DFAT issues apology over emails exposing identities of Australians stranded overseas

The contact details of at least 15 Australian citizens were reportedly included in the 'Cc' field of an email.

Australia's Foreign Minister Marise Payne has issued an apology after identities of Australians who are stranded overseas were accidentally exposed in an email.

"I am very sorry these events have occurred," Payne said, speaking to ABC Radio on Friday morning.

This latest incident is the third privacy breach in three months.

This time around, according to initial reports by Guardian Australia, the incident occurred when the Australian embassy in Paris sent an email to Australians who had registered with the Department of Foreign Affairs and Trade (DFAT) to return home. In the email, the contact details of at least 15 Australian citizens were reportedly included in the "Cc" section.

"It is not an ideal situation at all," Payne continued.

"I've spoken with the secretary of my department about this. We know this is an issue that needs to be addressed. We understand the secretary is taking it up with officials to endeavour to ensure it doesn't happen again.

"It's not something I like to see. I know we try to be very careful with people's personal information, as we should be, and observe our privacy obligations."

A DFAT spokesperson told ZDNet that as soon as the Australian embassy in Paris was made aware of the error, affected citizens were informed and the department ramped up security to prevent a recurrence. 

"As soon as the embassy became aware of the error, staff contacted recipients to apologise for the disclosure and asked that they delete the message and refrain from forwarding it," the spokesperson said. 

"The department has now implemented further managerial and IT safeguards to strengthen how we protect privacy."

Earlier this month, DFAT issued a similar apology for accidentally revealing the email addresses of nearly 3,000 stranded Australians by including them in the "To" field in an email, instead of the "Bcc" field, according to Guardian Australia.

More than 32,000 Australians remain stranded overseas. There is currently a weekly cap of 6,000 international arrivals.

Repatriation flights have been organised by the Australian government. The first flight from London will arrive on Friday in Darwin where passengers will spend two weeks in quarantine.

Last year, the personal data of 300 Australian visa applicants was accidentally leaked to an incorrect address as a result of a "typo".

The report by the ABC detailed that the email containing information on 317 individuals was incorrectly sent to a member of the general public in 2015.

In 2014, the Office of the Australian Information Commissioner (OAIC) found that Home Affairs -- formerly the Department of Immigration and Border Protection (DIBP) -- was in violation of the Privacy Act by unlawfully disclosing personal information when it published the details of approximately 9,250 asylum seekers.

A document containing the full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons why the individual was deemed to be "unlawful" was available on the DIBP website for around eight and a half days, and remained available on Archive.org for approximately 16 days.

The privacy breach was traced to a DIBP staff member copying and pasting a Microsoft Excel chart into a Microsoft Word document, which embedded the underlying data that renders the chart in the Word document.

Updated 26 October 2020 8:57am (AEDT): DFAT comments added.
