The Australian government has been ordered to compensate almost 1,300 asylum seekers whose details were mistakenly exposed online in one of the country’s most shocking privacy breaches.
After almost six years investigating, the privacy regulator has finally released a report into a 2014 privacy breach that caused a database of almost 10,000 asylum seekers’ personal details to be exposed on the then Department of Immigration and Border Protection’s website.
The error, revealed by the Guardian, made public 9,258 asylum seekers’ full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons which led to them to “becoming an unlawful non-citizen under the Migration Act 1958”.
Every person held in mainland detention and on Christmas Island at the time was identified in the database.
Children’s details were also published and thousands more in community detention were also exposed.
It is still regarded as one of the most serious privacy breaches in Australia’s history and asylum seekers feared the disclosure of their identities would subject them to retribution in their countries of origin, should they be forced to return.
The Guardian’s investigation prompted a complaint to the Office of the Australian Information Commissioner in August 2015. The complainants requested an apology from the Australian government and compensation.
The final report supports the claim for compensation.
It ordered the department pay compensation to 1,297 participating complainants. But, despite the length of time the inquiry took, the OAIC has left the amount up to the department.
The regulator has created five categories of loss or damage, depending on the severity of the impact, which the department will need to award to various asylum seekers.
Category one is for those who experienced “general anxiousness”, embarrassment or trepidation from the breach, while category four is for those who suffered “the development or exacerbation of a mental health condition” which resulted in a referral or treatment.
Category five is reserved for those who suffered “extreme loss or damage”. No further detail is provided for what might constitute such a case.
Compensation might range from $500 to $20,000. That process will add yet another chapter to the saga and again leaves room for further disagreement between the complainants and the department.
If the department and the complainant do not agree on the amount, the department can reassess it and seek agreement from the individual. If they can’t agree on which category of harm the complainant fits into, each party will require further submissions and expert assessments.
Angelene Falk, the privacy commissioner, said the compensation would be paid on a case-by-case basis.
“This matter is the first representative action where we have found compensation for non-economic loss payable to individuals affected by a data breach,” she said.
“It recognises that a loss of privacy or disclosure of personal information may impact individuals and depending on the circumstances, cause loss or damage.”
Slater and Gordon and the Refugee Advice and Casework Service, who represented the asylum seekers pro bono, welcomed the privacy regulator’s decision.
Slater and Gordon associate Ebony Birchall said in a statement the ruling was “unprecedented” and the first time in Australian history that compensation had been ordered for a mass privacy breach.
“This is the most significant use of the representative complaint powers in the Privacy Act to date, and appears likely to result in the largest compensation figure ever to be determined for a privacy claim in Australia,” Birchall said.
“It is an important reflection of the fact that privacy breaches are not trivial or consequence-free mistakes, and that increasingly, individuals who suffer loss as a result of a breach should expect to be able to obtain redress.”
RACS principal solicitor Sarah Dale said she was “pleased to see it publicly recognised that the Department of Home Affairs breached the fundamental right to privacy of thousands of people seeking asylum in Australia”.
Dale said no decision would alleviate the distress of those “who have already experienced so much pain”.
“This breach meant that any person searching the internet could access the personal information surrounding thousands of people applying for protection in Australia,” Dale said. “This includes authorities and indeed even the perpetrators of the persecution, in the countries from which they fled.”
Australia’s privacy principles charge government agencies with ensuring records are protected by enough “security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure”.
At the time of the breach, then immigration minister Scott Morrison described it as “unacceptable” and sought assurances from the department that it would not happen again.
He ordered then department secretary Martin Bowles to investigate the matter and brought in consulting giant KPMG to conduct a review.
“The information was never intended to be in the public domain,” Morrison said at the time. “I am advised the department has ensured all possible channels to access this information are closed, including Google and other search engines.”
It is unclear why the OAIC took six years to resolve its investigation. The office was defunded considerably under Tony Abbott’s government – to the point in which its commissioner was working from home – and has only just returned to reasonable resourcing levels for its privacy work.
The Australian Lawyers Alliance said the delays were concerning.
“It is deeply concerning that a claim for compensation is only decided upon seven years after the breach – some asylum seekers will have left Australia,” said ALA spokesman Greg Barns. “It is yet another failure of the federal government to protect the rights of asylum seekers and it is an expensive one.
“Given that recently NSW ambulance workers – 108 of them – were awarded $275k in a settlement for breach of privacy – the amount in this case will be well into the millions of dollars.”