More needs to be done to prevent officers from misusing information in sensitive police databases, privacy specialists have told the ABC.
The warnings come a day after the ABC revealed 178 officers have faced complaints about the misuse of Victoria Police's sensitive Law Enforcement Assistance Program (LEAP) database in the past five years.
Of those, only eight police were charged, 65 police were disciplined, and no action was taken against 79 officers.
Allegations against 32 police are still being investigated.
The LEAP database stores confidential information about people, including their addresses, contact details, and alleged criminal involvement.
Three women who spoke to the ABC about the devastating impact of alleged privacy breaches by police are now calling for better oversight of the LEAP database.
On Thursday, Victorian Premier Daniel Andrews said he would not make any announcements about the oversight of Victoria Police.
"As to breaches of the LEAP database, that's completely unacceptable," the premier said.
"I'd have confidence that Victoria Police and other integrity agencies now, and will always, take that very, very seriously."
Good privacy is good policing
In August 2022, the Office of the Victorian Information Commissioner (OVIC) released a report into Victoria Police's privacy and information training.
Under the 2014 Privacy and Data Protection Act, Victoria Police is required to take reasonable steps to ensure information security.
OVIC Commissioner Sven Bluemmel said the office's examination found Victoria Police's privacy training was not being done "sufficiently well".
OVIC found there was no dedicated privacy training on offer and, as of February 2022, Victoria Police had not provided any privacy training for its members in more than a year.
Mr Bluemmel said without regular privacy training it was difficult to ensure all of Victoria Police's 21,000 employees understood their privacy obligations.
"If you don't know what your obligations are, as an individual officer in an agency, it's pretty hard to actually comply with them," he said.
Mr Bluemmel said how people stored and accessed information had drastically changed in recent years and police training needed to keep up.
"We do recognise officers at Victoria Police have to be trained in all sorts of things, and that there is limited time," he said.
"But … the value of the information to which they have access and the potential for inappropriate use is just so great that it requires a strong focus."
Although Victoria Police has a dedicated security, education and compliance unit, and a privacy unit, as of February 2022 no staff were employed in these teams.
Mr Bluemmel said protecting people's privacy was not a "nice to have".
"It is core police work in itself," he said.
"Because you need to have that trust between police and the community for police to be able to do its job as effectively as possible."
OVIC's report made three recommendations:
- Victoria Police allocate appropriate resourcing to the privacy and education units
- Victoria Police develop and deliver regular training to sworn members about their legal privacy obligations and internal privacy policies
- Victoria Police implement a system requiring all privacy complaints received by operational areas (such as local stations) to be reported to the privacy unit
All OVIC recommendations accepted
Victoria Police said it had accepted all of OVIC's recommendations.
"Already we've improved resourcing for both the privacy and education units, which each now have one full-time staff member," a Victoria Police spokesperson said.
"They are supported by trainers at the Victoria Police Academy and a network of more than 200 specialist portfolio holders who assist and provide advice to senior police at a local level to drive cultural change, behaviours, and improved practices around information security and privacy."
Victoria Police said it now regularly conducted privacy training and centrally recorded all privacy complaints.
The OVIC report is one of a number published over the years criticising how Victoria Police manages information, including the LEAP database.
In December 2021, Victoria's anti-corruption watchdog IBAC published a special report called Operation Dawson, which said "the unauthorised access and disclosure of police information is a significant concern for IBAC".
The investigation found a superintendent wrongly accessed and disclosed confidential information held on LEAP and Victoria Police failed to appropriately manage conflicts of interest.
IBAC recommended a section of the Victoria Police Act be amended "to impose a clear, stand-alone obligation" on officers to keep police information confidential and to only access information directly related to their current duties.
The amendment passed parliament in September this year.
Since Operation Dawson, Victoria Police has reviewed and updated its conflict of interest policy in consultation with IBAC.
Building in privacy from the outset
Nicole Stephensen, a privacy expert at consultancy IIS Partners, said she was concerned Victoria Police was not doing enough to ensure authorised employees did not wrongly access personal information.
"Police officers are in a position of power and influence in the community," she said.
"Knowing they are restricted from accessing personal information without authorisation and a clear and proper purpose is foundational to maintaining community trust."
Ms Stephensen said best practice in privacy protection was a concept known as "privacy by design" — a way of operating that put privacy at the centre of everything an organisation did.
For example, it means when a new system is designed, privacy should be considered from the outset, rather than being added as an afterthought.
Privacy by design best practice
While privacy by design is not a particular group of solutions, Ms Stephensen said best practice could include:
- Limiting user access — only giving people access to personal information required for their role
- Routine monitoring of database activity — such as regular logging, auditing, and flagging of user access and activity
- Knowing the data and classifying it according to sensitivity — including additional steps for users to gain access to particularly sensitive information
- Having clear rules and communication about how data should be accessed — with training for staff about their privacy obligations and organisational policies and procedures
Taken together, Ms Stephensen said these approaches could help an organisation take proactive steps to protect people's privacy.
"What appears to be happening is that [Victoria Police] are taking a reactive and remedial approach to information security," she said.
"For example, they wait until there has been a complaint about unauthorised access.
"That is contrary to privacy-by-design principles."
Number of breaches 'relatively small'
Victoria Police said it had "stringent measures in place to ensure the proper use of LEAP".
"Victoria Police conducts both reactive and proactive monitoring of LEAP, restricts access to especially sensitive information, has tiered levels of access and continually reminds employees who access the system of their legal obligations," a spokesperson said.
"This strong oversight means the number of LEAP breaches is relatively small given the millions of legitimate uses every year."
Victoria Police said that before a computer system went live, it had a "range of processes to identify and mitigate any privacy risks".
"This includes a security risk assessment, information value assessment and privacy impact assessment," a spokesperson said.
"We are also continually improving our cyber defences."