Turn back the files: Privacy Act cops rap for federal anachronisms

Turn back the files: Privacy Act cops rap for federal anachronisms

Summary: The Australian Department of Immigration and Border Protection says the Privacy Act forces it to ask holders of confidential electronic documents to return them to the department.

SHARE:

While the chief objective of the Department of Immigration and Border Protection for this parliamentary term will be to "stop the boats", that has not prevented the department from treating digital files as physical on-water vessels that can be returned to their place of departure as though they have not been disseminated across the internet.

Two weeks ago, the department called in KPMG to conduct an audit as to how a document with a link to an underlying data source containing personal information on detained asylum seekers used within Immigration had appeared online.

The data source gave anyone in the report's possession access to the full names, nationalities, locations, arrival dates, and boat arrival information of nearly 10,000 asylum seekers, including children, detained in a mainland or Christmas Island detention facility.

One of the journalists who broke the story, Asher Wolf, subsequently received a letter from the department in which it asked her to return the documents.

"I further ask that you immediately return all hard and soft copies of the information, including copies on any storage device in your possession and control," said the letter dated February 21 from department secretary Martin Bowles.

It's a request that remains useful in the instances of printed documents or closely distributed electronic information, but surely not one that has any validity for a document that appeared on the public internet, and, according to Wolf, was still accessible almost a week later, despite assertions from Immigration Minister Scott Morrison that his department had ensured the documents were made inaccessible.

The approach of the department raises a number of questions, were Wolf to comply with the request, which she clearly said she was not going to.

Given that electronic files can be trivially copied, moved, deleted, and manipulated, what process would the department have enacted to verify that Asher Wolf returned the files?

Would the department be able to determine whether they have been sent all copies of a file, and not simply a copy, while Wolf or anyone who downloaded the file while it was publicly available retained innumerable other copies?

How does the department intend to have other copies not in Asher Wolf's possession returned to it?

In response to this set of questions, a spokesperson for the Minister for Immigration and Border Protection told ZDNet that its actions and request for the return of information had been in accordance with the provisions of the Privacy Act.

"The department's obligations under the Privacy Act 1988 include taking whatever steps are necessary, in accordance with the Australian Information Commissioner's data breach guidelines, to contain the breach and to ensure that any personal information which has been improperly disclosed is returned or otherwise dealt with in a fashion that minimises the impact that its disclosure may have," the spokesperson said.

Now, I am not a Queens Counsel, Senior Counsel, or even a lawyer, but I would have thought that "or otherwise dealt with in a fashion that minimises the impact that its disclosure may have" was the pertinent part of the clause in the case of electronic documents, and could have been handled with an undertaking from Wolf to delete any copies in her possession and to end any distribution that may have been happening.

To answer that question, I turned to the expert in matters of privacy and government, the Office of the Australian Information Commissioner (OAIC), which is currently conducting an investigation into the original data breach from the Immigration department.

However, due to the existence of its investigation, OAIC refused to comment on the matter, but did refer ZDNet to OAIC's Guide to Information Security, which at the time was returning errors that included the SQL query used for inserting rows into its session tracking table.

That the monitor of the government's data breaches is itself helping the dissemination of information that should remain unseen with its informative SQL-laden error messages would normally be absurd, but it now follows a pattern of behaviour that is almost expected with this level of government.

From the attorney-general looking to impose a three-strikes copyright infringement scheme on internet service providers, whether they want it or not — nevermind what the High Court had to say on this issue previously — to the continuing embarrassment of the government, and its reaction as Snowden's documents increasingly reveal what our intelligence agencies have been doing in our name; expecting a well-considered approach to technology is fast becoming the wish of a fool.

Take the pinnacle of this mindset: The Inspector General of Intelligence and Security, in an effort to keep the amount of sensitive data leaked at a minimum, often conducts external communications on paper, and the office of the inspector general is not connected to the internet at all.

Which does raise one more burning question.

How does one even return documents to the government? Does the government accept a copies delivered in the mail? Or will faxing the electronic copies suffice?

Topics: Government AU, Privacy, Security, Australia

About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

3 comments
Log in or register to join the discussion
  • Mr Magoo Morrison pantsed again.

    What a laugh. Mr Magoo Morrison has done it again. Only a bumbling fool wouldn't check and make sure that the information had been removed from the site before commenting on it. There he was yet again, going off half cocked assuring us the information had been taken off the website when it hadn't. The arrogance and stupidity of this numb skull Immigration minister is beyond belief.
    When information such as this is compromised electronically, it's compromised forever. Morrison can't even secure a bit of information let alone our borders.
    Lastofthegoodguys
  • Under what Authority? Oh there isn't one!

    I note that the Departmental Secretary (that is the CEO of a Commowealth agency) has not cited any head of power that gives him authority to enforce Ms Wolf's return of the material hence Mr Bowles has used terms like "ask" and "request".

    Unlike a public servant, Ms Wolf is not compelled to comply with the various public service secrecy provisions that are in many instruments. And no, Australia does not have an Official Secrets Act.

    Furthermore, if the released material was not marked with security classification markings one has to wonder under what instrument could Ms Wolf be prosecuted, if that is an avenue that the Commonwealth pursues? Any lawyers (real ones, please) with a answers on that?
    Nulligravida
  • Magoo Morrison is so Typical .... !

    Another bubbling bureaucratic pinhead who has no clue how the Internet works & worse how his department functions.

    Give a fool absolute power & he'll screw us,..totally.
    Huntsman.ks