book a virtual meeting Search Search
brisbane

level 16, 324 queen st,
brisbane qld 4000
+61 7 3235 0400

dandenong

40-42 scott st,
dandenong vic 3175
+61 3 9794 2600

melbourne

level 7, 600 bourke st,
melbourne vic 3000
+61 3 8615 9900

sydney

level 21, 20 bond st,
sydney nsw 2000
+61 2 8298 9533

hello. we’re glad you’re
getting in touch.

Fill in form below, or simply call us on 1800 888 966

Mass data breach by the Australian Government – how almost 10,000 asylum seekers had their privacy compromised

01 March 2021
sara demetrios
Read Time 2 mins reading time

For the first time in Australian history, the Office of the Australian Information Commissioner (OAIC) has found victims of a mass data breach should receive compensation for non-economic loss.

the data breach & the OAIC investigation

In early 2014, the Department of Home Affairs (DHA) unintentionally released a detention report on the DHA website which disclosed personal information of 9,251 asylum seekers. This included information such as: names, gender, citizenship, why the detainee was detained, and where they were being detained.

Every person held in detention on Christmas Island at the time was identified. Given this, the following complaints were made to Australia’s privacy regulator, the OAIC:

  • an individual complaint, on 25 March 2014; and
  • a joint complaint by 1,297 affected asylum seekers, on 30 August 2015.

Consequently, the OAIC commenced an investigation into the practises of the DHA (formerly the Department of Immigration and Border Protection), on 23 April 2014.

consequences of the breach

After almost six years of investigating, the OAIC reached a decision on 11 January 2021 and determined that the Secretary to the DHA breached the Privacy Act 1988 (Cth) by:

  • disclosing personal information on a publicly available website, in breach of Information Privacy Principle (IPP) 11; and
  • failing to take such security safeguards as it is reasonable in the circumstance to take, in breach of IPP 4.

In other words, the unauthorised publication of information interfered with individuals’ privacy.

Accordingly, the DHA was ordered to compensate almost 1,300 asylum seekers. Compensation amounts will range between $500 to more than $20,000, which will be paid on a case-by-case basis for those who are able demonstrate loss or damage as a result of the data breach.

key takeaways

Privacy breaches are taken seriously by the OAIC and as a result, businesses should always ensure they correctly handle personal information.

Remember, a simple incorrect or unintentional upload can have significant and long-lasting ramifications, as this case showed.

we are here to help

If you have any questions regarding Australian privacy laws, please contact a member of Macpherson Kelley’s Trade Team.

stay up to date with our news & insights

Mass data breach by the Australian Government – how almost 10,000 asylum seekers had their privacy compromised

01 March 2021
sara demetrios

For the first time in Australian history, the Office of the Australian Information Commissioner (OAIC) has found victims of a mass data breach should receive compensation for non-economic loss.

the data breach & the OAIC investigation

In early 2014, the Department of Home Affairs (DHA) unintentionally released a detention report on the DHA website which disclosed personal information of 9,251 asylum seekers. This included information such as: names, gender, citizenship, why the detainee was detained, and where they were being detained.

Every person held in detention on Christmas Island at the time was identified. Given this, the following complaints were made to Australia’s privacy regulator, the OAIC:

  • an individual complaint, on 25 March 2014; and
  • a joint complaint by 1,297 affected asylum seekers, on 30 August 2015.

Consequently, the OAIC commenced an investigation into the practises of the DHA (formerly the Department of Immigration and Border Protection), on 23 April 2014.

consequences of the breach

After almost six years of investigating, the OAIC reached a decision on 11 January 2021 and determined that the Secretary to the DHA breached the Privacy Act 1988 (Cth) by:

  • disclosing personal information on a publicly available website, in breach of Information Privacy Principle (IPP) 11; and
  • failing to take such security safeguards as it is reasonable in the circumstance to take, in breach of IPP 4.

In other words, the unauthorised publication of information interfered with individuals’ privacy.

Accordingly, the DHA was ordered to compensate almost 1,300 asylum seekers. Compensation amounts will range between $500 to more than $20,000, which will be paid on a case-by-case basis for those who are able demonstrate loss or damage as a result of the data breach.

key takeaways

Privacy breaches are taken seriously by the OAIC and as a result, businesses should always ensure they correctly handle personal information.

Remember, a simple incorrect or unintentional upload can have significant and long-lasting ramifications, as this case showed.

we are here to help

If you have any questions regarding Australian privacy laws, please contact a member of Macpherson Kelley’s Trade Team.