Federal Court of Australia

Madzikanda v Australian Information Commissioner [2023] FCA 1445

ORDERS

THE COURT ORDERS THAT:

1.    The application for judicial review is dismissed.

2.    Subject to order 3 the applicant pay the respondent’s costs of the proceeding.

3.    The respondent’s costs of the proceeding, prior to 9 May 2022, be disallowed as between party and party.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

WHEELAHAN J:

1    The Privacy Act 1988 (Cth) gives effect to 13 Australian Privacy Principles, which are referred to as APPs. Australian agencies and organisations covered by the Act (collectively, APP entities) must not engage in any act or practice that breaches an APP: ss 6(1), 15. The APPs are contained in Schedule 1 to the Act. They include, inter alia, principles relating to –

    the use or disclosure of personal information (APP 6);

    the security of personal information (APP 11); and

    access to personal information (APP 12).

2    Unlike general law rights of action and remedies that are available for a breach of confidence, or a threatened breach of confidence, individuals are unable to take direct action under the Privacy Act for remedies arising from interferences with their privacy. Rather, it is an object of the Act “to provide a means for individuals to complain about an alleged interference with their privacy”: s 2A(g). Consistently with this object, the Act provides a mechanism for an individual to lodge a complaint to the Australian Information Commissioner: s 36. The Commissioner may decide to investigate a complaint, and is able to exercise various information-gathering and other investigative powers. The Commissioner may also decide to cease the investigation of a complaint: see Part V, Div 1. Following an investigation, the Commissioner has the power to make a determination dismissing the complaint, or to make a finding that the complaint is substantiated, and may make determinations including, inter alia, a declaration that the complainant is entitled to a specified amount of compensation, or that the respondent must take certain remedial action: s 52. If the Commissioner makes a determination, proceedings may be brought by a complainant or the Commissioner in this Court, or the Federal Circuit and Family Court of Australia (Division 2) for an order to enforce a determination: s 55A. On such an application, the Court is to deal, by way of a hearing de novo, with the question whether the person or entity in relation to which the determination applies has engaged in conduct that constitutes an interference with the privacy of an individual: s 55A(5).

3    On 16 July 2019, the applicant made a complaint to the Commissioner about the conduct of his former employer, Mecrus Pty Ltd (the employer). The applicant complained that the employer had used personal information that was held on his work laptop computer, namely passwords that were stored on the computer that had enabled the employer to access his personal email, iCloud, and OneDrive accounts. Further, the applicant complained that the employer failed to hand over his personal data, such as copy personal emails, upon his request. More than two years later, on 19 July 2021 and after unsuccessful conciliation, an investigation officer of the Commissioner notified the applicant and the employer that the Office of the Commissioner intended to investigate the matter. Following a period of correspondence and initial investigation, on 15 September 2021 a delegate of the Commissioner advised the applicant, in terms which I will summarise later, that he was of the view that there was no interference with the applicant’s privacy under the relevant APPs, and that otherwise he was satisfied that the applicant’s complaint should not be investigated further because it would be an inefficient and unproductive use of the Commissioner’s resources and powers and therefore further investigation was not warranted.

4    The applicant brings this proceeding seeking an order of review under the Administrative Decisions (Judicial Review) Act 1977 (Cth) (ADJR Act) in respect of the Commissioner’s decision to close the investigation of his complaint. Specifically, by his originating application the applicant seeks the following orders –

1.    A declaration that the Respondent’s decision was unjust and improper.

2.    An order referring the matter to which the decision relates to the person who made the decision for further consideration, subject to such directions as the court thinks fit

3.    Any further orders or relief as this Court deems just.

5    Upon an application for relief under the ADJR Act, the Court is concerned with the legality of the Commissioner’s decision not to proceed further by reference to one or more of the grounds of review that are advanced, and not with the merits of the applicant’s underlying claims: Simjanovska v Department of Human Services [2019] FCA 499 at [108]-[117] (Perry J); Jones v Office of the Australian Information Commissioner [2014] FCA 285 at [19]-[22] (Greenwood J). No doubt the applicant feels that the delegate did not give sufficient weight to his claims, and erred by placing weight on the employer’s responses to those claims. But in assessing the legality of the delegate’s decision nothing follows from that. The question in issue is whether the applicant has made out one or more of his grounds of review under the ADJR Act.

The applicant’s complaint to the Commissioner

6    The following is a summary of the applicant’s complaint set out in his privacy complaint form, and supplemented by further correspondence with the Commissioner –

(a)    On 7 June 2019, the applicant was suspended from his employment and was required to surrender his work laptop computer.

(b)    The applicant had used his work laptop computer for some years, and he had stored personal information on the computer including passwords to online accounts such as banking, private email accounts, and his personal OneDrive and iCloud accounts.

(c)    Upon surrendering his computer, the applicant asked the employer if he could download and delete the personal information from the computer, and referred to a proposal that he would consult a privacy lawyer in relation to how he could protect his information.

(d)    The applicant claimed that the employer advised him that it had no intention of accessing his personal information until 11 June 2019 and after the applicant had obtained legal advice, and claimed that the employer agreed that he could come to the office to download the personal information from the computer.

(e)    The applicant claimed that on 7 June 2019, and after he was suspended, he received a confirmation that his iCloud account had been accessed from the computer, and noticed that his personal email accounts had been accessed.

(f)    On 8 June 2019, the applicant wrote to the employer stating that he knew that it was accessing his private information, but received no response.

(g)    On 13 June 2019, the applicant received a letter from the employer which the applicant claimed contained admissions that the employer had accessed the applicant’s private email accounts because it referred to a conversation that appeared only in a private email. The tenor of the letter from the employer was that the applicant was working on other projects in competition with the employer, and contained the following passages –

…

The evidence we have to hand shows you have used a substantial amount of work time in sending [sic] receiving emails and phone calls referred to in emails during company time. The other companies you own/work in are in direct competition with Mecrus [the employer], in particular water, mining and agriculture and you seeking work through your company is regarded as competition to our companies

…

We have also seen emails referring to our government grants that you were disappointed we received and that your project did not.

…

(h)    The applicant also claimed that officers of the employer had made verbal admissions of having accessed his personal information.

(i)    On 17 July 2019, the applicant was dismissed from his employment. The applicant claimed that the letter of termination, which referred to private projects on which the applicant had worked, must have been the product of information contained in his private emails and iCloud account.

(j)    The applicant claimed that he had been highly inconvenienced and distressed because the information contained on the computer related to personal business on which he had been working.

(k)    By his complaint form lodged with the Office of the Australian Information Commissioner the applicant sought the following remedies –

1.    Allow me to download all my personal information from the laptop.

2.    Delete all personal information from the laptop and any copies made.

3.    Compensation for the inconvenience and distress caused.

(l)    Subsequently, the applicant brought a proceeding in the Fair Work Commission against the employer claiming that he had been unfairly dismissed. On 31 October 2019, and after mediation, he reached a settlement agreement with the employer regarding the termination of his employment. On 3 December 2020, the applicant provided the Office of the Commissioner with a copy of the settlement agreement which provided that each party would return to each other their property and personal information. The applicant claimed that while the agreement outlined a resolution, the Fair Work Commission had advised that the privacy aspect of the settlement would continue to be handled by the Office of the Australian Information Commissioner. The applicant claimed that the respondent had failed to return his personal information pursuant to this agreement. It is convenient here to set out the relevant term of the settlement agreement –

3.11    The Respondent will return to the applicant any property, including personal data contained on the company laptop, belonging to the applicant.

(m)    On 15 August 2021, the applicant provided to the Office of the Commissioner an itemised list of the personal information to which he was seeking access. That information covered four personal email accounts, his iCloud account, and his OneDrive account. The applicant claimed that the data relating to one email account were entirely lost, because he did not have a backup. In relation to the other three email accounts, the applicant claimed that he was able to recover some but not all of the emails from the servers. And in relation to the two cloud accounts, there was no loss of data, because he was otherwise able to recover the files from the cloud.

(n)    The applicant claimed that he did not believe that the respondent had a privacy policy or IT policy relating to the use of company computers, but if it did, the policy was not policed. The applicant claimed that documents that the employer had provided to the Office of the Commissioner, purporting to be an Employee Handbook, a Privacy Policy, and a Computing and Communication Policy, had been falsified by the employer. In relation to two of the documents, the applicant referred to metadata in evidence before the Court which the applicant claimed indicated that the documents had been created after the cessation of the applicant’s employment. As to the Computing and Communication Policy, the applicant claimed from personal knowledge that no such policy existed during the period of his employment.

7    In the course of its investigation, the Office of the Commissioner corresponded with the applicant and the employer. The employer’s initial response to the complaint was by letter from the employer’s managing director, Mr Barry Richards, to an investigations officer of the Commissioner dated 14 November 2019. That letter stated in part –

The information investigated by the company was data stored on a company laptop and was in line with our company policy. The information was retrieved by the company IT specialist and viewed by the HR manager (Denise Rejda) and myself the Managing Director (Barry Richards). No private banking information was retrieved or viewed.

Mr Madzikanda then followed his termination with an application to fair work for an unfair dismissal case. Through mediation and arbitration a settlement agreement was reached which included the returning of private and company information between the two parties.

8    The complaint was then referred to an early resolution process conducted by the Office of the Commissioner, and failed to resolve. The complaint was then placed in a queue of matters awaiting investigation by the Commissioner’s Office.

9    In December 2020, the Office of the Commissioner turned its attention again to the applicant’s complaint. By an email dated 3 December 2020, an investigations officer requested that the applicant respond to a number of questions, which the applicant did by reply email dated 4 December 2020. In a document attached to that email, the applicant responded to the investigation officer’s request for a response and reinforced a number of aspects of his complaint that personal information such as passwords, documents on cloud storage, and personal emails had been accessed by the employer. In addition, the applicant stated –

•    Mecrus [the employer] did not have a policy on storing personal information on company computers.

•    If they did, they never used it or policed it. It was never a part of the policy induction for new employees. I was never shown this policy during my over 5 years at Mecrus.

•    For about 4 years at Mecrus, I supervised the IT department.

•    During this time, I did the induction for 2 IT Coordinators and 3 Commercial Officers, but never showed them an IT Policy on storing personal information on company computers, because it never existed.

10    On 22 June 2021, an investigations officer of the Commissioner, to whom I will refer hereafter as the delegate, advised each of the applicant and the employer by email that the matter had been referred to the investigation team for assessment as to whether an investigation should be commenced or continued under s 40 of the Act, or whether it should not be investigated further pursuant to s 41 of the Act, in which case the applicant and the employer would be given an opportunity to comment on the reasons.

11    By a letter dated 11 August 2021, the Office put to the employer for comment a summary of the submissions that had been made by the applicant and sought responses to a number of questions. The employer’s response took the form of an email from Mr Barry Richards, the Managing Director of the employer, that attached a PDF copy of the letter from the Office of the Commissioner to which were attached electronic sticky notes with his responses. In summary –

(a)    The employer agreed that on 7 June 2019 the applicant was suspended from his employment and required to surrender his company laptop computer.

(b)    Mr Richards denied that to his knowledge personal information saved on the laptop computer was used to access the applicant’s online accounts.

(c)    In relation to the applicant’s claim that by a letter from the employer dated 13 June 2019 the employer had admitted accessing his email account, Mr Richards responded with the note, “Mecrus email account”.

(d)    As to the applicant’s claim that the employer did not have a privacy policy or IT policy relating to the use of company computers, Mr Richards stated “attachment A”. Attached to the email was a copy of a document titled “Mecrus Policy Computing and Communication” which was dated 23 July 2013.

(e)    Mr Richards agreed that the applicant’s employment was terminated on 17 July 2019, and agreed that on 31 October 2019 following a mediation with the Fair Work Commission the employer and the applicant reached an agreement in relation to the termination of his employment. Mr Richards disputed that the Fair Work Commission had advised that the privacy aspect of the settlement was a matter for the Office of the Information Commissioner.

(f)    Mr Richards disputed that the employer had not provided the applicant with the information that he requested, stating that the employer had delivered all requested information with the exception of one set of emails which he claimed were on a cloud-based service to which the applicant had access from anywhere, and in respect of which the file was too large to download onto a “pen drive”. Mr Richards claimed that the applicant had received all information that he had requested and which was practicable to deliver to him. He attached to his email as Attachment B an email chain terminating with an email from the applicant to the employer dated 4 July 2019 by which the applicant had acknowledged receipt of the information save for emails on one account which I assume was the account that Mr Richards claimed it was not practicable to download and deliver and which were otherwise available on the cloud.

12    In response to a series of questions raised by the Office of the Commissioner, Mr Richards provided some additional information, which included –

(a)    When a computer was returned to the IT manager of the employer and there was no further use required by the previously assigned user, the employer’s practice was to re-format the computer before re-assigning it.

(b)    The laptop computer in question was no longer held by the employer, as it was stolen from its premises on 31 May 2021, with the consequence that the employer no longer held any personal information of the applicant contained within data from the computer. Mr Richards annexed a police crime scene property sheet which listed a number of electronic devices, which included a laptop identified as the one surrendered to the employer by the applicant.

(c)    Mr Richards again denied that, to his knowledge, the employer had used personal information that was the subject of the applicant’s complaint, stating that the information had remained on the laptop and was only processed so as to provide a copy to the applicant.

13    By a further email, which was dated 25 August 2021, Mr Richards sent two additional documents to the delegate. The first was a document titled “Mecrus Group Employee Handbook”, which contained a section on privacy. The second document was titled “Employee Privacy Policy”.

14    The delegate sent the employer’s responses to the applicant for comment. By an email to the delegate dated 26 August 2021, the applicant disputed the authenticity of the Employee Handbook and the Privacy Policy. In relation to the Employee Handbook, the applicant claimed that the Handbook had been developed by another company, Calibre Workforce, in March 2018, and could not have been given to him in March 2014 when his employment commenced. The applicant further noted that the Employee Handbook contained a provision for the acknowledgement of receipt by an employee, and that the employer had not produced a copy containing the applicant’s acknowledgement. In relation to the Privacy Policy, the applicant submitted to the delegate that it purported to have come into place on 1 January 2017, but that at the time he was a senior manager with the employer, and that no such policy was developed or implemented at that time. The applicant also disputed the employer’s claim that it had returned all information to him in July 2020. He stated that the information that was returned on the USB device was corrupted, but that this was not critical information because he had managed to retrieve some of it from the servers. The applicant claimed that the employer did not return the information that he needed. The applicant also pointed to the apparent anomaly that on 21 October 2019 the employer had executed terms of settlement of his Fair Work claim (see [6(l)] above) by which it agreed to return to him any property, including personal data from his laptop.

The Commissioner’s decision

15    Following the receipt of the written information from the applicant and the employer, the delegate proceeded in two stages. The first stage was that he sent a letter dated 3 September 2021 which stated the delegate’s view that further investigation into the complaint should not occur. The letter set out the delegate’s reasons for this opinion and invited a response from the applicant before the delegate proposed making a decision not to investigate further the complaint. The second stage was a letter dated 15 September 2021 by which the delegate advised that he was satisfied that the conditions for the exercise of discretion to cease an investigation were engaged and advised that the file was closed.

The 3 September 2021 letter

16    The 3 September 2021 letter from the delegate summarised key elements of the applicant’s complaint and the employer’s response. There were a number of threads to the delegate’s reasoning, which I summarise as follows –

(a)    The delegate stated that it was his view that the employer had not interfered with the applicant’s privacy, as defined by the Act. The delegate referred to the exemption relating to “employee record” in s 7B(3) of the Act, stating that –

An employee record means a record of personal information relating to the employment of the employee. Examples include records about the employee’s personal contact details and records about the employee’s performance or conduct. To the extent that the personal information involves records of sites or accounts that you visited, using the work computer, I am satisfied that this amounts to a record of personal information relating to your conduct during your employment.

(b)    The delegate also stated that he was not satisfied that the applicant’s passwords amounted to his “personal information” as defined in the Act (see s 6). The delegate stated that it was not clear in what form the passwords appeared on the records, or whether they amounted to information “about you”.

(c)    The delegate stated that on the available information he considered that the matter related to the applicant’s current or former relationship with the employer. The delegate stated that a work computer had been issued to the applicant by the employer for the purpose of carrying out employment duties, which was then returned to the employer upon termination of the employment.

(d)    The delegate referred to the copy of the employer’s Computing and Communication Policy dated 23 July 2013 and its reference to the employer being able to “view, access, retrieve, print, copy/and or distribute any material or data that is accessed or stored or transmitted on IT systems”. The delegate also referred to the copy of the Employee Handbook that the employer had supplied, stating that it indicated that all data created, stored or transmitted upon its systems was considered “work product”. The delegate referred also to the employer’s IT and Computer Policy and a provision in it that was concerned with monitoring –

v)    Monitoring

The Employer considers any and all data created, stored or transmitted upon the systems (the Systems) as work product and as such, expressly reserves the right to monitor and review any data upon the Systems, including your usage and history, on an intermittent basis without notice.

(e)    The delegate acknowledged the applicant’s claim that no IT policies existed at the time of his employment, and noted that the copy Employee Handbook was undated. However, in forming his conclusions the delegate referred to and relied on the employer’s policies –

However, I have formed the view that these circumstances support a finding that such records were employee records as the respondent indicated a clear intention to monitor your use of its equipment, a work computer, provided to you for the performance of your duties of employment.

I consider that you were aware that the work computer was not your private property, and that any data saved to the computer may have formed part of your employee records, as it was subject to routine monitoring and review.

The respondent does not require your consent to access or use the equipment that it issued to you, to perform your employment duties. As the computer was a tool the respondent provided to you to carry out your employment duties, it remains the property of the respondent.

My view in this instance is that as the data you saved on the work computer is required to be monitored in accordance with the respondent’s policy, and contravention of such policy would reflect on your performance or conduct as an employee. Therefore, I consider the data to be an employee record.

As such, I am reasonably satisfied that the information collected on the respondent’s equipment while it was in your possession constitutes employee records as defined by the Privacy Act.

I consider the respondent’s actions in handling your personal information, contained in the work equipment it provided to you, was:

•    directly related to your employment relationship with the respondent at the time; and

•    directly related to the employee records and relating to you.

The act or practice about which you complain is the respondent taking receipt of a work computer on which you have stored your personal information, including passwords for your personal email addresses, and failing to provide you with your personal information on request. Additionally, you say that the respondent used your password to access your personal email account. I am satisfied that the acts or practices relate to employee records ‘held’ by the respondent relating to you.

Therefore, I consider the respondent’s acts and practices, in relation to the records it held, are not covered by the APPs in the Privacy Act, and that the respondent has not interfered with your privacy under APP 6, APP 11 or APP 12 in this instance.

As such, I am satisfied that the information stored on the work computer were [sic] employee records and that the ‘employee records’ exemption applies.

(f)    Importantly, the delegate then stated that in any event he was not satisfied that the employer had breached the APPs.

(g)    In relation to APP 12, the delegate referred to an email from the employer to the applicant dated 25 June 2019 which listed data that were sent to the applicant on USB storage devices, and an email from the applicant to the employer dated 4 July 2019 in which the applicant advised that he had received the data, save for the data associated with one email address. In relation to that data, the employer had asserted that it was available to the applicant in the cloud. The delegate concluded –

Based on the above, there is a reasonable argument that the respondent has complied with APP 12 by providing you with access to the personal information in compliance with APP 12.1 or, in the alternative, that the respondent has complied with APP 12.5 by taking reasonable steps in the circumstances to give access in a way that meets the needs of both the entity and the individual, namely by pointing you to an alternative means of accessing the information – via the cloud.

(h)    In relation to APP 6, which related to the applicant’s claim that the employer had used his passwords to gain access to his personal email accounts, the delegate noted that the employer denied this claim, and had stated that the only email account which it had accessed was the applicant’s work email account. The delegate concluded –

There is currently no evidence before me to suggest that the respondent has accessed your personal email account.

(i)    In relation to APP 11, which involved the applicant’s claim that the employer had used his personal data without his permission, the delegate concluded that there was no evidence that it did so.

(j)    Additionally, the delegate stated that he was of the view that further investigation was unlikely to provide the applicant with the remedy that he sought, which the delegate identified as access to the outstanding file, which I understand to mean the data associated with the private email account which was not returned on a USB device and which the employer claimed was available to the applicant on the cloud. The delegate relied on the advice of the employer that when a computer was returned, its hard drive would be re-formatted, and that in May the laptop computer had been reported by the employer to the police as having been stolen, together with other items. For these reasons the delegate accepted that the employer was unable to provide the applicant with access to the information which he sought.

(k)    Further, the delegate expressed the opinion that an investigation was not warranted. The delegate referred to the Office of the Australian Information Commissioner’s “Privacy Regulatory Action Policy” and the following circumstances –

•    there has been no interference with your privacy, as defined by the Privacy Act, as the employee records exemption applies

•    even if the employee records exemption does not apply, there are reasonable arguments that the respondent has not breached APP 6, APP 11 or APP 12

•    the respondent no longer holds the personal information you have requested, so any further remedy on that claim is unlikely to be achieved

•    there is no evidence to support further investigation of the APP 6 and APP 11 claims

•    an investigation is unlikely to elicit any further information or remedies.

(l)    The delegate concluded that further investigation of the applicant’s complaint was not warranted in all the circumstances, and foreshadowed his intention to exercise the Commissioner’s discretion under s 41(1) of the Act not to investigate the complaint further. The delegate stated that before making that decision, he invited the applicant to provide a response to the letter, should he wish to do so.

The applicant’s response of 6 September 2021

17    The applicant responded in detail to the delegate’s letter of 3 September 2021. In summary –

(a)    The applicant disputed the application of the exemption in s 7B(3) of the Act of “employee record” from acts or practices subject to the Act. The applicant stated that his personal information that was the subject of his claim did not fall within the definition of “employee record” in s 6 of the Act because his personal emails and data were created outside his employment, and had no direct or indirect connection to his employment.

(b)    As to the delegate’s reference in his 3 September 2021 letter to personal information involving records of sites or accounts that the applicant had visited using the work computer (see [16(a)] above), the applicant responded that his private emails and iCloud drive data did not meet that description. The applicant claimed that while an employer may collect records by requesting them from the employee and the employee then providing them voluntarily, there was no provision in the Act that empowered an employer to collect personal information “by confiscation”.

(c)    In relation to the format in which his passwords were stored, the applicant stated that they were saved in his Chrome browser, and could be exported to Excel. The applicant gave an illustration of the fields that were stored, and claimed that his personal email address made him identifiable by the information.

(d)    The applicant stated that the main dispute regarding the passwords was the fact that they were used to access his personal emails and iCloud data. The applicant stated that his personal passwords were not related in any way to his employment, and related to his digital footprint outside his work, and included private banking, real estate, travel, social media, and his children’s schools. The applicant stated that he had been inconvenienced by having to change over 100 passwords upon learning that the employer had accessed his passwords.

(e)    The applicant then turned to the IT and Computer Policy and Employee Handbook to which the delegate had referred. The applicant set out extracts from information published by the Office of the Australian Information Commissioner concerning workplace monitoring and surveillance. That information included –

If an employer keeps a record of their monitoring then the Australian Privacy Principles may apply. For example, a CCTV video recording or a computer record of emails that doesn’t directly relate to your employment.

(f)    The applicant stated to the delegate that the Office’s own literature gave as an example a matter that was the subject of his claim. The applicant stated that the employer had kept computer records of his personal emails that did not directly relate to his employment.

(g)    The applicant also referred to State laws, namely the Surveillance Devices Act 1999 (Vic) and the Victorian Information Privacy Principles contained in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic). The applicant stated that the Surveillance Devices Act did not authorise the employer to access personal information, but protected “private activity”, which the applicant stated was defined by the Act as meaning an activity carried on in circumstances that may reasonably be taken to indicate that the parties to it desire it to be observed only by themselves: see s 3(1). The applicant stated that his private emails and iCloud data were created mainly in the privacy of his home, with a reasonable expectation that they would not be monitored. The applicant claimed that provisions of the employer’s policies, such as the provision of the IT and Computer Policy concerning monitoring to which the delegate had referred (see [16(d)] above) could not override federal and state workplace laws. The applicant referred to the Victorian Information Privacy Principles, and to APP 5, the latter of which had the effect that the employer was required to notify the applicant of certain matters upon collecting personal information.

(h)    Moreover, the applicant stated that he disputed that the policies were in existence during the term of his employment. The applicant stated that he had provided evidence to the delegate in this regard, which he claimed the delegate did not consider. The applicant then referred again to the evidence upon which he relied to support his claims about the authenticity of the documents that the employer had provided to the delegate, the main points of which were as follows –

(i)    when he commenced employment in 2014, he was not provided with copies of any of the policies;

(ii)    the Employee Handbook was not in existence during the term of his employment;

(iii)    the copy of the Employee Handbook which the employer had provided to the delegate contained no acknowledgment of receipt by the applicant for which provision was made in the document, and nor had the employer produced any other evidence, such as a covering email, that the Employee Handbook had been given to the applicant;

(iv)    the Employee Handbook had been copied from that of another organisation, Calibre Workforce in Geelong, and had been developed in March 2018, and the applicant provided a download link to the Calibre Workforce document;

(v)    when he was employed by the employer as Commercial Manager, part of his purview was IT, and he was not aware of the existence of the IT and Computer Policy, and it was never provided to any new employees during their induction process;

(vi)    the applicant was a senior manager of the employer during his period of employment, and he stated that no privacy policy was developed or implemented during his time;

(vii)    the applicant would not have stored his personal information on his company laptop if he had known that the employer had a privacy policy that permitted the employer to monitor that information; and

(viii)    the applicant claimed that the delegate was too eager to dismiss his complaint, doing so on flawed bases, suggesting that the Commissioner did not have sufficient resources to dedicate to resolving cases.

(i)    In relation to the delegate’s conclusions concerning whether there was a contravention of the APPs that were identified, the applicant provided his responses –

(i)    As to APP 12, the applicant reminded the delegate that he had stated in his email of 15 August 2021 that he did not have a backup of the data related to the email account which the employer did not return to him. The applicant also referred to a telephone conversation that he had with the delegate on 2 September 2021 in which he stated to the delegate that for that particular email server, once the emails were received they were automatically deleted from the server, and that the copies on the laptop were his only copies. The applicant also pointed to discrepancies in the employer’s claim that the information was available to the applicant via the cloud, questioning how the employer could know, and challenging the employer’s claim that it could not hand over what was only 4GB of data on a USB device in circumstances where the information before the delegate showed that the employer had handed over a set of data comprising 5GB on one USB device. The applicant reinforced his claim that the employer had contravened APP 12 by not providing him with access to his data relating to one email account that he had requested.

(ii)    As to APP 6, the applicant challenged the delegate’s opinion that there was no evidence that the employer had accessed his personal email account. The applicant referred to the claims on which he had previously relied, namely the contents of the employer’s letter of termination dated 13 June 2019, which he claimed contained information that could only have been derived from his private emails. The applicant stated further that during a meeting that he had with the employer on 17 June 2019 the employer brought up issues that could only have been derived from documents stored in his personal iCloud account. The applicant stated that he had further evidence that the employer had accessed files in his iCloud account, being a screenshot showing that his account was being viewed from his work laptop after he had left the employer. However, he could not locate the screenshot.

(iii)    As to APP 11, the applicant reinforced his complaint that the employer had accessed his personal emails and iCloud data in contravention of its obligation to protect the information from loss. The applicant relied on the employer’s failure to return the information to him in the period between the termination of his employment in June 2019 and the theft of the laptop in May 2021. The applicant claimed in the alternative that the employer had intentionally lost the information when it chose to reformat the computer.

(j)    The applicant submitted to the delegate that the fact that the employer had lost his personal information should not lead to no consequences, and pointed to the remedies of compensation and an apology for abusing his private information. The applicant submitted that the delegate was therefore wrong to consider that any further remedy was unlikely to be achieved.

(k)    The applicant concluded by submitting to the delegate that the circumstances warranted the matter being investigated further.

The 15 September 2021 letter

18    The delegate determined to close the applicant’s complaint, stating that while he had taken the applicant’s response into account, there had not been an interference with the applicant’s privacy, and that further investigation was not warranted in the circumstances. There were a number of layers to the delegate’s reasons, as follows.

19    First, the delegate maintained his view that the information on the applicant’s laptop computer was an employee record, and was therefore subject to the exemption in s 7B(3) of the Act. This was essentially because the data were entered by the applicant onto his laptop computer which was subject to monitoring in accordance with the employer’s policy. In support of that view, the delegate stated that he found that the information such as the passwords that the applicant voluntarily saved onto the laptop computer was an unsolicited collection of the information by the employer which was required to be monitored in accordance with the employer’s policy. For this reason, the delegate considered that the data comprising the applicant’s passwords were an “employee record”. The delegate considered that the employer’s actions in handling the applicant’s personal information contained in the work laptop computer that was provided to him was: (a) directly related to the applicant’s employment relationship with the employer at the time; and (b) directly related to the employee records relating to the applicant. For this reason, the delegate considered that the employer’s acts and practices were not subject to the APPs in the Privacy Act.

20    Second, as to the applicant’s passwords, the delegate was not satisfied that they amounted to “personal information” as defined by the Act. That was because it was not clear in what form they appeared in the records, or whether they were information “about you”. The delegate stated that there was no evidence other than the applicant’s assertion that the passwords were saved in a particular format that amounted to information “about you”.

21    Third, the delegate acknowledged the applicant’s claims that the employer’s IT policies did not exist at the time of his employment. In relation to the employer’s Computing and Communication policy dated 23 July 2013, which the applicant disputed, the delegate stated that even if he were to accept that the applicant did not agree to that policy, he was of the view that a reasonable person would assume that there would be a distinction made by an employer between appropriate and inappropriate use of IT systems and computer equipment during the course of one’s employment, and that the use of the equipment would be monitored.

22    Fourth, in any event, the delegate was not satisfied that the employer had in fact breached the relevant APPs –

(1)    APP 6: as to the claimed breach of APP 6, the delegate was not satisfied on the evidence that there had been a breach. The delegate did not consider that the employer’s letter of 13 June 2019 on which the applicant relied (see [6(g)] above) indicated that the employer had used the applicant’s passwords. And the delegate did not place weight on other evidence on which the applicant relied, such as the inference that he contended arose from the fact that the employer could only have become aware of certain information if it had accessed the applicant’s personal emails and accounts using his passwords, stating that the employer had argued it did not. Nor did the delegate place weight on a screenshot of an access log to the applicant’s iCloud account on which the applicant relied but could not locate (see [17(i)(ii)] above).

(2)    APP 11: the delegate maintained his view that that for the reasons set out in his letter of 3 September 2021 (see [16] above) there had been no interference with the applicant’s privacy as defined by the Act.

(3)    APP 12: the delegate did not resolve the competing submissions in relation to the applicant’s claim that the employer did not hand over all of his data when he requested it. The delegate stated that there was no evidence as to what was held by the employer and what was not held, other than opposing claims by each party, noting also that the employer claimed that the data on the laptop computer had been deleted and was subsequently the subject of a report by the employer to the police as being stolen. The key passages in the delegate’s decision letter on this issue were as follows –

The respondent has provided you with the information it held at the time of your request, based on evidence of files sent to you by post. You acknowledged that you had received this information, with the exception of one file.

The respondent advises that it did not hold this file but suggests you can access material contained within the file via the cloud, while you advise that you cannot, and question why the respondent may know this.

In any regard, there is no evidence as to what was held and what was not held, other than opposing claims by each party. While I respect that it would make little sense for you to pursue this complaint without a reasonable belief that the respondent held your information as claimed, the respondent has advised that it in accordance with its policy, it has deleted all information it held on the work computer, which has since been reported stolen to police.

There is no new evidence that the respondent holds your information at this time, or that there has been a breach of APP 12. As such, my view remains as set out in my letter of 3 September 2021. I find there is no interference with your privacy, as defined by the Privacy Act.

23    Fifth, the delegate affirmed his view that an investigation was not warranted, stating that for the reasons set out in the letter and in the earlier letter of 3 September 2021 the applicant’s complaint had little prospect of further practical or satisfactory resolution, and that it would be an inefficient and unproductive use of the Commissioner’s resources and powers to investigate the complaint further.

The grounds of the application

24    By his originating application, the applicant advanced five grounds of review, which were accompanied by particulars. The fourth and the fifth grounds, which allege fraud, will be considered together. The applicant’s particulars, which were contained in a separate document, included a sixth ground, claiming that the Commissioner’s decision was unreasonable for the purposes of s 5(2)(g) of the ADJR Act. However, this claim was not developed by the applicant in written or oral submissions, and during the course of the hearing the applicant clarified that he did not seek to advance it.

Ground 1 – breach of the rules of natural justice

25    Section 5(1)(a) of the ADJR Act provides, as a ground of review, a breach of the rules of natural justice in connection with the making of the decision. There are conventionally two limbs to the rules of natural justice, or procedural fairness as it is now more commonly labelled. The first is the right to be heard, and the second is to have a decision made free of bias: see, Plaintiff S157/2002 v Commonwealth of Australia [2003] HCA 2; 211 CLR 476 at [25] (Gleeson CJ). There may be overlap between a failure to afford an opportunity to be heard, and a reasonable apprehension of bias on the ground of pre-judgment, because the former may give rise to the latter. Nonetheless, the two limbs give rise to different considerations. The applicant put his case to the Court on both bases.

26    In relation to the claimed breach of the rules of natural justice, the applicant relied on the following matters –

(1)    The applicant challenged the delegate’s reliance upon the policy documents provided to the respondent by the employer, the authenticity of which he disputed. The applicant claimed that he had provided evidence to the delegate that the documents were fraudulent. The applicant submitted that the delegate did not “require[e] the employer to prove the validity of the documents, or investigat[e] the discrepancies highlighted”.

(2)    The applicant submitted that the delegate had chosen not to accept his evidence in relation to the employer’s alleged contravention of APP 6, regarding the use or disclosure of personal information. As I have mentioned, this evidence was said to exist as an inference which arose from the fact that the 13 June 2019 letter from the employer to the applicant disclosed information which the applicant said could only have been derived as a result of the employer accessing the applicant’s personal emails and data. The applicant said that the delegate failed to make further inquiries of the employer to determine how, if not through accessing his personal emails, the employer had come to compose the impugned parts of the 13 June 2019 letter.

(3)    In relation to the employer’s alleged breach of APP 11, regarding security of personal information, the applicant claimed that the delegate ignored the fact that the employer had lost the applicant’s personal information when the applicant’s former work laptop was stolen. The applicant said that the theft occurred some 24 months after the applicant had made a request to the employer that the personal information be returned, yet this request was ignored by the delegate with no reasonable explanation.

(4)    In relation to the employer’s alleged breach of APP 12, regarding access to personal information, the delegate accepted the employer’s evidence that the applicant could access the relevant personal information via cloud storage, which the applicant said amounted to ignoring his evidence to the contrary.

(5)    The applicant submitted that the delegate’s determination involved a misinterpretation of the “employee record” exemption in s 7B(3) of the Privacy Act, and that this also amounted to a breach of the rules of natural justice.

27    As to bias, the applicant confirmed during the hearing that he alleged apprehended bias, and not actual bias. The applicant submitted that he believed that there was bias by the delegate in not accepting evidence that he gave, and in not pursuing obvious questions that were raised, including further investigations into the applicant’s claims that challenged the authenticity of some of the documents that the employer had placed before the delegate.

Consideration of Ground 1 – breach of the rules of natural justice

28    Generally, administrative decision-makers owe a duty to afford natural justice, or procedural fairness, absent a clear legislative intention to the contrary: Minister for Immigration and Border Protection v WZARH [2015] HCA 40; 256 CLR 326 at [30] (Kiefel, Bell, and Keane JJ). No contrary legislative intention is disclosed by the Privacy Act.

29    In relation to the right to be heard, the content of the duty to provide a fair opportunity to be heard is a function of the relevant statutory regime and the context of the relevant decision-making. As Mason J stated in Kioa v West [1985] HCA 81; 159 CLR 550 at 585 –

In this respect the expression “procedural fairness” more aptly conveys the notion of a flexible obligation to adopt fair procedures which are appropriate and adapted to the circumstances of the particular case. The statutory power must be exercised fairly, that is, in accordance with procedures that are fair to the individual considered in light of the statutory requirements, the interests of the individual and the interests and purposes, whether public or private, which the statute seeks to advance or protect or permits to be taken into account as legitimate considerations.

(Citations omitted.)

30    An obligation to afford procedural fairness is therefore concerned with a fair procedure, and not with a fair outcome: SZBEL v Minister for Immigration and Multicultural and Indigenous Affairs [2006] HCA 63; 228 CLR 152 at [25] (Gleeson CJ, Kirby, Hayne, Callinan and Heydon JJ). What is involved includes a general requirement to give a person who is the subject of a decision the opportunity to put information and submissions to the decision-maker in support of an outcome that supports his or her interests, including “to rebut or qualify … adverse material from other sources which is put before the decision maker”: Commissioner for Australian Capital Territory Revenue v Alphaone Pty Ltd [1994] FCA 293; 49 FCR 576 at 591–2, cited with evident approval in SZBEL at [29] and in BRF038 v Republic of Nauru [2017] HCA 44; 349 ALR 67 at [59] (Keane, Nettle and Edelman JJ). Further, the concept of fairness is grounded in practical justice, as explained by Gleeson CJ in Re Minister for Immigration and Multicultural Affairs; Ex parte Lam [2003] HCA 6; 214 CLR 1 at [37] –

Fairness is not an abstract concept. It is essentially practical. Whether one talks in terms of procedural fairness or natural justice, the concern of the law is to avoid practical injustice.

31    It became clear at the hearing that the nature of the applicant’s essential complaint, as advanced by his arguments, was that, broadly speaking, he claimed that the delegate had not properly investigated his complaint, or had not been searching enough in relation to evaluating the evidence. The applicant’s complaint, therefore, was not directed at having been denied the opportunity fairly to be heard. Rather, having been heard, he claimed that the decision of the delegate disclosed a denial of procedural fairness. The denial was said to consist in the delegate basing his decision –

(a)    on information which the applicant submitted should have been rejected because it was concocted by the employer;

(b)    on information which the applicant submitted should have been rejected because the applicant asserted that his claims should have been preferred to the employer’s claims; or

(c)    on an allegedly incorrect construction of the phrase “employee record” as that phrase appears in the Privacy Act.

32    I have referred in some detail to the course of correspondence passing between the delegate and the applicant during the course of the investigation. The delegate provided the applicant with a fair opportunity to be heard, which went so far as providing the applicant with an opportunity to respond to the delegate’s preliminary reasons. In my view, having regard to the delegate’s functions to investigate, and to determine whether an investigation should continue, the delegate afforded the applicant an ample opportunity to be heard. As Hill J stated in Enichem Anic Srl v Anti-Dumping Authority [1992] FCA 882; 39 FCR 458 at 469 (Gummow J and O’Connor J agreeing) –

Decision-making is a function of the real world. A decision-maker is not bound to investigate each avenue that may be suggested to him by a party interested. Ultimately, a decision-maker must do the best on the material available after giving interested parties the right to be heard on the question.

33    It cannot be expected that the delegate will conduct the most searching of inquiries with respect to each and every argument or allegation put by a complainant. Such a dogged search for truth would be inapposite to the function of real world administrative decision-making. This is especially so where the discretion exercised here, in respect of which it is alleged that an error has been made, is one related to whether to investigate further a complaint or, instead, to terminate that complaint.

34    The applicant has not demonstrated that the delegate failed to adopt fair processes, and has not demonstrated that the delegate did not give the applicant a full opportunity to be heard. The fact that the delegate did not weigh the information before him in a way that favoured continuation of the investigation does not indicate a failure to afford procedural fairness.

35    As to the second way in which the applicant alleged that there was a breach of the rules of natural justice, namely apprehended bias, the relevant principles are well-established. The test of apprehended bias is whether “a fair-minded lay observer might reasonably apprehend that the [decision-maker] might not bring an impartial mind to the resolution of the question the [decision-maker] is required to decide”: Ebner v The Official Trustee in Bankruptcy [2000] HCA 63; 205 CLR 337 at [6] (Gleeson CJ, McHugh, Gummow, and Hayne JJ). This test may be adapted to administrative decision-makers so as to recognise differences between the type of decision-making having regard to the relevant statutory provisions under which a decision is made, the attributes of the person upon whom the decision-making function is conferred, and the procedures to which the decision-maker is subject: see, Minister for Immigration and Multicultural Affairs v Jia Legeng [2001] HCA 17; 205 CLR 507 at [98] –[100] (Gleeson CJ and Gummow J) and [179]–[180] (Hayne J).

36    In Isbester v Knox City Council [2015] HCA 20; 255 CLR 135 at [20], Kiefel, Bell, Keane, and Nettle JJ referred to the prospective nature of the inquiry as to whether there was a reasonable apprehension of bias, and also the importance of context –

The question whether a fair-minded lay observer might reasonably apprehend a lack of impartiality with respect to the decision to be made is largely a factual one, albeit one which it is necessary to consider in the legal, statutory and factual contexts in which the decision is made.

(Emphasis added.)

37    It is clear from the emphasised words in the preceding extract that a reasonable apprehension of bias generally occurs prior to a decision-maker making the decision. See also, in a curial context, Michael Wilson & Partners v Nicholls [2011] HCA 48; 244 CLR 427 at [67]. Decision-making necessarily involves a risk that the interests of some persons affected by the decision are not preferred. It is therefore unusual for a court to find that that there has been apprehended bias merely by reference to particular findings or conclusions disclosed by the reasoning of a decision-maker. As North and Lander JJ observed in Minister for Immigration and Citizenship v SZNP [2010] FCAFC 51; 115 ALD 303 at [18] –

It is a rare case in which a Court will find that a decision maker has breached the natural justice hearing rule by exhibiting bias based simply upon the decision maker’s reasons: SBBS v Minister for Immigration and Multicultural and Indigenous Affairs (2002) 194 ALR 749 at [44]. The same is the case in relation to apprehended bias. Ordinarily a party would need to show some conduct on the behalf of the decision maker, apart from the decision maker’s expression of the decision maker’s reasons, which would indicate that the decision maker has been guilty of pre-judgment or was in any way biased.

38    On the other hand, there may be some cases, of which NADH of 2001 v Minister for Immigration and Multicultural and Indigenous Affairs [2004] FCAFC 328; 214 ALR 264 (NADH) is an example, where fact-finding has been conducted in a manner which in substantial respects is so unreasoned, or lacking rational or reasoned foundation, or plainly and ex facie wrong, that in combination with the way a hearing was conducted, a reasonable apprehension of bias arises. NADH involved a review by the Refugee Review Tribunal of the refusal of an application for a protection visa where there were features of the hearing before the Tribunal which strengthened the apprehension of bias that arose from the Tribunal’s reasons. The present case concerns a decision whether to continue an investigation. It has not been shown that the delegate’s preliminary reasons which were made available to the applicant for comment, and the subsequent decision letter possess the sort of attributes referred to by Allsop J in NADH at [115]. I do not accept that a fair-minded lay observer, aware of the role of the delegate as an administrative decision-maker determining whether or not to investigate further the applicant’s complaint, might have concluded that the delegate might not have brought an impartial mind to making that determination. As I have recounted, the delegate provided the applicant with an opportunity to make his case, to see the material put against him, and to respond to the delegate’s preliminary reasons. There was nothing in that process or in the decision itself that indicated a reasonable apprehension that the delegate might not have been impartial. The applicant’s arguments were directed to the delegate’s decision and to allegations of failure to scrutinise the evidence further. The applicant has not established that there was a breach of the rules of natural justice, and Ground 1 is therefore rejected.

Ground 3 – error of law

39    I will consider the applicant’s Ground 3 before considering Ground 2. That is because the resolution of Ground 3 will inform the consideration of Ground 2.

40    The applicant alleged that there were errors of law by the delegate, and relied on 5(1)(f) of the ADJR Act as a ground of relief. First, the applicant claimed that the delegate made an error of law regarding the interpretation of the term “employee record”, which is a term defined by s 6 of the Privacy Act. The applicant said that that alleged error meant that the delegate had not validly formed the state of satisfaction required for deciding to exercise discretions not to investigate further his complaint. The applicant submitted that the error was that the delegate had concluded that the applicant’s personal emails and other relevant data were employee records for the purposes of the Privacy Act. The applicant submitted that the Commissioner’s own literature and website suggest otherwise, citing the following passage from the Commissioner’s website –

Employers may not be able to assume that all the information they hold that relates to an individual employee would be an employee record. For example, whilst an employee’s bank details may form part of an employee record, emails an employee receives from their financial institution via their work email account may not necessarily be part of an employee record as they may not relate to the employment of the employee.

41    The applicant cited a further passage from the Commissioner’s website –

If an employer keeps a record of their monitoring then the Australian Privacy Principles may apply. For example, a CCTV video recording or a computer record of emails that doesn’t directly relate to your employment.

42    In addition, the applicant submitted that the delegate was wrong to rely on the employer’s policies regarding workplace monitoring to conclude that emails received on his private email accounts, behind password protection, fell within the definition of “employee record”. The applicant contended that “[t]he fact that the personal information the subject of this application was created outside of the employment relationship, mainly in the [a]pplicant’s home” meant that that information did not form part of an “employee record”. The applicant submitted that the relevant information was “unrelated to [his] employment relationship” with the employer. Accordingly, the applicant claimed that the delegate’s conclusion to the contrary was in error.

43    The applicant submitted that the finding that his relevant information was part of an employee record was an “erroneous classification” which formed the “basis of the Respondent’s ‘satisfaction’ ”. By this, I take the applicant to submit that the delegate’s state of satisfaction that there had been no interference with his privacy, as defined by the Act, was affected by legal error.

44    Second, as to the claimed contravention of APP 12, the applicant submitted that the delegate had made an error of law by stating in his letter of 3 September 2021 that there was a reasonable argument that the employer had complied with APP 12 (see [16(g)] above). The applicant submitted that this conclusion was incorrect in circumstances where the information could not be accessed via the cloud, because the reason for this inaccessibility, said the applicant, was the existence of a limit upon the amount of data which his email service would host. The applicant submitted that the delegate was in error in preferring the employer’s claim, which he described as “baseless”.

45    Third, the appellant submitted that the delegate had made an error of law by concluding that personal information which the applicant had saved on his work laptop computer was a collection of “unsolicited personal information” for the purposes of APP 4.

Consideration of Ground 3 – error of law

46    There are nine separate discretionary grounds in s 41(1) of the Privacy Act upon which the Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint which has been made under s 36. The Commissioner submitted that the delegate relied upon two of the discretionary grounds in s 41(1) as alternative paths to arriving at the decision not to investigate further the applicant’s complaint. Those two discretionary grounds were s 41(1)(a) and (da), which relevantly provide –

41    Commissioner may or must decide not to investigate etc. in certain circumstances

(1)    The Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that:

(a)    the act or practice is not an interference with the privacy of an individual; or

…

(da)    an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances; or

…

47    The discretion to terminate an investigation is to be considered in the context of the Commissioner’s powers should an investigation continue to completion. Those powers are contained in s 52 of the Act and include the power to make a determination dismissing the complaint, and the power to find that a complaint is substantiated and to make a determination that includes one or more declarations, which include –

(a)    that the respondent has engaged in conduct constituting an interference with the privacy of an individual and must not repeat nor continue such conduct: s 52(1)(b)(i)(B);

(b)    that the respondent take specified steps within a specified period so that the conduct the subject of the complaint is not repeated: s 52(1)(b)(ia);

(c)    that the respondent perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant: s 52(1)(b)(ii);

(d)    that the respondent is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint: s 52(1)(b)(iii); and

(e)    that it would be inappropriate for any further action to be taken: s 52(1)(b)(iv).

48    Therefore, even where an individual’s complaint is found to have been substantiated, the Commissioner may determine that no further action be taken in a matter. As I mentioned at the outset, under s 55A of the Act a complainant or the Commissioner may bring proceedings to enforce a determination of the Commissioner.

49    The ground in s 41(1)(da) of the Privacy Act upon which the Commissioner may decide not to investigate a complaint further is broad, permitting the Commissioner not to investigate further where satisfied that further investigation is not warranted having regard to all the circumstances: see, Rana v Australian Information Commissioner [2022] FCA 817 at [58] (Banks-Smith J), the appeal from which was dismissed in Rana v Australian Information Commissioner [2023] FCAFC 17. Paragraph 41(1)(da) was not a part of s 41 as originally enacted. It was inserted by Item 85 of Sch 4 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), and commenced on 12 March 2014. The Minister’s second reading speech in support of the Bill which became the 2012 amending Act, referred to the recommendations of the Australian Law Reform Commission in ALRC Report 108 that was titled For Your Information Report: Australian Privacy Law and Practice. The new ground in s 41(1)(da) of the Act reflected recommendation 49-1 in the report. In support of the recommendation the ALRC referred at [49.10]-[49.13] to the tension that existed in striking a balance between systemic issues and issues that have no implications beyond the immediate actions and rights of the parties to a complaint. At [49.11] of the report the ALRC stated –

A compromise needs to be made between addressing individual complaints and addressing systemic issues. The compromise recommended by the ALRC is to give the Commissioner more discretion not to investigate individual complaints in certain circumstances. First, the Commissioner should be given a discretion not to investigate an act or practice if he or she is satisfied that an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances. This discretion would enable the Commissioner to dismiss trivial complaints, or complaints that have no prospect of a practical or satisfactory resolution. …

50    The scope of s 41(1)(da) of the Privacy Act starts with its text, while at the same time having regard to its context and purpose. Context should be regarded at the first stage and not at some later stage and it should be regarded in its widest sense: SZTAL v Minister for Immigration and Border Protection [2017] HCA 34; 262 CLR 362 at [14] (Kiefel CJ, Nettle, Gordon and Edelman JJ). Here, the extrinsic material in the form of ALRC Report 108 is part of that context. As I remarked at the outset, the Privacy Act does not create a directly-enforceable action by individuals for the infringement of privacy. The Act provides for a means of complaining about an alleged interference with privacy. The role of the Commissioner is as an administrative gatekeeper of complaints about interferences with privacy. The Commissioner has powers of investigation, but a discretion on a number of grounds not to investigate, or not to investigate further. The powers of investigation include powers to obtain information and documents, the power to hold a hearing, the power to conduct a compulsory conference, and the power to examine witnesses: ss 43-45. However, unlike a court, the Commissioner has no duty to adjudicate rights: the statutory powers of investigation are tempered by the discretion to terminate the investigation.

51    The words of s 41(1)(da) must therefore be construed in light of the gatekeeping role given to the Commissioner. There is nothing in the text, structure, or purpose of the Act that detracts from giving s 41(1)(da) the broad meaning that the text of the provision bears on its face. The factors upon which the Commissioner may rely in reaching the state of satisfaction provided for by s 41(1)(da) are therefore wide, and it is axiomatic that the weight to be ascribed to such factors is a matter for the Commissioner. For present purposes, it is sufficient to say that I consider that the words “having regard to all the circumstances” in s 41(1)(da) are broad enough to entitle the Commissioner to take into account –

(a)    the strength of the evidence concerning a claimed interference with privacy advanced by the applicant in his s 36 complaint;

(b)    the weight to be given to any legal arguments;

(c)    the practical utility of pursuing an investigation; and

(d)    the efficient allocation of the Commissioner’s resources and powers.

52    I turn now to the delegate’s decision, which invoked satisfaction as to the matter referred to in s 41(1)(da) as one of the grounds on which to terminate the investigation. The delegate’s decision letter of 15 September 2021 stated that for the reasons set out in that letter and in the letter of 3 September 2021 the delegate was satisfied that an investigation was not warranted having regard to all the circumstances. As I have indicated, there were a number of layers to the circumstances to which the delegate referred which are set out at [16(k)] above. I summarised the delegate’s reasons for his decision at [19]-[23] above. It is important to recognise that the delegate was not obliged to make findings, because he was not engaged in a process that involved the adjudication of rights, but only an administrative decision whether to continue to investigate. It is also important not to read too much complexity into the delegate’s reasons for deciding not to continue the investigation, and not to scrutinise the delegate’s reasons in an over-zealous manner with any eye keenly attuned to the detection of error: Minister for Immigration and Ethnic Affairs v Wu Shan Liang [1996] HCA 6; 185 CLR 259 at 272 (Brennan CJ, Toohey, McHugh and Gummow JJ).

53    Simply put, there were two types of data that the applicant claimed had been the subject of breaches by the employer of the relevant APPs: (1) his personal emails that had been downloaded from the email server and saved onto his work laptop computer copies of which the applicant sought to have returned to him; and (2) passwords that he had saved on the work computer for personal email and personal cloud-based file services that the applicant claimed that the employer had used to obtain access to his private data. In relation to the first type of data, the delegate was not able to prefer the applicant’s claims over the respondent’s opposing claims. I set out the relevant passages from the delegate’s reasons at [22(3)] above. As such, the delegate was not satisfied, relevantly, that there had been a breach of APP 12, expressing the view that there were reasonable arguments that there had been no breach. In relation to the second type of data, namely the passwords, the delegate was not satisfied that the employer had used the passwords. I summarised the delegate’s reasons at [22(1)] above. These findings did not turn on whether the employee record exception in the Privacy Act applied, and the delegate’s reasons were not dependent upon that conclusion. That was because –

(a)    even if the employee records exception did not apply, the delegate considered that there were reasonable arguments that the employer had not breached APP 6, APP 11 or APP 12;

(b)    the employer no longer held the personal information that the applicant had requested, so any further remedy on that claim was unlikely to be achieved;

(c)    there was no evidence to support further investigation of the claims of breach of APP 6 and APP 11; and

(d)    an investigation was unlikely to elicit any further information or remedies.

54    No reviewable error of law in the delegate relying on the above matters so as to form his state of satisfaction for the purposes of s 41(1)(da) has been shown.

The employee record exemption

55    For the above reasons, no error of law alleged by the applicant in relation to the delegate’s opinion that the “employee record” exemption was engaged was material to the legality of the delegate’s decision. It is therefore unnecessary that I consider the applicant’s arguments in relation to the proper construction of the term “employee record”, and whether the delegate acted on a misunderstanding of that term, as the resolution of those issues is not relevant to my path of reasoning.

The APP 12 argument

56    The applicant’s second argument in respect of Ground 3 was that the delegate had erred in concluding that there was a reasonable argument that the employer had complied with APP 12. I summarised this second argument at [44] above. I do not accept that this is an error of law, or that there is any substance to the argument. The delegate’s opinion in his letter of 3 September 2021 that there was a “reasonable argument” that the employer had complied with APP 12, which was confirmed in the decision letter of 15 September 2021, was an appraisal of the weight of the factual material before the delegate. It is not for the Court to substitute its own appraisal. That is even more so where, as I have noted, the decision of the delegate is not one which determines rights as between the parties but is a decision about whether to investigate further a particular complaint. The applicant’s APP 12 argument does not allege an error of law, and must fail at the threshold.

The “unsolicited personal information” argument

57    The applicant’s third argument in respect of Ground 3 was that the delegate had made an error of law by concluding that personal information which the applicant had saved on his work laptop computer was a collection of “unsolicited personal information” for the purposes of APP 4. The delegate did not make express reference to APP 4 in either the 3 September 2021 or the 15 September 2021 letter. Nor did the delegate use the phrase “unsolicited personal information”, which appears in the text of APP 4. Instead, the delegate used the phrase “unsolicited collection”. However, I am prepared to accept that the delegate alluded to APP 4 by use of that phrase, because APP 4 variously employs the word “collected” and therefore invokes the notion of “collection”. The delegate referred to “unsolicited collection” in relation to personal passwords which the applicant claimed to have saved on his laptop computer. I referred to the delegate’s consideration of this issue in the 15 September 2021 decision letter at [20] above. The delegate invoked the unsolicited collection of information to buttress his conclusion that the applicant’s passwords, if stored on his former work computer, fell within the meaning of the “employee record” exemption which, as I have explained, was only an alternative and not a necessary element of the delegate’s path of reasoning.

58    Further, the delegate later concluded that the applicant’s complaint had little prospect of further or satisfactory resolution and that further investigation would be an inefficient and unproductive use of the Commissioner’s resources and powers, supporting his state of satisfaction that further investigation of the complaint was not warranted having regard to all the circumstances. All this was an independent and logically sufficient path of reasoning for the conclusion of the delegate not to investigate further, and therefore any claimed error of law in the delegate’s consideration of what was “unsolicited personal information” for the purposes of APP 4 was not material.

59    For the above reasons, Ground 3 is rejected.

Ground 2 – failure to take into account a relevant consideration, or taking into account an irrelevant consideration

60    The applicant based his second ground of review on s 5(1)(e) and s 5(2)(b) of the ADJR Act. The applicant’s particulars to Ground 2 were as follows –

34.    According to the Respondent,

“The Privacy Act 1988 doesn’t specifically cover surveillance in the workplace. However, an employer who conducts surveillance or monitors staff must follow any relevant Australian, state or territory laws”.

35.    The Respondent took as authority the employer’s monitoring policy, as a basis of their Decision.

36.    The Respondent did not take into consideration whether the monitoring policy followed the relevant Australian or state laws.

61    The applicant’s submissions extended beyond these particulars. First, the applicant claimed that the delegate did not take into account the Surveillance Devices Act 1999 (Vic), which the applicant claimed prohibited the surveillance of “private activity”. The applicant submitted that his personal emails and iCloud data were created mainly in the privacy of his home, with a reasonable expectation that they would not be monitored. The applicant had made these claims in his letter to the delegate of 5 September 2021. The applicant submitted that the delegate did not take into account that the entry of his data was “private activity” when considering the effect of the employer’s computing policy. In this context, the applicant claimed that the delegate had failed to take into account whether the employer’s policies were valid given the relevant State legislation, and made reference to the Victorian Information Privacy Principles, which are contained in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic). The applicant had also alluded to these principles in his letter to the delegate of 5 September 2021. All these submissions were coupled with the applicant’s submission that the policies produced by the employer were fraudulent, which I will address separately under Grounds 4 and 5.

62    The applicant advanced a second argument in support of Ground 2, claiming that the delegate had failed to take account of the requirements of APP 4. The applicant –

(a)    noted the delegate’s conclusion that the personal information, which the applicant had saved so as to be accessible via his former work laptop, constituted an “unsolicited collection” of personal information by the employer and that that collection occurred at the moment that the information was saved by the applicant on the laptop;

(b)    alleged that the delegate failed to consider whether, for the purposes of APP 4.1, the employer had determined “within a reasonable period after receiving the information … whether the personal information could have been collected … under APP 3”;

(c)    noted the obligation to “destroy the information or ensure that the information is de-identified”, in APP 4.3, if it were to be determined that the employer could not have collected the personal information within the scope of APP 3;

(d)    alleged that his personal information had been stored on the laptop computer over some five years and that the employer had not destroyed nor de-identified that information and that the employer must therefore have concluded that it was entitled to collect the personal information pursuant to APP 3; and

(e)    said that if the employer had come to the conclusion just outlined, then the terms of APP 4.4 made it such that APPs 5 through 13 applied in relation to the personal information.

63    The applicant submitted that the matters referred to above were relevant considerations that the delegate failed to take into account. At the hearing, the applicant developed this argument and appeared to submit that the delegate had failed to consider a claimed lack of evidence as to the employer’s compliance with APP 4.

64    A third argument was raised by the applicant at the hearing in relation to Ground 2. That argument was that the delegate had failed to take into account that the applicant sought, by way of remedy, compensation in relation to the employer’s treatment of his personal information. The applicant submitted that his complaint before the delegate was not limited to seeking the return of, or access to, his personal information.

Consideration of Ground 2 – failure to take into account a relevant consideration or the taking into account of an irrelevant consideration

65    A claim under s 5(1)(e) and (2)(a) and (b) of the ADJR Act that the making of a decision under an enactment was an improper exercise of power on the ground that a relevant consideration was not taken into account involves establishing that the decision-maker was bound by the statute to take the matter into account. This can arise as a result of the express terms of the statute, or by necessary implication. Conversely, a challenge on the ground that an irrelevant consideration was taken into account involves establishing that the decision-maker was precluded from taking the matter into account. Judicial review on these grounds is not an invitation to a court to take account of different considerations, or to place more weight on or no weight on considerations that were taken into account. The principles were discussed by Mason J in Minister for Aboriginal Affairs v Peko-Wallsend Ltd [1986] HCA 40; 162 CLR 24 at 39-40 and by Gleeson CJ in Neat Domestic Trading Pty Ltd v AWB Ltd [2003] HCA 35; 216 CLR 277 at [20]. The ground of satisfaction in s 41(1)(da) of the Privacy Act upon which the Commissioner may decide to terminate an investigation is broad, as I have indicated above.

66    In relation to the applicant’s reliance on the Victorian Surveillance Devices Act and Privacy and Data Protection Act, it is not at all clear how this legislation could be relevant to delegate’s investigation of claimed breaches of the APPs under the Commonwealth legislation, still less how the State legislation constituted considerations that the Commissioner was bound to take into account. The applicant did not develop any argument that pointed to their relevance. The Surveillance Devices Act contains provisions concerning listening devices, optical surveillance devices, tracking devices, and the use of data surveillance devices by law enforcement officers. The applicant did not point to any provision of the Surveillance Devices Act that would be applicable to an employer’s use of data stored by an employee on a computer owned by the employer. As for the Privacy and Data Protection Act, that Act and the Information Privacy Principles to which it gives effect are concerned with public sector organisations, as s 13 of the Act provides and as other provisions of that Act indicate. Moreover, there was no express or implied requirement of the Privacy Act that the Commissioner was bound to take account of State legislation in determining whether to terminate the investigation of the claimed breaches of the APPs. And there was no coherence about the applicant’s claims to the delegate about the State legislation that required the delegate to give them any attention in his reasons for determining not to continue the investigation further.

67    As to the applicant’s second argument, concerning the employer’s compliance with APP 4, this was not raised by the applicant in his correspondence with the delegate such that it required consideration. Further, it was not material to the delegate’s path of reasoning that gave rise to the state of satisfaction that engaged s 41(1)(da) of the Privacy Act. The relevance of the unsolicited collection by the employer of information that the appellant had saved on his laptop computer was to the delegate’s conclusion that the employee record exemption applied. The delegate’s satisfaction that s 41(1)(da) was engaged was an independent and alternative path of reasoning.

68    As to the applicant’s third argument in support of Ground 2, namely that the delegate had failed to take into account that the applicant sought compensation as a remedy against the employer in relation to the employer’s alleged treatment of the applicant’s personal information, I do not accept this argument. The applicant’s letter to the delegate dated 6 September 2021 referred to the possibility that remedies available to the applicant could include compensation and an apology. A declaration that a complainant is entitled to a specified amount by way of compensation for any loss or damage suffered is amongst the determinations that the Commissioner is empowered to make under s 52(1)(b)(iii) of the Act. There is no express provision by which the Commissioner can declare that an apology should be made. The delegate’s decision letter of 15 September 2021 stated that he had taken the applicant’s response in his letter of 6 September 2021 into consideration. On the hypothesis that the delegate was required to take account of the whole of the applicant’s response, it does not follow that every individual matter raised was a mandatory relevant consideration that required separate consideration by the delegate in his reasons. Nor does the failure to address specifically every argument necessarily support an inference that the argument was not considered: Applicant WAEE v Minister for Immigration and Multicultural and Indigenous Affairs [2003] FCAFC 184; 236 FCR 593 at [46] (French, Sackville and Hely JJ); Steed v Minister for Immigration and Ethnic Affairs [1981] FCA 197; 37 ALR 620 at 621 (Fox, McGregor and Morling JJ). In this case, it was not mandatory for the delegate to give separate consideration to the possible remedies open to the applicant should an investigation result in the complaint being substantiated. That was because the question of remedies was subsumed by the delegate’s view that he was not satisfied that there had been a contravention of the relevant privacy principles such as to warrant the continuation of the investigation. Upon that state of satisfaction being reached, no occasion arose to consider whether the applicant had suffered any loss or damage, or whether he was entitled to an apology assuming, without deciding, that this was within the powers of the Commissioner to compel.

Grounds 4 and 5 – fraud

69    The applicant’s fourth and fifth grounds were based on s 5(1)(g) of the ADJR Act. Essentially, the applicant claimed that materials provided to the delegate by the employer had been concocted and were therefore fraudulent. These materials were the Employee Handbook, the Privacy Policy, and the Computing and Communication Policy to which I referred earlier, the authenticity of which the applicant disputed. Insofar as the delegate based his decision not to investigate further the applicant’s complaint on that evidence, the applicant submitted that the delegate’s decision was induced or affected by fraud.

Consideration of Grounds 4 and 5 – fraud

70    An administrative decision may be affected by jurisdictional error where the decision-maker exercises powers fraudulently, and where a decision-maker is defrauded in the exercise of statutory powers: Minister For Home Affairs v DUA16 [2020] HCA 46; 271 CLR 550 at [15] (Kiefel CJ, Bell, Keane, Gordon and Edelman JJ). A ground of this type requires a focus upon the manner in which the fraud adversely affected the exercise of the relevant statutory powers. Section 5(1)(g) of the ADJR Act provides for a statutory ground of review on the ground that “the decision was induced or affected by fraud”. Fraud, for the purposes of s 5(1)(g), involves a deliberate misrepresentation: Burragubba v Queensland [2017] FCAFC 133; 254 FCR 175 at [27], [29] (Dowsett, McKerracher and Robertson JJ). In the case of third party fraud on a decision-maker, what is required to make out the ground is that there be actual inducement or affectation by fraud: Wati v Minister for Immigration and Ethnic Affairs [1996] FCA 1043; 71 FCR 103 at 111-112 (Lindgren J), cited in SZFDE v Minister for Immigration and Citizenship [2007] HCA 35; 232 CLR 189 at [25]-[26], concerning the cognate provision in s 476(1)(f) of the Migration Act 1958 (Cth), as then in force.

71    I make no findings as to whether the documents presented to the delegate by the employer had been concocted. For one thing, for the purposes of s 140(2) of the Evidence Act 1995 (Cth) that would require a degree of satisfaction commensurate with the principles essayed in Briginshaw v Briginshaw [1938] HCA 34; 60 CLR 336 at 362-363 (Dixon J). Second, the employer is not a party to this proceeding, and in the circumstances if I thought such a finding was necessary and on the cards, I would not entertain making such a finding without giving it an opportunity to be heard. Moreover, it is unnecessary that I make any finding as to whether the employer deliberately concocted documents for the purpose of misrepresenting its position to the delegate. That is because the documents were not a necessary element of the delegate’s decision and therefore there was no actual inducement or affectation by fraud. The only policy of the employer on which the delegate relied in his 15 September 2021 decision letter was the Computing and Communication Policy. However, the delegate acknowledged the applicant’s claims that some of the documents did not exist, and in relation to the Computing and Communication Policy there was an alternative path of reasoning that even if the applicant did not agree to that policy, a reasonable person would assume that use of computer systems would be monitored, and that inappropriate use would reflect on the applicant’s performance and conduct (see [21] above).

Conclusion

72    The application will be dismissed.

Associate:

Dated:    24 November 2023