Seven serious AFP breaches of privacy revealed in documents obtained by Guardian Australia that disclose errors in handling personal information

This article is more than 4 years old

The Australian federal police accidentally revealed the personal details of an assault victim to the alleged perpetrator, risking the safety of the complainant and his family, according to an AFP risk assessment.

The lapse is one of seven serious privacy and security breaches the AFP has suffered since 2012. Details of the breaches, which have all been referred to the privacy commissioner, have been obtained under freedom of information laws (FoI) by Guardian Australia.

The referrals reveal a number of errors in the handling of personal information, some of which appear to have stemmed from failure by AFP officers to properly redact or handle personal information.

The federal government’s mandatory data retention laws, which came into force in October, allowed law enforcement and other government agencies to collect much more digital personal information.

A draft bill of new data breach laws, released in December, will also require organisations and government agencies to make compulsory notifications to the privacy commissioner.

The most serious lapse revealed in the AFP documents is a June 2012 disclosure of the middle name and surname of a victim of an assault to the alleged perpetrator.

The disclosure was accidentally made in documents released in response to an FoI request by the alleged perpetrator, which had been incorrectly redacted.

Risk of harm

An AFP officer wrote to the privacy commissioner: “Unfortunately in the process of making amendments to the redactions on the documents to give the FoI applicant access to the further information released, the redaction of one reference to the name of one of the third parties was inadvertently moved or deleted in the AFP’s electronic document redaction system.

“The nature of the alleged incident [redacted] and the fact that the FoI applicant was the alleged perpetrator and the third party a member of the family who were the alleged victims of the alleged assault creates a risk that the disclosure of the information might cause harm to the third party and/or his family.”

The AFP officer assessed the breach as potentially high risk to the alleged victims of the assault. “There is a significant risk the FoI applicant will be able to identify the individual and also potentially make the connection that they are one of the alleged victims.”

Following the breach the AFP notified the alleged victim, and asked whether they would like the police to attempt to retrieve the information from the alleged perpetrator.

The AFP told the privacy commissioner it would “undertake a review of its document handling practices” to ensure such errors would not be repeated.

An AFP spokesman said the agency dealt with thousands of reports each year containing personal information, and had self-reported breaches in all instances where a breach was identified.

“Given this large volume of private data being dealt with, the AFP takes its information-handling obligations very seriously, including with respect to personal information,” he said.

“Information-handling practices are a continual area of focus and emphasis across the AFP, including making changes should instances occur.”

The Greens senator Scott Ludlam said the continual breaches were a serious concern.

“There needs to be very strong procedures in place when agencies access and secure personal information,” Ludlam said.

“I think you would hope that as a result of having to report these sort of breaches that they’d undertaken their own reviews. If they are well aware of these issues and are taking the trouble to report to the regulators, then there are data-handling problems.”

He said it further bolstered the case for mandatory data breach notification laws, and much stronger safeguards for the handling of personal information. The absence of mandatory reporting meant that the AFP’s disclosures were likely just the “tip of the iceberg” across government.

Multiple breaches

Six further breaches have occurred since the first breach in 2012, some of which relate to similar issues of document handling.

In October 2012, an AFP contractor who managed national police check applicants made a serious error. The data breach led to 117 people receiving applications for police checks that did not belong to them.

This information included their names, addresses, contact details, driver’s licences and credit card details. The individuals were notified of the breach, and an internal investigation was set up.

The AFP assessed there was a “significant risk” the personal details of police check applicants had been disclosed to other individuals.

In March 2012, an AFP officer accidentally sent the wrong documents to a person requesting access to their AFP files. The officer had mixed up two FoI requests and sent through welfare checks from another FoI applicant, who had been homeless at the time. The risk was assessed as minor by the AFP.

In June 2012, the AFP sent sensitive information about an AFP professional standards matter to the commonwealth ombudsman via registered post.

The letter was received by the ombudsman but was believed to have been previously opened by an unknown person. The AFP said sending sensitive personal information via registered post was considered a very low risk for privacy intrusions and that a review could not identify any other mitigation strategies.

In October 2015, the AFP notified the information commissioner of a possible privacy breach involving a person who, in error, received a short video interview relating to a different criminal matter. It was unclear whether the AFP was responsible for the breach, and the incident sparked a professional standards investigation.

The AFP spokesman said a subsequent internal investigation found the breach was caused “by human error”.

Two of the other breaches have been previously reported after being discovered by Guardian Australia. In September 2014, the AFP made a notification to the privacy commissioner about the accidental disclosure of metadata from criminal investigations.

In December 2014, a notification was made when the AFP mistakenly named two people who were involved in a criminal investigation by failing to redact material released under FoI.

In relation to the training of officers the AFP spokesman said: “All AFP personnel undergo mandatory online training with respect to their handling of personal information, and the operation of the Australian privacy principles under the Privacy Act 1988”.

“Redactions to AFP-held documents are done by the AFP’s freedom of information team in consultation with relevant business areas.”