Search This Blog

Wednesday, March 01, 2006

Major Victorian report on privacy breach

The Victorian Privacy Commissioner has released a report on the investigation of a complaint concerning the handling of personal information by the Office of Police Integrity which involved a range of issues concerning the Law Enforcement Enhancement Program (LEAP) the main data base used by Victorian Police in carrying out their functions.

The Age has prominently reported the Commissioner’s findings.

This report is about the complaints lodged by “Jenny” but the Privacy Commissioner is also conducting a broader examination of issues associated with the management of personal information in the LEAP data base.

A couple of issues of interest from a NSW perspective.

In Victoria, the Police are subject to privacy laws whereas in NSW, the Police (the Police Integrity Commission and others) are only subject to privacy legislation in respect of their educative and administrative functions. This has led to fine legal points about what constitutes the functions covered by privacy legislation and those that are not, an issue that does not arise in Victoria.

A classic illustration was OQ v Commissioner of Police (2005) NSWADT 240 decided by the ADT last October. The Tribunal found that information maintained in the NSW equivalent of LEAPS (Computerised Operational Policing System – COPS) related to core responsibilities and was not subject to the NSW privacy legislation. In this case, while the Police regretted the inconvenience caused, the complainant whose personal information was mishandled by the Police had no recourse available.

The Victorian Privacy Commissioner’s report includes details about the imposition of a compliance notice on the Office of Police Integrity requiring action within a specified period to ensure compliance with the data security principle. The order is the first issued since the Victorian Act commenced.

The NSW Act does not appear to contain powers for a similar order.

Another interesting aspect is that the Victorian Privacy Commissioner is of the view that the legislation in that state requires an agency to notify those concerned if there has been an unauthorised disclosure of personal information, although in this case involving disclosure of information in LEAPS concerning 90 people, he has decided that this is not appropriate. His view is based on the objects of the Act.

The NSW Act does not contain a similar statement of objects.

No comments:

Post a Comment