05 October 2018

CCTV Security and Privacy in Victoria

The Victorian Auditor General's report Security and Privacy of Surveillance Technologies in Public Places comments:
 Local councils are using advances in surveillance technology legitimately to collect information about people’s daily activities. In parallel, they need to fulfil their responsibility to respect individuals’ right to privacy, by managing these systems well and in compliance with privacy requirements. 
Councils’ CCTV surveillance systems fall into two main categories:
  • Systems installed in public spaces for use by Victoria Police
  • Systems installed in and around council facilities for use by council staff.
In this audit, we assessed whether councils keep secure the information they collect from these CCTV surveillance systems and whether they protect the privacy of individuals.
Specifically, we assessed the management and use of surveillance devices in public places by five councils to see whether they adhere to relevant privacy laws and appropriate use policies and whether they protect the information they collect from unauthorised disclosure. 
The councils we audited were:
  • City of Melbourne 
  • Whitehorse City Council 
  • Hume City Council 
  • East Gippsland Shire Council 
  • Horsham Rural City Council.
Between them, these councils have more than 1 100 CCTV cameras and they are increasing their use of surveillance devices.
We made 11 recommendations—nine for all audited councils, one for Whitehorse City Council and one for Horsham Rural City Council.
The report states:
Across the public and private sectors, organisations use a range of technologies to observe or monitor individuals or groups, such as closed-circuit television (CCTV) surveillance systems. Some Victorian local councils use CCTV for public safety and protecting council staff and assets.
Councils' CCTV surveillance systems fall into two main categories: 
  • Public safety CCTV systems—councils install these systems to discourage and detect antisocial and criminal behaviour in public places. Victoria Police has direct access to monitor and review footage from these systems. The initial purchase costs are usually funded by grants from the state or Commonwealth governments, with councils funding ongoing maintenance and replacement costs.
  • Corporate CCTV systems—councils fund the installation of these systems and use them to monitor facilities that include public spaces, such as council offices, pools, libraries, performing arts centres and waste management facilities. These systems are typically managed onsite by council employees or contractors.
Surveillance systems in public places impact on the privacy of individuals, so it is important that councils can demonstrate to their communities that they are managing these systems well and in compliance with privacy requirements. If councils cannot demonstrate this, they risk losing public confidence. 
The Privacy and Data Protection Act 2014 (PDPA) sets out Information Privacy Principles that apply when public sector agencies, including councils, collect personal information that enables individuals to be identified, such as the images captured by CCTV systems. The Office of the Victorian Information Commissioner (OVIC), formerly the Commissioner for Privacy and Data Protection (CPDP), has a key role in implementing and supporting compliance with PDPA. Before OVIC was established, CPDP issued Guidelines to surveillance and privacy in the Victorian public sector in May 2017. We used this and other comprehensive guidance material on the use of CCTV in public places as criteria for our audit.
Local councils are using advances in surveillance technology legitimately to collect information about people's daily activities. In parallel, they need to fulfil their responsibility to respect individuals' right to privacy, by ensuring that the information from their surveillance devices is securely collected, stored and transmitted. The absence of community objections to surveillance in public places does not diminish this responsibility, and councils need to demonstrate organisational leadership through robust policies, strong management and controls, and effective oversight.
In this audit, we assessed whether councils keep secure the information they collect from their CCTV systems and whether they protect the privacy of individuals. Specifically, we assessed the management and use of surveillance devices in public places by five councils to see whether they adhere to relevant privacy laws and appropriate use policies, and whether they protect the information they collect from unauthorised disclosure.
The councils we audited were the City of Melbourne (Melbourne), Whitehorse City Council (Whitehorse), Hume City Council (Hume), East Gippsland Shire Council (East Gippsland) and Horsham Rural City Council (Horsham). Between them, these councils have more than 1 100 CCTV cameras and they are increasing their use of surveillance devices.
Victoria Police was not included in our audit scope. However, as it is the key user of public safety CCTV systems, we examined council-owned CCTV systems in police stations and spoke to police officers involved in using these systems.
Conclusion
The councils we examined in this audit could not demonstrate that they are consistently meeting their commitments to the community to ensure the protection of private information collected through CCTV systems.
The audited councils advised that they have never found an incident of inappropriate use of surveillance systems or footage, and OVIC advised that it has never received a complaint about such use. However, given the weaknesses that we identified in security and access controls, and the lack of review of how CCTV systems are being used, the absence of evidence of inappropriate use of council CCTV doesn't provide strong assurance that no such incidents have occurred.
Gaps in councils' CCTV system signage, management and oversight mean the councils are unable to demonstrate that their CCTV activities adhere to the requirements of PDPA, including appropriate use and sufficient protection of the information collected from unauthorised disclosure. Where councils do undertake monitoring and assurance activities, they are largely restricted to public safety CCTV systems. This means that councils are not adequately scrutinising the operation and use of most of their CCTV systems.
Councils can improve the security of the personal information they gather through their CCTV systems to better protect the privacy of individuals.
Improving physical security and access controls will better enable councils to ensure that access to and use of these systems is appropriate and that the information collected from their surveillance activities in public places is protected from unauthorised disclosure. 
Findings 
Management and Oversight 
Except for Horsham, all the audited councils have a policy to guide their management of CCTV systems. However, in most cases, these policies focus on public safety CCTV systems, and councils do not have robust, documented operating procedures to support the sound management of their corporate CCTV systems.
Only East Gippsland could demonstrate that decisions to install new CCTV cameras in public places are informed by consideration of privacy impacts, and there was also only limited evidence of community consultation about new cameras at any of the councils. Apart from Melbourne, none of the councils have adequately used their agreements with Victoria Police to ensure proper oversight of and accountability for the use of public safety CCTV systems. The agreements between police and councils require the councils to establish a steering committee and an audit committee to oversee and review these systems. These oversight committees varied in their effectiveness—typically, they meet rarely and when they do they focus on operational issues such as camera location and functionality rather than privacy and data security.
Corporate CCTV systems arguably pose greater privacy and data security risks than public safety systems because they are dispersed across many locations and are subject to local operating practices that are not guided by robust procedures. Only Melbourne and East Gippsland had sufficient senior management involvement in the use of corporate CCTV systems, and none of the audited councils reported regularly on these systems.
In addition, none of the councils had formal committees or assurance processes to oversee the management and use of their corporate CCTV systems. As a result, senior management and councillors lack adequate assurance that their CCTV systems are managed appropriately.
Where formal monitoring and assurance activities do occur, they are largely restricted to public safety CCTV systems which typically make up 20 per cent or less of council CCTV systems. Councils do not routinely scrutinise the operation and use of their corporate CCTV systems. Regular reporting on key metrics for all corporate CCTV systems—such as the number of times council staff reviewed CCTV footage, saved or copied CCTV footage, and provided copies of footage to external parties—would make senior management aware of these surveillance activities, support a culture of appropriate use, and promote more active management.
Melbourne and East Gippsland are the only councils to provide regular public reporting on the use and management of their CCTV systems. However, even these councils report only on public safety CCTV systems rather than all their CCTV systems. 
Privacy and Data Security
It is positive that the audited councils have not found any instances of inappropriate use of surveillance systems or footage. We found that councils have good awareness of the privacy issues associated with the use of CCTV systems.
However, all five councils can improve the security of the personal information they gather through their CCTV systems to better protect the privacy of individuals. Key areas to address include improving physical security and access controls for corporate CCTV systems and regularly assessing whether those controls are working.
All of the audited councils use generic user logins for corporate CCTV systems, and some do not use system activity logs to track usage. These practices increase the risk of inappropriate use occurring and going undetected. There are similar issues with public safety CCTV systems.
Improving physical security and access controls will better enable the councils to protect information collected from council surveillance activity from unauthorised disclosure.
In addition, we found at least one site at each council where they operate CCTV in public spaces without adequate public signage. 
Recommendations 
We recommend that the City of Melbourne, Whitehorse City Council, Hume City Council, East Gippsland Shire Council and Horsham Rural City Council:
1. review and update their CCTV policies to address the requirements of the Privacy and Data Protection Act 2014 (see Section 2.2) 
2. assess all CCTV systems installed prior to the approval of a CCTV policy to ensure they comply with the policy (see Section 2.2) 
3. assess the privacy impacts of proposals to install new or additional CCTV surveillance devices in public places (see Section 2.3) 
4. develop site-specific operating procedures for their corporate CCTV systems to reflect the requirements of the Privacy and Data Protection Act 2014 and their policies (see Section 2.2) 
5. allocate responsibility for overseeing the operation of CCTV systems to an appropriate senior manager and implement regular reporting on key aspects of CCTV system use (see Section 2.4)
6. include a periodic audit of CCTV system use and data security in their forward internal audit programs (see Section 2.7)
7. review and update the content and position of all signage in locations with corporate CCTV systems to reflect better practice (see Section 3.2) 
8. review and address access control and data security weaknesses for corporate CCTV systems (see Section 3.3) 
9. ensure regular audits and evaluations of public safety CCTV systems and hold the oversight committees for these systems to account for meeting their responsibilities under agreements with Victoria Police (see Sections 2.5 and 2.6).
We recommend that the Horsham Rural City Council:
10. establish and implement a policy to cover all council CCTV systems (see Section 2.2). 
We recommend that the Whitehorse City Council:
11. establish an agreement with Victoria Police for the public safety CCTV system at the Box Hill mall and laneways (see Section 2.5). 
Responses to recommendations 
We have consulted with the Melbourne, Whitehorse, Hume, East Gippsland and Horsham councils, and we considered their views when reaching our audit conclusions. As required by section 16(3) of the Audit Act 1994, we gave a draft copy of this report to those agencies and asked for their submissions or comments. We also provided a copy of the report to the Department of Premier and Cabinet. The following is a summary of those responses. 
The full responses are included in Appendix A.
All councils accepted the recommendations.
Melbourne, East Gippsland and Horsham provided action plans noting their intended actions and timelines for addressing each recommendation. Whitehorse and Hume did not provide an action plan addressing each specific recommendation but provided information on how they will approach addressing the audit recommendations and the timelines for this work.