Administrative Appeals Tribunal of Australia

HYYL and Privacy Commissioner [2023] AATA 2961 (13 September 2023)

Last Updated: 15 September 2023

Division: Freedom of Information Division

File Number(s): 2021/1143

Re: HYYL

APPLICANT

And WP

APPLICANT

And Privacy Commissioner

RESPONDENT

And Secretary, Department of Home Affairs

JOINED PARTY

DECISION

Tribunal: Justice Melissa Perry, Deputy President

Date: 13 September 2023

Place: Sydney

The Tribunal orders that:

  1. Pursuant to s 43(1)(a) of the Administrative Appeals Tribunal Act 1975 (Cth), Declaration 4 of the Determination made by the respondent on 11 January 2021 (the Determination) is set aside and the following is made in its place:

The members of the class who:

(a) did not provide a submission and/or evidence to the Office of the Australian Information Commissioner (OAIC) within the timeframe specified by the OAIC, and who did not opt out; and

(b) do not provide a reasonable explanation for not making submissions or providing evidence in response to the January 2018 OAIC notice within 3 months of the publication of a notice by the scheme administrator as described in Annexure A;

have not substantiated that they have suffered loss or damage as a result of the conduct constituting an interference with the privacy of class members and subject of this Determination (the data breach). Pursuant to s 52(1)(b)(iv) of the Privacy Act 1988 (Cth), the Tribunal declares that it would be inappropriate for any further action to be taken in relation to those individuals.

  2. Pursuant to s 43(1)(c) of the Administrative Appeals Tribunal Act 1975 (Cth), Declarations 2 and 3 of the Determination are set aside and the following are made in their place:

Each of the participating class members, being:

(a) the 1,295 class members who made submissions and/or provided evidence of loss or damage to the OAIC within the timeframe specified by the OAIC, and who did not opt out; and

(b) the class members who establish, within the timeframe prescribed in order 1 above, that they have a reasonable explanation for not responding to the January 2018 OAIC notice and make submissions and/or provide evidence of loss or damage;

is to be paid an amount of compensation worked out in the manner specified in Annexure A to these orders.

  3. Pursuant to ss 52(4) and/or 52(5) of the Privacy Act 1988 (Cth), the Department of Home Affairs is to pay:

(a) the costs of the expert determination process described in Annexure A;

(b) the costs of translating communications relating to the assessment of compensation for loss and damage arising from the data breach;

(c) the costs of interpretation/translation services relating to the provision of evidence by those participating class members without a written language and communications with that cohort of class members relating to the assessment of compensation for loss and damage arising from the data breach; and

(d) for assessments conducted under the compensation assessment scheme described in Annexure A, up to $500 to each participating class member to obtain assistance from a legal practitioner to prepare the participating class member’s evidence or submissions for provision to an expert assessor (to be paid on the participating class member’s provision of an invoice from the legal practitioner).

  4. There be liberty to apply to the Tribunal on the basis that the Compensation Assessment Scheme in Annexure A hereto has become incapable of effective implementation in whole or in part.

Annexure A: Compensation Assessment Scheme

  1. Under s 38B(3) of the Privacy Act 1988 (Cth), within 28 days of the appointment of the scheme administrator (as to which, see clause 6(a) below), the scheme administrator is to publish a notice inviting:
(a) the 1,295 class members who made submissions and/or provided evidence of loss or damage to the OAIC within the timeframe specified by the OAIC and who did not opt out (the existing participating class members), to make submissions or submit updated and/or supplementary submissions, and/or evidence of loss or damage to the scheme administrator; and

(b) class members who did not make submissions or provide evidence of loss or damage to the OAIC within the timeframe specified by the OAIC, and who did not opt out (non-participating class members) to submit an application to participate in the compensation scheme described below (the scheme).

  2. The notice referred to in clause 1 above is, among other things, to:
(a) be expressed in plain English in a manner intended to facilitate translation to other languages after consultation with one or more qualified and experienced translators;

(b) explain the scheme and relevant timeframes;

(c) give examples of compensable loss and damage, including explaining that non-economic loss for which compensation may be paid includes (but is not limited to) consequences such as fear, distress, anxiousness, loss of sleep, headaches, and mental illness;

(d) give examples of the kinds of evidence which a class member might provide in support of a claim for economic and/or non-economic loss or damage such as a statutory declaration from the class member explaining the impact of the data breach upon them, statutory declarations from family and friends explaining their observations as to the impact of the data breach upon the class member, financial documents supporting any claim of economic loss, and reports from relevant medical practitioners;

(e) explain that verbal evidence with the assistance of a qualified interpreter (if required) may be taken by the scheme administrator upon request by the class member if the class member does not possess the necessary written language skills; and

(f) explain the consequences if the invitation pursuant to clauses 1(a) or (b) above is not taken up by the class member.

  3. Any existing participating class member who wishes to make submissions or provide updated and/or supplementary submissions, and/or evidence of loss or damage pursuant to clause 1(a) above is to do so within a period of 3 months of the publication of the notice, unless the existing participating class member requests an extension of time within which to do so and the scheme administrator considers that it is reasonable to allow the existing participating class member an extension of time.
  4. Any non-participating class member who wishes to participate in the scheme must submit an application to the scheme administrator within 3 months of the publication of the notice, including:

(a) an explanation as to why the non-participating class member did not make submissions or provide evidence of loss or damage to the OAIC within the timeframe specified by the OAIC; and

(b) the non-participating class member's name, date of birth, client ID and, if applicable, boat ID, to enable the Department of Home Affairs to confirm that the non-participating class member was affected by the data breach.

  5. Upon receiving confirmation from the Department of Home Affairs that a non-participating class member who has submitted an application to participate in the scheme was affected by the data breach, the scheme administrator will consider the non-participating class member's application. If the scheme administrator is satisfied that the non-participating class member has provided a reasonable explanation for not making submissions or providing evidence to the OAIC within the timeframe specified by the OAIC, the scheme administrator is to declare them to be a participating class member (see clause 6 below) who is to be paid an amount of compensation for loss or damage arising from the data breach worked out in the manner described below.
  6. Under ss 52(1)(b)(iii) and (4)(a) of the Privacy Act 1988 (Cth), the existing participating class members, as well as class members identified through the process set out in clauses 1(b), 4 and 5 above (collectively referred to as the participating class members), are to be paid an amount of compensation for loss or damage arising from the data breach worked out in the following manner:

(a) A law firm which is independent of the Secretary of the Department of Home Affairs (Other Party) and of class members will be appointed to administer the scheme (the scheme administrator) through the following process:

(i) within 14 days of the publication of the Tribunal's decision, the Department of Finance will prepare a Request for Quote (RFQ) and provide it to the applicants' solicitors for comment;

(ii) the applicants' solicitors will provide any comments on the RFQ to the Department of Finance within 14 days of receipt of the information outlined in clause 6(a)(i) above from the Department of Finance;

(iii) the Department of Finance will consider any comments received from the applicants' solicitors in accordance with clause 6(a)(ii) above in finalising the RFQ;

(iv) within 14 days of receiving any comments from the applicants' solicitors in accordance with clause 6(a)(ii) above, the Department of Finance will issue the RFQ to each of the legal services providers that:

  1. are appointed to the Whole of Australian Government Legal Services Panel in the areas of:
  1. compensation, damages and personal injury; and
  1. freedom of information, privacy and public interest disclosure; and
  1. have not represented or advised the Other Party, or the Minister for Immigration, Citizenship and Multicultural Affairs with respect to any matter arising from the data breach or in proceedings related to the grant or refusal of a visa or Australian citizenship; and
  1. have not represented or advised any class members in relation to this proceeding; and
(v) the Department of Finance will assess each response to the RFQ on a value-for-money basis, having regard to each provider's expertise and experience, and will identify a provider to act as scheme administrator.

(b) The scheme administrator:

(i) shall administer the scheme fairly, impartially, and reasonably according to its terms, with their duty owed to the Tribunal to take priority over any obligation to a participating class member; and

(ii) must not act as the solicitor for the Other Party, the Commonwealth or any class member in relation to any matter relating to the data breach.

(c) The scheme administrator shall conduct an assessment of each participating class member's submissions and/or evidence, allocate the participating class member into a non-economic loss category set out in the table at Annexure B, and identify the appropriate quantum of compensation (under the heads of economic loss and non-economic loss, where relevant) for the participating class member. For the avoidance of doubt, that quantum may be nil.

(d) On completion of the assessment for each participating class member, the scheme administrator is to provide the assessment and relevant evidence to the participating class member or their representative, and request a response from the participating class member as to whether the class member wishes to make a settlement offer to the Other Party, to be communicated by the scheme administrator. For the avoidance of doubt, the participating class member is not limited to making an offer in the proposed amount identified by the scheme administrator. If the participating class member’s settlement offer is not the same as the amount identified by the scheme administrator, the scheme administrator will provide both the settlement offer and its assessment to the Other Party.

(e) In the event that the participating class member, or their representative, fails to respond to the scheme administrator's assessment within 28 days, the scheme administrator will provide its assessment directly to the Other Party.

(f) Upon receipt of a settlement offer in writing of proposed compensation payable to the participating class member through the scheme, the Other Party may:

(i) accept the participating class member's offer, at which time the parties will enter into a settlement deed, resolving the participating class member's claim by consent; or

(ii) make a counter-offer in writing, which the Other Party will provide to the scheme administrator with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the participating class member's loss or damage.

(g) If the scheme administrator has provided its assessment directly to the Other Party in accordance with clause 6(e) above, the Other Party is to:

(i) consider the scheme administrator's assessment in the same way it would consider a settlement offer received from a participating class member or their representative; and

(ii) either accept the assessment or propose a different amount of compensation for the participating class member, with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the participating class member's loss or damage.

(h) If the Other Party makes a counter-offer in accordance with clauses 6(f)(ii) or 6(g) above, the scheme administrator will provide the Other Party's counter-offer and statement of reasons to the participating class member by email and/or registered post, and will inform the participating class member or their representative in writing as to whether it considers the Other Party's counter-offer to be reasonable. The participating class member may:

(i) accept the Other Party's counter-offer, at which time the parties will enter into a settlement deed, resolving the participating class member's claim by consent; or

(ii) request that the dispute concerning the participating class member's compensation entitlement be resolved by expert assessment. (The Tribunal notes that the Other Party has voluntarily undertaken to agree to have the participating class member’s claim resolved in this manner if the claim has not been settled by this point, meaning that the expert determination stage will be a consensual process adopted between the parties.)

(i) If the participating class member does not respond to the Other Party's counter-offer within 30 days of the counter-offer being sent by email or registered post to the participating class member or their representative, the participating class member will be taken to have agreed to the Other Party's counter-offer.

(j) If a participating class member's compensation entitlement is to be resolved by expert assessment, the scheme administrator will provide the expert with:

(i) the evidence and/or submissions provided by the participating class member to the OAIC;

(ii) the scheme administrator's assessment;

(iii) the participating class member's settlement offer to the Other Party; and

(iv) the Other Party's counter-offer, including the statement of reasons and any further information provided by the Other Party with its counter-offer.

(k) The experts to provide the assessments referred to in clauses 6(h)(ii) and (6)(j) above will be agreed upon by the Other Party and the solicitors for the applicants. Appropriately qualified counsel, with relevant skills and at least three years’ experience in legal practice in relevant areas of the law, would be suitable to appoint as an expert in accordance with Appendix D to the Legal Services Directions 2017 (Cth).

(l) The Other Party and the solicitors for the applicants may approach the respondent for assistance in resolving any dispute regarding the choice of experts or the terms of the experts' engagement.

(m) The Other Party is to pay the amount of compensation agreed between the Other Party and the participating class member, or identified by an independent expert pursuant to the process described above, within a reasonable period and to advise the scheme administrator in writing when payment to the participating class member has been made.

Annexure B: Categories of non-economic loss

| Category | Description | Quantum |
|---|---|---|
| 0 | The individual has not provided a submission and/or evidence that substantiates loss or damage resulting from the data breach. | $0 |
| 1 | Minor loss or damage resulting from the data breach (for example, general anxiousness, fear, anger, stress, worry, concern or embarrassment). | $500 - $4,000 |
| 2 | Moderate loss or damage resulting from the data breach (for example, moderate anxiousness, stress, fear, pain and suffering, distress and/or humiliation), which has caused minor physiological symptoms, such as some loss of sleep or headaches. | $4,001 - $8,000 |
| 3 | Major loss or damage resulting from the data breach (for example, major or prolonged anxiousness, stress, fear, pain and suffering, distress, humiliation, loss of sleep, and/or headaches) which has caused psychological and/or physiological harm, and has resulted in a consultation with a health practitioner. | $8,001 - $12,000 |
| 4 | Significant loss or damage resulting from the data breach (for example, the development or exacerbation of a diagnosed psychological or other medical condition), which has resulted in a prescribed course of treatment from a medical practitioner. | $12,001 - $20,000 |
| 5 | Extreme loss or damage resulting from the data breach. | > $20,000 |

[SGD]

Justice Melissa Perry, Deputy President

CATCHWORDS

HUMAN RIGHTS – privacy – data breach – where thousands of individuals in immigration detention had personal details inadvertently published online in an excel spreadsheet by the Department of Home Affairs – where majority of individuals subject to the data breach (class members) were people purporting to seek asylum in Australia – where Office of the Australian Information Commissioner (OAIC) found Department to be in breach of Information Privacy Principles 4 and 7 – where proceedings commenced under s 52 of the Privacy Act as in force at the date of the data breach – where Department issued notice to class members setting out the process by which class members who believed they had suffered loss or damage could establish their eligibility for compensation – finding that notice was inadequate and insufficiently clear to inform class members of the compensation process – finding that a new notice should be issued to class members to provide those with a reasonable explanation for not responding to the previous notice with another opportunity to participate in the compensation scheme

COMPENSATION – whether it is necessary for class members to establish that they have suffered loss or damage for the purposes of compensation under s 52 of the Privacy Act – whether there is power to award compensation merely on the assumption that class members have “objectively” experienced loss and damage as a result of the breach of privacy itself – finding that compensation requires class member to establish that they have suffered loss or damage and cannot be awarded simply by reason of the breach of the Privacy Act – finding that categories of non-economic loss are appropriate setting a range of amounts of compensation for each category save for the most extreme cases where compensation is uncapped

COMPENSATION – question of which law firm is the correct and preferable administrator of the compensation assessment scheme – whether the applicants’ lawyers (Slater & Gordon), Department’s lawyers (Clayton Utz) or an independent law firm should be scheme administrator – finding that scheme administrator should be an independent law firm with appropriate expertise in personal injury and privacy law – finding that scheme administrator should be selected by a procurement process from the Australian Government Legal Services Panel but not act for the Department or Minister for Immigration with respect to any matter arising from the data breach or in proceedings relating to visa applications and citizenship – where scheme should allow disputes over compensation assessments to be resolved by negotiation at first instance, and subsequently (if dispute is not resolved) be referred to expert determination – where Department is to pay for translation and interpretation assistance during operation of scheme

LEGISLATION

Administrative Appeals Tribunal Act 1975 (Cth) ss 30(1A), 35, 41(2), 43

Australian Human Rights Commission Act 1986 (Cth) s 46PO

Federal Court of Australia Act 1976 (Cth) Pt IVA, s 33ZF

Migration Act 1958 (Cth) ss 48A, 48B

Privacy Act 1988 (Cth) ss 14, 16, 36, 38B, 52 (compilation start date of 1 July 2013)

Privacy Act 1988 (Cth) ss 52(3A), 96

Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) Sch 6 items 14, 18

Public Governance, Performance and Accountability Act 2013 (Cth) s 15

Racial Discrimination Act 1975 (Cth)

Sex Discrimination Act 1984 (Cth)

Legal Services Directions 2017 (Cth)

Civil Liability Act 2002 (NSW)

Data Protection Act 2018 (UK)

Human Rights Act 1998 (UK)

CASES

Alcan (NT) Alumina Pty Ltd v Commissioner of Territory Revenue (NT) [2009] HCA 41; (2009) 239 CLR 27

Application 1421375 [2015] RRTA 59

Livingstone v Raywards Coal Company [1880] UKHL 3; [1880] 5 App Cas 25

Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63; (2001) 208 CLR 199

BMW Australia Ltd v Brewster [2019] HCA 45; 269 CLR 574

Campbell v MGN Ltd [2004] UKHL 22; [2004] 2 AC 457

Casey v DePuy International Ltd (No. 2) [2012] FCA 1370

Certain Lloyd’s Underwriters v Cross [2012] HCA 56; (2012) 248 CLR 378

Construction, Forestry, Maritime, Mining and Energy Union v Australian Building and Construction Commissioner (The Bay Street Appeal) [2020] FCAFC 192; (2020) 282 FCR 1

Frugtniet v Australian Securities and Investments Commission [2019] HCA 16; (2019) 266 CLR 250

Gulati v MGN [2015] EWHC 1482 (Ch)

Hall v A & A Sheiban Pty Ltd [1989] FCA 65; (1989) 20 FCR 217

Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333

March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506

Maynes v Casey [2011] NSWCA 156

Minister for Immigration and Border Protection v SZSSJ [2016] HCA 29; (2016) 259 CLR 180

NWFQ and Privacy Commissioner [2019] AATA 1302

Pharm-a-Care Laboratories Pty Ltd v Commonwealth of Australia (No 6) [2011] FCA 277

Plenty v Dillon [1991] HCA 5; (1991) 171 CLR 635

R v Australian Broadcasting Tribunal; Ex parte Hardiman [1980] HCA 13; (1980) 144 CLR 13

Richardson v Oracle [2014] FCAFC 82; (2014) 223 FCR 334

Rummery v Federal Privacy Commissioner [2004] AATA 1221; (2004) 85 ALD 368

Sands v South Australia [2013] SASC 44

Vincentia MC Pharmacy Pty Ltd v Australian Community Pharmacy Authority [2020] FCAFC 163; (2020) 280 FCR 397

Wotton v State of Queensland (No 5) [2016] FCA 1457; (2016) 157 ALD 14

SECONDARY MATERIALS

Australian Law Reform Commission’s report on Australian Privacy Law and Practice (2008)

Jason Varuhas, Damages and Human Rights (2016) Ch 2

Judicial Council on Cultural Diversity, Recommended National Standards for Working with Interpreters in Courts and Tribunals (2nd ed, 2022)

Onshore Protection Interim Procedures Advice No: 6/2015

REASONS FOR DECISION


Justice Melissa Perry, Deputy President


13 September 2023

1. INTRODUCTION

  1. These proceedings concern an application for review of a decision of the respondent, the Privacy Commissioner, made on 11 January 2021 pursuant to s 52 of the Privacy Act 1988 (Cth) (Determination). The Determination concerned a breach by the Secretary of the Department of Home Affairs (Other Party) of principles 4 and 7 of the Information Privacy Principles (IPPs) by reason of the online publication of personal information about individuals in immigration detention. The applicants and the Other Party to the proceedings both seek to set aside the Determination.
  2. The applicants, HYYL and WP, are two individuals who were affected by the data breach. By an application for review of decision to the Administrative Appeals Tribunal dated 24 February 2021, the first applicant sought a review of the Determination on behalf of all persons whose interests are affected by the Determination. This was on the basis that the respondent’s Determination was wrong and not the correct and preferable decision for three key reasons:
    (a) the respondent erred in making Declaration 4 at [3] of the Determination, namely that it was inappropriate for any further action to be taken in relation to members of the class who did not provide a submission and/or evidence to the respondent within the timeframe specified;

    (b) the quantum of compensation in Declaration 2(a) is below the quantum that ought to be awarded in all the circumstances of the case, based on outdated examples of compensation awarded, and not in keeping with the expectations of the community for breaches of privacy; and

    (c) translation assistance ought to be provided by the respondent to class members so as to enable class members requiring translation assistance to access and participate in the compensation scheme.

  3. The relief sought by the applicants is set out at [128] of the applicants’ updated Statement of Facts, Issues and Contentions (ASFIC) as follows:
    (a) that under s 43(1)(b)(i) of the Administrative Appeals Tribunal Act 1975 (Cth) (AAT Act), Declarations 2–4 of [3] of the respondent’s Determination are set aside and substituted with the following declarations;

    (b) that under s 52(4)(a) of the Privacy Act, class members who register with the scheme administrator to participate in the compensation assessment scheme within six months of the publication of the notice to class members of this decision, or who have previously made submissions or provided evidence of loss or damage to the respondent, are to be paid compensation for loss or damage arising from the publication as assessed in the manner outlined in Attachment A of the ASFIC; and

    (c) that under s 52(1)(b)(ii) and/or s 52(3A) of the Privacy Act, the Other Party, in respect of class members who made applications for protection visas and were refused (refused class members):

    (i) provide a reasonable opportunity for class members to provide further information in relation to the data breach; and

    (ii) reconsider refused class members’ applications for protection visas by way of a process directed to consideration of exercise of the power in s 48B of the Migration Act 1958 (Cth).

  4. I consider material aspects of the compensation scheme proposed by the applicants as set out in Attachment A to the ASFIC, which were ultimately pressed, in the course of considering the appropriate scheme in these reasons.
  5. On 6 April 2021, the Other Party made an application to the Tribunal under s 30(1A) of the AAT Act to be joined as a party to the review proceedings, for the reason that the (then) Department of Immigration and Border Protection would be affected if the Determination is set aside or varied. The Other Party submitted that such a decision was likely to result in an increase in the amount of compensation payable by the Department to the class members, and increase the Department’s total costs incurred. On 26 April 2021, the Tribunal was satisfied that the Department was affected by the decision under review, and made orders joining it as an ‘other party’ pursuant to s 30(1A) of the AAT Act.
  6. On 10 June 2021, the representative complainant to the respondent’s Determination made a joinder application, submitting that the complainant would be entitled to claim compensation for loss and damage suffered arising from the interference with his privacy. On 21 June 2021, the Tribunal made orders joining the representative complainant as the second applicant, WP.
  7. On 8 April 2021 and 21 June 2021, the Tribunal made pseudonym orders for the first and second applicants respectively, and their personal details were restricted from publication or disclosure, in accordance with s 35 of the AAT Act and on the basis that the applicants have previously made protection claims.
  8. On 21 June 2021, the Tribunal made consent orders for the operation and implementation of the Determination to be stayed, in accordance with s 41(2) of the AAT Act, until the decision of the Tribunal on the application for review comes into operation or until further order of the Tribunal. This decision was made on the basis that there was a real prospect that the Tribunal may make different declarations as to the compensation assessment scheme.
  9. The parties filed lengthy statements of facts, issues and contentions, which in the case of the Other Party and the respondent were helpfully amended by way of being updated prior to the hearing: the ASFIC, the respondent’s Updated Statement of Facts, Issues and Contentions (RSFIC), and the Other Party’s Further Updated Statement of Facts, Issues and Contentions (OPSFIC). The Tribunal is indebted to the parties’ legal representatives for their detailed and careful assistance, and to the parties for the making of appropriate concessions including in the course of the hearing.
  10. The applicants rely on a tender bundle of documents referred to in the ASFIC. They also rely upon the following affidavits, which were the subject of rulings as agreed by the parties or otherwise upheld by me at the hearing:
    (a) the affidavit of Andrew Paull affirmed on 28 October 2021 (Paull affidavit);

    (b) the affidavit of Sarah Dale affirmed on 27 October 2021 (Dale affidavit); and

    (c) the affidavit of Andrew Paull affirmed on 2 December 2021.

  11. The Other Party likewise relies upon a tender bundle of documents referred to in their OPSFIC and upon the following affidavit evidence, read without objections:
    (a) the affidavit of Tobias Gregg affirmed on 17 November 2021;

    (b) the affidavit of Ian Temby affirmed on 18 November 2021 (Temby affidavit);

    (c) the affidavit of Andrew Kiley affirmed on 18 November 2021;

    (d) the affidavit of Jackson Evans affirmed on 6 December 2021; and

    (e) the affidavit of Ian Temby affirmed on 12 December 2021.

  12. Mr Kiley and Mr Temby were cross-examined on their evidence.

2. BACKGROUND

2.1. The data breach

  1. On 10 February 2014, a Microsoft Word document dated 31 January 2014 entitled ‘The Immigration Detention and Community Statistics Summary’ (report) was published on the website of the Department (the data breach). The report had a Microsoft Excel spreadsheet embedded within it, which included the personal information of 9,258 individuals who were in immigration detention on 31 January 2014 (class members). The personal information included class members’ full names, gender, citizenship, date of birth, period of immigration detention, relevant detention facility, reason for detention, boat name and boat arrival details. The applicants submit that, of these 9,258 identified people, it could be inferred that the overwhelming majority were people purporting to seek asylum in Australia. The applicants, without dispute, claim that this inference could be drawn because one column of the excel spreadsheet designated a majority of class members as either an “irregular maritime arrival”, an “unauthorised maritime arrival” or an “irregular maritime arrival”. The applicants further submit that, from the published information (alongside other information), it is possible to infer that such persons were in Australia for the purpose of seeking protection from that country or those refugee-producing countries’ regimes even if some of those claims had not been accepted. I agree that this inference is appropriately drawn and do not understand this to have been in dispute.
  2. The report was publicly accessible when published on the website on 10 February 2014. On 19 February 2014 at 9.15am, the Other Party was notified about the data breach by a journalist. By 10am that same day, the Other Party removed the report from its website. Consequently, the report was available for the public to access from the Other Party’s website for approximately eight days. While on the website, the report was accessed 123 times by 104 unique Internet Protocol (IP) addresses, although it is uncertain how many of these IP addresses had accessed the spreadsheet.
  3. The Department subsequently identified that the report was also available on the Internet Archive from 11 February 2014. On 27 February 2014, the report was removed from the Internet Archive. The document was therefore accessible on the Internet Archive for a period of 16 days. It is not known how many times the report was accessed on the Internet Archive.
  4. In total, therefore, the document was publicly accessible from 10 to 27 February 2014, that being an overall period of 17 days.
  5. It follows, as the High Court held in Minister for Immigration and Border Protection v SZSSJ [2016] HCA 29; (2016) 259 CLR 180 at [4], that “On any view, the Data Breach was very serious”. Furthermore, as the High Court also held at [7], “there was obviously a risk that those in other countries from whom the applicants for protection visas claimed to fear persecution or other relevant harm might have gained access to the document containing the embedded information so as to become aware of the identities of applicants for protection visas in Australia.”

2.2. Privacy complaints in respect of the data breach

  1. On 12 March 2014, the Department wrote to all individuals who were in immigration detention on 31 January 2014 to inform them that their personal information had been inadvertently disclosed, and to express the Department's regret in “inadvertently allowing potential unauthorised access to [the individuals'] personal information”. Subsequently, the Department engaged KPMG to initiate a forensic investigation into the data breach. The focus of the investigation was directed to identifying “how access to personal information was allowed by unauthorized person/s and any recommendations to prevent this occurring again”. The investigation did not concern the consequences of the breach for affected class members.
  2. Between 21 March 2014 and 11 October 2017, 1,757 individual complaints were made under s 36 of the Privacy Act to the Office of the Australian Information Commissioner (OAIC) in relation to the data breach. On 1 November 2014, the OAIC published the results of its investigation (investigation report). The investigation report found that the Department had breached principle 4 of the IPPs by failing to put in place reasonable security safeguards to protect personal information, and principle 11 of the IPPs as the publication of the personal information was an unauthorised disclosure. Based on the Department’s remediation activities, the Department’s ongoing implementation of recommendations made by KPMG, and the Department’s intention to engage an auditor to confirm its remediation steps, the respondent closed its investigation into the data breach.
  3. On 30 August 2015, an individual formally lodged a representative complaint with the respondent. The complainant sought a declaration that the class members were entitled to an apology from the Other Party, compensation for economic and non-economic loss, and aggravated damages. The respondent attempted to resolve the representative complaint through conciliation, but was unsuccessful. On 9 February 2018, the respondent was advised that the representative complainant had passed away and, on 10 October 2018, the respondent replaced the original representative complainant with another class member, being the second applicant to this proceeding, WP.

2.3. Notification of class members and complaints procedure

  1. Across January and February 2018, upon direction by the respondent, the Other Party sent a notice to 9,086 class members whose personal information was disclosed in the data breach (the notice). Of these:
    (a) 6,084 were sent in hard copy to class members for whom the Other Party had postal address details;

    (b) 3,002 were sent electronically to class members for whom the Other Party had email contact details; and

    (c) 172 were not sent a notice, because they were marked on the Other Party’s systems as either deceased, without a known forwarding address, or without known contact details.

  2. The notice (a copy of which is reproduced at Appendix 1 to these reasons) set out the process by which class members who believed they had suffered loss or damage as a result of the data breach could establish their eligibility for compensation. Among other things, the notice advised (at [5]–‍[8]):
    Why is this notice important?

    5. In order to make a determination about the Representative Complaint, including whether any of the persons whose personal information was published in the Data Breach are entitled to compensation for any loss or damage suffered, the Commissioner needs information from you.

    6. If you were affected by the Data Breach and do not provide information of the kind described below, the Commissioner may conclude that he is not satisfied you have suffered any loss or damage as a result of the Data Breach and you may not receive compensation for the Data Breach.

    What do I need to do?

    7. If you did not suffer any loss or damage as a result of the Data Breach, you will not be entitled to compensation and you can ignore this Notice.

    8. If you believe you suffered loss or damage as a result of the Data Breach, and want the opportunity to potentially recover compensation for that loss or damage, you need to provide the Commissioner with information about your loss or damage[.]

    (Emphasis in original.)
  7. On 24 January 2018, the respondent:
    (a) published the notice on its website in English and 20 non-English languages;

    (b) published the notice in the legal notices section of The Australian newspaper; and

    (c) sent a copy of the notice to class members who had previously contacted the respondent, the representative complainant’s lawyer and asylum seeker support organisations.

  8. The deadline for providing information to the respondent for the purposes of establishing eligibility for compensation was originally stipulated to be on 19 April 2018. That deadline was subsequently extended on two occasions: first to 12 July 2018, and subsequently to 19 October 2018.
  9. The respondent continued to accept responses after the 19 October 2018 deadline from class members who:
    (a) had outstanding information requests with the Other Party as at 19 October 2018; or

    (b) had not received a response to their request for information by 10 September 2018.

Class members within these categories were granted an extension for providing responses until 40 days after the receipt of the decision on their information request, and the material the subject of that decision.
  1. On 20 December 2018, the respondent granted a further 40-day extension (i.e. up to and including 31 January 2019) to certain class members, namely those class members who needed to respond to a file released by the Department after 26 November 2018. For these class members, the final date for providing submissions was 22 April 2019. Seven class members opted out of the representative complaint process under s 38B(2) of the Privacy Act, and 6,679 class members did not respond to the notice. A total of 2,579 individuals registered their interest as class members, and provided their contact details to the respondent. Of the class members who registered, 1,297 individuals provided submissions or evidence of loss or damage to the respondent, and 1,282 did not.
  2. For those individuals who responded to the notice, but did not provide submissions on loss or damage, the Department submitted that the respondent had acknowledged receipt of each response and, where appropriate, had:
    (a) invited the class member to add to their submission if they wished;

    (b) noted that the class member had indicated that they wished to provide evidence of loss or damage but had not attached supporting information or evidence, and encouraged the class member to provide evidence;

    (c) noted that the class member had referred in their response to obtaining particular medical or other care, and invited them to provide evidence such as medical reports to assist with the class member's complaint; or

    (d) stated that to be considered a member of the class, the class member must demonstrate that they have suffered loss or damage as a result of the data breach and therefore invited them to provide evidence about the impact that the data breach had on them.

  3. Further, of the 1,297 individuals who were included in the list of individuals and provided submissions on loss or damage, the Other Party provided unchallenged evidence that:
    (a) 2 entries on the list are duplicates;

    (b) 8 individuals were not in immigration detention on 31 January 2014, and were therefore not affected by the data breach;

    (c) 1,059 individuals were affected by the data breach (participating class members); and

    (d) further identifying information is required to confirm whether 228 individuals were affected by the data breach (and therefore potentially falling within the category of participating class members).

2.4. Respondent’s Determination of the representative complaint

  1. The respondent has the power to make a determination in respect of a complaint pursuant to s 52 of the Privacy Act. That section, as in effect at the date of the data breach, relevantly provided that:
    (1) After investigating a complaint, the Commissioner may:

        (a) make a determination dismissing the complaint; or

        (b) find the complaint substantiated and make a determination that includes one or more of the following:

            (i) a declaration:

                (A) where the principal executive of an agency is the respondent—that the agency has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct; or

                (B) in any other case—that the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct;

            (ii) a declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;

            (iii) a declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint;

            (iv) a declaration that it would be inappropriate for any further action to be taken in the matter.

    ...

    (4) A determination by the Commissioner under subparagraph (1)(b)(iii) on a representative complaint:

        (a) may provide for payment of specified amounts or of amounts worked out in a manner specified by the Commissioner; and

        (b) if the Commissioner provides for payment in accordance with paragraph (a), must make provision for the payment of the money to the complainants concerned.

    (5) If the Commissioner makes a determination under subparagraph (1)(b)(iii) on a representative complaint, the Commissioner may give such directions (if any) as he or she thinks just in relation to:

        (a) the manner in which a class member is to establish his or her entitlement to the payment of an amount under the determination; and

        (b) the manner for determining any dispute regarding the entitlement of a class member to the payment.

  1. The respondent made the Determination on 11 January 2021, finding that:
    (a) under s 52(1)(b)(i)(A) of the Privacy Act, the Other Party has engaged in conduct constituting an interference with the privacy of class members in contravention of IPPs 4(a) and 11;

    (b) under s 52(4)(a), the participating class members are to be paid compensation for loss or damage in accordance with a procedure outlined in the Determination; and

    (c) class members who did not provide a submission and/or evidence to the respondent within the timeframe specified, and who did not opt out, have not substantiated that they have suffered loss or damage as a result of the interference with their privacy, and it would be inappropriate for any further action to be taken in relation to those individuals.

  2. The second applicant, WP, provided a submission to the respondent and was, in accordance with the Determination, entitled to claim compensation. The first applicant, HYYL, did not provide a submission or evidence and so, in accordance with the Determination, was excluded from claiming compensation. While the applicants allege that HYYL never received a copy of the notice, the Other Party submits that the notice was sent to HYYL’s most recent address provided to the Department.

2.4.1. Contravention of Principles 4 and 11

  1. Under s 16 of the Privacy Act, as in force on 10 February 2014, an agency was prohibited from acting, or engaging in a practice, that breached the IPPs. The IPPs are contained in s 14 of the Privacy Act. Principle 4, entitled “Storage and security of personal information”, provides that:
    A record‑keeper who has possession or control of a record that contains personal information shall ensure:

        (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

        (b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record‑keeper, everything reasonably within the power of the record‑keeper is done to prevent unauthorised use or disclosure of information contained in the record.

  1. Principle 11, entitled “Limits on disclosure of personal information”, relevantly provides that:
    1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:
        (a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;

        (b) the individual concerned has consented to the disclosure;

        (c) the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

        (d) the disclosure is required or authorised by or under law; or

        (e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

  1. In response to the OAIC investigation report, the Department acknowledged that the data breach violated principles 4 and 11 of the IPPs. The respondent relied on that acknowledgment in making findings of breach in the Determination (Determination at [44]).

2.4.2. Calculation of quantum of compensation for loss or damage

  1. Subsections 52(4) and (5) of the Privacy Act, outlined above, govern the respondent’s powers with respect to determining compensation for loss or damage in a representative complaint. Pursuant to those subsections, the respondent, at [75] of the Determination, referred the matter of damages to a form of dispute resolution for the parties to negotiate on quantum, with any unresolved claims to be put before the respondent for her consideration. To that end, Addendum A of the Determination, which was constructed to reflect the claims made by class members, provided a method of calculating the quantum of compensation for non-economic loss, to assist parties in their negotiations. This addendum included various categories of non-economic loss, ranging from general anxiousness, trepidation, concern or embarrassment (with a compensation amount between $500 and $4000), to extreme loss or damage resulting from the data breach (with a compensation amount of over $20,000).
  2. The respondent, from [79]–‍[83] of the Determination, outlined the principles governing damages for economic loss. The respondent found that economic loss must be determined on a case-by-case basis (at [83]), and is awarded to restore an individual to “the same position as [they] would have been in if [they] had not sustained the wrong for which [they are] now getting [their] compensation” (Determination at [80], quoting Livingstone v Raywards Coal Company [1880] UKHL 3; [1880] 5 App Cas 25). As the respondent further explained, the principles relevant to causation concerning economic loss were articulated by the High Court in March v Stramare (E and MH) Pty Ltd [1991] HCA 12; (1991) 171 CLR 506, and were not in dispute between the parties.
  3. The respondent noted that the power to award damages included a power to award aggravated damages in addition to general damages (at [84]). However, in the circumstances of the case, the respondent reached the view that an award of aggravated damages was not justified (at [86]).

2.4.3. No compensation for non-participating class members

  1. At [52] of the Determination, the respondent found that she is empowered under  s 52(1)(b)(iii)  of the  Privacy Act  to award monetary compensation only where a complainant has established that they, individually, have suffered loss or damage by reason of the Other Party’s interference with their privacy. The respondent considered that, because the wording of  s 52(1)(b)(iii)  only permits a declaration entitling a complainant to compensation “for loss or damage suffered”, class members must provide an evidentiary basis to establish their entitlement to compensation (Determination at [52]–‍[54]). In other words, the respondent determined that a causal link, supported by evidence, must first be established between the data breach and any non-economic loss class members claim to have incurred as a result, before the respondent is empowered to award monetary compensation (Determination at [59]). In light of these reasons, the respondent determined that only participating class members—being individuals who provided submissions or evidence of loss or damage to the respondent—are to be paid compensation for loss or damage arising from the interference with their privacy (Determination at [63]).
  2. The respondent was further satisfied that there was no evidence that a serious procedural problem had occurred, or that such a finding of a procedural problem (if proven) would have led to an unjust outcome (Determination at [68]). The respondent reached this view for multiple reasons, including the respondent’s findings that (amongst others):
    (a) the requirements for class members to make a claim for loss and/or damage were clearly expressed in the notice;

    (b) numerous steps had been taken to ensure that the notice was effectively communicated to class members; and

    (c) class members were given a reasonable opportunity to provide submissions and evidence (Determination at [69]–‍[70]).

3. ISSUES FOR DETERMINATION AND SUMMARY OF CONCLUSIONS

  1. The Tribunal must decide whether the Determination was the correct and preferable decision and should therefore be affirmed, or whether it should be set aside or varied in whole or in part.
  2. The applicants and the Other Party agreed that the Determination required amendment but did not agree on all of the issues. The following matters were conceded or agreed (including as a result of the parties’ modifying their positions during and after the hearing):
    (a) The Other Party amended its proposed compensation scheme as follows:
    (i) Annexure B, category 4—‍replaced the reference to “medical specialist” with “health practitioner”;

    (ii) Annexure D, clauses 3(a)(i)(B),(ii) (the words “and the Respondent will identify the legal service providers that are acceptable to the Respondent as potential scheme administrators”) and (iv)(C) were not pressed.

  3. The following issues arise for determination and are answered by me as summarised below in italics:
    (a) Which version of  s 52  of the  Privacy Act  applies to the Tribunal’s review in these proceedings?
The  Privacy Act  as at the date of the data breach.
(b) What is the proper construction of  s 52  of the  Privacy Act ? In particular:
(i) Is it necessary for class members to establish by evidence that they have suffered loss or damage for the purposes of s 52  Privacy Act ?

Yes.

(ii) Does the Tribunal have power to, and should the Tribunal, direct the Other Party to undertake an exercise of non-statutory power that might culminate in a submission to the Minister to consider lifting the bar which prevents refused class members from making a further protection visa application?

No. The respondent (and the Tribunal standing in the shoes of the respondent) has no power to make such a direction.

(c) As to Declaration 4 of the Determination: is it correct and preferable that a declaration be made under  s 52(1)(b)(iv)  of the  Privacy Act  that no further action be taken in relation to individuals affected by the data breach who did not provide a submission or evidence of loss or damage prior to the making of the Determination?

No.

As part of this issue:

(i) Is there power, under  s 52(1)(b)(iv)  of the  Privacy Act  or otherwise, to make a declaration in the terms of Declaration 4?
Yes.
(ii) Were class members given adequate prior notice of the consequences provided for in Declaration 4 to support the making of a declaration in those terms?

No. While the notice was widely disseminated, there were deficiencies in the notice itself as a result of which the notice failed to provide class members with a sufficient opportunity to have their claims considered in the respondent’s resolution of the representative complaint.

(iii) Should all class members be given a further opportunity to make submissions or provide evidence of loss or damage and, thus, to become class members who are eligible for an award of compensation in this representative complaint?

No. However, any class member who did not make submissions or provide evidence of loss or damage in response to the OAIC notice in 2018 but establishes to the satisfaction of the scheme administrator that they have a reasonable explanation for not doing so, should be given an opportunity to participate and provide evidence of loss or damage.

In addition, any existing participating class member who wishes to make submissions and/or provide updated and/or supplementary submissions and/or evidence of loss or damage is to do so within three months of the publication of the further notice unless granted an extension by the scheme administrator.

(d) As to Declaration 2 of the Determination: what is the correct and preferable method for assessing compensation for individuals affected by the data breach?

As part of this issue:

(i) Who is the correct and preferable administrator of the compensation assessment scheme?

A law firm with appropriate expertise which is appointed in accordance with [6(a)] of the new Determination in Annexure A to the orders, being (among other things) a law firm which: is independent of the Other Party and class members; has not represented or advised any of the class members in relation to this proceeding; is appointed to the Whole of Australian Government Legal Services Panel in relevant areas; and has not represented or advised the Other Party or the Minister for Immigration, Citizenship and Multicultural Affairs with respect to any matter arising from the data breach or in proceedings related to the grant or refusal of a visa or Australian citizenship.

(ii) What is the correct and preferable manner for working out class members’ compensation (ss 52(1)(b)(iii), 52(4)(a), 52(5)(a)), and for determining any dispute regarding class members’ entitlement to compensation (s 52(5)(b))?

See Annexure B to the orders.

(iii) What are the correct and preferable categories of non-economic loss (both as to magnitude of harm and as to quantum) to which individual class members should be assigned for the purposes of assessing their compensation for the data breach?

Compensation for non-economic loss is to be determined as set out in Annexure B to the orders according to 5 categories ranging from: no compensation where the individual has not provided a submission or evidence substantiating any loss or damage resulting from the data breach; to compensation from $20,000 for extreme loss or damage resulting from the data breach, with the amount of compensation available for the last of these categories being uncapped. Categories 2 to 5 include examples of loss or damage falling within the category to assist in assessing the appropriate category.

(iv) What is the correct and preferable scheme for review of compensation decisions?

See Annexure B to the orders.

(e) Is it correct and preferable to direct that the Other Party pay for particular aspects of the compensation assessment process—specifically, access to translation and interpretation assistance during the operation of the compensation assessment process?

Yes, but only such expenses as are reasonably necessary to ensure that individual class members have a real opportunity to receive and understand information relevant to their claims, and to communicate their responses, concerning the implementation of the compensation assessment process (as the Other Party accepts).

  1. In accordance with the principle in R v Australian Broadcasting Tribunal; Ex parte Hardiman [1980] HCA 13; (1980) 144 CLR 13, the respondent did not seek to be heard in relation to the determination of facts or identification of issues in the proceeding, with the exception of sub-paragraphs (a), (b) and (c)(i) above.

4. CONSTRUCTION OF THE PRIVACY ACT

4.1. Issue (a): Which version of s 52 of the Privacy Act applies to these proceedings?

  1. It is not in dispute that the Tribunal’s jurisdiction arises from  s 96  of the  Privacy Act  as in force on 11 January 2021 when the Determination was made. However, a question arises as to which version of the  Privacy Act  applies in the proceeding. This question is important because the applicants seek to rely upon s 52(3A) of the  Privacy Act  as currently in force even though the legislation applicable as at the time of the data breach did not contain that provision. The new  s 52(3A)  provides that:

A determination under paragraph (1)(b) or subsection (1A) may include any order that the Commissioner considers necessary or appropriate.

  1. I accept the Other Party’s and respondent’s submission that by virtue of the transitional provisions to the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the Amending Act), the  Privacy Act  as at 10 February 2014 (with the compilation start date of 1 July 2013) applies, this date being the date of the data breach. It follows from this that the respondent attached the wrong version of  s 52  to her Determination, even though it is clear from the Determination itself that the respondent at [24]–[28] intended to apply the 2013 version.
  2. First, item 18(1) in Schedule 6 to the Amending Act relevantly provides that the new s 52 applies if:
    (a) before the commencement time, an act was done, or a practice was engaged in, by an agency or organisation; and

    (b) the act or practice may be an interference with the privacy of an individual under section 13 or 13A of the Privacy Act (as in force immediately before that time); and

    (c) immediately before that time:

        (i) the individual has not made a complaint about the act or practice to the Commissioner under section 36 of that Act; and

        (ii) the Commissioner has not decided to investigate the act or practice under subsection 40(2) of that Act.

  1. Significantly, item 18(2) then provides that:

Despite the amendments of the  Privacy Act  made by this Act, the individual may, after the commencement time [i.e. 12 March 2014], complain to the Commissioner about the act or practice, and the complaint may be dealt with, under the  Privacy Act  as if those amendments had not been made.

(Emphasis added.)

  1. The applicants submit that the use of the word “may” in item 18(2) confers a discretion on the respondent to apply the statute as in force either before or after the amendments of the Amending Act. However, read in context, the word “may” where it first occurs simply signifies that an individual may complain about an act or practice that occurred before the 2014 amendments despite those amendments having occurred and, if such a complaint is made, it “may” in the sense of ‘will’ be dealt with as though the amendments made by the Amending Act had not been made.
  2. It follows, as the Other Party submitted, that the effect of item 18(2) is relevantly that, “where there is a post-Amending Act complaint in respect of a pre-Amending Act privacy breach, the Commissioner is to investigate and determine it by applying the provisions of the pre-Amending Act legislation” (emphasis omitted). This item applies to the present case given that the data breach pre-dated the commencement time, and the relevant complaints were submitted to the respondent after the commencement time. As to the latter, the respondent received an individual complaint on 25 March 2014 and the representative complaint on 30 August 2015: Determination at [11]–‍[13].
  3. I also agree with the Other Party that no different result is required by item 14. That item provides that:

Paragraphs 96(1)(c), (e), (f) and (g) of the  Privacy Act , as inserted by Schedule 4 to this Act, apply in relation to a decision made after the commencement time.

  1. As the Other Party submits, those paragraphs of s 96 relate only to the scope of the Tribunal's review jurisdiction and do not address the law which the Tribunal must apply in the exercise of its jurisdiction.
  2. Secondly, I note that the respondent adopted the same position: Determination at [26]–[28]. In this regard, in exercising its power of review under s 43(1) of the AAT Act, the Tribunal “is subject to the same general constraints as the original decision-maker and should ordinarily approach its task as though it were performing the relevant function of the original decision-maker in accordance with the law as it applied to the decision-maker at the time of the original decision” (Frugtniet v Australian Securities and Investments Commission [2019] HCA 16; (2019) 266 CLR 250 at [14] (Kiefel CJ, Gageler, Keane and Gleeson JJ)), subject to any legislative indication to the contrary. As the Other Party submits, there is no reason why the Tribunal reviewing the respondent’s decision and applying s 52 of the Privacy Act should apply any different scheme for the remedies available to the complainants. Rather, the Tribunal effectively stands in the shoes of the respondent.

4.2. Issue (b): What is the proper construction of s 52 of the Privacy Act?

4.2.1. Overview of s 52 of the Privacy Act

  1. Section 52 of the Privacy Act, as at the date of the data breach, has earlier been set out at [29] above.
  2. Applying ss 52(1)(b)(iii) and (4)(a), the Tribunal (standing in the respondent’s shoes) may make a determination in the context of a representative complaint that includes a declaration providing for payment to class members of specified amounts, or amounts “worked out” in a specified way, by way of “compensation for any loss or damage suffered” by them. Section 52(5) then provides that, where the respondent makes a determination under s 52(1)(b)(iii) on a representative complaint, the respondent may give directions as to the manner by which a class member may establish her or his entitlement to payment of an amount under the determination and manner of resolving any disputes regarding the entitlement of class members to payment. It was not in issue that ss 52(1)(b)(iii), (4) and (5) are sufficiently broad to support a process of claim assessments and expert assessments by third parties, as the Other Party submitted.
  3. It is also common ground between the parties that the respondent (and here the Tribunal) has power pursuant to s 52(4) to set out a scheme whereby payment of compensation to class members is worked out by reference to sub-s (1)(b)(iii). Evidently, it is not necessary in the context of a representative complaint for the Tribunal to specify an exact amount of compensation for each complainant; rather, s 52(4) authorises the Tribunal in a determination to provide a scheme whereby a specified amount of compensation for each complainant in a representative complaint can be worked out. The ultimate aim of the scheme, in other words, is to provide for a method of working out an amount by way of compensation for loss or damage that has been suffered for each class member.

4.2.2. Issue (b)(i): Is it necessary for class members to establish that they have suffered loss or damage for the purposes of  s 52  of the  Privacy Act ?

4.2.2.1 Relevant principles of statutory interpretation

  1. The relevant principles of statutory construction are well-established. These were summarised by Perry and Stewart JJ in Vincentia MC Pharmacy Pty Ltd v Australian Community Pharmacy Authority [2020] FCAFC 163; (2020) 280 FCR 397 at [46]–[48]:
In Project Blue Sky Inc v Australian Broadcasting Authority (1998) 194 CLR 355 (Project Blue Sky), McHugh, Gummow, Kirby and Hayne JJ explained that:
  1. The primary object of statutory construction is to construe the relevant provision so that it is consistent with the language and purpose of all the provisions of the statute. The meaning of the provision must be determined ‘by reference to the language of the instrument viewed as a whole’. In Commissioner for Railways (NSW) v Agalianos [(1955) [1955] HCA 27; 92 CLR 390 at 397], Dixon CJ pointed out that ‘the context, the general purpose and policy of a provision and its consistency and fairness are surer guides to its meaning than the logic with which it is constructed’. Thus, the process of construction must always begin by examining the context of the provision that is being construed.

The importance of starting with the statutory context and text was recently emphasised by Kiefel CJ, Nettle and Gordon JJ in SZTAL v Minister for Immigration and Border Protection [2017] HCA 34; (2017) 262 CLR 362 in the following passage:
  1. The starting point for the ascertainment of the meaning of a statutory provision is the text of the statute whilst, at the same time, regard is had to its context and purpose [citing Project Blue Sky with approval]. Context should be regarded at this first stage and not at some later stage and it should be regarded in its widest sense. This is not to deny the importance of the natural and ordinary meaning of a word, namely how it is ordinarily understood in discourse, to the process of construction. Considerations of context and purpose simply recognise that, understood in its statutory, historical or other context, some other meaning of a word may be suggested, and so too, if its ordinary meaning is not consistent with the statutory purpose, that meaning must be rejected.”

Context “in its widest sense”, as referred to in this passage, includes “such things as the existing state of the law and the mischief which ... one may discern the statute was intended to remedy”: CIC Insurance Ltd v Bankstown Football Club Ltd (1997) 187 CLR 384 at 408 (Brennan CJ, Dawson, Toohey and Gummow JJ) (cited with approach [sic] in SZTAL at [14]). To have regard to context in this sense, as integral to the process of statutory construction irrespective of whether ambiguity or inconsistency exists in the literal text, accords with the mandate in s 15AA of the Acts Interpretation Act that the interpretation which best gives effect to the legislative purpose must be preferred to any other interpretation: Mills v Meeking [1990] HCA 6; (1990) 169 CLR 214 at 235 (Dawson J). As a result, as Dawson J also explained with respect to Victoria's equivalent to s 15AA, the approach required by interpretive provisions of this kind “allows a court to consider the purposes of an Act in determining whether there is more than one possible construction” (ibid); see also the discussion in Pearce D, Statutory Interpretation in Australia (9th ed, LexisNexis Butterworths, 2019) ... at [2.17]-[2.20]; Herzfeld P and Prince T, Interpretation (2nd ed, LawBook, 2020) ... at [7.20]-[7.30]. That said, it must also be borne steadily in mind that, as Hayne, Heydon, Crennan and Kiefel JJ cautioned in Alcan (NT) Alumina Pty Ltd v Commissioner of Territory Revenue (NT) [2009] HCA 41; (2009) 239 CLR 27, “[h]istorical considerations and extrinsic materials cannot be relied on to displace the clear meaning of the text. The language which has actually been employed in the text of legislation is the surest guide to legislative intention”.
(Emphasis in original.)
  1. In Certain Lloyd’s Underwriters v Cross [2012] HCA 56; (2012) 248 CLR 378 (at [25]), French CJ and Hayne J elaborated upon the process by which the statutory purpose is ascertained, emphasising the objective nature of that inquiry:
Determination of the purpose of a statute or of particular provisions in a statute may be based upon an express statement of purpose in the statute itself, inference from its text and structure and, where appropriate, reference to extrinsic materials. The purpose of a statute resides in its text and structure. Determination of a statutory purpose neither permits nor requires some search for what those who promoted or passed the legislation may have had in mind when it was enacted. It is important in this respect, as in others, to recognise that to speak of legislative “intention” is to use a metaphor. Use of that metaphor must not mislead. “[T]he duty of a court is to give the words of a statutory provision the meaning that the legislature is taken to have intended them to have”. And as the plurality went on to say in Project Blue Sky:
Ordinarily, that meaning (the legal meaning) will correspond with the grammatical meaning of the provision. But not always. The context of the words, the consequences of a literal or grammatical construction, the purpose of the statute or the canons of construction may require the words of a legislative provision to be read in a way that does not correspond with the literal or grammatical meaning.
(Citations omitted; emphasis added.)
  1. Accordingly, in ascribing meaning to text, a Court must have regard to the context and purpose of that provision, including having regard, where appropriate, to legitimate secondary material. As Allsop CJ explained in Construction, Forestry, Maritime, Mining and Energy Union v Australian Building and Construction Commissioner (The Bay Street Appeal) [2020] FCAFC 192; (2020) 282 FCR 1 at [4]–[5]:
... The principle is clear: Meaning is to be ascribed to the text of the statute, read in its context. The context, general purpose and policy of the provision and its consistency and fairness are surer guides to meaning than the logic of the construction of the provision. The purpose and policy of the provisions are to be deduced and understood from the text and structure of the Act and legitimate and relevant considerations of context, including secondary material.
There can be no doubt that the search for principle in the High Court reveals a settled approach of some clarity. The notion that context and legitimate secondary material such as a second reading speech or an Explanatory Memorandum cannot be looked at until some ambiguity is drawn out of the text itself cannot withstand the weight and clarity of High Court authority since 1985.
(Citations omitted.)
  1. In Rummery v Federal Privacy Commissioner [2004] AATA 1221; (2004) 85 ALD 368, the Tribunal (Downes J (as President), Senior Member Constance and Member Miller) considered the principles relevant to the assessment of compensation in the context of a substantiated breach of the applicant’s privacy contrary to the Privacy Act. The Tribunal considered that there was no conflict between the principles enunciated by the Full Court in Hall v A & A Sheiban Pty Ltd [1989] FCA 65; (1989) 20 FCR 217 with respect to the award of compensation under the Sex Discrimination Act 1984 (Cth) and the provisions of  s 52  of the  Privacy Act  (at [41]). Based on this view, the Tribunal (at [36]–[41], [46] and [54]–[55]) identified the relevant principles as follows:
    (a) where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course;

    (b) compensation extends to damage in the form of injury to feelings, distress and humiliation;

    (c) awards should be restrained but not minimal;

    (d) in measuring compensation the principles of damages applied in tort law will assist, although the ultimate guide is the words of the statute;

    (e) in an appropriate case, aggravated damages may be awarded; and

    (f) compensation should be assessed having regard to the complainant’s (subjective) reaction to a breach of the  Privacy Act  and not by reference to the perceived (i.e. objectively assessed) reaction of the majority of the community or of a reasonable person in similar circumstances (applying, by analogy, the observations of Wilcox J in Hall that “a sexual harasser takes his victim as he finds her”).

  2. I agree with this articulation of the relevant principles. Furthermore, as to (b) above, this statement accords with the approach of Mortimer J in Wotton v State of Queensland (No 5) [2016] FCA 1457; (2016) 157 ALD 14 at [1622] in the context of an action for compensation for a breach of s 9(1) of the Racial Discrimination Act 1975 (Cth) that:

It is true, as the applicants submit (and the respondents do not dispute) that compensation can be awarded for what May LJ in Alexander v Home Office called “injured feelings”: [1988] 1 WLR 968 at 975. However, this phrase is generally used interchangeably with descriptions such as “distress”, “humiliation”, “insult”, “anxiety” and “stress”. The dominant theme is a feeling, or emotional reaction, with discernible negative effects. In other words, they are all characterisations of feelings which carry a sense of injury, and therefore sufficient connection with the statutory concept of “loss” and “damage”. Without questioning their sincerity, feelings such as anger, outrage and a sense of injustice, without more, are not susceptible to a characterisation as an injury, or as damage. They may or may not be negative in character: in some cases they are emotions with considerable positive force. In my opinion, reactions and feelings of that kind should not occasion an order for compensation in the circumstances of this proceeding, where protest and outrage was a key component of the circumstances giving rise to some of the acts of unlawful discrimination.

4.2.2.2 Compensation requires proof of loss or damage

  1. The applicants contend that all class members have necessarily suffered a “common”, i.e. non-individualised, loss which should be reflected in a base payment of $10,000 for each class member. The applicants contend that compensation should reflect common law principles and the text of  s 52  of the  Privacy Act  does not warrant any different approach.
  2. The applicants’ submission cannot, with respect, be sustained. It is plain from the text and context of s 52 of the Privacy Act that compensation can be awarded only where class members establish that they have suffered loss or damage for the purposes of s 52 for the following reasons.
  3. First, the circumstances in which “compensation” can be awarded turn upon the proper construction of s 52(1)(b)(iii) of the Privacy Act. That section provides that “compensation” can be awarded to a complainant “for any loss or damage suffered by reason of the act ... the subject of the complaint” (emphasis added). Read according to its ordinary and natural meaning:
    (a) the word “for” links the award of compensation to the requirement for loss or damage to be suffered by reason of the act;

    (b) the verb “suffered” contemplates an actual experience of loss or damage by the class member; and

    (c) the words “by reason of the act” introduce a requirement of causation.

  4. It follows that there is no foothold in the text of  s 52  for the proposition that there is power to award compensation merely on the assumption that class members have “objectively” experienced loss and damage as a result of the breach of privacy itself, as the applicants contemplate. To the contrary, the Parliament could not have expressed more clearly its intention to limit the power to award compensation under  s 52(1)  to cases where the class member establishes that they have personally suffered loss or damage which is causally connected to the breach. In this regard, the language actually employed in the text “is the surest guide to legislative intention”: Alcan (NT) Alumina Pty Ltd v Commissioner of Territory Revenue (NT) [2009] HCA 41; (2009) 239 CLR 27 at [47] (Hayne, Heydon, Crennan and Kiefel JJ).
  5. This construction is supported by s 52(1A) of the Privacy Act which provides that the loss or damage referred to in s 52(1)(b) “includes injury to the complainant’s feelings or humiliation suffered by the complainant” (emphasis added). This serves to emphasise that s 52(1)(b)(iii) requires an individual complainant to have suffered actual loss or damage.
  6. This construction is also supported by  s 52(5)(a)  which allows a respondent, should she make a determination, to give directions in relation to “the manner in which a class member is to establish his or her entitlement to the payment of an amount under the determination” (emphasis added). As the respondent submits, the word “establish” in this context conveys that the class member must establish by evidence that they personally have suffered loss or damage in order to prove their entitlement to a payment of compensation. If, however, that entitlement arose merely by reason of the breach of privacy itself, there would be no need to make provision for directions of the kind envisaged by  s 52(5)(a)  and that provision would be rendered otiose. In other words,  s 52(5)(a)  in terms presupposes that the class member must substantiate their loss in some way and cannot rely merely upon the fact of the breach in order to make good their claim to be entitled to compensation. The applicants’ submission that the award is for the vindication of the right itself, as submitted by the Other Party, is “quite antithetical to the scheme”.
  7. Secondly, in support of their construction, the applicants rely on observations by Mortimer J in Wotton. Specifically, the applicants contended that:
The right to privacy is a substantive right, enforceable and ‘more than aspirational’ [citing Wotton at [1607]]. It is a norm and the community expects their affairs to be conducted consistently, as of ‘right’. The ‘nullification or impairment’ of that right is a form of loss and damage.
  1. Wotton was a representative proceeding instituted under Part IVA of the Federal Court of Australia Act 1976 (Cth) (Federal Court Act). The applicants alleged contraventions of s 9(1) of the Racial Discrimination Act by reason of the conduct of members of the Queensland Police Service on Palm Island, Queensland, in November 2004 in the course of investigating the death of a resident of the island. The applicants relevantly sought compensation for non-economic loss and aggravated and exemplary damages under s 46PO of the Australian Human Rights Commission Act 1986 (Cth) (AHRC Act). That provision largely mirrors s 52 of the Privacy Act, including providing for “damages by way of compensation for any loss or damage suffered”. Particular reliance was placed by the applicants on the observations of Mortimer J (as her Honour then was) at [1627] as follows:
Eschewing any bright lines between human rights law as “public law” and torts as “private law”, Varuhas criticises developments in United Kingdom law which diminish the role and importance of damages in human rights cases. He criticises cases such as Anufrijeva v Southwark LBC [2003] EWCA Civ 1406; [2004] QB 1124 and R (Faulkner) v Secretary of State for Justice [2013] UKSC 47; [2013] 2 AC 254 which characterise damages as a remedy of last resort in human rights cases because “public law” remedies – bringing the breach of rights to an end for example – are the remedies which it is said should be given prominence. Varuhas instead contends that a “vindicatory” approach should be taken, by analogy with those torts which recognise the need to vindicate the importance of basic and fundamental rights by an award of damages for the infringement of the right itself.
  1. However, Mortimer J expressly recognised at [1628] that Varuhas’ observations were made in a different legal context from that existing in Australia, explaining at [1628] that:
It should be said at once that Varuhas’ text is concerned principally with human rights law in jurisdictions with bills of rights, whether statutory or constitutionally entrenched. It should also be said that, as the authorities to which I refer at [1613] demonstrate (Richardson in particular), it is not the case that damages for breaches of statutory equality rights (as a subset of human rights) are approached by Australian courts from any secondary perspective, as if monetary compensation is less important than other remedies. Quite the opposite. In that sense, Varuhas’ concerns may not be apparent in Australian cases. Further, Varuhas criticises courts in the United Kingdom for tying the “quantum of awards for non-pecuniary loss to Strasbourg levels of awards, which are far lower than domestic scales for equivalent losses” (at p 95). The case law of the European Court of Human Rights, to which Varuhas refers, is far less of an influence on Australia law.
  1. Furthermore, while Mortimer J observed at [1629] that Varuhas’ emphasis on the origins of many torts in the vindication of fundamental rights were “not without significance for the grant of relief under statutory provisions such as s 46PO”, her Honour then explained (at [1629]) that she did “no more than ask the question”, given that the applicants did not seek to develop the argument (at [1625]). It follows, as the applicants in this case correctly conceded, that her Honour’s observations were made in obiter in the context of a case where the issue was not the subject of argument. Nor was any other Australian authority cited by the applicants in support of the novel proposition for which they contend.
  2. Moreover, there was no real dispute in Wotton regarding the applicable principles for an award of compensation under s 46PO(4), with both parties relying upon the decision in Richardson v Oracle Corporation Australia Pty Ltd [2014] FCAFC 82; 223 FCR 334, and the cases referred to therein (Wotton at [1599]). Thus, her Honour accepted that, while “tortious principles may be helpful to inform the fixing of compensation ... those principles are not the governing criteria: see Richardson at [30] and [95] per Kenny J; and at [131] per Besanko and Perram JJ”. Rather, as Mortimer J emphasised (at [1600]), “The power to order compensation for loss and damage suffered “because of” the conduct of a respondent is a statutory power, ... it is the words of the statute which provide the criterion for such an order, not common law principles”. It followed, as her Honour held, that she did not accept “that torts principles are the “starting point” for an assessment of damages” under s 49PO(4). Yet that is precisely, with respect, the error made by the applicants in this case.
  3. Finally and in any event, while the door to a cause of action for invasion of privacy was left open by the High Court in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63; (2001) 208 CLR 199 (Lenah Meats), there is presently no such cause of action in Australia (as the Australian Law Reform Commission’s report on Australian Privacy Law and Practice (2008) at p. 25 recognised: see also the observations of Basten JA (with whose reasons Allsop P agreed) in Maynes v Casey [2011] NSWCA 156 at [34]–‍[35] holding that that case was an inappropriate vehicle to consider the issue). Nor do the statements of the majority in Lenah Meats support the suggestion that the High Court in Lenah held out any invitation to intermediate courts in Australia to develop the tort of privacy as an actionable wrong”: Sands v South Australia [2013] SASC 44 at [614] (Kelly J). Thus, whatever the position in England, no actionable wrong for breach of privacy at common law has been recognised in Australia.
  4. It follows for these reasons that it is necessary for class members to establish that they have in fact suffered loss or damage before any entitlement to compensation under  s 52  of the  Privacy Act  can arise. The applicants’ submission that the Tribunal may award a base payment to each class member irrespective of whether or not they have established any loss or damage is, with respect, untenable in light of the clear language of s 52.

4.2.3. Issue (b)(ii): Does the Tribunal have power to, and should the Tribunal, direct the Other Party to undertake an exercise of non-statutory power that might culminate in a submission to the Minister to consider lifting the bar which prevents refused class members from making a further protection visa application?

  1. Initially, the applicants contended that a direction should be made to the Other Party to reconsider applications for protection visas by class members that were refused, following the respondent’s declaration that the Other Party had interfered with class members’ privacy as defined in the  Privacy Act .
  2. This submission was narrowed in oral submissions for the applicants so as to be directed to the relief sought at [128] of the ASFIC. As reformulated, the applicants sought a direction from the Tribunal for an exercise of what was described as a “non-statutory power” by the Other Party, namely, that the Other Party “provide a reasonable opportunity for refused class members to provide further information in relation to the data breach” and to “reconsider refused class members’ applications for protection visas by way of process directed to consideration of exercise of the power in s 48B”. It was submitted that this exercise of power might ultimately culminate in the Minister lifting the bar imposed by s 48A of the Migration Act against any further protection visa applications being made by those class members who seek to make a further application.
  3. In this regard, counsel for the applicants identified the relevant loss for the purposes of s 52 in the following terms:

the loss or damage is the loss of the opportunity to have a protection claim founded on the data breach properly considered. And by properly considered, I mean in the context of the evidence, which I will specifically take your Honour to, that it is not just as the policy directed decision-makers to consider it, not just that foreign authorities may have had access to this date, but, in fact, did have access to this data. And so that loss of a chance or that ability to confront a risk, as the respondent characterises it in her submissions, is still a loss that is suffered. And as your Honour knows, the very point of refugee law is about protection from a real chance or a real risk of harm.

The High Court tells us that in Chan, for example, full citation, Chan v Minister for Immigration and Ethnic Affairs [1989] 169 CLR 379. So refugee law is all about chances, all about risk, and so we go with how the Commissioner has characterised it that, at most, this is seeking to confront a risk. Well, yes, that is what is sought to be done, and the loss of that risk could lead to persecution.

(Emphasis added.)

  1. The applicants also submitted that the evidence established that the information had been downloaded but that there was no real way of knowing how far it was disseminated. So much did not appear to be in issue. Further, I accept that, while some of the data which was downloaded might appear innocuous, the difficulty is that it may allow others to “join the dots” if that information is considered in conjunction with other information available to foreign actors and thereby place the individual at risk.
  2. In support of this relief, the applicants rely first upon the “concession” by the Other Party that the Other Party is not aware of any decisions of the Refugee Review Tribunal or this Tribunal to date which have accepted that the data breach has led to a well-founded fear of persecution for the relevant protection visa applicant. An example is the decision of the (then) Refugee Review Tribunal in Application 1421375 [2015] RRTA 59 on which both the applicants and the Other Party relied. In that case, the Tribunal did not accept that the data breach would increase the risk of harm to the visa applicant. However, the Tribunal reached that view because of the limited nature of the personal details released and, in particular, the fact that there was no evidence that the applicant’s protection claims had been disclosed. It was for this reason that the Tribunal did not accept that there was a real chance that the visa applicant would be persecuted upon his return to his home country as a result of the public disclosure of his personal details by reason of the data breach (at [45]–[48]). Given that in the present case, it is common ground that only limited personal details of the same kind found by the Tribunal in 1421375 were released, it is difficult to see how this case supports the applicants’ contention that there is utility in any further decision by the Minister to lift the statutory bar in s 48A to permit a further protection visa application to be made.
  3. Secondly, the applicants submit that it is not “speculative” to conclude that the authorities had accessed the data but rather, there was evidence that the data had in fact been accessed by the relevant country concerned, and that this had resulted in actual harm. The applicants relied upon the following examples:
    (a) a judgment from an Iranian Court, the Yazd’s Islamic Revolutionary Court, Branch 2, dated 21 July 2014 which stated that:
But according to the recent report of the Yazd’s Intelligence Agency that is based on information obtained from Australian Immigration Department’s Central Web site in February 2014 equivalent to month of Bahman 1392 in Iranian Calend[a]r, [the class member] is living in refugee camps in Australia and it is obvious that he has applied to the Australian Government for a refugee status. It is now clear to this court that [the class member] has left the country illegally...

The Iranian Court subsequently sentenced the class member’s father to five years’ imprisonment for “financially assisting and paving the way for the unlawful escape” of the class member;

(b) a statement from a class member, translated from Persian, which stated that “[a]ccording to the  Privacy Act , the personal details of people are protected but unfortunately, because of the negligence of Government[,] Immigration, they were revealed”. As a result of the data breach, the class member has been “overwhelmed by fear, anxiety and depression”;

(c) a statement from a class member from Sri Lanka which stated that:

I believe the Sri Lankan authorities are aware that I am in Immigration Detention in Australia and this is because of the data breach in 2014.

The CID of the current Sri Lankan Government have come to my house on two occasions. I am sorry but I have memory problems and cannot remember the exact dates. The first time they came they asked my wife where I was and asked my wife for my telephone number. My wife did not give my number as I don't have a telephone

On the second occasion they came to my house and said to my wife that they knew that I was in immigration detention in Australia.

The class member feared for his family’s safety and is “psychologically unwell”;
(d) a translated “certificate” from the Xuanshan Villagers’ Committee in Zhanggong, China which stated that the class member’s father was stabbed by another local family, who had “learned from the township government that his son was in Australia”; and

(e) a certificate issued by the Yilong County Funeral Parlour in Sichuan, China, which stated that, because “public security officers” discovered that the class member “had escaped to Australia to seek protection”, they searched the house of the class member’s grandmother. During a struggle, the class member’s grandmother suffered a fatal injury.

  1. Given this evidence, the applicants submitted that the guidance given to decision-makers in the Onshore Protection Interim Procedures Advice No: 6/2015 (OPIPA) following the data breach was “far too circumspect”. The OPIPA provided guidance to departmental officers about processing and assessing protection claims for asylum seekers affected by the data breach whose applications for protection had otherwise been “finally determined” before they were afforded an opportunity to raise protection claims in relation to the data breach. Under the heading “Assessment of protection claims about the privacy data breach in an ITOA [International Treaties Obligation Assessment]”, the OPIPA stated that:

When assessing protection claims in relation to the privacy data breach, case officers are instructed to accept that the claimant's personal information released on the department's website may have been accessed by the authorities in the receiving country. The reason for this approach is that, although the KPMG privacy breach review found that there were relatively few internet users who accessed this document, it is not possible to discount the possibility that the authorities in another country may have accessed this document. Accordingly, an assessment of protection claims in relation to the privacy data breach should be undertaken on the assumption that this information may have been accessed by the authorities in the receiving country.

  1. Given therefore the evidence of actual use of the data causing harm to the class members or their family members before the Tribunal, the applicants submit that the Tribunal ought to direct that a non-statutory task be undertaken so as (at least) to permit those affected class members who wish to do so, to have their protection claims reviewed again, namely, that the Other Party:
    (a) provide a reasonable opportunity for refused class members to provide further information in relation to the data breach; and

    (b) undertake an exercise of non-statutory power that might culminate in a submission to the Minister to consider the exercise of the power in s 48B of the Migration Act to lift the bar which prevents refused class members from making a further protection visa application.

  2. The applicants submit that the Tribunal has the power to make such a direction under  s 52(1)(b)(ii)  of the  Privacy Act  even if (contrary to their primary submission)  s 52(3A)  in the new Act does not apply, on the basis that s 52(1)(b)(ii) provides a sufficient source of power to make incidental directions for the working out of the overall declarations. Section 52(1)(b)(ii) provides that there is power to make “a declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant”, the loss alleged here being (as earlier explained) the loss of the opportunity to have a protection claim founded on the data breach properly considered.
  3. In so submitting, the applicants rightly accept that the Tribunal lacks power under s 48B of the Migration Act to direct the Minister to lift the bar imposed by s 48A. However, the applicants sought to draw an analogy with an existing process within the Department, the International Treaties Obligation Assessment (ITOA) process.
  4. The High Court in SZSSJ at [9] and [11]–[12] described the ITOA process as follows:

The departmental response [to the data breach] appears by then to have been channelled into processes known as "International Treaties Obligations Assessments" ("ITOAs") conducted in accordance with standardised procedures set out in the Department's publicly available Procedures Advice Manual. The purpose of conducting these particular ITOAs was to assess the effect of the Data Breach on Australia's international obligations with respect to affected applicants. The particular international obligations to which the ITOAs were directed were Australia's non-refoulement obligations under the Refugees Convention, the Torture Convention and the International Covenant on Civil and Political Rights.

...

Standard departmental instructions in the Procedures Advice Manual for the conduct of an ITOA indicated that a finding by an officer that a non-refoulement obligation was engaged in respect of a particular applicant might result in referral of that applicant's case to the Minister for decision by the Minister whether or not to exercise a power conferred by specified sections of the Act. Relevantly to an applicant in respect of whom a non-refoulement obligation might be found to be engaged as a consequence of the Data Breach, the sections specified included ss 48B, 195A and 417.

Common features of those sections are that they confer "non-compellable" powers on the Minister to grant a visa in the cases of ss 195A and 417 or to lift a statutory bar to the making of an application for a visa in the case of s 48B.

(Citations omitted.)

  1. As the High Court also explained at [10], “Departmental officers conducting the ITOAs were specifically instructed to assess the effect of the Data Breach on Australia's non-refoulement obligations adopting the assumption that an applicant's personal information may have been accessed by authorities in the country in which the applicant feared persecution or other relevant harm.”
  2. In the applicants’ submission, the practical outcome of the ITOA process is the same as the relief which they seek, namely, that a submission may be put to the Minister to consider lifting the statutory bar imposed by s 48A of the Migration Act for a particular individual to make a protection visa application in the exercise of the Minister’s non-compellable statutory power. As such, the applicants submit that the direction which they seek would simply “require the Secretary to engage a process he already undertakes, but just do it again in respect of the data breach for all those people who want it. ... It’s just asking the Secretary to follow his own process”.

4.2.4.1. Findings on Issue (b)(ii): the Tribunal lacks power to make the direction sought by the applicants

  1. Contrary to the applicants’ contentions, neither the respondent nor the Tribunal on review have any power under the Privacy Act to direct the Other Party to reconsider decisions made under the separate and distinct statutory regime for the grant of visas under the Migration Act.
  2. First, s 52(1)(b)(ii) limits the power vested in the respondent to make a determination that includes, relevantly, “a declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant”. Read in context, that redress can only be by reference to loss or damage suffered by the complainant caused by the breach of privacy: NWFQ and Privacy Commissioner [2019] AATA 1302 at [72] (DP Humphries). NWFQ involved the public release of a poorly redacted report into whether the applicant’s employment with Defence had caused her contraction of cancer. In that case, DP Humphries relevantly rejected the existence of a causal link between the breach of privacy and subsequent dealings by Defence with the applicant. Turning to the present case, as the respondent contends, it is not, with respect, tenable to suggest that the refusal by the Minister (or her or his delegate) to grant a protection visa application is loss or damage causally connected to the breach of privacy arising from the data breach.
  3. This can be illustrated by the examples of ITOA assessments on which the Other Party relied.
    (a) On 28 June 2017, a class member deposed in a statutory declaration that he was a “dissident [redacted]” who converted from Islam to Christianity, and has “come to face additional problems” in Iran due to the release of his name and personal information by the data breach. While the decision-maker acknowledged and did not dispute the class member’s submissions with respect to the data breach, they granted protection on a different basis, as follows:

I therefore accept that the applicant has a subjective fear of harm on returning to Iran owing to the website disclosure and his belief that the fact of his detention in Australia is known to Iranian authorities. However, as aspects for this claim are not material for his claim for protection as a Christian convert, which form the basis of recommending that protection obligations are owed...

    (b) On 19 August 2015, an ITOA assessed whether a class member whose information was released in the data breach “would be at risk of harm on return to Iran as he could now be identified as a person who has lived and claimed asylum in a western country”. However, the decision-maker found that there was no evidence to indicate, and no real chance, that the class member would be subject to serious harm for being a failed asylum seeker returning from a Western country. Therefore, despite considering the consequences of the data breach, the decision-maker concluded that Australia did not have non-refoulement obligations with respect to this particular class member.

    (c) The Tribunal in 1710327 (Refugee) [2018] AATA 1321 discussed the data breach issue in significant detail at [246]–[248] and accepted that the Iranian authorities may have accessed the information which was the subject of the breach. However, the Tribunal concluded that the applicants “do not have a real chance of serious harm arising from the data breach”, and ultimately rejected the application for reasons related to the applicants’ particular circumstances.

  1. These examples illustrate that as a matter of course, protection visas may be refused for a number of reasons. While the data breach may factor into the reasoning process as an “indirect step” in determining whether a protection visa should be refused, it cannot logically follow that in every case where a class member’s protection visa was refused, the data breach itself resulted in or contributed to the refusal. Nor does it follow that the data breach was not taken into account by the decision-maker. The decision must ultimately depend upon the individual circumstances of each class member.
  2. Secondly, the applicants’ contention (as modified during the course of the hearing) that there is some non-statutory process that could be invoked is untenable. The relief sought must draw from a sufficient source of the power in s 52(1)(b)(ii)—namely, that the act was connected to the loss or damage suffered by the class members. The applicants’ submission goes nowhere in terms of redressing the alleged loss of opportunity, unless it is accepted that in effect what is sought is a direction to the Minister to at least consider the exercise of the power. That being so, contrary to the applicants’ submission, the relief sought cannot be characterised as directed to a non-statutory process. Thus, by analogy, the High Court in SZSSJ at [54] and [56] held that the ITOAs were properly characterised as a process under and for the purposes of s 48B:

If the Minister has made a personal procedural decision to consider whether to make a substantive decision [under s 48B], a process undertaken by the Department to assist the Minister’s consideration has a statutory basis in that prior procedural decision of the Minister.

...

the Minister has made a personal procedural decision to consider whether to grant a visa under s 195A and s 417 of the Act or to lift the bar under s 48B in the case of each applicant for a protection visa affected by the Data Breach. The ITOA processes have been undertaken by officers of the Department to assist the Minister in that consideration. An ITOA is accordingly properly characterised as a process undertaken by an officer of the Department under and for the purposes of ss 48B, 195A and 417 of the Act.

  1. Moreover, as Ms Winnett for the Other Party submitted, the direction for which the applicants contend:
also contemplate, in effect, directing what the secretary says the IOTA should find, because the key problem they identify is that the instructed assumption that data may or may not have been accessed by authorities. They want the Secretary to write an IOTA that says, in every case, it seems, “This information was accessed by authorities and, therefore, it must, you know, be considered as to whether it gives rise to protection claims”.
  1. It follows that a direction of the kind contemplated by the applicants is beyond the power of the Tribunal to make. The effect would be to impose a duty on the Minister to consider whether to exercise power under s 48B of the Migration Act despite the fact that “the Minister has no duty to consider the exercise” of the power (as the High Court held in SZSSJ at [12]), and the direction would therefore constitute an impermissible interference in the statutory scheme of the Migration Act.
  2. Thirdly and in any event, as the Other Party submits, relevant class members have in fact already been afforded the opportunity to raise a claim by reference to the data breach during the ITOA process, as the applicants’ witnesses accepted. For example, the Dale affidavit deposed that “[c]lass members previously had an opportunity to raise in their visa applications that they were affected by the Data Breach and explain how this impacted their claims, safety, and family” (at [32]). Similarly, the Paull affidavit deposed that Ms Michaele Byers, a migration lawyer, told Slater & Gordon that she had liaised with approximately 1,200 class members, with “almost all of the group referencing the Data Breach as a factor in their protection visa applications as the breach increased their fears of persecution” (at [34]–[35]). Furthermore, as the High Court explained in SZSSJ, decision-makers were directed to assume in assessing claims pursuant to the ITOA process that authorities in the country of origin may have accessed the information from the data breach. If the ITOA concluded that the class member had a well-founded fear of persecution, the Department was required to reassess the protection finding, including potentially by way of a submission to the Minister for a lifting of the bar.
  3. Fourthly, with respect to the applicants’ examples of actual access to the data by the relevant country concerned, I agree with the Other Party’s submissions that:
    (a) while the applicants tendered a judgment of one country indicating that personal information about one class member disclosed by reason of the data breach had in fact been accessed by the authorities in that class member’s country of origin, that does not prove that the personal information of any other class member has in fact been accessed by the authorities in the various countries of origin of the other class members;

    (b) in any event, and as explained above, Departmental officers undertaking the ITOA assessments were instructed to assume that foreign authorities may have accessed class members’ personal information; and

    (c) the examples referred to by the applicants were submissions and evidence submitted by class members in relation to the compensation scheme and produced by the Other Party which have not (yet) been assessed for authenticity or been subject of any kind of determination.

  4. Finally, even if, contrary to my earlier findings, the new s 52(3A) of the Privacy Act does apply, it is nevertheless an insufficient statutory power to issue the direction sought by the applicants. As the respondent submits, s 52(3A) cannot be invoked to “do the work beyond that done by the specific provisions which the text and structure of the legislation show it was intended to supplement”: BMW Australia Ltd v Brewster [2019] HCA 45; 269 CLR 574 at [70] (by way of analogy to s 33ZF of the Federal Court of Australia Act). In circumstances where the Privacy Act already expressly provides for a grant of compensation (s 52(b)(iii)) and for the respondent to perform any act or course of conduct to redress any loss or damage (s 52(b)(ii)), s 52(3A) is not a “gap-filling” provision and would not therefore provide a source of power to make the orders sought by the applicants.

5. DESIGN OF THE SCHEME

  1. The applicants’ updated compensation assessment scheme (applicants’ scheme) is found at Attachment A of the ASFIC.
  2. The Other Party proposes that the compensation payable to class members be assessed following the process described:
    (a) in Annexure A to the OPSFIC if the Other Party's legal representatives are appointed as the scheme administrator;

    (b) in Annexure D to the OSFC if a firm that is independent of the parties to the proceedings is appointed (Other Party’s scheme).

  3. As I explain below, I have taken the Other Party’s scheme at Annexure D to the OPSFIC as the starting point.

5.1 Issue (c): As to Declaration 4 of the Determination: is it correct and preferable that a declaration be made under s 52(1)(b)(iv) of the Privacy Act that no further action be taken in relation to individuals affected by the data breach who did not provide a submission or evidence of loss or damage prior to the making of the Determination?

5.1.1. Issue (c)(i): Is there power, under s 52(1)(b)(iv) of the Privacy Act or otherwise, to make a declaration in the terms of Declaration 4?

  1. The Other Party submits that the power to declare that no further action be taken with respect to individuals who have not provided a submission or evidence of loss or damage (Declaration 4) arises from s 52(1)(b)(iv) of the Privacy Act read together with s 52(1)(b)(iii). It will be recalled that s 52(1)(b)(iii) provides that the respondent has power to make a declaration that a class member is entitled to a specified amount by way of compensation “for any loss or damage suffered by reason of” the data breach. As I have earlier found, a necessary precondition for making such a declaration in respect of an individual class member is that the respondent is satisfied that the class member has actually suffered some loss or damage as a result of (relevantly) the data breach. If a class member failed to provide any submissions or evidence of loss or damage, the respondent could not be so satisfied, and therefore the natural consequence would be to declare that it was inappropriate to take further action with respect to that class member, pursuant to s 52(1)(b)(iv).
  2. While the applicants ultimately accepted that the respondent (and the Tribunal standing in the respondent’s shoes) had the power to make a declaration in terms of Declaration 4, they submit that the real question is whether the Tribunal should exercise that power and the circumstances in which it should do so. In their submission, whether such a declaration should be made hinges on the appropriateness of any notification or fresh notification to class members. If there is a notification which addresses the defects identified by the applicants (which I elaborate on below) then, provided that the notice is given, the applicants accept that it would be appropriate to make a declaration of that kind.
  3. It is therefore not in dispute, and I am satisfied, that the Tribunal does have power to make a declaration to the effect of Declaration 4 of the Determination. However, as the Other Party submits, the applicants’ “real complaint” concerns the content and adequacy of the notice, which I discuss below.

5.1.2. Issue (c)(ii): Were class members given adequate prior notice of the consequences provided for in Declaration 4 to support the making of a declaration in those terms?

  1. It will be recalled that the respondent directed the Other Party to disseminate the notice to the class members on 9 January 2018. I agree with the applicants that the 2018 notice was ineffective or inadequate.
  2. Before I explain my reasons, it is convenient to set out some propositions by the Other Party with which I agree.
  3. I accept the Other Party’s submission that the notice was widely disseminated, including by:
    (a) the respondent publishing the notice on its website, in 21 different languages;

    (b) the respondent causing the notice to be published in The Australian Newspaper;

    (c) the Department writing to class members at their last known address, nominated by those class members as the address for receiving correspondence from the Minister;

    (d) the respondent writing to Slater & Gordon and to Michaela Byers (who then represented the majority of class members who had indicated that they wished to pursue a complaint); and

    (e) the respondent writing to 11 refugee and other community support organisations, seeking their assistance to distribute the notice to class members whom they were able to contact.

  4. I further accept that, as the Other Party submitted, the notice did enable the respondent to obtain evidence from those complainants who claimed to have suffered loss and damage as a result of the data breach, in order to provide an appropriate foundation for declarations as to compensation and to develop categories of loss. I also agree that practical difficulties are somewhat inevitable with a class size of 9,258 people and at least some difficulties in contacting those people were always bound to arise—given, in particular, the passage of time since the data breach and the movement of many class members out of immigration detention.
  5. However, for the reasons given below, none of those features can remedy the inadequacy of the notice itself. This is particularly the case when regard is had to the vulnerability of the class members, which distinguishes them from those comprising representative proceedings more generally. It is uncontentious that the class members in this proceeding have a greater degree of vulnerability than a “typical” class in other representative proceedings. This is because the characteristics of class members include lower overall familiarity with or fluency in English, higher rates of illiteracy, higher rates of children, less overall understanding of the Australian legal system, less access to lawyers or independent legal advice, higher rates of backgrounds featuring trauma and torture or other injuries, and higher rates of psychological symptoms or injuries: Paull affidavit at [51]–[54].
  6. First, as the applicants correctly submit, while the 2018 notice explained that class members may be entitled to compensation for loss or damage suffered as a result of the breach, the notice did not define “loss or damage”. Nor did it provide examples of what may be considered a form of loss or damage. The Other Party has attempted to characterise the applicants’ contentions as merely “legalistic quibbles”, submitting that “loss” and “damage” are concepts that a layperson can understand without needing an explanation. However, laypersons may not necessarily have understood that loss or damage could include psychological impacts of the breach such as anxiousness, distress, or fear. This is especially so in circumstances where a high portion of class members were unlikely to have access to legal assistance.
  7. Secondly, by analogy with the class action provisions in Part IVA of the Federal Court Act, I agree with the comments of Flick J in Pharm-a-Care Laboratories Pty Ltd v Commonwealth of Australia (No 6) [2011] FCA 277 at [9] that “[i]t is of importance that any notice [of a settlement scheme] be both accurate ... and expressed in as plain and simple language as is consistent with the information sought to be communicated”. The need for the notice to be expressed in clear and plain language in the present context is particularly acute given the significant vulnerability of the class members. In short, as the applicants contend, “[b]ecause people seeking asylum and refugees are a multifaceted group with different language backgrounds and because many rely on formal and informal translation services, messages to this community need to be clear and to the point, put in the simplest terms possible”.
  8. Bearing these matters in mind, with respect I do not consider that the notice was sufficiently clear to inform class members of the respondent’s proposed process, and as a result to provide them with a sufficient opportunity to have their claims considered in the respondent’s resolution of the representative complaint. In particular, and without necessarily being exhaustive, the following deficiencies in the notice are apparent.
(1) The notice stated at [6] that “If you were affected by the Data Breach and do not provide information the kind described below, the Commissioner may conclude that he is not satisfied that you have suffered any loss or damage as a result of the Data Breach and you may not receive compensation for the Data Breach” (emphasis added). That statement did not make it clear that failing to provide information of the kind described would preclude class members from obtaining compensation. Yet as I have earlier found, there is no power under s 52 of the Privacy Act to award compensation if a class member fails to establish that they have suffered loss or damage as a result of the breach of privacy and that view was reflected in Declaration 4 made by the respondent. As such, the statement is apt to mislead a class member. I do not consider that that confusion is sufficiently clarified by the remainder of the notice and, in particular, by statements at [7] and [8] of the notice which might be regarded as inconsistent with the statement at [6]. The class member should not have to try and work out which statement accurately reflects the position. In this regard, I agree with the applicants’ submission in the ASFIC at [55] that:

A notice to class members that seeks to communicate notice of an intention to extinguish legal rights of class members must contain definitive terms in order to command the required level of attention. For example, an appropriately framed warning would read: ‘If you do not respond to this notice, you will lose any entitlements you have to compensation’.

(2) There is no clear description, or examples given, of the kind of loss or damage for which compensation may be awarded. The notice fails to explain that compensation may be awarded for financial loss or, for example, for emotional distress, anxiousness, stress, sleeplessness, or fear which may not amount to a diagnosable psychological or psychiatric condition. Indeed, the references to medical reports might well lead a class member to assume that compensation may be awarded only for diagnosable mental conditions.

(3) It was helpful for the notice to state that statutory declarations and signed statements should be in the class member’s own words and that those provided “in a standard form will be given little weight”. However, the notice would be improved if that statement were better expressed in lay terms such as, for example, explaining that standard form statutory declarations or signed statements in relation to a class member’s claim are not sufficient to establish that they have suffered loss or damage.

(4) The statement at [8(d)] that “Letters written on your behalf, which are not in your own words, will be given little weight” is ambiguous. The phrase could have a number of different meanings, including: letters written by another person on behalf of a class member which the class member then signs, letters written by a lawyer or other representative making a submission which accompanies a statement or declaration from the class member, or letters written by other persons who have personal knowledge of the impact of the data breach upon the class member in support of the class member’s claim for compensation. The potential for ambiguity is heightened where it is likely that the notice will have to be translated for the class member.

(5) While the notice at [8(a)] states that the class member should provide all the information which the class member considers to be relevant, it is not clear that this can include evidence from other people such as family and friends who may have observed the impact of the data breach on the class members. Indeed, the notice at [8] implies that the only documents which will be of relevance are statutory declarations or signed statements from the class member and medical reports. In particular, the statement at [8(d)] might be read as suggesting that evidence from other people aside from the class member will not be relevant (unless a medical professional). Yet there is no inherent reason as to why evidence of that nature could not be relevant and persuasive.

(6) In explaining that the information “may” be in the form of a statutory declaration or signed statement at [8(b)], the notice fails to make it clear that the information from a class member should in fact be provided in such a form, while at the same time [8(d)] introduces a further confusing element in referring to “letters”.

(7) The notice stated that “[m]edical reports prepared after the date of this Notice will be given little weight” (at [8(c)]), without there being any apparent justification for a blanket rule to that effect, as appears to have been accepted by the Other Party and the applicants. Indeed why, it might rhetorically be asked, should an expert medical report prepared by an independent professional be given less weight merely because it was prepared after the date of the notice? Courts and tribunals act on the basis of such evidence every day. It is also unrealistic to expect that class members will necessarily have obtained medical reports prior to receipt of the notice.

(8) The notice also confusingly states at [8(e)] that "The Commissioner may not consider information that is provided after the deadline below” while also stating at [10] that “You must send any information by: 4:00 pm on 19 April 2018” (emphasis added). While a discretion to receive information submitted after the deadline is a desirable feature, there was a tension between these statements which did not make the position clear.

  1. In short, in these circumstances I agree with the applicants’ submission in the ASFIC at [63] that:
It is not appropriate to have assumed that class members understood the 2018 notice, were able to follow the instructions in it, or had sufficient information to enable them to effectively engage in the process.
  1. Nor, I would add, was the notice correct or fair in certain fundamental respects, including with respect to statements as to the weight which would be given to certain kinds of evidence.
  2. In so finding, I accept that the task of drafting a notice which is sufficiently clear and fair is a complex one, given the particular vulnerabilities and disadvantages from which members of the relevant class here are likely to suffer. For this reason, I also consider that the assistance of expert translators should be sought in order to ensure that the notice is expressed in plain English, having regard to those considerations which are likely to facilitate its translation into different languages: see e.g. the plain English strategies when working with interpreters identified in the Judicial Council on Cultural Diversity, Recommended National Standards for Working with Interpreters in Courts and Tribunals (2nd ed, 2022), Standard 14 at pp. 49 and 92–94 (JCCD National Recommended Standards).
  3. Thirdly, I accept the applicants’ submission that an inference can properly be drawn that it is likely that a substantial part of the class did not in fact understand the notice. That inference can reasonably be drawn having regard to the composition of the group and their particular vulnerabilities and disadvantages, the deficiencies in the notice itself, and the following factors:
    (a) the low proportion of class members who provided submissions or evidence (1,297), as opposed to the high proportion of class members who registered interest (2,579) and thereby indicated their initial intention to participate in the process; and

    (b) the high number of individual complaints received by the respondent regarding the data breach (being at least 1,757).

  4. From this evidence, it is apparent that a substantial number of the individual complainants have not provided submissions or evidence in response to the notice; nor have they formally opted out, notwithstanding they took the initial significant step of lodging a complaint.
  5. The Other Party disputes this inference given that, first, 73 class members asked for assistance from the OAIC via the phone number or email address provided on the notice. Therefore the notice was effective at directing class members who did not understand it to contact the respondent, who then provided further information and support. Secondly, the Other Party submitted that it does not follow that the notice was inadequate merely because there were fewer class members who provided submissions or evidence to the respondent as opposed to the number of class members who "registered interest" in response to the notice. Rather, the Other Party submitted that the smaller number of people who provided submissions or evidence could equally be attributable to a range of other factors, including that it would have taken class members too much time to prepare the material, they simply forgot to do so, or that they may not have had any evidence of loss or damage to provide.
  6. However, with respect to the first submission, 73 queries across thousands of class members is not a safe basis on which to infer that most of the class members understood the notice, or understood that they could contact the respondent to seek further assistance.
  7. With respect to the second submission, I accept that there may be a number of reasons why a low proportion of submissions were received. However, I also accept the applicants’ evidence that class members, who have lodged complaints or registered their interest without providing submissions or evidence, may have found it difficult to understand the notice for a number of reasons, including that:
    (a) they were unaware of the process, having never received the notice;

    (b) a significant amount of time had passed between the incident, notification of the incident, and the commencement of the respondent’s process;

    (c) they had misunderstood the process, including that they were unaware that they may be eligible to obtain financial compensation for harm or loss suffered by reason of the data breach, and that they would be required to take active steps to determine their eligibility;

    (d) they had believed that being directly informed that they had been affected by the data breach by the Department, or otherwise previously expressing their concerns directly to the Department, would have naturally included them in any such processes without requiring them to take further active steps;

    (e) those who were still having their protection visa applications being determined believed that making a submission would jeopardise the outcome of their visa applications, and were reluctant to be in a position where they may be challenging the same authority determining the fate of themselves and their family;

    (f) they believed that documentary evidence of egregious loss or harm was necessary for a successful outcome;

    (g) they did not have the physical or mental capacity to engage with another complex legal process that involved significant complexity and for which the benefit to be derived was uncertain, where they were otherwise overwhelmed with their protection visa process and/or other life circumstances; and

    (h) the legal representatives from whom they had sought assistance were resource constrained or lacked the relevant expertise to assist them in engaging with the process.

  8. Based on the above evidence, and taken together with the vulnerable characteristics of the class, I agree with the applicants’ submission that it should not be inferred that those individuals who did not respond to the 2018 notice had elected not to pursue compensation. Rather, the lack of response is likely attributable at least in part to the inadequacy of the issued notice.

5.1.3. Issue (c)(iii): Should all class members be given a further opportunity to make submissions or provide evidence of loss or damage and, thus, to become class members who are eligible for an award of compensation in this representative complaint?

5.1.3.1 Whether it is inappropriate to issue a new notice to all class members

  1. The Other Party disputes the applicants’ contention that there is utility in issuing a new notice as it did not accept that the 2018 notice was deficient and there was no evidence to suggest that a further notice would reach a larger number of class members than those notified in 2018. The applicants however submit that the Other Party’s contention ignores the deficiencies in the 2018 notice in properly advising those class members who did receive the notice of the process and their entitlements, as well as ignoring the circumstances of those class members who have since been made aware of the 2018 notice and/or the respondent’s Determination and have positively indicated that they wish to make a claim for compensation. In effect, the applicants submit that there is already a known cohort of class members who would substantially benefit from a further notification process.
  2. Furthermore, class members would not be prejudiced by the further notification process. The position of class members who have provided submissions or evidence in response to the 2018 notice is already preserved. Additionally, class members who had not provided submissions and evidence in response to the 2018 notice would now have the opportunity to pursue a claim.
  3. The applicants submit that the Tribunal should re-exercise the notification power, and include a consequent notice with additional and clearer information about the process and what class members need to do to establish an entitlement to compensation. However, keeping in mind the extensive steps that were taken by both the Department and the OAIC to disseminate the notice to class members, I agree with the Other Party that it is inappropriate to require further steps to be taken to try to compensate all of the class members who have not sought to articulate any loss or damage and fail to provide a reasonable explanation for failing to do so. Examples of a reasonable explanation might potentially include: a mistaken view under the 2018 notice that compensation was not available for fear, anxiety or distress, or financial loss; a mistaken view that a medical report prepared after the 2018 notice would not be given any weight; or illness which prevented the class member from being in a position to respond to the 2018 notice. However, it is important to emphasise that each case will turn upon its own individual circumstances.
  4. It follows that I agree with the applicants’ alternative position whereby any ‘new’ claims would be limited to those class members who can provide a reasonable explanation for why they did not submit materials following the 2018 notice. This position essentially aligns with the Other Party’s alternative position, and is the preferable course to be taken for the reasons given below.

5.1.3.2. A new notice should be issued to class members to provide those with a “reasonable explanation” for not responding to the 2018 notice with another opportunity to participate in the compensation scheme

  1. At the hearing, the Other Party accepted that there was no real difference between the text of a “reasonable excuse” and a “reasonable explanation”. I prefer the latter expression which does not convey any possible implication that class members who did not provide information in response to the 2018 notice might have been at fault. Accordingly I have adopted the wording of “reasonable explanation” in the Determination.
  2. The elements of the new notice regime under the Determination are as follows.
  3. First, non-participating class members who provide a reasonable explanation, together with those who already registered, should be permitted to take part in the scheme. The scheme administrator is to determine whether or not it is satisfied that a reasonable explanation has been given for the failure to participate in response to the 2018 notice.
  4. I note that at one point, it was submitted by the Other Party that the question of whether a person has a reasonable explanation be remitted to the respondent. However, as the respondent submitted, it is by no means clear that the Tribunal would have power to remit a new issue to the respondent under s 43 of the AAT Act. In any event, that would not be the correct and preferable approach and was ultimately not pressed. The appropriate person to consider whether a non-participating class member has provided a reasonable explanation for not making a submission or providing evidence to the respondent is the scheme administrator.
  5. Secondly, new members with a reasonable explanation will be given an opportunity to put on evidence to establish that they suffered loss or damage as a result of the data breach. Furthermore, with respect to those who have already put in evidence, the Other Party accepted that it was appropriate for those individuals to have the opportunity to put on further material should they so wish, noting that the new participating members would have the benefit of the new notice and given the lapse of time. I agree. In addition, as the applicants submitted, the opportunity to update or supplement material reflects the fact that personal injuries may have resolved, stabilised, worsened, or been diagnosed. Furthermore evidence might not have been previously available or the class member might not have considered it necessary to provide evidence. The key conceptual issue is that, while there is an opportunity to put on material, the onus is on the individual class member to do so should they so wish.
  6. Thirdly, the Other Party correctly resisted the suggestion that the scheme administrator should review the class member’s material and decide whether their material is sufficient for the purposes of the scheme, or whether the class member should be afforded a further opportunity to present more information. An obligation to that effect would inevitably lead to dispute, and require the scheme administrator to adopt an inquisitorial role which would increase costs and take considerable time (see further at [190] below). Rather, as is almost invariably the case in the context of applications in the administrative law context, the onus should lie on an applicant (relevantly here, the class member) to identify the material on which they wish to rely and make submissions. This approach in turn emphasises the importance of ensuring that the notice provides clear information to class members about the process and what they need to do to establish an entitlement to compensation.
  7. To conclude on this issue, I agree with the Other Party’s alternative position, and have included a direction in the orders to the following effect:
    (a) Within 28 days after the scheme administrator's appointment, the scheme administrator is to publish a notice inviting:
    (i) participating class members to make submissions or submit updated and/or supplementary submissions and/or evidence; and

    (ii) class members who did not respond to the 2018 notice to submit an application to participate in the compensation assessment scheme;

    (b) Non-participating class members who seek to participate in the compensation assessment scheme are to submit an application to the scheme administrator within three months of the scheme administrator publishing the notice. In their application to the scheme administrator, a class member would need to give a reasonable explanation as to why they did not respond to the 2018 notice, as well as sufficient identifying details to enable the Department to verify that they were subject to the data breach.

    (c) Declaration 4 is to be set aside and a declaration made in its place to the effect that class members who:

    (i) did not provide a submission and/or evidence to the respondent within the timeframe specified by the OAIC and did not opt out; and

    (ii) do not provide a reasonable explanation for not making submissions or providing evidence in response to the 2018 notice within the specified period;

    have not substantiated that they have suffered any loss or damage as a result of the interference with their privacy and it would be inappropriate for any further action to be taken in relation to those individuals.

  8. Finally, I interpolate that the applicants also submitted that it was appropriate for the parties to confer on the contents of the notice and suggested that the Tribunal might approve the content of the notice once the parties have collaborated. However, I consider that that step would be unnecessary and productive of further delay. Rather, the scheme administrator should settle the notice, without any need to further involve the Tribunal. It is a matter for the scheme administrator to consider as to whether to involve the parties in settling on the terms of the notice.

5.2. Issue (d): As to Declaration 2 of the Determination: what is the correct and preferable method for assessing compensation for individuals affected by the data breach?

5.2.1. Issue (d)(i): Who is the correct and preferable administrator of the compensation assessment scheme?

  1. The question of the appropriate scheme administrator raises issues of actual and perceived independence and impartiality, costs, efficiency, and appropriate expertise. In my view, the scheme administrator should (among other attributes) be a law firm that is independent of the Other Party and of class members:
    (a) with appropriate expertise in personal injury and privacy law;

    (b) which has not represented or advised the Other Party or the Minister for Immigration, Citizenship and Multicultural Affairs with respect to any matter arising from the data breach or in proceedings related to the grant or refusal of a visa or Australian citizenship;

    (c) which has not represented or advised any of the class members in relation to this proceeding; and

    (d) is appointed to the Commonwealth Whole of Australian Government Legal Services Panel in the areas of compensation, damages and personal injury, and freedom of information, privacy and public interest disclosure.

5.2.1.1. Applicants’ primary position: Slater & Gordon should be the scheme administrator

  1. The applicants submit that their solicitors, Slater & Gordon, should be appointed as the scheme administrator.
  2. The applicants’ initial position, found in the ASFIC and pressed until midway through the hearing, was that Slater & Gordon should be appointed scheme administrator while continuing to act as the legal representatives for the applicants. The applicants submitted by analogy that, in class actions under Part IVA of the Federal Court Act, it is “entirely orthodox” for the Court to appoint the law firm representing the lead applicant to be the administrator of a distribution scheme.
  3. The applicants submitted that any suggestion of a conflict is exaggerated and can be “dealt with” or managed. However, with respect, it is difficult to see how the obvious conflict which appointing the solicitors for the applicants as scheme administrator could be suitably managed in circumstances where the scheme administrator is not merely, for example, distributing a set amount of compensation to each participating member of the class. Specifically, it is difficult to see how Slater & Gordon could simultaneously act in the best interests of their clients while at the same time discharging the role of scheme administrator in assessing individual claims in an independent and impartial manner.
  4. In support of their submission, the applicants relied upon Casey v DePuy International Ltd (No. 2) [2012] FCA 1370 as a precedent for the appointment of the solicitors acting for class members as the scheme administrator. In Casey, the Federal Court approved a settlement scheme for a class action that did not set the total amount of compensation payable by the defendants. The class members sought compensation in relation to implants used in knee replacement surgery, which the plaintiff contended were not reasonably fit for purpose, were not of merchantable quality, and were negligently manufactured.
  5. However, I agree with the Other Party that Casey is not a useful analogy in this instance, for the following reasons:
    (a) the scheme in Casey provided for a minimum amount of compensation to be paid to each class member, with higher amounts payable only where an objectively assessed consequence had resulted from the affected implant;

    (b) the loss and proof that formed the subject of the scheme in Casey, being whether an individual had surgery, is different in nature to the loss under the scheme being devised in the present proceedings. Thus, the scheme in Casey was based on the existence of objective facts and did not require a subjective assessment of credibility or consideration of other potential causes of injury. By contrast, the scheme administrator under the present scheme must, in each case where evidence of loss or damage is provided:

    (i) assess the credibility of the claimed loss or damage;

    (ii) make an evaluative judgment as to the weight (if any) to be given to particular evidence, and the degree of severity of loss and damage suffered, so as to determine the appropriate category of loss or damage; and

    (iii) ultimately fix upon a specific amount (if any) of compensation to be awarded;

    (c) under the scheme as determined by me, the number of participating class members may increase depending on whether the scheme administrator considers that a class member who failed to respond to the 2018 notice has provided a reasonable explanation for failing to do so. By contrast, the size of the class in Casey was restricted to a set number of class members, namely, those who had received the implants (of which 5,071 were used in Australia) and had not opted out. Thus, as the Other Party submitted, this feature of the class in Casey, combined with the limits on how compensation for a particular class member could be increased, restricted the capacity of the scheme administrator's approach to affect the outcome of the assessment of compensation for a class member; and

    (d) a detailed set of obligations applied with respect to the costs payable to the applicants’ solicitors in Casey, Maurice Blackburn, to administer the scheme.

  6. As I have mentioned, the applicants’ position changed during the course of the hearing. In closing submissions, the position ultimately adopted by the applicants was that Slater & Gordon would cease to act for the applicants at the end of this current proceeding. The applicants submitted that this would eliminate the conflict of interest. In addition, the applicants updated cls 3.2 and 3.3 of their proposed scheme so as to provide that the scheme administrator was prevented from acting for any particular class member.
  7. Notwithstanding the applicants’ change in position, I agree with the Other Party that their final position did not effectively address the conflict of interest. It remains the case that the scheme administrator must both be and appear to be impartial. This requirement of impartiality is necessary even in the absence of the scheme administrator taking an inquisitorial role in the scheme to review and determine the sufficiency of the material submitted by class members (as submitted by the applicants and explained above at [129]).
  8. First, the concerns with respect to the appearance and reality of independence and impartiality of the scheme administrator do not evaporate upon Slater & Gordon ceasing to act for the applicants. As counsel for the Other Party correctly submitted, “in terms of Slater and Gordon’s role, they do currently act for class members or representative class members in these proceedings. They’re intimately connected with one side of the ledger in these proceedings”. That being so, it puts the firm in my view in an impossible position if the firm ceases acting for class members and then proceeds to make the kind of credibility and evaluative decisions about the claims made by class members to which I have adverted. Further, given Slater & Gordon’s role in this proceeding, it is highly likely that class members would be confused as to its role if the firm were to cease acting for any class members and assume the role of scheme administrator with the attendant duties of independence and impartiality. In my view the likelihood of such confusion is also a compelling reason as to why it would not be desirable to appoint Slater & Gordon in this role.
  9. Secondly, I accept that Slater & Gordon has substantial expertise in assessing damages for non-economic loss in the context of personal injury litigation, including in the Manus Island class action (noting that there, it also agreed not to act for any of the class members). However, in the Manus Island class action, Slater & Gordon’s role was to distribute an agreed total sum of compensation between class members; in other words, its assessment of loss could not impact the defendant's overall liability, whereas in this case, the assessment of a class member's loss is ultimately uncapped (depending on which category their loss or damage falls into) and the total amount of compensation payable to the class is uncapped.
  10. Thirdly, I also accept that Slater & Gordon already has extensive knowledge of, and familiarity with, the matter, which would likely result in efficiency through implementation of the scheme. I also accept that Slater & Gordon has appropriate expertise. However, these considerations apply equally to Clayton Utz, who act for the Other Party in this proceeding, and do not outweigh the difficulties otherwise outlined with appointing Slater & Gordon as scheme administrator.
  11. In the fourth place, the applicants submit that class members are likely to place greater trust in Slater & Gordon than the Department, such that it may encourage their engagement with the process, and discourage disputes of assessments. It is possible that Slater & Gordon assuming the role of scheme administrator might have these consequences for some class members. It is more likely however, in my view, that Slater & Gordon’s changed role would lead to confusion among class members as to Slater & Gordon’s precise role in the scheme (as I have earlier found). That is a matter on which I place greater weight together with the fact that the conflict of interest would not be effectively addressed simply by Slater & Gordon ceasing to act for any class members.

5.2.1.2. Other Party’s primary position: Clayton Utz should be scheme administrator

  1. The Other Party contends that its external legal advisers, Clayton Utz, should be appointed as the scheme administrator. While there was also a suggestion by the Other Party that Gilbert + Tobin might be appointed together with Clayton Utz, submissions were not ultimately put by the Other Party in support of that position and it is not clear how that suggestion might logistically operate.
  2. The Other Party submits that the Department’s legal representatives are best placed to administer the scheme, have the requisite experience, and have put in place systems to facilitate the assessment process such that, once the proceedings are determined and the compensation scheme is finalised, assessments will be able to occur, and compensation paid to class members, in an efficient and effective manner. In particular:
    (a) the Other Party's representatives have been advising the Department on this matter since October 2014, and therefore have a significant understanding of the factual and historical background to this matter;

    (b) the Other Party's representatives have developed an online document management platform tailored to undertaking assessments of loss or damage, and have drafted a suite of template correspondence to facilitate the assessment process, and are in a position to start undertaking the assessment process immediately;

    (c) the Department's legal representatives have considerable class action and Privacy Act expertise, including assessing claims for compensation under the Privacy Act; and

    (d) the Department itself does not intend to take an active role in the assessment of claims, such that the conflict of interest that the applicants suggest is inherent in the Department’s legal representatives administering the compensation scheme, does not arise.

  3. I accept each of the considerations in (a) to (c) above with respect to Clayton Utz. Further, with respect to (d), I accept that the Department will not have a role in assessing claims, that role being vested in the scheme administrator. However, I do not consider that Clayton Utz is an appropriate scheme administrator to assess class members’ entitlements to compensation, for two key reasons.
    (a) The apparent conflict arises because Clayton Utz acts for the Department which is the wrongdoer liable to pay compensation. As a consequence, if Clayton Utz were then to act as the scheme administrator, there would be a perceived conflict of interest and class members may be discouraged from participating in the process.

    (b) I agree that it is a favourable factor that the Department and, contractually, its representatives are subject to the model litigation obligations set out in the Legal Services Directions 2017. Additionally, it is also favourable that the Other Party (and its insurer) are required to ensure that the compensation assessment process is completed in an efficient, effective, economical and ethical way: s 15 of the Public Governance, Performance and Accountability Act 2013 (Cth). However, Clayton Utz is not the only law firm subject to those obligations. The same contractual obligation to provide services in accordance with the model litigant obligations ordinarily applies to any law firm chosen in a procurement process from the Panel which, as I explain below, is the correct and preferable approach.

5.2.1.3. Independent law firm selected from the Commonwealth Whole of Australian Government Legal Services Panel

  1. The alternative position of both the applicants and the Other Party is that the scheme administrator should be an independent law firm.
  2. The Other Party contends that the firm should:
    (a) have appropriate expertise in personal injury matters and privacy law;

    (b) have sufficient resources to undertake the compensation assessment task in an efficient manner; and

    (c) be drawn from the Panel in accordance with the Commonwealth procurement processes which require, among other things, an open tender and selection process according to value for money.

  3. I agree that this is the appropriate and preferable approach, given that administration of the scheme involves the expenditure of public moneys and therefore the Commonwealth’s standard accountability mechanisms should apply. I am also satisfied that the essential method for appointing the scheme administrator suggested by the Other Party has appropriate protections in place to ensure that an appropriate, independent and impartial scheme administrator is appointed. The essential elements of that scheme include:
    (a) the Department of Finance is to prepare the request for quote (RFQ) after considering any comments from the applicants’ solicitors; and

    (b) the Department of Finance is to issue the RFQ and assess each response on a value for money basis, having regard to each provider’s expertise and experience, and to identify a provider as the scheme administrator.

  4. Furthermore, there are at least nine law firms on the Panel (with the exception of Clayton Utz) which meet the criteria of having personal injury experience and privacy law expertise, with a number of those firms being experienced in large scale litigation practice (second Temby affidavit at Annexure 12). This means that there are a number of firms available to participate in a procurement process.
  5. I also accept that there are a number of key advantages in choosing a Panel firm to administer the scheme via the procurement process.
  6. First, as I have already explained, these firms would be subject to the model litigant obligations and have experience in complying with them.
  7. Secondly, these firms will have already agreed to certain government rates, which are ordinarily below the standard charge-out rate of law firms. This is especially significant where the scheme will involve the expenditure of public monies, as I have already explained.
  8. Thirdly, I do not accept that the appointment of a Panel firm selected from a procurement process would give rise to any apprehension of bias simply because a Panel firm acts for government clients. The mere fact that a law firm acts for government clients does not of itself mean that they are precluded from acting for persons against the government.
  9. Finally, I note for completeness that the Other Party proposed that, if an independent law firm is appointed as scheme administrator, the legal services provider should be acceptable to the respondent as a potential scheme administrator. However, the respondent did not consider that this proposal was either appropriate or necessary.

5.2.2 Issue (d)(ii): What is the correct and preferable manner for working out class members’ compensation (ss 52(1)(b)(iii), 52(4)(a), 52(5)(a)), and for determining any dispute regarding class members’ entitlement to compensation (s 52(5)(b))?

  1. Two issues remained between the parties as to the manner of working out compensation for class members: (1) what are the tariffs and ranges for compensation; and (2) what scheme should be in place for review of decisions by the scheme administrator where the class members disagree with the proposed compensation assessed by the scheme administrator.
  2. In the first instance, it is convenient to set out the principles underlying the process of assessing compensation in order to ensure that the awards are appropriate, are proportionate to the seriousness of the privacy breach in question, and are consistent with awards in other Privacy Act determinations. In that respect, the applicants and the Other Party approached the issue from opposite ends of the spectrum.
  3. First, it is evidently necessary to consider the seriousness of the data breach. The applicants submit that this data breach is a particularly serious one, and the consequences of the breach may yet be particularly harmful and far-reaching, for the following reasons:
    (a) the personal information concerned is particularly sensitive and disclosure of that information may be harmful to the individuals concerned;

    (b) as earlier explained, the disclosure is essentially open-ended in that there is no certainty as to how far the information has disseminated, or who has access to it (or, indeed, who may gain access to it at some point in the future);

    (c) there is no effective way to remediate or prevent harms which might flow from the disclosure;

    (d) the disclosure of the personal information may not only adversely affect class members, but also family or friends of class members in ways that class members can do very little to mitigate or guard against; and

    (e) the effects or consequences of the disclosure of the personal information may arise at any time in the future if other parties have, or in the future gain, access to the information.

  4. It is not in dispute that, in the most extreme cases, the data breach has the potential to cause significant harm. It is for this reason that both the applicants and the Other Party accept that compensation for the highest categories of loss should be uncapped. Equally, however, it has long been recognised that awards of compensation under the Privacy Act should be restrained, as the Other Party submits. In this case, there are a number of particular factors weighing in favour of restraint in the amount of compensation awarded, namely:
    (a) the nature of the information disclosed by the data breach was basic identification information;

    (b) it is not the case that any details of class members’ applications for protection claims were released online;

    (c) the accessibility of class members’ personal information to third parties was in practice more limited than in other cases, in that:

    (iv) class members’ personal information was disclosed in a spreadsheet, which contained information pertaining to 9,257 other individuals;

    (v) the spreadsheet was embedded in a report published on the Department’s website; and

    (vi) the spreadsheet was not viewable unless the viewer clicked on the specific table in the report which contained the embedded data;

    whereas in earlier cases, for example, the personal information was obvious on the face of the material disclosed which had been widely disseminated or the personal information was given directly to persons who knew, or knew of, the applicants;

    (d) the data breach was inadvertent, the result of human error and was not done to advantage the Department in any way;

    (e) the data breach disclosed the personal information of individuals for a total period of 17 days; and

    (f) the Department took steps to remove the content from public access within a very short time of being notified of the breach.

  5. Secondly, the compensation assessment scheme established in this case should be broadly consistent with previous awards under the Privacy Act. As DP Humphries, for example, stated in NWFQ at [83]:

it is incumbent on a decision-maker under this Act to calibrate any award of damages with similar awards made under the same Act, as opposed to, say, damages awarded in personal injuries cases. This reflects the reality that a different yardstick is required to measure loss or damage flowing from a breach of privacy from harm sustained under other areas of jurisprudence.

  1. Thirdly, the applicants seek to rely upon the award made in the decision in Richardson which concerned a breach of the Sex Discrimination Act in support of the greater amounts of compensation sought by them. I agree with the Tribunal in Rummery that the principles governing the assessment of compensation under s 46PO of the AHRC Act, as articulated by the Full Court in Richardson, apply by analogy to s 52 of the Privacy Act (as I have earlier discussed). However, it does not follow that awards of compensation for a breach of a discrimination law necessarily provide a guide to the amount which should be awarded for a breach of the Privacy Act. To the contrary, I agree with the Other Party that the question of whether assistance can be gained from comparisons with damages awards made in different fields of law needs to be approached with caution. In this regard, as the Other Party submits, Richardson involved sustained and humiliating sexual harassment and demonstrated significant psychological effects. The Court held that there was a substantial historical disparity between typical compensatory damages provided to victims of sexual discrimination and harassment of the kind suffered by the appellant and those awarded to victims in situations not wholly unlike the appellant’s in other fields (at [109] (Kenny J) (with whose reasons Besanko and Perram JJ relevantly agreed at [119])). That disparity, the Court held, was attributable to the failure for such awards to reflect the greater appreciation by the community of the hurt and humiliation which victims of sexual harassment suffer and the value of loss of enjoyment of life occasioned by mental illness or distress caused by such conduct (at [117] (Kenny J)). It was this reasoning which underpinned the substantial increase in the award of damages made in that case from $18,000 at first instance to $130,000 on the appeal. However, there is no analogy between the facts underpinning the Full Court’s assessment of the appropriate award of damages in Richardson and the present case; nor was the basis on which such an analogy should be drawn expanded upon by the applicants in submissions.
  2. More generally, as the Other Party submits, privacy complaints (and particularly data breach complaints) occur in a different factual context to cases in other areas of law. As Lady Justice Arden held in Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 (at [26]) (with whose reasons Lloyd LJ at [38] and Ryder J at [49] agreed) in dismissing an appeal against the rejection of the appellant’s claim for substantial damages for distress by reason of a breach of the Data Protection Act 2018 (UK):

... the field of discrimination is, it seems to me, not a helpful guide for the purposes of data protection. Discrimination is generally accompanied by loss of equality of opportunity with far-reaching effects and is liable to cause distinct and well-known distress to the complainant.

  1. Fourthly, to the extent that the applicants seek to rely on compensation awards made in other privacy cases, I agree with the Other Party’s submission that little guidance can be gleaned from authorities involving factual situations that are vastly different from the present. The $US5 billion penalty imposed on Facebook by the US Federal Trade Commission for the Cambridge Analytica data-mining scandal on which the applicants seek to rely, is an example in point, being self-evidently factually distinct.
  2. Fifthly, it must be kept firmly in mind that the nature of damages under s 52(1)(b)(iii) is expressly “compensat[ory]”. It follows that I agree with the Other Party that it is not appropriate to structure the compensation assessment scheme made under the Privacy Act by reference to larger awards simply because of increased public awareness of and attention to matters of privacy”.
  3. I now turn to the tariffs and ranges of compensation proposed by both the applicants and the Other Party.

5.2.3. Issue (d)(iii): What are the correct and preferable categories of non-economic loss (both as to magnitude of harm and as to quantum) to which individual class members should be assigned for the purposes of assessing their compensation for the data breach?

5.2.3.1. Applicants’ categories of non-economic loss and fixed amounts of compensation

  1. The applicants submitted in closing that the Tribunal should specify fixed amounts of compensation for each category of non-economic loss and damage, as opposed to ranges of compensation within each category, for the following reasons:
The starting point is that this is a case where your Honour is empowered to order that compensation, as distinct from damages, be paid to class members. And damages assessments or assessments in compensation and non-economic loss are not exercises in precision, but instead, exercises in judgment.

The Commissioner cites an authority for that. We’ve provided Victoria v Turner [for]... that proposition as well compensation for non-economic loss is intended to be broad brush. Now, why I raise that point is because one of the criticisms of the scheme proposed by the Secretary is the ranges issue. And ranges invite or require someone to arrive at a particular point in the range. And because of the designation of those ranges, it can yield a situation, and we submit does yield a situation as exemplified in AP4, where there’s a suggestion that the assessment is more precise than what it’s actually meant to be.

The way to solve that, we submit, and also balance the objectives of speed, efficiency and fairness, is to adopt the approach where there is just a fixed sum, as your Honour has seen in the table of the applicants. That fixed sum approach also is not a novel one ...

But this grid-style settlement distribution scheme is what often occurs in United States class action settlements and is what occurred in the knees implant class action settlement, which the learned authors discussed. So what the applicants propose in terms of zero, 5000, 10,000, 15,000 and so forth, that’s orthodox as well.

...

[This approach is] broadly consistent in the sense of the Secretary suggests a range, but we fix a particular number without need to spend any more time working out where in that range someone should land.

  1. The applicants’ approach to assessing quantum, as outlined in its revised scheme, is relevantly as follows:
    (a) participating class members should be assessed for other non-economic loss (ie. ‘general damages’ or damages for pain and suffering) against a set number of categories capable of ready application by experienced personal injuries practitioners, but doing away with ranges which are productive of inconsistency and artificial distinctions, and which arise due to subjective judgment;

    (b) participating class members who demonstrate a physical or psychiatric injury of a sufficiently serious level (and meeting the statutory ‘by reason of’ causation test) should be compensated for that injury in accordance with ordinary common law principles; and

    (c) participating class members should be compensated for any substantiated economic loss (meeting the statutory ‘by reason of’ causation test) in accordance with ordinary common law principles.

  2. The applicants propose that the scheme administrator assess a compensation amount for each participating group member in accordance with the categories below.

| Non-economic loss category | Quantum of compensation |
|---|---|
| Non-economic loss in relation to particular human rights having been nullified or impaired | $10,000 |
| Other non-economic loss: | |
| 0: The individual has not provided a submission and/or evidence that substantiates loss or damage by reason of the data breach | $0 |
| 1: General anxiousness, trepidation, concern or embarrassment, by reason of the data breach | $5,000 |
| 2: Anxiousness, fear, pain and suffering, distress or humiliation, by reason of the data breach, which is or was prolonged or is or was accompanied by physiological symptoms such as loss of sleep or headaches, and where there is no Category 5 Injury. | $10,000 |
| 3: Anxiousness, fear, pain and suffering, distress or humiliation, by reason of the data breach, which is or was the subject of consultation with a medical professional, and where there is no Category 5 Injury. | $15,000 |
| 4: Any mental health condition by reason of the data breach, which is or was the subject of treatment by a medical professional, and where there is no Category 5 Injury. | $20,000 |
| 5: Any situation where there has been a diagnosis of a physical or recognisable psychiatric injury by reason of the data breach and where the non-economic loss is at least 15% of a most extreme case (Category 5 Injury). | > $25,000 |

  1. As to the base category proposed by the applicants, I have already rejected the applicants’ submission that participating class members should receive a base amount of compensation for non-economic loss in recognition of the fact that they have had their rights breached and which has caused loss and damage. As to category 5, I have earlier explained that it was common ground that the amount of compensation payable for those class members who have suffered loss or damage at the most extreme level should be uncapped.
  2. While the Other Party accepted that the applicants’ categories 1–4 were substantially similar to those proposed by it, the Other Party took issue with a number of the applicants’ categories for the following reasons.
    (a) The amounts of quantum in each category set out in the applicants’ table are “out of step” with previous awards made under the Privacy Act (which are outlined in Annexure C of the OPSFIC).

    (b) Category 3 has a very low entry threshold in the sense that the class member does not need to have any physiological symptoms or harm and there is no gradation in the sense of moderate levels of anxiousness or any type of qualitative label. Further, it is illogical and idiosyncratic that an individual may fall within category 3 simply by consulting with a medical professional, without any requirements for physiological symptoms as required by category 2.

    (c) It is unclear what a “mental health condition” is in category 4. The Other Party submits that its category 4 requiring a “diagnosed psychological or other medical condition” is clearer and more precise.

    (d) The requirement in category 5 for non-economic loss to be at least 15% of the most extreme case is “unwieldy and unclear”, and is a concept grounded in principles with respect to personal injury claims under the Civil Liability Act 2002 (NSW) rather than the Privacy Act. In the Other Party’s submission, not only is this “importing into a Privacy Act scheme a concept from state legislation”, but determining 15% of the most extreme case is extremely difficult, unnecessary and confusing.

5.2.3.2. The Other Party’s categories of non-economic loss and ranges of compensation

  1. The Other Party contends that the Tribunal should not adopt the applicants’ submission that compensation should be assessed on a different basis from past awards under the Privacy Act by having regard to the UK cases under the Human Rights Act.
  2. Rather, the Other Party submits that the Tribunal should adopt the respondent’s ranges of non-economic loss as outlined in Addendum A of the original Determination, but with some amendments to the categories. In Annexure B of the OPSFIC (as amended by the Other Party’s Supplementary Note at [19(a)]), the Other Party proposes the following amounts in the five categories set out below. I note the Other Party’s proposed amendments to the respondent’s Determination are identified in underlining and strike-through, while additional amendments which I consider to be appropriate are indicated by italics or square brackets:

| Category | Description | Quantum |
|---|---|---|
| 0 | The individual has not provided a submission and/or evidence that substantiates loss or damage resulting from the data breach | $0 |
| 1 | Minor loss or damage resulting from the data breach (for example, Ggeneral anxiousness, stress fear, anger, stress, worry trepidation, concern and/or embarrassment), resulting from the Data Breach | $500 – $4,000 |
| 2 | Moderate loss or damage resulting from the data breach (for example, moderate anxiousness, stress, fear, pain and suffering, distress and/or humiliation), resulting from the Data Breach, which may has caused minor physiological symptoms, such as some loss of sleep or headaches, and may result in a consultation with a health practitioner | $4,001 – $8,000 |
| 3 | Significant Major loss or damage resulting from the data breach (for example, major or prolonged anxiousness, fear, pain and suffering, distress, humiliation, loss of sleep, and/or headaches)), resulting from the Data Breach, which may has caused psychological or physiological other harm, and may has resulted in a consultation with a health prescribed course of treatment from a general practitioner | $8,001 – $12,000 |
| 4 | Significant loss or damage resulting from the data breach (for example, tThe development or exacerbation of a diagnosed psychological or other medical mental health condition), which has resulted in a prescribed course of treatment from a medical specialist as a result of the Data Breach, resulting in a referral to a mental health [delete specialist and substitute practitioner] treatment | $12,001 – $20,000 |
| 5 | Extreme loss or damage resulting from the data breach | > $20,000 |

  1. The Other Party further submits that its proposed ranges are consistent with past awards under the Privacy Act (see Annexure C of the OPSFIC which outlines such cases).
  2. I interpolate that the Other Party places emphasis on the fact that Slater & Gordon has previously, on 14 October 2018, accepted that the respondent’s quantum ranges were appropriate and reflected previous decisions under the Privacy Act. However, notably only five days later on 19 October 2018, Slater & Gordon revised their assessment and submitted to the respondent that the range of assessments were generally too low. In any event, Slater & Gordon are self-evidently not bound by any position they may have taken in correspondence with the respondent, so that ultimately nothing turns on this argument.
  3. I agree that, subject to the amendments in square brackets and italics indicated in the table above, the Other Party’s proposed ranges and categories are appropriate for the following reasons.
  4. First, a range within each of these categories is the preferable option because it gives assessors flexibility to adapt the quantum to a particular claimant’s circumstances. Within each category, there may be a number of people falling within different points on that range. While a fixed figure may have benefits in terms of efficiency and consistency, this would be at the cost of a more flexible approach which would better calibrate the award of compensation to the loss or damage in fact suffered by the individual and therefore better reflect the requirement under the Privacy Act to award compensation for the loss and damage suffered by the person as a result of the breach.
  5. Secondly, concerns as to consistency in awards of compensation under the Privacy Act are better addressed by the provision of more detailed categories so that the categories themselves give greater guidance and promote transparency about the approach to be adopted to calculating individual awards. In other words, while the categories are more generically labelled as “minor”, “moderate” or “major”, they include additional descriptions which identify the differences between each label. To illustrate:
    (a) while category 1 is labelled “minor loss”, the parenthetical gives express guidance as to what that means, namely general anxiousness, fear, anger, stress, worry, concern or embarrassment;

    (b) similarly, category 2 is premised on the aspect that “moderate loss” includes feelings of anxiousness and minor physiological symptoms such as some loss of sleep;

    (c) furthermore, the “major loss” in category 3 does not necessarily mean the class member has received a formal diagnosis of psychological or physiological harm, but describes three elements (prolonged symptoms, caused type of harm, and consulted health practitioner);

    (d) category 4 includes key aspects where there has been some evidence of treatment; and

    (e) category 5 is unlimited allowing extreme cases to be dealt with on their facts.

  6. Thirdly, the more detailed and descriptive explanations of each category can also be more easily understood and readily translated into foreign languages, a matter which the Other Party accepted was of vital significance.
  7. Fourthly, a consideration of awards made under the Privacy Act indicates that the ranges adopted for each category here are consistent and appropriate. They accord with an appropriately restrained approach to the award of damages in this field without being minimal.
  8. Given my findings, it is not necessary to address the Other Party’s alternative submission, being that if fixed amounts were set, it would be appropriate to adopt the medium figure in each range and not the highest figure.

5.2.4. Issue (d)(iv): What is the correct and preferable scheme for review of compensation decisions?

  1. The similarities between the applicants’ and the Other Party’s schemes are that both schemes:
    (a) commence with an initial assessment by the scheme administrator;

    (b) provide that an assessment will be conducted by an independent external assessor if either or both parties are dissatisfied with the initial assessment; and

    (c) require the production of a written assessment for each of the above-‍mentioned stages.

  2. Evidently, both the schemes proposed by the applicants and the Other Party appropriately recognise the need to incorporate a process for resolving disputes between the Other Party and the class member as to the appropriate assessment of compensation (if any) for non-‍economic loss. However, there are also a number of key differences between the schemes. As I explain further below, the applicants prefer a process of external assessment which is more akin to arbitration, whereas the Other Party’s process leaves room for negotiation between the parties at first instance.
  3. I consider the Other Party’s approach to be the correct and preferable one because it provides a greater opportunity for an agreed outcome to be achieved between the parties, as well as reducing costs and delays in the process.

5.2.4.1. Applicants’ process for external review

  1. In the event that agreement cannot be reached, the applicants propose that an external reviewer will receive either:
    (a) a review request form completed by the participating class member which briefly sets out why the participating class member disagrees with the notice of assessment, and includes any further documents they rely upon for the purposes of the review; or

    (b) a written request from the Other Party for a review, briefly setting out why the Other Party disagrees with the notice of assessment.

  2. The external reviewer under this proposed scheme would conduct a de novo review of the notice of assessment, and may stand in the shoes of the scheme administrator by exercising the powers, and following the process, set out in cls 4.3 to 4.7 of the applicants’ proposed scheme. The review should be completed within 30 days of referral or by such later time as the scheme administrator may direct.
  3. The applicants further propose that, upon the external reviewer completing their review, the external reviewer would provide to the parties a notice of revised assessment, setting out the assessed compensation amount and brief reasons. The reasons would identify the amounts assessed for each category under cl 4.6 and explain why the class member has been assigned to the respective non-‍economic loss category under cl 4.7.
  4. Initially the applicants submitted that the external reviewers must be barristers who:
    (a) during their appointment, are not briefed by either the scheme administrator or by any entity or agency of the Commonwealth for any matter whatsoever; and

    (b) have at least five years’ experience in personal injury matters.

However, at the hearing, the first requirement was not pressed insofar as it would preclude barristers from being briefed by the Commonwealth or any Commonwealth agency.
  1. However, even with that concession, I agree with the Other Party that the applicants’ scheme includes a number of unnecessary steps that would likely increase costs, delay and the potential for dispute.
  2. First, the process described in cll 4.3 to 4.7 of the applicants’ proposed scheme requires the scheme administrator to engage in a quasi-inquisitorial role of evidence seeking. For example, cl 4.5 provides that if the scheme administrator believes that a class member may have suffered a physical or psychiatric injury but does not have evidence of a formal diagnosis, the external reviewer must then “afford the Participating Class Member a reasonable opportunity to obtain such a diagnosis”. The applicants submit that this aspect of the proposed scheme is not intended to impose any requirement on the scheme administrator to facilitate the obtaining of any diagnosis. Rather, it is submitted that as a matter of procedural fairness, the process is intended to provide an opportunity to class members to do so, acknowledging the reality that a number of the particularly vulnerable class members will not understand the exact requirements of the scheme.
  3. However, the scope of the procedural obligation upon the scheme administrator nevertheless appears to be unclear, and has the potential to significantly delay the process. Even if the class member had not put forward any material, the scheme obliges the scheme administrator to put that class member on notice and provide them with a reasonable opportunity to obtain evidence. The scheme is unclear about what obligations are placed on the scheme administrator to facilitate the obtaining of evidence, or whether a deadline should be set. I agree with the Other Party that the applicants’ scheme not only creates further delay, but “blurs the role of the scheme administrator with the role of an entity giving advice”. This proposition also, as I have earlier explained at [129] above, departs from the almost invariable rule that the onus lies upon an applicant in the administrative law context to establish their claim. The same difficulty would arise under the applicants’ proposed scheme at the external review stage given that under proposed cl 4.11, the external reviewer may exercise the powers of the scheme administrator and follow the process in cll 4.3 to 4.7 as if the external reviewer stood “in the shoes” of the scheme administrator.
  4. Secondly, the applicants’ scheme provides for an “ambulatory, ongoing supervisory role” for the Tribunal. Clause 9.1 allows for the scheme administrator to refer any issues relating to the scheme to the Tribunal for direction or determination, and cl 9.2 allows for the Tribunal to vary or amend the terms of the scheme. Similarly, cl 11.1 provides that the time for doing any act or thing under the scheme may be extended by direction of the Tribunal. The applicants, in reply submissions, characterised these clauses as “liberty to apply”, and submit that it is “entirely orthodox” for the Tribunal to have a supervisory role for scenarios which no one can presently contemplate. However, I consider that an ongoing ability to return to the Tribunal for determination on any issue (with no clarity on which issues are within the Tribunal’s power on such an application) would lead inevitably to disputes, delay and additional costs. As I explain below, in circumstances where something unforeseen arises in the course of implementing the scheme, it is for the respondent to give directions as she or he thinks fit under  s 52(5)  of the  Privacy Act .

5.2.4.2. Other Party’s process for review of decisions

  1. The Other Party’s proposed process for review of decisions differs from the applicants’ process because it incorporates a series of steps facilitated by the scheme administrator to resolve claims by agreement, including agreement for the independent expert reviewer to resolve the compensation outcome. In this regard, the Other Party submitted that:

for example, in our annexure A, clause 1B, C and D, there is a process whereby after the initial assessment is done by the scheme administrator, there is, in effect, offers, there’s interchange between the class member and the Secretary as to whether they accept the quantum that has been identified or whether they don’t accept it. And we see that in our annexure D, which is our alternative scheme at 3(f), (g) and (h). So, for example, looking at our annexure D(3)(f), the class member can make an offer to the other party and the other party can either accept that, in which case the process comes to an end because they have agreed, or they can make a counteroffer. And if that process of interaction doesn’t produce agreement, then it goes to an independent external review to determine the final amount.

And we say this helps ensure outcomes that are satisfactory to both the Commonwealth and the class members, which is that there is a clear final resolution on each claim and that there’s an efficiency, because there may be some class members that want to – if their offer is accepted by the Commonwealth and they don’t want to go to external review because the time value of money or for whatever reason, they’re happy that they have that opportunity to have an efficient and quick outcome. ...

... we submit there is no asymmetry [in the Other Party’s proposed external review process] because it’s a highly-structured process where there’s an initial assessment by the scheme administrator which gives the class member an idea of the ballpark of what the claim may be worth. And they also have access to independent expert determination in the event of a dispute, which the Commonwealth undertakes to agree to the outcome of the independent assessor.

And we say as part of this, having an independent scheme administrator interwoven through each step will assist in the process in terms of keeping things on a neutral and even keel. So we say that is an advantage of our scheme and we submit that there’s no issue or power imbalance in that, particularly where, if you’ve got an independent scheme administrator who does the first assessment indicating what the scheme administrator says the claim is worth, then you have this structured offer and acceptance and then with the final expert determination, which the Commonwealth is bound by. The difference in the applicants’ scheme is there is no facility for negotiation or agreement between the parties.

Under their scheme, the scheme administrator issues a notice of assessment. The class member either agrees with it or disputes it and then it’s escalated straight up to an external reviewer. So we say this inbuilt ability for the parties to negotiate and agree with the safety net of an external reviewer if they can’t has the benefit of quick and efficient and is more likely to get people money earlier, noting it’s seven years after the data breach already.

  1. The Other Party’s process comprises the following five steps:
    (a) The scheme administrator conducts the initial assessment of the class member's claim.

    (b) The scheme administrator will provide their assessment to the class member and request a response from the class member as to whether they wish to make an offer of compensation to the Other Party to be communicated by the scheme administrator. The offer (and, if it differs, the scheme administrator's assessment) is put to the Other Party for consideration.

    (c) Upon receipt of an offer by the class member, the Other Party may either accept the class member's offer, at which point the class member's claim will be resolved by agreement, or make a counter-‍offer. In the latter scenario, the Other Party will provide the counter-offer to the scheme administrator with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the class member's loss.

    (d) The scheme administrator will provide the Other Party's counter-‍offer and explanation to the class member, and inform the class member as to whether it considers the Other Party's counter-offer to be reasonable. The class member may either accept the Other Party's counter-‍offer, at which point the class member's claim will be resolved by agreement, or seek referral of the matter to an expert assessment.

    (e) If a class member requests that their dispute be resolved by expert assessment, the Other Party undertakes to agree to have the class member’s claim resolved in that manner if the claim has not been settled by this point. In other words, the expert determination stage will be a consensual process adopted between the parties. The scheme administrator will then provide both parties' submissions to an independent expert, who will assess the appropriate amount of compensation to be paid to the class member. The parties are free to seek to negotiate an agreement before the expert gives their assessment.

  2. I agree with the Other Party’s approach. In my view that approach is likely to reduce costs and delays in the process. In particular, not only will the parties have greater participation and control over the process, and therefore be more likely to be satisfied with the result, but this approach is also likely to reduce the number of disputes which need to be referred to the external assessor and therefore avoid the additional costs and delays inherent in the applicants’ scheme.
  3. Finally, as I have noted above, there is power under  s 52(5)  of the  Privacy Act  for the respondent to give such directions as she or he thinks just. Such a power may be used in circumstances where something unforeseen arises in the course of implementing the scheme. I agree with the Other Party’s suggestion that the scheme should include a provision allowing the parties liberty to apply to the Tribunal in the event that a view is formed that the compensation assessment scheme has become incapable of effective implementation in whole or in part. Such a provision should only deal with unusual or unforeseen circumstances which are major in nature. All other minor issues, such as how a particular decision might be dealt with, should be directed to the scheme administrator for resolution at its discretion.

5.3. Issue (e): Is it correct and preferable to direct that the Other Party pay for particular aspects of the compensation assessment process—specifically, access to translation and interpretation assistance during the operation of the compensation assessment process?

  1. The applicants submit that due to the vulnerabilities of the class members, who face language and cultural barriers as well as unfamiliarity with the Australian legal process, it will be necessary to provide interpretation services to class members who have queries regarding the compensation assessment scheme. In the applicants’ submission, not only is this a reasonable expense and a prerequisite for class members’ losses to be redressed, but it will also facilitate the smooth and efficient implementation of the compensation assessment scheme.
  2. The Other Party accepted that ss 52(4) and (5) of the Privacy Act implicitly authorise the Tribunal to require the Department to pay such costs as are reasonably necessary for the purposes of administering the compensation scheme prescribed by determination under s 52(1)(b)(iii). It also accepted that this category of costs included such expenses when they are reasonably necessary to ensure that individual class members have a real opportunity to receive and understand information relevant to their claims, and to communicate their responses, concerning the implementation of the compensation assessment process. I agree. I also agree with the submission by the Other Party that those costs should be proportionate to the compensation assessment process.
  3. The Other Party agreed that it should pay costs that are reasonably necessary to ensure that class members have a real opportunity to participate in the compensation assessment process and as such, that it should be responsible for:
    (a) the translation costs set out at [136] of the OPSFIC; and

    (b) the interpreting assistance described at [136A] of the OPSFIC, in respect of class members with no written language skills.

  4. Specifically, the Other Party confirmed in response to the Determination that it would:
    (a) write to all participating class members seeking confirmation as to the language they wish the scheme administrator to communicate with them in regarding the data breach out of the list of 21 languages into which the respondent translated the 2018 notice;

    (b) translate all correspondence to the participating class members into the language they chose from the letter in (a) above, and send them both English and translated versions to enable communication with their representatives; and

    (c) allow the class member to communicate with the scheme administrator in the language they chose from the letter in (a) above in responding to matters relating to the data breach.

  5. The Other Party accepted that a cohort of approximately 100 class members do not have any written language skills, and therefore interpretation costs are reasonably necessary to enable this cohort of class members to participate in the compensation scheme. Accordingly, the Other Party has agreed to:

provide interpreters to the cohort of class members who do not have any written language skills to:

(a) inform the class member of the Tribunal’s decision, including the categories of loss and damage and the types of evidence that would establish a claim for compensation;

(b) receive information from the class member regarding their claim, and write that information in the statement;

(c) inform the class member of the assessment of their claim, obtain instructions to make an offer, and inform the class member of any counter-offer; and

(d) if the class member’s claim proceeds to external assessment, take instructions and prepare a submission to the expert, and inform the class member of the outcome of the external assessment.

  1. I agree with these concessions subject to the following qualifications. First, the reference to “provid[ing] interpreters to the cohort of class members” should be amended in the orders to refer to “interpreters/translators”. Secondly, so as to reflect the proper role of interpreters (as identified in the JCCD National Recommended Standards at [115]), I consider that the concessions at (c) and (d) above would more accurately be expressed as follows:
    (c) translate the assessment of the class member’s claim for the class member, translate the class member’s offer, and translate any counter-offer for the class member; and

    (d) if the class member’s claim proceeds to external assessment, translate the class member’s submission to the expert reviewer, and translate the external assessment for the class member.

  2. Finally, with respect to the engagement of interpreters, I consider that the Other Party should have regard to the standards articulated in the JCCD National Recommended Standards.

DECISION

  1. The Tribunal orders that:

  1. Pursuant to s 43(1)(a) of the Administrative Appeals Tribunal Act 1975 (Cth), Declaration 4 of the Determination made by the respondent on 11 January 2021 (the Determination) is set aside and the following is made in its place:

The members of the class who:

(a) did not provide a submission and/or evidence to the Office of the Australian Information Commissioner (OAIC) within the timeframe specified by the OAIC, and who did not opt out; and

(b) do not provide a reasonable explanation for not making submissions or providing evidence in response to the January 2018 OIAC notice within 3 months of the publication of a notice by the scheme administrator as described in Annexure A;

have not substantiated that they have suffered loss or damage as a result of the conduct constituting an interference with the privacy of class members and subject of this Determination (the data breach). Pursuant to  s 52(1)(b)(iv)  of the  Privacy Act 1988  (Cth), the Tribunal declares that it would be inappropriate for any further action to be taken in relation to those individuals.

  1. Pursuant to s 43(1)(c) of the Administrative Appeals Tribunal Act 1975 (Cth), Declarations 2 and 3 of the Determination are set aside and the following are made in their place:

Each of the participating class members, being:

(a) the 1,295 class members who made submissions and/or provided evidence of loss or damage to the OAIC within the timeframe specified by the OAIC, and who did not opt out; and

(b) the class members who establish, within the timeframe prescribed in order 1 above, that they have a reasonable explanation for not responding to the January 2018 OIAC notice and make submissions and/or provide evidence of loss or damage;

is to be paid an amount of compensation worked out in the manner specified in Annexure A to these orders.

  1. Pursuant to ss 52(4) and/or 52(5) of the  Privacy Act 1988  (Cth), the Department of Home Affairs is to pay:

(a) the costs of the expert determination process described in Annexure A;

(b) the costs of translating communications relating to the assessment of compensation for loss and damage arising from the data breach;

(c) the costs of interpretation/translation services relating to the provision of evidence by those participating class members without a written language and communications with that cohort of class members relating to the assessment of compensation for loss and damage arising from the data breach; and

(d) for assessments conducted under the compensation assessment scheme described in Annexure A, up to $500 to each participating class member to obtain assistance from a legal practitioner to prepare the participating class member’s evidence or submissions for provision to an expert assessor (to be paid on the participating class member’s provision of an invoice from the legal practitioner).

  1. There be liberty to apply to the Tribunal on the basis that the Compensation Assessment Scheme in Annexure A hereto has become incapable of effective implementation in whole or in part.

Annexure A: Compensation Assessment Scheme

  1. Under  s 38B(3)  of the  Privacy Act 1988  (Cth), within 28 days of the appointment of the scheme administrator (as to which, see clause 6(a) below), the scheme administrator is to publish a notice inviting:
(a) the 1,295 class members who made submissions and/or provided evidence of loss or damage to the OAIC within the timeframe specified by the OAIC and who did not opt out (the existing participating class members), to make submissions or submit updated and/or supplementary submissions, and/or evidence of loss or damage to the scheme administrator; and

(b) class members who did not make submissions or provide evidence of loss or damage to the OAIC within the timeframe specified by the OAIC, and who did not opt out (non-participating class members) to submit an application to participate in the compensation scheme described below (the scheme).

  1. The notice referred to in clause 1 above is, among other things, to:
(a) be expressed in plain English in a manner intended to facilitate translation to other languages after consultation with one or more qualified and experienced translators;

(b) explain the scheme and relevant timeframes;

(c) give examples of compensable loss and damage, including explaining that non-economic loss for which compensation may be paid includes (but is not limited to) consequences such as fear, distress, anxiousness, loss of sleep, headaches, and mental illness;

(d) give examples of the kinds of evidence which a class member might provide in support of claim for economic and/or non-economic loss or damage such as a statutory declaration from the class member explaining the impact of the data breach upon them, statutory declarations from family and friends explaining their observations as to the impact of the data breach upon the class member, financial documents supporting any claim of economic loss, and reports from relevant medical practitioners;

(e) explain that verbal evidence with the assistance of a qualified interpreter (if required) may be taken by the scheme administrator upon request by the class member if the class member does not possess the necessary written language skills; and

(f) explain the consequences if the invitation pursuant to clauses 1(a) or (b) above is not taken up by the class member.

  1. Any existing participating class member who wishes to make submissions or provide updated and/or supplementary submissions, and/or evidence of loss or damage pursuant to clause 1(a) above is to do so within a period of 3 months of the publication of the notice, unless the existing participating class member requests an extension of time within which to do so and the scheme administrator considers that it is reasonable to allow the existing participating class member an extension of time.
  2. Any non-participating class member who wishes to participate in the scheme must submit an application to the scheme administrator within 3 months of the publication of the notice, including:

(a) an explanation as to why the non-participating class member did not make submissions or provide evidence of loss or damage to the OAIC within the timeframe specified by the OAIC; and

(b) the non-participating class member's name, date of birth, client ID and, if applicable, boat ID, to enable the Department of Home Affairs to confirm that the non-participating class member was affected by the data breach.

  1. Upon receiving confirmation from the Department of Home Affairs that a non-participating class member who has submitted an application to participate in the scheme was affected by the data breach, the scheme administrator will consider the non-participating class member's application. If the scheme administrator is satisfied that the non-participating class member has provided a reasonable explanation for not making submissions or providing evidence to the OAIC within the timeframe specified by the OAIC, the scheme administrator is to declare them to be a participating class member (see clause 6 below) who is to be paid an amount of compensation for loss or damage arising from the data breach worked out in the manner described below.
  1. Under  ss 52(1)(b)(iii)  and (4)(a) of the  Privacy Act 1988  (Cth), the existing participating class members, as well as class members identified through the process set out in clauses 1(b), 4 and 5 above (collectively referred to as the participating class members), are to be paid an amount of compensation for loss or damage arising from the data breach worked out in the following manner:

(a) A law firm which is independent of the Secretary of the Department of Home Affairs (Other Party) and of class members will be appointed to administer the scheme (the scheme administrator) through the following process:

(i) within 14 days of the publication of the Tribunal's decision, the Department of Finance will prepare a Request for Quote (RFQ) and provide it to the applicants' solicitors for comment;

(ii) the applicants' solicitors will provide any comments on the RFQ to the Department of Finance within 14 days of receipt of the information outlined in clause 6(a)(i) above from the Department of Finance;

(iii) the Department of Finance will consider any comments received from the applicants' solicitors in accordance with clause 6(a)(ii) above in finalising the RFQ;

(iv) within 14 days of receiving any comments from the applicants' solicitors in accordance with clause 6(a)(ii) above, the Department of Finance will issue the RFQ to each of the legal services providers that:

  1. are appointed to the Whole of Australian Government Legal Services Panel in the areas of:
  1. Compensation, damages and personal injury; and
  1. Freedom of information, privacy and public interest disclosure; and
  1. have not represented or advised the Other Party, or the Minister for Immigration, Citizenship and Multicultural Affairs with respect to any matter arising from the data breach or in proceedings related to the grant or refusal of a visa or Australian citizenship; and
  1. have not represented or advised any class members in relation to this proceeding; and
(v) the Department of Finance will assess each response to the RFQ on a value-for-money basis, having regard to each provider's expertise and experience, and will identify a provider to act as scheme administrator.

(b) The scheme administrator:

(i) shall administer the scheme fairly, impartially, and reasonably according to its terms, with their duty owed to the Tribunal to take priority over any obligation to a participating class member; and

(ii) must not act as the solicitor for the Other Party, the Commonwealth or any class member in relation to any matter relating to the data breach.

(c) The scheme administrator shall conduct an assessment of each participating class member's submissions and/or evidence, allocate the participating class member into a non-economic loss category set out in the table at Annexure B, and identify the appropriate quantum of compensation (under the heads of economic loss and non-economic loss, where relevant) for the participating class member. For the avoidance of doubt, that quantum may be nil.

(d) On completion of the assessment for each participating class member, the scheme administrator is to provide the assessment and relevant evidence to the participating class member or their representative, and request a response from the participating class member as to whether the class member wishes to make a settlement offer to the Other Party, to be communicated by the scheme administrator. For the avoidance of doubt, the participating class member is not limited to making an offer in the proposed amount identified by the scheme administrator. If the participating class member’s settlement offer is not the same as the amount identified by the scheme administrator, the scheme administrator will provide both the settlement offer and its assessment to the Other Party.

(e) In the event that the participating class member, or their representative, fails to respond to the scheme administrator's assessment within 28 days, the scheme administrator will provide its assessment directly to the Other Party.

(f) Upon receipt of a settlement offer in writing of proposed compensation payable to the participating class member through the scheme, the Other Party may:

(i) accept the participating class member's offer, at which time the parties will enter into a settlement deed, resolving the participating class member's claim by consent; or

(ii) make a counter-offer in writing, which the Other Party will provide to the scheme administrator with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the participating class member's loss or damage.

(g) If the scheme administrator has provided its assessment directly to the Other Party in accordance with clause 6(e) above, the Other Party is to:

(i) consider the scheme administrator's assessment in the same way it would consider a settlement offer received from a participating class member or their representative; and

(ii) either accept the assessment or propose a different amount of compensation for the participating class member, with a brief statement of reasons explaining the counter-offer and any further information that the Other Party considers relevant to the assessment of the participating class member's loss or damage.

(h) If the Other Party makes a counter-offer in accordance with clauses 6(f)(ii) or 6(g) above, the scheme administrator will provide the Other Party's counter-offer and statement of reasons to the participating class member by email and/or registered post, and will inform the participating class member or their representative in writing as to whether it considers the Other Party's counter-offer to be reasonable. The participating class member may:

(i) accept the Other Party's counter-offer, at which time the parties will enter into a settlement deed, resolving the participating class member's claim by consent; or

(ii) request that the dispute concerning the participating class member's compensation entitlement be resolved by expert assessment. (The Tribunal notes that the Other Party has voluntarily undertaken to agree to have the participating class member’s claim resolved in this manner if the claim has not been settled by this point, meaning that the expert determination stage will be a consensual process adopted between the parties.)

(i) If the participating class member does not respond to the Other Party's counter-offer within 30 days of the counter-offer being sent by email or registered post to the participating class member or their representative, the participating class member will be taken to have agreed to the Other Party's counter-offer.

(j) If a participating class member's compensation entitlement is to be resolved by expert assessment, the scheme administrator will provide the expert with:

(i) the evidence and/or submissions provided by the participating class member to the OAIC;

(ii) the scheme administrator's assessment;

(iii) the participating class member's settlement offer to the Other Party; and

(iv) the Other Party's counter-offer, including the statement of reasons and any further information provided by the Other Party with its counter-offer.

(k) The experts to provide the assessments referred to in clauses 6(h)(ii) and (6)(j) above will be agreed upon by the Other Party and the solicitors for the applicants. Appropriately qualified counsel, with relevant skills and at least three years’ experience in legal practice in relevant areas of the law, would be suitable to appoint as an expert in accordance with Appendix D to the Legal Services Directions 2017 (Cth).

(l) The Other Party and the solicitors for the applicants may approach the respondent for assistance in resolving any dispute regarding the choice of experts or the terms of the experts' engagement.

(m) The Other Party is to pay the amount of compensation agreed between the Other Party and the participating class member, or identified by an independent expert pursuant to the process described above, within a reasonable period and to advise the scheme administrator in writing when payment to the participating class member has been made.

Annexure B: Categories of non-economic loss

| Category | Description | Quantum |
|---|---|---|
| 0 | The individual has not provided a submission and/or evidence that substantiates loss or damage resulting from the data breach. | $0 |
| 1 | Minor loss or damage resulting from the data breach (for example, general anxiousness, fear, anger, stress, worry concern or embarrassment). | $500 - $4,000 |
| 2 | Moderate loss or damage resulting from the data breach (for example, moderate anxiousness, stress, fear, pain and suffering, distress and/or humiliation), which has caused minor physiological symptoms, such as some loss of sleep or headaches. | $4,001 - $8,000 |
| 3 | Major loss or damage resulting from the data breach (for example, major or prolonged anxiousness, stress, fear, pain and suffering, distress, humiliation, loss of sleep, and/or headaches) which has caused psychological and/or physiological harm, and has resulted in a consultation with a health practitioner. | $8,001 - $12,000 |
| 4 | Significant loss or damage resulting from the data breach (for example, the development or exacerbation of a diagnosed psychological or other medical condition), which has resulted in a prescribed course of treatment from a medical practitioner. | $12,001 - $20,000 |
| 5 | Extreme loss or damage resulting from the data breach. | > $20,000 |

I certify that the preceding two hundred and three (203) paragraphs are a true copy of the reasons for the decision herein of Justice Melissa Perry, Deputy President.

.................................[SGD]..............................
Associate

Dated: 13 September 2023

Dates of hearing: 13-14 December 2021
Counsel for the Applicants: Mr M Guo
Solicitors for the Applicants: Slater & Gordon
Counsel for the Respondent: Ms E Bathurst with Ms A Poukchanski
Solicitors for the Respondent: Corrs Chambers Westgarth
Counsel for the Other Party: Ms K Richardson SC with Ms C Winnett
Solicitors for the Other Party: Clayton Utz

APPENDIX 1: HISTORICAL NOTICE PUBLISHED BY THE OAIC IN 2018 TO CLASS MEMBERS AS TO THEIR ENTITLEMENT TO SEEK COMPENSATION UNDER THE OAIC DETERMINATION



TO ALL PERSONS IN IMMIGRATION DETENTION ON 31 JANUARY 2014

Background

  1. On 10 February 2014, the Department of Immigration and Border Protection (Department) published a detention report on its website in error. The report contained the personal information of persons who, as at 31 January 2014, were in immigration detention facilities or in the community under residence determination, or alternative places of detention (Data Breach).
  1. The personal information was removed from the Department’s website on 19 February 2014 and from The Internet Archive on 27 February 2014.
  1. On 30 August 2015, a representative complaint was made to the Commissioner on behalf of all persons whose information was published by the Department in error (Representative Complaint).

What is a representative complaint?

  1. A representative complaint is a complaint made by an individual under the  Privacy Act 1988  (Cth) on behalf of other individuals who have similar complaints about an act or practice that may be an interference with their privacy. The Commissioner may make a declaration that class members are entitled to compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint.

Why is this notice important?

  1. In order to make a determination about the Representative Complaint, including whether any of the persons whose personal information was published in the Data Breach are entitled to compensation for any loss or damage suffered, the Commissioner needs information from you.
  1. If you were affected by the Data Breach and do not provide information of the kind described below, the Commissioner may conclude that he is not satisfied you have suffered any loss or damage as a result of the Data Breach and you may not receive compensation for the Data Breach.

What do I need to do?

  1. If you did not suffer any loss or damage as a result of the Data Breach, you will not be entitled to compensation and you can ignore this Notice.
  1. If you believe you suffered loss or damage as a result of the Data Breach, and want the opportunity to potentially recover compensation for that loss or damage, you need to provide the Commissioner with information about your loss or damage:
(a) You should provide all the information you consider to be relevant to the loss or damage you suffered.

(b) The information may be in the form of a statutory declaration or signed statement in your own words. Statutory declarations or signed statements in a standard form will be given little weight.

(c) The information may include evidence from the time of the Data Breach or when you first found out about the Data Breach, such as medical reports, that contain details about how you felt or reacted to the Data Breach and any treatment you received. Medical reports prepared after the date of this Notice will be given little weight.

(d) Letters written on your behalf, which are not in your own words, will be given little weight.

(e) The Commissioner may not consider information that is provided after the deadline below.

  1. You must upload this information on the Response Form at oaic.gov.au/repcomplaint. You can also provide the information by sending it to repcomplaint@oaic.gov.au or to GPO Box 5218, Sydney NSW 2001. You must provide sufficient information (including your full name and date of birth, and any relevant Department of Immigration identification number) to allow the OAIC and the Department to identify you.
  1. You must send any information by: 4.00 pm on 19 April 2018.

Opting-out of the Representative Complaint

  1. If you do not consent to the Representative Complaint being made on your behalf and do not want to be part of it, you can opt out of the Representative Complaint at any time by visiting the OAIC website at oaic.gov.au/repcomplaint and filling out the Response Form.

  1. Opting out may affect your ability to obtain compensation in respect of the Data Breach. Please read the information on the Response Form carefully.

Questions and assistance

  1. If you need assistance to understand or respond to this Notice, please contact OAIC on 1300 363 992 or email repcomplaint@oaic.gov.au.


URL: http://www.austlii.edu.au/au/cases/cth/AATA/2023/2961.html