Victoria Police may have breached their privacy obligations by failing to provide any privacy-specific training to its members for more than a year, according to an examination by the Office of the Victorian Information Commissioner (OVIC).
As of February 2022, Victoria Police had not made any privacy training available for more than a year, partly due to the staffing shortages within its Security, Information and Privacy Division (SPID).
The SPID Security, Education and Compliance unit, as well as its Privacy unit which oversees guidance and education on privacy and information handling, had no staff employed as of February 2022. Recruitment for a single VPS4 role in the Privacy unit and in the Education unit was underway at the time.
Despite the lack of privacy training, Victoria Police does require sworn members to take online training packages relating to information security and on cyber security during recruit training or at the start of a new role. The report noted that personnel “knowledge may not be current” as there is no requirement for them to refresh their knowledge.
However, the report found that since the Royal Commission into Family Violence report was released in 2016, Victoria Police have “done extensive work on family violence training” including on how to handle sensitive data in this context.
Victorian Information Commissioner Sven Bluemmel said this demonstrates that Victoria Police are capable of delivering “effective training on handling sensitive and personal information when this is prioritised and appropriately resourced”.
OVIC released its examination report into privacy and information handling training at Victoria Police on Monday.
The objective was to examine if the training provided to Victoria Police personnel met Information Privacy Principle 4.1 under the state’s Privacy and Data Protection Act. This principle “outlines that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification, or disclosure”.
Mr Bluemmel said that “a lack of appropriate training in privacy and information handling can increase the risk of misuse, loss, unauthorised access, modification, and disclosure of this information”.
The report made three recommendations to Victoria Police including that it give “appropriate resourcing to the Privacy unit and Education unit”, and develop and deliver training on the privacy obligations of sworn members that it should refresh periodically.
Victoria Police has also been told to implement a system enabling all privacy complaints by operational areas to be reported to the Privacy unit.
Acting Victoria Police chief commissioner Ross Guenther said he accepts the findings of the OVIC examination and will “strive to implement all recommendations”.
“In the spirit of continuous improvement, Victoria Police will review further privacy and information handling education on an annual basis to ensure up to date knowledge is maintained across the organisation in this key area,” Mr Guenther said.
“Further resourcing has recently been onboarded into the Vitoria Police Privacy team. This uplift in resourcing will further assist in refreshing training materials and maturing existing processes and guidance materials around the privacy and information handling for all Victoria Police personnel.”
While the recommendations are a good start, chair of the Australian Privacy Foundation David Vaile believes the examination did not express sufficient urgency.
“Standing from outside, it’s a bit alarming for me, watching the choices that were made during the pandemic. It shows that privacy is not treated as a priority within Victoria Police, even when they are dealing with people who are already in vulnerable positions,” Mr Vaile said.
“This was exactly at the moment when all of a sudden everything was online. There’s a whole array of online digital data risks that was closer to everybody’s life, and I’m not sure I saw anything in the report that actually expressed enough concern.
“The report seems to be treating the examination like a formulaic and bureaucratic exercise that needs to be gotten out of the way. Whereas it should’ve stressed the point that police officers that do not receive proper data privacy training could be putting people at fatal risk, particularly when they collect sensitive personal data.”
Do you know more? Contact James Riley via Email.