Andrew Chalet and Peytee Grusche

Careful what you attach: How an excel document could cost the Department of Home Affairs millions in data breach damages

Andrew Chalet and Peytee Grusche

29 April 2021

Confidentiality and Privacy Data Breach

Earlier this year, the Information and Privacy Commissioner Angelene Falk (Commissioner) made a landmark determination on a data breach by the then Department of Immigration and Border Protection (DIBP) that resulted in the sensitive information of 9,258 asylum seekers being made publicly available.

The million dollar mistake

In February 2014, as was the practice at the time, the DIBP uploaded its monthly “Immigration Detention and Community Statistics Summary” online.  What was not usual practice, however, was to mistakenly embed within it an Excel document that contained highly sensitive information on all individuals being held in mainland detention and on Christmas Island.  This included reasons why those individuals were considered to be unlawful non-citizens by the DIBP.  The information was publicly available for eight days until the DIBP was notified by a journalist about the data breach, and for another eight days after that on an archive website.

Breaches of the Information Privacy Principles found

As the breach occurred in February 2014, the Commissioner examined the Privacy Act 1988 (Cth) in operation at that time, which contained the Information Privacy Principles (IPPs).  The DIBP was obligated to comply with the IPPs at the time of breach. Following amendments to the Privacy Act 1988 (Cth) in March 2014, the IPPs were replaced by the Australian Privacy Principles (APPs).

In examining the breach in relation to the IPPs, the Commissioner determined that DIBP had breached:

  • IPP 11 (most similar to APP 6) in improperly disclosing the personal information of detained individuals on a publicly accessible website; and
  • IPP 4 (most similar to APP 11) in failing to implement reasonable safeguards to protect personal information from loss, unauthorised access, use, modification or disclosure or other misuse.

Pay up: the OAIC’s largest non-economic loss award to date

The Office of the Australian Information Commissioner (OAIC) considered evidence from victims of the data breach, and created a scale of non-economic loss ranging from $500 for “general anxiousness” all the way up to $20,000 for “extreme loss or damage”.   Compensation will be assessed according to this scale on an individual basis by the Department of Home Affairs.

Cumulatively, compensation may be anywhere from $648,500 to almost $26 million, and represents an unprecedented shift from the OAIC’s traditional hesitancy to award non-economic loss for data breaches.

Notifiable data breaches also on the rise

In the same month in which this determination was handed down, the OAIC released the July to December 2020 Notifiable Data Breaches Report in which the Australian Government entered the top 5 industry sectors for the first time.

Of these five sectors, the Australian Government had the lowest rate of detection within 30 days at 61% and was also reported to have the lowest rate of notifying the OAIC within 30 days at 58%.

As in the data breach involving asylum seekers, of the 33 data breaches reported to the OAIC between July to December 2020, 29 were attributable to human error.  During this period, overall breaches increased by 5% to 539.

Unfortunately, data breaches appear to be commonplace, regardless of the sector in which they occur.  Only this month, Swinburne University made a public apology after names, emails and phone numbers of 5,200 individuals were made available on the internet.

Need assistance?

If you need advice on data breaches or general privacy obligations for your business, please contact a member of Thomson Geer’s National Intellectual Property team for a confidential discussion.


Andrew Chalet | Partner | +61 3 8080 3542 |

Dr Peytee Grusche | Special Counsel | +61 8 9404 9161 |

Stephanie McHugh | Lawyer | +61 3 8080 3554 |

Emma Halliday | Law Graduate