Privacy Law and Policy Reporter
The progressive implementation of the Computerised Operational Policing System (COPS) commenced on 4 April 1994. COPS centralises a great deal of information which has previously been held in separate files or in less accessible databases.
The Privacy Committee of NSW first approached the NSW Police Service about COPS in July 1991, after noticing a reference to the project in the Police Service Annual Report. In response to Committee concerns, the Police have since implemented a number of measures to minimise inherent privacy risks including the development of a Code of Best Practice which specifically addresses privacy issues and the upgrading of security safeguards.
Stage 1 consists of a central index and sub-systems for events, intelligence and management information. The central index is used for inquiries and searches about people, organisations, vehicles and locations.
The events sub-system contains details of all incidents which have been reported to police, whether or not the incident involved the commission of an offence. In addition to reports about crime, it includes reports on traffic accidents, lost and found property, false alarms, neighbourhood disputes, apprehended violence orders, missing persons, firearm licensees and so on. Every person who is involved in an incident or event in a relevant way, for example as a witness, person reporting, victim or suspected offender, is allocated a CNI (central names index) number. This is designed to facilitate the linkage of information about the person within the system.
The intelligence sub-system records any information which may be of interest to police in performing their duties, including information about people suspected of being involved in criminal activity. Finally, the management information sub-system produces reports from COPS about activities and trends within police patrol districts.
Further stages of COPS are planned which will include charge management and criminal records.
Notwithstanding the Police Service's efforts to protect privacy, the Committee continues to have serious concerns about the potential for misuse of information stored on COPS.
COPS makes it possible for any one of the 13,000 police officers in NSW, regardless of rank, to have instantaneous access to information stored in the central index, the events sub-system and information classified as ''restricted' in the intelligence sub-system.
It will be possible to obtain information about any person who has come into contact with the police, based on a search using either their name, address, or physical description or the time and location of a particular incident.
A simple example is sufficient to illustrate the potential for invasion of privacy inherent in COPS. A newspaper may report that a woman was sexually assaulted in a particular park on a particular day. Although the newspaper suppressed her identity in its report, it will be possible for any police officer in the State to access the report of the assault and the victim's identity. It is true that the Code of Best Practice states that officers should only access reports on COPS when they have a ''need and right to know', and that access is logged, but in view of the high volumes of activity on COPS, unauthorised access will not always be detected.
The Committee advised the Police Service that it believed that a system as powerful and potentially harmful to privacy rights as COPS should not proceed in the absence of effective data-protection legislation.
The Committee also advised that COPS should not be introduced without an independent, external auditing and review body, which should report on a regular basis to a parliamentary committee.
In addition to independent review, the Committee recommended that further system safeguards be developed to limit the potential for misuse. Areas which still require urgent attention include the following:Restrictions on access
At present, all police will have access to the entire incident/events system and all intelligence information with a basic classification of ''restricted'. This is analogous to every health professional in the State having access to everyone's medical history. The Committee believes that there should be internal barriers to prevent officers searching COPS outside their own areas of responsibility.Sensitive information
There need to be greater restrictions on access to particularly sensitive types of information, such as identifiable information relating to victims of sexual assault and child abuse.Persons of interest
If COPS classifies a person as a ''person of interest', then it will automatically link information about that person. The definition of person of interest is too broad, and will include missing persons, people who have very old convictions and all people who have been issued with firearms licences. The definition needs to be narrowed further, a matter first raised with the Police Service in September 1992.Threat analysis
The COPS system should be subjected to a comprehensive threat analysis, which should identify the value of the information which it will store as well as the potential for unauthorised access to, and misuse of, information.
Since the Privacy Committee made its latest recommendations to the Police Commissioner, the Privacy and Data Protection Bill 1994 has been introduced into the NSW Parliament. However, the Bill is seriously defective in a number of significant respects. One of the most serious defects is that Data Protection Principles 9 and 10 contain extremely broad exemptions to promote the gathering of criminal intelligence. The exemptions are so broad they might even be mis- used as an alternative to warrants or subpoenas. For example, if a public agency questioned the authority of police to demand certain information, the police may try to argue that the disclosure is ''authorised by law' because disclosure for criminal intelligence purposes is identified as a legitimate purpose of disclosure, and the agency would not be liable for offences under the privacy and data protection law.
No steps have yet been taken to set up an independent audit and review body for COPS, and the system safeguards recommended by the Committee have been referred to the COPS project team for further consideration