Turn back the files: Privacy Act cops rap for federal anachronisms

The Australian Department of Immigration and Border Protection says the Privacy Act forces it to ask holders of confidential electronic documents to return them to the department.
Written by Chris Duckett, Contributor

While the chief objective of the Department of Immigration and Border Protection for this parliamentary term will be to "stop the boats", that has not prevented the department from treating digital files as physical on-water vessels that can be returned to their place of departure as though they have not been disseminated across the internet.

Two weeks ago, the department called in KPMG to conduct an audit as to how a document with a link to an underlying data source containing personal information on detained asylum seekers used within Immigration had appeared online.

The data source gave anyone in the report's possession access to the full names, nationalities, locations, arrival dates, and boat arrival information of nearly 10,000 asylum seekers, including children, detained in a mainland or Christmas Island detention facility.

One of the journalists who broke the story, Asher Wolf, subsequently received a letter from the department in which it asked her to return the documents.

"I further ask that you immediately return all hard and soft copies of the information, including copies on any storage device in your possession and control," said the letter dated February 21 from department secretary Martin Bowles.

It's a request that remains useful in the instances of printed documents or closely distributed electronic information, but surely not one that has any validity for a document that appeared on the public internet, and, according to Wolf, was still accessible almost a week later, despite assertions from Immigration Minister Scott Morrison that his department had ensured the documents were made inaccessible.

The approach of the department raises a number of questions, were Wolf to comply with the request, which she clearly said she was not going to.

Given that electronic files can be trivially copied, moved, deleted, and manipulated, what process would the department have enacted to verify that Asher Wolf returned the files?

Would the department be able to determine whether they have been sent all copies of a file, and not simply a copy, while Wolf or anyone who downloaded the file while it was publicly available retained innumerable other copies?

How does the department intend to have other copies not in Asher Wolf's possession returned to it?

In response to this set of questions, a spokesperson for the Minister for Immigration and Border Protection told ZDNet that its actions and request for the return of information had been in accordance with the provisions of the Privacy Act.

"The department's obligations under the Privacy Act 1988 include taking whatever steps are necessary, in accordance with the Australian Information Commissioner's data breach guidelines, to contain the breach and to ensure that any personal information which has been improperly disclosed is returned or otherwise dealt with in a fashion that minimises the impact that its disclosure may have," the spokesperson said.

Now, I am not a Queens Counsel, Senior Counsel, or even a lawyer, but I would have thought that "or otherwise dealt with in a fashion that minimises the impact that its disclosure may have" was the pertinent part of the clause in the case of electronic documents, and could have been handled with an undertaking from Wolf to delete any copies in her possession and to end any distribution that may have been happening.

To answer that question, I turned to the expert in matters of privacy and government, the Office of the Australian Information Commissioner (OAIC), which is currently conducting an investigation into the original data breach from the Immigration department.

However, due to the existence of its investigation, OAIC refused to comment on the matter, but did refer ZDNet to OAIC's Guide to Information Security, which at the time was returning errors that included the SQL query used for inserting rows into its session tracking table.

That the monitor of the government's data breaches is itself helping the dissemination of information that should remain unseen with its informative SQL-laden error messages would normally be absurd, but it now follows a pattern of behaviour that is almost expected with this level of government.

From the attorney-general looking to impose a three-strikes copyright infringement scheme on internet service providers, whether they want it or not — nevermind what the High Court had to say on this issue previously — to the continuing embarrassment of the government, and its reaction as Snowden's documents increasingly reveal what our intelligence agencies have been doing in our name; expecting a well-considered approach to technology is fast becoming the wish of a fool.

Take the pinnacle of this mindset: The Inspector General of Intelligence and Security, in an effort to keep the amount of sensitive data leaked at a minimum, often conducts external communications on paper, and the office of the inspector general is not connected to the internet at all.

Which does raise one more burning question.

How does one even return documents to the government? Does the government accept a copies delivered in the mail? Or will faxing the electronic copies suffice?

Editorial standards