Peter A Clarke

The story of a data breach by the Department of Immigration by the Guardian has resulted in the Privacy Commissioner launching an investigation.  The Commissioner issued a statement providing:

The Office of the Australian Information Commissioner (OAIC) is aware of this data breach. I have spoken to the Department of Immigration and Border Protection and have been assured that the information is no longer publically available. This is a serious incident and I will be conducting an investigation into how it occurred. As part of this investigation, the Department has undertaken to provide me with a detailed report into the incident. Further, the OAIC will be working with the Department to make sure they are fully aware of their privacy obligations and to ensure that incidents of this nature will not be repeated.

It is quite a restrained response.  It is not a serious incident.  It is a catastrophic one.  More than working with a department is required.  One can only hope this approach has been taken is because the powers of the Commissioner are so limited at this stage.  After 12 March when the Privacy Commissioner’s powers are enhanced one can only expect that he will be much more assertive.  A breach of this nature in the United Kingdom would attract a monetary penalty of thousands of pounds. I have posted on the ICO’s actions here, here and here. The inquiries will work their way through the records but the overwhelming likelihood is that human error will play a large part, if overseas experience is any guide.  That will be compounded by poor data handling practices and inadequate data security.

The story has been picked upon by the Age which provides:

The Privacy Commissioner and the Immigration Department have launched investigations into how details of thousands of asylum seekers in Australia were inadvertently made accessible online.

The breach could potentially see thousands of asylum seekers in Australia who were previously ineligible for refugee status have their claims validated, one legal expert says.

Refugee lawyer David Manne said the law was “crystal clear that identification of a person seeking protection can result in them being granted protection on that basis itself”.

“It’s a fundamental principle of refugee law that a person seeking asylum should be free to make their claim free of disclosure of their identity to the authorities in their home country,” he said, describing the reported revelation as one of the most “grave and dangerous breaches of privacy in Australian history”.

Guardian Australia reported on Wednesday that the personal details of a third of asylum seekers held in Australia – making up about 10,000 people – were revealed on the Immigration Department’s website.

Privacy Commissioner Timothy Pilgrim announced on Wednesday afternoon that he had spoken to Immigration and had “been assured” that the information was “no longer publicly available”.

Describing the breach as a “serious incident” Mr Pilgrim said he would investigate how it occurred. He added that Immigration would provide a detailed report about the incident as part of the investigation.

Later on Wednesday, Immigration Minister Scott Morrison released a statement confirming that an “immigration detention statistics report” released on the department’s website on February 11 “inadvertently provided access to the underlying data source used to collate the report content which included private information on detainees”.

Mr Morrison welcomed Mr Pilgrim’s investigation and said Immigration Department’s secretary Martin Bowles had also tasked KPMG to review how the breach occured, with an interim report due next week.

He said the “unacceptable incident” was a “serious breach of privacy” by the department.

“I have asked the department Secretary to keep me informed of the actions that have been initiated, including any disciplinary measures that may be taken, as appropriate,” Mr Morrison said.

The Immigration Minister said that immediate steps had been taken to remove the documents from the department’s website after media alerted it of the breach.

“The information was never intended to be in the public domain, nor was it in an easily accessible format within the public domain,” he said.

Mr Morrison also told Sky News it was still to be seen whether the release of the information would have implications for the protection claims of the asylum seekers involved.

‘‘All people’s protection claims are considered individually on the merits of each specific case,’’ he said.

‘‘There would be no general rule that would apply to these sorts of things.’’

A report by Guardian Australia said the information online included all asylum seekers held in a mainland detention facilities, on Christmas Island and several thousand in community detention. Children were also included.

Despite the federal government’s insistence about the need for greater secrecy when it comes to immigration and border protection, the full names, nationalities, location, arrival date and boat arrival information was reportedly revealed on the department’s website.

Guardian Australia has not identified where the database was located online and said it told the department about the information before it reported the breach.

Refugee Council of Australia president Phil Glendenning said the release of asylum seekers’ information was “outrageous” and unprecedented.

“We are deeply disturbed by this,” he told Fairfax Media.

Mr Glendenning said the breach ran the risk of exposing people who were already vulnerable to “very serious danger”.

This not only included reprisals if asylum seekers were sent back to their country of origin, but their families – either in home countries, or transit countries in between.

The Refugee Council is also seeking particular assurances about the safety of people in community detention who may have had their location revealed.

Labor’s immigration spokesman Richard Marles said the report was an “enormous concern”. “Let’s be clear – this is a government with a culture of secrecy but it is utterly unable to manage secrecy,” he told reporters in Canberra.

Coalition MP Jane Prentice told Sky News that the breach was a “shocking mistake” and that the “full ramifications” would have to be examined

Today’s PM radio program also ran a story Personal details of thousands of asylum seekers accidentally published online which provides:

MARK COLVIN: In the worlds of Napoleon, ‘it was worse than a crime, it was a blunder’. For at least two decades journalists dealing with the Immigration Department have been told as an article of faith how important it is that asylum-seekers not be personally identified before their cases are decided.

One reason: that if their identities are known, and they subsequently get sent back, the identification itself could put their lives in danger.

But today it emerged that the Immigration Department published the personal details of thousands of asylum seekers on its website – and left them there for several days.

The leak – confirmed by the Immigration Minister Scott Morrison – has been described as one of the gravest and most dangerous breaches of privacy in Australia’s history.

Jane Norman reports from Canberra.

JANE NORMAN: The Immigration Department closely guards the identities and details of asylum seekers. But, in a serious breach of privacy, a database containing the personal details of about 10,000 asylum seekers in detention was accidently published on the Department’s website.

The Immigration Minister Scott Morrison has told Sky News the breach is unacceptable.

SCOTT MORRISON: And we’re getting to the bottom of that; KPMG will give us some interim findings on that next week, and that will provide the ability to ensure that there’s no repeat of these things. I do find it unacceptable; I’ve made it very clear to the department secretary, and to the extent that disciplinary action is required and appropriate, then I would expect that to be taken.

JANE NORMAN: According to the Guardian Australia website, the database contains the full names of asylum seekers, as well as their nationalities, location in Australia, arrival date and boat arrival information.

The Immigration Department has released a statement saying the information was never intended to be made public, and it admits the file was vulnerable to unauthorised access. The Department says the database has since been removed, and it’s investigating how it occurred.

SCOTT MORRISON: It was put… placed there inadvertently, it wasn’t readily accessible, it required quite a number of things for any user to do to obtain access to that information, but there is no excuse for that information to have been there in a way that could be potentially accessed.

The Opposition’s immigration spokesman is Richard Marles.

RICHARD MARLES: This is of enormous concern. This is a Government with a culture of secrecy which can’t even get secrecy right. And so we need to understand how this has happened; obviously we need to make sure this doesn’t happen again.

JANE NORMAN: Greens Senator Sarah Hanson-Young is calling on the Minister, Scott Morrison, to explain.

SARAH HANSON-YOUNG: The Minister needs to clarify how this occurred, how he will stop it happening again, and how he will ensure that the thousands of asylum seekers whose lives have now been put at risk will be protected because of this huge security breach.

JANE NORMAN: The Privacy Commissioner has launched his own investigation. Timothy Pilgrim has released a statement describing it as a ‘serious incident’. It reads:

STATEMENT FROM TIMOTHY PILGRIM (voiceover): As part of this investigation, the Immigration Department has undertaken to provide me with a detailed report into the incident. Further, the Commission will be working with the Department to make sure they are fully aware of their privacy obligations and to ensure that incidents of this nature will not be repeated.

JANE NORMAN: The Executive Director of the Refugee and Immigration Legal Centre, David Manne, says the consequences could be enormous.

DAVID MANNE: Oh look, this constitutes one of the moment grave and dangerous breaches of privacy in Australian history. I mean, there are very strict laws in Australia to ensure that the personal identity details of people seeking protection from persecution are not disclosed.

JANE NORMAN: What are the legal implications of a breach like this?

DAVID MANNE: Under law, it is crystal clear that revealing a person’s identity when they’re seeking protection can result in a heightened risk of persecution if they were returned to their home country, and could result in that person needed to be protected as a refugee here.

JANE NORMAN: So are you suggesting then that this could potentially benefit some asylum seekers’ claims?

DAVID MANNE: Well look, the central question for every person seeking asylum in Australia is whether or not they face a real chance of being persecuted if returned to their home country. Now if the revealing of their identity publicly has heightened the risk of that person being harmed if returned, that could well result in that person needing to be protected in Australia.

JANE NORMAN: From privacy breaches to territorial ones. Late this afternoon Customs and Defence released a joint report confirming Australian border protection ships entered Indonesian waters six times between December last year and January.

The review found the ships inadvertently entered Indonesian territory, contrary to Government policy. Indonesia has been briefed on the report, but it’s unlikely the country will be satisfied.

Last week Indonesia’s top navy spokesman told the ABC that in this day and age the navigational equipment of war vessels is very modern and it is baseless to say what happened was unintentional or a form of ignorance.

MARK COLVIN: Jane Norman. And we’ve been asking Scott Morrison, the Immigration Minister for an interview on this program about the leak, about the Navy’s breaches of Indonesia’s borders and about Manus Island, he’s not been available.