The Office of the Australian Information Commissioner (OAIC) today announced that the Department of Immigration and Border Protection (DIBP) breached the Privacy Act in February 2014.
A ‘database’ containing the personal information of ‘almost 100,000’ asylum seekers was publicly accessible via the DIBP website for approximately eight days before being removed by DIBP upon being alerted by the OAIC. This information consisted of full names, gender, citizenship, date of birth, period of detention, location, boat arrival details and reasons why DIBP deemed the individual ‘unlawful’.
This breach occurred when statistical information was inadvertently embedded in a MS-Word document published on DIBP’s website. The report was accessed multiple times while it was live on the website and was republished by an automated archiving service.
The OAIC announced that the Privacy Commissioner found that DIBP had breached two Information Privacy Principles, namely IPP 4 (security of personal information) and IPP 11 (disclosure of personal information).
The Information Privacy Principles, which applied to Commonwealth Government departments and agencies, were replaced by the Australian Privacy Principles on 12 March 2014.
The Privacy Commissioner found that:
- while DIBP had numerous procedures and policies at the time of the breach governing the compilation, clearance and publication of its reports, such policies and procedures lacked the necessary detail to mitigate against the risk of a data breach;
- DIBP staff were not adequately trained on how to implement the procedures outlined in the policies and the importance of following them correctly in order to safeguard personal information that DIBP held.
- DIBP breached IPP 4 by failing to implement reasonably security safeguards to protect the personal information it held against loss, unauthorised access, use, modification or disclosure and against other misuse;
- DIBP disclosed the compromised information within the meaning of IPP 11 because the information was publicly accessible via DIBP’s website, that none of the statutory exceptions to the obligations in IPP 11 applied and DIBP acknowledged that the information should not have been publicly available.
The Commissioner recommended that DIBP monitor internal compliance and establish new processes to ensure that internal compliance procedures are consistently followed, and asked DIBP to engage an independent auditor to certify that DIBP has completed its planned remediation steps (including staff training). The DIBP was also instructed to present to the Commissioner the Auditor’s Report by 13 February 2015.
- revised its privacy procedures and has commenced updating its IT infrastructure;
- created an internal working group to provide formal governance for online publishing and updated its online publishing material with particular emphasis on checking for embedded or hidden data; and
- engaged KPMG to review DIBP’s policies, procedures and culture regarding the handling and management of sensitive data and DIBP will also engage an independent auditor to certify to the OAIC that it has taken the remediation steps recommended by the Commissioner and by KPMG.
A copy of the Commissioner’s decision can be accessed here.