QLDC tightens CCTV privacy - but claims everything was fine before
The Queenstown Lakes District Council says it is a coincidence it has tightened its online systems just months after privacy concerns were raised regarding the way it was storing images, but the resident who initially flagged the issue says the change, which has been given a big tick by the country's privacy watchdog, provides him vindication.
Double verification is now required from individuals seeking to access CCTV images relating to parking infringements.
Both a parking infringement number and a vehicle registration number must now be entered before any stored images attached to a fine can be seen online.
The change is being welcomed by the Office of the Privacy Commissioner, who stepped in last November after the member of the public brought what he considered to be a lax approach to privacy by the council to its attention.
“We did talk with Queenstown Lakes District Council about their practices and as a result of our intervention and conversations with members of the public we have seen a change in how the council collects information for parking infringement notices," a spokesperson for the Office of the Privacy Commissioner says.
“The introduction of both the requirement for the infringement notice number, the car number plate and the Google reCAPTCHA test provides for privacy to be maintained and should prevent privacy creep.”
Yet the council continues to defend its former system, saying the changes that have been made are unrelated to any intervention by the Privacy Commissioner.
“The system in place at the time of your (Crux’s) original query met the requirement of the Privacy Commissioner and no changes were required,” council's parking team leader Carrie Edgerton says.
“However, we have since migrated to a new internal system that has been in development across different council departments for several months. This provided an opportunity for us to review the process and consider making our own changes.”
The new requirement for both an infringement number and vehicle registration to be entered to access data “is over and above current privacy requirements but we recognise will offer greater assurance for some users”, Ms Edgerton says.
However the member of the public who first flagged his concerns about the way the council was dealing with images captured on its CCTV cameras disagrees with the council’s take.
The Queenstown resident, who contacted Crux after going online to retrieve details of his own parking infringement and quickly realising he could see and download images dating back months and relating to thousands of other individuals, maintains the council’s former system was slack.
“If the QLDC wants to use a CCTV system to generate millions of dollars in revenue, for minor parking infractions, it needs to be secure.”
He says approximately 14,000 images were accessible - not an insignificant amount of images – and although in public there is no expectation of privacy, it is his view that does not negate the council’s responsibility to have stored the images securely.
He says he doesn’t think the council handled his criticism of its system well.
“I never got a reply from QLDC until I contacted Crux. I believe I laid out the issue clearly, in an easy to understand format. I gave adequate time to respond to my concerns. I believe I was being ignored. Then when I did get a reply it was just a throwaway ‘everything is fine’.”
The approach the council took with him, in his view, was a “bit gaslighty”.
“Reading QLDC's own CCTV policy, and the Privacy Commissioner's guidelines, the system was demonstrably bad, so I never second guessed myself.
“The change in system is an admission of sorts, which is vindicating.”
So, did he ever pay the $40 parking fine he was challenging back when Crux’s first coverage of this story began?
“Yes, I own my mistakes.”
Read more: QLDC denies serious CCTV privacy breach