Published by Craig Subocz
A ‘database’ containing the personal information of ‘almost 100,000’ asylum seekers was publicly accessible via the DIBP website for approximately eight days before being removed by DIBP upon being alerted by the OAIC. This information consisted of full names, gender, citizenship, date of birth, period of detention, location, boat arrival details and reasons why DIBP deemed the individual ‘unlawful’.
This breach occurred when statistical information was inadvertently embedded in an MS Word document published on DIBP’s website. The report was accessed multiple times while it was live on the website and was republished by an automated archiving service.
The OAIC announced that the Privacy Commissioner found that DIBP had breached two Information Privacy Principles, namely IPP 4 (security of personal information) and IPP 11 (disclosure of personal information).
The Information Privacy Principles, which applied to Commonwealth Government departments and agencies, were replaced by the Australian Privacy Principles on 12 March 2014.
The Privacy Commissioner found that:
The Commissioner recommended that DIBP monitor internal compliance and establish new processes to ensure that internal compliance procedures are consistently followed. The Commissioner also asked DIBP to engage an independent auditor to certify that DIBP has completed its planned remediation steps (including staff training), and instructed DIBP to present the auditor’s report to the Commissioner by 13 February 2015.
A copy of the Commissioner’s decision can be accessed here.