Privacy Commissioner report: the risk of embedding spreadsheets in documents

In an Own motion investigation report, the Australian Privacy Commissioner has found that the Department of Immigration and Border Protection (DIBP) contravened the Privacy Act when the Department accidentally published the personal details of almost 10,000 asylum seekers in a document that was intended to provide statistical information about the number and status of applications made for refugee status.

The investigation started after a media report about the availability of the database on the Department’s website and subsequent confirmation by the Department.

The investigation focused on whether DIBP had reasonable security safeguards in place to protect the asylum seekers’ information, and whether DIBP had disclosed the information in accordance with the Privacy Act 1988 (Cth).

The Commissioner came to the view that DIBP had breached the Privacy Act by failing to put in place reasonable security safeguards to protect the personal information it held against loss, unauthorised access, use, modification or disclosure and against other misuse. The Commissioner also found that DIBP had unlawfully disclosed personal information.

In preparing the Microsoft Word version of its monthly Detention report for web publication, DIBP embedded the Microsoft Excel spreadsheet that had been used to generate the statistics used in the Detention report. The spreadsheet included the personal information of approximately 9,250 asylum seekers and was accessible through the Detention report.

DIBP was notified about the breach by the Guardian Australia at 9.15am on 19 February 2014. DIBP removed the Detention report from its website by 10.00am on that date. The Detention report was available on DIBP’s website for about eight and a half days.

While creating the Detention report, Departmental staff copied charts and tables directly from the Microsoft Excel spreadsheet, resulting in the underlying data being embedded in the Microsoft Word version of the Detention report. This was contrary to the relevant Departmental policy, which stated that graphs should be copied and pasted as pictures into Microsoft Word documents.

Departmental policies specified that the Detention report should be cleared by seven reviewers in hard copy. Quality assurance reviews focused on writing style, grammar, spelling and the accuracy of the data in the Detention report. The policies did not require reviewers or publishers to check for data that had been inadvertently embedded, even though the Commissioner was satisfied this risk was known to DIBP. Further, the majority of reviewers and the publisher of the document were unaware that it was possible to embed Microsoft Excel data in a Microsoft Word document. As a result, the digital copy of the Detention report was not checked for this risk.

The DIBP response

DIBP advised that, once it became aware of the data breach, it took the following steps to contain the data breach:
• Removed the Detention report from its website. The report was available on DIBP’s website for about eight and a half days.
• Undertook a search engine analysis to confirm that the report was no longer available through public search engines, and checked DIBP’s website to ensure that all source information containing personal information was removed.
• Conducted a detailed examination of information obtained through DIBP’s website about the number of times the Detention report was accessed and the location of the IP addresses that attempted to retrieve the file.
• Obtained assurances from the journalists that had discovered the data breach that the information had not been, and would not be, disseminated further.
• Wrote to Archive.org to seek the removal of the Detention report. The report was available on Archive.org for about 16 days.

In addition to taking steps to contain the data breach, DIBP took the following steps to respond to the data breach:
• Engaged an external consultant (KPMG) to undertake a review of the data breach, including to identify departmental vulnerabilities, policies or management practices that contributed to the data breach, and provide recommendations to prevent recurrence.
• Undertook an internal risk assessment to assess the risk of harm to the listed individuals.
• Commenced a process of notifying the listed individuals.

DIBP advised that it has taken a number of steps to mitigate against future data breaches of this nature, including the following:
• Removed personal information from the underlying datasets prior to the immigration detention and community statistics reports being prepared. It also intended to implement the approach of analysing and reporting on ‘sanitised’ datasets that have personal information automatically removed.
• Reviewed all processes relating to the creation, review and publication of online content. DIBP notes that it intends to regularly update these processes. These materials will be available to all staff on DIBP’s intranet.
• Rolled out face-to-face staff training and an awareness campaign, to highlight the changes to the Privacy Act. Privacy e-learning training material is also being developed. It also intended to develop a new security training program and strengthen its existing mandatory security e-learning package, both focusing on issues such as the handling of private or sensitive data and associated risks.
• Conducted a research and evaluation forum for staff involved in research activities to cover specific privacy issues around client data handling.

Based on DIBP’s remediation activities, DIBP’s ongoing implementation of recommendations made by KPMG, and its intention to engage an auditor confirm its remediation steps, the Commissioner decided to close the investigation.

 

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.