Home Affairs ordered to compensate asylum seekers over 2014 data breach

The Department of Home Affairs has been ordered to compensate almost 1300 asylum seekers for inadvertently publishing their personal information online in 2014.

It comes six years after the then Department of Immigration and Border Protection was originally found to have breached the Privacy Act over the data leak that impacted a total of 9250 individuals.

The breach occurred when the department accidentally made public a database containing the personal information of all individuals held on Christmas Island and in a mainland detention facility.

Information, including full names, nationalities, dates of birth, gender and boat arrivals, was accessible for eight days on the department's website and a further seven days on Archive.com before it was removed.

In a determination [pdf] published on Wednesday, privacy commissioner Angelene Falk said 1297 asylum seekers would be paid compensation for non-economic loss or damage arising from the data breach.

The department is said to have “interfered with the privacy of 9251 detainees” by releasing the information, though only 1297 asylum seekers who made submissions to the Office of the Australian Information Commissioner (OAIC) will be compensated.

Compensation is expected to range from $500 to more than $20,000 for “extreme loss or damage”. There are five categories of loss or damage in total.

This suggests a total bill of between $650,000 and $25.94 million for Home Affairs as a result of the disclosure.

Falk said compensation for economic loss would be paid on a case-by-case basis.

“This matter is the first representative action where we have found compensation for non-economic loss payable to individuals affected by a data breach,” she said.

“It recognises that a loss of privacy or disclosure of personal information may impact individuals and, depending on the circumstances, cause loss or damage.”

The compensation process is expected to be conducted over the next 12 months, though the bulk of the claims will likely be resolved in a much shorter timeframe.

The department will assess each claim by taking into account “the submission and/or evidence of loss or damage they provided and in accordance with a table of categories”.

It will then communicate this figure and the evidence for this to each of the claimants – or their representative – to seek agreement on the amount of compensation.

If the department and claimants are unable to agree, further submissions will be obtained, with the privacy commissioner to declare the compensation amount for any claims that remain unresolved.

Slater and Gordon and the Refugee Advice and Casework Service (RACS), who represented the asylum seekers on a pro-bono basis, welcomed the OAIC compensation ruling.

Senior associate Ebony Birchall said the ruling was the first time in Australian history that compensation has been ordered for a mass privacy breach.

“This is the most significant use of the representative complaint powers in the Privacy Act to date, and appears likely to result in the largest compensation figure ever to be determined for a privacy claim in Australia,” Birchall said in a statement.

“It is an important reflection of the fact that privacy breaches are not trivial or consequence-free mistakes, and that increasingly, individuals who suffer loss as a result of a breach should expect to be able to obtain redress.

“Organisations holding personal or sensitive data need to take their obligations seriously, and the presence of meaningful consequences and compensation rights following breaches is a significant development.”

RACS director and principal solicitor Sarah Dale said the centre was "pleased to see it publicly recognised that the Department of Home Affairs breached the fundamental right to privacy of thousands of people seeking asylum in Australia.”

“We also acknowledge, however, that no decision or result such as this will alleviate the distress caused to people who have already experienced so much pain,” she said.