This investigation found that the Department of Immigration and Border Protection breached the Privacy Act 1988 by failing to adequately protect the personal information of approximately 9,250 asylum seekers.
On 21 February 2014, the Australian Information Commissioner opened an own motion investigation into the Department of Immigration and Border Protection (DIBP) following a media report that a database containing the personal information of approximately 10,000 asylum seekers was available on DIBP’s website. DIBP confirmed this was the case.
The investigation, led by the Australian Privacy Commissioner (the Commissioner), on behalf of the Office of the Australian Information Commissioner (OAIC), focused on whether DIBP had reasonable security safeguards in place to protect the asylum seekers’ information, and whether DIBP had disclosed the information in accordance with the Privacy Act 1988 (Cth) (Privacy Act).
After considering the facts of the case, submissions from DIBP, and the relevant provisions of the Privacy Act, the Commissioner came to the view that DIBP had breached the Privacy Act by failing to put in place reasonable security safeguards to protect the personal information it held against loss, unauthorised access, use, modification or disclosure and against other misuse. The Commissioner also found that DIBP had unlawfully disclosed personal information.