Document 1
s 22(1)
Enis
s 22(1); s 22(1)
DBN4/00000 - FW: URGENT: Privacy breach [DLM=Sensitive]
Tuesday, 11 November 2014 2:11:41 PM
Privacy Breach Report - DIBP 7 Nov 2014.docx
High
Please register this as a new DBN asap.
Do not send the standard confirmation email
Regards,
From: s 22(1)
Sent: Friday, 7 November 2014 5:11 PM
To: s 22(1)
Subject: URGENT: Privacy breach [DLM=Sensitive]
Importance: High
Sensitive
He"
As discussed, attached are details of a Privacy Breach that occurred this morning. I would be
grateful for urgent advice from the office of the Privacy Commissioner given the sensitivities
involved.
Thank you for your time,
s 22(1)
s 22(1)
Director
Visa Services Support and Major Events
Department of Immigration and Border Protection
Telephone: s 22(1)
Mobile: s 22(1)
Email: s 22(1)
Sensitive
This document may contain 'personal identifiers' and 'personal information' as defined
under the Migration Act 1958 or Australian Citizenship Act 2007, and can only be used
for purposes under these Acts. Important Notice: If you have received this email by
mistake, please advise the sender and delete the message and attachments immediately.
This email, including attachments, may contain confidential, sensitive, legally privileged
and/or copyright information. Any review, retransmission, dissemination
or other use of this information by persons or entities other than the
intended recipient is prohibited. DIBP respects your privacy and has
obligations under the Privacy Act 1988. The official departmental privacy
policy can be viewed on the department's website at www.immi.gov.au. See:
http://www.immi.gov.au/functional/privacy.htm
FOR OFFICIAL USE ONLY
SENSITIVE
Document 1 - Attachment
Step 1: Breach Containment and Preliminary Assessment
In relation to the breach, I, s 22(1), Director, Visa Services Support and
Major Events Section, Department of Immigration and Citizenship, am leading the
initial investigation.
An email was sent on 7 November 2014 containing the personal information,
including passport details and visa status, of Leaders coming to the G20 Leaders'
Summit. The purpose of the email was to advise one s 22(1) within the
Department of the status of Leaders' visa applications to assist in the Department's
overall management of visas for the event.
s 22(1), Assistant Director, Visa Services Support and Major Events Section,
accidentally sent the email to a s 22(1) who works for the Asian Cup Local
Organising Committee instead of s 22(1).
This breach relates to one email and one email address.
The matter was brought to my attention directly by s 22(1) immediately after
receiving an email from s 22(1) informing her that she had sent the email to the
wrong person. This was less than ten minutes after the original email was sent. In his
response to s 22(1), s 22(1) advised that he had deleted the email.
Subsequently, on the same day, the Asian Cup Local Organising Committee advised
in writing that s 22(1) had emptied his deleted items folder and:
- The retention period on deleted items was set to 0 to purge the item
  completely;
- There is no record of it being forwarded; and
- The email was not copied to a backup as these only run overnight.
The Asian Cup Local Organising Committee do not believe the email to be accessible,
recoverable or stored anywhere else in their systems.
Step 2: Evaluation of the Risks Associated with the Breach
(i) Personal Information Involved
The personal information which has been breached is the name, date of birth, title,
position, nationality, passport number, visa grant number and visa subclass held
relating to 31 international leaders (ie, Prime Ministers, Presidents and their
equivalents) attending the G20 Leaders' Summit on 15 and 16 November 2014.
31 people were affected by this breach. Given the steps taken to contain the breach
outlined above, it is unlikely that the information is in the public domain. Further, the
absence of associated personal data, such as address or other contact details, limits
significantly the potential risk of this breach. It should also be noted that the personal
details of these individuals, including their names, positions and dates of birth are
generally already available in the public domain given their prominent positions. The
fact that these delegates are coming to Australia for the G20 Leaders’ Summit is also
well known in the public domain.
While the passport information could potentially be used for unknown purposes by
the other party who inadvertently received the email, there are no circumstances that I
am aware of which make me consider that likely.
(ii) Cause and Extent of the Breach
The cause of the breach was human error. s 22(1) failed to check that the
auto-fill function in Microsoft Outlook had entered the correct person's details into
the email 'To' field. This led to the email being sent to the wrong person.
The risk remains only to the extent of human error, but there was nothing systemic or
institutional about the breach. That said, I intend to take this opportunity to reinforce
to all staff within my office the need to be vigilant with regard to how we treat
personal data at work.
(iii) Individuals Affected by the Breach
32 individuals were affected by the breach. The first 31 individuals were the G20
leaders whose information was released to the Asian Cup Local Organising
Committee. The 32nd was the person who inadvertently received the email but was
not a departmental officer.
(iv) Foreseeable Harm from the Breach
As discussed above, the only connection that links the unintended recipient of the
email is through an email sent to him on 7 November 2014. There is no further
category that either links all the clients with one another, nor individual clients with
one another.
Whilst the recipient is not a professional body or other institution which might have a
professional or legal obligation to treat the data in one way or another, there is nothing
to suggest that he would deal with it inappropriately, not least of all because of the
limited information that has been disclosed and the fact that the unintended recipient
immediately contacted the Department to report receipt of the email.
Step 3: Notification
On 7 November 2014, the Privacy and FOI Section within the department advised that
the office of the Minister for Immigration and Citizenship should be notified of the
breach. This occurred on 7 November 2014.
Given that the risks of the breach are considered very low and the actions that have
been taken to limit the further distribution of the email, I do not consider it necessary
to notify the clients of the breach.
Step 4: Prevention of Future Breaches
As mentioned above, this was an isolated example of human error, but I will
nonetheless take the opportunity to remind staff of their obligations in relation to
private client data and how to treat this. I will also reinforce the need to double check
email recipients before sending emails.