Last updated: 12 March 2024

Update: Notice to class members about the Administrative Appeals Tribunal’s (AAT) decision in HYYL and Privacy Commissioner [2023] AATA 2961, which was handed down on 13 September 2023.

Following the Tribunal’s decision in HYYL and Privacy Commissioner [2023] AATA 2961 on 13 September 2023, Norton Rose Fulbright Australia (NRFA) has been appointed as the independent scheme administrator to assess loss or damage suffered by individuals affected by the breach and provide payment of compensation to those individuals who have suffered loss or damage by reason of the data breach. As the OAIC will not be assessing the compensation claims of class members, all enquiries should be directed to NRFA by emailing auscas@nortonrosefulbright.com or calling +61 2 9330 8006. A link to the notice can be found below.

Further information on the Immigration Data Breach Privacy Complaint.

Read the Notice sent to class members in relation to the AAT Compensation Assessment Scheme to be administered by NRFA.

Read the Tribunal’s decision.

Read the Determination.

Background

On 10 February 2014, the Department of Immigration and Border Protection (now the Department of Home Affairs) (Department) published, in error, a detention report on its website that contained embedded personal information (Data Breach). The report contained the personal information of all 9,258 persons who were in immigration detention on 31 January 2014.

On 30 August 2015, a representative complaint was made to the Office of the Australian Information Commissioner (OAIC) on behalf of all persons whose information was published by the Department in error (Class Members). The complainant requested the Department provide an apology and compensation.

On 9 February 2018, the original representative complainant’s solicitor advised the OAIC that their client had passed away. On 10 October 2018, the Commissioner made a decision to replace the original representative complainant with another Class Member pursuant to s 38B(1) of the Privacy Act 1988 (Cth) (Privacy Act).

On 24 January 2018, the Commissioner gave notice that if Class Members believed they had suffered loss or damage because of the Data Breach and wanted the opportunity to potentially recover compensation for that loss or damage, they needed to provide information about their loss or damage to the OAIC by 19 April 2018. The due date for responding to the Commissioner was extended to 19 October 2018, although the OAIC granted further extensions on the due date to some Class Members and submissions were finalised on 22 April 2019.

On 11 January 2021, the Commissioner issued a determination under s 52 of the Privacy Act (the Determination). The Determination found that:

  • as a result of the Data Breach, the Department had engaged in conduct that interfered with the privacy of an individual; and
  • Class Members who made submissions and/or provided evidence of loss or damage in response to the Commissioner’s request for information are to be paid compensation in the manner determined by the Commissioner.

On 24 February 2021, a Class Member filed an application with the AAT seeking a review of the Determination on behalf of all persons whose interests were affected by the Determination.

On 13 September 2023, the AAT handed down its decision in HYYL and Privacy Commissioner [2023] AATA 2961. In its decision, the AAT ordered that a Compensation Assessment Scheme be established with the purpose of assessing compensation claims. The AAT ordered that the Compensation Assessment Scheme be administered by a ‘scheme administrator’ that is an independent law firm appointed by the Department of Finance.

NRFA has been appointed as the independent scheme administrator to assess loss or damage suffered by individuals affected by the breach and provide payment of compensation to those individuals who have suffered loss or damage by reason of the data breach.

Further information

If you have any general enquiries about this matter, you may contact the OAIC Enquiries Line on telephone 1300 363 992 (between 10am–4pm Australian Eastern Standard Time), or by email to repcomplaint@oaic.gov.au.

However, please note that as the OAIC will not be assessing the compensation claims of Class Members, all enquiries about the compensation scheme should be directed to NRFA by emailing auscas@nortonrosefulbright.com or calling +61 2 9330 8006.

Assistance in languages other than English

If you require further assistance about this matter in a language other than English, please call the Translating and Interpreting Service on 131 450 then ask for 1300 363 992.

Note: These calls can be made for a local call cost from fixed residential landlines anywhere in Australia, but calls from mobile and pay phones may incur higher charges.

As outlined above, on 24 January 2018, the Commissioner published a notice requesting information from individuals who believed they had suffered loss or damage because of the Data Breach. Submissions were finalised on 22 April 2019 and the Commissioner issued the Determination on 11 January 2021.

Historical links

As outlined above, on 24 January 2018, the Commissioner published a notice requesting information from individuals who believed they had suffered loss or damage because of the Data Breach. Submissions were finalised on 22 April 2019 and the Commissioner issued the Determination on 11 January 2021.

Below are the translations of the OAIC’s historical notice from 2018 (and please note that this is different to the Notice issued by NRFA in relation to the AAT Compensation Assessment Scheme):