Close to 10,000 asylum seekers affected by a data breach of personal information four years ago by the Department of Immigration and Border Protection are invited to provide evidence of loss or damage to the Office of the Australian Information Commissioner (OAIC).
Considered one of the most serious privacy breaches in Australia’s history, the data breach occurred on 10 February 2014, when the department published, in error, a detention report on its website that contained embedded personal information, as revealed in The Guardian at the time.
At the time, personal information from a vast database was revealed on the department’s website including full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons which led to the individual becoming an unlawful non-citizen under the Migration Act 1958, according to the OAIC.
The data breach sparked concerns that the identities of the asylum seekers may have been compromised and subsequently revealed to their countries of origin, putting them at risk of persecution. This risk of being compromised, along with the response of the department came under question and prompted court action.
On 30 August 2015, a representative complaint was made to OAIC on behalf of all persons (group members) whose information was published by the department in error.
In the latest development, OAIC is now seeking information - including a statutory declaration or signed statement - from individuals who were in immigration detention (including Immigration detention centres, community placements, and alternative places of detention) on 31 January 2014, and suffered any loss or damage as a result of the data breach involving the Department of Immigration and Border Protection (now the Department of Home Affairs) on 10 February 2014.
“You may also include any evidence you have from the time of the data breach, or when you first found out about the data breach, (such as medical reports) that contain details about how you reacted to the data breach, and any treatment you received as a result of the data breach’s impact on you,” OAIC said in the submission request notice.
“Any medical reports prepared after the date of this notice will be given little weight, as will statutory declarations or letters provided on your behalf which are not in your own words.”
Once the information is submitted, the commissioner will decide - as per section 52 of the Privacy Act 1988- whether a remedy, including any compensation, should be awarded to any individual group member who has suffered loss or data as a result of the data breach.
The online response form to provide evidence, or to opt out of the representative complaint, closes April 19, 2018 at 4:00 pm.
In earlier news, in June 2016 The Guardian reported the High Court of Australia had found that two asylum seekers affected by the data breach that disclosed their personal details had their refugee claims fairly assessed by the immigration department.
“This particular case was appealed by the Australian government after a scathing full federal court decision found that the former immigration minister Scott Morrison instructed his department to set up a process for asylum seekers affected by the breach that was guaranteed to fail. The high court case centred around two key asylum seeker plaintiffs affected by the breach,” the article noted.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.