of that information had any bearing on the subject-matter of the review. The information was properly, if not generously, described by the Minister as having “no more than passing contextual relevance” to the appellant’s application. It afforded the appellant no foundation for making submissions and compliance could not conceivably have resulted in a different decision. It follows that the denial of procedural fairness was not material to the Tribunal’s decision so that no practical injustice was occasioned to the appellant by the failure to disclose the certificate and no jurisdictional error arises.

Conclusion

75    For these reasons the appeal should be dismissed.

76    Costs should follow the event.

Associate:

Dated:    9 August 2019