The Australian Government has been ordered to pay out damages after the personal details of 10,000 asylum seekers were leaked online.
The ruling will compensate 1,300 asylum seekers whose personal details were accidentally shared in one of the government’s worst privacy breaches in history.
Australia’s privacy regulator has finally released their report after a six-year investigation into a 2014 breach, which saw each individual’s details published on the Department of Immigration and Border Protection’s website.
The mistake published 9,258 individual’s full names, citizenship, date of birth, gender, location, boat arrival details, length of immigration detention, and the reasons which drove them to “becom[e] an unlawful non-citizen under the Migration Act 1958.” The leak identified every single person who was held in mainland detention and on Christmas Island at the time.
Children were also among those whose information was published, alongside thousands from community detention. Many victims feared that the leaked information would cause retribution in their home countries if they were ever forced to return.
An investigation by The Guardian prompted an initial complaint to the Office of the Australian Information Commissioner in August 2015. The complaint requested both an apology and compensation from the Australian Government.
The concluding report supported the claim for compensation, ordering that the department award damages to 1,297 of the victims. However, the rewarded amount was not specified and left up to the department in the end. It is estimated that the damages will range from $500 to $20,000.
Aus govt ordered to pay 1,300 asylum seekers whose details were exposed in shocking privacy breach by immigration dept, which sparked fears they would be targeted for retribution. OAIC ordered compo but has not determined quantum for each complainant https://t.co/y5vVnAFcyn
— Christopher Knaus (@knausc) January 27, 2021
If both parties disagree on the amount, the department can reassess and seek agreement from the complainant. If they do not agree on which category of harm is best suited to the complainant, each party will need further submission and assessment.
The privacy commissioner, Angelene Falk, said compensation will be paid case-by-case. “This matter is the first representative action where we have found compensation for non-economic loss payable to individuals affected by a data breach,” she said.
“It recognises that a loss of privacy or disclosure of personal information may impact individuals and depending on the circumstances, cause loss or damage.”
Australia’s privacy policies mandate that the government’s records be protected by “security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure.”
If you rearrange ScoMo, they actually spell out Tr*mp
— ALWAYS WAS, ALWAYS WILL BE ❤💛🖤 (@cienan_m) January 21, 2021
The immigration minister at the time, Scott Morrison, described the breach as “unacceptable” and demanded reassurance from the department that it would not happen again.
Morrison ordered then department secretary Martin Bowles to lead an investigation into the matter, bringing in consulting giant KPMG to hold a review.
“The information was never intended to be in the public domain,” said Morrison at the time. “I am advised the department has ensured all possible channels to access this information are closed, including Google and other search engines.”
It is still unclear as to why the investigation took six years to complete.