Local governments have enthusiastically boarded the public CCTV bandwagon in recent years, snapping up federal and state grants to set up security cameras in towns and cities nationwide, but have they done enough to manage the potential intrusion on individual privacy?
Five Victorian councils have not, according to auditor-general Andrew Greaves.
“The councils we examined in this audit could not demonstrate that they are consistently meeting their commitments to the community to ensure the protection of private information collected through CCTV systems,” Greaves concludes in a recent report.
Councils “have good awareness of the privacy issues associated with the use of CCTV systems” but, according to the report, efforts to address those issues have consistently fallen short of compliance with privacy legislation and the relevant Victorian public sector guidelines, which are broadly in line with responsibilities of other councils interstate.
“If councils cannot demonstrate this [compliance], they risk losing public confidence,” Greaves comments.
A particular blindspot in Victoria is a large number of security cameras installed to monitor council buildings and property, as opposed to street cameras that are supposed to enhance general public safety by deterring criminals or at least making them easier to catch.
The councils focused their “monitoring and assurance” activities on the public-safety CCTV systems, which actually represent only 20% of the total.
Whose cameras are really hindering privacy?
The far more numerous “corporate” cameras actually pose the greater privacy and data security risk, in the auditor-general’s view, as they are widely dispersed around the council areas and covered by “local operating practices that are not guided by robust procedures” – these security cameras and what they record are not considered a matter of any special public concern, but they should be.
“Local councils are using advances in surveillance technology legitimately to collect information about people’s daily activities,” writes Greaves.
“In parallel, they need to fulfil their responsibility to respect individuals’ right to privacy, by ensuring that the information from their surveillance devices is securely collected, stored and transmitted.
“The absence of community objections to surveillance in public places does not diminish this responsibility, and councils need to demonstrate organisational leadership through robust policies, strong management and controls, and effective oversight.”
His sample included the City of Melbourne, a slice of its eastern suburbs in Whitehorse City and a section of its north-western fringe (Hume City), as well as the bustling Horsham Rural City and the vast East Gippsland Shire. Collectively, the five local governments have about 1200 security cameras, with more on the way.
None reported any “inappropriate use of surveillance systems or footage” to the auditors and the Office of the Victorian Information Commissioner had received no complaints of the sort, either.
Greaves accepts it is a positive sign that no specific privacy breaches were confirmed, but reports this is “doesn’t provide strong assurance” that the systems have not been misused. The councils did too little to review and monitor the use of their CCTV systems in practice, and security controls were too weak, to be sure.
He found insufficient signage, management and oversight meant none of the local governments could demonstrate compliance with Victoria’s privacy and data protection legislation, either in the use of their CCTV or in how the video footage is protected from unauthorised disclosure.
Government surveillance systems are now extremely widespread and responsibility for how they are used, and what happens to the footage they capture, is spread across hundreds of separate council bureaucracies.
Funding has come mainly from state and federal coffers through programs like the dubious Safer Streets grants, which drew credible accusations of pork barelling that were further bolstered by a highly critical report from the Commonwealth auditor-general. There has often been considerable pressure on councillors to take up the offer from state or federal MPs keen for a tough-on-crime joint announcement. This leaves the councils saddled with ongoing costs for maintenance and management that have become a burden in some cases.
Crime prevention use overstated
Surprisingly little hard evidence has emerged to show public-safety CCTV systems actually reduce crime rates very much over the many years they have been proliferating, even in communities where crime is rare. The cameras are a powerful political totem, however, as they make some people — especially small business owners — feel safer and add to a sense that governments are doing something about crime.
Greaves reports there is no register of how many council-owned CCTV cameras are watching over Victorian communities, but there is a clearly a split between those which see public surveillance as a key role for local government, and those which see it as an unnecessary ongoing expense:
“The councils we examined are increasing, rather than decreasing, their use of surveillance devices, with some using or considering the use of drones and body‐worn cameras for particular purposes.
“In contrast, some other councils have decided not to use CCTV systems, citing concerns about their effectiveness and the ongoing costs of maintenance, upgrade and replacement.”
All the councils covered by the Victorian audit could point to their ongoing spending on their CCTV but none were “regularly tracking and monitoring” the costs.
The specific findings in relation to each council were a mixed bag; none shone above the rest in either administrative oversight, access control or physical and data security:
“All of the audited councils use generic user logins for corporate CCTV systems, and some do not use system activity logs to track usage. These practices increase the risk of inappropriate use occurring and going undetected. There are similar issues with public safety CCTV systems.
“Improving physical security and access controls will better enable the councils to protect information collected from council surveillance activity from unauthorised disclosure.”
Victoria Police is the state’s major user of public safety CCTV footage, which typically isn’t directly accessible by the councils, except for the City of Melbourne, which has people watching the cameras 24-7 and gives the police permanent access. The police will only take information from councils with a fairly standard memorandum of understanding governing the responsibilities of each party, but Greaves found four out of five weren’t keeping up their end:
“Apart from Melbourne, none of the councils have adequately used their agreements with Victoria Police to ensure proper oversight of and accountability for the use of public safety CCTV systems.
“The agreements between police and councils require the councils to establish a steering committee and an audit committee to oversee and review these systems. These oversight committees varied in their effectiveness—typically, they meet rarely and when they do they focus on operational issues such as camera location and functionality rather than privacy and data security.”
The five audited councils all accepted the auditor-general’s recommendations, two of which were targeted at the Whitehorse City and Horsham Rural City councils respectively.
Nine more apply across the board and at least the first eight of those could form a handy checklist for other councils all over Australia that find themselves managing large and growing collections of public-facing cameras.
- Review and update CCTV policies in line with the state’s privacy legislation.
- Retrospectively assess all CCTV systems installed before the CCTV policy came into effect to ensure compliance with the policy.
- Assess the privacy impacts of proposals to install any new or additional CCTV surveillance devices in public places.
- Develop site-specific operating procedures for corporate CCTV systems in line with the state’s privacy legislation.
- Allocate responsibility for CCTV oversight to an appropriate senior manager and implement regular reporting on key aspects of CCTV system use.
- Include a periodic audit of CCTV system use and data security in forward planning for internal audit programs.
- Review and update the content and position of all signage in locations with corporate CCTV systems to reflect better practice.
- Review and address access control and data security weaknesses for corporate CCTV systems.
- Ensure regular audits and evaluations of public safety CCTV systems and hold the oversight committees for these systems to account for their responsibilities under agreements with police.
Any feedback or news tips? Here’s where to contact the relevant team.