Another day, another data breach. The response to that breach tells us something about privacy law, the media and bureaucracies.
On Wednesday, The Guardian revealed that the Department of Immigration and Border Protection (DIBP) had unintentionally published the personal details of 10,000 people. Those people have variously been characterised as refugees, asylum seekers or “illegals”. They are vulnerable people.
The information included names, gender, age and so forth. It apparently featured in information associated with a periodic statistics report. This was readily available on the department’s website, rather than disseminated on a “need-to-know” basis by email, kept behind a firewall that had been breached by a hacktivist, or buried so deep that even officials have trouble finding it.
The report is one of those documents that appears regularly and is scrutinised by legal scholars, civil society advocates and journalists. That is unsurprising. The culture of secrecy associated with the “stop the boats” rhetoric (for example, immigration minister Scott Morrison’s reluctance to go near a journalist) has fostered both suspicion and a hunt for what information is available.
The report is presumably also read by people engaged in human trafficking and by some of the nastier national security agencies whose activities result in people seeking refuge in Australia. Human rights advocates are rightly expressing concerns that disclosure will endanger asylum seekers and their families.
Other people are speculating that disclosure will strengthen the case made by people for asylum: the department has kicked an own goal. Others will note that refugees, in particular those who haven’t set foot in Australia, have no meaningful remedy under Australian law.
They are unlikely to get one, given that the government is unenthusiastic about the “privacy tort” proposal being examined by the Australian Law Reform Commission.
A bigger picture of privacy breaches
We can look beyond the potential human tragedies to see a broader picture.
One aspect is that unintended disclosure was foreseeable. Government agencies, businesses and NGOs have in the past lost information because they have assumed people won’t find files parked on publicly accessible servers or haven’t purged metadata from spreadsheets that are emailed or published on the web. Some of that information is innocuous, some is not.
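The checks that would have caught the failure modes listed above (a file parked where anyone can fetch it, author metadata left in place, a spreadsheet embedded in a document that was meant to carry only aggregate figures) are cheap to automate before anything is published. The following is an added example, not tooling from the department, KPMG or the article: a pre-publication scanner for Office Open XML files (.docx, .xlsx, .pptx) that reports author metadata, embedded parts and hidden worksheets, and recurses into any package embedded in another. The file layout it relies on (docProps/core.xml, */embeddings/, xl/workbook.xml) is the standard ECMA-376 layout; the sample report it scans is constructed in the code and is not the real document.

```python
"""Pre-publication scan of Office Open XML packages (illustrative example).

Reports author metadata, embedded objects/media and hidden worksheets,
recursing into packages embedded inside other packages. Assumes the
standard ECMA-376 part names; the sample document is constructed below.
"""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_SS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def core_metadata(zf):
    """Author-identifying fields from docProps/core.xml, if the part exists."""
    if "docProps/core.xml" not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read("docProps/core.xml"))
    out = {}
    for tag, key in ((f"{{{NS_DC}}}creator", "creator"),
                     (f"{{{NS_CP}}}lastModifiedBy", "lastModifiedBy")):
        el = root.find(tag)
        if el is not None and el.text:
            out[key] = el.text
    return out


def hidden_sheets(zf):
    """Names of worksheets marked hidden or veryHidden in xl/workbook.xml."""
    if "xl/workbook.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [s.get("name") for s in root.iter(f"{{{NS_SS}}}sheet")
            if s.get("state") in ("hidden", "veryHidden")]


def scan(data, prefix=""):
    """Return a list of findings for one package, recursing into embedded packages."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for key, value in core_metadata(zf).items():
            findings.append(f"{prefix}metadata {key}={value!r}")
        for name in hidden_sheets(zf):
            findings.append(f"{prefix}hidden sheet {name!r}")
        for name in zf.namelist():
            if re.search(r"/(embeddings|media)/", name):
                findings.append(f"{prefix}embedded part {name}")
                blob = zf.read(name)
                if blob.startswith(b"PK\x03\x04"):  # nested zip: another OOXML package
                    findings.extend(scan(blob, prefix=f"{name} -> "))
    return findings


def safe_to_publish(data):
    """A file is cleared only when the scan finds nothing to review."""
    return not scan(data)


def build_sample():
    """Constructed sample: a statistics report with a workbook embedded in it.

    The workbook carries a hidden sheet of record-level data behind the
    public summary; this is invented test data, not the real department file.
    """
    wb = io.BytesIO()
    with zipfile.ZipFile(wb, "w") as z:
        z.writestr("xl/workbook.xml",
                   f'<workbook xmlns="{NS_SS}"><sheets>'
                   '<sheet name="Summary" sheetId="1"/>'
                   '<sheet name="Detainees" sheetId="2" state="hidden"/>'
                   '</sheets></workbook>')
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("docProps/core.xml",
                   f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
                   '<dc:creator>stats.officer</dc:creator>'
                   '<cp:lastModifiedBy>j.smith</cp:lastModifiedBy>'
                   '</cp:coreProperties>')
        z.writestr("word/document.xml",
                   "<document>Detention statistics: public summary</document>")
        z.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx", wb.getvalue())
    return doc.getvalue()


if __name__ == "__main__":
    for line in scan(build_sample()):
        print(line)
```

Run against the constructed sample, the scanner reports the two author fields, the embedded workbook, and the hidden "Detainees" sheet inside it, so the file fails the publish check. The decision rule is deliberately strict: anything found is a reason for a human to look, not something to be auto-stripped and released, because the question of whether the embedded data was ever meant to leave the building is exactly what the process failed to ask.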
Presumably audit firm KPMG, now investigating on behalf of the minister, will provide advice to the department. That advice should be shared with other government agencies, taken to heart and enshrined in enforceable standards. Let’s learn from the mistakes.
The incident shouldn’t be an excuse for the department to retreat further into its shell. Secrecy has reinforced the management failures documented by the Palmer inquiry into the costly “loss” of Cornelia Rau within the detention system.
The department is now in the unenviable position that Australian Taxation Office staff chortle that DIBP has replaced their agency as the most hated or despised part of the national public service. The right sort of sunlight would disinfect that reputation.
Disclosure comes at a time when the Office of the Australian Information Commissioner (OAIC) – an unhappy body that is reported to experience 25% annual staff turnover – is busy promoting amendments to the Privacy Act 1988. This is the core national statute dealing with information privacy.
In the past, the OAIC has been very slow to respond to unintended disclosures of information – what specialists characterise as data breaches. There is no mandatory scheme to report to consumers any unintended release of their information; a data breach bill died along with the Gillard government.
Australian and overseas organisations have experienced breaches involving millions of customers. In one egregious example, the OAIC disregarded shaming by privacy advocates until it was prompted to act by the minister. The office’s responses to data breaches have been notably permissive, in contrast to robust investigation and condemnation by the Australian Communications and Media Authority.
What should be done
On Wednesday, the OAIC announced that it would investigate the department’s disclosure. We should hope that its investigation will be vigorous and urgent – no six-month delay, no tolerance of departmental obfuscation or acceptance of “industry practice”.
We should also hope that it will provide the public with a detailed report rather than the traditional indication that an investigation has taken place, the offender has been reproved and nothing more needs to be done. Such reassurance has been unpersuasive in dealing with Telstra, which has had recurrent large-scale breaches.
What of media responsibility? The Guardian report was careful not to specify the particular document. The journalists’ caution wasn’t emulated by Scott Morrison, whose media statement late on Wednesday was more specific. We can assume that some people used that prompt to look at the department’s site (the document has since been deleted) and to search for cached or archived copies (for example, using the “Wayback Machine” provided by the Internet Archive).
We cannot bring the information back. We can make sure the problem doesn’t recur.