Asylum seeker data breach assessment 'procedurally unfair'

The Full Court of the Australian Federal Court has ruled in favour of two asylum seekers whose details were unlawfully leaked by the Department of Immigration and Border Protection (DIBP), saying that the assessment of the impact of their breach of privacy by the federal government department was "procedurally unfair".

In February last year, the department accidentally published the details of almost 10,000 asylum seekers, including their full names, dates of birth, genders, nationalities, periods of immigration detention, locations, boat arrival information, and the reasons why an entrant was classified as having travelled into Australia "unlawfully".

The information was available on the department's website for just over eight days, remaining on its archive site for 14 days, and was removed from both sites only once publication The Guardian had alerted the department of the breach.

The breach occurred due to a DIBP staff member had copied and pasted a Microsoft Excel chart into a Word document, with the underlying data rendering the chart in Excel then embedded in the Word document.

"The commissioner found that had DIBP appropriately trained departmental staff involved in the creation of the detention report to understand the risks of embedded data and how those risks could arise, and in how to copy and paste graphs as pictures, the staff may have avoided making the error," the department's own report into the matter [PDF] said.

KPMG's investigation into the breach [PDF], commissioned by the DIBP, found that the document had been accessed 123 times from 104 IP addresses before being pulled down, with a report by the Office of the Australian Information Commissioner (OAIC) in November finding that this constituted a breach of the Privacy Act.

"This incident was particularly concerning due to the vulnerability of the people involved," Australian Privacy Commissioner Timothy Pilgrim said.

Several asylum seekers affected by the breach lodged legal claims against the DIBP in March last year. The asylum seekers argued in their claims that the government had disregarded its own fairness obligations, as the department's letters notifying them of the breach and the investigation into the breach had not provided sufficient information about what mitigation measures had been taken, who had accessed the information, and what effects this could have on the risk to the individuals.

"The 27 June and 11 October 2014 letters were insufficient to discharge the department's procedural fairness obligations, because they failed to provide information held by the department necessary to enable the applicant to make meaningful submissions on the data breach, and did not identify the nature and content of the 'process' by which an assessment of Australia's non-refoulement obligations towards the applicant would be made or the applicant's involvement in that process," the solicitors representing the asylum seekers said in a letter to DIBP's counsel.

During the initial trial in the Federal Circuits Court, the DIBP, on the other hand, claimed that it owed neither non-refoulement obligations -- an international law obligation under which a victim of persecution must not be surrendered to their persecutor -- nor procedural fairness to the asylum seekers, because they were unlawful non-citizens of Australia.

That court ruled in favour of the government department, saying that international non-refoulement obligations had not been engaged.

In the appeal, SZSSJ v Minister for Immigration and Border Protection, the Federal Court pointed out that publishing those details had risked authorities in the countries from which the asylum seekers had sought protection finding out their location and status in Australia.

This, according to the Federal Court, contravened s91X of the Migration Act 1958, along with international law obligations arising out of several treaties ratified by Australia, including the International Covenant on Civil and Political Rights, the Convention Against Torture, and the Convention Relating to the Status of Refugees.

"In cases such as these, involving persons whose claims for protection have failed, the public revelation of their identities that could have been accessed by the very persons from whom the failed protection seeker feared harm, conceivably might have some potential to expose him or her, on refoulement, to what he or she feared," said Justices Rares, Perram, and Griffiths in their unanimous judgment.

The Federal Court stated that the department's conduct in undertaking investigations into the data breach in itself activated its procedural fairness and non-refoulement obligations.

"The conduct of the department was sufficient in itself to trigger an obligation of procedural fairness," the court said.

Rares, Perram, and Griffiths JJ pointed out that it was also a conflict of interest for the department to be assessing whether it had non-refoulement obligations arising out of its own wrongful conduct in the first place.

"No argument was addressed to us that the bias rule had the effect of wholly barring the department from addressing that issue, but at the very least, in a practical way, it undermines fairness to suggest that in such an unusual situation, the department does not have to reveal the full circumstances so that the person affected can assess, with full information, whether some adverse impact occurred or may have occurred on which he or she wishes to be heard."

The Federal Court concluded that the affected asylum seekers, without being given access to the KPMG report in its entirety, could not assess the risk of the data breach to their safety.

"We conclude that those procedures were unfair to a significant degree."

As a result, the court declared the process to have been "procedurally unfair", and placed an injunction on the DIBP, saying the asylum seekers could not be removed from the country until 14 days after the completion of their own risk assessment of the breach, having reference to the complete, unabridged KPMG report. The DIBP was also ordered to pay costs for both trials.

In April this year, the DIBP established a task force into its own its own accountability and information management practices after a similar gaffe where the passport numbers, dates of birth, and visa information of world leaders attending last year's G20 summit in Brisbane -- including those of US President Barack Obama and Russian President Vladimir Putin -- were accidentally emailed to a member of the Asian Cup Local Organising Committee.

The department, however, did not deem it necessary at the time to inform those involved that their privacy had been breached -- despite the mandatory data-breach notification laws of some of those involved.

"Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach," the DIBP staff member was reported to have written.