QLDC denies serious CCTV privacy breach

Thousands of CCTV images of Queenstown drivers and cars are able to be viewed online and downloaded, but the Queenstown Lakes District Council says it's "comfortable" the processes it has in place protect the privacy of individuals.

Last week, a member of the public facing a parking fine contacted Crux concerned he’d discovered he was easily able to access images related to parking infringements dating back months.

Not just the images attached to his own $40 parking fine, either.

By simply changing a sequential number on the council's "Parking Ticket Waiver Request" online form, he discovered he could pull up a vast number of images in the system, some from as far back as July.

In many of them, car registrations and drivers were clearly identifiable.

In addition, he discovered in a couple of quite simple steps he could also see images captured by CCTV that appeared to have not been among the selection supplied to the individuals by the council along with their parking infringement notice – often because they included identifiable images of bystanders - but were still somehow attached to the council file on the incident.

His estimation: there's more than 15,000 images he's unauthorised to access are at his disposal.

He approached Crux after alerting the QLDC to the issue, and waiting two days without a response.

Crux followed up, asking council staff if they were aware of the privacy breach and whether a fix was required.

The response, on Friday, from a council spokesperson: “We have consulted with the Office of the Privacy Commissioner and can confirm there has been no breach of privacy. We have advised the member of the public who raised their concerns earlier this week.”

So, what does the Privacy Commissioner have to say about best practice for any organisation, like the council, that uses CCTV images?

“Because CCTV captures images of people, which can be used, stored, manipulated, and disseminated, those who operate the systems need to be aware of how to manage privacy issues,” the commissioner’s online guidance says.

The commissioner advises an organisation to plan for how any recorded footage will be kept safe and secure, and that includes controlling who has access.

In addition, any information that is collected needs to be securely disposed of once it’s no longer needed for the organisation’s purpose, it says.

In its own CCTV policy, the council says it will not keep recorded images for more than 90 days, unless required for evidential purposes.

And, if it does have to keep any images for longer than that three-month window, "servers and other technology devices containing recorded footage will be housed in a secure location with access by authorised personally only". Plus, the images, generally, are not allowed to be downloaded.

Also in the council’s policy: images will not include any information that could identify a person uninvolved with an infringement. So, identifiable images of bystanders and vehicle registration numbers of third party vehicles are a no-no.

Despite assurances from QLDC its system has received a thumbs-up from the Privacy Commissioner the member of the public who raised the issue with Crux continues to believe the privacy concerns he's raised with the council are valid.

He claims the system is "shonky", especially when compared to those of other local authorities that require two pieces of information - a car registration and an infringement number, for example - to access file images captured on CCTV.

"It does not prevent unauthorised access - I am not authorised to access it, but I can."

There's one more bizarre thing to note since Crux approached the council about the alleged privacy breach. On Saturday, the member of the public was in touch to say it appeared the council had changed its way of operating. 

The QLDC says it's made no changes to how it stores CCTV images related to parking infringements online in recent days, despite several users noting photos have, at times, been unavailable (Image: Supplied screen grab)

Using the web portal for parking infringements, images no longer appeared as they had as recently as last week. Instead, the user was asked to email the council to request images be supplied. It was the same on numerous devices in the user's household - and for a friend in Christchurch and another in Wellington, who the user also asked to check it out.

So, why the seemingly abrupt change in process, when the council’s response to Crux and the user who first raised the issue was that it was “comfortable” it was doing nothing wrong?

We put the question to the council, and a spokesperson replied saying: "No changes have been made to the system in recent days and photos are appearing as normal at our end after testing by both the parking and IT teams."

Crux also tested the system and, as was the case for the council staff, found images to still be available online.

However, we were supplied with a screen grab of the "Please contact QLDC for your photo" experience of the public user of the online parking ticket waiver portal.

Yesterday, Crux approached the Privacy Commissioner for comment. We received a follow-up phone call, but no official response to the matters raised had been supplied by time of publication.

In February Crux reported the council had received $11.8 million through parking fines, parking meters and permits, issuing more than 124,000 parking tickets, between January 2019 and December 2021.

At the time, Crux also raised concerns about privacy breaches as two parking tickets issued to a Crux vehicle involved CCTV images of the wrong person and vehicle, the wrong time and the wrong parking zone. 

Main image: A randomly selected photo, which was captured by CCTV in downtown Queenstown and viewed and dowloaded by Crux using the QLDC's online services for parking infringements. A spokesperson for the council says it's 'comfortable' with how its system protects the privacy of members of the public and its position is backed up by the Privacy Commissioner.