Significant data breach at the Federal Court of Australia revealing names of protection visa applicants

March 31, 2020

It was serendipitous that last Wednesday I presented a paper, via Zoom, at a Legalwise Seminar on Data Breaches: How to Respond, Notify and Remedy, given today's report that there has been a significant data breach by the Federal Court, an agency for the purposes of the Privacy Act 1988. The "major systemic failure", to use the Federal Court spokesman's description, involved a searchable database that allowed the identities of 400 asylum seekers to be disclosed.

This breach would fall within Part IIIC of the Privacy Act 1988, the mandatory data breach notification regime. Going through the process would require an assessment of the breach, a determination as to whether the breach is likely to cause serious harm and, if so, the means of notifying the affected individuals. Based on the ABC report of the breach there would be legal and practical issues to address at each step.

As to the assessment process, it is concerning that the breach has been known for years through the efforts of at least one lawyer advising the Court of the problem. Two weeks ago the Attorney General was made aware of the problem by correspondence.

Regarding whether the breach is likely to cause serious harm, that would be more straightforward if the information has actually been disclosed. It would first be necessary to determine whether the personal information has in fact been accessed by third parties. It is one thing for that information to be searchable; it is another for it to have been disclosed. There has been a breach of the Privacy Act in that the personal information has not been properly secured, a breach of Australian Privacy Principle 11. If the personal information has not been accessed and is no longer searchable then the Federal Court may argue that it has remediated the problem so that no notification is required. If the personal information has been accessed then it would be prudent to determine when it was accessed and by whom. Perhaps even why. Given that an application for a protection visa normally rests on a well-founded fear of persecution, if the application was accessed by malevolent actors, or even by persons unknown, that may be a basis for arguing serious harm. If the personal information was accessed by the applicant's lawyers that may be a different issue.

According to the Federal Court's privacy page it is possible to identify users. The page relevantly provides:

Clickstream and site visit data

A record of your visit to the main pages of this site is made and the following information is logged for statistical purposes:

    • the user’s server address
    • the user’s top level domain name (e.g. com., gov., au., uk., etc.)
    • the date and the time of the visit to the site
    • the type of browser used
    • the operating system
    • the screen resolutions and screen colours
    • the previous site visited
    • the search engines and queries used to access this site.

No attempt is made to identify individual users or their browsing activities except, in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect the log file.

The exercise may be more difficult if the user was using a VPN.
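The assessment step described above, working out which exposed records were actually searched, when, and from where, is in practice an exercise in log triage. The following is an added example, not code from the original post or from the Federal Court: it assumes a tab-separated access log whose columns follow the fields the Court's privacy page says it records, and a list of record identifiers already known to have been exposed. Every log line, address, identifier and "known counsel" address below is constructed for illustration. A VPN or shared gateway makes the server address a weak basis for attribution, so an unknown address is reported as a third party, not identified.

```python
"""Log triage for a data breach assessment.

Added example, not code from the original post or from the Federal Court.
It assumes a tab-separated access log whose columns follow the fields the
Court's privacy page says it records, and a list of record identifiers
already known to have been exposed. Every log line, address and identifier
below is constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed log extract, columns in the order the privacy page lists them:
# server address, top-level domain, date/time, browser, OS, screen, referrer, query.
SAMPLE_LOG = """\
203.0.113.10\tcom\t2020-03-20T09:12:44\tFirefox/74\tWindows 10\t1920x1080x24\thttps://search.example/\tq=ABC19+v+Minister
198.51.100.7\tau\t2020-03-20T10:01:03\tChrome/80\tmacOS\t1440x900x24\t-\tq=XYZ20
203.0.113.10\tcom\t2020-03-21T23:47:10\tFirefox/74\tWindows 10\t1920x1080x24\t-\tq=ABC19+decision
192.0.2.55\tau\t2020-03-22T08:15:00\tSafari/13\tiOS\t375x812x24\t-\tq=general+enquiry
"""


@dataclass(frozen=True)
class Access:
    client: str        # server address as logged; a VPN or shared gateway makes this a weak attribution
    tld: str
    when: datetime
    tokens: frozenset  # lower-cased search terms from the query string


def parse_log(text):
    """Parse the constructed log format; malformed rows are skipped, not guessed at."""
    accesses = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != 8:
            continue
        client, tld, when, _browser, _os, _screen, _referrer, query = row
        terms = query[2:] if query.startswith("q=") else query
        tokens = frozenset(t.lower() for t in terms.split("+") if t)
        accesses.append(Access(client, tld, datetime.fromisoformat(when), tokens))
    return accesses


def access_report(accesses, affected_ids, counsel_clients=frozenset()):
    """For each affected record id, list (when, client, third_party) for every query naming it.

    third_party is True unless the client address is one known to belong to the
    applicant's lawyers; an unknown address is treated as a third party, never
    attributed to anyone on the strength of the address alone.
    """
    report = defaultdict(list)
    wanted = {rid.lower(): rid for rid in affected_ids}
    for a in accesses:
        for key in a.tokens:
            if key in wanted:
                report[wanted[key]].append((a.when, a.client, a.client not in counsel_clients))
    return {rid: sorted(hits) for rid, hits in report.items()}


def summarise(report):
    """Return (records accessed at all, records with at least one third-party access)."""
    accessed = set(report)
    third_party = {rid for rid, hits in report.items() if any(flag for _, _, flag in hits)}
    return accessed, third_party


if __name__ == "__main__":
    rep = access_report(parse_log(SAMPLE_LOG), {"ABC19", "XYZ20"},
                        counsel_clients={"198.51.100.7"})
    for rid, hits in sorted(rep.items()):
        for when, client, third in hits:
            print(rid, when.isoformat(), client, "third party" if third else "known counsel")
    print(summarise(rep))
```

Run stand-alone, the script prints a per-record timeline and then the two sets the notification decision turns on: records searched at all, and records searched from an address not belonging to the applicant's own lawyers. The second set is the one that feeds the "likely to cause serious harm" question; the first is what the Court would need to answer "was it accessed" at all.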

The final step, notification, may be straightforward in some and perhaps many cases where the applicant is legally represented and is in detention. If the exercise is to be done properly it is quite complex and involved. This may be a case where an application could be made for an exemption from notifying affected persons, assuming there was a basis for a notification.

So far the Federal Court's response has been less than stellar: some remedial effort was made by disabling the search function, but the personal information was subsequently still searchable until the ABC advised the Federal Court of the continuing problem. It was then permanently disabled for those individuals.

The other issue that this breach raises is that while the data breach is probably a breach of the Privacy Act 1988 it is also a likely breach of the Migration Act which prohibits identification of asylum seekers.  This data breach involved not only making the personal information accessible but also listed their pseudonyms together with their names.  As such the anonymisation has been rendered nugatory.

While information is incomplete, and probably will remain so, the Federal Court has breached Australian Privacy Principle 11, regarding data security. The data breach was caused by internal error by, ultimately, the officer responsible for maintaining the search facility of the Federal Court. The Federal Court's privacy policy relevantly provides:

Data security

The Internet is an insecure medium however, and users should be aware that there are inherent risks in transmitting information across the Internet. Information submitted unencrypted via email may be at risk of being intercepted, read or modified. If you do not want your message sent by email you can post it to the above address.

The Court takes all reasonable steps to protect the personal information it holds against loss, unauthorised access, modification or disclosure in line with the Australian Government's Information Security Manual. These steps include the storage of personal information in secure facilities, taking regular encrypted backups of personal information we hold, audit and logging mechanisms and physical access restrictions to ensure only authorised government personnel have access to personal information.

It is doubtful that the Court took all reasonable steps to protect against unauthorised access, particularly when it was put on notice about the design flaw and did nothing. If this breach occurred in the United Kingdom the regulator would do a root and branch review of all aspects of the Court's data security obligations. Oftentimes that leads to more embarrassment, pain and cost than the original data breach. Given the Australian Information Commissioner is a timid regulator it is unlikely that such an excruciating fate awaits the Federal Court.

The ABC report provides:

The names of hundreds of people seeking protection visas have been published on the website of the Federal Court in a catastrophic data breach that potentially puts asylum seekers at risk of harm.

The ABC has confirmed that for years, the Federal Court, through the searchable Commonwealth Courts database, has disclosed the names of people who have said they have been persecuted in their home countries.

In a statement, a Federal Court spokesman described the disclosure as a “major systemic failure” and said the court had identified 400 asylum seekers, so far, whose names had been published.

The spokesman also admitted it was an offence under Commonwealth legislation for the court to publish the names of protection visa seekers.

A day after the ABC raised the issue, the Federal Court disabled the search function on the database. The court then put the database back online, but took it down again after being told by the ABC that names were still viewable.

Migration lawyer Daniel Taylor, who has acted for a number of people seeking protection visas, said he had clients who had been put at risk by the breach.

"[Authorities in foreign countries] can very well read in English, and they can read those names and they can identify the dates of birth and they can identify the claims," Mr Taylor said.

“Then they can match that information together with their own information, and they can put together a damning case against any number of these identified refugees and inflict serious harm on them if they come back to their country of origin.”

Federal Court was warned of breach years ago

Mr Taylor said he has repeatedly drawn the attention of the court to the data breach in individual cases, but the Federal Court failed to grasp the systemic nature of the problem and, as a consequence, did not act to fix the problem.

Two weeks ago, Mr Taylor also wrote to the Federal Attorney-General, Christian Porter, to warn him of the data breach, but he said he received no reply.

“Over a few years, I’ve been raising this issue with the courts on a case-by-case basis, with varying levels of success, but more recently I’ve been writing to the court in every case that I’m finding,” Mr Taylor said.

“But what actually needs to happen is that there’s a fundamental problem with the whole system, and all the people whose names or identities have been published in connection with their claims for protection, those people need to be notified and warned that this has occurred so in the event that they go back or are sent back to their country of origin they’re ready for what’s going to come to them.”

Real names listed next to pseudonyms

In the publicly available Commonwealth Courts searchable database, the files of people who have applied for protection visas are listed by pseudonyms, which are usually a collection of letters and numbers.

But in a separate column, the full names of at least some of those applicants were also listed.

The ABC found instances of protection visa seekers from China, Sri Lanka, Vietnam, Egypt and a number of Middle Eastern countries whose full names had been disclosed.

In one case, an Egyptian man who arrived in Australia by boat made an application for a Safe Haven Enterprise visa on the grounds that he was a Shia Muslim at risk of persecution by the Sunni Muslim Brotherhood organisation in Egypt.

The application was denied by Immigration authorities and an appeal by the man was subsequently rejected by Judge Sandy Street of the Federal Circuit Court.

The man’s full name was published next to the file number on the Commonwealth Courts database.

In another case, a Chinese man applied for a protection visa on the grounds that he blew the whistle on corruption within the company he worked for in China.

The application was rejected and the Federal Circuit Court subsequently dismissed an appeal by the man, but his full name was published on the Commonwealth Courts website.

In a third case, a Vietnamese man applied for a Safe Haven Enterprise visa after arriving in Australia by boat, saying he was a Catholic and a member of a banned anti-communist political party in Vietnam.

His application was rejected and an appeal was subsequently also dismissed by the Federal Circuit Court, but the man’s full name was published on the Commonwealth Courts database.

Asylum seekers to be contacted ‘where possible’

In 2014, a huge data breach occurred when the personal details of more than 9,200 asylum seekers were published on the website of the then Department of Immigration and Border Protection.

According to Mary Crock, a professor of public law at the University of Sydney and an accredited specialist in immigration law, what happened in the wake of that earlier data breach means asylum seekers are unlikely to be able to find out whether unfriendly governments in their home countries have accessed their details.

“It went to the High Court and unfortunately the High Court ruled that although Home Affairs had commissioned KPMG to examine what had happened, that the actual detainees were not entitled to know chapter and verse about whether their particular records had been accessed,” Professor Crock said.

“I think a lot depends on how the Federal Court responds to this, but the law, at the moment, is not particularly helpful to individual asylum seekers whose records may have been accessed.”

In its statement, the Federal Court told the ABC it would contact asylum seekers whose names were published, or their lawyers, “where possible”, but it made no comment about whether it would tell the asylum seekers if their names had actually been viewed online and by whom.

Professor Crock also said asylum seekers needed ministerial permission to apply a second time for protection visas even if their circumstances, such as their names being published on the Federal Court website, changed while they were living in Australia.

“You can make a submission to the Minister saying ‘my identity has been disclosed and therefore I am particularly at risk from my home government’ but you’ve got to convince the Minister to do that basically off grid, so to speak,” Professor Crock said.

“The Minister is not obliged to consider your application at all and unfortunately the current behaviour of our ministers suggests they are not open to that.”
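The design flaw the ABC report describes under "Real names listed next to pseudonyms", and which the post above calls rendering the anonymisation nugatory, is the kind of thing a publisher of court listings can test for before a listing goes public: a pseudonymised party must never sit beside a populated name column. The check below is an added example, not the Commonwealth Courts database's own code. The column layout, the pseudonym pattern (the report says only that pseudonyms are usually letters and numbers) and every row are constructed assumptions for illustration.

```python
"""Check that a public matter listing does not place a real name beside a pseudonym.

Added example, not the Commonwealth Courts database's own code. The column
layout, the pseudonym pattern and every row below are constructed assumptions
for illustration.
"""
import csv
import io
import re

# Constructed listing extract with an assumed layout: the party column carries
# the pseudonym, and a separate applicant_name column is where the leak occurs.
SAMPLE_LISTING = """\
file_number,party,applicant_name,outcome
FILE-0001,ABC19 v Minister for Home Affairs,Constructed Name One,dismissed
FILE-0002,Smith v Commissioner of Taxation,Constructed Party Three,allowed
FILE-0003,XYZ20 v Minister for Immigration,Constructed Name Two,dismissed
FILE-0004,DEF21 v Minister for Home Affairs,,pending
"""

# Assumed pseudonym shape: a short run of capitals followed by digits.
PSEUDONYM = re.compile(r"^[A-Z]{2,5}\d{2,4}$")


def is_pseudonymised(party):
    """True when the applicant side of 'X v Y' is a pseudonym rather than a name."""
    applicant = party.split(" v ")[0].strip()
    return PSEUDONYM.fullmatch(applicant) is not None


def find_pseudonym_leaks(listing_csv):
    """Return file numbers whose party is pseudonymised yet whose name column is populated."""
    rows = csv.DictReader(io.StringIO(listing_csv))
    return [r["file_number"] for r in rows
            if is_pseudonymised(r["party"]) and r["applicant_name"].strip()]


def redact_listing(listing_csv):
    """Return the listing with the name column blanked for every pseudonymised matter.

    Non-pseudonymised matters are left untouched: the defect is the pairing of a
    pseudonym with a name, not the presence of names in the listing as such.
    """
    reader = csv.DictReader(io.StringIO(listing_csv))
    rows = list(reader)
    for r in rows:
        if is_pseudonymised(r["party"]):
            r["applicant_name"] = ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    leaks = find_pseudonym_leaks(SAMPLE_LISTING)
    print("matters with a name beside a pseudonym:", leaks)
    print(redact_listing(SAMPLE_LISTING))
```

Run as a pre-publication gate, a non-empty result from find_pseudonym_leaks blocks the release; redact_listing produces the copy that is safe to publish. The same check run over an already-published listing gives the list of matters whose applicants would need to be contacted.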
