April 16, 2019

Privacy & Electronic Law

In February 2014 an employee of the Queensland Police Service (QPS), Neil Punchard, gave the residential address of a domestic violence victim (ZIL) to a childhood friend who was ZIL’s ex-partner.

From February 2014 until May 2016 ZIL’s ex-partner allegedly used this information to further breach domestic violence orders.

As a result of this, ZIL and her children had to relocate to an address unknown to her ex.

ZIL brought legal action seeking compensation from QPS for the costs involved in having to relocate her family after her private information was leaked.

The Queensland Civil and Administrative Tribunal (QCAT) has now concluded that QPS breached various Privacy Principles as a result of the police officer’s actions.[1]

What happened?

In 2014 Senior Constable Neil Punchard text ZIL’s residential address to a childhood friend, who was ZIL’s violent ex-partner.

Punchard easily located ZIL’s address by logging on to the QPrime, the database that stores information held by QPS.  

After leaking this information (that was subject to protection through various domestic violence orders) Punchard made a number of “inflammatory comments” about the negative effect this would have on ZIL’s mental health now that her ex-partner knew where she lived.

How was the breach detected?

What was of considerable concern to QCAT was that the breach was only uncovered by happenstance.

In 2016 ZIL’s son found a mobile phone at the ex-partner’s house which confirmed Punchard had leaked the information and revealed Punchard’s inflammatory comments.  

Before this time QPS had failed to detect any unauthorised access of the information had occurred.

How was this able to happen?

It has come to light that the address of ZIL was not given any special protection by the QPrime system.

The evidence presented at the QCAT hearing made clear that the information was as easily accessible as any other information stored in the QPrime database, information that was not protected by various domestic violence orders.

It appears anybody with a login to the QPrime system could access ZIL’s information.

QCAT observed that the protection of information stored by QPS was predicated on the “moral fibre” of police officers with access to the QPrime system being trusted not to abuse their authority.

Punchard and a number of other officers have demonstrated they should not engender such trust.

The decision of QCAT also notes that if ZIL’s son had not found the mobile phone, QPS may have never been alerted to the breach. Due to an absence of systematic auditing within the QPrime system, privacy breaches are generally only uncovered if a complaint is made or an incident occurs.

What did Queensland Police fail to do?

QCAT held that QPS did not take all reasonable steps to prevent Senior Constable Punchard from using or disclosing ZIL’s personal information.

Emphasis was placed on the lack of additional measures being in place to protect the information of domestic violence victims who had sought courts orders to protect their privacy.

QCAT stated “QPS could have added to their QPrime systems to allow restricted access to the information about this vulnerable group”.

QPS was ultimately held to have breached Privacy Principles 4 and 10 of the Privacy Act.

What next?

Senior Constable Punchard was only very recently charged with nine counts of computer hacking. His actions did not come under the cover of the Privacy Act despite being so clearly demonstrable of an invasion of privacy. ​​​​​​​

QPS and other entities who collect private information should take note that there will be circumstances where special kinds of information will need to be protected through additional security measures to ensure they are compliant with the requirements of the Privacy Act.

Entities should have systems in place to identify when a privacy breach occurs, rather than waiting for a complaint to be made.

While technology is changing the way people lead their everyday lives it is meaning a greater amount of private information is stored in an electronic capacity.

Entities responsible for storing private information will need to ensure they tailor their approach to suit the kind of information they hold in order to minimise the risk of falling foul of the Privacy Act.

If you would like assistance with any privacy related issues please do not hesitate to contact Principal, Trenton Schreurs.

 

[1] ZIL v Queensland Police Service [2019] QCAT 79.