Plug the Leak: Australian Regulator Orders Australian Government Agency to Compensate Victims for Unlawful Personal Information Disclosure
On 10 February 2014, the Australian Department of Home Affairs (DHA) inadvertently published the personal information of 9,258 detainees in immigration detention.
A report was subsequently made to the Office of the Australian Information Commissioner (OAIC).
On 11 January 2021, the OAIC released its determination, ordering compensation on a categorical loss basis, ranging from AU$0 to in excess of AU$20,000.
In 'WP' and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2 (1 January 2021) (the Decision), the Australian Information Commissioner and Privacy Commissioner (AICPC), Angelene Falk, determined that the DHA had interfered with the privacy of the 9,258 individuals whose personal information had been inadvertently disclosed.
On 10 February 2014 the DHA published on its website a document titled 'The Immigration Detention and Community Statistics Summary' (the Report).
The Report was typically published by the DHA on a monthly basis, in both Word and PDF formats. This time, however, the Word version of the Report contained an embedded Microsoft Excel spreadsheet that had been used to prepare the Report.
The embedded spreadsheet included the following personal information of 9,258 individuals who, at the time, were in immigration detention:
- full names;
- date of birth;
- period of immigration detention;
- boat arrival details; and
- reasons why the individual had been considered an unlawful non-citizen.
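As an added example (not part of the article or of the OAIC determination), the following pre-publication check treats a .docx as the zip package it is and reports any embedded objects such as the spreadsheet described above; the sample document it builds is constructed here for the demonstration, and the path and relationship-type constants follow the OOXML package layout.

```python
import io
import zipfile

# Where Word stores embedded objects inside the OOXML package, and the
# relationship types (oleObject / package) that link them from the document.
EMBED_PREFIX = "word/embeddings/"
EMBED_REL_TYPES = ("relationships/oleObject", "relationships/package")
RELS_PATH = "word/_rels/document.xml.rels"


def find_embedded_objects(docx_bytes: bytes) -> list:
    """Return sorted package paths of every embedded object in a .docx.
    Both the embeddings folder and the document relationships are checked,
    so an object stored under an unusual path but still linked is reported."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        found.update(n for n in names if n.startswith(EMBED_PREFIX))
        if RELS_PATH in names:
            rels = zf.read(RELS_PATH).decode("utf-8", errors="replace")
            for rel in rels.split("<Relationship ")[1:]:
                if any(t in rel for t in EMBED_REL_TYPES) and 'Target="' in rel:
                    target = rel.split('Target="', 1)[1].split('"', 1)[0]
                    found.add("word/" + target.lstrip("/"))
    return sorted(found)


def build_sample_docx(with_embedding: bool) -> bytes:
    """Build a minimal docx-shaped zip (constructed sample, not a real report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        if with_embedding:
            # Stand-in for the spreadsheet used to prepare the report.
            zf.writestr("word/embeddings/Microsoft_Excel_Worksheet.xlsx", b"PK\x03\x04stub")
            rels += ('<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/'
                     'officeDocument/2006/relationships/package" '
                     'Target="embeddings/Microsoft_Excel_Worksheet.xlsx"/>')
        rels += "</Relationships>"
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(find_embedded_objects(build_sample_docx(flag)))
```

Any non-empty result should block publication until the object is removed (or the file is exported to a format that drops it) and the exported file is rechecked.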
At 9:15am on 19 February 2014, a journalist notified the DHA about the data breach. The Report with the embedded personal information remained online and publicly available for approximately 8 days.
The Report, and its embedded personal information, was also available on another website, the Internet Archive (a not-for-profit digital archiving service), from 11 to 27 February 2014.
Following an investigation by the OAIC, the AICPC ordered compensation for a total of 1,297 participating class members out of the 9,258 affected individuals, save for 7 who opted out under s 38B(2) of the Privacy Act 1988 (Cth) (Privacy Act).
In making the order, the AICPC held that the DHA had breached s 13(a) of the Privacy Act and had interfered with the privacy of the class members by:
- disclosing their personal information on a publicly available website, in breach of Information Privacy Principle (IPP) 11 (which related to the limits on the disclosure of personal information); and
- failing to take such safeguards as were reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure, and against other misuse, in breach of IPP 4.
The IPPs were replaced by the Australian Privacy Principles – or APPs – in March 2014.
The AICPC also declared:
- the DHA's conduct interfered with the privacy of class members in contravention of IPPs 4(a) and 11, and the DHA must not repeat such conduct; and
- those class members (participating class members) who made submissions and/or provided evidence of loss or damage to the OAIC within the specified timeframe are to be paid compensation for loss or damage arising from that publication (under s 52(4)(a) of the Privacy Act).
The Decision is the first penalty of its kind against an Australian federal government agency and tends to confirm the benefit of cooperating with the OAIC.
As reflected in the decision, the DHA's cooperation (amongst other factors) was appreciated by the AICPC in contemplating (and ultimately deciding against) any further actions against the DHA, including awarding aggravated damages. Whilst the current legislative regime does not provide for penalties for failure to cooperate, the Australian Attorney-General, on 24 March 2019, announced a new penalty regime under the Privacy Act (see announcement; the new regime remains to be implemented). Under the proposed amendments, organisations can be issued with an infringement notice of up to AU$63,000 for failure to cooperate with efforts to resolve minor breaches. The new penalty regime will also significantly increase the maximum penalties for serious or repeated breaches of the Privacy Act (for example, the current maximum for companies of $2.1m will be increased to $10m or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company's annual domestic turnover – whichever is greater).
The Decision additionally clarifies that claims for compensation in respect of loss or damage suffered by any alleged unpermitted disclosure of personal information made under s 52(1)(b)(iii) of the Privacy Act must first satisfy an evidentiary basis before a complainant can be entitled to compensation. Further, matters of compensation may be guided by the principles of tort law, although the AICPC will remain ultimately guided by the language of the statute.
Ultimately, compensation should be assessed by having regard to the complainant's reaction, rather than the "perceived reaction of the majority of the community or of a reasonable person in similar circumstances" (Decision, para 55).
Organisations should accordingly adopt a sensitive and tailored approach in addressing potential complainants as a matter of priority following identification of any potential data breaches.
In conclusion, the Decision serves as a timely reminder to organisations to ensure their data protection systems remain secure, functional, and regularly audited, so as to avoid inadvertent disclosures that carry pecuniary and reputational harm. Where any such breaches do occur, a measured and urgent response is recommended as an immediate priority.