Immigration breached Privacy Act with data leak

The Department of Immigration breached its obligations under the nation’s Privacy Act when it inadvertently published the personal details of 9250 asylum seekers online, the Commonwealth's privacy watchdog has found.

In February this year the department admitted it had accidentally made public a database of sensitive information including full names, nationalities, date of birth, gender and boat arrival dates of all individuals held on Christmas Island and in a mainland detention facility.

The data remained accessible on the Immigration website for nine days, and cached on an archived search engine for around 16 days.

The department pulled the document - titled the Immigration Detention and Community Statistics Summary, which is published monthly in PDF and Word versions - an hour after it became aware of the issue.

Soon after the breach was revealed, Privacy Commissioner Timothy Pilgrim promised to investigate the incident, and today handed down his conclusion [pdf] that the department had fallen foul of privacy law by failing to adequately protect the personal information of the asylum seekers, and by unlawfully disclosing personal information.

Pilgrim found a number of internal Immigration policy documents had failed to “adequately mitigate against the known risk of embedded data”, while the department had similarly failed to make its staff aware of the risk embedded data could pose.

“These failures led to the errors by departmental staff who created and cleared the detention report,” he reported today.

While preparing the document, Immigration staff copied charts and tables directly from the Microsoft Excel spreadsheet used to generate statistics for the report - resulting in the underlying data being embedded in the final Word version - rather than copying and pasting the charts as pictures into Word documents, as per department's detention report policy, Pilgrim said.

But he also found that the policy failed to properly explain why this particular instruction was important, and similarly did not give enough detail on how to carry it out. Immigration staff should also have been trained in the risks of embedded data, he said.

“If DIBP had explained the reason for this direction, staff may have better understood the risks of embedded data and why this instruction was necessary,” Pilgrim said.

“Further, this data breach may also have been avoided if DIBP had processes in place to de-identify data where particular areas of the agency do not require access to the full data set.”

While Immigration had measures in place to ensure sensitive reports were properly checked before publication, Pilgrim found that - despite being aware of the risk posed by embedded data - the department only appointed reviewers to check over a hard copy of the report.

The majority of those charged with checking and publishing the document were also unaware that Excel data could be embedded in a Word document, Pilgrim said.

“Given the sensitivity of the data in question and the number of people involved in compiling, clearance and publication of the detention report...a reasonable security safeguard in this situation would be to de-identify the information at an early stage in the process of compiling the detention report,” he stated.

“These deficiencies in DIBP’s policies, procedures and training failed to adequately mitigate against the risk of a data breach. In order for policies and procedures to constitute a reasonable security safeguard, those policies and processes must adequately address known risks.

“Policies that are not understood by staff are unlikely to be adhered to, and are therefore unlikely to be a reasonable security safeguard.”

Pilgrim said it was essential that Immigration couple the revised policies it has promised it is working on with staff training, as well as guidance on how to handle IT security, data and privacy in a digital context.

He also recommended that Immigration monitor internal compliance with any new processes to ensure they are consistently followed, and asked the department to engage an independent auditor to certify that it completes its planned remediation steps - which include ongoing staff training  - and present him with the auditor’s report by February 13 next year.

The department told the Privacy Commissioner it had started work on addressing its IT and privacy training for staff; formed a high-level working group to provide formal governance for online publishing; updated its online publishing guidelines to emphasise checking for embedded data; and intended to engage an auditor to review its relevant policies and procedures.

Pilgrim said based on the department's remediation efforts, ongoing implementation of recommendations from the KPMG report, and its intention to appoint an auditor to confirm its remediation activities, he had decided to close the investigation.

The data breach resulted in a hefty rise in the number of individual privacy complaints received by the OAIC in the past year.

In its last annual report before the agency is wound down, the OAIC reported receiving 904 complaints against the Immigration department as a result of the February leak. Pilgrim today said that number had since grown to over 1600, with the figure still increasing.

The commissioner said his jusdgement that the department had breached the Privacy Act would be taken into account when investigating individual complaints.

The Department of Immigration and Border Protection and the Immigration Minister have been contacted for comment.