cpdp victoria police · pdf filedon’t want to compromise longer term prospects...
TRANSCRIPT
Page 1 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
CPDP – Victoria Police Wave 1 & 2 – results (abridged)
EY Sweeney Contacts: Jennifer Hodges, Matt Bond
SR Project No. 24651
Date: 2nd March 2015
Page 2 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Contents
Background to the Study 3
Key take outs – Wave 1 & 2 7
The Scenarios (deleted content) 21
Conclusions and considerations 22
Appendix 25
The following document has been edited to protect the privacy of individuals involved and also to ensure the 2016 research wave is not compromised.
This report is subject to the disclaimer detailed at the end of the document.
EY Sweeney is accredited under the International Standard, ISO 20252.
All aspects of this study has been completed in accordance with the requirements of that scheme.
Also please note that EY Sweeney Research Pty Limited’s liability is limited by a scheme approved under professional standards legislation. A copy of the scheme can be obtained from us upon request”.
The report contains some Victoria Police imagery sourced by CPDP courtesy of the Victoria Police Image Library
Page 3 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Background to the Study
Page 4 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Background
► At the vanguard… Since 2008, the Victoria Police have been at
the vanguard of implementing a program of behaviour change to
ensure the appropriate management of data security amongst
sworn members.
► A range of initiatives… Have been introduced by the
Information Management, Standards and Security Division
(IMSSD) including; training, marketing, policy changes and a program of awareness building.
► Measuring effectiveness… To ensure ongoing learning and
improvement, staff surveys have been conducted to assess the effectiveness of the programs in 2012 (pre- program) and 2014
(after 12 months of activity).
► Increased awareness… The 2014 results demonstrate that the
cultural change program has had a positive impact in terms of
overall awareness of practices and the perceived value in
building data security awareness.
► Attitudes static… However, it is also apparent that except for
the more extreme scenarios, general behaviours and attitudes
toward data security have not altered.
► Question marks… This raises the question of whether there is
confusion in members’ understanding of what constitutes a data
security issue or if the results are a due to a nuanced interpretation of the scenarios presented.
Project purpose… To maximise the effectiveness of the
policy development, training programs and questionnaire
design for the 2016 Monitor, the project team seek greater
insight into the current mindset amongst sworn members and
drill down into the findings from the previous Monitor.
Page 5 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Research Objectives
The Specific Objectives
Overall Research Aim
► To understand the attitudes and behaviours toward law
enforcement data security amongst sworn members of
Victoria Police.
Data security policies • Gain a broad understanding of the knowledge levels of the
Victoria Police data security policies
• Explore the perceived relevance of these policies
Data security management
• Understand the attitudes amongst sworn members toward
data security management
• Identify the key influences on attitudes and behaviours in
relation to data security management
• Explore the motivators and barriers to adopting appropriate
behaviours
Data security priority areas
• Discover the attitudes and behaviours on data security in
relation to....
− Personally owned devices
− Data Storage
− Working off-site
− Disclosure of classified information
Monitor scenarios (content deleted)
• Highlight the interpretation of the 2014 Monitor scenarios
• Identify the range of considerations in interpreting the 2014
Monitor
1
2
3
4
Page 6 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Sample
► Two waves
► Total of 8 group sessions amongst sworn members
► 1.5 hour duration each
► Conducted in station
► Participants recruited by Victoria Police
► Split by…
- Uniform and Detectives
- Metro and Regional
Wave 1 (26th – 27th November 2014)
Metro Rural
Uniform 1 group 1 group
Detective 1 group 1 group
Total 2 groups 2 groups
Wave 2 (2nd – 3rd February 2015)
Metro Rural
Uniform 1 group 1 group
Detective 1 group 1 group
Total 2 groups 2 groups
Page 7 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Key take outs– Wave 1 & 2 Constraint
Focus group discussions/depth interviews evolve creative ideas and generate hypotheses. They are not intended to be a precise and definitive index of what happens in the marketplace. This report should be interpreted with that constraint in mind.
Page 8 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Overall take outs
► Digital versus dark ages… A belief that Victoria Police is facing increasing
pressure from the demands of the digital data environment in which it operates
► Distrust… In the systems to securely manage data… fuelling the tendency for
self management
Disconnect
► Data security… In their appreciation of the importance of data security and
compliance overall
► Management… In their rationale for when they ‘work around’ the system
► Understand broad implications… For colleagues, themselves and the
organisation
Overall confidence & awareness
► Trust and integrity… In their colleagues, personal intent, broad station security
► Defining data sensitivity… An overarching issue of what data requires diligence
► Knowledge deficit… Some are clearly struggling with understanding digital
devices, direction is needed
► Champion critical… To help progress cultural change, bridge the gap and create
consistency
Core issues
► Interpretation… (deleted)
► Comprehension… (deleted) Scenarios
Page 9 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Some key mindsets apparent
A few points on the audience
► Younger… 3 months to 6 years in
Victoria Police
► Academy conscious… Learning still
influencing the newest recruits
► Data exposure… Consider most of
the data they engage with is relatively
low level seriousness
► Induction… Sentiment that they need
to transition to the ‘real world’ of
policing – adapt the academy learning
► CIU… 6-20+ years in Victoria Police
► Implication sensitive… Little more
sensitive to reputation implications –
personal, professional, organisational
► Experience savvy… Reality over
theory re. incidents
► Adapting… Over conforming to
impractical protocols
Uniform CIU
► Conscious choice… To establish their
own system of storage, buy back ups
etc.
► IT savvy… Relative to others
► Distrust… Most acute distrust of the
data systems
► Attempting… To do the right thing
► Assume… Behaviours are appropriate
- Align with others
- Seem reasonable
► Uncertain… If they are doing the right
thing – generally less IT savvy
► Frustrated… With their uncertainty
► Follow… Largely just follow what
others are doing or what seems to be
accepted behaviours
► High internal trust levels
► Not too concerned… Beyond the
basics i.e. will delete data that is no
longer required at their discretion, not
too concerned over USB left in PC
Controllers Triers Relaxed
Page 10 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Some attitudes to information
► Are somewhat predisposed to
keep information
- For reference… To make
future jobs easier
- For back up… In case it may
be needed to cover themselves
- Because too hard… To sort
through!
Hoarders
► Of throwing out something that
may be needed in the future
- Going through old files,
considered an onerous and
time intensive task – easier to
throw but don’t want to
Fear
► By the back log of hard copy
information
- Especially when they have to
re-locate stations or change
roles
Overwhelmed
► In the Victoria Police
information…
- Storage systems
- Management systems
Distrust
• Managing historical data is as challenging as managing current information
Page 11 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Attitude to data security
► Colleagues first… Protecting their work
‘family’ is a top of mind issue
► Real… Recognise the physical threat to
colleagues’ safety is genuine
► Job security… Equally important is
impact on their job - a key factor that
drives compliance
Ramifications are
real and understood
Personal
► Reputation… Strong sense of professional
pride
- Embarrassed… Don’t want to feel foolish
- Values… Don’t want integrity
compromised, trust amongst colleagues
- Career… Don’t want to compromise
longer term prospects
Professional
► Not immediate concern… But sensitive
to this aspect
► Protective… Do care about Victoria
Police organisational standing
► Broader impact… Damaging
organisation reputation just makes their
job harder overall
► Harsh direct consequences… Can
result in personal disciplinary action
Organisational
Important
Drummed in at the academy
A focus of the organisation
Reflects a changing world
Page 12 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Law enforcement data (LED) – what is it?
► Broadly consistent views, just differ on top of mind considerations
► LED management dynamics…
► A function of the personal
disposition of the individual
- Their knowledge
- Their ability / desire to comply
Individualistic
► Between stations
► Between individuals in the station
Inconsistent
► Culture of the station over
the culture of the organisation
Station centric
• Although inconsistent and idiosyncratic practices were prevalent, all worked to the general rule…
If you use your best judgement and can justify your actions – you’re ok!
► Internal data systems…
Information on LEAP, Interpose
► External sources… Official sources
accessed i.e. phone, medical
► Information for investigations…
Any documents, photos etc.
► Only a few mentions
► Any information… They use
► Vague… More a reflection of
uncertainty on how to define LED
Formal data Evidence Everything???
Page 13 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Tools used
► Accepted work tool… especially amongst Uniform
► Photos commonplace… for appropriate material.
Recognise need to delete
► Internet access… to sites that are not allowable
through Victoria Police
Smart phones
► Personal, non encrypted prevalent
► Victoria Police issued USBs are not readily
accessible for some - impractical
► Use encrypted USBs for storing briefs, back-up
files, photos
USB’s
► Via phone or home PC
► Some realisation that risky but not by all…
- A pragmatic option when can’t
get onto PC, or want a quick transfer of data
- PC’s won’t accept smart phone connection
► Only for the most controlling
► Mainly for storing CCTV
► Also backup of projects
Personal hard drives
► Range of Apps used
- Apps used… Postcode, infringement codes,
courtlink, lawonline, liquor licensing
► Snapchat… known to be used (rare)
Apps
► A couple of mentions…
- In the car
- In the watch house
Go pro recording devices
Page 14 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Tools used
► Two considerations…
Role of phone…
► Brief discussion but worth considering
- Context specific… Clearly work tool whilst on the job,
but role and relevance diminishes once at home
- Security softens… Do have passwords in place but
generally softening of attitude
Cloud confusion…
► Most not connected due to concerns over security
- Cloud risk discussed at the academy
- Most assumed that they weren’t automatically uploading
to the cloud
- Some simply didn’t know – assumed/hoped not
- Lack of certainty about how to manage this
Page 15 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Data security – the tensions
► Forces ‘best judgement’ solution
► Delivery takes precedence ► Trust is a cultural anchor and
data security safety net
► Core objective… Get the job done
► Lack of knowledge… Means ‘work
arounds’ are not always sufficient
► Equipment… Old, not working or
unduly restrictive
► Systems… Disorganised
► Hard centric… Soft data not
accounted for
Us + the inner circle
Us versus them
Priority Facilities Culture of trust
Page 16 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
► Procedural ‘work arounds’ relied upon… to get the job done
when expected
- Especially when under time pressure to complete
► Recognising that…
− The compromises made are not significant
- Are easily resolved
- Effort is made to comply where possible i.e. come in to work
to use compliant PC’s when off-duty
► Key challenge… Some members admit they are not IT savvy
- Moreover, digital terrain is constantly changing
► Direction v. directive… A noted frustration that they need
guidance on how to manage their data via personal devices
Data security tension: priority
► USB sticks… Will use their own, non encrypted versions
► Passwords… Will be shared to support a trusted colleague in
a reasonable work related request
− Details of request recorded
− Then password changed
− Won’t share all passwords i.e. LEAP
► Personal back up drives… To store larger amounts of data
e.g. CCTV / file back up storage not adequate
► Clear desk policy… Considered impractical if operating in a
secure area
- No / limited options for storing hardcopy documents
- Documents kept on desk as visual reference
- Limited real value
- Some frustration around adherence
Core objective – get the job done! Prepared to compromise
• The unintentional risk is apparent, as members feel they are generally complying
Page 17 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Data security tension: facilities
► Limited facilities…
- Shared spaces – other peoples files
in your lockers
- Lack of locks for lockers
- No physical storage for files
► No set desk… Required to move
desks constantly and keep information
on hand (uniform)
► Cleaners and contractors… Noted as
a constant concern, yet accepted part
of their environment
Physical environment
► Lack of… Or inadequate equipment
(Uniform)
- Cameras don’t work at night /
constantly dead batteries
- Encrypted USB sticks not provided
- PCs won’t play CCTV
► Unduly restrictive… Personal storage
for data
► Unsecured radio (Regional)…
- Try to hide information, introduce
code references, not use the radio
Equipment
► Disorganised… Management of data
files i.e. unable to find photos once
downloaded
► Double entry… Car computer doesn’t
link up to Station software, so requires
double handling – revert to official diary
► Inadequate systems for tracking…
Store CCTV but then don’t track who
borrows it, dates etc.
► No system for soft data… Insufficient
or unworkable storage for CCTV
Systems/procedures
► There were seen to be a plethora of internal circumstances that forced reliance on working ‘outside’ of the system
• The facility and process disconnect undermines the seriousness of the data security and forces a
continual ‘best judgement’ solution
Page 18 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Us (the police) Them
Data security tension: trust
► Trust… Common and strongly held belief that they could trust
their colleagues and can have a degree of trust within the
sanctum of the station as a whole
► Measured… Does not mean that discretion isn’t used – won’t
breach obvious boundaries i.e. trust doesn't mean blatant
disregard for policy
► Restrictions already in place… Uniform don’t access the
Detective area, restricted access to sensitive data
► Constant… Approach by external parties
► The general public... The ‘need to know’ rule is firmly
embedded
► The media... The days of ‘off the record’ are over
Vs
• The primary threat is seen to be external
• Internal control is relatively tight with trust being built over time and direct relationship
Inner circle
► Your crew… The colleagues you know and work with on a
daily basis, in your area
► Your Seniors… Who you know and/or report to
+
Page 19 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Data security – the tensions
► Forces ‘best judgement’ solution
► Delivery takes precedence ► Trust is a cultural anchor and
data security safety net
Priority Facilities Culture of trust
► Training on digital devices generally
► Practical management strategies e.g.
- How to delete photos properly
- Minimising personal email risk etc.
► Can’t avoid the behaviour, if facilities
won’t alter
► Can no longer be hard data centric,
integrate digital data
► Create permission to act appropriately
in more than the extreme situations
► Create mechanisms to facilitate
appropriate response i.e. log in details
of request
► Challenge the sanctity of the station i.e.
focus on differences within
Help them do the right thing Acknowledge the reality Minimising trust risk
Page 20 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Champion of Change
► A champion of data security would play a strong role…
− To set the standard
− Keep the behaviours top of mind
− Demonstrate commitment to ALL behaviours, not just the
obviously risky ones
− To provide advice / be a point of contact
− To help create station specific solutions
− Ensure policies are understood / act as another point of
contact on this front
Practical solutions for everyday activities, considered low
risk e.g. using personal email, not deleting photos
immediately etc.
Direction for ‘non-standard’ activities requests by others
Build consistency across the organisation
• Will play a pivotal role in building understanding, commitment and consistency across Victoria
Police – the bridge between policy and practical needs to minimise compromise
Page 21 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
The Scenarios (Scenarios deleted)
Page 22 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Conclusions and considerations
Page 23 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Conclusions and considerations
► Understand but conflicted… Members recognise that
data security is a critical aspect in their job. They are
cognisant of the range and potential severity of implications
inherent in poor data security
► But the disparity between the facilities and processes in
place make it difficult to comply. As such, they lean heavily
on the accepted idea of …’ justifiable decision making’ –
whilst not necessarily being aware or mindful of the full risk
► Individual versus Victoria Police culture… On a daily,
hourly, basis under standard circumstances and the
extremes, they are having to juggle the primary demand of
their role with the tools they have
- Short cuts are made
- Non-protocol behaviours have become accepted
► But it’s not due to contempt for policy or procedure – it is the
compromise deemed necessary to deliver
► There is a lack of coherent and consistent culture and
practise for anything outside of the most extreme scenarios
i.e. where the job security, physical safety and
organisational disrepute is at clear risk
Page 24 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Conclusions and considerations
► Bridge the gap… The challenge is how to best manage
and work with the limitations of the system – their everyday
reality, without creating a culture of excessive compromise
► There are some very real barriers to compliance –
- There is no consistent understanding of solutions and
behaviours required
- The bridge between policy and the every day demands
of the job needs to be recognised
- General training on digital is as important as policy
communication… help them understand the risk and how
to manage it
► This is not to say that there aren’t moments of laziness,
forgetfulness and apathy or those who may wish to
establish their own personal information management
systems
► The intent to comply… is present, it just needs the support
► Practical pathway… so best judgement resourcefulness
doesn’t dilute to the easiest option! The role of the
champion will be fundamental to this
► Scenarios… are largely well understood. A few tweaks
required to ensure the intent is clear
Page 25 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Appendix (Wave 1 content)
Page 26 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Data Security Means
Behaviours guided by…
Common Sense…
► Learnt… from others, from
experience, from academy
► Within bounds… of standard
behaviours
► Logic… feels reasonable,
justifiable
► Use caution… ‘play it safe’
mentality to safeguard against
error
► Assume alignment… with
policy
• If you use your best judgement and can justify your actions – you’re ok!
► Confident… there is policy -
inundated with policies,
constantly changing
► Negligible exposure… Most
had not seen or read
- Too busy… to seek out
- Believed to be common
sense (Detectives)
► Rely on others… Sergeants
to disseminate any pertinent
changes or general word of
mouth
• Get the job done • Keep your job
Over…
Policy…
Page 27 CPDP – Victoria Police
Wave 1 & 2 Key Takeouts
Disclaimer
This report was prepared at the request of the Commissioner for Privacy
and Data Protection (hereafter “the Client”) solely for the purposes
stipulated in the report titled CPDP – Victoria Police Wave 1 & 2 results
(abridged) and it is not appropriate for use for other purposes.
The Client and any other party, other than the Clients, who access this
report shall only do so for their general information and this report should
not be taken as providing specific advice to those parties on any issue, nor
may this report be relied upon in any way by any party other than the
Clients. A party other than the Clients accessing this report should
exercise its own skill and care with respect to use of this report, and obtain
independent advice on any specific issues concerning it.
In carrying out our work and preparing this report, Ernst & Young has
worked solely on the instructions of the Clients, and has not taken into
account the interests of any party other than the Clients. The report has
been constructed based on information current as of 2 March 2015, and
which have been provided by the Clients. Since this date, material events
may have occurred since completion which is not reflected in the report.
Ernst & Young, nor the parties which have endorsed or been involved in
the development of the report, accept any responsibility for use of the
information contained in the report and make no guarantee nor accept any
legal liability whatsoever arising from or connected to the accuracy,
reliability, currency or completeness of any material contained in this
report. Ernst & Young and all other parties involved in the preparation and
publication of this report expressly disclaim all liability for any costs, loss,
damage, injury or other consequence which may arise directly or indirectly
from use of, or reliance on, the report.
SYDNEY
L1, 30-32 Market Street
Sydney NSW 2000
T 61 2 9262 3266
F 61 2 9262 5774
MELBOURNE
L1, 90 York Street
South Melbourne VIC
3205 T 61 3 9699 8466
F 61 3 8199 0172