Police improperly access police database, but don't audit its use

Thinking of ways to see how VicPD monitors critics, last year I FOI'd records about myself. I learned a VicPD officer and Saanich PD employees accessed my personal info in their database after I filed previous FOIs. The Office of the Information and Privacy Commissioner (OIPC) has now found those look-ups were unauthorized.

In 2017, I FOI’d VicPD “Crime Prevention Through Environmental Design” (CPTED) reports. On February 9, at 2:01 pm, VicPD's FOI staff sent a request for records to an officer involved in that program. At 2:23 pm, they looked me up in PRIME.

The PRIME database can include your contact info; 911 calls; police reports you’re mentioned in; etc. There is no reason to look for that information when someone files a general FOI. I filed a complaint, and the OIPC found the VicPD officer’s access was “not authorized.”

In 2019, I filed an FOI for Saanich PD street check data. Two days later, an SPD staff member looked me up in PRIME. One day after they sent me the records, a different employee looked me up. The OIPC found SPD’s access was “not authorized.”

VicPD and the first SPD staffer said they didn’t know why they looked me up, but neither gave a reason it would have been okay. If you FOI an Island Health program, a doctor can’t just decide to look up your medical records.

VicPD’s records showed they recommended defensive architecture to displace people from BC Housing and government buildings. The SPD street check data became part of this piece.

I filed a complaint with the OIPC to put it on record that what they did is a problem. I also suggested the OIPC have the departments review other inappropriate access (e.g. officers looking up FOI applicants, critics, journalists, councillors, and officers’ personal contacts).

No luck there. The OIPC said the people involved failed or chose not to follow privacy training and policies, but the remedy was to address their conduct internally, and for regular privacy training to protect individuals’ personal information from unauthorized access.

I requested info on whether police looked me up (as opposed to others) because unlike the police, I can only access my own personal info. We know local police target and surveil Indigenous, Black and Muslim people, which would also involve PRIME queries.

Through FOI I also saw VicPD’s $727,000 PR shop spends time monitoring my social media. Here they were concerned I knew something that happened in public but which was not in a VicPD press release. They called the tea “liquid,” perhaps because it sounds more harmful than “tea.”

Watching for anyone off-message to protect their public image and budget is problematic, but it’s what they do. VicPD went after the teachers’ association on SLOs; led an outrage campaign over the Bastion Square mural; and “reamed out” Black Press for an article they didn't like.

Police carry incredible power, including power to do harm. They should not be able to access your personal information just because they feel entitled to it. But there is no sign anyone will review how often these types of police privacy violations are happening, and to who.

This is what I FOI'd if you want to replicate (cc past Victoria councillors). You can then try to match queries to reports, if any. If there are reports/calls that you don't want to re-live, you may want to leave out "info held in PRIME" and reports. Relevance of "emails" may vary.

If you file a similar FOI, you may see you were looked up on or after the date you filed. It's likely the FOI analyst who did so to find the records, but you can ask the PD to provide the name/title of the person behind the ID number to confirm. Also, date range is up to you!

Update: As a follow-up, I FOI’d VicPD for any audits on PRIME usage they’d done since 2017. They said “no audits have been conducted of PRIME usage.” I also asked for stats on officers not giving a reason for looking people up. They said you can’t list a reason in PRIME. So, 100%, then.

Hundreds of employees with access to a sensitive database where they don’t have to say why they accessed someone’s personal information, and their employer never looks to see if anyone is doing something they shouldn’t. What could go wrong? (lots is probably going wrong)