Garvey v Australian Information Commissioner [2026] FCA 614

Garvey v Australian Information Commissioner [2026] FCA 614 is a Federal Court decision about the limits of judicial review in freedom of information disputes. The applicant, a former ANU PhD candidate, believed ANU held documents that would support serious allegations about misuse of his personal information, interference with his academic freedom, hacking of his email account and consequences of a 2018 cyber-attack. He brought two separate judicial review proceedings under the Administrative Decisions (Judicial Review) Act 1977 (Cth).

One proceeding concerned a 2019 FOI request and a later Administrative Review Tribunal decision. The other concerned a 2023 FOI request and an Information Commissioner decision. The Court dismissed both proceedings with costs. It also refused leave to issue proposed subpoenas, refused a stay sought in connection with those subpoenas, and refused a suppression order by pseudonym.

The applicant was Benjamin Patrick Garvey, a former PhD candidate at the Australian National University. He believed his records and personal information were targeted in a 2018 cyber-attack in which a sophisticated actor gained access to part of ANU's network, including systems relating to human resources, finance, student administration and enterprise e-forms. He also believed ANU documents would show that he had been experimented on without consent, that his academic freedom had been infringed, that his email account had been hacked and used to send emails in his name, and that his personal information had been used to blackmail the ANU Vice-Chancellor.

He wanted access to documents he considered necessary to bring legal action about those matters. To pursue that, he made FOI requests in 2019 and 2023. The two requests were different, and the later court proceedings were different too, so it is important not to collapse them into one dispute.

The 2019 FOI request sought access to any email, file, text document, sound recording, image or video written, composed or held by the office of the Vice-Chancellor, including anything written or composed by Professor Brian P Schmidt, that concerned the applicant, his conduct, his scholarship or a necessity to infringe his academic freedom. ANU identified 31 documents. A later Information Commissioner decision dealt with 28 of those documents, being documents ANU had either not released or had released in part with redactions on the basis of irrelevance or conditional exemption.

When that matter reached the Administrative Review Tribunal, the Tribunal treated it as raising two issues. First, whether the Information Commissioner decision about the 28 documents was wrong. Second, whether ANU had withheld further documents related to the applicant and his academic freedom. The applicant argued that key documents existed and should be produced, including a film from Hong Kong, a letter or document said to have been written or signed by the former Vice-Chancellor, and emails he said had been sent after his account was hacked. The Tribunal found there was no documentary evidence, independent of the applicant's own supposition or inference, supporting the conclusion that those key documents existed, that ANU could reasonably be expected to have access to them if they did exist, and that they ought to be produced.

The 2023 FOI request was framed differently. It sought any document in the applicant's student file or otherwise held by ANU showing that his privacy had been breached, that documents or files relating to him had been stolen, altered or otherwise interfered with, or that there had been a data breach concerning his personal information or student file, for the period from 1 November 2017 to 20 March 2023. ANU refused that request under the FOI Act on the basis that relevant areas had been contacted and searches conducted, but no relevant paper or electronic documents could be located.

Even though ANU refused the 2023 request, it provided an incident report about the cyber-attack and additional information from its Chief Information Security Officer. That material said it was not possible to confirm what records were taken or which specific enterprise systems were affected, but set out ANU's assessment of the incident and the low probability of adverse impact to members of its community.

The central issue was not whether the applicant's allegations were true. The Court had to decide whether the Tribunal decision in the 2019 matter and the Information Commissioner decision in the 2023 matter were affected by reviewable administrative error under the ADJR Act. The pleaded grounds included that the decisions were not authorised, involved improper exercise of power, involved error of law, were induced or affected by fraud, or were otherwise contrary to law.

That required the Court to apply the familiar distinction between judicial review and merits review. Judicial review is concerned with legal error in the exercise of power. It is not a fresh hearing about whether a different factual conclusion should be reached. In practical terms, the Court had to ask whether the applicant had identified a legal flaw in the decision-making process, not whether the Court itself should decide that more documents existed or should have been produced.

The subpoena issue raised a related but separate procedural question. The applicant sought leave to issue subpoenas to ANU for production of documents including the alleged film, documents said to have been written or signed by the former Vice-Chancellor, emails said to have been sent after hacking of his account, positive evaluations of his PhD research, and records of information provided to ANU by a solicitor he had consulted. The Court had to decide whether those subpoenas had a legitimate forensic purpose in the judicial review proceeding.

The Court also had to deal with an application for a suppression order under the Federal Court of Australia Act 1976 (Cth) by grant of a pseudonym. The applicant sought that order to avoid distress and humiliation and to protect privacy and safety. The Court was not satisfied that the statutory threshold had been met.

Justice Longbottom dismissed both originating applications. In the 2019 matter, the Court held that the applicant had not discharged his burden of establishing the pleaded grounds of review. The judgment records that his written submissions did not address the pleaded grounds and instead referred to the subpoena requests and other material that did not provide a discernible basis for judicial review. At the hearing, when asked to explain why the Tribunal decision was affected by administrative error, he did not identify a proper judicial review basis for setting it aside.

The Court accepted that the applicant was self-represented and noted the need to ensure fairness to a litigant appearing in person. But the Court also said that leniency to a self-represented litigant cannot go so far as to confer an advantage. The applicant had been given the opportunity, both orally and in writing, to explain why the Tribunal decision was affected by administrative error, and the matters he raised did not support the pleaded grounds.

The Court's core conclusion was that the applicant was asking it to do what it could not do on judicial review. He wanted the Court to decide afresh whether ANU held additional documents within the scope of the 2019 FOI request and whether the identified documents that were withheld in whole or part were irrelevant or conditionally exempt. That is merits review, not judicial review. The Court also rejected reliance on the principle of legality because no issue of statutory construction had been identified that made the principle relevant.

As to allegations that the decision was induced or affected by fraud or illegality, the Court held that bare assertion was not enough, especially given the seriousness of those allegations. The Court was not satisfied that the applicant had discharged the burden of proof on that issue.

On the subpoena issue, the Court refused leave to issue the proposed subpoenas and declined to grant a stay pending reconsideration of them. The Court said the subpoenas lacked a legitimate forensic purpose for two main reasons. First, they were not directed to whether the Tribunal decision involved administrative error. Instead, they sought documents the Tribunal had found did not exist, or documents said to provide context for the significance of those alleged documents. Second, to the extent the subpoenas were said to support allegations of fraud, they amounted to a fishing expedition because there was no evidence, beyond the applicant's assertions, to suppose the key documents existed.

The Court also refused the application for a suppression order by pseudonym. It was not satisfied that the threshold for such an order had been met. Finally, the Court applied the ordinary rule on costs and dismissed both proceedings with costs orders against the applicant in the terms set out in the orders.

For business owners, the most practical part of this case is not the unusual factual allegations. It is the Court's treatment of documents, searches and process. In records disputes, a party may strongly believe more documents exist. But a court on judicial review will not usually step in just because someone disagrees with the factual outcome. What matters is whether the decision-maker followed the law and whether there is evidence to support serious allegations such as fraud or deliberate concealment.

That is why search records and decision reasons matter. If your organisation receives a request for documents, whether under a statutory access regime, a privacy complaint process, a regulator inquiry or ordinary litigation, you should be able to show what systems were checked, who was asked, what date ranges were used, what was found, and why any material was withheld, redacted or said not to exist. A vague assurance that a search was done is much less useful than a documented search process.

The 2023 branch of the case also highlights the importance of cyber incident documentation. ANU's response, as described in the judgment, referred to an incident report and additional information from its Chief Information Security Officer. That kind of material can become important later, even where the organisation cannot conclusively identify every record affected. Businesses should preserve incident reports, internal assessments, communications with technical teams, and any explanation given to affected individuals or regulators. Consistency matters. If your explanation changes over time without a clear reason, that can create avoidable risk.

The subpoena ruling is another practical lesson. A subpoena is not a general tool for searching for evidence that might support a broad theory of wrongdoing. The documents sought must have apparent relevance to a real issue in the proceeding. If the case is about legal error in a decision-making process, a subpoena aimed at proving a separate factual narrative may fail because it does not serve a legitimate forensic purpose.

Most private businesses will never be respondents to a Commonwealth FOI request in the same way a university may be. Even so, the case has broader value because the same habits matter across privacy disputes, cyber incidents, employee investigations, customer complaints and court processes. Good governance often looks ordinary when it is created, but becomes critical when someone later says records were hidden, altered or mishandled.

The first lesson is to separate process from outcome. A person may be convinced your organisation has more documents than it has identified. If the matter reaches a review body or court, your best protection is usually not rhetoric. It is a defensible process. Show what was searched, who was consulted, what records were found, and how the decision was made. If there are exemptions, redactions or gaps, explain them clearly and contemporaneously.

The second lesson is to treat serious allegations carefully. Fraud, hacking, blackmail and deliberate concealment are grave claims. Courts expect evidence, not just suspicion. If your business needs to make such an allegation, get advice early about what proof is required. If your business is on the receiving end of such allegations, respond with evidence and process, not just denial.

The third lesson is to understand the forum you are in. Judicial review is not the same as a merits appeal, an internal review, a regulator investigation or a damages claim. The available arguments and evidence will differ depending on the forum. Businesses can waste time and money if they approach a judicial review as though it were a fresh factual hearing.

The judgment was delivered on 20 May 2026 by Justice Longbottom in the Federal Court of Australia. The hearing took place on 30 September 2025. The two proceedings were QUD 587 of 2024 and QUD 61 of 2025. In QUD 587 of 2024, the respondents were the Australian Information Commissioner and ANU. In QUD 61 of 2025, the respondents were ANU and the Administrative Review Tribunal.

This page is published as a reviewed case explainer. It focuses on the parts of the judgment that are clearly available, especially the 2019 FOI dispute, the subpoena ruling, the refusal of a suppression order and the overall outcome. The discussion of the 2023 FOI branch in the material available here is incomplete, so this page does not go beyond what is clearly stated about that part of the case.