The Australian government may be liable for tens of millions of dollars in compensation to asylum seekers after it posted their personal details online while they were in immigration detention.
The mass data breach, discovered by Guardian Australia in 2014, resulted in information being used, in some cases, to allegedly threaten asylum seekers, or persecute and even jail their family members.
Of the nearly 10,000 asylum seekers whose privacy was breached nearly a decade ago, those who suffered “extreme loss and damage” will each be eligible for more than $20,000 in compensation after a decision from the Administrative Appeals Tribunal.
The total cost to the commonwealth could run to tens of millions of dollars, but not all of those whose privacy was breached will be allowed to claim compensation.
In 2014, Guardian Australia discovered that the details of every person then held in immigration detention by Australia had been posted online in an Excel spreadsheet by the then immigration and border protection department (now home affairs).
The Guardian did not publish any details or the information’s whereabouts, and alerted the department to the breach. The department took the personal details – which included full names, citizenship, dates of birth, location and period in immigration detention – offline.
The information of 9,528 asylum seekers, more than 2,500 of them children, was available online for 17 days and accessed more than 100 times, including from IP addresses in China, Russia, Egypt and Pakistan, and from masked anonymous locations.
Documents before the AAT show that in some cases, the data breach was used against asylum seekers and led to their families in their home countries being threatened.
In one case, a verdict in an Iranian court explicitly referenced the data leaked on the Australian government website as evidence that an asylum seeker’s relative – still in Iran – had helped the asylum seeker flee the country. The asylum seeker’s relative was jailed for five years.
In another case, the family of a Sri Lankan asylum seeker was repeatedly harassed by members of Sri Lanka’s CID, who said they knew the asylum seeker was in immigration detention in Australia.
The AAT decision also cited certified documents from China. One, from the Xuanshan Villagers’ Committee in Zhanggong, China, stated an asylum seeker’s father was stabbed by another family after they learned “from the township government” that the asylum seeker was in Australia.
And a certificate issued by a funeral parlour in Sichuan province stated that when “public security officers” learned an asylum seeker “had escaped to Australia to seek protection” they searched the house of the asylum seeker’s grandmother. “During a struggle, the [asylum seeker’s] grandmother suffered a fatal injury,” the AAT decision says.
On Wednesday, more than nine years after the breach, the AAT deputy president, Justice Melissa Perry, ruled that those who suffered loss and damage were eligible for compensation, and ordered an independent law firm be appointed to administer the compensation process.
Those who suffered “major loss or damage”, such as prolonged anxiousness, stress, fear, pain and distress which had caused psychological harm, would be eligible for up to $12,000.
Those with more severe loss or damage, such as the development or exacerbation of a diagnosed psychological condition, can claim up to $20,000. For “extreme” loss or damage, claimants can be awarded more than $20,000.
However, only those people who had already made submissions, or make submissions in coming months, demonstrating their suffering and distress were entitled to compensation, Perry ruled. Nearly 1,300 people had already made those submissions.
A 2021 decision by the Office of the Australian Information Commissioner (OAIC) had limited compensation claims to those who had already responded to a 2018 notice regarding the data breach.
Acting pro bono, Slater and Gordon, along with the Refugee Advice and Casework Service (RACS), appealed that OAIC decision to the AAT, arguing that all people affected by the breach should have an opportunity to claim compensation, and that the department should not be appointed to assess compensation given a clear conflict of interest.
Slater and Gordon’s associate in class actions, Meg Lessing, said while it had been nearly 10 years since the data breach, “we hope it will finally provide an opportunity for victims to now bring their claims for compensation”.
“Given the amount of time that has already passed, we expect the department to accept the ruling, and work with all relevant stakeholders including victims of the data breach so that they can bring their claim without further delay or unnecessary costs and complexity,” Lessing said.
Lessing said while the AAT appeal represented “an attempt to seek fairness … we recognise it will never take away the threat and harm the breach caused to thousands of vulnerable people seeking asylum”.
The RACS principal solicitor, Sarah Dale, said the impacts of the data breach, on an already vulnerable population, were profound.
“This data breach identified people at risk of persecution, torture and death and who were engaging with a foreign government seeking safety. The stress, the trauma and the concern this created for our community, at a time when many were still detained, cannot be underestimated.”
A home affairs spokesperson told Guardian Australia the department was aware of the AAT’s decision and was considering its implications.
“The Department of Home Affairs has robust procedures in place for the handling of personal information it collects to undertake its functions. The department regularly reviews and improves procedures to ensure the personal information it collects is protected.”