Kant v Australian Information Commissioner (No 3) [2026] FCA 51

This proceeding began with a broad and unusual approach to the OAIC. Mr Kant sent material through an OAIC webform for general enquiries and attached a letter asking the Commissioner to investigate what he described as interference with rights protected by the ICCPR. His letter did not point only to one agency or one event. It referred to multiple entities, including a university, health practitioners, police bodies, intelligence agencies, the Department of Defence, members of parliament and other public bodies.

The attachments mattered. They included material connected with intelligence agencies, including a letter to ASIO requesting access to records, a complaint to the Inspector-General of Intelligence and Security about repeated interferences with privacy by one or more intelligence agencies, and related correspondence. So the material did include ASIO-related content, but it was not confined to that topic on its face.

The OAIC first acknowledged the matter as an enquiry. It later sent a pro forma email that appeared to treat the matter as a privacy complaint. Mr Kant then sent a further document concerning ASIO’s handling of his request for access to personal information. After that, an OAIC delegate wrote on 12 September 2023 saying, in substance, that the complaint was about ASIO mishandling personal information and that ASIO was exempt for Privacy Act purposes. On that basis, the OAIC said it could not investigate and closed the file.

Mr Kant then sought judicial review in the Federal Court. His central complaint was that the OAIC had narrowed his August 2023 matter into something smaller and different from what he had actually lodged. That framing issue became the decisive point in the case.

The court was not deciding whether every allegation made by Mr Kant was correct. Nor was it conducting a merits review of the complaint itself. The real question was whether the OAIC delegate made a jurisdictional error when refusing to investigate.

That issue turned on characterisation. Was it reasonably open, on the material before the OAIC, to treat the complaint or enquiry as being exclusively about ASIO’s mishandling of Mr Kant’s personal information? If that characterisation was not open, then the refusal may have been based on the wrong legal question.

The reasons show that the case also involved arguments about the structure of the Privacy Act, including Part V, section 7, section 12B, section 36 and section 40, as well as the ICCPR. Mr Kant argued, among other things, that section 12B had significance independent of the ordinary complaint framework. The Commissioner also addressed the operation of exemptions relating to ASIO and intelligence agencies. But the decisive issue identified by the court was narrower and more practical: the OAIC had first to identify what complaint or enquiry it was actually dealing with.

The judge considered this point important enough to seek further written submissions from the parties on whether it was reasonably open for the delegate to characterise the matter as being exclusively about interferences with privacy by ASIO, and why that mattered. That procedural step itself shows how central the framing issue became.

Justice Snaden held that the Commissioner erred by characterising the complaint or enquiry as pertaining solely to conduct attributable to ASIO. The reasons expressly state that this was accepted as a jurisdictional error. That finding was enough to justify prerogative relief.

The court therefore made orders quashing the OAIC decision of 12 September 2023 and requiring the Commissioner to determine the complaint or enquiry according to law. In formal terms, the court issued certiorari and mandamus. The respondent was also ordered to pay the applicant’s costs, with the amount to be assessed if not agreed.

Just as important is what the court did not decide. The reasons expressly say that the other grounds relied on by Mr Kant were not made good. The judgment did not finally determine the underlying privacy allegations. It did not hold that the complaint must succeed. It did not decide that exemptions under the Privacy Act are irrelevant. The result was procedural: the OAIC’s decision was undone because the matter had been framed incorrectly, and the complaint or enquiry must now be dealt with according to law.

Administrative decisions often rise or fall on how the decision-maker frames the issue. Here, the OAIC’s refusal depended on the proposition that the matter was a complaint about ASIO mishandling personal information. Once the matter was framed that way, the OAIC could rely on ASIO’s exempt status and close the file. But if the original material was broader than that, the refusal rested on a false starting point.

That is why this case should not be read as a substantive ruling on the privacy status of intelligence agencies alone. The court’s concern was that the OAIC had prematurely narrowed the scope of what had been lodged. The error was not simply about choosing the wrong statutory provision. It was about identifying the wrong subject matter for decision.

For businesses, this is a familiar operational problem. A complainant may send one long email that mixes together a data access issue, a disclosure concern, dissatisfaction with customer service, allegations involving a related entity, and references to broader rights or grievances. If your team picks only one thread, labels the whole matter by that thread, and closes the file, you may create avoidable risk. Even if one part of the complaint is weak or outside scope, another part may still require a response.

The case also shows that broad or difficult correspondence should not be dismissed merely because it is hard to categorise. A complaint can be overbroad, legally ambitious or poorly organised, but the decision-maker still needs to identify what is actually being raised before deciding what can and cannot be done about it.

Most businesses will never deal with the exact statutory setting in this case, but the complaint-handling lesson is widely applicable. If your organisation handles personal information, you should have a process for identifying the scope of a complaint before deciding whether it falls inside or outside your obligations.

Start with the documents and conduct. What exactly did the person send? Was it a complaint, an enquiry, an access request, or a mixture of all three? Did they attach earlier correspondence that broadens the issue? Did they name multiple entities, business units, service providers or incidents? If so, your first task is to map the allegations, not to search immediately for the quickest basis to close the matter.

Next, separate the issues. One part of a complaint may concern your own handling of personal information. Another may concern a third party. Another may be a request for access or correction. Another may be outside your process entirely. Treating those as distinct issues helps you avoid the mistake highlighted in this case.

Then explain your characterisation in writing. If you understand the complaint in a particular way, say so and invite correction. That gives the complainant a chance to clarify and gives your business a record showing that you did not simply assume the narrowest possible version of events.

Finally, be careful with exemptions and threshold points. If you think part of a complaint is outside scope, ask whether that conclusion applies to the whole matter or only one part. A partial limit is not always a complete answer.

The published reasons are especially useful because they show how the court reconstructed the dispute from the correspondence itself. The judge referred to the original letter sent through the OAIC webform, the attachments to that letter, the OAIC acknowledgement emails, the later ASIO-related document sent by Mr Kant, and the delegate’s refusal letter. That sequence mattered because it showed how the matter evolved and how the OAIC came to describe it.

For business owners and managers, this is a reminder that complaint handling is often evidence-driven. The words used in the original complaint, the labels used in your internal systems, and the wording of your response letter can all become important later. If your CRM or ticketing system reclassifies a matter, make sure the reclassification matches the substance of what was actually received.

It is also worth noting that the OAIC correspondence used both an enquiry reference and a complaint reference. In a business setting, similar shifts can happen when a matter moves from customer support to privacy, legal or compliance. Those handovers are common points where the scope of a complaint can accidentally narrow. A disciplined intake and triage process reduces that risk.

The judgment was delivered on 6 February 2026 by Justice Snaden in the Federal Court of Australia. The proceeding was determined on the papers after earlier interlocutory steps and case management. The orders quashed the OAIC decision made on 12 September 2023 and required the Commissioner to determine the complaint or enquiry according to law.

The case should be read as a procedural judicial review decision. It does not provide a final answer to the underlying allegations raised by Mr Kant. Its practical value lies in the court’s treatment of complaint characterisation, jurisdictional error and remittal.

This page is based on the published Federal Court reasons in Kant v Australian Information Commissioner (No 3) [2026] FCA 51. The available text clearly identifies the orders, the procedural history, the key factual background and the court’s conclusion that the OAIC erred by characterising the complaint or enquiry as solely about ASIO.

Some of the published text available for review is incomplete. Because of that, this page focuses on the parts of the decision that are clear from the reasons, especially the procedural nature of the outcome and the complaint-characterisation issue. Anyone relying on the case for a detailed statutory analysis should check the complete judgment.