Federal privacy authorities have been called in after Centrelink left revealing personal and financial details of clients lying around at a suburban railway station last month.

Documents containing details of 23 clients’ full financial disclosures, including bank account numbers and details of property holdings, superannuation and investments, were left by an official from the welfare agency at Darra in the southern suburbs of Brisbane in mid-July.

Centrelink insiders say that sensitive and private information is now routinely carried around on trains, buses and officials’ cars, and often stored at public servants’ homes, after a system of transporting the material in government vehicles was abandoned to cut costs.

The lost documents also contained the dates of birth, phone numbers, relationship details, home addresses and phone numbers, and the loss was only discovered when a Queensland Rail worker called one of the people whose file was lost.

The Department of Human Services says it is taking the “unacceptable” incident seriously and that such data breaches are “extremely rare”.

But the department would not say if the rest of the 23 clients affected by the loss of their private information had been notified.

The Canberra Times believes that the senior Centrelink worker is now under investigation for a breach of The Privacy Act and a potential Australian Public Service Code of Conduct breach, but is still working with potentially sensitive client data.

The Office of the Australian Information Commissionerconfirmed on Monday that it had been notified of the breach but did not provide details of what action would be taken.

A DHS spokeswoman said the lost documents were recovered quickly and that the department was investigating the breach.

“While the information relating to 23 customers was quickly recovered by the department from a Queensland Rail employee, we do not dismiss the serious nature of the incident,” she said.

“Privacy and security of personal customer records is of paramount importance, and any incident of this nature is investigated under well-established privacy processes.

“Department staff deal with tens of thousands of customers every day and these types of incidents are extremely rare.

“However, any incident that places customer privacy at risk is unacceptable.”

The spokeswoman for the department defended its record on protecting client privacy.

DHS recorded 471 “substantiated privacy incidents” in the 2012-13 financial year, a 3 per cent decrease from 2011–12, from tens of millions of client interactions.