Publication date: 1 November 2014

Overview

On 21 February 2014, the Australian Information Commissioner opened an own motion investigation into the Department of Immigration and Border Protection (DIBP) following a media report that a database containing the personal information of approximately 10,000 asylum seekers was available on DIBP’s website. DIBP confirmed this was the case.

The investigation, led by the Australian Privacy Commissioner (the Commissioner), on behalf of the Office of the Australian Information Commissioner (OAIC), focused on whether DIBP had reasonable security safeguards in place to protect the asylum seekers’ information, and whether DIBP had disclosed the information in accordance with the Privacy Act 1988 (Cth).[1]

After considering the facts of the case, submissions from DIBP, and the relevant provisions of the Privacy Act, the Commissioner came to the view that DIBP had breached the Privacy Act by failing to put in place reasonable security safeguards to protect the personal information it held against loss, unauthorised access, use, modification or disclosure and against other misuse. The Commissioner also found that DIBP had unlawfully disclosed personal information.

Background

On 19 February 2014, the OAIC received information that a database containing the personal information of ‘almost 10,000’ asylum seekers was available on DIBP’s website (the data breach).

Each month, DIBP publishes a document titled Immigration Detention and Community Statistics Summary on its website (www.immi.gov.au). The document includes statistics about asylum seekers. For accessibility reasons, DIBP publishes the document in Adobe PDF and Microsoft Word versions.

On 10 February 2014, DIBP published the Microsoft Word version of the January 2013 issue of the Immigration Detention and Community Statistics Summary, dated 31 January 2014 (the Detention report).

In preparing the Microsoft Word version of the Detention report for web publication, DIBP embedded the Microsoft Excel spreadsheet that had been used to generate the statistics used in the Detention report. The spreadsheet included the personal information of approximately 9,250 asylum seekers (the listed individuals) and was accessible through the Detention report.[2]

DIBP was notified about the breach by the Guardian Australia at 9.15am on 19 February 2014. DIBP removed the Detention report from its website by 10.00am on that date. The Detention report was available on DIBP’s website for about eight and a half days.

DIBP also identified that the Detention report was available on The Internet Archive (Archive.org)[3] from 11 February 2014. DIBP wrote to Archive.org on 24 February, seeking removal of the report. Archive.org complied with this request on 27 February. The Detention report was available on Archive.org for about 16 days.

The categories of personal information compromised in the data breach consisted of:

  1. full names
  2. gender
  3. citizenship
  4. date of birth
  5. period of immigration detention
  6. location
  7. boat arrival details
  8. reasons why the individual was deemed to be unlawful.

The Commissioner was particularly concerned about this information being publicly available due to the vulnerability of the listed individuals.

Relevant provisions of the Privacy Act

Until 11 March 2014, agencies covered by the Privacy Act were required to comply with 11 Information Privacy Principles (IPPs), contained in Division 2 of Part III of the Privacy Act. The IPPs were replaced by the Australian Privacy Principles (APPs) on 12 March 2014. DIBP was subject to the IPPs at the time of the data breach (February 2014).

The IPPs applied to the handling of ‘personal information’, which the Privacy Act defined as:

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

The Privacy Act provisions relevant to this data breach are: IPP 4 (storage and security of personal information) and IPP 11 (limits on the disclosure of personal information).

In particular:

  • IPP 4(a) — an agency must ensure that records containing personal information are protected by such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure or other misuse.
  • IPP 11.1 — an agency must not disclose personal information about an individual unless a listed exception applies.

Findings

Security of personal information (IPP 4(a))

To assess whether DIBP had reasonable security safeguards in place, in accordance with IPP 4(a), the Commissioner considered information from DIBP and the report on the data breach by KPMG (the KPMG report)[4] about the security safeguards in place prior to the data breach, and what security safeguards would have been reasonable in the circumstances to protect the personal information held. This included considering DIBP’s particular circumstances, such as:

  • the sensitivity of the personal information held
  • the risk to the individuals concerned if the personal information is not secure
  • its information handling practices
  • the ease with which a security measure can be implemented.

The Commissioner also had regard to the guidance set out in the OAIC’s Guide to information security.[5]

Where there is a known risk to data security, IPP 4 would generally have required that reasonable steps be taken to mitigate that risk.

The Commissioner found that the data breach was caused by the failure of a number of Departmental policy documents to adequately mitigate against the known risk of embedded data. This included the failure of DIBP to make Departmental staff aware of the risk of embedded data. These failures led to the errors by Departmental staff who created and cleared the Detention report.

Further, this data breach may also have been avoided if DIBP had processes in place to de-identify data where particular areas of the agency do not require access to the full data set.

Publication policies

DIBP had a number of policies in place to provide guidance to staff for each stage in the process of creating, reviewing and publishing the Detention report. A number of instructions in these policy documents indicate that DIBP was aware of the risk of personal information being embedded in its publications.

Creating the Detention report

While creating the Detention report, Departmental staff copied charts and tables directly from the Microsoft Excel spreadsheet, resulting in the underlying data being embedded in the Microsoft Word version of the Detention report. This was contrary to the relevant Departmental policy, which stated that graphs should be copied and pasted as pictures into Microsoft Word documents.

The Commissioner found that had staff correctly followed DIBP’s policy when creating the Detention report, DIBP would likely have avoided the data breach.

However, the Commissioner also found that the relevant Department policy did not provide sufficient information about why this instruction to copy and paste graphs as pictures was necessary, or sufficient instruction on how to carry it out. If DIBP had explained the reason for this direction, staff may have better understood the risks of embedded data and why this instruction was necessary.

Similarly, the Commissioner found that had DIBP appropriately trained Departmental staff involved in the creation of the Detention report to understand the risks of embedded data and how those risks could arise, and in how to copy and paste graphs as pictures, the staff may have avoided making the error.

The Commissioner was of the view that, to improve the likelihood of compliance with an instruction, staff should understand both why they need to comply and how to comply.

Reviewing the Detention report

Departmental policies specified that the Detention report should be cleared by seven reviewers in hard copy. Quality assurance reviews focused on writing style, grammar, spelling and the accuracy of the data in the Detention report. The policies did not require reviewers or publishers to check for data that had been inadvertently embedded, even though the Commissioner was satisfied this risk was known to DIBP.

Further, the majority of reviewers and the publisher of the document were unaware that it was possible to embed Microsoft Excel data in a Microsoft Word document. As a result, the digital copy of the Detention report was not checked for this risk.

The Commissioner took the view that, in order for a policy to be effective in mitigating a risk, that policy must not only identify a risk but include processes and procedures to mitigate that risk. DIBP’s policies reflected that DIBP was aware of the risks of embedded data, however the clearance processes set out in the policies did not include steps to mitigate that risk. Had the policies included steps in the clearance process for checking that data had not been embedded in the Detention report, the issue may have been detected prior to publication of the report.

Further, the likelihood of the issue being detected by the document reviewers would have been increased if Departmental staff had a better understanding of the risks of embedded personal information, as well as knowledge about how and where to look for such embedded data.

Publishing the Detention report

The relevant Departmental policies required publishers to check that no personal information of staff or clients is included in the document prior to publication, and to remove ‘hidden’ data and personal information before uploading documents to the web. However, the examples of personal information that are provided in the policies primarily refer to the personal information of staff. The policies did not provide information about how to identify and remove embedded objects.

Had DIBP’s policies included more detail on how to check for unobvious sources of personal information, including embedded data, this, together with appropriate training, may have assisted Departmental staff to understand how to detect the embedded data in the Detention report prior to publication.
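The pre-publication check that the Commissioner found missing from DIBP’s policies can be automated. The following is an added example, not code from the report, from DIBP or from KPMG. It relies on the fact that a .docx file is a zip container in the OOXML format: a chart pasted as a picture lands under word/media/, whereas a chart pasted from Excel as a live object leaves a part under word/charts/ and, typically, the source workbook under word/embeddings/, linked by an OOXML ‘package’ or ‘oleObject’ relationship. The two sample documents are constructed in memory for illustration; the part names and relationship type URIs are standard OOXML, but the sample contents are placeholders, not the Detention report.

```python
import io
import re
import zipfile

REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Relationship types that pull another file's content into the document.
# "package" links an embedded OOXML workbook (e.g. behind a pasted Excel chart);
# "oleObject" covers binary OLE embeddings. Both are standard OOXML type URIs.
RISKY_REL_TYPES = {f"{REL_NS}/oleObject", f"{REL_NS}/package"}


def find_embedded_data(docx_bytes: bytes) -> list:
    """Return sorted findings describing source data carried inside a .docx.

    An empty list means only rendered content (text, pictures under
    word/media/) was found, which is what a publishable document should show.
    """
    findings = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/embeddings/"):
                findings.add(f"embedded part: {name}")
            elif name.startswith("word/charts/") and name.endswith(".xml"):
                # Native charts keep a cache of the plotted values even without
                # an embedded workbook, so they are flagged in their own right.
                findings.add(f"native chart (carries cached data): {name}")
            if name.endswith(".rels"):
                rels_xml = zf.read(name).decode("utf-8", "replace")
                for tag in re.findall(r"<Relationship\b[^>]*>", rels_xml):
                    rel_type = re.search(r'Type="([^"]+)"', tag)
                    target = re.search(r'Target="([^"]+)"', tag)
                    if rel_type and rel_type.group(1) in RISKY_REL_TYPES:
                        kind = rel_type.group(1).rsplit("/", 1)[1]
                        where = target.group(1) if target else "?"
                        findings.add(f"{name}: {kind} -> {where}")
    return sorted(findings)


def build_sample_docx(chart_pasted_as_picture: bool) -> bytes:
    """Construct a minimal .docx in memory (a constructed fixture, not a real file).

    True: the chart is a PNG under word/media/, as DIBP's policy required.
    False: a native Word chart whose source workbook travels inside the
    document, the pattern that caused the breach described above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if chart_pasted_as_picture:
            zf.writestr(
                "word/_rels/document.xml.rels",
                f'<Relationships><Relationship Id="rId1" Type="{REL_NS}/image" '
                'Target="media/image1.png"/></Relationships>',
            )
            zf.writestr("word/media/image1.png", b"\x89PNG placeholder bytes")
        else:
            zf.writestr(
                "word/_rels/document.xml.rels",
                f'<Relationships><Relationship Id="rId1" Type="{REL_NS}/chart" '
                'Target="charts/chart1.xml"/></Relationships>',
            )
            zf.writestr(
                "word/charts/chart1.xml",
                '<c:chartSpace><c:externalData r:id="rId1"/></c:chartSpace>',
            )
            zf.writestr(
                "word/charts/_rels/chart1.xml.rels",
                f'<Relationships><Relationship Id="rId1" Type="{REL_NS}/package" '
                'Target="../embeddings/Microsoft_Excel_Worksheet1.xlsx"/></Relationships>',
            )
            zf.writestr(
                "word/embeddings/Microsoft_Excel_Worksheet1.xlsx",
                b"PK placeholder: a real file would be the whole source workbook",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("chart pasted as picture", build_sample_docx(True)),
                       ("chart pasted from Excel", build_sample_docx(False))):
        problems = find_embedded_data(doc)
        print(f"{label}: {'CLEAR' if not problems else 'BLOCK publication'}")
        for p in problems:
            print("  -", p)
```

Run as a gate in the publishing step: any finding blocks upload until the object is replaced by a picture. The same container inspection applies to the PDF version only indirectly; a PDF exported from a clean Word file has nothing to embed, which is one more reason to clean the Word source first.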

De-identification of information

Given the sensitivity of the data in question and the number of people involved in compiling, clearance and publication of the Detention report, the Commissioner found that a reasonable security safeguard in this situation would be to de-identify the information at an early stage in the process of compiling the Detention report.

Such a process would have removed the possibility of the identifying data inadvertently being disclosed at a later stage, and would have limited access to the personal information only to those employees that required access to enable DIBP to carry out the functions and activities for which the information is held.
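The de-identification safeguard described above amounts to data minimisation at the point where the statistics are produced: the report needs counts by gender, citizenship, location and length of detention, not the names, dates of birth or arrival details of the listed individuals. The following is an added example, not DIBP’s process or code from the report; the field names and the four sample records are constructed, and the treatment of date of birth as a ten-year age band is an assumed design choice rather than something the page describes.

```python
from collections import Counter
from datetime import date

# Fields the report compilers actually need (constructed list).
REPORT_FIELDS = ("gender", "citizenship", "location", "detention_days")
# Direct identifiers that stay with the custodial team and never reach
# the compilation, clearance or publication stages.
IDENTIFYING_FIELDS = ("full_name", "date_of_birth", "boat_arrival", "unlawful_reason")

# Constructed sample records; placeholders, not real people.
SAMPLE_RECORDS = [
    {"full_name": "Person A", "gender": "M", "citizenship": "Stateless",
     "date_of_birth": date(1985, 5, 2), "location": "Facility 1",
     "detention_days": 120, "boat_arrival": "vessel-1", "unlawful_reason": "R1"},
    {"full_name": "Person B", "gender": "F", "citizenship": "Country X",
     "date_of_birth": date(1970, 12, 25), "location": "Facility 2",
     "detention_days": 400, "boat_arrival": "vessel-2", "unlawful_reason": "R2"},
    {"full_name": "Person C", "gender": "M", "citizenship": "Country X",
     "date_of_birth": date(2000, 2, 1), "location": "Facility 1",
     "detention_days": 30, "boat_arrival": "vessel-1", "unlawful_reason": "R1"},
    {"full_name": "Person D", "gender": "F", "citizenship": "Country Y",
     "date_of_birth": date(1990, 1, 31), "location": "Facility 2",
     "detention_days": 210, "boat_arrival": "vessel-3", "unlawful_reason": "R3"},
]


def age_band(dob: date, as_at: date) -> str:
    """Coarsen an exact date of birth into a ten-year band as at a given date."""
    age = as_at.year - dob.year - ((as_at.month, as_at.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def sanitise(records, as_at: date) -> list:
    """Return new records holding only REPORT_FIELDS plus a coarsened age band.

    Uses a whitelist rather than deleting known identifiers, so a column added
    to the source later does not silently flow through.
    """
    cleaned = []
    for rec in records:
        clean = {k: rec[k] for k in REPORT_FIELDS}
        clean["age_band"] = age_band(rec["date_of_birth"], as_at)
        cleaned.append(clean)
    return cleaned


def assert_no_identifiers(records) -> bool:
    """Guard to run before a dataset is handed to the report team."""
    leaked = sorted({f for rec in records for f in rec if f in IDENTIFYING_FIELDS})
    if leaked:
        raise ValueError(f"identifying fields present: {leaked}")
    return True


def summarise(records, field: str) -> dict:
    """Count records per value of one field, in sorted order of the value."""
    return dict(sorted(Counter(r[field] for r in records).items()))


if __name__ == "__main__":
    report_input = sanitise(SAMPLE_RECORDS, as_at=date(2014, 1, 31))
    assert_no_identifiers(report_input)
    for field in ("location", "citizenship", "age_band"):
        print(field, summarise(report_input, field))
```

The summaries are computed from the sanitised set, so the charts and tables that end up in a report can never carry the identifying columns, whatever is later pasted into a document. Small counts in a published table can still single people out; a suppression threshold for cells below a minimum count is the usual further step and is not shown here.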

IPP 4(a) conclusion — whether DIBP had reasonable security safeguards in place to protect the personal information it held

The Commissioner found that DIBP had a number of procedures and policies in place at the time of the breach for the compilation, clearance and publication of its reports.

The Commissioner found that aspects of DIBP’s policies implied that it was aware of the risk of embedded personal information. However, there was a lack of detail in the policies. There was also a lack of understanding amongst staff about how to undertake the procedures outlined in the policies, and the importance of following them correctly in order to safeguard the personal information held by DIBP.

The Commissioner concluded that these deficiencies in DIBP’s policies, procedures and training failed to adequately mitigate against the risk of a data breach. In order for policies and procedures to constitute a reasonable security safeguard, those policies and processes must adequately address known risks.

Further, to satisfy the requirements of IPP 4(a), reasonable security procedures must be implemented, and an agency must take steps to ensure that staff understand how to, and are practically able to, adhere to the procedures. This includes ensuring that:

  • staff are able to understand an agency’s policies and procedures
  • the policies provide sufficient information to enable staff to follow them
  • training is provided in relation to the policy.

Policies that are not understood by staff are unlikely to be adhered to, and are therefore unlikely to be a reasonable security safeguard.

Therefore, the Commissioner found that DIBP contravened IPP 4(a) by failing to put in place reasonable security safeguards to protect the personal information it held against loss, unauthorised access, use, modification or disclosure and against other misuse.

Disclosure of personal information (IPP 11)

As part of the investigation, the Commissioner considered whether there had been a breach of IPP 11. IPP 11 regulated the disclosure of personal information and states that an agency shall not disclose personal information to a person, body or agency unless an exception applies.

In general terms, an agency ‘discloses’ personal information when it makes the information accessible to others outside the agency and releases the subsequent handling of the personal information from its effective control. The release may be an accidental release or an unauthorised release by an employee.

The Commissioner found that DIBP ‘disclosed’ the compromised information within the meaning of IPP 11, as it made the personal information accessible to the general public by publishing it on its website.

Exceptions to the prohibition on disclosure in IPP 11 included where:

  • the individual concerned is reasonably likely to have been aware that information of that kind is usually passed to that person, body or agency
  • the individual concerned has consented to the disclosure
  • the disclosure is required or authorised by law.

The Commissioner did not receive any information to suggest that any of the exceptions in IPP 11 applied to the data breach incident. DIBP acknowledged that the personal information embedded in the Detention report should not have been publicly available.

Accordingly, the Commissioner found that the publication of the personal information of the listed individuals was an unauthorised disclosure and therefore a breach of IPP 11.

Rectification

The Commissioner considered the information that DIBP provided about the steps that it took to respond to and contain the data breach, and to mitigate against future data breaches of this nature.

DIBP advised that, once it became aware of the data breach, it took the following steps to contain the data breach:

  • Removed the Detention report from its website. The report was available on DIBP’s website for about eight and a half days.
  • Undertook a search engine analysis to confirm that the report was no longer available through public search engines, and checked DIBP’s website to ensure that all source information containing personal information was removed.
  • Conducted a detailed examination of information obtained through DIBP’s website about the number of times the Detention report was accessed and the location of the IP addresses that attempted to retrieve the file.[6]
  • Obtained assurances from the journalists that had discovered the data breach that the information had not been, and would not be, disseminated further.
  • Wrote to Archive.org to seek the removal of the Detention report. The report was available on Archive.org for about 16 days.

In addition to taking steps to contain the data breach, DIBP took the following steps to respond to the data breach:

  • Engaged an external consultant (KPMG) to undertake a review of the data breach, including to identify departmental vulnerabilities, policies or management practices that contributed to the data breach, and provide recommendations to prevent recurrence.
  • Undertook an internal risk assessment to assess the risk of harm to the listed individuals.
  • Commenced a process of notifying the listed individuals.

DIBP advised that it has taken a number of steps to mitigate against future data breaches of this nature, including the following:

  • Removed personal information from the underlying datasets prior to the immigration detention and community statistics reports being prepared. It also intended to implement the approach of analysing and reporting on ‘sanitised’ datasets that have personal information automatically removed.
  • Reviewed all processes relating to the creation, review and publication of online content. DIBP notes that it intends to regularly update these processes. These materials will be available to all staff on DIBP’s intranet.
  • Rolled out face-to-face staff training and an awareness campaign, to highlight the changes to the Privacy Act. Privacy e-learning training material is also being developed. It also intended to develop a new security training program and strengthen its existing mandatory security e-learning package, both focusing on issues such as the handling of private or sensitive data and associated risks.
  • Conducted a research and evaluation forum for staff involved in research activities to cover specific privacy issues around client data handling.

The Minister for Immigration and Border Protection has announced that from 1 July 2015, the functions of DIBP and the Australian Customs and Border Protection Service will be integrated into a new department. DIBP advised that this process will include changes to its information management practices, which will be ‘managed as a discrete function separate to the ICT implementation function’. DIBP has further advised that ‘this organisational design feature’ will ‘create an internal checking mechanism to ensure that information and ICT practices occur in a way that is consistent with departmental and ICT policies and will… enhance the department’s performance with respect to meeting its privacy obligations’.

Recommendations

The Commissioner was satisfied that the measures that DIBP took in response to the data breach, and the steps that it intends to take, will assist DIBP to:

  • significantly strengthen its privacy framework
  • identify other privacy risks and vulnerabilities
  • establish a privacy protective culture, and
  • meet its obligations under the Privacy Act and the APPs.

The Commissioner noted that it is essential that DIBP put in place measures to ensure that its revised policies are supported with staff training in the new procedures, IT security, privacy and appropriate information handling practices, particularly in a digital context.

The Commissioner also recommended that DIBP continue to monitor internal compliance with these new processes to ensure that they are being followed consistently over time.

The Commissioner requested that DIBP engage a suitably qualified independent auditor to certify that DIBP has implemented the planned remediation steps, including an ongoing program of updates to staff training, and provide to the OAIC the certification and a copy of the independent auditor’s report by 13 February 2015.

In response to the Commissioner’s recommendations, DIBP advised it has done the following:

  • Progressed its work to enhance its information and communications technology and generic privacy training regimes, drawing relevant connections between the two.
  • Formed a high-level working group to provide formal governance for online publishing and updated its online publishing material, with particular emphasis on checking for embedded or hidden data.
  • Engaged KPMG for a second management initiated review of DIBP’s policies, procedures and culture regarding the handling and management of sensitive data, both electronic and hardcopy.

DIBP also advised that it is currently:

  • Working to strengthen its policies and the understanding of staff about physical, IT and communications security and the appropriate handling of personal information.
  • Reviewing its privacy breach notification policy and will emphasise to staff that there is a need for proactive notification of all breaches, particularly those with significant implications for the individuals involved.

DIBP further advised that it intends to engage an independent auditor to certify to the OAIC that DIBP has taken the remediation steps recommended by the Commissioner and in the KPMG report.

Conclusion

The Commissioner found that:

  • DIBP breached IPP 4 by failing to put in place reasonable security safeguards to protect the personal information that it held against loss, unauthorised access, use, modification or disclosure and against other misuse, and
  • the publication of the personal information of the listed individuals was an unauthorised disclosure, in contravention of IPP 11.

This data breach demonstrates the difficulties of effectively containing a breach where information has been published online, and highlights the importance of taking steps to minimise the risk of data breaches occurring, rather than relying on steps to attempt to contain them after they have occurred.

The Commissioner found that DIBP took some steps to contain the data breach and put in place processes to assess and respond to the data breach. However, there are areas where the execution of these processes could have been improved.

The Commissioner expressed concern about the length of time it took DIBP to detect the cached copy of the Detention report on Archive.org and effect its removal.

The personal information involved in this data breach was disclosed in the context of DIBP voluntarily publishing statistical information on its website. Public sector information is a national resource,[7] and the Commissioner encourages agencies to proactively make public sector information publicly available. However, this data breach demonstrates the importance of agencies implementing appropriate information handling practices to facilitate open access to public sector information while also protecting the personal information that they hold.

The Commissioner noted that the OAIC has received a large number of individual complaints about this incident. This investigation focused on the systems failures that led to the breaches of the Privacy Act and the measures to be taken to prevent future breaches rather than the impact on individuals affected by the breach, as this will be dealt with as part of the complaints process. The Commissioner’s finding in this own motion investigation that DIBP breached IPP 4 and IPP 11 will be taken into account when investigating individual complaints.

Based on DIBP’s remediation activities, DIBP’s ongoing implementation of recommendations made by KPMG, and its intention to engage an auditor to confirm its remediation steps, the Commissioner decided to close the investigation.

Acronyms and abbreviations

Commissioner — Australian Privacy Commissioner

DIBP — The Department of Immigration and Border Protection

IPPs — Information Privacy Principles (contained in s 14 of the Privacy Act 1988 (Cth), prior to 12 March 2014)

OAIC — Office of the Australian Information Commissioner

Privacy Act — Privacy Act 1988 (Cth)

Footnotes

[1] See Privacy Act, s 14, Information Privacy Principle 4 and Information Privacy Principle 11.

[2] Media Release by the Hon. Scott Morrison MP, Unacceptable breach of privacy, 19 February 2014 [dead link: www.minister.immi.gov.au/media/sm/2014/sm211907.htm].

[3] The Internet Archive (http://archive.org) is a non-profit organisation that was founded to build an ‘Internet library’ by archiving and preserving materials published on the internet; this is done in part by automated processes, which search for and capture new publications.

[4] Department of Immigration and Border Protection, Management initiated review: Privacy breach – Data management, Abridged report (PDF), 20 May 2014, Department of Immigration and Border Protection website, viewed 10 September 2014, <www.immi.gov.au/pub-res/Documents/reviews/kpmg-data-breach-abridged-report.pdf>.

[5] OAIC, Guide to information security, April 2013, OAIC website <www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-information-security>.

[6] I note that the KPMG report concluded that ‘with very limited exceptions, the [Department] will not be able to track or recover the data’, as DIBP would be unable to use the IP addresses to identify who accessed the document, and, ‘once the data is downloaded, it could then be emailed to anyone or posted anywhere’.

[7] See Freedom of Information Act 1982, s 3(3), Comlaw website <www.comlaw.gov.au/Series/C2004A02562>.