Prioritising privacy to keep victims safe
A review of the disclosure of domestic and family violence victims’ addresses to offenders by the Queensland Police Service
On 25 July 2024, media reported that the Queensland Police Service (QPS) had given out the address of a domestic and family violence victim survivor to an offender.
The matter was raised in a Queensland Parliamentary oversight committee. The Hansard transcript of the Estimates Committee hearing on 26 July 2024 stated that the QPS had provided victim addresses in court documents. The then Acting Deputy Police Commissioner said that QPS’s computer system, the Queensland Police Records and Information Management Exchange system (QPRIME), had automatically imported information in QPRIME directly into forms. The then Acting Deputy Commissioner explained that it was up to police officers to redact the victim information.
A privacy breach of this nature is unquestionably serious, as it risks further harm to victims from perpetrators of domestic and family violence, including physical and psychological harm. Given this serious risk to victims, the Information Commissioner commenced a review on 17 December 2024 under section 135(1) of the Information Privacy Act 2009 (Qld) (the Review).
The Review found that the QPS breached the Information Privacy Act when addresses of domestic and family violence victims were disclosed to offenders. This put the victim’s safety and security at risk, and in some cases, enabled the offender to commit further harm. The QPS’s policies, procedures and systems failed at both a technical and administrative level.
The QPS was aware of the privacy risks associated with QPRIME’s auto population function since at least 2017.
The Review considered the Information Privacy Principles (IPPs) that were in effect prior to 1 July 2025 and found that the QPS breached the following three IPPs:
- IPP 4 – the QPS did not have adequate security safeguards to provide the level of protection for the personal information it was handling that could reasonably be expected to be provided
- IPP 9 – the QPS used personal information beyond what was directly relevant to the specific purpose
- IPP 11 – the QPS was not satisfied on reasonable grounds that the disclosure of the victims’ addresses was necessary for a law enforcement purpose.
After considering the QPS’s whole-of-business solutions to minimise the risk of victims’ personal information from being disclosed to offenders, the Information Commissioner determined that it was not necessary to issue a compliance notice.
The Information Commissioner’s Review recommendations aim to strengthen privacy protections for victims’ personal information held by the QPS. They also seek to provide clearer guidance for front-line police officers and improve QPS support for the public making a privacy complaint.
This report reminds agencies to review information handling practices where systems auto populate forms with personal information they hold.
