Media release: Review finds the Queensland Police Service did not take reasonable steps to protect domestic violence victims’ personal information from offenders
Today, the Information Commissioner tabled a report in Parliament about the Queensland Police Service’s (QPS) personal information handling practices and the disclosure of domestic and family violence victims’ personal information in court documents.
On 25 July 2024, the media reported that the QPS had disclosed the address of a domestic and family violence victim survivor to an offender.
On 26 July 2024, in a Queensland Parliament Estimates Committee hearing, the then Acting Deputy Police Commissioner informed the Committee that this occurred due to the Queensland Police Records and Information Management Exchange system (QPRIME) automatically importing the information stored in QPRIME directly into forms that the QPS provided to offenders and presented in court.
Following subsequent preliminary inquiries made with the QPS, the Information Commissioner commenced a review in December 2024 using powers under section 135 of the Information Privacy Act 2009 (Qld) (the Review).
The Information Commissioner’s report: ‘Prioritising privacy to keep victims safe: A review of the disclosure of domestic and family violence victims’ addresses to offenders by the Queensland Police Service’ sets out the findings and recommendations.
The Review concluded the QPS:
- disclosed domestic and family violence victims’ addresses to offenders, contrary to their legal obligations
- was aware of the privacy risks associated with QPRIME’s auto population function since at least 2017 and was slow to mitigate the risks associated with QPRIME’s auto-population function
- policies, procedures and systems failed at both a technical and administrative level
- should improve the transparency of its privacy complaint handling and take a more victim-centric approach to ensure that victims are aware of their privacy rights and how the QPS will handle their complaint under the Information Privacy Act 2009 (Qld).
The Review considered the Information Privacy Principles (IPPs) that were in effect prior to 1 July 2025 and found that three IPPs were breached, namely:
- IPP 4 – the QPS did not have adequate security safeguards to provide the level of protection for the personal information it was handling that could reasonably be expected to be provided
- IPP 9 – the QPS used personal information beyond what was directly relevant to the specific purpose
- IPP 11 – the QPS was not satisfied on reasonable grounds that the disclosure of the domestic and family violence victims’ addresses was necessary for a law enforcement purpose.
Since August 2024, the QPS has made a concerted and comprehensive effort to implement whole-of-business solutions to mitigate the risk of further unauthorised disclosures.
The report makes specific recommendations to the QPS in relation to prioritising information privacy practices. These recommendations will:
- further strengthen the privacy protections of personal information held by the QPS including the personal information of victims
- provide greater guidance to front-line police officers; and
- enhance the support provided by the QPS to members of the public making a privacy complaint.
The QPS is committed to ‘ongoing meaningful evolution and improvement of its systems and processes’. The Information Commissioner welcomes the QPS’s commitment to engaging cooperatively with the Office of the Information Commissioner and determining a suitable action plan, including feasibility assessment for the recommendations.
Quotes attributable to Queensland’s Information Commissioner, Ms Joanne Kummrow:
‘A privacy breach of this nature is unquestionably serious as it risks further physical and psychological harm to victim survivors from perpetrators of domestic and family violence. While the disclosure of victims’ addresses to offenders by the QPS was unintentional, prioritising privacy is paramount in keeping victims safe from further harm.’
‘The QPS was aware of the privacy risks associated with QPRIME’s auto population function since at least 2017. However, the review identified that the QPS was slow to act before the privacy concerns were publicly reported in August 2024.’
‘Despite finding the QPS’s actions breached the Information Privacy Act, after considering the QPS’s whole-of-business initiatives and actions taken by the Victim Address Working Group since August 2024, I determined it was not necessary to issue the QPS with a compliance notice. I am satisfied that the QPS is aware of and actively addressing the risks associated with QPRIME’s auto population function.’
‘My report also makes recommendations to enhance the support the QPS provides to members of the public to ensure they can exercise their right to make a privacy complaint.’
Media contact: Steve Haigh
Phone: 3234 7373