Department of Home Affairs Breaches Privacy Act – A Lesson and Reminder

‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2 (11 January 2021)[1] – DHA Breaches Privacy Act

Earlier this month, the Office of the Australian Information Commissioner (AOIC) determined and declared that the federal Department of Home Affairs (DHA) had breached the privacy of 9,258 individual asylum seekers living in various detention centres. The DHA had breached multiple provisions of the Privacy Act 1988 (Cth) and in doing so was made to compensate 1,297 of the victims (“the participating class members”) for amounts determined on a case-by-case basis. The findings of the AOIC are a stark reminder for all agencies, companies and firms vested with sensitive information to maintain scrutinous administration of material which has the potential to harm those made vulnerable through undue or mistaken disclosure.

The privacy breach occurred on 10 February 2014 when the DHA published on its website a Microsoft Word document which had embedded within it an Excel spreadsheet outlining details of detainees’ personal information. It had been common practice that the DHA publish ‘The Immigration Detention and Community Statistics Summary’ report which was the original reason for uploading the Word document. However, the inclusion of the spreadsheet was an oversight that inadvertently made its way into the public domain. Information within the spreadsheet included (among other things) the names, locations, arrival details and reasons for detention of the detainees and was made publicly accessible for a total of sixteen days. The DHA only became aware of the publication when a journalist notified the department 9 days after its publication.

The AOIC found that the DHA had breached key principles of the Privacy Act, current at the time of the privacy breach. These were the Information Privacy Principles 4 and 11[2], as follows:

Principle 4

Storage and security of personal information

A record-keeper who has possession or control of a record that contains personal information shall ensure:

  1.  that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

  2. that if necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably withing the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 11

Limits on disclosure of personal information

  1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless: [for reasons which were not applicable to this case] …

The participating class members’ right to compensation was reasoned by the AOIC through the consideration of both the members’ and DHA’s submissions in respect of economic and non-economic loss.

Under section 52(1)(b)(iii) of the Privacy Act, an evidentiary basis is required to make a declaration that a complainant is entitled to compensation, particularly in respect of non-economic loss which is “of an inherently personal nature”[3]. Summarised by the Administrative Appeals Tribunal (AAT) in Rummery[4], principles for awarding compensation include:

  1. The application of legislation which contemplates some form of redress in the ordinary course;
  2. Awards should be restrained but not minimal;
  3. The ultimate guide for measuring compensation is in the words of a statute; and
  4. Regard must be had to the complainant’s reaction and not to the perceived reaction of the majority of a community or ‘of a reasonable person’.

These principles were applied in the current case to determine and declare that participating class members’ individual entitlement to compensation is to be “determined on a case-by-case basis[5]”. The AOIC categorised the members by the degree to which they suffered non-economic loss, assessing the members’ injury to feelings, humiliation and psychological medical conditions.

The Australian Lawyers Alliance has told the media that the case will likely cost the DHA millions in compensation[6] – an indication of the gravity of this case and its importance for agencies, firms and organisations to take note. The implication for organisations is clear – privacy and information storage must remain tightly controlled in the administration of private and sensitive service provision.

Generally speaking, companies should take interest in ensuring (without limitation):

  1. Organisational confidentiality is communicated and understood by all staff and teams;
  2. Internal processes are designed with the right checks and balances to avoid potential breaches; and
  3. Confidential information is stored in safe, reliable and securely accessible databases both online, offline and offsite.

To read further on private company implications of data breaches and confidentiality disputes, read our take on the recent case of  ASIC v RI Advice Group.

To further understand how your company can remain vigilant in data and information protection and obligations, contact our expert legal team for the most up-to-date and practical advice.

[1] http://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmr//2021/2.html

[2] Note that the Information Privacy Principles have now been superceded by the more comprehensive Australian Privacy Principles

[3] At [54].

[4] Rummery and Federal Privacy Commissioner and Department of Justice and Community Safety [2004] AATA 1221.

[5] At [83].

[6] https://www.sbs.com.au/news/home-affairs-ordered-to-pay-compensation-after-breaching-the-privacy-of-almost-10-000-asylum-seekers

Authors: James Tan & Kerry Copley

Like this article?

Share on facebook
Share on Facebook
Share on twitter
Share on Twitter
Share on linkedin
Share on Linkdin
Share on email
Email it to your friend