AFP investigates alleged asylum seeker data theft

The Immigration department has referred the reported theft of hard drives containing hundreds of asylum seekers' personal files in Nauru to the Australian Federal Police for investigation.

Immigration chief Mike Pezzullo today said the department had received reports that a number of devices had gone missing from the offshore detention facility, as first reported by SBS in September and The Guardian Australian on Saturday.

The storage devices were reportedly not password protected and were stolen from inside an ‘unlockable’ tent on the island.

They are said to contain the individual files of hundreds of asylum seekers, including their medical histories, the details of their protection claims and accusations of mistreatment at the hands of detention centre operators.

Pezzullo’s deputy Mark Cormack today confirmed to a senate estimates committee that the department had received “very strong claims” the events had occurred.

“We have received a report from a service provider about the loss of computers and hard drives. To the extent that [the service provider] is telling the truth, this has formed the basis of our concerns," he said.

“The allegation is that a USB drive and some hard drives have been misplaced and possibly stolen."

The disclosure of the unauthorised release of the information had been reported to the Australian Federal Police, Pezzullo said.

The claims will also be investigated as part of an independent review currently being conducted into the administration of the Nauru detention centre by former integrity commissioner Phillip Moss, whose terms of reference specifically point to the issue of data security.

“If there has been any kind of theft of data in the terms described, whether it is by a service provider, someone else with privileged access to this kind of information or – god forbid – an official of the Immigration department, then that is completely unacceptable and will be dealt with as such,” Pezzullo said.

He also stressed that the latest security breach was not linked to the inadvertent publishing of information relating to 10,000 asylum seekers via a publicly available PDF earlier this year.

But the close timeframe  two high-profile incidents occured prompted opposition Senator Kim Carr to ask Pezzullo what he was doing “to protect the privacy of the people who are in your custody?”

Pezzullo said he had a “philosophical commitment” to the notion that “everyone deserves an appropriate level of confidence that their personal data is protected”.

Deputy secretary of the department’s business services group, Liz Cosson, said the department had introduced new training and procedures for staff - specifically for those uploading information to the internet - based on the advice of a KPMG review it commissioned into the first data breach.

An automated process to sanitise any information being published online had also now been implemented, she said.

The first breach is also currently being investigated by the Office of the Information Commissioner.