As yet there has been no statement by the Office of the Australian Information Commissioner and, alas, on past performance we are likely to wait some time before the OAIC acknowledges that there are concerns or leverages the incident to raise awareness (eg by highlighting the need for mandatory data breach reporting) and reinforce its fading legitimacy.
The statement reads -
The Department of Immigration and Border Protection continues to take steps to strengthen controls over private information held by the Department.
Documents outlining a number of privacy breaches by the Department have been released by the Office of the Australian Information Commissioner (OIAC). The documents are available on the OAIC's website here. [note: the statements relate to the refugee data breach]
The Department takes its obligations under the Privacy Act very seriously. It thoroughly investigates privacy breaches as soon as they are identified. All matters are notified voluntarily to the Privacy Commissioner and, if appropriate and required under law, to the Australian Federal Police. [not, dare I say, a major achievement]
In addition, the Department is making significant changes to its information management practices, following a number of external and internal reviews into its processes and practices. All recommendations from these reviews have been adopted.
This includes establishing built-in safeguards to ensure that sensitive information is not inadvertently or deliberately released externally. The Department is also working with its contracted service providers to prevent any breaches by their staff.
An External Accountability Task Force, specifically focused on strengthening privacy and information management, has been established within the Department's Integrity, Security and Assurance Division.
Media reporting of privacy breaches outlined in the documents released under FOI has focussed on apparent differences in the approach taken by the Department to notifying parties affected by the breaches.
As outlined in the released documents, decisions on whether or not to notify individuals or groups whose information was released are based on a case-by-case risk assessment.
This risk assessment takes into account a range of factors, including the known distribution of the material, whether it could be retrieved, deciphered or readily understood if found, and likelihood of harm being suffered as a result of the breach.
For example, in relation to the loss of payroll data, the Department sought advice from external financial institutions and was advised that no information disclosed could be used to access individuals personal accounts.
The Department has ongoing reviews of its arrangements for managing information access and will continue to develop and adopt best-practice approaches in this area.To adapt the words of Mandy Rice-Davies, well, they would say that, wouldn't they.