Camera surveillance – OIC’s recent audit findings
Queensland government agencies that operate camera surveillance systems must manage the associated personal information in line with their legislative obligations, under the Information Privacy Act 2009 (IP Act) and the Right to Information Act 2009 (RTI Act).
This includes how they collect, store, access, use and disclose personal information.
In a recent audit of Bundaberg Regional Council (BRC), the OIC found that council’s policy on accessing CCTV footage meant they would only release data and images to the Queensland Police Service (QPS) and no one else.
This kind of practice goes against the very aims of the Acts.
BRC’s policy was to refer requests from the public for access to footage, about a police matter, directly to the QPS.
Under the Acts, agencies physically possessing or having legal control of the information must consider the application and give the applicant a written notice of the decision, regardless of whether another agency could provide the information.
The IP Act allows agencies to disclose personal information to law enforcement agencies, including the QPS, if they are reasonably satisfied that the personal information is necessary for a law enforcement activity. Agencies should assess each request on a case-by-case basis.
Under the Memorandum of Understanding in place at the time of the OIC’s audit, the QPS could extract footage directly from certain cameras within the council’s network without having to request access.
This represented a significant risk of unmanaged disclosure from the council’s perspective. It left BRC exposed to a breach of its information privacy obligations.
Council did not know when and what footage police extracted. It was therefore unable to satisfy itself that the extraction was reasonably necessary for a law enforcement activity.
Key findings from OIC’s audit:
- BRC operates 427 fixed surveillance cameras.
- QPS had direct access to footage from 127 cameras.
- BRC did not know if disclosure was necessary for law enforcement purposes.
- Inadequate policies and procedures created additional risks of non-compliance.
In late 2019, the OIC’s compliance audit report of BRC was tabled in Parliament, noting 12 recommendations. Council intends to implement these recommendations and the OIC will monitor its progress.
Previous OIC sector-wide audits have found many agencies have work to do to ensure appropriate policies, systems and practices are in place for camera surveillance, including CCTV, drones, body worn cameras, smart devices and robots.
These guidelines include a checklist for camera surveillance systems, allowing agencies to review current systems and see if they are meeting their legislative obligations.
There is also a form that agencies can fill out each time they receive an information request from the QPS or other law enforcement agency. It is designed to help gather and record the information needed to assess the request.