Victorian Education dept accidentally publishes parent and student details online

The personal information associated with parents' submissions on proposed regulations for Victorian schools was accidentally published online by the state's education department, it has been revealed.

The Victorian Department of Education has revealed that it accidentally published the personal details of up to 115 families who made submissions on proposed regulations for state schools.

According to the department, around 500 submissions were uploaded and published on its website on Friday, and remained online until Saturday.

The parents whose information was published included a domestic violence victim, as well as a parent who detailed how their dyslexic child is now being home schooled due to a history of self-harming, according to a report by The Age.

The Victorian Department of Education said it is "deeply sorry" for publishing the details online, but has not said how the breach of privacy occurred.

"The department took immediate action to take the submissions down as soon as the breach was discovered," a department spokesperson said in a statement on Wednesday.

"We understand the seriousness of this incident, and we are contacting those affected to apologise directly.

"We are commissioning an independent investigation to determine what went wrong, and to recommend steps to prevent it from happening again."

The department is now working with Google to remove all cached versions of the submissions -- some of which were still online as of 2pm on Wednesday.

This is not the first time an Australian government department has accidentally published personal details; back in 2014, the Department of Immigration and Border Protection (DIBP) accidentally published the details of almost 10,000 asylum seekers, including their full names, dates of birth, genders, nationalities, periods of immigration detention, locations, boat arrival information, and the reasons why an entrant was classified as having travelled into Australia "unlawfully".

The information was available on the DIBP's website for just over eight days, remaining on its archive site for 14 days, and was accessed 123 times from 104 IP addresses before being pulled down. A report by the Office of the Australian Information Commissioner at the time found that this constituted a breach of the Privacy Act.

The breach occurred when a DIBP staff member copied and pasted a Microsoft Excel chart into a Word document; the underlying Excel data used to render the chart was then embedded in the Word document.
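A pre-publication check for the failure described above, as an added example that is not from the original article or from DIBP. It assumes the document is an Office Open XML file (.docx), where embedded objects are stored under `word/embeddings/`; the sample file is constructed in the code and the function names are hypothetical.

```python
import io
import zipfile

# Package folders where OOXML files (.docx/.pptx/.xlsx) keep embedded objects.
EMBED_DIRS = ("word/embeddings/", "ppt/embeddings/", "xl/embeddings/")


def find_embedded_parts(doc_bytes):
    """Return [(part_name, size, worksheet_parts)] for every embedded object."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
        for info in pkg.infolist():
            if info.is_dir() or not info.filename.startswith(EMBED_DIRS):
                continue
            payload = pkg.read(info)
            sheets = []
            # An embedded workbook is itself a ZIP package; list its worksheets.
            # Legacy OLE objects (.bin) are not ZIPs but are still reported.
            if zipfile.is_zipfile(io.BytesIO(payload)):
                with zipfile.ZipFile(io.BytesIO(payload)) as inner:
                    sheets = sorted(
                        n for n in inner.namelist()
                        if n.startswith("xl/worksheets/") and n.endswith(".xml"))
            findings.append((info.filename, info.file_size, sheets))
    return findings


def safe_to_publish(doc_bytes):
    """Hypothetical gate: block any file that carries an embedded object."""
    return not find_embedded_parts(doc_bytes)


def build_sample_docx(with_embedded_workbook):
    """Constructed sample: a skeletal .docx-shaped ZIP, not a valid Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/charts/chart1.xml", "<c:chartSpace/>")
        if with_embedded_workbook:
            wb = io.BytesIO()
            with zipfile.ZipFile(wb, "w") as inner:
                inner.writestr("xl/workbook.xml", "<workbook/>")
                inner.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
            pkg.writestr("word/embeddings/Microsoft_Excel_Sheet1.xlsx", wb.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for part, size, sheets in find_embedded_parts(build_sample_docx(True)):
        print(f"BLOCK: {part} ({size} bytes), worksheets: {sheets}")
```

A chart pasted as a picture leaves nothing under the embeddings folder, which is why the check passes for that case and fails for a chart that still carries its workbook.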

During the 2014 G20 summit in Brisbane, the passport numbers, visa details, and dates of birth of leaders attending -- including those of former United States President Barack Obama and Russian President Vladimir Putin -- were also accidentally emailed to a member of the Asian Cup Local Organising Committee.

Two reports into the 2016 Census debacle since then have also called the government out on its IT incompetence, after the eCensus application fell over during a series of distributed denial-of-service (DDoS) attacks last year that put Australians' personal details at risk.

In an effort to legislate around informing Australians of when their privacy has been breached, the federal government finally passed data breach notification laws during its third attempt in February.

Under the Privacy Amendment (Notifiable Data Breaches) Act, people will in the near future begin to be alerted when their data has been inappropriately accessed.

The legislation is restricted to incidents involving personal information, credit card information, credit eligibility, and tax file number information that would put individuals at "real risk of serious harm".

Notification laws would only apply to companies covered by the Privacy Act, and would exempt intelligence agencies, small businesses with turnover of less than AU$3 million annually, and political parties from needing to disclose breaches. E-health providers are still subject to the mandatory data breach notification scheme under the My Health Records Act.

Upon a qualifying breach or on reasonable grounds to believe that a serious data breach has occurred, the impacted entity would need to notify the Australian Information Commissioner and affected individuals. In cases where it is not certain a breach has occurred, the entity has 30 days to investigate whether notification is needed.

Updated at 3.30pm AEST, April 12, 2017: Added detail about cached versions

With AAP