Legislative Council: Tuesday, November 15, 2016

South Australia Police

In reply to the Hon. S.G. WADE (24 February 2016).

The Hon. P. MALINAUSKAS (Minister for Police, Minister for Correctional Services, Minister for Emergency Services, Minister for Road Safety): I am advised:

1. As a South Australian Government agency, South Australia Police (SAPOL) is mandated to implement the Information Security Management Framework (ISMF), as published by the Office of Digital Government. The ISMF is largely based on the international standard for information security. The ISMF is implemented by SAPOL’s Information Security Management System which documents and tracks risk to information assets; provides methodology regarding security controls; and mitigates and treats risk (including risks to asset confidentiality). SAPOL systems have a very high degree of inbuilt security measures and are able to log every access by every employee. Strict policies are in place in relation to accessing, managing and releasing information. SAPOL practice is that people only have access to systems that they require for work-related purposes. Employee obligations, whether sworn or unsworn, are clearly reflected in training regimes.

2. SAPOL has log and audit practices generally at all levels of the agency, and particularly for operational policing IT systems. Policy and practice is that systems and records access is recorded against individual user credentials with actions searchable for audit purposes. Security controls are audited on a quarterly basis to measure compliance with the SA Government ISMF. Proactive random audits are done, particularly in relation to incidents of a significant profile having a 'curiosity' element. Any suspicious access identified is referred to the Ethical and Professional Standards Branch (EPSB) for investigation. In the 2014-15 year, seven matters relating to unauthorised access to criminal history records and three matters relating to unauthorised access to traffic history records were referred to EPSB.

3. The nature of the breaches ranges; for example, a relatively minor matter could be an employee checking on a SAPOL system to verify their own personal motor vehicle registration or their driver’s licence number. This is considered to be a breach of policy and is investigated and dealt with. More serious matters which would be of concern to the broader public would include police officers or employees accessing confidential information and potentially compromising investigations as a result of releasing that information. The range of penalties would extend from a reprimand on the basis that someone has committed the lowest order of offending against the disciplinary framework, right up to criminal prosecution for people who have accessed and released information for personal gain or to the benefit of another person. From an internal disciplinary perspective, people have had their access restricted or removed completely, been transferred to a position where they no longer require or have access to systems and could potentially receive a monetary fine as well. Should an officer be identified as having accessed information for personal reasons in the most serious of circumstances, even if there is no breach of the criminal law, termination of employment would be a consideration in terms of how that matter would be dealt with.

SAPOL also manages an extensive complaints process in relation to access and release of information which may come from SAPOL employees and/or members of the public. The process and management framework involves the Police Ombudsman and ICAC where appropriate.