The Department of Immigration and Border Protection has been found in breach of the Privacy Act after accidentally publishing the personal details of almost 10,000 asylum seekers in detention on its website in February.
The highly sensitive information was available to download for eight and a half days before it was removed, prompting legal claims from detainees.
Privacy Commissioner Timothy Pilgrim released findings of an investigation into the breach on Wednesday, stating that the Department had unlawfully disclosed personal information.
Mr Pilgrim said the information disclosed in the breach included full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons why the individual was deemed to be ‘unlawful’.
“This incident was particularly concerning due to the vulnerability of the people involved,” Mr Pilgrim said.
“This breach may have been avoided if [the Department of Immigration and Border Protection] had implemented processes to de-identify data in situations where the full data set was not needed.”
Mr Pilgrim said the report was accessed a number of times, as well as republished by an automated archiving service.
He said his office was still receiving privacy complaints from individuals affected by the breach, with more than 1600 privacy complaints received to date.
The February breach was followed by claims of multiple data breaches over a period of months from April 2014, when external hard drives containing the personal details of asylum seekers were allegedly stolen from the Nauru Immigration Detention Centre.
Internal correspondence between staff working at the centre obtained by SBS outlined that the external hard drives were reportedly kept in an unlockable office, which could be accessed by any member of staff within the Nauru centre.
