The Australian Department of Immigration and Border Protection (DIBP) has established an accountability task force and is revamping its information management practices, after an employee accidentally sent personal details of G20 world leaders to Asian Cup organisers.
It emerged earlier this week that the passport numbers, visa details, and dates of birth of world leaders attending the G20 summit in Brisbane last November, including United States President Barack Obama and Russian President Vladimir Putin, were accidentally emailed by a DIBP employee to a member of the Asian Cup Local Organising Committee.
The breach was put down to human error, according to the department. A document (PDF) published by the Office of the Australian Information Commissioner revealed that the recipient auto-fill function in Microsoft Outlook was to blame: the employee did not check the auto-filled email address and overlooked the mistake until after the email had been sent.
While a subsequent email, obtained under Freedom of Information (FOI) by The Guardian, revealed that the breach was reported less than 10 minutes after the email was sent, it was not disclosed publicly, and nor were the world leaders notified that their details had been shared.
In a statement published on its website on April 1, the DIBP said that it is making "significant changes" to its information management practices, after a number of external and internal reviews into its processes and practices.
The department also revealed that it had established an "External Accountability Task Force" within the department's Integrity, Security, and Assurance Division in order to strengthen its privacy and information management.
"All recommendations from these reviews have been adopted," it said. "This includes establishing built-in safeguards to ensure that sensitive information is not inadvertently or deliberately released externally. The department is also working with its contracted service providers to prevent any breaches by their staff.
"Media reporting of privacy breaches outlined in the documents released under FOI has focused on apparent differences in the approach taken by the department to notifying parties affected by the breaches," it said.
The DIBP came under fire in February last year, when it was revealed that a database containing the full names, nationalities, locations, arrival dates, and boat arrival information of nearly 10,000 asylum seekers had been accidentally published by the department on its website.
"The department takes its obligations under the Privacy Act very seriously. It thoroughly investigates privacy breaches as soon as they are identified," the DIBP said in its statement released on Wednesday. "All matters are notified voluntarily to the privacy commissioner and, if appropriate and required under law, to the Australian Federal Police."