However the decision that CCTV cameras in the street installed and operated by a local council breached privacy legislation had the Premier, the Prime Minister and the Federal Opposition all rushing to defend the practice and promising a legislative fix if needed to solve any legal problem.
Judicial Member Montgomery in SF v Shoalhaven City Council [2013] NSWADT 94 found the Council contravened the obligation imposed on it by sections 10, 11(a) and 12(c) of the NSW Privacy and Personal Information Act.
There is a lot in the decision on the full range of information privacy principles. Judicial Member Montgomery found in favour of the Council on a number.
The following extracts relate to the findings concerning breach of three principles. They turned on the evidence rather than anything else. Nothing has been said about an appeal so far. Other councils are putting on the thinking hat and the politicians seem ready to roll in any event.
Notice
Section 10 requires that the subject of an information collection is made aware of the implications for their privacy of the collection process, and of any protections that apply prior to or at the time of collection.
149. Section 10 is explicit in regard to the details of which the individual to whom the information relates are to be made aware. In the circumstances of this matter, the Council has collected the Applicant's personal information, and that of other individuals, and provided some signage in an effort to make people aware that images were being collected. I accept that the signage is sufficient to inform a majority of individuals that the cameras are in operation and, by implication, that personal information is being collected. It is not sufficient to inform individuals of the purposes for which the information is being collected. An exemption to Section 10 where information is collected for law enforcement purposes did not apply. Police Officers are able to view a live feed of the images collected from the cameras and an arrangement is in place between the Police and the Council whereby an authorised Police Officer may apply for access to particular information.
150. Not all cameras have a sign near them. Increased signage would increase the likelihood that more individuals become aware that the cameras are in operation and that personal information is being collected.
151. I am not satisfied that the signage is sufficient to ensure that individuals are made aware of all of the information addressed by section 10.
Judicial Member Montgomery said [156] a "small proportion of the information is used for law enforcement purposes however that is not the purpose for which it is collected. The information is collected for 'crime prevention' purposes" adding: "In the circumstances it is also doubtful that the Applicant's personal information was collected for 'crime prevention' purposes given that the Applicant was a private citizen going about his private business in a lawful manner." [157]
(Comment: the interpretation of these terms may involve legal argument if the matter goes further.)
Relevant not excessive information
Section 11(a) requires an agency to take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete.
162. In my opinion, the vast majority of the information collected under the Council's CCTV program is 'collateral information' and is not relevant to the 'crime prevention' purpose. All of the Applicant's personal information is 'collateral information' and is not relevant to the 'crime prevention' purpose. Further, there is no suggestion that Police made any use of the collected information for law enforcement purposes.
163. In my view, the evidence is clear that the images and footage collected in relation to the Applicant are of such poor quality that, in any event, the information would be of little assistance for law enforcement purposes. Because of the poor quality of the footage it cannot be said that the information collected is complete. A high proportion of the frames were omitted giving the false impression that the Applicant was skipping rather than walking.
164. The expert evidence suggests that CCTV does little to prevent crime. The data available for the Nowra CBD supports the Applicant's argument that the Council has not demonstrated that filming people in the Nowra CBD is reasonably necessary to prevent crime. In fact, available data suggests that since the Council's CCTV program was implemented crime has increased in the Nowra CBD in the categories of assaults, break and enters and malicious damage.
165. It seems to me that, at least at the time the Applicant's personal information was collected, the equipment used in the Council's CCTV program was unable to provide any meaningful data that would be able to assist in a general 'law enforcement' context.
166. In my view, the Applicant's personal information that has been collected is not relevant to the purpose of crime prevention, and is excessive, inaccurate and incomplete. In the circumstances, I agree with the Applicant that the Council has not complied with the obligation imposed on it by section 11 of the PPIP Act.
Reasonable security safeguards
Section 12(c) of the PPIP Act provides that an agency holding personal information must ensure that the information is protected by taking reasonable security safeguards against loss, unauthorised access and misuse.
169.... It is common ground that the collected data is only available to Council staff and Police Officers. In my view, the Council has developed sufficient safeguards, as are reasonable in the circumstances, to protect the personal information collected and are therefore sufficient to meet the requirements of section 12(c). The system as designed requires that the (Police) duty officer enter a user name and password at the commencement of their shift, to log into the 'live feed' monitor. However, the evidence suggests that this process has not been followed.
170. I agree with the Applicant that the use of a generic password rather than an individual user name and password for each authorised user means that there is no way of checking who is and isn't using the live monitor at the Nowra Police Station. There is no way of knowing whether those who are accessing the monitor have been appropriately trained. Section 12(c) provides that the agency 'must ensure' adequate protection of the collected information. While the system design would achieve this objective, the Council has not monitored compliance with the safeguards that are in place. As a consequence, the Council's CCTV program is open to unauthorised access and misuse and therefore fails to comply with section 12(c) of the PPIP Act. At a minimum, compliance would require appropriate training and monitoring of the use of individual user names and passwords to provide an audit trail of users of the system.
The orders are:
1. The Council is to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice;
2. The Council is to render a written apology to the Applicant for the breaches, and advise him of the steps to be taken by the Council to remove the possibility of similar breaches in the future.