CCTV Laws in Australia: 5 Tips for Managing CCTV Privacy Issues
Privacy has been in the headlines recently following the CHOICE investigation into the use of facial recognition technology at certain Kmart, Bunnings, and The Good Guys stores. Since the publication of the CHOICE article, the Good Guys have now put their facial recognition testing on hold pending the OAIC investigation. For many, this begs the question: are there CCTV Laws in Australia? If so, when can an organisation use CCTV, legally?
CCTV Laws In Australia
The Privacy Act 1988 and CCTV
Organisations covered by the Privacy Act must comply with the Australian Privacy Principles when collecting personal information, including that collected via surveillance devices. This means that the organisation must (amongst other things):
- Tell you your image may be captured before they record you;
- Have a reasonable purpose for collecting the personal information;
- Ensure recorded personal information is secure; and
- Destroy or de-identify personal information when it is no longer needed.
The Privacy Act does not cover the private use of security cameras by individuals.
State CCTV Laws in Australia
State CCTV laws in Australia vary state by state – and they aren’t covered by comprehensive privacy legislation in each state either. Instead, they’re included in a patchwork of laws – including the Criminal Code.
Queensland’s Criminal Code, for example, makes it an offence to video record people without their consent in places where they would expect privacy. This includes bathrooms, bedrooms, and changerooms, for example.
If you need specific details about CCTV laws in your state, reach out to a lawyer.
Tips for Managing CCTV Privacy Issues
The Use of Facial Recognition Should Be Carefully Considered
The use of facial recognition technologies come with significant risk to individuals. There is potential for racial profiling (malicious or unintended), as well as discrimination and misidentification.
There’s also risk for the company introducing the facial technology, since it is likely to negatively impact customer trust.
“Using facial recognition technology in this way is similar to Kmart, Bunnings or The Good Guys collecting your fingerprints or DNA every time you shop. Businesses using invasive technologies to capture their customers’ sensitive biometric information is unethical and is a sure way to erode consumer trust.” – CHOICE consumer data advocate, Kate Bower.
In terms of legal risk, organisations will need to balance the benefits of introducing facial recognition technologies with the legal risk. We noted in our post detailing our analysis of recent OAIC determinations that the OAIC is homing in on the over-aggressive use of faceprint and CCTV data.
The legal risk stems from the organisation being required to put customers on notice of the collection of sensitive information, as well as the increased risk associated with collecting and storing that information.
Faceprints and other biometrics are considered sensitive information under the Privacy Act 1988. Generally speaking, organisations covered by the Privacy Act need to obtain consent before collecting sensitive information. (A quick note: the requirements to obtain consent may be more stringent in the future if the proposed amendments to the Privacy Act go through.)
Referring to the example of facial recognition technologies in Bunnings, Kmart, and The Good Guys, Kate Bower notes that the signs putting customers on notice were small and inconspicuous. As a result, the companies may have been in breach of the Privacy Act.
Australian organisations should carefully consider whether the legal, reputational, and security risks outweigh the (usually limited) benefits of introducing facial recognition technologies.
Avoid CCTV with Audio
Certain state laws prohibit the audio recording of private conversations that you are not involved in. Audio recordings picked up by CCTV recordings would breach these laws.
To comply with these laws, organisations should generally avoid CCTV with audio. If you feel you need to collect audio recordings, you should seek legal advice.
Ensure Your Customer Notice is Adequate
Australians generally expect companies and organisations to use CCTV. In fact, CCTV and video recordings are so ubiquitous that the public is typically frustrated where no footage exists exposing inappropriate and illegal behaviour.
However, organisations should be sure to put people on notice that they are being recorded. This should be in the form of a visible, legible, and clearly-written signage, alongside easy access to organisational privacy policies. You might also consider ensuring that the CCTV cameras are clearly visible – particularly if customer trust is a priority for you.
Undertake a Privacy Impact Assessment Before Implementing CCTV
Privacy impact assessments are an underutilised tool that organisations can use to enhance data protection and reduce privacy risk.
When used as part of your ‘business as usual’ processes, organisations can use PIAs to:
- Comply with privacy laws.
- Improve internal privacy and information security frameworks.
- Increase transparency.
- Improve consumer trust and confidence.
- Reduce risk of future costs from legal exposure.
- Minimise the risk of reputational damage following a breach.
- Enhance internal processes.
- Improve information management.
- Strengthen organisational privacy maturity.
- Increase staff and community awareness of privacy issues.
Comply with Relevant Workplace Laws
Outside of the Privacy Act, Australian workplace surveillance laws are covered by a patchwork of federal and state or territory laws that relate to the use of monitoring and recording devices and the installation and use of CCTV. In addition to these general surveillance laws, NSW and the ACT have specific surveillance laws that apply specifically to workplace surveillance. And Victoria limits the use by employers of surveillance devices in certain parts of the workplace (e.g. washrooms).
Complying With CCTV Laws in Australia
Don’t hesitate to reach out for assistance navigating your privacy obligations before implementing CCTV in your organisation. Privacy 108’s lawyers are available to provide training and guidance about your legal obligations in an increasingly privacy-conscious world.