Queensland government agency systems which involve the collection and storage, use or disclosure of personal information are subject to the privacy obligations in the Information Privacy Act 2009 (Qld) (IP Act). These obligations do not prevent an agency using camera surveillance for legitimate business activities; they will, however, affect the policies and practices associated with how the camera surveillance system operates.
This guideline outlines the privacy impacts agencies1 must consider when implementing or extending a camera surveillance system.2 The checklist in Appendix A will help you assess your agency’s camera surveillance system for privacy compliance. In this guideline ‘camera surveillance’ includes any equipment used to observe and record images of individuals, such as closed circuit television (CCTV), temporary or fixed cameras (such as automatic number plate recognition cameras), body-worn video and unmanned aerial vehicles3.
Personal information is any information or opinion, whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.4
If the camera surveillance footage is of sufficient quality, a person with the necessary knowledge will be able to reasonably ascertain the identity of an individual from the footage.
Quality is determined by factors including the image size and resolution, position of the person to the camera, and the degree to which the individual’s face or other identifying characteristics are visible.
If the person in the footage is identifiable, the footage will reveal information about that individual, for example that they were present in that space at that time. As such, camera surveillance footage potentially contains personal information and the obligations in the privacy principles apply.
An agency must not collect personal information unless the information is necessary to fulfil a purpose directly related to a function of the agency.5 Before installing a camera surveillance system, you must determine what the proposed camera surveillance is intended to achieve and be able to clearly articulate the agency function or activity this relates to. Once the purpose is identified, you must consider whether camera surveillance is necessary to achieve this purpose.
Is there research available that supports the use of camera surveillance for your identified purpose?
Have you considered whether there is an alternative strategy to achieve this purpose, or whether camera surveillance would be more effective as part of a suite of strategies, such as upgraded lighting?
Agencies must ensure personal information they collect is relevant to the purpose for which it was collected and that the collection itself does not unreasonably intrude into the personal affairs of the individual.6 This means you need to carefully consider the location and position of cameras—as well as the technical specifications of the equipment you choose—to ensure the cameras only collect necessary and relevant personal information in a way that does not unreasonably intrude into someone’s personal affairs.
Your agency has identified that camera surveillance is needed to deter property crime and assist in the investigation and prosecution of criminal offences. To ensure that the collection of personal information is necessary and relevant for this purpose, you may need to consider:
You must take reasonable steps to make individuals aware of the purpose and legislative authority (if any) for collecting personal information and any entities to which the agency usually discloses information of that kind.7
An effective way of meeting this obligation is to place a prominent sign at the entrance to the camera surveillance system’s area of operation and reinforce this with further signs near each camera. This allows people to know about the camera surveillance system before they are close enough to be captured and should prevent claims the surveillance is occurring unfairly. Signs should also identify which agency operates the cameras. Camera footage can be applied for under the Right to Information Act 2009 and Chapter 3 of the IP Act, but this right can only be exercised if it is clear which agency operates the cameras.
Camera surveillance operates in this area to ensure public safety and for the investigation and prosecution of criminal offences. Footage will only be accessed by persons authorised to do so. Should an incident occur, footage may be provided to the Queensland Police Service for law enforcement purposes. Your information will not be given to any other person or agency unless authorised or required by law.
Enquiries may be directed to [Agency Name] by calling [agency number].
You should consider whether additional steps can be taken to make people aware of camera surveillance in use by your agency, such as:
Documented policies and procedures which address the privacy considerations of using camera surveillance will help ensure compliance with the requirements of the IP Act, clarify responsibilities, and ensure consistency in decision making and operational practices.
Agencies are required to provide information to the public about the personal information they hold, what it is used for, and how it can be accessed.9 This is often done through a privacy plan or information digest located on an agency’s website. It may be necessary to update your agency’s personal information holdings to include camera surveillance footage.
Personal information must be adequately protected against misuse, loss, and unauthorised access, use and disclosure.10 This means protecting both stored camera footage and areas where monitoring of camera surveillance takes place. Potential security measures include physical, technical and operational safeguards.
Physical safeguards include suitable housing for digital recorders, placing cameras out of reach, using locks and swipe cards for access to control rooms and data storage areas, positioning monitors or using barriers and screens so live footage cannot be viewed by unauthorised persons.11
Technical safeguards include using password protection to manage staff access to stored footage, transmitting and storing footage in encrypted form, encrypting any footage stored on portable storage devices, and securely deleting or writing over footage you no longer need.
Operational safeguards involve establishing documented policies and practices about access to footage such as:
Whether a safeguard is adequate will depend on the type and amount of personal information being collected and the nature of the equipment. For example, body worn video cameras that attach to the outside of clothing may require additional controls such as password protection and encryption software to protect recorded footage from unauthorised access should the device be lost or stolen.
If you are using or intend to use a cloud-based service to store camera footage, you should consider whether the security measures of the cloud provider provide an adequate level of protection. If the cloud service provider’s servers are located overseas, you will also need to consider section 33 of the IP Act, which set out the circumstances in which an agency may transfer personal information outside of Australia.
Keeping personal information for no longer than is necessary, and disposing of it appropriately, will help protect personal information from misuse, loss and unauthorised access, modification or disclosure.12
Camera surveillance footage created by agencies may be a public record. As such, you need to consider your agency’s recordkeeping obligations under the Public Records Act 2002 (Qld) and associated recordkeeping regulatory requirements. Footage that is a public record must be retained for at least the minimum retention period specified in the General Retention and Disposal Schedule for Administrative Records or an agency or sector specific Retention and Disposal Schedule that has been approved by the State Archivist.
An extract or copy of camera surveillance footage is created as part of an investigation into a workplace accident. It is likely that the agency will need to manage the extracted or copied footage as a public record.
Queensland State Archives can give you more information about retention requirements that may affect camera surveillance footage.13
Under the IP Act, you can only use personal information for the purpose for which it was obtained, unless one of the exceptions applies.14 These include using it with the individual’s consent, under a legislative authority, for law enforcement purposes or to prevent risks to for health and safety.
If your agency is not a health agency, you can only use that part of the camera surveillance footage that is directly relevant to what you are trying to achieve15. For example, if you have multiple footage of an individual involved in a specific incident and the footage needs to be used by the agency, you must only use those portions of the footage surrounding, or relevant to, the incident.
The IP Act contains rules for when you can disclose16 personal information to a third party.17 This includes where the individual was reasonably made aware that this would occur (for example, there was a sign near the camera which said the disclosure would occur), where the individual consents, under a legislative authority, for law enforcement purpose or to prevent risks to health and safety. It can also be applied for under the Right to Information Act 2009 or Chapter 3 of the IP Act.
The IP Act allows agencies to disclose personal information to law enforcement agencies, including the Queensland Police Service (QPS), if the personal information is ‘reasonably necessary’ for a law enforcement activity.18 This includes personal information contained in surveillance footage.
Each request must be assessed on a case-by-case basis. Using a request form like the ones set out in Appendix B (for non health-agencies) or Appendix C (for health agencies) will help you gather and record the information needed to assess the request. If your agency regularly provides footage to another agency, such as QPS, consider developing an agreement, such as a Memorandum of Understanding, that sets out how both agencies will meet their privacy obligations.19
When footage is disclosed for law enforcement purposes, the IP Act requires that a record of the disclosure is included with the footage.20 One way to meet this requirement is to keep a copy of the footage and include with it a record of the agency’s compliance with the request.
If your agency receives a subpoena or other court order to produce footage, the disclosure is authorised or required by law.21 However, this only applies to the footage covered by the description in the subpoena.
If an individual requests access to camera surveillance footage, and the footage shows only that individual, you may be able to release the footage administratively.
If there are other identifiable people in the footage, or an organisation or company requests access to footage containing identifiable people, it may not be possible to release the information administratively unless the footage can be securely redacted to remove personal information. In these circumstances, a formal application under the IP Act or RTI Act will be required.
In some circumstances an agency must take all reasonable steps to bind a contracted service provider to comply with the privacy principles.22 This will generally be required where:
The Contracted Service Provider checklist23 will help you decide whether you have to bind the contracted service provider to comply with the privacy principles. Once bound, the contracted service provider is responsible for any breach of the privacy obligations in the IP Act and an individual is able to make a privacy complaint against the contracted service provider.24
If the contracting agency does not take all reasonable steps to bind the contracted service provider, the contracting agency will be responsible for any breach of privacy arising from the actions of the contracted service provider.25 For more information about the privacy considerations when outsourcing, please see Agency Privacy Obligations When Entering into Contracts and other Agreements.26
The IP Act contains exemptions from, and exceptions to, the rules for law enforcement agencies. Agencies, or activities of agencies, that fall within these exceptions and exemptions may be entitled to disregard some of the privacy principles when conducting camera surveillance. For example:
See Privacy and Law Enforcement Agencies27 for more information.
The following checklist is a summary of the privacy considerations outlined this guideline. You may wish to use this checklist to satisfy yourself that your agency’s camera surveillance system meets the obligations in the Information Privacy Act 2009 (Qld).
|Camera Surveillance Checklist||Yes||No|
|Is camera surveillance right for you?|
|Can you articulate how this purpose relates to a function or activity of your agency?|
|Can you show how the use of camera surveillance will achieve the identified purpose?|
|Have you considered whether there are other options that could achieve the identified purpose more effectively than camera surveillance, or that could be used alongside camera surveillance to make it more effective?|
|Is the camera surveillance system fit for purpose?|
|Are the cameras located and positioned so that they only view areas relevant to the intended purpose?|
|Are the cameras located and positioned in a way that will not intrude to an unreasonable extent on the privacy of individuals, for example, by avoiding private property or an entrance to a doctor’s office?|
|Are the cameras capable of capturing the required image size and quality necessary to achieve the intended purpose?|
|What do I have to tell people about the camera surveillance system?|
|Is there prominent signage that notifies individuals of the reason and legislative authority (as appropriate) for using camera surveillance, and any entities to which the agency usually discloses footage?|
|Is it clear who owns and operates the camera surveillance system?|
|Can the community easily find out further information about how your agency handles personal information captured via camera surveillance including the potential to access footage?|
|Has your agency’s list of personal information holdings been updated to include camera surveillance footage?|
|How do I secure footage collected by camera surveillance?|
|Are safeguards in place to protect control rooms or areas where monitoring of camera surveillance occurs?|
|Are safeguards in place to protect stored footage?|
|Is there a standardised auditable process for when access is granted to stored footage?|
|What if I want to use a cloud-based service to store camera footage?|
|Have you checked whether the servers are located overseas (even where the provider is an Australian company)?|
|If the servers are located overseas, have you checked which provisions in section 33 of the IP Act can be relied on to authorise the transfer of personal information outside Australia?|
|Do the security measures applied by the cloud service provider provide an adequate level of protection?|
|When can I delete the footage?|
|Is camera surveillance footage regularly overwritten or otherwise disposed of when it is no longer required by your agency?|
|Is information on your agency’s retention and disposal of camera surveillance footage communicated to the community?|
|Does your agency have a process for ensuring compliance with IPP 10/NPP 2 when it wishes to use camera surveillance footage for a purpose other than that for which it was initially obtained?|
|When can I disclose footage?|
|Does your agency have policies and procedures about when and under what conditions camera surveillance footage may be disclosed to third parties?|
|Does your agency have policies and procedures for individuals to request access to camera surveillance footage that includes their images?|
|Is information publicly available on how individuals can request access to camera footage?|
|Are documented business processes in place which establish how your agency will satisfy itself that footage is ‘reasonably necessary’ for a law enforcement activity and the steps that must be taken to make a record of this disclosure?|
|What if I want to outsource management of the camera surveillance system?|
|Will the contracted service provider in any way deal with personal information for your agency, or involve an exchange of personal information between your agency and the contracted service provider?|
|If yes, have you taken all reasonable steps to contractually bind the contracted service provider to compliance with the privacy principles?|
Current as at: November 1, 2019