Home Affairs breaches privacy and ordered to pay compensation to asylum seekers

The Department of Home Affairs has been ordered to pay compensation to 1,297 asylum seekers after mistakenly publishing their personal information online in 2014.

The initial complaint arose eight years ago following the incorrect publication of a detention report on the department’s website in 2014 containing information on 9,258 individuals in detention. The report contained personal information that identified all persons in immigration detention as of 31 January 2014 and remained online for eight days until it was reported by a journalist.

This personal information consisted of full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons that led to the individual becoming an unlawful non-citizen under the Migration Act 1958.

The then Immigration Minister, Scott Morrison, called the incident “unacceptable” saying the information was “never intended” to be in the public domain. Australian Privacy Commissioner Timothy Pilgrim noted that the “incident was particularly concerning due to the vulnerability of the people involved”.

Mr Pilgrim said that investigations into the Department show that it was aware of the privacy risks of embedding personal information in publications, but that its systems and processes failed to adequately address those risks. This meant that staff did not detect the embedded information when the document was created or before it was published.

The Representative Complaint requested that the Department provide an apology and compensation for its error. The Commissioner established claims for 1,297 of the asylum seekers who were able to demonstrate that they suffered loss or damage resulting from the data breach. These members provided submissions or evidence to be granted monetary compensation for the non-economic loss.

Compensation ranged from $500 to more than $20,000 for cases of extreme loss or damage. Commissioner Falk expressed that compensation would be awarded on a case-by-case basis and recognises the strong implications of “loss of privacy or disclosure of personal information”. This remedy was considered appropriate for the Department’s breach of s 52 of the Privacy Act 1988.

Commissioner Falk said that payments should be determined and made within 12 months, and if class members do not agree on the assessed amount of compensation, it may be reassessed until agreeable.

This data breach also demonstrates the difficulties of effectively containing a breach where information has been published online, and highlights the importance of taking steps to prevent data breaches from occurring, rather than relying on steps to contain them after they have occurred. It is an important reminder to organisations that hold personal or sensitive data that the consequences of a breach could result in serious action.

The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.

Related News

What happens if you, as an insurer, have not yet concluded whether or not to indemnify an insured, and a third party commences Court proceedings against your insured (with the indemnity decision still pending)?

When these types of claims arise, an insurer (and its panel firm) can continue to act for an insured on a “reservation of rights” basis.

Read More

Can you sue if a “registered” company is “in liquidation”, “under administration” or has become “deregistered”? 

It is common to see Court proceedings commenced in the name of an individual or against an individual.   But sometimes, Court proceedings are commenced by

Read More

The Briginshaw-test

Did you know that the Briginshaw-test requires a higher standard of evidence in civil matters where serious allegations are made, such as fraud. This principle

Read More

Get in touch

Contact our team today

Stay informed

Keep up-to-date with our regular news and insights

This field is for validation purposes and should be left unchanged.
William Roberts Lawyers


Level 22
66 Goulburn Street


Level 21
535 Bourke Street


Level 8
300 Ann Street


Level 19
Singapore Land Tower
50 Raffles Place