In February, we learned of a horrific privacy breach involving almost 10,000 asylum seekers. This breach is on my personal Top 10 Worst Breaches of 2014 because of the risk of harm to those exposed. A detention file created by Australia’s Department of Immigration and Border Protection (DIBP) accidentally exposed detainees’ personal details and was subsequently downloaded in about 16 countries, putting those asylum seekers at even greater risk should they have to return home.
Today, Chris Duckett of ZDNet reports that a report by the Office of the Australian Information Commissioner reveals how the breach occurred:
The source of the privacy breach was determined to be the copying and pasting of a chart from Microsoft Excel into Microsoft Word by a DIBP staff member, which resulted in the underlying data to render the chart being embedded in the Word document. The OAIC found this action to be contrary to departmental policy to export charts as images, but that the policy did not explain why this direction existed, or what risks would be negated in following it.
“The Commissioner found that had DIBP appropriately trained departmental staff involved in the creation of the Detention report to understand the risks of embedded data and how those risks could arise, and in how to copy and paste graphs as pictures, the staff may have avoided making the error,” the report (PDF) said.
Read more on ZDNet.
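The embedding mechanism described in the OAIC finding is something a pre-publication check can look for. The script below is an added example, not code from the OAIC report, ZDNet or DIBP. It assumes the document is saved as an OOXML package (.docx), where a chart pasted as an object keeps its source workbook under word/embeddings/ and cached values in the chart XML; the sample packages and the function names are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: OOXML package (.docx/.pptx). Pasted charts keep their source
# workbook under */embeddings/ and cached values in */charts/chartN.xml.
EMBEDDING_PREFIXES = ("word/embeddings/", "ppt/embeddings/")
CHART_PART = re.compile(r"^(word|ppt)/charts/chart\d+\.xml$")
CACHE_POINT = re.compile(rb"<c:pt\b")  # one cached data point (usual "c:" prefix)


def audit_package(data: bytes) -> dict:
    """List embedded workbooks/OLE objects and count cached points per chart."""
    findings = {"embedded_parts": [], "chart_cache_points": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            name = info.filename
            if name.startswith(EMBEDDING_PREFIXES) and not info.is_dir():
                findings["embedded_parts"].append((name, info.file_size))
            elif CHART_PART.match(name):
                points = len(CACHE_POINT.findall(pkg.read(name)))
                if points:
                    findings["chart_cache_points"][name] = points
    return findings


def is_safe_to_publish(data: bytes) -> bool:
    """True only if no chart source data travels with the document."""
    found = audit_package(data)
    return not found["embedded_parts"] and not found["chart_cache_points"]


def build_sample(chart_pasted_as_object: bool) -> bytes:
    """Constructed sample: a minimal ZIP with OOXML part names, not a real report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document/>")
        if chart_pasted_as_object:
            pkg.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"PK-constructed")
            pkg.writestr("word/charts/chart1.xml",
                         '<c:numCache><c:ptCount val="2"/><c:pt idx="0"><c:v>1</c:v></c:pt>'
                         '<c:pt idx="1"><c:v>2</c:v></c:pt></c:numCache>')
        else:
            pkg.writestr("word/media/image1.png", b"constructed-image-bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for pasted in (True, False):
        print(pasted, audit_package(build_sample(pasted)))
```

A chart pasted as a picture lands under word/media/ and carries no workbook, which is why the second sample passes the check.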
The breach described above was the first breach in 2014 affecting asylum seekers. There was also a second breach.
So apart from requiring DIBP to get its security and training act together, what is the government doing for the asylum seekers in the way of mitigating harm from the breaches?
By way of mitigation, the OAIC’s report mentions that the DIBP undertook an internal risk assessment to assess the risk of harm to the listed individuals, and commenced a process of notifying the listed individuals.
But is that it in the way of mitigation? Is that all they did? What did DIBP do if their internal risk assessment determined that there was a significant risk of harm to a listed individual? Did the individual then get asylum or were they sent back to a country where they might now be at even greater risk?
In June, the immigration minister, Scott Morrison, was asked whether the breach and where the file was downloaded would have any impact on the consideration of asylum requests:
Morrison said: “Not necessarily. Every single individual case of a person’s asylum claim is assessed on its individual merits, and any factors that are relevant to that assessment are taken into account and the extent to which those matters may be relevant will be considered at that time.
“There have already been a number of those cases where that issue has been raised and it has been dismissed.”
I see media reports from AU that say DIBP was asked for a comment on the OAIC report. I cannot find any reporting on what happened to these asylum seekers. Has any AU media outlet filed under FOI to get detailed results? If so, please let me know or point me to their coverage.
BTW, when you search DIBP’s website for news on “asylum seekers” or “asylum” for 2014, do you know what you get?
“Sorry, your search returned no results.”
I’d apply for a “media kit,” but they don’t seem to have any online, and if you try to register for their newsroom, they ask you, “How do you plan to use the content?”
I wonder what they’d do if I answered, “Probably somewhat disdainfully.”