VicPD gave someone access to the entire police database

Last year, the Executive Director of Restorative Justice Victoria said they’d had access to PRIME — B.C.’s police database — but “this created too many privacy related concerns.” Behind the scenes, emails show when VicPD privacy staff had found out, they panicked over the “privacy breach.”

B.C.’s municipal police forces and the RCMP use PRIME. If your name is in a police report, e.g., that report could be found by looking you up in PRIME. The Auditor General said PRIME contains “highly sensitive and confidential data and should be protected.” Access is a big deal.

The Executive Director of Restorative Justice said she’d asked Deputy Chief Laidman for PRIME access to review files that could be eligible for a restorative justice response. VicPD authorized access in December 2019, seemingly without consulting with internal privacy staff, or the Info and Privacy Commissioner.

VicPD privacy staff found out about her access over a year later. Based on her access to PRIME, if she clicked a button two below the one she was supposed to, she could have looked up any person, business or vehicle in B.C., reviewed police reports, etc.

VicPD privacy staff also found out she had access to their media drive as well, which contains video, audio, interviews and more. Unlike PRIME, they said there was no way to track what was viewed. Privacy staff weren’t involved in the decision to grant access.

VicPD staff were panicked, and initially thought she had greater access to PRIME than officers (which turned out to be false). They contacted Deputy Chief Laidman, and talked to the Executive Director of Restorative Justice, who said she had limited access, although staff said she could have queried any name.

Acting on their concerns about outside access to PRIME, VicPD privacy staff had the IT department remove her access. It seems like they preserved VicPD’s ability to review anything she might have looked at, although there’s no evidence they did such an audit.

To be clear, while arguably VicPD shouldn’t have given her access, there’s no reason to believe — and no evidence in these records to suggest — that the Executive Director of Restorative Justice ran any queries or did anything outside her intention to use PRIME access to support the Restorative Justice program.

What these records show is VicPD granting access to a database the Auditor General says “should be protected with multiple layers of security,” and VicPD’s internal drive, without consulting their privacy team, who deemed it a “privacy breach.” That seems like a fair assessment.

The access VicPD thought they provided was already problematic and a privacy breach of their own making — offering up files for perusal shows a lack of thought re: potential harm. It’s fitting they made it worse by mistakenly providing access to the full database at the same time.