Internal correspondence between staff working at the centre obtained by SBS outlines claims of multiple data breaches at the centre over a period of months from April 2014, when external hard drives containing the personal details of asylum seekers were allegedly stolen.
SBS cannot verify the authenticity of the documents, but can confirm that the allegations raised in them are being investigated by Save the Children, the organisation responsible for the stored data.
The external hard drives were reportedly kept in an unlockable office, which could be accessed by any member of staff within the Nauru centre.
A staff member working at the centre claims that a number of hard drives were stolen in separate incidents, one reported only a week after an earlier theft.
The highly sensitive information could put asylum seekers in significant danger, according to lawyer David Manne.
“The real fear is that this information could fall into hands of potential persecutors – regimes or people they have fled from in fear for their lives,” he said.
“The real fear is that this information could fall into hands of potential persecutors."
“This is even more serious than an ordinary breach of privacy. With asylum seekers, the distinct issue is that disclosure of identity to a third party could result in a heightened risk of persecution."
A source from within the centre told SBS that the data contained on the hard drives included information on asylum claims as well as reports of torture and trauma from hundreds of asylum seekers.
“It would affect every single individual in the family camp,” the source said.
The source said the hard drives – one of which had a post-it note attached reading “Do Not Steal” – also included information on complaints and investigations involving providers within the camp.
“If a child had complained against a security guard for instance, it would have been in there,” the source said.
One of the hard drives had a post-it note attached reading “Do Not Steal”
The revelation follows allegations of sexual, physical and verbal assaults of asylum seeker children by Nauru detention centre staff, detailed as part of submissions to an Australian Human Rights Commission inquiry.
SBS understands the asylum seekers allegedly affected by the breach have not been informed.
The source told SBS that they had serious concerns regarding the security of data within the centre.
The source said that as of May 2014, hard drives containing personal data were not password protected and people had “unfettered access” to the information due to lack of security measures in place when Save the Children first took over management of the family camp.
“In the room, there was no lock on the door,” the source said.
“There were no locking filing cabinets – there were no filing cabinets at all. Clients’ files were kept on a desk… [Paper files] were just strewn on tables.”
The source acknowledged that some improvements to security had been made in recent weeks.
NGO investigating the claims
SBS put questions to Save the Children regarding the claims, but has not yet received answers.
In a statement, a Save the Children spokesman said a “thorough investigation into this very serious matter” was being conducted.
“Once we have completed our investigation our findings will be shared with the Department [of Immigration] and should it be determined that we need to implement recommendations we will do so,” it read.
SBS also put questions regarding the allegations to the Immigration Minister Scott Morrison.
In a statement, a spokesman for the Minister for Immigration and Border Protection said Mr Morrison had been advised of the investigation into the claims.
“The Minister will not pre-empt those investigations,” it read.
“It is the Minister’s and department’s expectation that service providers take care to keep personal information relating to detainees and transferees secure.”
‘More serious than an ordinary security breach’
Executive director of the Refugee and Immigration Legal Centre David Manne said if the claims were true, the highly sensitive information held about asylum seekers could potentially end up in the hands of regimes they were escaping.
"It’s a well-established principle under refugee law that unauthorised disclosure of someone’s personal identity details when they’re seeking asylum could place them at a heightened risk of danger," he said.
Mr Manne said it was a fundamental principle of refugee law that a person seeking asylum should be free to make their claim free of disclosure of their identity to the authorities in their home country.
He said the alleged breach could have serious implications for the claims of any asylum seekers affected.
“It may be that it could create additional fears for people of being persecuted, if the evidence indicates that there’s a real likelihood that the information has been has been disclosed to third parties,” he said.
“It’s crystal clear that identification of a person seeking protection can result in them being granted protection on that basis itself."
Security breach in February
The alleged breach follows an incident in February when the Department of Immigration and Border Protection inadvertently published a file containing the personal data of about 10,000 asylum seekers in detention.
The highly sensitive information was available to download for more than a week before the Department removed it.
Mr Manne said that breach represented “one of the most grave and dangerous breaches of privacy in Australian history”.
He said the Department of Immigration was writing to affected asylum seekers, giving them an opportunity to comment on any concerns or fears that they may have resulting from the data breach.
“Fears of danger arising from the data breach could also constitute independent grounds for being granted protection,” he said.
An updated response was requested from the Department of Immigration, but no response was received by time of publishing.