This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Department of Immigration and Border Protection

Summary

The Department of Immigration and Border Protection (now Department of Home Affairs) accidentally published a detention report on its website containing the personal information of all 9,258 people in immigration detention. The report was publicly accessible for approximately eight and a half days before being removed, exposing highly sensitive information about asylum seekers including names, nationalities, detention locations and boat arrival details.

What Happened

On 10 February 2014, the Department published a routine detention statistics report on its website. However, the report contained embedded personal information that should have been removed before publication. The data included full names, gender, citizenship, dates of birth, period of immigration detention, location, boat arrival details, and the reasons why individuals were deemed to be unlawful.

The report remained publicly accessible on the Department's website until 19 February 2014, when Guardian Australia notified the Office of the Australian Information Commissioner that a database containing the personal information of almost 10,000 asylum seekers was available online. The Department removed the report from its website within an hour of being notified, but the information had been publicly accessible for eight and a half days.

The Australian Information Commissioner opened an own motion investigation on 21 February 2014 to examine how the breach occurred and whether the Department had breached privacy obligations.

Impact on Individuals

The breach had particularly serious consequences for asylum seekers, a highly vulnerable population:

  • Safety risks: Exposure of nationalities, boat arrival details and asylum claims could endanger individuals if the information reached authorities or groups in their countries of origin
  • Family safety: Information about asylum seekers could potentially identify and endanger family members still in origin countries
  • Stigmatisation: Public disclosure of immigration detention status and the reasons for being deemed unlawful exposed individuals to potential discrimination
  • Re-traumatisation: Many asylum seekers have experienced trauma, and having their personal circumstances publicly exposed could cause significant psychological distress
  • Legal implications: Details about individual cases and claims could potentially be used against asylum seekers in immigration proceedings

The sensitive nature of asylum seeker data meant even seemingly basic information like nationality or arrival method could have life-threatening implications if it reached the wrong parties.

On 30 August 2015, a representative complaint was filed with the Office of the Australian Information Commissioner on behalf of all persons whose information was published by the Department. The complaint requested an apology and compensation for affected individuals.

Norton Rose Fulbright Australia was appointed as the independent scheme administrator to assess loss or damage suffered by individuals affected by the breach and provide payment of compensation to those who had suffered harm. The Commissioner found the Department had unlawfully disclosed personal information and breached the Privacy Act 1988.

Organisational Response

The Department removed the report within an hour of being notified by Guardian Australia. The Department of Immigration and Border Protection was found to have breached the Privacy Act by failing to adequately protect the personal information of approximately 9,250 asylum seekers. A compensation scheme was established to provide redress to affected individuals, though participation required individuals to come forward and demonstrate the loss or damage they had suffered as a result of the breach.

Verification Source: View original statement