R O Y A L C O M M I S S I O N I N T O W H E T H E R T H E R E H A S B E E N A N Y C O R R U P T O R

C R I M I N A L C O N D U C T B Y W E S T E R N A U S T R A L I A N P O L I C E O F F I C E R S

Western Australia Police Service

Information Management and Security

DISCUSSION PAPER

February 2003

Table of Contents

Page No.

Terms of Appointment of the Royal Commission 1

1. Purpose of the Discussion Paper 3

2. Background 4

3. Collection and Collation of Information 6

4. WAPS Information Management Systems 8

5. Illicit Markets for Information 11

6. The Nature of the Misconduct 13

7. Information Protection and the Law 16

8. Issues of Concern 21

9. Submissions 22

10. References 23

TERMS OF APPOINTMENT OF THE ROYAL COMMISSION

1

2

1 PURPOSE OF THE DISCUSSION PAPER: Terms 3 and 4 of the Commission’s Terms of Appointment require the Commission to:

• Inquire into and report on the effectiveness of existing procedures and statutory provisions in investigating and dealing with corrupt or criminal conduct by WA police officers, and

• Inquire into and report on whether changes in the laws of the State or in investigative or administrative procedures are necessary or desirable for the purpose of investigating or dealing with, preventing or exposing, corrupt or criminal conduct by WA police officers.

To carry out these inquiries, a number of group consultation meetings (Round Table Conferences) will be conducted. The purpose of the Round Table Conferences is to receive submissions from interested and invited parties, to discuss issues that affect the Commission’s final report, to outline proposed approaches to issues that may necessitate action prior to the production of the Commission’s final report and to assist in the preparation of the final report. The first Round Table Conference was held in November 2002 and canvassed the external civilian oversight of the Western Australia Police Service (WAPS). A summary of the first Round Table Conference proceedings is available for viewing on the Commission’s website: www.police.royalcommission.wa.gov.au. A second Round Table Conference will be held on 14 March 2003 to canvass information management issues including:

• Intelligence collection, collation and access • Unauthorised access and associated misconduct • The market for information • Information protection through system modifications, and • Information protection through legislation and Commissioner’s

Instructions. To assist in this process, the Commission has produced this discussion paper with the intention of raising the issues with nominated stakeholders and the general public and to stimulate discussion. Matters raised for discussion in this paper should not be considered as necessarily representing the position of the Commission on any particular matter. Rather, they are offered for the benefit of discussion.

3

2 BACKGROUND As policing becomes more intelligence driven, the role of information management acquires more importance for efficient and effective administrative and operational functioning. It is an inescapable conclusion that any deficiency in information management systems is likely to have far reaching consequences. In this context, it is of concern to learn that some of the problems identified in Fitzgerald (1989) and Wood (1997) have been identified to this Commission as continuing problems within WAPS. The ‘best practice’ for information security can be found in the Australian and New Zealand Standard AS/NZS ISO/IEC 17799:2001 Information Technology – Code of Practice for Information Security Management. This standard states that information is a vital asset to any organisation, and that the protection and security of information is of prime importance to many organisations. Similarly, the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002) advise that the extent of the use of information systems and networks and the entire information technology environment requires that government, businesses and other organisations place a much greater emphasis on security. Given this context, it is reasonable to expect that large government agencies which create and hold vast quantities of sensitive and confidential information, such as WAPS, will have controls and systems in place to guard this information. It is proposed to investigate whether this is the case. The WAPS systems store large amounts of information of a personal and confidential nature. This includes, amongst others, names, addresses, criminal records, vehicles owned, driver’s and firearms licences. New information technology has vastly increased both the ability to store such information and the ability to access it. Whilst this can greatly assist in the delivery of services to the community, it creates new and emerging risks. Recognition of the importance of protecting confidential and private information has a concomitant, that is that the information can have value to those without lawful access to it. In particular, those who have a need to locate people are conscious of the great advantages of police databases. Such people come from a wide spectrum - from the acquaintance of a police officer who is trying to locate, for example, the owner of another vehicle involved in a traffic accident, to the debt-collection agency trying to locate absconding debtors, to private inquiry agents wanting to use databases to assist their investigations, to organised criminals trying to get early warning of police operations or to find a protected witness.

4

There is, and will always be, those who seek to tempt police officers to release such information. The motives of police officers who succumb may vary from a mere desire to assist a friend to greed - the selling of information. Similarly, conduct may range from a single unauthorised access and disclosure to an on-going corrupt relationship. Evidence that has been given before, and information otherwise gathered by, the Commission indicates that unauthorised access of WAPS information data bases has continued to occur in a variety of circumstances and with varying degrees of harm flowing. Not all unauthorised access incidents have the same significance, but they do share one feature in that there is a breach of the trust placed in police officers and WAPS by the citizens of Western Australia. The Wood Royal Commission (1997:436) reported that instances of unauthorised access and disclosure of information commonly occurred in the following circumstances:

• The release of information to private inquiry agents and persons in similar occupations (usually former police officers) in exchange for payment;

• Casual interest curiosity searches for information on persons appearing in the media or other public figures;

• Searches on behalf of friends or family in relation to family and marital disputes, motor vehicle accidents and the like; and

• Searches made to assist criminals in relation to the status of current investigations, or criminal records.

A recent survey of trends in police corruption in the United Kingdom revealed that disclosure of information was the most prevalent corrupt activity currently under investigation (Miller 2003). There is every indication that Western Australia has followed the same trend.

5

3 COLLECTION AND COLLATION OF INFORMATION With the implementation of various measures over recent years which have been designed to ‘sterilize’ the investigation process, such as more stringent informant management, filming of searches and electronic recording of interviews, there is no doubt that the task of police in solving crime and successfully prosecuting offenders has become more challenging. More than ever, police officers require resources and technology to assist them in their difficult task. One tool which is of undoubted value is intelligence. Information is valuable in relation to the investigation of a wide range of offences of varying degrees of gravity across the many areas of the Police Service - not just in relation to serious or organised crime or corruption related offences. It is important to ensure that a system exists whereby all officers of the Police Service are encouraged to contribute information to a centralised database to which investigators can then have efficient and timely access. It is therefore vital that the information technology maintained by the Police Service is structured or configured in a way in which information may be received and analysed and accessed with maximum utility. 3.1 Collection of Intelligence The Bureau of Criminal Intelligence (BCI) is the Criminal Information and Intelligence Management Centre for the Police Service and, according to the COPS manual, has the following objective: To provide a centre for collecting, collating, analysing and disseminating intelligence in

relation to crime and criminals, to assist Police personnel conducting investigations and to report on those matters relating to pattern, syndicated and organised crime, predicted criminal activity, targeted criminals and existing or emerging criminal groups (AD-7)

The primary source of information for the BCI is the system for the submission of Field Reports, which is regulated by the COPS manual (AD-7.1) and Criminal Intelligence pursuant to an apparently informal arrangement whereby officers may submit reports relating to information concerning criminal activity. In addition, Offence Reports and Traffic Reports are required to be submitted, and are accessible on the system. The lodgment of Field Reports and Information Reports is a matter of discretion and consideration needs to be given to whether it is desirable to take steps to impose mandatory obligations to report, or to broaden the range of information entered on the database. Field Reports and Information Reports relate to information concerning criminal activity. Other information which does not directly concern criminal activity which may be gathered by police officers daily as a result of a wide range of operational activities may also be usefully included in the system. For example, patrol vans maintain Action Report Books in multiple copy format, but the information contained is not lodged

6

electronically. Police on patrol and in the field accumulate information daily as a result of the discharge of their duties, which is currently not processed under the COPS system and goes to waste. A purpose of the Conference to be held on 14 March 2003, is to consider whether the system for the collection of information may be improved. 3.2 Collation of Intelligence Information put into the Police Service databases should be stored in a manner by which it is accessible in a way in which it is of greatest utility, and its use regulated to provide maximum security. The security issues to be discussed will be dealt with later in this paper but, in addition, it is proposed to direct attention to the structure of the WAPS IT system to determine whether the databases currently used or proposed under planned changes, are arranged in a manner which best captures and then utilises the intelligence available. On general principles, apart from some specialist databases with requirements for higher levels of security, such as the BCI, OCI, WITSEC and IAU, it would seem that the most efficient arrangement for the WAPS computer system is the use of a mainframe incorporating all fields in which WAPS receive relevant information, in order that it may be efficiently collated, analysed and then accessed by officers who can use it. This does not seem currently to be the case. It is very difficult to draw a WAPS database map of all the fields currently maintained. A number of fields are maintained separately and unconnected to the mainframe. To access or extract information from them requires separate connections. It is intended to consider whether the proposed IMS system will achieve an appropriate arrangement by which a number of fields may be merged or linked. Efficient and timely access to intelligence assists major investigations of serious or organised crime or corruption and operations, by uniformed and plain clothes officers, of a more routine nature. The need for such access is even more acute in relation to corruption investigations, either internally or externally. For proper risk assessments, information is required to establish the behaviour patterns of officers, either individually or in groups. Similarly, to properly base integrity tests, access to criminal information is essential. When the intelligence system is properly maintained, analysts are better equipped for carrying out proactive investigations for the purposes of target identification and operational planning.

7

4 WAPS INFORMATION MANAGEMENT SYSTEMS This discussion paper also seeks to canvass possible system and procedural inadequacies in WAPS information management and security systems, with a view to seeking submissions on risk-reduction and risk-prevention methodologies. This is particularly so, but not exclusively, in regard to unauthorised access and disclosure of information. There is also an issue of physical security that requires attention. For example, to what extent has the police service recognised the need to limit the dangers of theft of information? In particular, this arises in respect of how much information can be downloaded to disks that are portable, and how much information can be stored on laptop computers, which are being increasingly used by police services. There are also issues to be considered in regard to visitor access restrictions and the extent to which visitors can come into areas where they can see screens that display confidential information. A primary issue of concern, however, is to examine the appropriateness and effectiveness of the systems and practices employed by WAPS to prevent, detect and deter unauthorised access and disclosure of information. There is a program called Auditrak, which is the method by which accesses to the WAPS system are (intended) to be audited. That system also enables ‘trapping’ to be activated, that is, warnings can be delivered to police officers, including the Internal Affairs Unit, when certain information is accessed. But the important aspect of Auditrak is the extent to which it enables an audit to be conducted of a police officer's accesses to the system. Questions have been arisen as to the capacity of the Auditrak system. In particular:

• whether this system adequately enables a particular terminal to be identified as having been accessed by a particular user;

• whether it records that printouts have been undertaken - that is, whether a screen has been dumped to a printer;

• whether a recording is made of all accesses that have been undertaken • whether it shows all loggings on and off by police officers; and • whether there are means by which confidential personal information can

be accessed and yet leave no audit trail. There is also some interest in the degree of attention that is given to the issue of preventative auditing. Irrespective of the type of system used to store confidential information, be it computer based or paper based, it is essential that an adequate system of internal audit be practised to ensure that breaches of security protocol are prevented, detected or deterred. In doing so, it is of obvious benefit to conduct both random and reactive audits in response to complaints about unauthorised accesses or other breaches.

8

The police service is currently in the process of introducing and trialling a new computer system – the Information Management System or ‘IMS’. This system is to replace the existing Auditrack system, which has a number of identified weaknesses. It has been suggested that a system of alerts that notify extraordinary events, such as when a police officer goes beyond an expected level of usage, or attempts to gain access to information in excess of level of privilege, would be of significant benefit. There is also an issue of computer security policy and whether WAPS adequately addresses the development of policy and compliance. An issue that has arisen during the Commission’s hearings concerns the attitude of investigators called upon to investigate suspected unauthorised accesses and disclosures of confidential information. It is understood that the majority of investigations are conducted in the first instance by WAPS Internal Investigations Unit or the Internal Affairs Unit. Other agencies - the Anti-Corruption Commission, the Ombudsman and the Public Sector Standards Commission - may become involved subsequently, but the first two units are primarily responsible. The question has arisen as to the priority or seriousness placed on suspected breaches, and whether the police officers who are conducting investigations are inclined to take a different view of the gravamen of access to and disclosure of personal information than would members of the public whose personal information is affected. This, of course, leads to further questions as to how breaches should be viewed and dealt with in terms of disciplinary action or criminal action, and how these decisions are made. Some may believe that there is an inconsistency or inadequacy in the way in which some breaches have been handled. The WAPS Information Management System is, like many others in the broader public service, evolving as a consequence of new technology, which in turn is acting in response to even greater requirements for information storage, management and retrieval. Consideration will be given to whether the new IMS currently being ‘rolled-out’ will have advanced safeguards that meet contemporary community expectations. The OECD (2002) has identified nine principles of information security:

Accountability The responsibilities and accountability of owners, providers and users of information systems and other parties concerned with the security of information systems should be explicit.

Awareness

In order to foster confidence in information systems, owners, providers and users of information systems and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices and procedures for the security

9

of information systems.

Ethics Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.

Multidisciplinary Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints, including technical, administrative, organisational, operational, commercial, educational and legal.

Proportionality Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm, as the requirements for security vary depending upon the particular information systems.

Integration Measures, practices and procedures for the security of information should be coordinated and integrated with each other and with other measures, practices and procedures of the organisation so as to create a coherent system of security.

Timeliness Public and private parties, at both national and international level, should act in a timely coordinated manner to prevent and to respond to breaches of security information systems.

Reassessment The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.

Democracy The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

These principles provide a useful framework for any subsequent evaluation of the degree of fit between the WAPS Information Management System and contemporary practices. They may also be of benefit to those persons making submissions to the Commission on this topic.

10

5 ILLICIT MARKETS FOR INFORMATION It is fair to say that, if not for a ‘demand’ for information, there would not be a market created to ‘supply’ such information. It follows, then, that in addition to efforts to reduce the illegal supply of information, some attention must be given to the forces driving the demand for information that is held or is accessible by police officers. The fact that police officers, even very junior members and support staff, have ready access to information which is valuable to private investigators and organised crime figures exposes them to the real risk of being corrupted. Investigations by the NSW Independent Commission Against Corruption (ICAC) found that the principal participants in the illicit trade in information were:

• Police, Roads and Traffic Authority officers and other New South Wales public officials, who have corruptly sold confidential information entrusted to their care;

• Insurance companies, banks and other financial institutions, which have provided a ready market for that information, and have been major contributors to the thriving trade which developed; and

• Private inquiry and commercial agents, who have acted as brokers and retailers, providing the necessary link between anxious buyers and ready sellers (ICAC, 1992).

This information is consistent with the findings of the Queensland Criminal Justice Commission (now Crime and Misconduct Commission) (“CJC”) in its report Protecting Confidential Information (2000). This report found that the end-users of illicitly obtained police information – those persons who employed private investigators – were:

• Insurance companies, • Solicitors, • Leasing companies, • A range of private sector organisations (eg real-estate agents), • Other private investigation firms, and • Individuals.

It is reasonable to assume that the majority of end-users of illicit information - in legal firms and corporations – must, or ought to be, aware that the information has been obtained illegally. It is not sufficient for such persons to hide behind a cloak of ignorance stating that ‘they do not themselves gather the information and are unaware how it is being obtained’. At best, this can be considered as a form of ‘corporate blindness’, although it ought more properly be considered as a criminal offence. The actions of those seeking the disclosure of information may constitute an offence such as procuring the commission of an offence, and perhaps ought to more frequently be treated as such.

11

It must be said, however, that, with the noted exception of information provided to assist criminals in relation to the status of current investigations etc, much of the information illegally obtained is used for lawful purposes. In considering this matter, the CJC heard from the Queensland Law Society and the Institute of Mercantile Agents which both provided examples of where information on criminal records, addresses, vehicle registrations, etc. was required for legitimate purposes. This raises the question of whether or not there is some lawful means that can be used to provide the information sought so as not to create the ‘demand’ to which police and public officers succumb. It has been suggested that one of the ways that this could be achieved is by means of ensuring that there is a single gateway through which any information can lawfully pass. It is understood that WAPS has taken some positive moves in this regard in relation to introducing the position of a Chief Information Officer. It is perhaps timely that a review be undertaken looking into the range of information that is held on police databases with a view to identifying the potential for some of this information to be made more freely available, and the circumstances under which this should occur. Such a review would be in keeping with the principle enunciated by the OECD regarding ‘reassessment’, whereby ‘the security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time’. For some time, the Australian Institute of Professional Investigators has been campaigning for the establishment of a system whereby approved investigators could be registered and given a confidential PIN number which would permit access to records under strictly controlled conditions and upon payment of an appropriate fee. It is pointed out that private industry is now investigating some aspects of criminal activity which were traditionally the province of the police. With increasing demands on the resources of police services, commercial organisations have either established their own security or investigative unit, or retain private investigators to investigate internal criminal activity. This is a situation which is convenient for the Police Service. From a community perspective, it may also be acceptable provided that the conduct of criminal proceedings is primarily the function of the Police Service and the Director of Public Prosecutions. Consideration should be given to adopting the procedure advocated by the AIPI. A similar system has been instituted in Queensland to enable online access to vehicle registration information by authorised investigators. It appears to be functioning satisfactorily. There obviously may be revenue advantages available to the Police Service.

12

6 THE NATURE OF THE MISCONDUCT The need to ensure confidentiality of personal information and integrity in its use is also important in maintaining public confidence in the Police Service. There is broad public awareness and concern about the amount of personal information that is being stored by government instrumentalities. In the case of the Police Service, there is an acceptance that police officers should have access to such information in order for them to carry out their work quickly and effectively. On the other hand, citizens increasingly seek assurance that their confidential information will only be used for proper policing purposes, and that their ‘right to privacy’ will be respected. Police officers are, in a very real sense, in positions of trust in respect of the confidential information available to them. It is a trust which can easily be assumed, taken for granted, abused, and therefore lost. In the course of its inquiries, the Commission has become aware of a significant number of unlawful accesses to, and disclosures of, confidential police information. On occasions, such conduct forms part of a larger pattern of corrupt behaviour and, indeed, may be an indicator of such behaviour. It is submitted that any breach of the OECD principles of information security can be treated as a breach of privacy. Breaches of privacy are contrary to international and Australian standards that, over the last 10 years, have been increasingly strengthened. Furthermore, breaches of privacy involving confidential information may imperil safety or the rights of the person affected. Finally, if uncontrolled, such breaches can permit corrupt relationships to develop. ICAC (1992) found as a result of its investigations that there was a wide-spread trade in confidential information and that this had been standard practice for many years, with a great many persons and organisations found to have engaged in, or encouraged, corrupt conduct by police officers. In a subsequent investigation, ICAC (1994) reported that a direct cause of the illicit trade in confidential information was due to the failure of public officials to comply with honesty standards required of them. Whilst there was an acknowledgement of the role of systems failures to facilitate this dishonesty, it nonetheless regarded the attitude of the individual as a major contributing, if not equal, factor. The motivation for individual police officers to engage in the trafficking of information is varied, although it would appear that many, if not most, of the transactions involve no exchange of pecuniary benefit or any corrupt intent . Again relying on the CJC report of 2000, many of the police officers exposed have claimed to have been acting for valid purposes in aid of the pursuit of justice, albeit in the knowledge that doing so was contrary to departmental

13

instructions and the law. Reasons cited to justify the actions of disclosing confidential information included:

• The person to whom the information was being supplied was an ex-police officer and could be afforded a higher level of trust than was normally the case.

• There was a common goal shared by the person requesting the information and the subject officers, as the person in question was often performing tasks (e.g. serving court documents) in relation to individuals who were avoiding their lawful obligations.

• The person requesting the information, in the opinion of the subject officer(s) was of good character and had good intentions.

• To conduct a probity check on an acquaintance. (CJC, 2000:29) Although there is a variance in the reasons claimed as justification, the fundamental issues of breaches of privacy, of the law, of the trust placed in police by the public remain. There is also an additional issue in that many of the persons whose records and private details have been accessed will never be aware that this has occurred. The ethics of undertaking these disclosures of information without the ‘offended’ party being aware of such is a further factor that needs to be considered given the concerns of a ‘big brother’ type police state that are held by many. It follows that, as a potential complainant is not aware of this invasion of his/her privacy, he/she is unable to lodge a complaint. Thus the actual incidence of the unauthorised disclosure of confidential information can only be guessed. The identification of those persons who have engaged in the illegal and unauthorised dissemination of police information is not without difficulty. Both this Commission and the CJC (2000:28) have been frustrated in attempts to require officers to account for their computer transactions by seemingly stock responses including:

• They are unable to recall why they performed the transaction and their duty book, which might have assisted them to remember, cannot be located;

• There is a common practice to leave computer terminals open and it must

have been someone else who used their user-ID; and

• They could have been using the computer and someone else requested them to perform a transaction on their behalf but have no recollection as to who that person might have been.

The potential for abuse of a computer system that lacks the robustness to identify with certainty the user at any point in time is self-evident. The lack of a fear of detection in the first instance and the availability of acceptable excuses in

14

the second militates against efforts to control these illegal practices. Even when otherwise compelling information is available, the use of these stock responses makes the prosecution of the individual officers a difficult, time consuming and costly business. It would seem axiomatic that the elimination of the excuses listed above through the application of enhanced security protocols on computer systems would do much to aid in prevention, detection and deterrence.

15

7 INFORMATION PROTECTION AND THE LAW In considering information protection and the law, it is necessary to give attention to both sides of the dissemination transaction. It is necessary to consider the law in relation to those persons within the police service who make the information available, and those persons, both intermediaries and end-users, who procure the information from police officers for both legal and illegal purposes. The Criminal Code at s.81(1), which deals with the disclosure of official secrets – provides that:

Any person who, being employed in the Public Service, publishes or communicates any fact which comes to his knowledge by virtue of his office and which it is his duty to keep secret, or any document which comes to his possession by virtue of his office and which it is his duty to keep secret, except to some person to whom he is bound to publish or communicate it, is guilty of a misdemeanour, and is liable to imprisonment for 2 years.

This section makes illegal any passing of information, computer based or otherwise, by a police officer to an intermediary or an end-user. This has been the substance of some of the evidence given before this Commission. This offence, of course, relies upon the existence of a duty to keep secret information available to the officer and is thus dependent upon the existence and clarity of police regulations. Regulation 607 of the Police Force Regulations provides:

A member or cadet shall not (a) give any person any information relating to the Force or other information which has been furnished to him or obtained by him in the course of his duty as a member or cadet, or (b) disclose the contents of any official papers or documents that have been supplied to him in the course of his duties as a member or cadet or otherwise, except in the course of his duty as a member or cadet.

A number of directions have been issued by the Commissioner of Police. The first of these is Administrative Direction 11.8, that relates to the release of information in regard to civil litigation and provides that in the case of personal injury claims, upon receipt of a written request and on payment of a prescribed fee, citizens may obtain certain specified information from the police service. This disclosure of information is undertaken for the purpose of facilitating a personal injury civil litigation claim. However, the procedure for releasing that information is strictly controlled and can only be supplied by a member of sergeant rank or above. The information that can be released only relates to the particulars of the police officers concerned, names and addresses of civilian witnesses, of vehicle particulars if applicable, and a photocopy of the occurrence book where appropriate.

16

Administration Direction 17, in particular 17.6, deals with access to information on the police computer system:

It is the policy of the Western Australia Police Service to only authorise restricted access to the police service computer system to police service personnel and other persons as authorised by the Commissioner of the Police.

The purpose is to maintain the security of information contained within the Police Service computer system. The procedures there laid down are of particular importance and in particular, the following procedures are set out:

• that a log-in identification that is issued to each police user is personal to them; that a user's log-on ID and password must not be supplied for use by a third party;

• that access by all users is limited to that information which has a direct relationship to their work area, and associated work functions; and

• that access is strictly prohibited to that information which is not related to those work tasks of a user, and with certain exceptions, it is prohibited to disseminate computer information outside the police service.

There is also a warning:

Unauthorised access of information or use of a computer account for which a person is not authorised will be viewed very seriously and may result in prosecution under the Criminal Code, with penalties up to and including a term of imprisonment.

Administrative Direction, AD85, which was introduced in January of 2002, relates to information sharing. This is a policy which has been the result of a review of information release and sharing by WAPS, with a view to ensuring that the operational needs of passing information to other government bodies is permitted within the constraints that are necessary to respect citizens' privacy. That direction, in particular, provides that access to information will normally be granted to individuals who, upon written application, wish to examine their personal information held by the police service. It is stated that:

The purpose of allowing access to personal information is to ensure its accuracy

and give individuals the opportunity to amend any false or misleading information.

The intention is that citizens will be able to access their own information and that those acting for them - for example, insurance companies or legal representatives - will also be able to access this information. But the position in respect of third parties remains the same.

17

Section 83 of the Criminal Code, which deals with ‘corruption’, makes the disclosure of information in exchange for benefit an offence:

Any public officer who, without lawful authority or a reasonable excuse – (a) acts upon knowledge or information obtained by reason of his office or

employment; (b) acts in a matter, in the performance or discharge of the functions of his

office or employment, in relation to which he has, directly or indirectly, any pecuniary interest; or

(c) acts corruptly in the performance or discharge of the functions of his office or employment,

so as to gain benefit, whether pecuniary or otherwise, for any person, or so to cause a detriment, whether pecuniary or otherwise, to any person, is guilty of a crime and is liable to imprisonment for 7 years.

It has been reported that in order to prevent or thwart detection, some police officers have resorted to using the user-IDs of other officers when accessing computerised information systems for unauthorised purposes. In addition to the sections of the Criminal Code referred to above, it is likely that the provisions of s.440A, unauthorised use of computer systems could also be available for situations where the user-ID of another person is used to gain information stored on a computer system:

(2) A person who without proper authorisation –

(a) gains access to information stored in a restricted-access system; or (b) operates a restricted-access system in some other way, is guilty of an

offence and is liable to imprisonment for one year or a fine of $4000.

Hacking was one of the issues that was addressed when this legislation was introduced and was used as an example in the Minister's second reading speech, but a plain reading of section 440A indicates that it extends beyond instances of hacking. It extends to those situations where an otherwise authorised user of a computer system seeks access to it for what was an improper purpose - that is, to obtain information for private, non-police reasons. This offence was inserted into the Criminal Code in 1990 and a question arises as to whether it has been used appropriately for police unauthorised accesses or, indeed, whether it has been used at all. Having established that there are legal options available for the prosecution of police officers who gain unauthorised access to computer systems for the purpose of disclosing confidential information, consideration is now given to those avenues available for dealing with intermediaries and end-users of the information thus obtained. A person who entices a police officer to commit an offence such as the disclosure of confidential information for reward may commit an offence of

18

‘Bribery of a Public Officer’. This offence is provided in s.82 of the Criminal Code:

Any public officer who obtains, or seeks or agrees to receive, a bribe, and any person who gives, or who offers or promises to give, a bribe to a public officer, is guilty of a crime and is liable to imprisonment for 7 years.

Both parties to the transaction, the person who pays the bribe and the public officer who receives it, are guilty of the same offence. In addition, intermediaries and end-users, who are parties to the offences detailed in s.81 and s.83 dealt with above, may also become subject to prosecution of this offence by virtue of s.7 of the Criminal Code regarding Principal Offenders. Section 7 provides that:

When an offence is committed, each of the following persons is deemed to have taken part in committing the offence and to be guilty of the offence, and may be charged with actually committing it, that is to say –

(a) Every person who actually does the act or makes the omission which constitutes the offence;

(b) Every person who does or omits to do any act for the purpose of enabling or aiding another person to commit the offence;

(c) Every person who aids another person in committing the offence; (d) Any person who counsels or procures any other person to commit the

offence. In the fourth case he may be charged either with himself committing the offence or with counselling or procuring its commission. A conviction of counselling or procuring the commission of an offence entails the same consequences in all respects as a conviction of committing the offence. Any person who procures another to do or omit to do any act of any nature that, if he had himself done the act or made the omission, the act or omission would have constituted an offence on his part, is guilty of an offence of the same kind, and is liable to the same punishment as if he had himself done the act or made the omission; and he may be charged with himself doing the act or making the omission.

It seems clear that legislation is available to deal with all parties involved in the unauthorised access of information systems and with the disclosure of information contained therein, but have been rarely, if ever, used. The adequacy of these laws and provisions will best be tested by whether they work. What is not clear is to what extent this legislation has been used in dealing with those police officers and others who have been uncovered engaging in these illegal practices. In considering this same matter, the CJC (2000, 110) found that, although similar legislation was available, it was generally “inadequate for prosecuting the individuals who attempt to procure, receive, obtain or possess classified government information when a financial benefit paid to the public sector employee in exchange cannot be demonstrated”. Perhaps with a similar concern in mind, Fitzgerald (1989) had

19

earlier advocated for the sale of police information to be made a specific criminal offence. It would be of interest to this Commission to hear of any similar difficulties experienced by authorities in attempting to use the relevant legislation to prosecute any of the parties to the offences discussed in this section. It is, however, to be recognised that there is a general trend towards the adoption of privacy legislation. Should such legislation be introduced in Western Australia and include specific offences relating to unauthorised access of police information systems and disclosure of confidential information, it would likely prove of decided benefit in the prevention, deterrence and prosecution of these types of offences.

20

8 ISSUES OF CONCERN From the information made available to the Commission so far, a number of issues of concern have been identified below. It is expected that many of these matters will be discussed during the Round Table Conference and it is hoped that they will be addressed in submissions from WAPS, relevant stakeholders and from the public in general.

• The Corporate Response To Breaches Of Information Security

• Improving The Collection Of Intelligence • An Enhanced System Which Can Analyse And Assist Criminal And

Corruption Investigations

• Preventing Inappropriate Access To Police Service Computer Systems • Preventing Use Of Another User-ID • Addressing The Issue Of Associations Between Police Officers And

Private Inquiry Agents

• Investigators Or People In Similar Occupations

• Technology For Information Security

• Systematic And On-Going Internal Audit

• Recoding The Reason For Transaction

• Raising Awareness Of Information Security And Individual Accountability

• Access To Criminal History, Driver’s Licence And Vehicle Registration

Records

• Making It An Offence To Obtain Or Try To Obtain From Government Records Any Confidential Information About Any Other Person, However It May Be Held.

21

9 SUBMISSIONS The Commission invites written submissions from individuals and organisations on matters relating to information management and security arrangements within the Western Australia Police Service. Submissions should be lodged no later than Friday, 7 March 2003 and addressed to: Research, Policy and Reform Unit Royal Commission Into Whether There Has Been Any Corrupt or Criminal Conduct by Western Australian Police Officers PO Box Z5318 PERTH WA 6831 Submissions can be forwarded electronically to: info@police.royalcommission.wa.gov.au

22

10 REFERENCES COPS Manual, Western Australia Police Service. Criminal Code (WA), State Law Publisher, Perth. Criminal Justice Commission, 2000, Protecting confidential information, CJC, Brisbane. Independent Commission Against Corruption, 1992, Report on the unauthorised release of government information, ICAC, Sydney. Independent Commission Against Corruption, 1994, Report on the investigation into matters relating to police and confidential information, ICAC, Sydney. Fitzgerald, G.E., 1989, Report on a commission of inquiry pursuant to orders in council, Government Printer, Brisbane. Organisation for Economic Co-operation and Development, 2002, OECD Guidelines for the security of information systems and networks : Towards a culture of security, at http://www.oecd.org/pdf/M00034000/M00034292.pdf Standards Australia & New Zealand Standards, 2001, AS/NZS ISO/IEC 17799:2001 Information technology – code of practice for information security management, Standards Australia, Strathfield. Wood, J.R.T.,1997, Royal Commission into the New South Wales police service, Government of the State of New South Wales, Sydney.

23