Victoria Police have poor privacy practices. Who would have thought.
August 17, 2022
The Victorian Information Commissioner undertook an examination of privacy and information handling training at Victoria Police. It will come as no surprise to anybody familiar with the Victoria Police’s dismal history of privacy breaches that the Commissioner found that Victoria Police provided inadequate training. In fact there had been no training for over a year and Victoria Police had starved its Privacy and Education Unit of funding. As a result, the Commissioner found the Victoria Police non-compliant with its obligations under IPP 4.1.
I have posted regularly on privacy issues involving Victoria Police because they are so serious and so regularly occurring. A Victoria Policeman took photographs of Dani (Dean) Laidley while he/she was in custody, and distributed them to other serving officers, which resulted in Laidley suing the Victoria Police. In 2016 the Victorian Commissioner for Privacy and Data Security set out in his annual report 453 information security incidents and a 30% increase of incidents year on year. Police were caught misusing the LEAP database in 2015. And in 2014. In 2006 the ABC reported on 18 Victoria Police being disciplined for misuse of the LEAP database.
The Commissioner’s media release provides:
Part of OVIC’s role as Victoria’s privacy regulator includes oversight of Victoria Police and its management of law enforcement data.
On 30 September 2021, OVIC commenced an examination into the privacy and information handling training at Victoria Police.
The objective was to examine whether the training provided to Victoria Police personnel meets the requirements of Information Privacy Principle (IPP) 4.1 under the Privacy and Data Protection Act 2014 (Vic).
IPP 4.1 outlines that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification, or disclosure.
During this examination, OVIC staff gathered information from relevant Victoria Police personnel on how training is developed, delivered, and evaluated at Victoria Police, with an interest in information handling and privacy both generally and within the context of family violence investigations.
“In performing its law enforcement functions, Victoria Police collects, manages, and uses sensitive and personal information of Victorians, including delicate information related to some of the most vulnerable members of the community” said Information Commissioner Sven Bluemmel.
“A lack of appropriate training in privacy and information handling can increase the risk of misuse, loss, unauthorised access, modification, and disclosure of this information.”
The examination found that as of February 2022, Victoria Police had not provided any privacy-specific training available for its members for more than a year. The examination also found a lack of resources within its Privacy unit and Education Unit.
While no dedicated privacy training was available to Victoria Police members, there was a range of training available to Victoria Police personnel that touched on information handling principles including cyber security and information security.
Due to a lack of dedicated privacy training and awareness provided, the examination found that Victoria Police may not be compliant with its obligations under IPP 4.1.
In contrast, the examination found that since the 2016 report of the Royal Commission into Family Violence, Victoria Police has done extensive work on providing family violence training to its personnel, including providing comprehensive guidance about handling information gathered in a family violence context.
“Victoria Police’s response to the Royal Commission into Family Violence demonstrates it can deliver effective training on handling sensitive and personal information when this is prioritised and appropriately resourced” said Mr. Bluemmel.
Victoria Police has accepted the findings of the examination and has provided further resourcing to its privacy team. It has also undertaken to review privacy and information handling education annually.
OVIC will continue its engagement with Victoria Police to promote, support, and ensure reasonable steps are taken to protect the personal information of Victorians.
The Report’s executive summary provides:
Executive Summary
1. Victoria Police sworn members collect, use, and manage large amounts of Victorians’ personal information every day. Victoria Police is also responsible for managing sensitive and delicate information for many of Victoria’s most vulnerable populations, including victims and survivors of family violence.
2. Poor information handling practices by Victoria Police has the potential to cause significant harm to individuals. This is particularly important in family violence investigations where the risk of physical and emotional harm to a victim survivor caused by the inappropriate disclosure of information is high.
3. One of the foreseeable risks to information handling for Victoria Police is whether staff understand and employ good information handling practices in the performance of their roles. A way to address this risk is by ensuring adequate training is provided to staff so that they understand their obligations regarding privacy and information security.
4. Under the Privacy and Data Protection Act 2014 (Vic) (PDP Act), Victoria Police has obligations to uphold the privacy and information rights of Victorians. Victoria Police is required to ensure these obligations are understood by its personnel by implementing effective policies and training, and through embedding respect for upholding information rights into its organisational culture.
5. OVIC conducted an examination into how Victoria Police trains personnel in privacy and information handling. The examination also considered what privacy and information handling training is provided to staff in relation to family violence investigations.
6. The objective of the examination was to ascertain whether the training provided meets the requirements of Information Privacy Principle (IPP) 4.1 under the PDP Act. IPP 4.1 outlines that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification, or disclosure.
What privacy and information handling training are provided to sworn members?
7. The examination found that as of February 2022, Victoria Police had not provided any privacy specific training available for its members for more than a year. This is in part due to the lack of staff resources within the Security, Information and Privacy Division (SIPD).
8. SIPD has a dedicated Security, Education and Compliance unit (Education unit), and a Privacy unit, which are responsible for guidance and education in the privacy and information handling space. However, the examination found that – as of February 2022 – no staff were employed in these teams, although recruitment was underway.
9. While no dedicated privacy training was on offer to Victoria Police members, the examination found there was a range of training materials that touched on information handling principles, and were supportive of privacy, including training packages on cyber security and information security. All Victoria Police sworn members are required to undertake an online training e-package relating to information security, and another on cyber security, during recruit training or when beginning a new role. However, personnel are not required to refresh their knowledge by re-completing e-packages after initial completion during recruit training. This means that their knowledge may not be current.
What privacy and information handling training are provided to sworn members involved in family violence investigations?
10. The examination found that since the Royal Commission, Victoria Police has done extensive work on family violence training. The recommendations from the Royal Commission, and the government funding that accompanied them, allowed Victoria Police to build a family violence training infrastructure that supports appropriate information handling. This demonstrates the positive and lasting changes that can be made at Victoria Police when focus and resourcing are provided.
How is training developed and delivered at Victoria Police?
11. Sworn members receive significant amounts of training through the recruit and Foundation training program (Foundation program) at the commencement of their policing careers. This training includes principles of information security, confidentiality, and disclosure obligations. There is also a focus on ethical decision making through several different face-to-face and online modules.
12. The current training environment provides instruction on information handling in the initial stages of officers’ careers. However, as an officer’s career progresses, there is instead a heavy reliance on the interpretation of ethical standards to guide information handling, information security, and privacy obligations.
13. Victoria Police does not require staff to re-take certain core training e-packages periodically. As a result, staff may not have up to date knowledge. Currency of knowledge about privacy and information handling is important as the interpretation of the IPPs and amendments to the PDP Act continue to shift the privacy and information security landscape. Having up to date knowledge means that personnel are better able to understand their obligations and manage personal information appropriately.
14. OVIC also found that those sworn members who progress through the ranks of Victoria Police, or specialise in specific roles, encounter more training opportunities through promotional, specialist, or leadership programs. However, there are limited opportunities for continued training for those who stay at the same rank throughout their career. Most Victoria Police sworn members are made up of the more junior ranks.
15. The only regular training that all sworn members undertake is the biannual Operational Safety and Tactics training which focuses on practical skills like firearms safety and other tactical and operational training.
Recommendations
16. OVIC made three recommendations to Victoria Police:
Recommendation 1:
• Victoria Police should allocate appropriate resourcing to the Privacy unit and Education unit. This will ensure Victoria Police can perform its functions, including providing information handling education and training to sworn members.
Recommendation 2:
• Victoria Police should develop and deliver training to sworn members about their obligations:
o under the PDP Act and the Information Privacy Principles, and under internal policies relating to privacy, including the Privacy Policy and Privacy Complaints Handling Policy.
• This training should be refreshed periodically to ensure staff have up to date knowledge and understanding of developments in privacy and information handling.
Recommendation 3:
• Victoria Police should implement a system requiring all privacy complaints received by operational areas (such as local stations) to be reported to the Privacy unit. This will ensure that operational areas can handle complaints with appropriate privacy expertise; increase awareness of the Privacy unit’s functions; and assist the Privacy unit to identify trends that will inform the development of training and guidance.
iTnews has covered the report in “Victoria Police had no staff to run privacy training for over a year”, which provides:
Low privacy complaint numbers made new hires hard to justify.
Victoria Police provided no privacy training to its members for more than a year, because the central team responsible for education had no staff.
The lack of staff in one of Victoria’s largest government agencies also contributed to the near-collapse of an internal information handling community of practice of nearly 650 people, because there was no one to keep the community engaged.
A report released by the Office of the Victorian Information Commissioner (OVIC) on Monday revealed a problematic cycle of events at Victoria Police: a lack of staff to run education programs; a lack of specific training to members, whose knowledge may be years out of date; and an apparent lack of privacy complaints to justify increased staffing levels.
OVIC found that “as of February 2022, Victoria Police had not provided any privacy-specific training … for its members for more than a year.”
“This is in part due to the lack of staff resources within the Security, Information and Privacy Division (SIPD),” the commissioner found.
“SIPD has a dedicated security, education and compliance unit (education unit), and a privacy unit, which are responsible for guidance and education in the privacy and information handling space.
“However, the examination found that – as of February 2022 – no staff were employed in these teams. All positions in both the education unit and the privacy unit were vacant.
“The staff shortages within these two teams seriously diminished the training and guidance function of Victoria Police around information handling and privacy.”
Police said that in February it had approval to recruit one person into each of the privacy and education units at a VPS 4 level, which has a pay range between $90,067 and $102,192.
“Following this recruitment, the privacy unit would still be at 50 percent capacity,” OVIC said.
“Effective resourcing of the privacy unit – over and above the two roles envisaged – will provide greater confidence and support to sworn members, and the public, that sensitive and delicate personal information is being handled appropriately.”
Justifying headcount
The way privacy complaints are handled by Victoria Police contributed to the staffing issues, OVIC found.
As it stands, “any Victoria Police officer can receive a privacy complaint from a member of the public” and can exercise discretion to manage it locally.
Only complaints that can’t be resolved locally are passed to the SIPD, meaning the central unit likely does not have the full picture of complaints received across the force. It reports low double-digit numbers every year via a central register.
The low privacy complaints numbers made it difficult to justify staffing in the central privacy unit.
“Victoria Police discussed the implications of low recorded numbers of privacy complaints on bids for resourcing,” OVIC said.
“It was noted that low privacy complaint numbers reduced the likelihood of making a successful business case for increased resourcing.”
Community of practice ‘inactive’
The lack of resourcing also caused other information handling initiatives to become inactive.
The largest of these is the protective security portfolio holder (PSPH) network, over 650 people that act “as a liaison between SIPD and the sworn member cohort.”
“Victoria Police told OVIC that the network has been inactive and ‘treading water’ for over a year … due to a lack of staff in the education unit to maintain the network through regular engagement,” OVIC reported.
“It was noted that reinvigoration of the PSPH network would require considerable effort given the network had been inactive for so long.
“Victoria Police also noted that the reinvigoration of the PSPH network would involve re-requesting existing staff, or seeking new portfolio holders, to undertake the role due to the length of inactivity.”
OVIC said the network – effectively a community of practice – could “be highly valuable”, and that without it, SIPD had issues engaging with sworn members in the regions on information protection and privacy topics.
“More resources in the education unit would ensure that the PSPH network is maintained and able to carry out its function of providing guidance and resources to staff about privacy and information security,” OVIC said.
In an annexure to the report, dated August 11, Victoria Police’s acting chief commissioner Ross Guenther agreed to focus efforts in privacy training, and said that the privacy team had been given a recent “uplift in resourcing”, though current staffing levels weren’t disclosed.
Family violence the exception
OVIC did note that while “no dedicated privacy training was available to Victoria Police members” for over a year, “there was a range of training available to Victoria Police personnel that touched on information handling principles including cyber security and information security.”
It also found that Police were well-drilled on information handling practices regarding family violence cases, as a result of “extensive work” since a 2016 Royal Commission.
Information Commissioner Sven Bluemmel said that showed Victoria Police “can deliver effective training on handling sensitive and personal information when this is prioritised and appropriately resourced.”
A Victoria Police spokesperson said the force had accepted OVIC’s findings “and will strive to implement all recommendations.”
“Victoria Police is committed to protecting the personal and health information of anyone it interacts with,” the spokesperson said.
“We’ve improved and have committed to reviewing privacy and information handling education annually to ensure up-to-date knowledge is maintained across the organisation.
“Additionally, we have improved resourcing for Victoria Police’s privacy team.
“This is on top of the significant uplift in privacy and information handling training Victoria Police has already achieved in the area of family violence as favourably noted in the examination’s findings.”
The Victoria Police response, that it “...will strive to implement all recommendations”, is at best equivocal. That response partly reflects the limited power the Information Commissioner has in taking enforcement action against government agencies. It also shows the Victoria Police’s determination to do things its way. Given the ineffective enforcement mechanism in the Privacy and Data Protection Act, there is not much the Commissioner can do beyond moral suasion. And good luck with that when dealing with the Victoria Police.