OAIC orders Home Affairs to compensate asylum seekers over data breach

The order comes seven years after the legal action against the Australian government for leaking details of nearly 10,000 asylum seekers first commenced.

The Office of Australian Information Commissioner (OAIC) has ordered the Department of Home Affairs, formerly the Department of Immigration and Border Protection, to determine the amount owed for each individual and pay compensation for "mistakenly" releasing the personal information of 9,251 asylum seekers.

The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, determined that the federal government at the time had "interfered" with the privacy of these individuals by accidentally publishing their full names, nationalities, locations, arrival dates, and boat arrival information on its website in 2014.

Following the publishing of their personal information, the asylum seekers launched legal action against the department. The asylum seekers in New South Wales, Western Australia, and the Northern Territory claimed the breach exposed them to persecution from authorities in their home countries.

A total of 1,297 applications were lodged as part of the legal case requesting that compensation be paid because those affected suffered loss or damage due to the data breach.

The commissioner said the compensation to be paid to participating class members would range from AU$500 to more than $20,000 and would be determined on a case-by-case basis.

"This matter is the first representative action where we have found compensation for non-economic loss payable to individuals affected by a data breach," she said.

"It recognises that a loss of privacy or disclosure of personal information may impact individuals and depending on the circumstances, cause loss or damage."

The compensation process is expected to take up to 12 months to complete. It will involve ensuring that individuals agree to their compensated amount. If the department and the individual cannot agree on the compensation amount, there will be opportunities to re-assess the payable amount, the OAIC said.

The OAIC said it would also publish information about the determination in 21 languages to ensure all participating class members are informed about the process so they can finalise their claims. 

Last week, the OAIC requested for amendments to be made to the Privacy Act 1988 that would update its regulatory powers and remove exemptions such as for political parties. 

In a 150-page submission [PDF] to the Attorney-General's review of the Act, the OAIC made a handful of recommendations, including enhancing its own ability to regulate, which it said would bring its powers in line with "community expectations". 

The current Privacy Act positions the regulator to resolve individual privacy complaints through negotiation, conciliation, and determination. The OAIC has described this nearly 33-year-old function as outdated. 

"This reflects the context in which the Privacy Act was first introduced. In the digital environment, privacy harms can occur on a larger scale. While resolving individual complaints is a necessary part of effective privacy regulation, there must be a greater ability to pursue significant privacy risks and systemic non-compliance through regulatory action," it said.

"While Australia's current framework provides some enforcement powers, these need to be strengthened and recalibrated to deter non-compliant behaviour and ensure practices are rectified." 

Related Coverage