Privacy considerations for CCTV, Privacy Commissioner David Watts

Privacy considerations for CCTV, Privacy Commissioner David Watts


A couple of years ago I had the opportunity
to visit the UK Home Office scientific research facility on the outskirts of London to have
a look at how CCTV had been used in tracking and for law enforcement purposes in relation
to the 7/7 bombers. It’s a daunting experience going to the UK Home Office scientific facility.
The cab can’t approach it within about half a kilometre so it’s quite a long walk in the
rain, very high fences and I remember on that particular occasion the fences were patrolled
by dogs who looked at me with very great suspicion. But once inside I had the opportunity to look
at the way CCTV had been stitched together right across England to track the movements
of the suicide bombers from the moment they entered the train carriages basically to their
doorstep when they left home that morning. I watched them park their cars, I watched
them enter train stations at Reading and across the Midlands and the north of England. Quite
an incredible demonstration of the effectiveness of CCTV in relation to law enforcement. Back
then I think it was around about this time in 2009, the Metropolitan Police had used
many, many members visually looking at CCTV footage to try and recognise the suicide bombers.
These days I think my iPhone would probably be able to accomplish that task, which just
shows how fast technology has moved in this particular area and how important it is to
take into account. If you leave with no other key message today
from me, please leave it with this. Privacy doesn’t prevent appropriate community safety
measures like CCTV. Good privacy and security practices enables best practice and the design
and implementation of systems that enhance safety, privacy and security and provide a
foundation for community confidence in CCTV systems.
CCTV surveillance has become a common feature of our daily lives. Our images are caught
on numerous CCTV cameras as we move about the city, suburbs, visit shops and shopping
centres, attend offices and sporting arenas, travel on the road and on the public transport
network. Although the use of CCTV continues to enjoy general public support, it necessarily
involves intrusion into the lives of ordinary individuals as they go about their day to
day activities. The public expects CCTV systems to be used
responsibly with effective safeguards in place. Maintaining public trust and confidence in
its use is essential if its benefits are to be realised and its use is not to be viewed
with suspicion or cynicism. In the past because most CCTV systems were
fairly poor quality, the images they captured were not considered to qualify as being personal
information and privacy legislation was not generally considered to apply to them. The
situation has now changed with advances in and the lower cost of camera and recording
technologies. In Victoria any public sector organisation that deploys modern CCTV systems
is likely to be using equipment that’s of sufficient quality to capture personal information
and thus bring it within the jurisdiction of the Information Privacy Act.
The Information Privacy Act is principles-based and technology neutral and it governs the
collection, use, disclosure and handling of personal information, including the security
of personal information. It establishes fundamental privacy safeguards through a set of ten principles
that are derived from international benchmarks that have been adopted by many jurisdictions
across the world. I thought I might touch on some of the most
fundamental. So IPP1 is one of the critical principles that’s necessary to take into account
and it sets out principles such as an organisation must not collect personal information unless
it’s necessary for one or more of its functions or activities. It must collect personal information
only by lawful and fair means and not in an unreasonably intrusive way.
And it goes through notice requirements. At or before the time personal information is
collected, the organisation must take reasonable steps to ensure individuals are aware of issues,
such as the identity of the organisation and how to contact it, the fact that he or she
is able to gain access, the purpose for which the information is collected, to whom it’s
usually disclosed, any law that requires the particular information to be collected and
any consequences if it’s not provided. That particular requirement can be addressed
through a combination of sharper signage and policy either on websites or available in
local offices. The information privacy principles also deal with the security of personal information
through Information Privacy Principle Four, which says an organisation must take reasonable
steps to protect personal information it holds from misuse and loss from unauthorized access,
modification or disclosure. The Department of Justice has provided high-level
guidance about how to address these issues and to operationalise them in its Guideline
to Developing CCTV for Public Safety in Victoria. The guide sets out ways in which issues such
as privacy and security can be operationalised into the design, deployment and management
of CCTV systems. It’s important to consider what some of those guiding principles are.
They start by saying that people are entitled to a reasonable expectation of privacy when
in public places. That owners of CCTV in public places should act responsibly and consider
the reasonable expectations of an individual’s privacy. Owners of CCTV should take reasonable
steps to inform people of the use of the devices. Use of CCTV should be for a legitimate purpose
related to the activities of the organisation managing it.
CCTV surveillance should be proportional to its legitimate purpose. This means the use
of CCTV in public places must be limited to a set of clearly defined purposes or objectives
in identified areas. Reasonable steps should be taken to protect information gathered through
public place surveillance from misuse and inappropriate disclosure. Owners of CCTV systems
must be known and accessible to the public, must be accountable for its proper use.
The guide establishes clear linkages with privacy requirements when it states objectives
with CCTV projects should align with the guiding principles set out in the guide. At this point
organisations need to consider the following two principles. That your CCTV project is
for a legitimate purpose and relates to the activities of your organisation, and the level
of surveillance is proportionate to its legitimate purpose.
A legitimate purpose requires a direct connection between the organisation’s operations and
the surveillance practice. The connection should not be trivial or incidental. A proportionate
response is one that uses the least intrusive means to achieve its purpose. Those really
are the fundamental rules and the fundamental principles that need to be addressed in establishing
CCTV systems. Some of the information that Chris went through
in the previous presentation echo or hook back in or link with those sorts of principles
in terms of the funding for CCTV systems. One of the things that I wanted to do in this
context is briefly refer to the comparatively recent New South Wales case SF against Shellhaven
Council. The New South Wales Administrative Decision Tribunal found that a CCTV operating
system in Nowra failed to comply with the New South Wales equivalent to the Information
Privacy Act. As you’d all be aware the case caused widespread concern and prompted the
New South Wales Government to urgently amend its privacy law.
It was a very curious piece of legal reasoning. The Tribunal found that insufficient notice,
and I just go back to what I said a few moments ago about notice and notice requirements,
that insufficient notice had been given of the equivalent New South Wales requirements
to Information Privacy Principle 1.3, and suggested that individuals need to be made
actually aware of the relevant notice requirements. From my perspective it’s just incredibly difficult
to see how that is a correct piece of legal reasoning. Both the New South Wales requirement,
or at least the one that existed at the time, and the Victorian requirement do not require
actual notice, but they do require is that orgnisations take reasonable steps to ensure
that individuals are aware of the relevant requirements.
More relevant was the finding that there were no reasonable safeguards in place to secure
the personal information collected by the CCTV system. Although there was a process
in place to require the entry of a username and password to login to the live feed, the
practice was to use generic passwords which meant that monitoring and auditing of system
use was impeded. In addition there was no training given to staff about appropriate
security practice. A breach of the equivalent of IPP4 in Victoria
was found. In that sense the breach highlights the need for basic security processes and
procedures to be implemented as part of good CCTV practice. This can be done quite easily
and inexpensively through computer processes that require the entry of computer passwords,
the changing of passwords on a periodic basis. I think we’re all used to that as common practice,
and through basic security training and awareness. If you want a further analysis of the Shellhaven
case from my perspective or from Privacy Victoria’s perspective, quite a lengthy analysis of it
was done in the most recent edition of Privacy Aware, which can be found on the Victorian
Privacy Commissioner’s website which is privacy.vic.gov.au. If you look under Publications and then look
for the most recent issue of Privacy Aware you’ll find an analysis and you’ll find that
we were quite puzzled by the Shellhaven Council decision. I really don’t think that that could
happen in Victoria. Let me go back to my original message to you,
that neither privacy or security impede or prevent the proper use of CCTV. They’re both
important in providing the community with the assurance that CCTV will be used responsibly
and transparently and that it is and remains fit for purpose. In this context privacy and
security are most appropriately conceptualised as enabling the development and implementation
of appropriate CCTV systems, not as preventing it.
Do the privacy laws come into force on a private property? I’m thinking about a retail shop
with a camera. Something like that. There’s a Federal privacy law called the Privacy
Act 1988 which applies to the private sector. The Victorian Information Privacy Act, the
one that I administer applies to the public sector, so a Council-run CCTV system is covered
by my legislation. For a private sector retailer that’s covered by Commonwealth legislation,
which has very similar privacy principles, although they’re about to change a bit in
early 2014. What you need to understand though is there’s
an exemption for small business in the Federal legislation, so unless you have a turnover
exceeding three million dollars, it doesn’t apply to you

Leave a Reply

Your email address will not be published. Required fields are marked *