It's taken *seven years* - so long that the original lead plaintiff actually died - for the OAIC to rule on the immigration department's catastrophic data breach where it published the personal information of almost 10,000 people in detention. https://www.oaic.gov.au/updates/news-and-media/information-commissioner-orders-compensation-payable-by-home-affairs-for-breaching-detainees-privacy/
This was the original report we published back in February 2014 after we notified the Department and the OAIC of the breach https://www.theguardian.com/world/2014/feb/19/asylum-seekers-identities-revealed-in-immigration-department-data-lapse
It was at the time a very significant breach, although it's been far eclipsed by others since then. @oliverlaughland and I also reported that the file containing these details was downloaded in China, Russia, Egypt and other nations https://www.theguardian.com/world/2014/jun/19/file-containing-asylum-seekers-data-downloaded-in-china-russia-and-egypt
The Information Commissioner has ruled today that those asylum seekers and others in detention who suffered harm from the breach should be compensated... but hasn't actually awarded monetary amounts to any individuals.
Instead, the Commissioner has ordered that a process should be created where the department - which it should be noted was responsible for the breach - gets to assess where individuals sit in a range of compensation from $500 to $20,000. Those assessments can be contested.
I suspect that some of the individuals involved will be looking for an explanation though - why did it take seven years to arrive at a conclusion that doesn't actually resolve the compensation claims of any of the individuals involved?
And is outsourcing the determination on compensation to the same agency that is responsible for the breach really the best approach to assessing complex mass data breaches like these?
I am not aware of any similar process being employed in past data breaches in Australia (or elsewhere for that matter). It raises some very interesting questions about the future course of data breach class action determinations in Australia.
For instance - will Facebook be asked to ultimately assess the compensation awarded for individuals involved in the OAIC matter that is progressing against it?
Plenty to ponder in this determination and what it means for the future direction of privacy actions in Australia heard by the OAIC.