Data security breach by Australian Immigration Department
The Australian Privacy Commissioner has found that the Department of Immigration and Border Protection contravened the Privacy Act when the Department accidentally published the personal details of almost 10,000 asylum seekers in a document that was intended to provide statistical information about the number and status of applications made for refugee status.
The contravention occurred in February 2014, just weeks before the commencement of amendments to the Privacy Act which made the legal consequences of data security breaches far more serious.
The accidental publication
The accidental publication was uncovered by journalists from the Guardian Australia, who found that a Microsoft Excel spreadsheet, containing identifying details of almost 10,000 asylum seekers, was embedded in the Microsoft Word version of the January 2013 issue of the Immigration Detention and Community Statistics Summary, dated 31 January 2014. The Commissioner found that the spreadsheet contained the following details:
“a) full names; b) gender; c) citizenship; d) date of birth; e) period of immigration detention; f) location; g) boat arrival details; h) reasons why the individual was deemed to be unlawful”.
The journalists contacted the Department shortly after becoming aware of the contents of the embedded spreadsheet, and the Department took the report down from its website. The Commissioner found that the report had been available on the Department’s website for about eight and a half days before it was taken down. The contents of the website had been archived automatically by the <archive.org> facility, and that copy remained available for about 16 days until it was taken down at the Department’s request. At the Department’s request, KPMG attempted to quantify the number of times the report had been accessed. They found that there had been 123 hits of the Department’s webpage containing the report from 104 unique IP addresses. No assessment could be made of the extent of any further distribution of the personal data by those who saw the report on the Department’s website, and neither the KPMG report nor the Commissioner’s findings canvass the extent to which the copy published on <archive.org> had been accessed.
The Commissioner found that the Department had contravened Information Privacy Principle 4(a) – the security principle – because the Department’s policies and practices failed to adequately address known security risks. The Department’s policies recognised the risk of inadvertent publication of personal information, but staff had not been made aware of why it was important to follow the policies, and how to do so.
The Commissioner also considered that there had been a breach of IPP 11 – the disclosure principle.
Legal consequence of these findings
The Commissioner undertook an own-motion investigation. Because the conduct occurred prior to March 2014, the Commissioner’s only power in the own-motion investigation was to publish adverse findings – no other legal consequence could flow from the investigation. The Department had voluntarily undertaken a range of steps to limit the further publication of the information about the asylum seekers, and to prevent future breaches of that kind re-occuring.
The Commissioner explained in his decision that he had received many complaints from individuals affected by the breach. In respect of those complaints, it will be possible for the Commissioner to award a financial remedy, provided that the affected individuals can establish that they have suffered loss of some kind. The Commissioner is continuing to investigate those complaints and has said that his findings in the own-motion investigation against the Department will be taken into account when dealing with the individual complaints. So this is clearly not the end of the matter for the Department.
The own-motion investigation and the complaints by the individuals to the Commissioner are not the first legal or administrative proceedings to have been commenced as a result of this data security breach. There has been a series of proceedings in the Federal Circuit Court (and two appeals to the Full Federal Court) in which individual asylum seekers have sought to challenge immigration decisions (including potential removal from Australia) because of the alleged adverse impact of the disclosure of their personal information. None of those proceedings sought remedies under the Privacy Act. See for example the SZTXY case at first instance and on appeal, the SZSSJ case at first instance and on appeal, and the SZUII case at first instance.
An observation on “disclosure” of information
Now for a personal bugbear. The Commissioner’s reasons (which are consistent with the position taken in his APP Guidelines – see paragraph B58) state:
“In general terms, an agency ‘discloses’ personal information when it makes the information accessible to others outside the agency and releases the subsequent handling of the personal information from its effective control.”
In my view, more should be required to make out that an entity has “disclosed” information.
On the Commissioner’s test, it does not matter whether anyone actually received the information – the mere fact of publication is sufficient. Of course, the likelihood of no-one viewing a document made available on the internet is low, but it is possible to conceive of an accidental publication of a document on a website which was taken down before anyone had viewed it (and evidence of that fact in the form of log files could be presented). Surely in that scenario there would be no “disclosure”.
In this instance (and probably in most others) this is an academic point, since there was evidence that there were 123 hits on the Department’s webpage containing the report, so the information was clearly transmitted by the Department to other parties.
The NSW Court of Appeal has held, in a case involving the Privacy and Personal Information Protection Act 1998 (NSW) that:
“The essence of disclosure of information is making known to a person information that the person to whom the disclosure is made did not previously know.” (see Nasr v State of NSW  NSWCA 101 at  – )
In the APP Guidelines the Commissioner specifically states that there will be a disclosure “even where the personal information is already known to the recipient.” The guidelines do not acknowledge the existence of the Court of Appeal’s decision – no justification is given for the Commissioner’s approach, even though the decision was brought to his attention by the Law Council of Australia in the consultation process undertaken prior to release of the guidelines (a personal disclosure is appropriate here – I had a hand in the Law Council’s submission).
Because of his approach to the concept of disclosure, the Commissioner did not turn his mind in this investigation to whether or not the persons who obtained access to the report previously knew the facts or opinions about the affected individuals that were contained in the report. Again, in this instance, given the extent of the data and its relative secrecy, it would have been entirely reasonable for the Commissioner to infer that readers of the report were not previously aware of some or all of the personal information contained within it. However, in other cases (such as the Nasr case in the NSW Court of Appeal) this point could make a big difference. Given the Commissioner’s approach, it seems that this will only be tested if a suitable case gets to court one day.