Another expose about abuse of the Victorian Police LEAP database, involving litigation this time and yes, another call for an inquiry. A chronic abuse of privacy that stubbornly is not properly addressed.

December 16, 2022 |

The misuse of the Victorian Police’s database, known as LEAP, has been chronic and systemic for many years.  The reports of those misdeeds by sworn officers are regular.  I posted on them on 9 February 2014 with Leakage of LEAP data an ongoing privacy issue …. for so long. on 18 May 2015 with Another problem with the Victorian Police, the LEAP database and privacy, on 16 October 2016 with Victoria police has yet another problem with data security… new breaches familiar pattern of behaviour,  IBAC released a 33 page report on Unauthorised access and disclosure of information held by Victoria Police.

The key findings of that IBAC report were:

    • Unauthorised access and disclosure of information are key enablers of other corrupt behaviour. These corruption risks are often overlooked as risks by agencies. This is evident in the lower than expected number of reports made to IBAC, and in the behaviours uncovered in investigations undertaken by IBAC and other public sector agencies. It is expected that as the understanding of information misuse as an enabler of corruption increases, this will help detection and investigation by Victoria Police.
    • Unauthorised disclosures to the media is a risk across public sector agencies, including Victoria Police which frequently deals with issues of high public interest. These incidents are difficult to substantiate due to the source of the information leaks often being difficult to identify.
    • Sharing information with approved third parties also presents many corruption risks. Although policies may be in place to control information access and disclosure by third parties, the proactive detection and enforcement of information misuse by agencies owning the information is difficult. This is especially relevant for Victoria Police, which holds significant private personal details about citizens.
    • Increased use of personal devices and smart phones in the workplace has made unauthorised disclosure of information much easier. This is particularly the case for those Victoria Police employees who use their personal mobile phones to conduct their work duties,5 including using cameras to capture evidence or using applications to take notes or recordings.
    • IBAC intelligence suggests information misuse is under-reported across the entire public sector, including Victoria Police. This may be due to it being under-detected, an under-appreciation for information security and privacy rights, or a lack of awareness that information misuse and disclosure may constitute an offence in itself.
    • The number of reports of information misuse made to IBAC related to Victoria Police is higher than from other public sector agencies but is also declining. The higher number of reports may be due to Victoria Police employees and members of the public having a higher level of awareness of the risks related to information misuse, due to the large amount of sensitive information their organisation holds. The declining number of reports over time may reflect under-reporting and the difficulties in detection. A recent spike in reported incidents in 2017-18 may reflect improving information security practices by Victoria Police and its employees.
    • Victoria Police and IBAC often do not detect information misuse until they are investigating other misconduct or corrupt actions. This is partly due to information security systems, which have not been fully developed, and a lack of proactive monitoring and auditing processes in place to detect unauthorised information access.
    • Customised auditing of information access is under-utilised by Victoria Police and its benefits are under-appreciated. A program of proactive, extensive and repeated auditing could be used to identify and deter unauthorised access of information.
    • The introduction in 2016 of the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS) across the public sector is expected to reduce unauthorised information access and disclosure. For Victoria Police, the VPDSS does not represent a materially higher standard for information security than the previous Standards for Law Enforcement Data Security. However the VPDSS represents a shift from prescriptive standards to a more flexible risk-based approach.

It is also relevant to note that the Victorian Information Commissioner, not the strongest or most rigorous privacy regulator, handed down a critical report on the privacy and information handling at the Victoria Police.  The 15 August report, Examination report into privacy and information handling training at Victoria Police published, find that the Victoria Police did not comply with its privacy obligations.  The media release provides:

Part of OVIC’s role as Victoria’s privacy regulator includes oversight of Victoria Police and its management of law enforcement data.

On 30 September 2021, OVIC commenced an examination into the privacy and information handling training at Victoria Police.

The objective was to examine whether the training provided to Victoria Police personnel meets the requirements of Information Privacy Principle (IPP) 4.1 under the Privacy and Data Protection Act 2014 (Vic).

IPP 4.1 outlines that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification, or disclosure.

During this examination, OVIC staff gathered information from relevant Victoria Police personnel on how training is developed, delivered, and evaluated at Victoria Police, with an interest in information handling and privacy both generally and within the context of family violence investigations.

“In performing its law enforcement functions, Victoria Police collects, manages, and uses sensitive and personal information of Victorians, including delicate information related to some of the most vulnerable members of the community” said Information Commissioner Sven Bluemmel.

“A lack of appropriate training in privacy and information handling can increase the risk of misuse, loss, unauthorised access, modification, and disclosure of this information.”

The examination found that as of February 2022, Victoria Police had not provided any privacy-specific training available for its members for more than a year. The examination also found a lack of resources within its Privacy unit and Education Unit.

While no dedicated privacy training was available to Victoria Police members, there was a range of training available to Victoria Police personnel that touched on information handling principles including cyber security and information security.

Due to a lack of dedicated privacy training and awareness provided, the examination found that Victoria Police may not be compliant with its obligations under IPP 4.1.

In contrast, the examination found that since the 2016 report of the Royal Commission into Family Violence, Victoria Police has done extensive work on providing family violence training to its personnel, including providing comprehensive guidance about handling information gathered in a family violence context.

Victoria Police’s response to the Royal Commission into Family Violence demonstrates it can deliver effective training on handling sensitive and personal information when this is prioritised and appropriately resourced” said Mr. Bluemmel.

Victoria Police has accepted the findings of the examination and has provided further resourcing to its privacy team. It has also undertaken to review privacy and information handling education annually.

OVIC will continue its engagement with Victoria Police to promote, support, and ensure reasonable steps are taken to protect the personal information of Victorians.

The ABC reports in Victoria Police allegedly use LEAP database to pursue, stalk, harass women prompting calls for inquiry that the problem continues but now legal action is being taken against the Victoria Police.  It provides:

Rachel Wilks was just 15 when Jayden Faure used his position as a police officer to try to pursue a relationship with her. 

Ms Wilks had been assaulted by a family member. She was alone in the city with no phone or train ticket home when she came into contact with police.

“I was in a super vulnerable place,” she said.

“Instead of being comforted, I was preyed upon.”

Ms Wilks said Faure accompanied her back to a police station and gave her his business card, telling her to contact him when she arrived home safely.

Faure was not the officer responsible for investigating her case, so there was no official reason why Ms Wilks should contact him.

When Ms Wilks texted Faure, he asked for her Snapchat.

“At first [the contact was] caring and professional, even though it was on a platform that shouldn’t have been used,” Ms Wilks said.

“But then, yeah, quickly changed to like … grooming, flirtatious.

“It got a bit more full-on when he was inviting me to come down to Melbourne to see him.”

What Ms Wilks didn’t know was that at the same time Faure was messaging her, he was also checking the details of one of her family members on the police LEAP database without any legitimate reason.

Hundreds of complaints

The ABC can reveal 178 police officers have faced complaints about the misuse of LEAP in the past five years.

Of the complaints, 32 files remain active, 65 officers were disciplined, and no action was taken in relation to 79 officers while another eight were charged with misusing LEAP in that time.

Officers may be facing multiple allegations.

Where no action was taken, the ABC understands the member has resigned or retired, the statute of limitations has been exceeded, or the complaint was withdrawn.

Faure is one of the officers charged over the misuse of the LEAP database.

Earlier this year, Faure pleaded guilty to four charges of misconduct in public office and one charge of attempting to pervert the course of justice.

Two charges related to how he interacted with Ms Wilks.

The former officer was sentenced to a three-year community corrections order.

He is the only officer to be convicted for misusing LEAP in the past five years.

‘Shouldn’t have happened’

The ABC has spoken to three women who allege they are the victims of privacy breaches — all three are pursuing civil action against Victoria Police.

Ms Wilks, 22, is now a youth worker. She said the fact an officer used his position to contact her and send messages with a “sexual overtone” was incredibly concerning.

After the ABC successfully applied to the County Court to vary a suppression order, Ms Wilks was able to speak publicly about her experience for the first time.

“Now that I deal with young people who are vulnerable and a similar age to what I was, I get very upset; I get very angry, protective,” she said.

“It just shouldn’t have happened.”

Alongside other victims of alleged police misconduct and lawyers, Ms Wilks is calling for systemic changes to be made to the way Victoria Police manage sensitive information so other people are protected.

Fears unauthorised access is widespread

The Law Enforcement Assistance Program (LEAP) is an online database that catalogues a person’s interactions with Victoria Police, including alleged crimes, family violence incidents, and missing persons reports.

It includes details about the locations and people involved.

In 2019, Victoria’s anti-corruption watchdog IBAC investigated unauthorised access of information held by Victoria Police.

They found “information misuse remains widely misunderstood by both police and the community”.

“This leads to it not being detected or reported,” the IBAC report said.

“The lack of identification or recognition of information misuse in turn makes it difficult for Victoria Police to manage this issue.”

The ABC asked IBAC how many police officers have allegedly had unauthorised access of the LEAP database.

They didn’t answer the specific question, but said every complaint IBAC received was assessed in accordance with the law.

“IBAC must prioritise investigating allegations of serious or systemic corruption and misconduct, which account for a small number of the complaints/notifications received,” a spokesperson said.

“When IBAC refers police misconduct allegations to Victoria Police for investigation, it is because IBAC has assessed that Victoria Police is the more appropriate body to investigate.”

Jeremy King, a lawyer and principal at Robinson Gill, said the fact IBAC wouldn’t say how many complaints they had received about unauthorised access of LEAP was a big part of the problem.

“Police seem to use LEAP as their own personal search engine,” Mr King said.

“I’m pretty concerned people’s privacy is being breached by police all the time, but nobody knows about it because police are left to police themselves.”

His firm has dealt with at least 10 cases of police officers allegedly misusing police information.

Of all the complaints made to IBAC about Victoria Police, the vast majority (more than 95 per cent) are sent back to police for investigation.

Mr King said this represented an unacceptable conflict of interest.

He has called for independent oversight of access to police databases.

“The checks and balances are not in place when it comes to LEAP,” he said.

“Police need to urgently implement better systems to make sure that when there is unauthorised access of LEAP, it’s immediately reported [to the person] and reported to an independent ombudsman.”

Appropriate safeguards in place

Victoria Police say they have “stringent measures” in place to ensure the proper use of LEAP, including keeping detailed records about how the system has been used indefinitely.

This means any breach can be investigated even years after it happened.

“Victoria Police conducts both reactive and proactive monitoring of LEAP, restricts access to especially sensitive information, has tiered levels of access, and continually reminds employees who access the system of their legal obligations,” a spokesperson said.

“This strong oversight means the number of LEAP breaches is relatively small given the millions of legitimate uses every year.”

Victoria Police rejected the need for independent oversight.

“Any independent oversight is unnecessary and would indeed create additional security risks and challenges,” a spokesperson said.

“All breaches are fully investigated and result in the consideration of criminal and disciplinary charges.”

Officer investigated, but not charged

A year after Jane’s (not her real name) husband died suddenly of cancer, she decided to change her daughter’s middle name in his honour.

Jane needed to get a document witnessed, so she went to the local police station — that’s when she met officer Simon (not his real name).

“After that, he started popping up everywhere,” she said.

“He just happened to show up at my workplace, he would pop police cards in my letterbox.”

Within a couple of years, a relationship developed.

“He was actually still married at the time, but he told me he’d separated,” Jane said.

“After we broke up, I found out that he’d had another girlfriend and had had quite a few during that time.”

While the infidelity hurt, for Jane the trauma intensified when she got a call from Taskforce Salus — a Victoria Police unit that investigates complaints of sexual assault, harassment, and predatory behaviour by police.

She said Taskforce Salus told her Simon had accessed her LEAP file, and the files of her family and friends, about 50 times.

After she made an official statement against Simon, Jane says police were so worried about her safety that they installed new locks and CCTV at her house.

Learning about the level of surveillance she and her family had been under left Jane feeling sick.

“I was an absolute mess; it’s an awful feeling,” she said.

“I look over my shoulder a lot; I’ve had to have counselling and I take anti-anxiety medication.”

Despite an extensive investigation, Jane was told Simon would not face court to answer allegations he used police data to stalk her and other women because the period during which charges could be laid had run out.

“They need to change the law so that you can be prosecuted after a certain time,” she said.

“To make it clear that stalking women is not OK.”

LEAP ‘weaponised’ against women

Lauren Caulfield is the coordinator of Beyond Survival — a project that works with survivors of family violence perpetrated by police officers.

She said despite being a “very small” project, nearly all the women they worked with said LEAP had been weaponised against them as a tool to control and abuse.

“If we are seeing this tactic used in the majority of cases, we know that what we’re looking at is really just the tip of the iceberg,” she said.

“In the hands of abusive police, the police intelligence database is effectively a purpose-built tool for stalking and coercive control — and that’s how it’s being used.”

Ms Caulfield said the impact of these unauthorised searches could not be overestimated.

“There are already enormous power differentials between police who perpetrate violence, and the women that they target,” she said.

“It’s part of what makes police-perpetrated violence incredibly high risk, and incredibly difficult for women to escape.

Now too afraid to call police

Stella (not her real name) first met Victoria Police officer Paul (not his real name) when he came to her workplace to investigate a crime. After they met, she started getting text messages.

She now believes Paul got her phone number from the police database to pursue a relationship with her. Stella said that at the time, she was vulnerable.

“He could see the cracks, he knew of my struggles,” she said.

Paul’s strategy worked. He struck up a friendship with Stella and they eventually started seeing each other.

Once the relationship started, Stella believes the unauthorised access of LEAP did not stop.

“There were times where I changed my number or my licence, I’d move house and he’d ring,” Stella said.

A subsequent police investigation has alleged Paul accessed Stella’s information dozens of times.

Learning that Paul allegedly used the police database to stalk her has devastated Stella.

“To find out 10 years later that there were [many] other women that he used the same predatory behaviours on,” Stella said.

“It just massively ruined, pretty much the last three and a half years.”

Stella now has trouble trusting men and police and struggles with her mental health.

“I have a fear of him ‘getting me back’, so to speak,” she said.

Paul has now left the force and is before the courts.

Call to end ‘police self-investigations’

Ms Caulfield said there needed to be a public inquiry into police-perpetrated family violence and misuse of police information.

She said there was a “culture of impunity” around unauthorised access of police databases and was calling for an “end to police self-investigations”.

“The oversight system we have in place in Victoria is absolutely toothless, and it’s riddled with bias and conflict of interest,” she said.

“The risk and the harm to victims of police-perpetrated violence is absolutely acute, it’s ongoing, and it’s deeply unacceptable.”

Ultimately the only real way in which the abuse of the LEAP database can be prevented is to have some form of outside oversight by a regulator.  In the United States the Federal Trade Commission would enter into a consent agreement of 10 – 20 years duration which specifies actions to be taken and reviews to be had by third party experts.  Heavy fines also focuses the mind.  And finally a statutory tort of interference with privacy which gives victims a more effective way to bring a claim.

Leave a Reply