19 February 2014

Refugee Data Breach

The Guardian has revealed that there has been a serious data breach involving the Department of Immigration and Border Protection.
The personal details of a third of all asylum seekers held in Australia – almost 10,000 adults and children – have been inadvertently released by the Department of Immigration and Border Protection in one of the most serious privacy breaches in Australia’s history. 
A vast database containing the full names, nationalities, location, arrival date and boat arrival information was revealed on the department’s website, raising serious concerns that thousands of asylum seekers have had confidential details made public.
Every single person held in a mainland detention facility and on Christmas Island has been identified in the database, as well as several thousand who are living in the community under the community detention program. A large number of children have been identified in the release, which also lists whether asylum seekers are part of family groups. 
The breach raises serious questions about whether those identified could be placed at risk of retribution if they are returned to their countries of origin. ... 
Guardian Australia has chosen not to identify the location of the data and made the department aware of the breach before publication. 
The Department of Immigration has released a statement saying the information was never intended to be in the public domain. 
“The department acknowledges that the file was vulnerable to unauthorised access. The department is investigating how this occurred to ensure that it does not happen again,” it said.
So far there has been no statement from the Office of the Australian Information Commissioner, which has been promoting the amendments to the Privacy Act 1988 (Cth) that come into effect next month. The Office has been recurrently criticised in scholarly and civil society organisation literature for its dilatory and permissive response to serious data breaches.

The Commissioner will presumably lament that the Office is under-resourced and under-authorised … and that in dealing with the breach it is inappropriate to take any action until all information is available.

I have argued elsewhere that the Commissioner can and should offset resource problems - or lack of power pending establishment of the amendments - by use of its moral authority.

A quick and public response that condemns bad behaviour - including behaviour, such as egregious invasions of privacy by media organisations, that are permitted by the Act - may be just as effective as any imposition of a financial penalty.

So far there hasn't been a peep from the Office. That's a lost opportunity.

If the Office wants to signal that it is engaged, is vigilant, is positive, and is credible why not issue a media release indicating that the Commissioner notes with concern reports regarding a major unauthorised disclosure of sensitive information about vulnerable people. Indicate that investigation is underway. Don't wait until directed by the Minister. Don't delay for six months.

The Guardian aptly notes that
At a news conference last November, the immigration minister, Scott Morrison, outlined the government’s responsibility to protect the identities of asylum seekers in its care. 
“What the Australian government has an obligation to do, though, is ensure that we take all steps necessary so as not to violate their identity,” he said. 
“Now, it is important that people who are making claims about asylum can do so in a discreet way and a private way. And we need to take all reasonable steps under our duty of care to ensure that we don’t expose people to that situation.” 
Both the current and previous governments have said the secrecy surrounding Australian detention facilities is necessary to protect asylum seekers’ privacy.
If that is the case, let's be seen to be providing protection. More broadly, since all people - refugees or otherwise - have a right to privacy - let's see the Office announce that the matter is being investigated. Such an announcement doesn't involve a condemnation of the Department or an endorsement of claims by media organisations that are now echoing the Guardian. It does however tell us something about the Office's culture and about the importance of privacy.

As a colleague noted, it takes ten minutes to make a call to the Department, a few words for a short media release and only a few keystrokes to let the world know that exploration is underway. All in all, not very hard. All in all, cost effective. All in all, the responsiveness and initiative that we can reasonably expect from some quite well-paid bureaucrats but alas have not been seeing.
  • update 1: the Commissioner
In a welcome development the OAIC has released the following statement -
Personal information of asylum seekers — Statement from Privacy Commissioner 19 February 2014 
The Office of the Australian Information Commissioner (OAIC) is aware of this data breach. I have spoken to the Department of Immigration and Border Protection and have been assured that the information is no longer publically available. This is a serious incident and I will be conducting an investigation into how it occurred. As part of this investigation, the Department has undertaken to provide me with a detailed report into the incident. Further, the OAIC will be working with the Department to make sure they are fully aware of their privacy obligations and to ensure that incidents of this nature will not be repeated.
Past public reports by the OAIC into data breaches have been slow to appear, far less detailed and more permissive than reports by ACMA (notably regarding the latest Telstra data breach). Let us hope that the OAIC acts with vigour.
  • update 2: the Minister
The Minister for Immigration subsequently released the following media statement
Unacceptable breach of privacy 
I am advised that an immigration detention statistics report released on the Department of Immigration and Border Protection's website on 11 February 2014 inadvertently provided access to the underlying data source used to collate the report content which included private information on detainees. 
This is an unacceptable incident. I have asked the department Secretary to keep me informed of the actions that have been initiated, including any disciplinary measures that may be taken, as appropriate. 
Immediate steps were taken to remove the documents from the department's website immediately after the department became aware of the breach from the media. 
The information was never intended to be in the public domain, nor was it in an easily accessible format within the public domain. 
The department Secretary has engaged KPMG to review how this occurred and an interim report is expected to be provided next week. 
As part of that investigation the department has tasked KPMG to review all data publications and to ensure that proper mechanisms will be in place to make sure it doesn't happen again. 
I am advised the department has ensured all possible channels to access this information are closed, including Google and other search engines. It appears the personal information underlying the report cannot be accessed through search engines. 
This is a serious breach of privacy by the Department of Immigration and Border Protection. 
I have received a brief on this matter and have sought assurances that this will not occur again. 
I also welcome the privacy commissioner's investigation into this breach. 
My department will also be requesting that the media organisation that published this data advise if they have disseminated the information to any other parties and to return all copies of the information to the department.
The Guardian responded
[T]here are a few points in the immigration minister’s statement which require a response. 
Morrison says the information was not “in an easily accessible format within the public domain”. Guardian Australia can confirm that the document was freely available for download from a public area of the department’s website, along with many other public files. The document and the data contained within it were straightforward to access. 
In his statement, Morrison reveals details about the document, including the date of its publication and the type of file. In a subsequent television interview, he named the document. Guardian Australia has not released the name or date of the document, to ensure no further breach of privacy. 
Morrison concludes his statement with this paragraph: “My department will also be requesting that the media organisation that published this data advise if they have disseminated the information to any other parties and to return all copies of the information to the department.” 
No such requests have yet been received by Guardian Australia from the department, but we can confirm that we have never published the data, including in our original story; that we have refused all requests for the data from other news organisations, to protect the privacy of those named; and that we have not disseminated the data in any way. 
Guardian Australia notified the department of the breach before publication, and did not publish until the document had been removed from the department’s website. We also notified the privacy commissioner of the breach.
My item in The Conversation, with Benjamin Smith and concentrating on privacy aspects rather than broader duties to vulnerable people under the Migration Act and international law, is here.