For the first time in Australian history, the Office of the Australian Information Commissioner (OAIC) has found victims of a mass data breach should receive compensation for non-economic loss.

the data breach & the OAIC investigation

In early 2014, the Department of Home Affairs (DHA) unintentionally released a detention report on the DHA website which disclosed personal information of 9,251 asylum seekers. This included information such as: names, gender, citizenship, why the detainee was detained, and where they were being detained.

Every person held in detention on Christmas Island at the time was identified. Given this, the following complaints were made to Australia’s privacy regulator, the OAIC:

  • an individual complaint, on 25 March 2014; and
  • a joint complaint by 1,297 affected asylum seekers, on 30 August 2015.

Consequently, the OAIC commenced an investigation into the practises of the DHA (formerly the Department of Immigration and Border Protection), on 23 April 2014.

consequences of the breach

After almost six years of investigating, the OAIC reached a decision on 11 January 2021 and determined that the Secretary to the DHA breached the Privacy Act 1988 (Cth) by:

  • disclosing personal information on a publicly available website, in breach of Information Privacy Principle (IPP) 11; and
  • failing to take such security safeguards as it is reasonable in the circumstance to take, in breach of IPP 4.

In other words, the unauthorised publication of information interfered with individuals’ privacy.

Accordingly, the DHA was ordered to compensate almost 1,300 asylum seekers. Compensation amounts will range between $500 to more than $20,000, which will be paid on a case-by-case basis for those who are able demonstrate loss or damage as a result of the data breach.

key takeaways

Privacy breaches are taken seriously by the OAIC and as a result, businesses should always ensure they correctly handle personal information.

Remember, a simple incorrect or unintentional upload can have significant and long-lasting ramifications, as this case showed.