OAIC finds copy and paste behind Immigration Dept privacy breach

A report from the Office of the Australian Information Commissioner (OAIC) has found that the Department of Immigration and Border Protection (DIBP) was in violation of the Privacy Act by unlawfully disclosing personal information when it published the details of approximately 9,250 asylum seekers in February.

The report found that a document containing the full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons why the individual was deemed to be "unlawful" was available on the DIBP web site for around eight and a half days, as well as remaining available on Achive.org for approximately 16 days.

"This incident was particularly concerning due to the vulnerability of the people involved," said Australian Privacy Commissioner Timothy Pilgrim in a statement.

The source of the privacy breach was determined to be the copying and pasting of a chart from Microsoft Excel into Microsoft Word by a DIBP staff member, which resulted in the underlying data to render the chart being embedded in the Word document. The OAIC found this action to be contrary to departmental policy to export charts as images, but that the policy did not explain why this direction existed, or what risks would be negated in following it.

"The Commissioner found that had DIBP appropriately trained departmental staff involved in the creation of the Detention report to understand the risks of embedded data and how those risks could arise, and in how to copy and paste graphs as pictures, the staff may have avoided making the error," the report (PDF) said.

Despite the document being reviewed by seven people, the OAIC found that the majority of reviewers and the publisher of the document were unaware of the ability to embed Excel data in Word documents. Consequently, the document was not checked for such data.

"This breach may have been avoided if DIBP had implemented processes to de-identify data in situations where the full data set was not needed," Pilgrim said.

"I have made a number of recommendations about how DIBP could improve their processes, including requesting that they engage an independent auditor to certify that they have implemented the planned remediation. I have asked DIBP to provide me with a copy of the certification and the report by 13 February 2015."

The OAIC said it has received over 1,600 privacy complaints so far as a result of the breach, and complaints continue to be received.

In the Coalition government's Budget, brought down in May, it was announced that the OAIC would be disbanded at the end of 2014, and its functionality split amongst the Australian Human Rights Commission, Administrative Appeals Tribunal, Commonwealth Ombudsman, Attorney-General's Department, and soon-to-be-established Office of the Privacy Commissioner.

At the time, the government said the move would save AU$3.3 million in direct funding this financial year, then approximately AU$10.4 million each year thereafter.

Last month, the OAIC published its final annual report, which showed that the office had handled more than 4,000 privacy complaints during the financial year ending June 2014, with the 183 percent surge largely the result of new privacy laws.

"OAIC commissioners and staff have acted promptly to implement the government decision. We nevertheless have great pride in the OAIC's substantial record of achievement," Australia Information Commissioner professor John McMillan said in October.

"The OAIC's vision has been an Australia where privacy and information access rights are respected, and public sector information is managed in the public interest. We look to that vision being taken forward by others, and the establishment of the Office of the Australian Privacy Commissioner from January 1, 2015."