[BreachExchange] Australia - Asylum seekers invited by OAIC to speak out about data breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 26 14:14:40 EST 2018

Close to 10,000 asylum seekers affected by a data breach of personal
information four years ago by the Department of Immigration and Border
Protection are invited to provide evidence of loss or damage to the Office
of the Australian Information Commissioner (OAIC).

Considered one of the most serious privacy breaches in Australia’s history,
the data breach occurred on 10 February 2014, when the department
published, in error, a detention report on its website that contained
embedded personal information, as revealed in The Guardian at the time.

At the time, personal information from a vast database was revealed on the
department’s website including full names, gender, citizenship, date of
birth, period of immigration detention, location, boat arrival details, and
the reasons which led to the individual becoming an unlawful non-citizen
under the Migration Act 1958, according to the OAIC.

The data breach sparked concerns that the identities of the asylum seekers
may have been compromised and subsequently revealed to their countries of
origin, putting them at risk of persecution. This risk of being
compromised, along with the response of the department, came under question
and prompted court action.

On 30 August 2015, a representative complaint was made to OAIC on behalf of
all persons (group members) whose information was published by the
department in error.

In the latest development, OAIC is now seeking information - including a
statutory declaration or signed statement - from individuals who were in
immigration detention (including immigration detention centres, community
placements, and alternative places of detention) on 31 January 2014, and
suffered any loss or damage as a result of the data breach involving the
Department of Immigration and Border Protection (now the Department of Home
Affairs) on 10 February 2014.

“You may also include any evidence you have from the time of the data
breach, or when you first found out about the data breach, (such as medical
reports) that contain details about how you reacted to the data breach, and
any treatment you received as a result of the data breach’s impact on
you,” OAIC said in the submission request notice.

“Any medical reports prepared after the date of this notice will be given
little weight, as will statutory declarations or letters provided on your
behalf which are not in your own words.”

Once the information is submitted, the commissioner will decide - as per
section 52 of the Privacy Act 1988 - whether a remedy, including any
compensation, should be awarded to any individual group member who has
suffered loss or damage as a result of the data breach.

The online response form to provide evidence, or to opt out of the
representative complaint, closes April 19, 2018 at 4:00 pm.

In earlier news, in June 2016 The Guardian reported the High Court of
Australia had found that two asylum seekers affected by the data breach
that disclosed their personal details had their refugee claims fairly
assessed by the immigration department.

“This particular case was appealed by the Australian government after a
scathing full federal court decision found that the former immigration
minister Scott Morrison instructed his department to set up a process for
asylum seekers affected by the breach that was guaranteed to fail. The high
court case centred around two key asylum seeker plaintiffs affected by the
breach,” the article noted.