Vic Police found in potential breach of Privacy Act – OVIC


Victoria Police has allegedly failed to provide dedicated privacy training to its staff members for more than a year, leaving it in potential breach of its obligations under the Privacy and Data Protection Act 2014.

Specifically, an OVIC investigation found that, due to insufficient staff training, Vic Police may have breached Section 4.1 of the Act’s Information Privacy Principles (IPPs), which holds that: “An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.”

The Information Commissioner, as part of its report, notes that appropriate information handling relies on staff understanding and employing good information handling practices in the performance of their roles.

“A way to address this risk is by ensuring adequate training is provided to staff so that they understand their obligations regarding privacy and information security,” OVIC wrote, with an added responsibility to “embed respect for upholding information rights into its organisational culture”.

OVIC found that insufficient privacy training was in large part the result of “resourcing constraints” within the police force’s Security, Information and Privacy Division (SIPD) – which itself heads a dedicated unit, the Protective Security Portfolio Holder (PSPH) network, for guiding and educating experienced staff in privacy and information-handling matters.

As part of the investigation, Victoria Police informed OVIC that the network – which had at one point consisted of around 650 representatives – had been “inactive and ‘treading water’ for over a year” due to a lack of staff within its education unit.

“The network can be highly valuable due to the PSPH’s role as a touch point for guidance and education on privacy and information handling within Victoria Police. However, the recent lack of engagement and maintenance of the network due to resourcing issues has led to its erosion in both capacity and effectiveness.”

Moreover, OVIC found that while extensive training is provided at the initial stages of officers’ careers, this falls away as an officer’s career progresses, with a “heavy reliance on the interpretation of ethical standards to guide information handling, information security, and privacy obligations”.

While there is currently no dedicated privacy training on offer to Vic Police staff, OVIC’s investigations found the force does have a range of relevant self-training materials (available in the form of ‘e-packages’ accessible via the online Victoria Police Learning Hub) that do touch on elements of information handling principles and are supportive of privacy. These include training packages on cybersecurity and information security.

Nevertheless, while there is some content crossover, neither the ‘Cyber Security’ nor ‘Information Security’ e-packages specifically deal with sworn members’ obligations under the PDP Act.

“The Cyber Security e-package has a focus on preserving personal privacy and the privacy of information held by Victoria Police when using electronic devices, however it does not explore the privacy implications for Victorians when information is misused,” OVIC wrote.

“Likewise, the Information Security e-package deals with how to protect information but does not canvass the IPPs under the PDP Act, nor does it provide guidance on Victoria Police’s Privacy Policy or Privacy Complaints Handling Policy.”

Further, not only are the lessons potentially out of date (having been created and last updated in 2015), but there is also no requirement for staff to re-take certain core training e-packages periodically. As a result, OVIC said, “staff may not have up-to-date knowledge”.

“Currency of knowledge about privacy and information handling is important as the interpretation of the IPPs and amendments to the PDP Act continue to shift the privacy and information security landscape.”

“Having up-to-date knowledge means that personnel are better able to understand their obligations and manage personal information appropriately.”

Victoria Police has recorded low numbers of privacy complaints annually over the last three years, OVIC confirmed. In 2021, the organisation recorded a total of 16 privacy complaints with 13 of those related to the IPPs.

However, these commendable complaint stats may have worked against Vic Police’s privacy education resourcing demands, with staff noting that such low numbers reduced the likelihood of making a successful business case for increased resourcing.

OVIC’s recommendations

As a result of its findings, OVIC made three recommendations to Victoria Police:

Recommendation 1:

  • Victoria Police should allocate appropriate resourcing to the Privacy unit and Education unit. This will ensure Victoria Police can perform its functions, including providing information handling education and training to sworn members.

Recommendation 2:

  • Victoria Police should develop and deliver training to sworn members about their obligations:
      o under the PDP Act and the Information Privacy Principles, and
      o under internal policies relating to privacy, including the Privacy Policy and Privacy Complaints Handling Policy.

  • This training should be refreshed periodically to ensure staff have up-to-date knowledge and understanding of developments in privacy and information handling.

Recommendation 3:

  • Victoria Police should implement a system requiring all privacy complaints received by operational areas (such as local stations) to be reported to the Privacy unit. This will ensure that operational areas can handle complaints with appropriate privacy expertise; increase awareness of the Privacy unit’s functions; and assist the Privacy unit to identify trends that will inform the development of training and guidance.