Australian Department of Immigration data breach – another court decision

Data security breaches can cause much more than financial harm to affected individuals. In February 2014 the Australian Department of Immigration accidentally disclosed personal information about almost 10,000 asylum seekers. The asylum seekers became concerned that if their request for asylum was denied and they were removed from Australia to their country of origin, they may face persecution if the authorities in their country of origin had become aware of their asylum request as a result of the data security breach.

We first blogged about this data security breach in November 2014 when the Privacy Commissioner published the results of his investigation into the breach, which found that the Department had contravened the Privacy Act. The Commissioner undertook that investigation on his own motion and before his office had received any complaints from affected asylum seekers. The complaints have subsequently been received by his office. Given the Commissioner’s earlier finding of a contravention of the Privacy Act, the focus of his investigation of the many complaints will, to a large degree, be on the extent of damage suffered by the affected individuals. However, the Privacy Commissioner has no power to affect the immigration status of the asylum seekers – the decision as to whether the individuals should be granted asylum or removed from Australia rests with the Minister for Immigration. The Commissioner’s powers are, in substance, limited to awarding compensation (including for emotional distress) and requiring the Department to take steps to mitigate the risk of a similar contravention occurring in future.

The data security breach has spawned a series of cases in the Federal Circuit Court against the Minister for Immigration and appeals to the Full Federal Court. Some were mentioned in our original blog. We followed up with a further post in March 2015, reporting on a decision to restrain the Minister from removing an affected asylum seeker from Australia pending determination of an administrative law challenge focussed on the impact of the data security breach.

The latest development occurred in early September 2015 when the Full Court of the Federal Court of Australia held that the Minister of Immigration had failed to afford two asylum seekers procedural fairness when assessing the potential impact of a data security breach on those individual asylum seekers.

At the heart of the asylum seekers’ argument was the contention that the Department had refused to give them enough information about the extent of the security breach to allow them a fair opportunity to explain their concerns about the potential impact of that breach on their safety if they were to be returned to their country of origin. The Department had only provided the asylum seekers with a redacted version of the forensic report prepared by KPMG into the circumstances and extent of the data security breach. So they were not in a position to know who accessed the leaked data and, as a result, argued that they could not make an informed submission about the extent of the risk of persecution flowing from the data security breach. The Full Court accepted this argument and found that the process followed by the Department was “unfair to a significant degree”.

Although formal orders implementing the decision of the Full Court have not been made at the time of writing, it seems likely that the Minister will be restrained from removing the two asylum seekers from Australia until the Minister discloses much more information about the data security breach to them, and gives the asylum seekers a fair opportunity to make submissions about the likely impact of the unauthorised disclosure of their personal information on their safety if they were to be removed to their countries of origin. The Department can be expected to treat other asylum seekers whose personal information was disclosed inadvertently by the Department in a similar manner.

As is the case with the vast majority of administrative law cases, this latest decision is about the process of decision making more than the outcome. It is entirely possible that these legal challenges will simply delay the removal of the asylum seekers, and will not result in a decision granting them a right to reside in Australia.

Readers with an interest in this data security breach should follow the media coverage in The Guardian Australia. It was journalists from that publication who discovered the security breach and reported it to the Department. See Paul Farrell’s article of 18 September, which includes links to earlier coverage.