cpdp victoria police · pdf filedon’t want to compromise longer term prospects...

CPDP – Victoria Police

Wave 1 & 2 Key Takeouts

CPDP – Victoria Police Wave 1 & 2 – results (abridged)

EY Sweeney Contacts: Jennifer Hodges, Matt Bond

SR Project No. 24651

Date: 2nd March 2015



Contents

Background to the Study 3

Key take outs – Wave 1 & 2 7

The Scenarios (deleted content) 21

Conclusions and considerations 22

Appendix 25

The following document has been edited to protect the privacy of individuals involved and also to ensure the 2016 research wave is not compromised.

This report is subject to the disclaimer detailed at the end of the document.

EY Sweeney is accredited under the International Standard, ISO 20252.

All aspects of this study has been completed in accordance with the requirements of that scheme.

Also please note that EY Sweeney Research Pty Limited’s liability is limited by a scheme approved under professional standards legislation. A copy of the scheme can be obtained from us upon request”.

The report contains some Victoria Police imagery sourced by CPDP courtesy of the Victoria Police Image Library



Background to the Study



Background

► At the vanguard… Since 2008, the Victoria Police have been at

the vanguard of implementing a program of behaviour change to

ensure the appropriate management of data security amongst

sworn members.

► A range of initiatives… Have been introduced by the

Information Management, Standards and Security Division

(IMSSD) including; training, marketing, policy changes and a program of awareness building.

► Measuring effectiveness… To ensure ongoing learning and

improvement, staff surveys have been conducted to assess the effectiveness of the programs in 2012 (pre- program) and 2014

(after 12 months of activity).

► Increased awareness… The 2014 results demonstrate that the

cultural change program has had a positive impact in terms of

overall awareness of practices and the perceived value in

building data security awareness.

► Attitudes static… However, it is also apparent that except for

the more extreme scenarios, general behaviours and attitudes

toward data security have not altered.

► Question marks… This raises the question of whether there is

confusion in members’ understanding of what constitutes a data

security issue or if the results are a due to a nuanced interpretation of the scenarios presented.

Project purpose… To maximise the effectiveness of the

policy development, training programs and questionnaire

design for the 2016 Monitor, the project team seek greater

insight into the current mindset amongst sworn members and

drill down into the findings from the previous Monitor.



Research Objectives

The Specific Objectives

Overall Research Aim

► To understand the attitudes and behaviours toward law

enforcement data security amongst sworn members of

Victoria Police.

Data security policies • Gain a broad understanding of the knowledge levels of the

Victoria Police data security policies

• Explore the perceived relevance of these policies

Data security management

• Understand the attitudes amongst sworn members toward

data security management

• Identify the key influences on attitudes and behaviours in

relation to data security management

• Explore the motivators and barriers to adopting appropriate

behaviours

Data security priority areas

• Discover the attitudes and behaviours on data security in

relation to....

− Personally owned devices

− Data Storage

− Working off-site

− Disclosure of classified information

Monitor scenarios (content deleted)

• Highlight the interpretation of the 2014 Monitor scenarios

• Identify the range of considerations in interpreting the 2014

Monitor

1

2

3

4



Sample

► Two waves

► Total of 8 group sessions amongst sworn members

► 1.5 hour duration each

► Conducted in station

► Participants recruited by Victoria Police

► Split by…

- Uniform and Detectives

- Metro and Regional

Wave 1 (26th – 27th November 2014)

Metro Rural

Uniform 1 group 1 group

Detective 1 group 1 group

Total 2 groups 2 groups

Wave 2 (2nd – 3rd February 2015)

Metro Rural

Uniform 1 group 1 group

Detective 1 group 1 group

Total 2 groups 2 groups



Key take outs– Wave 1 & 2 Constraint

Focus group discussions/depth interviews evolve creative ideas and generate hypotheses. They are not intended to be a precise and definitive index of what happens in the marketplace. This report should be interpreted with that constraint in mind.



Overall take outs

► Digital versus dark ages… A belief that Victoria Police is facing increasing

pressure from the demands of the digital data environment in which it operates

► Distrust… In the systems to securely manage data… fuelling the tendency for

self management

Disconnect

► Data security… In their appreciation of the importance of data security and

compliance overall

► Management… In their rationale for when they ‘work around’ the system

► Understand broad implications… For colleagues, themselves and the

organisation

Overall confidence & awareness

► Trust and integrity… In their colleagues, personal intent, broad station security

► Defining data sensitivity… An overarching issue of what data requires diligence

► Knowledge deficit… Some are clearly struggling with understanding digital

devices, direction is needed

► Champion critical… To help progress cultural change, bridge the gap and create

consistency

Core issues

► Interpretation… (deleted)

► Comprehension… (deleted) Scenarios



Some key mindsets apparent

A few points on the audience

► Younger… 3 months to 6 years in

Victoria Police

► Academy conscious… Learning still

influencing the newest recruits

► Data exposure… Consider most of

the data they engage with is relatively

low level seriousness

► Induction… Sentiment that they need

to transition to the ‘real world’ of

policing – adapt the academy learning

► CIU… 6-20+ years in Victoria Police

► Implication sensitive… Little more

sensitive to reputation implications –

personal, professional, organisational

► Experience savvy… Reality over

theory re. incidents

► Adapting… Over conforming to

impractical protocols

Uniform CIU

► Conscious choice… To establish their

own system of storage, buy back ups

etc.

► IT savvy… Relative to others

► Distrust… Most acute distrust of the

data systems

► Attempting… To do the right thing

► Assume… Behaviours are appropriate

- Align with others

- Seem reasonable

► Uncertain… If they are doing the right

thing – generally less IT savvy

► Frustrated… With their uncertainty

► Follow… Largely just follow what

others are doing or what seems to be

accepted behaviours

► High internal trust levels

► Not too concerned… Beyond the

basics i.e. will delete data that is no

longer required at their discretion, not

too concerned over USB left in PC

Controllers Triers Relaxed



Some attitudes to information

► Are somewhat predisposed to

keep information

- For reference… To make

future jobs easier

- For back up… In case it may

be needed to cover themselves

- Because too hard… To sort

through!

Hoarders

► Of throwing out something that

may be needed in the future

- Going through old files,

considered an onerous and

time intensive task – easier to

throw but don’t want to

Fear

► By the back log of hard copy

information

- Especially when they have to

re-locate stations or change

roles

Overwhelmed

► In the Victoria Police

information…

- Storage systems

- Management systems

Distrust

• Managing historical data is as challenging as managing current information



Attitude to data security

► Colleagues first… Protecting their work

‘family’ is a top of mind issue

► Real… Recognise the physical threat to

colleagues’ safety is genuine

► Job security… Equally important is

impact on their job - a key factor that

drives compliance

Ramifications are

real and understood

Personal

► Reputation… Strong sense of professional

pride

- Embarrassed… Don’t want to feel foolish

- Values… Don’t want integrity

compromised, trust amongst colleagues

- Career… Don’t want to compromise

longer term prospects

Professional

► Not immediate concern… But sensitive

to this aspect

► Protective… Do care about Victoria

Police organisational standing

► Broader impact… Damaging

organisation reputation just makes their

job harder overall

► Harsh direct consequences… Can

result in personal disciplinary action

Organisational

Important

Drummed in at the academy

A focus of the organisation

Reflects a changing world



Law enforcement data (LED) – what is it?

► Broadly consistent views, just differ on top of mind considerations

► LED management dynamics…

► A function of the personal

disposition of the individual

- Their knowledge

- Their ability / desire to comply

Individualistic

► Between stations

► Between individuals in the station

Inconsistent

► Culture of the station over

the culture of the organisation

Station centric

• Although inconsistent and idiosyncratic practices were prevalent, all worked to the general rule…

If you use your best judgement and can justify your actions – you’re ok!

► Internal data systems…

Information on LEAP, Interpose

► External sources… Official sources

accessed i.e. phone, medical

► Information for investigations…

Any documents, photos etc.

► Only a few mentions

► Any information… They use

► Vague… More a reflection of

uncertainty on how to define LED

Formal data Evidence Everything???



Tools used

► Accepted work tool… especially amongst Uniform

► Photos commonplace… for appropriate material.

Recognise need to delete

► Internet access… to sites that are not allowable

through Victoria Police

Smart phones

► Personal, non encrypted prevalent

► Victoria Police issued USBs are not readily

accessible for some - impractical

► Use encrypted USBs for storing briefs, back-up

files, photos

USB’s

► Via phone or home PC

► Some realisation that risky but not by all…

- A pragmatic option when can’t

get onto PC, or want a quick transfer of data

- PC’s won’t accept smart phone connection

Email

► Only for the most controlling

► Mainly for storing CCTV

► Also backup of projects

Personal hard drives

► Range of Apps used

- Apps used… Postcode, infringement codes,

courtlink, lawonline, liquor licensing

► Snapchat… known to be used (rare)

Apps

► A couple of mentions…

- In the car

- In the watch house

Go pro recording devices



Tools used

► Two considerations…

Role of phone…

► Brief discussion but worth considering

- Context specific… Clearly work tool whilst on the job,

but role and relevance diminishes once at home

- Security softens… Do have passwords in place but

generally softening of attitude

Cloud confusion…

► Most not connected due to concerns over security

- Cloud risk discussed at the academy

- Most assumed that they weren’t automatically uploading

to the cloud

- Some simply didn’t know – assumed/hoped not

- Lack of certainty about how to manage this



Data security – the tensions

► Forces ‘best judgement’ solution

► Delivery takes precedence ► Trust is a cultural anchor and

data security safety net

► Core objective… Get the job done

► Lack of knowledge… Means ‘work

arounds’ are not always sufficient

► Equipment… Old, not working or

unduly restrictive

► Systems… Disorganised

► Hard centric… Soft data not

accounted for

Us + the inner circle

Us versus them

Priority Facilities Culture of trust



► Procedural ‘work arounds’ relied upon… to get the job done

when expected

- Especially when under time pressure to complete

► Recognising that…

− The compromises made are not significant

- Are easily resolved

- Effort is made to comply where possible i.e. come in to work

to use compliant PC’s when off-duty

► Key challenge… Some members admit they are not IT savvy

- Moreover, digital terrain is constantly changing

► Direction v. directive… A noted frustration that they need

guidance on how to manage their data via personal devices

Data security tension: priority

► USB sticks… Will use their own, non encrypted versions

► Passwords… Will be shared to support a trusted colleague in

a reasonable work related request

− Details of request recorded

− Then password changed

− Won’t share all passwords i.e. LEAP

► Personal back up drives… To store larger amounts of data

e.g. CCTV / file back up storage not adequate

► Clear desk policy… Considered impractical if operating in a

secure area

- No / limited options for storing hardcopy documents

- Documents kept on desk as visual reference

- Limited real value

- Some frustration around adherence

Core objective – get the job done! Prepared to compromise

• The unintentional risk is apparent, as members feel they are generally complying



Data security tension: facilities

► Limited facilities…

- Shared spaces – other peoples files

in your lockers

- Lack of locks for lockers

- No physical storage for files

► No set desk… Required to move

desks constantly and keep information

on hand (uniform)

► Cleaners and contractors… Noted as

a constant concern, yet accepted part

of their environment

Physical environment

► Lack of… Or inadequate equipment

(Uniform)

- Cameras don’t work at night /

constantly dead batteries

- Encrypted USB sticks not provided

- PCs won’t play CCTV

► Unduly restrictive… Personal storage

for data

► Unsecured radio (Regional)…

- Try to hide information, introduce

code references, not use the radio

Equipment

► Disorganised… Management of data

files i.e. unable to find photos once

downloaded

► Double entry… Car computer doesn’t

link up to Station software, so requires

double handling – revert to official diary

► Inadequate systems for tracking…

Store CCTV but then don’t track who

borrows it, dates etc.

► No system for soft data… Insufficient

or unworkable storage for CCTV

Systems/procedures

► There were seen to be a plethora of internal circumstances that forced reliance on working ‘outside’ of the system

• The facility and process disconnect undermines the seriousness of the data security and forces a

continual ‘best judgement’ solution



Us (the police) Them

Data security tension: trust

► Trust… Common and strongly held belief that they could trust

their colleagues and can have a degree of trust within the

sanctum of the station as a whole

► Measured… Does not mean that discretion isn’t used – won’t

breach obvious boundaries i.e. trust doesn't mean blatant

disregard for policy

► Restrictions already in place… Uniform don’t access the

Detective area, restricted access to sensitive data

► Constant… Approach by external parties

► The general public... The ‘need to know’ rule is firmly

embedded

► The media... The days of ‘off the record’ are over

Vs

• The primary threat is seen to be external

• Internal control is relatively tight with trust being built over time and direct relationship

Inner circle

► Your crew… The colleagues you know and work with on a

daily basis, in your area

► Your Seniors… Who you know and/or report to

+



Data security – the tensions

► Forces ‘best judgement’ solution

► Delivery takes precedence ► Trust is a cultural anchor and

data security safety net

Priority Facilities Culture of trust

► Training on digital devices generally

► Practical management strategies e.g.

- How to delete photos properly

- Minimising personal email risk etc.

► Can’t avoid the behaviour, if facilities

won’t alter

► Can no longer be hard data centric,

integrate digital data

► Create permission to act appropriately

in more than the extreme situations

► Create mechanisms to facilitate

appropriate response i.e. log in details

of request

► Challenge the sanctity of the station i.e.

focus on differences within

Help them do the right thing Acknowledge the reality Minimising trust risk



Champion of Change

► A champion of data security would play a strong role…

− To set the standard

− Keep the behaviours top of mind

− Demonstrate commitment to ALL behaviours, not just the

obviously risky ones

− To provide advice / be a point of contact

− To help create station specific solutions

− Ensure policies are understood / act as another point of

contact on this front

Practical solutions for everyday activities, considered low

risk e.g. using personal email, not deleting photos

immediately etc.

Direction for ‘non-standard’ activities requests by others

Build consistency across the organisation

• Will play a pivotal role in building understanding, commitment and consistency across Victoria

Police – the bridge between policy and practical needs to minimise compromise



The Scenarios (Scenarios deleted)



Conclusions and considerations




► Understand but conflicted… Members recognise that

data security is a critical aspect in their job. They are

cognisant of the range and potential severity of implications

inherent in poor data security

► But the disparity between the facilities and processes in

place make it difficult to comply. As such, they lean heavily

on the accepted idea of …’ justifiable decision making’ –

whilst not necessarily being aware or mindful of the full risk

► Individual versus Victoria Police culture… On a daily,

hourly, basis under standard circumstances and the

extremes, they are having to juggle the primary demand of

their role with the tools they have

- Short cuts are made

- Non-protocol behaviours have become accepted

► But it’s not due to contempt for policy or procedure – it is the

compromise deemed necessary to deliver

► There is a lack of coherent and consistent culture and

practise for anything outside of the most extreme scenarios

i.e. where the job security, physical safety and

organisational disrepute is at clear risk




► Bridge the gap… The challenge is how to best manage

and work with the limitations of the system – their everyday

reality, without creating a culture of excessive compromise

► There are some very real barriers to compliance –

- There is no consistent understanding of solutions and

behaviours required

- The bridge between policy and the every day demands

of the job needs to be recognised

- General training on digital is as important as policy

communication… help them understand the risk and how

to manage it

► This is not to say that there aren’t moments of laziness,

forgetfulness and apathy or those who may wish to

establish their own personal information management

systems

► The intent to comply… is present, it just needs the support

► Practical pathway… so best judgement resourcefulness

doesn’t dilute to the easiest option! The role of the

champion will be fundamental to this

► Scenarios… are largely well understood. A few tweaks

required to ensure the intent is clear



Appendix (Wave 1 content)



Data Security Means

Behaviours guided by…

Common Sense…

► Learnt… from others, from

experience, from academy

► Within bounds… of standard

behaviours

► Logic… feels reasonable,

justifiable

► Use caution… ‘play it safe’

mentality to safeguard against

error

► Assume alignment… with

policy

• If you use your best judgement and can justify your actions – you’re ok!

► Confident… there is policy -

inundated with policies,

constantly changing

► Negligible exposure… Most

had not seen or read

- Too busy… to seek out

- Believed to be common

sense (Detectives)

► Rely on others… Sergeants

to disseminate any pertinent

changes or general word of

mouth

• Get the job done • Keep your job

Over…

Policy…



Disclaimer

This report was prepared at the request of the Commissioner for Privacy

and Data Protection (hereafter “the Client”) solely for the purposes

stipulated in the report titled CPDP – Victoria Police Wave 1 & 2 results

(abridged) and it is not appropriate for use for other purposes.

The Client and any other party, other than the Clients, who access this

report shall only do so for their general information and this report should

not be taken as providing specific advice to those parties on any issue, nor

may this report be relied upon in any way by any party other than the

Clients. A party other than the Clients accessing this report should

exercise its own skill and care with respect to use of this report, and obtain

independent advice on any specific issues concerning it.

In carrying out our work and preparing this report, Ernst & Young has

worked solely on the instructions of the Clients, and has not taken into

account the interests of any party other than the Clients. The report has

been constructed based on information current as of 2 March 2015, and

which have been provided by the Clients. Since this date, material events

may have occurred since completion which is not reflected in the report.

Ernst & Young, nor the parties which have endorsed or been involved in

the development of the report, accept any responsibility for use of the

information contained in the report and make no guarantee nor accept any

legal liability whatsoever arising from or connected to the accuracy,

reliability, currency or completeness of any material contained in this

report. Ernst & Young and all other parties involved in the preparation and

publication of this report expressly disclaim all liability for any costs, loss,

damage, injury or other consequence which may arise directly or indirectly

from use of, or reliance on, the report.

SYDNEY

L1, 30-32 Market Street

Sydney NSW 2000

T 61 2 9262 3266

F 61 2 9262 5774

MELBOURNE

L1, 90 York Street

South Melbourne VIC

3205 T 61 3 9699 8466

F 61 3 8199 0172