A recent Human Rights Review Tribunal case has attracted some attention as a result of its colourful facts – bad feelings between previously friendly neighbours, allegations about vandalism, and a compensation bill of $7000.
It isn’t just a human interest story, though. This is the first Tribunal decision to consider CCTV, and the effect of privacy enhancing technologies, and it has set some clear legal boundaries.
Armfield v Naughton  NZHRRT 48 contains some straight-shooting advice from the Tribunal about how businesses need to set up and manage CCTV systems.
Briefly, a bed and breakfast owner had been having problems with property damage and set up eight CCTV cameras around his house. Three cameras overlooked his neighbour’s property. One camera was angled over the front garden with a children’s swing, the second pointed towards the neighbour’s side door, and the third covered an area of the backyard.
The relationship between the two men had become confrontational and the installation of the CCTV made it worse. The neighbour objected to what he saw as a significant intrusion into his family’s personal space. The bed and breakfast owner refused to talk to the neighbour about the camera system, and failed to respond to lawyers’ letters asking him to change the camera angles.
The Tribunal found the first camera breached the Act. The second and third were saved by the use of masking technology. There was also a breach of principle 3 (failure to notify) and principle 6 (failure to respond to a request for information). The Tribunal awarded $7000 after noting the neighbour’s request that the award should be moderate – but commented it would usually have been $15,000 or more.
Collecting or not collecting, that is the question
First, the Tribunal decided the Privacy Act applies to CCTV. It’s certainly the line that we have always taken (see our CCTV Guidelines). But at least one expert commentator has queried whether information gathered by CCTV is “collected” in terms of the Privacy Act because the camera system automatically captures everything within its range and does not solicit information from each individual.
The reason for the confusion is that the Privacy Act slightly unhelpfully defines “collect” in the negative – it “does not include the receipt of unsolicited information”. But the Tribunal has confirmed this doesn’t mean an agency has to ask for, or actively “solicit” information. Instead, “collection” is the “gathering together, the seeking of or acquisition of personal information.” [44.3]
So CCTV is clearly covered. The whole purpose of setting up a CCTV system is to gather together information within the range of the cameras. The Tribunal has firmly laid the ambiguity in the Act to rest.
Failed attempts to collect may now be covered
The Tribunal goes on to say that collection refers to the “framework or process for collection which must be in place before information is received”.  In other words, the agency has obligations before the cameras are switched on: in particular, the obligation to have a legitimate reason for setting up the camera system, which is necessary for some business purpose; the obligation to tell people the cameras are there and why; and the obligation to be fair and not unreasonably intrusive with how information is collected. Collection encompasses the actions that precede actually getting the information in one’s hand.
The logical upshot of this is that failed attempts to collect personal information might also breach the Act. This is a new angle for the Tribunal, though it had indicated there should be liability for attempts in an earlier case. The Law Commission has recommended that attempted collections should be covered, and the government has supported that recommendation. The stars are therefore lining up. Agencies need to be careful to set up their systems correctly from the start and not trust to luck.
The Tribunal acknowledged that CCTV can be a legitimate and valuable way to protect people and property. But it also has the capacity to cause significant intrusions into personal life. Complying with the privacy principles provides the right balance between the two. As part of this analysis, the Tribunal has usefully said that “leveraging technology to enhance privacy is a valuable approach and is to be encouraged.”  This is the role of “privacy enhancing technologies”, affectionately known to the profession as “PETs”.
The camera system here had a facility for cropping the field of vision, which was used on two of the cameras. Despite the apparent camera angle, the neighbour’s backyard and side door were not in fact visible to anyone watching the footage live and nothing in those areas was recorded to disc. Use of the masking technology saved those cameras from being in breach of the Act.
What we’ve got here is failure to communicate …
The problem for the neighbour, of course, was that it was not obvious whether the cameras were recording and, if so, what they were recording. All he could see was that they were pointed at his house. The Tribunal said this highlighted the importance of communication. Agencies need to give clear statements about what the cameras are there to do (and other matters listed in principle 3). This is a continuing obligation. If the field of vision, or other aspects of the system are changed, they need to notify affected people again. They also have to respond to reasonable requests by affected people to see the system and know what information it was recording, so that those people can be confident the system is working lawfully.