Posted on May 20, 2013 by Stuart Simington
NSW Government acts to overturn Shoalhaven City Council CCTV decision
On 17 May 2013, the NSW Government gazetted a new Regulation to overcome the most troublesome aspects of the recent CCTV decision of the Administrative Decisions Tribunal in SF v Shoalhaven City Council NSWADT 94.
Judicial Member S Montgomery held on 2 May 2013 that Shoalhaven City Council breached several of the Information Protection Principles in the Privacy and Personal Information Protection Act 1998 relating to its use of CCTV cameras in the Nowra Town Centre. The ADT ordered the Council to cease the conduct and provide a written apology to the Applicant for the breaches, and advise him of the steps to be taken by the Council to remove the possibility of similar breaches in the future.
In the Shoalhaven case, the Applicant had contended that it was not lawful for the Council to collect personal information indiscriminately, in circumstances where a very small proportion of the collected information might be of assistance to the Police for law enforcement purposes.
The CCTV cameras recorded images in the Nowra Town Centre. The images were retained on a computer hard drive located at the Nowra Police Station. The cameras and computer equipment were owned and operated by the Council; however, Police officers at the Nowra Police Station were also able to view a live feed.
The Tribunal held that the personal information comprising the vision of the Applicant was not being collected by the CCTV cameras for ‘exempted’ law enforcement purposes. Although Police Officers were able to view the live feed and an arrangement was in place between the Police and the Council whereby an authorised Police Officer could apply for access to particular information, there was nevertheless only a small proportion of the information that was used for law enforcement purposes. The Tribunal held that it was not appropriate to characterise the purpose of the collection of the information as ‘law enforcement’.
Further, the Tribunal held that it was even doubtful that the Applicant’s personal information was being collected for ‘crime prevention’ purposes given that the Applicant was a private citizen going about his private business in a lawful manner.
The new Regulation makes it clear that local councils are exempt from certain provisions of the PPIP Act relating to the use of CCTV cameras, specifically as follows:
- A local council is exempt from section 11 of the Act with respect to the collection of personal information by using a CCTV camera that the council has installed for the purpose of filming a public place if the camera is positioned so no other land is filmed (unless it is not reasonably practicable to avoid filming the other land when filming the public place).
- The local council is also exempt from section 18 of the Act with respect to the disclosure to the NSW Police Force of personal information by way of live transmission from such a CCTV camera.
It is important to note that the Regulation does not overcome all of the obligations of the Council said to have been breached in the Shoalhaven case, in particular:
- under section 10 of the PPIP Act, to provide certain information to persons about the collection and purpose for collection of the personal information;
- under section 12, to ensure that the information is protected by taking reasonable security safeguards against loss, unauthorised access and misuse.
In relation to section 10, the Tribunal accepted in the Shoalhaven case that the signage provided by Council was sufficient to inform a majority of individuals that CCTV cameras were in operation and, by implication, that personal information was being collected.
However, it was not sufficient to inform individuals of the purposes for which the information was being collected. Presumably, for example, it would be necessary for the signage to clearly identify that the live footage is to be disclosed to the NSW Police Force.
In relation to section 12, the Tribunal held that the Council’s procedures were insufficient for security because the computer system utilised a generic password rather than an individual user name and password for each authorised user, which meant that there was no way of checking who was and wasn’t using the live monitor at the Nowra Police Station, and because the Council had not monitored whether persons who had access had appropriate training. At a minimum, the Tribunal held that compliance would require appropriate training and monitoring of the use of individual user names and passwords to provide an audit trail of users of the system.