Another reported loss of personal information relating to asylum seekers this time lost by Save the Children
October 19, 2014 |
The Guardian reports in Asylum seekers’ personal details stolen in second immigration data breach reports on another breach of data security relating personal information of asylum seekers. This breach reportedly involves the loss of hard drives holding data which was not password protected. If the report is accurate the personal information would include sensitive information for the purposes of the Privacy Act. Information relating to mental health issues and minors is particularly sensitive. The loss also highlights the need to maintain proper security for mobile devices, whether they are USB stick/portable hard drives, flash drives, memory cards, phones or whatever means by which data are stored in a digital form. Password protection is a minimum as should be proper encryption. If a breach of this nature occurred in the United Kingdom, based on previous rulings, this form of transgression would attract close scrutiny from the Information Commissioner’s Office and possibly a Monetary Penalty Notice. An enforceable undertaking at the very least. This breach is certainly within the regulatory remit of the Privacy Commissioner.
The article provides
The personal details of hundreds of asylum seekers on Nauru have been stolen in a second major data breach within Australia’s immigration detention system.
At least two hard drives, not password-protected and containing the personal details of hundreds of asylum seekers, including children, have been stolen from detention camps this year.
The sensitive information stolen includes detainees’ complete personal details and case files, medical histories, as well as their protection claims detailing why they felt forced to leave their home country to claim asylum in Australia.
The stolen files also contain case worker notes on detainees, including mental health and behavioural issues, complaints about treatment and allegations of abuse, and the minutes of “vulnerable minors meetings” where the issues faced by children in detention were discussed.
None of the information has been recovered after several months.
Guardian Australia understands the asylum seekers have not been told their personal information has been stolen.
In February, Guardian Australia revealed the personal details of nearly 10,000 adults and children in immigration in detention had been inadvertently posted on a public website by the Department of Immigration and Border Protection.
This week, the immigration minister, Scott Morrison, said the department website would be secure in future.
“In that case, the weaknesses that were identified have been rectified,” Morrison said.
Morrison told Guardian Australia on Friday night he had been advised Save the Children was investigating and would report to his department.
“While I won’t pre-empt those investigations, it is my and the department’s expectation that service providers take care to keep personal information relating to detainees and transferees secure.
“I also note that any unauthorised disclosure of information by service providers form part of the matters under investigation of Philip Moss in his independent review of conditions and circumstances at the Nauru regional processing centre.”
The theft was first reported by SBS, but more details can now be revealed.
Internal correspondence seen by Guardian Australia says one of the Nauru hard drives was stolen from an office tent in a detention centre in April.
“Obviously this is concerning for several reasons. It contains documents with clients’ personal details … it highlights how unsecure the office tents are,” it says.
A series of emails highlights the lack of security in the camps, detailing that mobile phones, hard disks, laptops and fans have been stolen, including from locked cabinets.
“There is nowhere to store keys at the moment which means that the keys to our storerooms and shipping containers which have thousands of dollars worth of equipment in them are kept out in the open,” one email said.
A second hard drive, containing sensitive child protection information, was stolen less than a month later.
A manager from Wilson Security promised to review security in response to the thefts.
A spokeswoman for Save the Children said the protection and wellbeing of the children and families on Nauru was the organisation’s highest priority.
“We are therefore extremely concerned about the loss of data on Nauru. An internal investigation has been undertaken into what happened and how it happened,” she said.
“Save the Children continues to work closely with the Department of Immigration and Border Protection on measures to improve data security so as to best protect those in our care.”
Executive director of the Refugee and Immigration Legal Centre, David Manne, said the alleged loss of asylum seekers’ sensitive information was a “grave concern”.
“It is a fundamental principle of refugee law that a person who is seeking asylum must be free to make that claim without fear of their privacy being breached and without fear of disclosure of that personal information, possibly to their persecutors, the very people they are fleeing,” he said.
The disclosure of asylum seekers’ personal information, especially if it might be able to be accessed by the people, government, or group an asylum seeker is fleeing, could be grounds, of itself, for the granting of refugee protection, Manne said.
“We are aware of several cases where information people have given in their protection claim has fallen into the hands of agents of persecution, and that has put already vulnerable people at a heightened risk of persecution,” he added.
The reported response by Save the Children falls into the category of “boilerplate” response; expressions of not just concern but extreme concern about what has happened, that “..an internal investigation has been undertaken…” and concluding with the obligatory good citizen commentary that it “..continues to work closely with the Department of Immigration and Border Protection on measures to improve data security so as to best protect those in our care.” And within than general and wooly language pretty much anything can happen.
[…] Another reported loss of personal information relating to asylum seekers this time lost by Save the … […]