Document 1

s 22(1) s 22(1); s 22(1)
DBN4/00000 - FW: URGENT: Privacy breach [DLM=Sensitive]
Tuesday, 11 November 2014 2:11:41 PM
Privacy Breach Report - DIBP 7 Nov 2014.docx
High

Please register this as a new DBN asap. Do not send the standard confirmation email.

Regards,

From: s 22(1)
Sent: Friday, 7 November 2014 5:11 PM
To: s 22(1)
Subject: URGENT: Privacy breach [DLM=Sensitive]
Importance: High

Sensitive

As discussed, attached are details of a Privacy Breach that occurred this morning. I would be grateful for urgent advice from the office of the Privacy Commissioner given the sensitivities involved.

Thank you for your time,

s 22(1)
s 22(1)
Director
Visa Services Support and Major Events
Department of Immigration and Border Protection
Telephone: s 22(1)
Mobile: s 22(1)
Email: s 22(1)

Sensitive

This document may contain 'personal identifiers' and 'personal information' as defined under the Migration Act 1958 or Australian Citizenship Act 2007, and can only be used for purposes under these Acts.

Important Notice: If you have received this email by mistake, please advise the sender and delete the message and attachments immediately. This email, including attachments, may contain confidential, sensitive, legally privileged and/or copyright information. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. DIBP respects your privacy and has obligations under the Privacy Act 1988. The official departmental privacy policy can be viewed on the department's website at www.immi.gov.au. See: http://www.immi.gov.au/functional/privacy.htm

FOR OFFICIAL USE ONLY SENSITIVE

Document 1 - Attachment

Step 1: Breach Containment and Preliminary Assessment

In relation to the breach, I, s 22(1), Director, Visas Services Support and Major Events Section, Department of Immigration and Citizenship, am leading the initial investigation.
An email was sent on 7 November 2014 containing the personal information, including passport details and visa status, of Leaders coming to the G20 Leaders’ Summit. The purpose of the email was to advise one s 22(1) within the Department of the status of Leaders' visa applications to assist in the Department's overall management of visas for the event.

s 22(1), Assistant Director, Visa Services Support and Major Events Section, accidentally sent the email to a s 22(1) who works for the Asian Cup Local Organising Committee instead of s 22(1). This breach relates to one email and one email address.

The matter was brought to my attention directly by s 22(1) immediately after receiving an email from s 22(1) informing her that she had sent the email to the wrong person. This was less than ten minutes after the original email was sent. In his response to s 22(1), s 22(1) advised that he had deleted the email.

Subsequently, on the same day, the Asian Cup Local Organising Committee advised in writing that s 22(1) had emptied his deleted items folder and:

- The retention period on deleted items was set to 0 to purge the item completely;
- There is no record of it being forwarded; and
- The email was not copied to a backup as these only run overnight.

The Asian Cup Local Organising committee do not believe the email to be accessible, recoverable or stored anywhere else in their systems.

Step 2: Evaluation of the Risks Associated with the Breach

(i) Personal Information Involved

The personal information which has been breached is the name, date of birth, title, position, nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (i.e., Prime Ministers, Presidents and their equivalents) attending the G20 Leaders Summit on 15 and 16 November 2014.

31 people were affected by this breach.
Given the steps taken to contain the breach outlined above, it is unlikely that the information is in the public domain. Further, the absence of associated personal data, such as address or other contact details, limits significantly the potential risk of this breach.

It should also be noted that the personal details of these individuals, including their names, positions and dates of birth are generally already available in the public domain given their prominent positions. The fact that these delegates are coming to Australia for the G20 Leaders’ Summit is also well known in the public domain.

While the passport information could potentially be used for unknown purposes by the other party who inadvertently received the email, there are no circumstances that I am aware of which make me consider that likely.

(ii) Cause and extent of the breach

The cause of the breach was human error. s 22(1) failed to check that the auto-fill function in Microsoft Outlook had entered the correct person’s details into the email 'To' field. This led to the email being sent to the wrong person.

The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach. That said, I intend to take this opportunity to reinforce to all staff within my office the need to be vigilant with regard to how we treat personal data at work.

(iii) Individuals Affected by the Breach

32 individuals were affected by the breach. The first 31 individuals were the G20 leaders whose information was released to the Asian Cup Local Organising Committee. The 32nd was the person who inadvertently received the email but was not a departmental officer.

(iv) Foreseeable Harm from the Breach

As discussed above, the only connection that links the unintended recipient of the email is through an email sent to him on 7 November 2014. There is no further category that either links all the clients with one another, nor individual clients with one another.
Whilst the recipient is not a professional body or other institution which might have a professional or legal obligation to treat the data in one way or another, there is nothing to suggest that he would deal with it inappropriately, not least of all because of the limited information that has been disclosed and the fact that the unintended recipient immediately contacted the Department to report receipt of the email.

Step 3: Notification

On 7 November 2014, the Privacy and FOI Section within the department advised that the office of the Minister for Immigration and Citizenship should be notified of the breach. This occurred on 7 November 2014.

Given that the risks of the breach are considered very low and the actions that have been taken to limit the further distribution of the email, I do not consider it necessary to notify the clients of the breach.

Step 4: Prevention of Future Breaches

As mentioned above, this was an isolated example of human error, but I will nonetheless take the opportunity to remind staff of their obligations in relation to private client data and how to treat this. I will also reinforce the need to double check email recipients before sending emails.
