The Department of Immigration and Border Protection (DIBP) breached the Privacy Act when it failed to “adequately protect” the personal information of approximately 9,250 asylum seekers, said Privacy Commissioner Timothy Pilgrim today.
The privacy breach, which was revealed by <i>The Guardian</i> in February, took place when a confidential file containing the personal details of asylum seekers held in detention, including names, country of origin and date of arrival, was made available on the DIBP’s website.
The department removed the report from its website within an hour of being notified. However, the report had been available on the website for approximately eight and a half days.
According to Pilgrim, the breach occurred when statistical data was mistakenly embedded in a Word document that was published on DIBP’s website. The report was accessed a number of times, and was republished by an automated archiving service.
“This incident was particularly concerning due to the vulnerability of the people involved,” said Pilgrim in a statement.
The Office of the Information Commissioner's investigation found that the DIBP was aware of the privacy risks of embedding personal information in publications, but the department's systems and processes did not address those risks.
This meant that departmental staff did not detect the embedded information when the document was created or before it was published, said Pilgrim.
“This breach may have been avoided if DIBP had implemented processes to de-identify data in situations where the full data set was not needed,” he said.
“I have made a number of recommendations about how DIBP could improve their processes, including requesting that they engage an independent auditor to certify that they have implemented the planned remediation.”
The immigration department will have to provide a copy of the certification and report to Pilgrim by 13 February 2015. Pilgrim added that the OAIC has received over 1600 privacy complaints about the incident.
In its findings (PDF), KPMG found a number of factors that may have led to the incident including “time pressures, unfamiliarity with certain functions of Microsoft Word and limited awareness of IT security risks associated with online publishing".
At the time, KPMG recommended that the department implement procedures so that when data is extracted for analysis, it is cleaned in a secure environment to ensure any personal information is removed.
The department should also hold “online publishing workshops involved IT security, Web operations and governance", recommended the report.
The immigration department has been approached for comment.
Follow Hamish Barwick on Twitter: @HamishBarwick