Over the 2019-2020 financial year, the Office of the Australian Information Commissioner reported 1055 notifiable data breaches.
Fortunately, for 84% of those breaches this meant no more than the release of, for example, phone numbers, email addresses and 1300 numbers, with no ability to confirm a person's identity from the data.
Contrast this with the approximately 9,000 asylum seekers whose data was inadvertently released by the Federal Government in 2014: the lapse in the safeguarding of their data meant a potential lapse in the safeguarding of their lives. The data breach exposes these asylum seekers to a risk of persecution by making their identities, whereabouts and attempts to seek asylum public.
In what the then Minister for Home Affairs, Mr Scott Morrison, described as a ‘serious breach of privacy by the Department of Immigration and Border Protection’, the details of asylum seekers made publicly available via the Department’s website in 2014 included:
- Full names
- Dates of birth
- Period of detention
- Boat arrival details and
- Reasons for the immigration status
The Federal Government is bound to keep private the personal details of all visa applications, with asylum seekers afforded greater protection (by way of anonymity, s 91X Migration Act 1958 (Cth)), by reason of their vulnerable status.
In cognisance of the 2014 breach, the Australian Information Commissioner and Privacy Commissioner on 27 January 2021 acknowledged that the Department had admitted its breaches and confirmed that:
- It failed to put in place reasonable security safeguards to protect personal information that it held against loss, unauthorised access, use, modification or disclosure and against other misuse; and
- The publication of personal information of the listed individuals was an unauthorised disclosure.
The Commissioner accordingly ordered the Department of Home Affairs to pay compensation to more than 1300 asylum seekers who registered as impacted by the breach.
The Commissioner recommended a redress matrix, with categories grouping compensation to those who have consulted either a specialist, general practitioner, health practitioner or no one at all in response to their mental injuries resulting from the breach, including anxiousness, fear, distress, suffering, loss of sleep, etc.
Impacted persons can receive greater than $20,000.00 if they can establish “extreme loss or damage resulting from the Data Breach”.
The most extreme consequence flowing from the data breach is the death of an asylum seeker. A deceased asylum seeker cannot make a claim.
Any other damage nearing the edge of this extremity will pose difficulty for the applicant in establishing a causal nexus, given the difficulties in identifying the alleged perpetrator of harm and their access to the data (which was online for a total of 16 days).
Save for a relaxation of the boat arrival bar (which prevents unauthorised maritime arrivals from making valid visa applications), the Federal Government is not being held truly accountable for its egregious error.
Thus, with little practical recourse available to asylum seekers, the compensation awarded may ultimately be of little utility.