Wednesday, 19 November 2014
Australian Information Commission finds Department of Immigration and Border Protection unlawfully disclosed personal information of asylum seekers
Office of the Australian Information Commission, media release on Wednesday, 12 November 2014:Department of Immigration and Border Protection unlawfully disclosed personal information of asylum seekers
The Department of Immigration and Border Protection (DIBP) has been found in breach of the Privacy Act 1988, by failing to adequately protect the personal information of approximately 9,250 asylum seekers. They have also been found to have unlawfully disclosed personal information.
The Office of the Australian Information Commissioner (OAIC) was notified by the Guardian Australia on 19 February that a ‘database’ containing the personal information of 'almost 10,000' asylum seekers was available in a report on DIBP’s website. DIBP removed the report from its website within an hour of being notified. The report was available on DIBP’s website for approximately eight and a half days.
The categories of personal information compromised in the data breach consisted of full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons why the individual was deemed to be ‘unlawful’.
‘This incident was particularly concerning due to the vulnerability of the people involved,’ said Australian Privacy Commissioner, Timothy Pilgrim.
The breach occurred when statistical data was mistakenly embedded in a Word document that was published on DIBP’s website. The report was accessed a number of times, and was republished by an automated archiving service.
Mr Pilgrim said that OAIC’s investigation found that DIBP was aware of the privacy risks of embedding personal information in publications, but that DIBP’s systems and processes failed to adequately address those risks. This meant that DIBP staff did not detect the embedded information when the document was created or before it was published.
‘This breach may have been avoided if DIBP had implemented processes to de-identify data in situations where the full data set was not needed,’ he said.
This data breach also demonstrates the difficulties of effectively containing a breach where information has been published online, and highlights the importance of taking steps to prevent data breaches from occurring, rather than relying on steps to contain them after they have occurred.
‘I have made a number of recommendations about how DIBP could improve their processes, including requesting that they engage an independent auditor to certify that they have implemented the planned remediation. I have asked DIBP to provide me with a copy of the certification and the report by 13 February 2015’, Mr Pilgrim said.
The OAIC is still receiving privacy complaints from individuals affected by the breach. The OAIC has received over 1600 privacy complaints to date, and these complaints are on-going.
Media contact: Ms Leila Daniels 0407 663 968 firstname.lastname@example.org
As this breach occurred prior to 12 March 2014, the Privacy Commissioner’s powers under the Privacy Act 1988 were limited to making recommendations.
The full report can be accessed on the OAIC website: http://www.oaic.gov.au/privacy/applying-privacy-law/commissioner-initiated-investigation-reports/dibp-omi