This case is not a simple privacy damages claim. It is a judicial review case about FOI decisions, searches for documents and the limits of what the Federal Court can do when someone is dissatisfied with an access process. The applicant believed important documents existed and had been wrongly withheld. ANU and the Information Commissioner said the Court was being asked to redo the merits of earlier FOI decisions, which is not the function of judicial review.
The story is useful for businesses because it shows how quickly a data or records dispute becomes a process dispute. The 2023 FOI request was refused because ANU said reasonable searches had been conducted and relevant documents were not located. The Information Commissioner accepted that all reasonable steps had been taken.
In Court, the applicant sought subpoenas and orders that would effectively force production or fresh factual findings about whether records existed and whether personal information had been affected by the cyber attack.
The Federal Court dismissed both proceedings. It held that the applicant had not established administrative error, that the subpoena requests lacked a legitimate forensic purpose, and that the proceedings impermissibly tried to convert judicial review into a fresh merits review. The Court also refused a pseudonym suppression order, emphasising the high threshold for restricting open justice.
For ordinary small businesses, the FOI Act will usually not apply unless the business is dealing with government-style access regimes. But the operational lesson is still valuable. If a customer, employee, contractor or regulator asks about data, cyber exposure or records, the business should be able to show what it searched, who searched it, what systems were checked, what documents were located, and what conclusion it reached.
In a cyber incident, careful wording matters: overpromising certainty can create later trouble, but vague or undocumented responses can make the organisation look evasive.