Home Affairs breaches privacy and ordered to pay compensation to asylum seekers

The Department of Home Affairs has been ordered to pay compensation to 1,297 asylum seekers after mistakenly publishing their personal information online in 2014.

The initial complaint arose eight years ago following the incorrect publication of a detention report on the department’s website in 2014 containing information on 9,258 individuals in detention. The report contained personal information that identified all persons in immigration detention as of 31 January 2014 and remained online for eight days until it was reported by a journalist.

This personal information consisted of full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons that led to the individual becoming an unlawful non-citizen under the Migration Act 1958.

The then Immigration Minister, Scott Morrison, called the incident "unacceptable" saying the information was "never intended" to be in the public domain. Australian Privacy Commissioner Timothy Pilgrim noted that the “incident was particularly concerning due to the vulnerability of the people involved”.

Mr Pilgrim said that investigations into the Department show that it was aware of the privacy risks of embedding personal information in publications, but that its systems and processes failed to adequately address those risks. This meant that staff did not detect the embedded information when the document was created or before it was published.

The Representative Complaint requested that the Department provide an apology and compensation for its error. The Commissioner established claims for 1,297 of the asylum seekers who were able to demonstrate that they suffered loss or damage resulting from the data breach. These members provided submissions or evidence to be granted monetary compensation for the non-economic loss.

Compensation ranged from $500 to more than $20,000 for cases of extreme loss or damage. Commissioner Falk expressed that compensation would be awarded on a case-by-case basis and recognises the strong implications of “loss of privacy or disclosure of personal information”. This remedy was considered appropriate for the Department’s breach of s 52 of the Privacy Act 1988.

Commissioner Falk said that payments should be determined and made within 12 months, and if class members do not agree on the assessed amount of compensation, it may be reassessed until agreeable.

This data breach also demonstrates the difficulties of effectively containing a breach where information has been published online, and highlights the importance of taking steps to prevent data breaches from occurring, rather than relying on steps to contain them after they have occurred. It is an important reminder to organisations that hold personal or sensitive data that the consequences of a breach could result in serious action.

The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.