Australia's privacy commissioner is inviting asylum seekers held in detention that were affected by a catastrophic data breach in 2014 to contact his office, in a landmark case that could see millions in compensation awarded to people affected by the breach.
In February 2014 the Guardian revealed the immigration department had accidentally disclosed the personal details of almost 10,000 people held in detention. The immigration minister at the time, Scott Morrison, described the breach as "unacceptable".
The details included the names, nationalities, location, arrival date and identification number. It included every person held in a mainland detention facility and on Christmas Island, as well as several thousand in community detention.
An investigation by the privacy commissioner Timothy Pilgrim found that the department breached Australia's privacy laws in several ways, and had failed to develop procedures and safeguards for publishing information online.
A representative complaint - similar to a class action - was lodged with the privacy commissioner's office in August 2015. The commissioner's office will soon make a determination on the case, which could include compensation for those affected by the breach. The commissioner is inviting those affected by the breach to contact his office.
The notice states: "If you resided in immigration detention on 31 January 2014, and you suffered any loss or damage as a result of the department’s data breach, you will need to provide the Commissioner with information about this."
Based on an analysis of recent determinations by the privacy commissioner, each determination where compensation was awarded has averaged roughly $10,000.
If asylum seekers who were exposed to the breach were awarded compensation in this range, the immigration department may be facing up to $100m in costs.
A large number of court cases have been run in the federal court outlining the risks to asylum seekers who are returned home. A recent decision progressed to the high court, where the court court that the two asylum seekers affected had their claims appropriately reassessed. This may be one of the grounds that asylum seekers could be entitled to seek compensation for in the privacy case.
Documents released under freedom of information laws revealed that the file containing the personal information was downloaded dozens of times, included in countries such as China, Russia and Egypt.
The closing date for submissions to the privacy commissioner is 19 April 2018.