In brief: The Australian Privacy Commissioner has released a report into the Department of Immigration and Border Protection having breached the privacy of asylum seekers in February 2014. Partner Michael Pattison (view CV) and Associate Priyanka Nair report on the Commissioner's findings and the lessons for all organisations on taking 'reasonable steps' to protect the personal information which they hold.
HOW DOES IT AFFECT YOU?
- The report made a number of findings which should be considered by all organisations in assessing whether their practices and procedures comply with the obligations under the Privacy Act 1988 (Cth), as follows.
- It is not sufficient to have security policies that identify particular privacy risks unless the organisation also has processes and procedures in place to mitigate those risks.
- Where a security policy recommends that particular steps be taken, the reason for that recommendation should be given.
- Materials should be de-identified wherever possible so as to minimise the risks of the individual's identity being inadvertently revealed.
- Special care needs to be taken when any material is being prepared for publication in an online environment. Due to the nature of the online environment, once a privacy breach occurs it can be very difficult to rectify all the consequences of the breach.
- Prompt action will be needed in order to deal with the consequences of a privacy breach. The Commissioner was critical of the fact that the Department of Immigration and Border Protection (the Department) took 13 days to request the removal of the material from an internet archive.
In February 2014, the Department published a Microsoft Word version of its Immigration Detention and Community Statistics Summary (the Detention Report). The Word version contained a number of graphs. Unfortunately, the Excel spreadsheet used to generate those graphs was embedded in the report, making its details accessible by those who accessed the report. The embedded Excel spreadsheet contained the names and details of approximately 9,250 asylum seekers, including reasons why the individuals were deemed to be unlawful.
The Department was notified by the media that the Detention Report contained those details at 9.15am on 19 February 2014. The Department removed the Detention Report from its website by 10am that same day, by which time it had been available on the Department's website for 8½ days.
The Department subsequently discovered that the Detention Report was also available on Archive.org. The Department wrote to Archive.org on 24 February, seeking removal of the Detention Report. Archive.org complied with this request on 27 February, by which time the Detention Report had been available on Archive.org for about 16 days.
Although the incident occurred prior to the changes to the Privacy Act coming into effect on 12 March 2014, the relevant principles of law (other than for the ability to impose a penalty) are substantially the same as would apply under the changed Act.
On becoming aware of the breach, the Department had:
- removed the Detention Report from its website;
- used search engines to confirm that the Detention Report was no longer available through public search engines;
- attempted to determine who had accessed the Detention Report, through examining its records as to the number of times the Detention Report had been accessed and the location of the IP addresses that had attempted to retrieve the Detention Report;
- wrote to Archive.org seeking the removal of the Detention Report;
- engaged an external consultant to undertake a review of the data breach and to identify departmental vulnerabilities, policies or management practices that contributed to the breach; and
- commenced the process of notifying the affected individuals.
The Commissioner's investigation and report focused on determining whether the data breach represented a breach by the Department of Information Privacy Principle 4(a) (the data security principle), the IPP which required governmental organisations to ensure that records containing personal information are protected by such security standards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure or other misuse. The equivalent provision in the amended Privacy Act is APP 11. The Commissioner also considered the Department's compliance with IPP 11.1, requiring that a governmental agency not disclose personal information about an individual unless a listed exception applies. The equivalent provision under the changed Privacy Act is APP 6.1.
In relation to the data security principle, the Commissioner found that the breach was caused by the failure of a number of departmental policy documents to mitigate adequately against the known risks of embedded data. The risk of embedding data in documents had been recognised by the Department in its policy documents which instructed staff to paste pictures of graphs into Microsoft Word documents. However, the reason for this instruction was not given, nor were sufficient instructions given on how to carry it out.
The Commissioner was of the view that compliance with the data security principle and the relevant policy documents would have been more likely had staff understood why and how to comply with such a policy for preventing the disclosure of embedded data. The Commissioner pointed out that security policies will not amount to reasonable security safeguards where they are not understood by staff and therefore unlikely to be adhered to.
In addition to the mistake of including the embedded data in the Detention Report itself, the Commissioner found that a reasonable security safeguard would have been to de identify the information at an early stage in the process of compiling the Detention Report. The Department's failure to do so contributed to the breach of the data security principle.
Finally in this respect, the Commissioner found that part of complying with the data security principle was to take steps to ensure that staff understand how to, and are able to, adhere to the procedures outlined in the Department's data security policy. This includes ensuring that training is provided in relation to the policy.
The Commissioner found that by making the personal information available to the general public by publishing it on the Department's website, the Department had disclosed the information within the meaning of IPP 11/APP 6.1. As that disclosure was not for one of the purposes permitted by the Privacy Act, and none of the exceptions applied, the publication was an unauthorised disclosure and therefore a breach of IPP 11.
Most organisations now have security policies in place intended to protect the personal information that they hold. However, the Commissioner's comments on the required contents of these policies, and the need for other steps to be taken to ensure that they are given effect, provide additional guidance for organisations as to what the policies need to contain and what steps they need to take in order for the organisation to discharge its obligation to take reasonable steps to protect the personal information that it holds. In this respect the Commissioner's decision in this case is consistent with his finding in the earlier Telstra data breach report.