Review finds the Queensland Police Service did not take reasonable steps to protect domestic violence victims’ personal information from offenders
In August 2024, the Information Commissioner commenced preliminary inquiries into the Queensland Police Service’s (QPS) handling of personal information of domestic and family violence victims, after media reported that it had given out the address of a domestic and family violence victim to an offender.
The matter was raised in a Queensland Parliamentary oversight committee. The Hansard transcript of the Estimates Committee hearing on 26 July 2024 stated that the QPS had provided victim addresses in court documents. The then Acting Deputy Police Commissioner said that the QPS’s computer system, the Queensland Police Records and Information Management Exchange system (QPRIME), had automatically imported information stored in QPRIME directly into forms. The then Acting Deputy Police Commissioner explained that it was up to police officers to redact the victim information.
A privacy breach of this nature is unquestionably serious, as it risks further harm to victims from perpetrators of domestic and family violence, including physical and psychological harm. Given this serious risk to victims, the Information Commissioner commenced a review under section 135(1) of the Information Privacy Act 2009 (Qld).
Today the Speaker of the Queensland Legislative Assembly tabled in Parliament the Information Commissioner’s report, ‘Prioritising privacy to keep victims safe: A review of the disclosure of domestic and family violence victims’ addresses to offenders by the Queensland Police Service’.
The QPS breached three privacy principles when the addresses of domestic and family violence victims were disclosed to offenders. This put the victims’ safety and security at risk, and in some cases, enabled the offender to commit further harm. The Information Commissioner’s review found that the QPS’s policies, procedures and systems failed at both a technical and administrative level.
The QPS was aware of the privacy risks associated with QPRIME’s auto population function since at least 2017 and was slow to act to mitigate the privacy risks.
The Review considered the Information Privacy Principles (IPPs) that were in effect prior to 1 July 2025 and found that the QPS breached the following three IPPs:
- IPP 4 – the QPS did not have adequate security safeguards to provide the level of protection for the personal information it was handling that could reasonably be expected to be provided
- IPP 9 – the QPS did not use only parts of personal information that were directly relevant to fulfilling a particular purpose
- IPP 11 – the QPS was not satisfied on reasonable grounds that the disclosure of the victims’ addresses was necessary for a law enforcement purpose.
Since August 2024, the QPS has made a concerted and comprehensive effort to implement whole-of-business solutions to mitigate the risk of further unauthorised disclosures of victim’s personal information to offenders.
Based on the Review findings, the Information Commissioner determined that it was not necessary to issue a compliance notice.
Recommendations made by the Information Commissioner arising from the Review seek to strengthen the personal privacy protections of the personal information of victims held by the QPS. The recommendations also aim to provide greater guidance to frontline police officers and enhance the support the QPS provides to members of the public to make privacy complaints.
