Privacy case note: damages in class action

In ‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr 2, the Department of Home Affairs (formerly the Department of Immigration and Border Protection) has been found to have interfered with the privacy of 9,251 detainees in immigration detention by mistakenly releasing their personal information.

The Privacy Commissioner has ordered the Department to pay compensation for non-economic loss to 1,297 participating class members who have demonstrated that they suffered loss or damage as a result of the data breach, under five categories of loss or damage, depending on the severity of the impact, as set out in the table below.

The representative complaint followed the publication of a detention report on the department’s website in 2014, in error. The Microsoft Word document contained embedded personal information in a Microsoft Excel spreadsheet that identified all persons in immigration detention on 31 January 2014.

The Spreadsheet contained the following categories of personal information about class members: full names; gender; citizenship; date of birth; period of immigration detention; location; boat arrival details; and reasons why the individual had been considered an unlawful non-citizen.

The Detention Report, including the Spreadsheet, was available on the Department’s website for approximately 8 days. The Detention Report was also available on The Internet Archive for approximately 16 days.

The Privacy Commissioner determined that the Department interfered with the privacy, as defined in section 13(a) of the Privacy Act, of the class members by:

  • disclosing the personal information of class members on a publicly available website, in breach of Information Privacy Principle (IPP) 11, and
  • failing to take such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse, in breach of IPP 4.


Non-economic loss categories 

Category 0

The individual has not provided a submission and/or evidence that substantiates loss or damage resulting from the Data Breach

Category 1

General anxiousness, trepidation, concern or embarrassment, resulting from the Data Breach

Category 2

Moderate anxiousness, fear, pain and suffering, distress or humiliation, resulting from the Data Breach, which may cause minor physiological symptoms, such as loss of sleep or headaches, and may result in a consultation with a health practitioner

Category 3

Significant or prolonged anxiousness, fear, pain and suffering, distress or humiliation, resulting from the Data Breach, which may cause psychological or other harm, and may result in a prescribed course of treatment from a general practitioner

Category 4

The development or exacerbation of a mental health condition as a result of the Data Breach, resulting in a referral to a mental health specialist for treatment

Category 5

Extreme loss or damage resulting from the Data Breach

Non-economic loss categories
Category 0: $0
Category 1: $500 – $4,000
Category 2: $4,001 – $8,000
Category 3: $8,001 – $12,000
Category 4: $12,001 – $20,000
Category 5: > $20,000


Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
