The personal details of Victorian firearm owners are not kept safe by police, who have failed repeatedly to properly secure information in their database.
A review of the state’s firearm licensing and registration database (LARS) is expected to reveal a series of security issues in the system as well as management and cultural behaviour in the force that increases the risk of information falling into the wrong hands.
The report by the Commissioner for Law Enforcement Dada Security has not yet been published but the commissioner’s annual report highlighted the most significant areas of non-compliance:
- security documentation that was incomplete and out of date;
- a lack of an effective security classification system;
- poor management of particularly sensitive information;
- gaps in logging and monitoring of system events; and
- no business continuity plans or disaster recovery capability.
LARS data includes shooters’ names, addresses, licence details and firearm details, among other highly sensitive information, and it was one of several databases assessed by CLEDS.
“All of the reviewed systems raised serious concerns regarding the assessment of the sensitivity of the information held in each system and the adequacy of the security controls employed to protect that data in accordance with its sensitivity,” the report said.
It also found police culture and work practices added to the problems.
During an on-site assessment of police at work, CLEDS found “three risk areas – a lack of formal documentation, the widespread use of personal devices and problems with compartmentalising information”.
“These risk areas were exacerbated by other factors, such as a high member turnover, inconsistent station induction training and members relying on ‘common sense’ more than official policy,” it reported.
It uncovered pointers to “insufficient support for information management and security at middle management level” and suggestions that “policy alone is an ineffectual tool for improving Victoria Police’s information management/security practices”.
Minor security breaches are believed to be very common.
“When the incidence of information security breaches reported by respondents is extrapolated across the Force on a yearly basis, the results indicate significant numbers of simple security breaches, such as breaches of ‘clear desk/clear screen’ policy, go unreported. This suggests that such breaches are simply accepted as routine and is indicative of the lack of an effective information security culture within Victoria Police.”
The security concerns raised over Victoria’s police database come only weeks after NSW police management dismissed worries that data from the NSW Firearms Registry was being obtained by criminals and fuelling gun theft around the state.