NSW Police Employee Charged with Accessing Restricted Data Without Authority
A civilian employee of the New South Wales Police Force is facing court over allegations he unlawfully accessed restricted data contained in the police computer system.
In May 2024, officers attached to Lake Illawarra Police District commenced investigations regarding access to restricted computer systems.
At around 8am on Monday, 15 July 2024, police arrested the 27-year old man at Shellharbour and conveyed him to Illawarra Police Station, where he was charged with unauthorised access to or modification of restricted data.
He was refused bail at the police station and brought before Port Kembla Local Court where a bail application was made on his behalf.
The application was successful and the man was granted conditional bail.
Orders were made for the service of the police brief of evidence and the matter was adjourned for reply to brief in the same court on Wednesday, 21 August 2024.
The man’s employment status is expected to be reviewed.
The COPS system
The New South Wales Police Force Computerised Operational Policing System (COPS) database holds more than 40 million records.
The NSW Police Force has its own internal policies with regard to the management and use of the dastabse, and says it is “committed to responsibly and properly managing the personal and health information we collect, protecting the privacy of members of the public and our staff.”
The offence of unauthorised access to or modification of restricted data
Unauthorised access to, or modification of, restricted data held in a computer is an offence under section 308H of the Crimes Act 1900 (NSW), which carries a maximum penalty of 2 years in prison.
To establish the offence, the prosecution must prove beyond reasonable doubt that:
- You caused access to, or modification of, data held in a computer,
- You did so intentionally,
- You were not authorised to cause that access or modification,
- The data was restricted data, and
- You knew the data was restricted data.
‘Data held in a computer’ means data that is:
- Entered or copied into a computer,
- Held in any removable storage which was in a computer for a time, or
- Held in any data storage device on a computer network of which a computer forms a part.
A ‘data storage device’ is any thing, including a disk or file server, which contains or is designed to contain data for use by a computer.
‘Access’ to data held in a computer means:
- The display of data by the computer or any other output of the data,
- The copying or moving of the data to any other place in the computer or to any data storage device, or
- The execution of any program.
‘Modification’ of data held in a computer means the alteration or removal of data, or the addition of data.
Your actions were ‘unauthorised’ if you were not entitled to cause them however, your actions are not unauthorised merely because you had an ulterior motive for them, or if:
- You were an ‘authorised person’ such as a police or other law enforcement officer,
- The computer disk, credit card or other device was in your lawful custody, and
- Your actions were to preserve, or to prevent the concealment, fabrication, destruction or loss of, evidence of any offence.
‘Restricted data’ means data held in a computer to which access is restricted by an access control system associated with a function of the computer.
Time limit for commencing proceedings
Proceedings for the offence must be commenced no later than 12 months from the date of the alleged commission of the offence.
Legal defence
The most frequently used defence to the charge is duress, which is where you acted due to threats of death or really serious harm to you or your family member, and the threats were of such a nature that a person of ordinary firmness and strength of will, of your maturity and sex and in your position, would have given in to them and committed the crime demanded of you.
If you are able to raise evidence of duress, the onus then shifts to the prosecution to prove beyond a reasonable doubt that the defence does not apply in the circumstances.
You are entitled to an acquittal if the prosecution is unable to do this.
Accessing and protecting personal information
Each of us have rights under the Government Information (Public Access) Act 2009, Privacy and Personal Information Protection Act 1998 and Health Records and Information Privacy Act 2002 to access and amend personal information held by The New South Wales Police force.
The Privacy and Personal Information Protection Act mentioned above is the legislation which stipulates what an organisation must do to notify anyone affected when a data breach has occurred.
Data breaches are not uncommon
There have long been concerns about the amount of data that is available to all police officers in New South Wales, how the data is stored, and how it is used.
Individual privacy concerns have been highlighted on numerous occasions, perhaps one of the most well-known cases is that Julie* who finally won her case against Queensland Police and a Queensland Police Officer who unlawfully accessed the QPrime database to get her address, and then gave it to his friend, her former abusive partner.
Julie’s case also highlighted the QLD police force’s ‘weak’ internal discipline system. The officer involved, Neil Punchard, finally resigned in 2021 – however he remained on the QPS payroll while the full legal case played out, despite being suspended and stood down in 2018.
Needless to say, data breaches of any kind, can have detrimental, long term effects for victims.
In recent years many victims of police data breaches have come forward – these types of offences are not uncommon. In 2019, a New South Wales single mother became aware her ex boyfriend had received information held on a COPS file.
She suspected her ex-boyfriend’s neighbour — a policeman — had some involvement in the matter. Her complaint was upheld after an internal investigation comfirmed there had been “unusual access to her file.” The investigation determined that a false record had been created against her name.
Complaints about invasion of privacy
If you have a concern that the privacy of your data has been compromised in any way, or if you would like to know what information the NSWPF has on file, you can contact the Privacy Manager, Communication Services Command.
If you have a complaint about the way your data has been used, you can contact the Information and Privacy Commission of NSW.