The Australian information commissioner and privacy commissioner has ordered the Department of Home Affairs to pay compensation to 1,297 asylum seekers after the department accidentally published detainees’ personal information in 2014.
Commissioner Angelene Falk on Wednesday said an investigation had found the department had “interfered with the privacy” of more than 9,000 asylum seekers in immigration detention when it published a detention report on its website in February 2014.
An embedded spreadsheet within the report contained the personal information of 9,258 individuals who were in detention at that time, according to Falk’s determination. This included their full names, gender, citizenship, birth date, period of detention, location, boat arrival details, and reasons why the individual was considered an unlawful non-citizen.
The information was on the then Department of Immigration and Border Protection’s website for eight days, until a journalist notified the department of the error. In a statement in 2014, the department said it “deeply regrets inadvertently allowing unauthorised access to personal information”.
Nearly seven years after opening an investigation into a complaint about the incident made by an individual — who has since died — the Office of the Australian Information Commissioner has set out a process for 1,297 people who suffered loss or damage as a result of the data breach to be paid compensation.
Falk said compensation ranging from $500 to more than $20,000 would be paid on a case-by-case basis, and would be assessed using five categories of loss or damage, depending on the severity of the impact.
“This matter is the first representative action where we have found compensation for non-economic loss payable to individuals affected by a data breach,” Falk said.
“It recognises that a loss of privacy or disclosure of personal information may impact individuals and depending on the circumstances, cause loss or damage.”
Home Affairs will be responsible for deciding the amount of compensation for each person based on their evidence of loss or damage. They will then need to seek agreement on the amount with each asylum seeker or their legal representative, and reassess the compensation where there are disagreements. Falk said an “expert” would take over the assessment process where agreements cannot be made.
The compensation process is expected to be concluded within 12 months, at which point Falk will declare the amount of compensation payable for any claims that remain unresolved.
The commissioner said information about the determination would be published in 21 languages to ensure the affected asylum seekers are informed of the process for assessing and finalising their claims.
Falk’s ruling will likely result in the largest compensation figure ever to be determined for a privacy claim in Australia, according to Slater and Gordon senior associate Dr Ebony Birchall.
“It is an important reflection of the fact that privacy breaches are not trivial or consequence-free mistakes, and that increasingly, individuals who suffer loss as a result of a breach should expect to be able to obtain redress,” she said.
“Organisations holding personal or sensitive data need to take their obligations seriously, and the presence of meaningful consequences and compensation rights following breaches is a significant development.”
Slater and Gordon, the Refugee Advice and Casework Service, and other partners have been pursuing the incident over the past three years.