Some Lessons from OAIC v Serco

The OAIC’s determination in a recent case involving Serco and the systems it used in operating immigration detention facilities provides insight not only into Australia’s detention system but also into how a poorly operated system can have significant impacts on vulnerable people.

It’s a timely reminder of the importance of keeping objectively accurate records, supported by evidence, and of the care that should be taken when recording sensitive information that can have a significant impact on the data subject.


Serco runs a number of Australia’s immigration detention centres.  Part of the Serco operational model is to compile a Security Risk Assessment Report (SRA Report) for each detainee in its centres.  The report is used for management purposes within the Immigration Detention Network. Among other things, the SRA Report contains a list and description of incidents involving detainees as reported by Serco staff.

Included in the report is a risk rating (ostensibly assessing the risk for escape or violence). This rating is calculated by an algorithm as part of a Security Risk Assessment Tool, or SRAT. The SRAT calculates a detainee’s “risk” based on more than 30 different incident types that may occur in detention, such as abusive or aggressive behaviour, assault, possessing contraband or the refusal of food or fluids. (More detail of what is included in the standard SRA Report is in the Appendix.)

Detainees are also rated for an overall placement and escort risk, which may determine how they are treated while being transported, such as whether they are placed in handcuffs, and where they are housed inside a detention centre.

Detainees are not told of the existence of the report, assignment of the rating, how it is calculated or the impact of an assessment on their treatment or rights.

The detainee whose complaint is discussed below was released from detention in 2020 after a tribunal found he was “of good character” and had “contributed positively to the Australian community”, but his fight over the SRAT dragged on for three years after he made a privacy complaint against Serco to the Office of the Australian Information Commissioner.

OAIC Investigation

The OAIC considered the SRA Report of one detainee in a recent decision.

The complainant in that case first became aware of the SRA report when they were provided with a copy during the processing of a complaint they lodged with the Australian Human Rights Commission (AHRC) sometime prior to January 2020.  The complaint related to the complainant being handcuffed unlawfully. In response to that complaint, Serco produced the SRA Report as justification for the handcuffing.

After receiving a copy of the SRA Report that Serco had compiled on him, the detainee made a privacy complaint to the OAIC. The complaint alleged that Serco had:

  • failed to take reasonable steps to ensure the personal information it collected about the complainant was accurate, up-to-date and complete, in breach of Australian Privacy Principle (APP) 10.1
  • failed to provide the complainant with a written notice including the mechanisms available for the complainant to complain about the respondent’s refusal to correct their personal information, in breach of APP 13.3.

Over three years later, in October 2023, the OAIC found that Serco had breached the complainant’s privacy in failing to ensure his personal information “was accurate, up-to-date and complete”, among other breaches of the Privacy Act. Serco was ordered to issue an apology and pay $1,500 in compensation.

Issues with The SRA Report

The issues raised by the complainant about the SRA Report included the following:

  • Identification of the complainant as the ‘alleged offender’ including an alleged sexual assault incident, a soccer incident involving injury to a detainee, an alleged assault involving other detainees, and a series of aggression incidents where the complainant was allegedly abusive towards staff; and
  • Incidents where the complainant was identified as being ‘Involved’ in ‘Abusive/Aggressive Behaviour’ including acts of aggression towards staff and other detainees.

The complainant contended that Serco did not take reasonable steps to ensure the accuracy of their personal information because the above entries were not supported by evidence. 

The entries largely contained a statement with little further substance and often misleading terminology. As an example, one of the incidents where the complainant was called the ‘alleged offender’ related to an incident summary which provided:

“Detainee sustained minor injury while playing soccer yesterday and reported to Serco today.”

Another example is of an incident characterised as ‘Abusive/Aggressive Behaviour’ and is categorised as ‘minor’. The incident summary provides simply that:

“Detainee became aggressive toward Serco officers.”

These entries do not identify who the officers were. The description ‘aggressive’ is not objective but rather expresses an opinion and does not identify what the officer saw or otherwise observed to form this view.

Another example of ‘Abusive/Aggressive Behaviour’ is that the Detainee swore at Serco officers.

Accuracy of SRA Report

Serco stood by the accuracy and completeness of its reports. Serco produced training manuals that set out in detail how reports were to be completed, with a focus on relying on evidence and not using opinion.

The OAIC noted that there was no information “on the extent to which these training manuals were operationalised at the time of the acts and practices.” In the absence of that information, the OAIC was unable to conclude that Serco had taken reasonable steps to ensure the accuracy of the personal information it generated and used on the SRA report.

Reasonable Steps To Ensure Accuracy

The issue at the heart of the case was whether Serco took reasonable steps to ensure the accuracy of the personal information collected by the officers, and used on the SRA report.  In determining what was reasonable in the circumstances, it was relevant to consider both the level of sensitivity of the personal information and the consequences if its accuracy is not ensured.

In determining that Serco had not taken reasonable steps, the Commissioner pointed to the lack of evidence of ‘the extent to which these training manuals were operationalised at the time of the acts and practices.’

There was no information regarding:

  • which officers were provided the training manuals,
  • the way in which training was delivered,
  • how frequently officers were given refresher training,
  • how the respondent monitored compliance with the practices and procedures as set out in the manuals,
  • how the information from notebooks, officer’s reports and SIRs is entered onto the SRA report.

Without that information, the Commissioner could not conclude that Serco had taken reasonable steps to ensure the accuracy of the personal information it generated and used on the SRA report, based on the steps it had set out.

What can we learn?

What can we learn from the findings in this case?

The messages from this case are relevant to any organisation that maintains records of incidents or other behaviour.

The more sensitive the information in your records and the more significant the impact on relevant individuals, the higher the bar in terms of the reasonable steps you will be expected to take to ensure the accuracy of those records.

It’s clear you’ll need more than just a training manual that tells staff how the report should be completed. Evidence will also be required of:

  • Who was trained;
  • When and how frequently the training was delivered;
  • What reviews of the records were conducted to make sure that the records were being completed in accordance with the training manual.

Other steps to consider:

  • Is it appropriate to share the record with the relevant individuals and record their view?
  • Do the staff completing the records have the right level of skills to be able to complete the report (recognising that often the record keepers don’t have English as a first language or highly developed technology skills)? If not, what additional support might be required?

Ultimately, don’t lose sight of the fact that whatever is recorded is not only accessible by the individual but may also have significant impacts on their rights.


What is in the SRA Report 

The SRA report contains a main page setting out the following information in relation to the individual:

  • Name and ‘Service ID’
  • ‘Personal Details’ including their date of birth, citizenship, language and marital status and facial image
  • ‘Pathway Details’ including reason for detention, time in detention and an ‘immigration pathway’ status
  • ‘Placement’, indicating their location in the immigration detention centre
  • ‘Incident History’, being a table setting out ‘Incident Types’, the ‘Total’ number of each incident type and the number of incidents for ‘Last 3 Months’
  • ‘Behavioural Risk Indicators’, setting out indicators such as ‘Aggression’, ‘Criminal History’, ‘Damage’, ‘Demonstration’, ‘Disorder’, ‘Escape’, ‘Self-Harm’, ‘Violence’ and ‘Voluntary Starvation’ with colours indicating risk levels
  • ‘Criminal History’, setting out types such as ‘Serious Violence’, ‘Mild Violence’, ‘Property Offences’ indicating frequencies such as ‘NIL’, ‘SINGLE’, ‘MULTIPLE’
  • ‘Escape Indicators’ setting out types such as ‘Time in Community’, ‘Access to Resources’, ‘Escape Tools’, indicating ‘YES’ or ‘NO’
  • ‘Medical Risk Indicators’, with a free field to report ‘Medical Considerations’
  • ‘Security Intelligence Reports’, setting out incident types such as ‘Alcohol Related’, ‘Prohibited Item’, ‘Disorder-Unrest’, ‘Threats Against Detainees’, ‘Threats Against Staff’, ‘Security Issue’
  • ‘Intelligence Comments’
  • ‘Additional Comments’
  • ‘Associates’.

What is in the Security Risk Assessment

The SRA report includes a table titled ‘Security Risk Assessment’ which sets out the following risks and indicates whether the risk is ‘LOW’ or ‘HIGH’:  

  • ‘Demonstration’
  • ‘Escape’
  • ‘Self Harm’
  • ‘Aggression/ Violence’
  • ‘Criminal Profile’
  • ‘DSP Placement Risk’
  • ‘DSP Escort Risk’
  • ‘Override Placement’
  • ‘Override Escort’.

Incident History

The SRA report includes a section titled ‘Incident History’ which sets out information in relation to specific incidents. The information provided for each incident includes:  

  • Incident Number
  • Incident Date
  • ‘Incident Type’, with examples including: ‘Use of Force – Planned’, ‘Accident/Injury – Serious’, ‘Accident/Injury – Minor’, ‘Abusive/aggressive behaviour’, ‘Assault – Minor’, ‘Damage – Minor’, ‘Disturbance – Minor’, ‘Contraband Found’, ‘Theft’
  • ‘Incident Level’, with examples including ‘Minor’, ‘Critical’, ‘Category 1 – Minor Incident’, ‘Category 2 – Major Incident’, ‘Category 3 – Critical Incident’
  • ‘Participation Type’, with examples including ‘Involved’, ‘Alleged Victim’, ‘Alleged Offender’
  • ‘Incident Location’
  • ‘Incident Summary’ which includes short free text, with some of the fields setting out information such as the fact that the individual was ‘aggressive towards Serco staff member’.



Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.