CCTV and privacy

As tech law specialists we frequently advise on data privacy and security matters. CCTV monitoring has caught the attention of several clients, specifically how to respond to requests for CCTV footage.

In this article, we review the Privacy Act, the Privacy Commissioner’s CCTV guidelines and a company’s security policy for considerations on the topic.

Do we have to provide copies of CCTV footage should it be requested?

Firstly our response would be, “No”, but you may, in some circumstances, consider allowing the requestor to see the relevant footage(without taking a copy), provide the requester with an extract from the footage with other individuals “blurred” out so as not to be identifiable (if reasonably possible to do), or provide still shots from the footage (but again on a blurred-out basis).

The Privacy Commissioner points out in its Guidelines that in general people have a right to access images of themselves. To start with, access need only be provided if “readily retrievable”. Further, when providing access, the company must not intrude on the privacy of others who are also shown in the footage. 

The Commissioner goes on to say that the “starting point is to give access in the way the individual wants. However, this is not always possible or desirable: 

Giving someone a copy of the footage has different privacy impacts from just allowing someone to come in and view the footage. For instance, it may not be a problem to let someone view a tape. However, there may be a good reason not to provide a copy if the information could be damaging or embarrassing for others who are pictured if it is put on the internet.

If you have the technology to blur or pixelate the faces of the other people on a copy of the footage, this is a good way to protect others’ privacy.

If you cannot provide access to the footage without unreasonably breaching others’ privacy, you could provide the individual with a written description of what they are doing in the footage.”

The Commissioner says that a company should generally treat CCTV footage as confidential to the company and not disclose unless that is one of the company’s purposes in operating a CCTV system. 

Exceptions

Principle 11 of the Privacy Act states that an agency that holds personal information shall not disclose the information to another agency unless one of the listed exceptions applies, including for example:

a)     disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained;

b)     disclosure is to the individual concerned; or

c)     disclosure is authorised by the individual concerned.

The Privacy Commissioner’s CCTV guidance confirms the application of Principle 11 to CCTV. The guidance applies to non-covert CCTV in ‘public spaces’ (spaces that are completely accessible to the public) and ‘semi-public spaces’ (spaces that, even if privately owned, are accessible to the public during opening hours). The guidance stipulates that CCTV footage should only be used or disclosed for the original purpose for which it was collected.

What can companies do to help manage such requests?

Companies may determine their own policies with respect to CCTV and whether access to its footage will be made available. It may be that such a policy might say that “Requests for access to the system from interested parties will be denied unless good cause is given, and the Company formally approves the requested access”.  

In assessing any request for access, the Company should have regard to the relevant Privacy Principles under the Act (in this case Principle 5 which protects personal information from unauthorised access, Principle 6 under which Individuals have the right to access personal information the Company holds about them, Principle 7 which allows correction of incorrect information, and Principle 11 which deals with the disclosure of personal information).  

The Company should also have regard to the Privacy Commissioner’s guidelines and also to the Company’s own policies and the purposes behind the use of a camera surveillance system.

It should be considered too that any request made to a Government organisation (e.g. ministry, police, public hospital, school) for access to information captured by the CCTV system is also to be treated as an Official Information Request and so the timelines need to be respected and so the Company’s CCTV team involved from an early stage.

Should you find yourself on the receiving end of CCTV requests or need support on privacy matters we can help.