A simple copy and pasting error caused the Department of Immigration to accidently reveal the private information of over 9,000 detainees, putting it in breach of the Privacy Act and potentially allowing third parties to identify the names, age, gender, nationality, birthday, and period of detention of the asylum seekers involved.
A report by the Australian Privacy Commissioner has found that the sensitive details were made publicly accessible after staff in the Department copied data from Microsoft Excel to Microsoft Word documents, meaning the underlying data was still contained in the final documents, published on the Department’s website.
The breach was only realised after Guardian Australia discovered the error and reported it to the Department. The Department says it removed the data within an hour of being notified, but it had already been accessible for eight and a half days.
The incident raised serious questions about the long-term safety of asylum seekers in Australian detention centres, whose personal information potentially could have been accessed by the hostile governments and regimes they have fled.
Reporters covering asylum seeker issues in Australia could also be forgiven for seeing a little irony in the breach, given the Australian government has severely limited press access to those held in detention over the past decade on the basis that their privacy must be protected.
Once publicly revealed, the incident sparked a wave of court actions on behalf of affected detainees and the Office of the Australian Information Commissioner said it had received over 1,600 complaints from individuals affected by the disclosure.
The report handed down today by the Privacy Commissioner found Immigration Department staff had failed to comply with internal protocols.
“The Commissioner was particularly concerned about this information being publically available due to the vulnerability of the listed individuals,” it said.
In a press release, Australian Privacy Commissioner Timothy Pilgrim said the report containing the sensitive data had been accessed “a number of times” and that the Department had been aware of the privacy risks associated with embedding personal information in publications.
‘This breach may have been avoided if DIBP had implemented processes to de-identify data in situations where the full data set was not needed,” Pilgrim said.
In response to recommendations contained in the report, the Department has agreed to take a number of actions, including commissioning KPMG to conduct a second review into its “procedures and culture regarding the handling and management of sensitive data, both electronic and hardcopy”.
After an almost decade-long campaign, the Privacy Commissioner was recently granted powers to force compliance in regards to its recommendations, and pursue those who breach the Privacy Act in the Federal Court.
However, in a small piece of good fortune, the Department of Immigration has avoided this possibility, as the breach took place in February, just one month before the new powers came into effect.
This means the Commissioner will not be able to pursue the Department via the courts, should it fail to comply with the recommendations in the report.
Aside from the response already received, the Privacy Commissioner has asked the Department to respond with its own report by February 13, 2015.