



The Office of the Australian Information Commissioner (OAIC) ​​has ordered the Department of Home Affairs, formerly the Department of Immigration and Border Protection, to determine the amount owed to each individual and to pay compensation for "erroneously" disclosing personal information of 9,251 asylum seekers. Australian Information Commissioner and Privacy Commissioner Angelene Falk determined that the federal government at the time had "interfered" in the privacy of these individuals by accidentally publishing their full names, nationalities, countries, dates of arrival and shipping information on its website in 2014 Following the publication of their personal information, the asylum seekers initiated legal action against the department. Asylum seekers in New South Wales, Western Australia and the Northern Territory claimed the violation exposed them to persecution by authorities in their home countries. A total of 1,297 applications were filed as part of the legal issue requiring compensation to be paid because those affected suffered loss or damage due to data breach. The commissioner said the compensation to be paid to members of the participating class will range from AU 500 to more than $ 20,000 and will be determined on a case-by-case basis. "This issue is the first representative action where we have found compensation for non-economic loss payable to individuals affected by a data breach," she said. "She acknowledges that a loss of privacy or disclosure of personal information may affect individuals and, depending on the circumstances, may result in loss or damage." The compensation process is expected to take up to 12 months to complete. This will include ensuring that individuals agree on their reimbursed amount. If the department and the individual cannot agree on the amount of compensation, there will be an opportunity to revalue the amount payable, the OAIC said. The OAIC said it would also publish the design information in 21 languages ​​to make sure all participating class members are informed about the process so they can finalize their claims. Last week, the OAIC requested that changes be made to Privacy Act 1988 which would update its regulatory powers and remove exclusions as for political parties. In a 150 pagesubmission[PDF] in the Attorney General's review of the Act, the OAIC made a number of recommendations, including increasing its ability to regulate, which it said would bring its competencies in line with "community expectations". The current Privacy Act positions the regulator to resolve individual privacy complaints through negotiation, reconciliation and determination. The OAIC has described the nearly 33-year-old post as obsolete. "This reflects the context in which the Privacy Act was first introduced. In the digital environment, privacy breaches can occur on a larger scale. While resolving individual complaints is a necessary part of effective privacy regulation, "there needs to be a greater ability to pursue privacy risks and systematic disregard through regulatory action," she said. "While Australia's current framework provides some enforcement powers, these need to be strengthened and rebalanced to prevent misconduct and to ensure that practices are corrected."

