Govt scolded over another Immigration data leak

The federal opposition has accused the Immigration department of contravening data breach disclosure guidelines and developing a reputation for poor data protection after a staff member was revealed to have emailed the personal details of world leaders to the wrong recipient.

Labor immigration spokesman Richard Marles today called on Minister Peter Dutton to explain the incident and the Government’s failure to notify the world leaders - such as US President Barack Obama and Chinese President Ji Xinping - affected by the breach.

The Guardian yesterday revealed that an Immigration employee had accidentally sent the passport numbers, visa details and other personal information of all of the world leaders attending the November G20 Summit to the organisers of the Asian Cup football tournament.

The error was blamed on the autofill function within the email address field in Microsoft Outlook.

In response, Immigration CIO Matthew Yannopoulos told The Guardian he had shut down the autocomplete function across the whole agency so employees now had to fully type out email addresses for each message they sent.

He acknowledged that the provision would make communications “torturous” for employees.

The department decided not disclose the breach to the parties involved once it became aware of the issue, which Marles today claimed went against the advice of the Office of the Australian Information Commissioner (OAIC).

In its non-mandatory guidelines for such incidents, the OAIC states that “in general, if there is a real risk of serious harm as a result of a data breach, the affected individuals and the OAIC should be notified”.

Privacy Commissioner Timothy Pilgrim advised that he had looked into the matter when it was brought to his attention in November, and was satisfied with the measures Immigration had put in place to prevent such a breach occurring again.

Greens Senator Scott Ludlam said the incident was an example of the fallibility of enterprise data protections, and in turn the risk posed by the Government’s data retention scheme, which passed through Parliament last week.

“You can’t protect against human error,” he argued in a statement.

“If the information of world leaders can be breached, then what will happen when thousands of people from a range of agencies have access to the metadata of 23 million Australians as a result of the government and opposition’s data retention regime?”

This is not the first time Immigration has been brought to the Privacy Commissioner’s attention.

Pilgrim ruled last year that the agency had breached the Privacy Act when it inadvertently published details of thousands of asylum seekers in an online PDF.