S 91X Migration Act Independent Review
Independent review of action taken by the Federal Court following a data breach contrary to Section 91X of the Migration Act 1958
Terms of reference
8 May 2020
Background to the Review
This review has been commissioned by the Federal Court of Australia after becoming aware that information was accessible from a Federal Court website that may have led to the publication of the names of litigants contrary to section 91X of the Migration Act 1958 (Cth).
The Federal Court, through senior officers of the Court, became aware in late March 2020 that the names of some litigants who had commenced protection visa proceedings in the Federal Court and the Federal Circuit Court could be accessed on the Commonwealth Courts Portal through Federal Law Search. Those web-based services are managed under the Federal Court of Australia Act 1976.
The access that could be obtained to the names of some litigants was or could be, if obtained, publication contrary to the Migration Act s 91X. That provision provides that a federal court must not publish (in electronic form or otherwise) the name of a person in a proceeding relating either to their application for a protection visa or related bridging visa, or to the cancellation of such a visa. This state of affairs is referred to in these terms of reference as a ‘data breach’ or ‘the data breach’.
Steps were taken by the Court on the day it was notified of the data breach to disable online access to information about individual court proceedings, while the cause and scope of the issue was examined. Limited and modified online access and search functions have since been restored. Some of the former online search functions remain disabled.
Steps have been taken by the Court to identify specific migration protection visa application proceedings that may be affected by the data breach, and to ensure compliance with s 91X.
The data breach was brought to the attention of the Chief Justices, Judges and Chief Executive Officers of both courts, the Attorney-General, the Attorney-General’s Department, the Audit Committee of the Federal Court, the Law Council, the Presidents of the Bar Associations and Law Societies, and was discussed with the Office of the Australian Information Commissioner.
The Court also responded to enquiries that it received about the data breach from a media organisation and from legal representatives and advocacy groups. A notice about the data breach was published on the Court’s website.
The Federal Court decided in April 2020 to commission an independent review of the circumstances relating to the data breach and the Court’s response.
Scope of the Review
The Review is
1. the nature, extent and cause of the data breach
2. whether the Federal Court responded in a timely and appropriate way upon becoming aware of the data breach, and in particular whether the Court has taken or is taking adequate steps:
a) to identify the cause of the data breach
b) to identify individual proceedings or parties that may be affected by the data breach
c) to ensure that the circumstances giving rise to the data breach have been rectified and that proscribed data exposure will not occur
d) to notify and consult the Attorney-General, Attorney-General’s Department and other relevant Australian Government agencies about the data breach
e) to respond to persons (or their legal representatives) who were concerned about whether they may have been adversely affected by the data breach
f) to consider the application of the Privacy Act 1988 (Cth) to the data breach and to the Court’s response
g) to implement suitable risk control and oversight mechanisms to prevent proscribed data exposure, and to ensure timely identification and response to any data breach that contravenes s 91X
h) to ensure that staff and officers of the Federal Court and Federal Circuit Court are properly aware of the Migration Act 1958 (Cth) s 91X, and of necessary measures to ensure compliance with that section.
The Review may consider any other matter that it considers relevant to the purpose or subject matter of the Review, even if it does not fall strictly within the terms of the scope of the review as set out above.
The Review may make recommendations as to any action that the Federal Court may take in response to the findings of the Review.
The Review may take notice of any deliberation occurring within the Federal Court or the Federal Circuit Court as to the effect (if any) that the data breach may have on individual proceedings before either court. However, the Review is not to make findings or express an opinion on any such issue, recognising that the conduct of proceedings falls within the judicial function of the courts.
Conduct of the Review
The Review is expected to commence in April 2020. The Reviewer shall provide a report to the Court within six weeks of commencing the Review.
The Review may consult:
- staff and officers of the Federal Court and the Federal Circuit Court
- members of the Audit Committee of the Federal Court
- the Attorney-General’s Department, the Office of the Australian Information Commissioner and any other Australian Government agency with a relevant interest in the matters being examined by the Review
- legal professional associations and other non-government associations with a relevant interest in the matters under review
- the legal representatives of parties who may have been adversely affected by the data breach and who contacted the Court about the matter
- any other person or body with a relevant interest in the Review
- and after consultation with the Chief Justices or Chief Judge, judges of their respective Courts.
The Review is not to contact any person or body external to the Court for the purposes of the Review without first advising the Court of its intention to do so. The Review will take account of any view expressed by the Court as to the suitability of a particular person or body being consulted, and as to how any such consultation should be arranged or may be undertaken.