• Finding a balance
• A scheme of regulation
• Elements of proposed legislation
• Principle 1: Overt surveillance should not be used in such a way that it breaches an individual’s reasonable expectation of privacy
• Principle 2: Overt surveillance must only be undertaken for an acceptable purpose
• Principle 3: Overt surveillance must be conducted in a manner which is appropriate for purpose
• Principle 4: Notice provisions shall identify the surveillance user
• Principle 5: Surveillance users are accountable for their surveillance devices and the consequences of their use
• Principle 6: Surveillance users must ensure all aspects of their surveillance system are secure
• Principle 7: Material obtained through surveillance to be used in a fair manner and only for the purpose obtained
• Principle 8: Material obtained through surveillance to be destroyed within specified period
• The Privacy Commissioner’s role
• The employment context

FINDING A BALANCE

Protecting the rights of all parties

4.1 The Commission has, throughout this reference, maintained the view that the practice of overt surveillance involves intertwining legitimate, albeit conflicting, interests. Consequently, any recommendations should reflect this and attempt to find a workable solution. These rights belong, on the one hand, to current or would-be users of overt surveillance devices, seeking justifiable protection of their interests. On the other hand, the general public assumes entitlement to some degree of privacy, irrespective of whether this finds explicit recognition in existing law.¹

4.2 Although concerned with potential privacy intrusions, the Commission’s recommendations are not primarily aimed at reducing the incidence of surveillance use, but rather attempt to steer the best course between the various interests involved. In any event, it appears futile in the short term to attempt proscribing surveillance use to any significant extent.² The appropriate result is one which allows surveillance users to pursue their legitimate interests, while leaving surveillance subjects confident that theirs are protected.

4.3 One possible course is to leave surveillance users to continue pursuing their interests, assuming little or no adverse impact upon the rights of surveillance subjects. After all, overt surveillance is, by definition, something known to be taking place. It is familiar and widespread, and is largely intended to act as a deterrent to socially harmful behaviour, thus offering a benefit to the public. It seems hardly to have been touched by regulation anywhere in the world. A sizeable industry has grown around its use both here and overseas, and it features prominently in security systems, from the smallest to the largest. Does it, therefore, require regulation? In the Commission’s view, the answer is yes, and for a number of reasons.

Protecting the privacy we have

4.4 Although individuals have a reasonable expectation that their lives will be free from undue monitoring and that they retain significant control over their personal information, it is suggested in some quarters that these desires are misguided or just too difficult to achieve.³ There are many and diverse benefits of information and surveillance technology, as outlined in Chapter 3. At the same time, the increasing sophistication of technology capable of being used for surveillance purposes, together with the convergence of this and other types of information technology, raise issues of serious concern. The time is opportune to act, for, as one commentator puts it, there is “a great deal of our privacy left to lose [and] considerable privacy to regain”.⁴

4.5 The full impact on privacy of technologies used in current surveillance and data collection practices will not be apparent until some future time. If, however, no action is taken now to try and preserve privacy, then we may indeed be needlessly surrendering that which we still have, without fully understanding the consequences. Furthermore, a complacent attitude with regard to implementing strong privacy safeguards may have unforeseen consequences for potential victims. A laissez-faire attitude to users of such information technology as data collection and surveillance may bring about a situation in which the onus is placed on individuals who have done nothing wrong, to prove their innocence or correct false impressions when surveillance is misused. To avoid electronic surveillance, an individual would have little alternative but to “opt out” of modern society altogether.

Existing protections inadequate

4.6 In the Commission’s view, leaving the area of overt surveillance unregulated ignores the socio-legal context of surveillance use, which has seen electronic surveillance flourish in a society whose laws (such as trespass) are underdeveloped to meet the technological challenge to privacy. The Commission disagrees with the suggestion⁵ that existing laws and codes of practice provide sufficient privacy safeguards against technologies which can access huge quantities of personal information, and which render traditional concepts on which many such laws are based (for example, property rights), irrelevant.

4.7 In the previous chapter the use of overt surveillance was likened to that of a fine mesh fishing net. The indiscriminate haul of information that can be obtained through using overt surveillance devices means that, even if the surveillance were undertaken for a legitimate purpose, not all of the information gleaned necessarily relates to that purpose. What should happen to that information is a serious concern.

Accountability

4.8 The Commission further sees a need for statutory regulation of this area in order to provide certainty, consistency and, above all, accountability, elements missing from self-regulatory schemes. Accountability is crucial to providing the necessary incentive to surveillance users to abide by codes of practice. This has benefits for both users and subjects of surveillance. The latter will have the reassurance of rights backed by the force of law. Concomitantly, these rights will be enforceable by means of prescribed sanctions. The former will have set down clear principles of behaviour, to assist them in upholding community expectations regarding privacy. The enactment of statutory provisions mean that no individual participant within an industry or sector can afford to ignore privacy concerns while benefiting from community assumptions that privacy codes of practice apply universally. In other words, those individual surveillance users who do not uphold the mandated standards cannot enjoy a free ride on the coat-tails of those who do, without risking penalty. Furthermore, the Commission believes that those surveillance users who are already voluntarily abiding by codes of practice will not be adversely affected by this recommendation, details of which are set out below.

Weighing up the interests

4.9 How can the objective of “balancing” the legitimate rights of both the users and the subjects of surveillance be given effect? “Balance” is, in fact, not the apposite term, if this implies a series of parallel rights, or a sort of “give and take”. After all, how real is privacy protection, if compromises of the type exemplified by the quotations appearing at para 3.47 are permitted? If, for every claimed countervailing right or benefit, privacy protections are traded off bit by bit, then the partial right to privacy which remains is, arguably, no right to privacy in any meaningful sense. Privacy breaches are, in effect, sanctioned if the price is right. The Commission agrees with the approach, but not the conclusion, of the Chamber of Manufactures of New South Wales, when it states:

Employers have never submitted that their interests must be balanced against employees’ rights to privacy. Employers have uniformly and consistently emphasised their fundamental right to protect their property, but that within the context of that right there should be protection of employees’ privacy.⁶

4.11 It is, furthermore, important to question the assumptions on which rest arguments favouring the compromising of privacy. Those in favour of, for example, the use of street cameras, accept their efficacy in reducing crime. However, there is no conclusive evidence that street cameras do reduce crime.⁷ The opportunity to introduce privacy protections should not be foregone in the face of what may prove to be illusory benefits.

4.12 This is far from saying that surveillance or other potentially intrusive practices ought to be outlawed. There is, however, in the Commission’s view, a strong argument for regulating privacy-threatening activities, by making surveillance users accountable for their practices and by giving a right of redress to an individual whose legitimate expectation of personal privacy is violated. Even in areas where most people accept they will have to reveal personal details, there is generally statutory protection of the confidentiality of those details, and outrage if this confidentiality is breached.⁸

A legislative response

4.13 New developments in surveillance technology reveal applications whose forms and capabilities are constantly changing. Attempting to regulate each new example of surveillance technology would prove an inefficient and fruitless exercise. Additionally, as we have noted elsewhere in this Report,⁹ the assumptions underpinning current controls on the use of surveillance devices no longer apply. These assumptions include the efficacy of common law protections, such as trespass, as well as hitherto accepted distinctions between “private” and “public”. Even the idea that surveillance is a discrete area, which can be demarcated for regulatory purposes, is no longer applicable, if indeed it ever truly was. Attempting to treat surveillance this way risks implementing obsolete solutions, as happened with the Listening Devices Act 1984 (NSW) (“LDA”), or a legislative patchwork, lacking unity. The enactment of legislation which either targets specific types of devices (and thus leaves gaps in coverage of other types), or, alternatively, renders it more complex through maze-like laws and regulations, is an ineffective means of addressing these issues.

4.14 At the same time, it is desirable that legislative requirements cause minimal disruption to responsible surveillance users, who have set up often costly systems, and are operating them fairly to protect their legitimate interests.

A SCHEME OF REGULATION

4.15 The Issues Paper¹⁰ sought suggestions for regulating overt surveillance. Responses are canvassed at para 3.80. As alluded to above, the Commission does not consider it desirable to leave overt surveillance unregulated, as it leaves unaddressed the interests of surveillance subjects. At the same time, the diversity of overt surveillance technologies renders it difficult to regulate. The same type of technology can be used in an infinite number of scenarios and on a greatly varying scale. A scheme of regulation for overt surveillance must accommodate the interests of the person in the street, a home dweller guarding the front door, media crews gathering material for the evening news, or a firm assisting with security for a major sporting event, to mention just a few examples. It needs to encompass both the global reach of a satellite tracking system and the intimacy of a fingerprint scanner. All forms of surveillance device have the potential to intrude on privacy in an unacceptable way. The Commission proposes, therefore, that legislation governing overt surveillance not be limited in the types of devices to which it applies.

4.16 There is one exception to this, and that is with regard to a small number of devices which fall within the definition of surveillance device and are, indeed, used to conduct surveillance, according to the definitions contained in Chapter 2, but which are not appropriate to regulate in this way. As discussed in the previous chapter¹¹ medical imaging equipment used for medical purposes is such an example. There may be others. Such devices should be listed in a schedule as being specifically exempted from the operation of the proposed Act.

Self-regulation or legislation?

4.17 The diversity in surveillance technology application requires some flexibility in regulation. As is mentioned elsewhere¹² , many surveillance users have implemented voluntary codes of practice to guide their employees or members. These are well-suited to provide flexibility, because they can be adapted to the circumstances of the particular business, industry or other concern. A code can take into account the realities of the environment in which the devices operate. This is a useful feature, to be discussed further below.¹³

4.18 However, in addressing the problems of protecting the privacy rights of the public in the face of inappropriate surveillance, the Commission does not believe that voluntary codes provide the best solution.¹⁴ The Australian Law Reform Commission had this to say on the subject of information privacy:

Would privacy be better served by legislation or by statements of guidelines without the authority of law behind them? Since its establishment, the Privacy Committee of New South Wales has relied heavily on “voluntary guidelines” drawn up, in most cases, in consultation with interest groups, particularly those representing individuals and organisations likely to engage in privacy-invasive activities. These guidelines have generally been based upon principles similar to those recommended in this report. They are purely informal “agreements” with only some of the participants in a limited number of areas of activity. Their impact has therefore been circumscribed. “Gentlemen’s agreements” of this sort, especially if reached only with representative industry bodies in particular industries, cannot prevent unacceptable interferences with privacy by those who either are not members of the representative group or who ignore all but the strict letter of the law. A further consequence of an approach that relies solely on guidelines is that it tends to concentrate on particular sectors of activity, particular areas of concern or particular problems that arise. There is the risk of a total lack of protection in areas not covered by up-to-date guidelines. More significantly, a sector by sector approach is likely to proceed on an ad hoc basis, leaving little time for the formulation of overall policies and principles.¹⁵

4.20 In the Commission’s view, the public’s reasonable expectation of some entitlement to privacy from overt surveillance should be protected by law. At the very least, individuals being recorded without their authorisation should be aware of the fact and of the identity of those responsible and of its purpose. Furthermore, those undertaking the surveillance should be held accountable. These matters can better be addressed through legislation, which applies universally, than through piecemeal voluntary codes or self-regulation lacking real accountability. The practice of overt surveillance should be included within the scope of the proposed Act. Use of overt surveillance, otherwise than in accordance with provisions contained within the proposed Act, would constitute a breach. As discussed earlier,¹⁶ recreational photography, the taping of lectures, and so on, would not be regarded as overt surveillance for the purposes of the proposed Act as these would not meet the legislative definition of surveillance.

4.21 Arguments to the effect that it is unfair to place restrictions on an individual’s right to employ surveillance devices to protect their property ignore the reality that other legislative controls operate to balance the enjoyment of private property with the amenity of others.¹⁷ Moreover, it is often the case that the place being monitored is legally frequented by the public, and may not even be the property of the surveillance user. It is already the case, and likely to become increasingly so, that public surveillance is carried out by private interests. Recent examples highlighted in the press have included the search for private security personnel prior to the Sydney Olympics,¹⁸ and the phenomenon, new to this country, of “gated suburbs”.¹⁹ In 1999,²⁰ Dr Peter Grabosky, director of research at the Australian Institute of Criminology, described the privatisation of crime control and public protection by “crime prevention entrepreneurs” who provide surveillance among their services. All this serves to highlight the diminishing relevance of the public/private dichotomy to a discussion of surveillance regulation.²¹

4.22 Some might argue that legislative measures are heavy-handed, given little hard evidence of abuses by overt surveillance operators. One response to this is that any abuse is impossible to quantify. From time to time examples have come to light.²² The potential for abuse of surveillance is, however, undeniable. As Kevin O’Connor, Australia’s first Federal Privacy Commissioner, has argued, personal information is a tradeable commodity in today’s society, providing the impetus for modern technology to put our privacy and confidentiality at greater risk than ever before.²³

4.23 In any event, many industries and public authorities²⁴ currently using overt surveillance have already formulated codes for their own use which reflect privacy concerns. In practice, therefore, the Commission does not expect that most surveillance users would need to modify their practices, so long as they are enforcing their own existing voluntary codes. The main change is to render enforceable practices which many surveillance users say they are engaged in already.

4.24 The Commission also gave consideration to the suggestion made in some submissions²⁵ for a system of licensing²⁶ to pertain to surveillance equipment. Additional cost and compliance measures which would result, both for users, and for government charged with policing such an extensive system, leads the Commission to the view that this is not a viable proposal. The Irish Law Reform Commission commented:

The demand for [surveillance] technology by private actors seems set to grow and not diminish. Restricting this market using traditional tools like import controls, a licensing regime for vendors, a licensing regime for users, etc, is unwieldy and likely to be piecemeal and ineffective.²⁷

Recommendation 17

The use of overt surveillance otherwise than in accordance with the proposed Surveillance Act, should be unlawful. This will entail compliance with the overt surveillance principles (see paragraph 4.38 and following).

The requirement to give notice

4.25 In Chapter 2,²⁸ we recommended that surveillance be considered overt, if prior or simultaneous notice of the surveillance were given to those likely to be “captured” by the device. Elements which will help satisfy this requirement are listed at paragraph 2.78. Further discussion of the notice provision will be found at para 4.48.

Exceptions to notice requirement

4.26 In some cases, it may not be practicable for notice to be given. However, according to the framework we propose, if no notice is given, then the surveillance is deemed covert. Yet there may be circumstances where, for public interest reasons, this is not a desirable outcome. For example, media coverage of newsworthy events could easily include footage of members of the public unaware they are being recorded. Much of the everyday activity of media organisations would be impossible or unduly cumbersome if notice to surveillance subjects were compulsory. So long as recording is carried out openly, and no attempt is made to actually conceal surveillance devices, it appears reasonable in such cases to dispense with notice requirements. This exemption would apply only in cases of genuine media use, for example to illustrate a news story, otherwise consent of the subject should be sought.

4.27 Home use of surveillance devices is another area which the Commission believes should be exempt from notice requirements. The Commission is reluctant to recommend introducing regulation in a domestic situation where the sole motivation is personal security, and does not extend to, for example, spying on neighbours or, for that matter, guests. The guiding principle is, therefore, that notification is not required if the surveillance is of a general non-targeting nature, and conducted purely for reasonable household security. Some people will choose to erect signs on their property, because they hope this will act as a deterrent. The presence of a sign should not, however, have the automatic effect of deeming a visitor to have consented to being monitored, especially in the case where he or she is part of a group specifically targeted, where the surveillance device is concealed, or where the surveillance is conducted for reasons other than security. For example, it will not be permissible to conceal a camera in a teddy bear to spy on a babysitter without having regard to the provisions contained in Chapter 7, dealing with employment relations. In other circumstances, it may be necessary to obtain a warrant in order to conduct household surveillance.

4.28 A third case in which it may be appropriate to waive notice requirements for the operation of overt surveillance devices is in correctional centres, as well as in vehicles used to transport offenders, and the like.²⁹ Public safety considerations must be given priority in such situations, and, furthermore, it is reasonable to assume that the surveillance targets would not be surprised to find themselves subject to monitoring in these circumstances. Exemptions from notice requirements for this and the other categories mentioned above should be specified in the proposed Act.

4.29 Surveillance users should exercise care in relying on an exemption from giving notice. Failure to give notice in circumstances where no exemption applies will result in the surveillance being deemed covert, and criminal sanctions may apply. In difficult cases users should be able to seek a ruling from the Privacy Commissioner.³⁰ It should be further noted that exemption from a requirement to give notice does not mean that the surveillance user is exempt from any other compliance measures.

Recommendation 18

In certain cases specified in the proposed Surveillance Act, surveillance will be regarded as overt, notwithstanding the absence of notification to potential surveillance subjects.

4.30 Ultimate responsibility for compliance with the scheme of regulation being proposed rests with the surveillance user. This is the individual or organisation with the authority to direct that surveillance be undertaken. This responsibility should not be delegable to an official within the organisation or to a security contractor, nor should it be claimed to reside in the general public or some such group, for whose benefit it is claimed the surveillance is undertaken. Within an organisation, however, some individual must be given authority to operate the surveillance system in accordance with the requirements of the proposed Act, or to hire a contractor to do so.

4.31 There may also be instances in which surveillance schemes are operated jointly by partners. For example, local government may form an alliance with local businesses to operate a surveillance system.³¹ The inclusion of the latter may well be necessitated by the high financial cost involved. In such cases, partners should be jointly responsible, so as to ensure complete accountability to the public.³²

Codes of practice

4.32 Although the Commission believes legislation is essential to underpin the use of overt surveillance, codes of practice have a very useful role to play. Formulating a code would require surveillance users to give consideration to the overt surveillance principles, discussed below, before incorporating them into the day-to-day operation of the system. While it is envisaged that such codes would be mandatory, they would operate essentially as an internal document to guide those managing the system. The failure to draft a code of practice in accordance with the proposed Act would constitute a breach. However, it is important to note that a breach by the surveillance user of its own code of practice is not intended to give rise to any right of action in another party.

4.33 Consistency in surveillance use assists both surveillance users and the general public, by allowing all parties to become accustomed to acceptable practices, and gain a better understanding of their respective rights and responsibilities. A code has the potential to facilitate consistency in practice across a number of surveillance systems operated by the one user (such as a supermarket chain), or across an entire industry (such as retail traders). The latter becomes more likely if industry umbrella organisations, with input from their members, draft industry-wide codes. This may increase consumer confidence in the surveillance practices of the particular industry, leading to benefits in both image and even profits.³³ It would be in the interests of the industry to apply pressure to rogue members who pay lip service only to the relevant code, or who choose openly not to subscribe. In this sense, there is a role for self-regulation within industries, with benefits flowing to the public.

4.34 A further advantage is that a code or set of operating principles is a useful tool by which regulators can measure compliance with the Act. If a code is deficient in its embodiment of one or more of the legislated principles, this may signal a failure in practice to comply with those principles.

4.35 Another important consideration in requiring certain surveillance users to formulate codes is that these are then available to any member of the public who is subject to the surveillance. This is consistent with the goals of furthering accountability, by making it possible to identify the surveillance user and the purposes of the surveillance.

4.36 The Commission is mindful of not imposing unnecessary or burdensome obligations on surveillance users. Many of the submissions from surveillance users indicated a desire to use codes, and indeed many already have codes of practice in place which could be adapted with little change for the use proposed here. The Office of the Privacy Commissioner can make an important contribution in assisting a surveillance user to draft a suitable code. It could also formulate a list of issues which codes need to address in order to comply with the overt surveillance principles.

Exceptions

4.37 For small surveillance users, such as family-run businesses or people seeking household protection, the need to formulate a code of practice would be cumbersome and of little practical use. Such users should be exempt from meeting this requirement. Only “relevant surveillance users” would be required to formulate and comply with a code of practice. Regulators, in consultation with users and the security industry, should develop criteria to establish who would fall within this category. One possible criterion is the total number of surveillance devices operated by the user, regardless of whether installed on one or more premises. Another criterion might be that businesses operating as part of a franchise be required to draft and adopt a common code. Of course, smaller users would be permitted to adopt a code, and could subscribe to one operating within the same industry. All surveillance users, whether or not required to implement a code of practice, would nevertheless be bound to comply with the overt surveillance principles.

Recommendation 19

“Relevant surveillance users” (defined in the proposed Surveillance Act according to criteria such as the number of devices operated) should be required to formulate and act in accordance with a code of practice consistent with the overt surveillance principles. A relevant surveillance user should make its code available for perusal by any member of the public subjected to its surveillance.

4.38 In its 1983 Report on Privacy,³⁴ the Australian Law Reform Commission reviewed a number of formulations of information privacy principles, such as those of the Organisation for Economic Co-operation and Development (OECD). The Report stated:

These and other attempts suggest that there are a number of fundamental themes that underlie all statements of information privacy principles. These themes can be made explicit.³⁵

4.40 The principles proposed by the Commission are set out below. There will be some degree of overlap between them. They are not designed to work in isolation, but to interact so as to allow for adjustment between conflicting interests. For example, while one principle allows overt surveillance to be used for specified purposes, the fact that this condition is satisfied does not preclude the subject from complaining that his or her reasonable privacy expectation was, nevertheless, breached, or that the manner in which the surveillance was conducted was inappropriate. Furthermore, it would not be permissible to derogate from these principles, for example, by means of contractual arrangements. Non-compliance with overt surveillance principles, unlike codes of practice, constitute a breach of the proposed Act.

PRINCIPLE 1: OVERT SURVEILLANCE SHOULD NOT BE USED IN SUCH A WAY THAT IT BREACHES AN INDIVIDUAL’S REASONABLE EXPECTATION OF PRIVACY

4.41 The expression “reasonable expectation of privacy” is used at para 1.13 as an intuitive measure of the acceptability of surveillance conduct. The Irish Law Reform Commission stated the view that privacy is a personal right, “following the personal space of the person”.³⁶ The Commission agrees, and believes that for this reason the right is not extinguished by entry into either a public space or onto another’s private property. While a person’s physical location will clearly have a bearing on whether his or her expectation of privacy was reasonable in the circumstances, it would not be just to make this the sole factor. Defining the limits of the right in objective terms such as “public” and “private” or “inside” and “outside” might seem to be expedient, but these are likely to lead to confusion. For example, into which category should the following fall: an open window at ground level, the same window covered by a net curtain, a balcony, a tent in a camping ground, a parked car, or a front yard?³⁷

4.42 Other factors³⁸ to consider in determining whether a person had a reasonable expectation of privacy include the nature or customary use of the location (eg a change room, or a room for mothers to breastfeed babies), the type of surveillance device being employed,³⁹ and even the timing of the surveillance.⁴⁰ Other considerations might include the behaviour and intention of the surveillance subject. For example, even in a setting normally regarded as private, if a person behaves in a way that unambiguously draws the attention of onlookers, he or she cannot claim to have had a reasonable expectation of privacy. By extension, people who for one reason or another willingly court publicity, such as some politicians and film stars, may be entitled to a lower expectation of privacy in some contexts than ordinary members of the public. This should not, however, lead to the consequence that people in the public eye thereby forfeit an expectation of privacy. In its adjudication⁴¹ on the Woods case, the Australian Press Council upheld a complaint against the newspaper. It rejected the public interest argument put forward by the newspaper, that the Senator “was a public figure involved in issues of legitimate interest to the public, who after all paid his salary, and his wife was involved in the issues being aired before the public.”⁴² The Council regarded publication of the photographs as “a breach of its principle relating to ‘respect for the privacy and sensibilities of individuals’ and [saw] no compelling public interest in the obtaining and publication of pictures of this kind”.

4.43 A reasonable expectation of privacy cannot be ousted through the provision of notice of surveillance. The giving of notice is required as a prerequisite for surveillance to be deemed overt, unless falling within one of the exceptions referred to at para 4.26 and following. Thus, surveillance users cannot subvert the privacy protection offered by this principle simply by mounting numerous signs declaring the area to be under surveillance. If this were permitted, then change rooms and the like could be treated no differently to pedestrian malls in terms of privacy protection.

PRINCIPLE 2: OVERT SURVEILLANCE MUST ONLY BE UNDERTAKEN FOR AN ACCEPTABLE PURPOSE

4.44 The legitimate uses of overt surveillance were discussed earlier.⁴³ As these can be identified, the Commission believes that overt surveillance should be permissible only for one or more of these specified purposes. They are:

1. protection of the person;

2. protection of property;

3. protection of the public interest;

4. protection of a legitimate interest.

4.46 Protection of the person and property are relatively straightforward. Protection of the public interest and protection of a legitimate interest are broader categories, created so as not to exclude overt surveillance for another socially acceptable purpose. Examples are road safety and coastal surveillance.⁴⁴ The taping of dealings between a person and that person’s client, where notified, is another possible example. Categories 3 and 4 cannot be overly prescriptive, and must be flexible enough to allow for a range of circumstances. Overt surveillance by the media is a case in point, where even “media” is an imprecise term. For example, there have been cases of camera crews trailing police and medical personnel in quest of real-life drama to capture for television. Examples have included individuals suffering heart attacks⁴⁵ or humiliating themselves while undertaking sobriety tests. Such instances of “real TV” might be regarded as protecting the public interest, or protecting a legitimate commercial interest, or neither of these, depending on the circumstances. Similar issues might arise when filming, for example, a beach scene. This could be for the purpose of illustrating a report on skin cancer, or the images of topless or scantily clad female beachgoers may be sold on the Internet without the consent, let alone payment, of the surveillance subjects.⁴⁶ In cases of doubt, recourse may be had to the Privacy Commissioner for a ruling as to whether the purpose is acceptable within the meaning of the proposed Act.⁴⁷ However, even if the “acceptable purpose” criterion is satisfied, surveillance users will still need to exercise care with regard to other principles, such as respecting the subject’s reasonable expectation of privacy.

PRINCIPLE 3: OVERT SURVEILLANCE MUST BE CONDUCTED IN A MANNER WHICH IS APPROPRIATE FOR PURPOSE

4.47 Earlier⁴⁸ we alluded to the revelation of video footage from Burswood Casino, which was evidence of the fact that one or more security camera operators, in the course of carrying out permissible surveillance, used the equipment’s capabilities in a quite improper manner by zooming in on female patrons’ apparel. In that case the surveillance was being undertaken for an acceptable purpose, but being conducted in a manner inappropriate to that purpose, and infringing on the subjects’ reasonable privacy expectations. This kind of monitoring, incorporating what might be termed a “perve” factor, is sufficiently disturbing when carried out as just described, but also has the potential to be used in a discriminatory fashion. Operators of street safety cameras, for example, have the capability to zoom in on, as well as the liberty to prolong surveillance of, an individual or group. While elderly women, as a statistical group, may be less likely than young males to commit crimes or engage in other unacceptable conduct, the onus must be on surveillance users to avoid targeting particular groups or individuals. Codes of practice or other guidelines should make this explicit. Otherwise, there is a risk that surveillance is conducted according to prejudices, such as those that dictate that members of particular minorities, or even groups of young people in general, are more predisposed than other sectors of society to behave in undesirable ways. Unless relevant to the legitimate purpose for which the camera is operated, such practices may well be excessive or discriminatory. Even if the attention of the camera operator is drawn by no more than idle curiosity, it should still be avoided as a distraction compromising the efficacy of the system.

PRINCIPLE 4: NOTICE PROVISIONS SHALL IDENTIFY THE SURVEILLANCE USER

4.48 If surveillance users are to be held accountable for their conduct, they must be readily identifiable. Part of the process of notifying surveillance subjects that they are under surveillance should involve providing information about the identity of the user. To the extent that subjects give their consent to being watched, the basic information needed to inform a decision must include the identity of the watcher. Even though consent is often meaningless in this context due to the unfeasibility of “choosing” to avoid surveillance in modern urban life, the public still has the right to know who is watching. The identity of the user should include an address at which the user can be contacted, otherwise a front name can be used to avoid accountability. Furthermore, members of the public and the Privacy Commissioner need to know where inquiries and complaints can be directed.

4.49 It is not envisaged that every notice advising that the area is under surveillance carry all of this additional information. A member of the public should, however, be able to discover this information without undue difficulty. With regard to media organisations, although it was proposed above⁴⁹ that they be exempt from the requirement to give notice of carrying out overt surveillance activities, their personnel should be readily identifiable by station logos while doing so.

PRINCIPLE 5: SURVEILLANCE USERS ARE ACCOUNTABLE FOR THEIR SURVEILLANCE DEVICES AND THE CONSEQUENCES OF THEIR USE

4.50 All surveillance users must be accountable for their devices and the activities undertaken with them. They must also be accountable for the records or output of those devices, such as videotapes. In practice, users should be held responsible for everything pertaining to the operation of surveillance devices, including the system’s proper operation, the conduct of security staff involved, and the misuse of any information or product generated by the surveillance. Responsibility cannot be delegated to others, such as security contractors.

4.51 Surveillance devices must be available for inspection by the Office of the Privacy Commissioner. This is to monitor for compliance with any prescribed standards, as well as to investigate complaints, such as the positioning of devices. This is discussed below at para 4.68 and following. To facilitate the task of inspection, it is recommended that all public sector surveillance users, as well as all relevant surveillance users (as described above at para 4.37), maintain a register containing details of the number, types and locations of all their overt surveillance devices, together with any other details from time to time required by the Privacy Commissioner, such registers being available for inspection by the Privacy Commissioner at any time.

Recommendation 20

All public sector surveillance users, as well as all “relevant surveillance users” operating within the private sector, should maintain a register containing details of the number, types and locations of all their overt surveillance devices, together with any other details from time to time required by the Privacy Commissioner. Such registers should be available for inspection by the Privacy Commissioner at any time.

4.52 Because of the public funding involved, the likely wider scale of coverage, and the possibility of information-sharing between them, when surveillance is undertaken by government departments, public authorities and the like, accountability provisions should be more stringent than those required of the private sector. This is not to imply that a lower standard of conduct from the private sector is acceptable, but merely to recognise that an undue burden may be placed on businesses and other private entities forced to comply with too many procedural requirements. Public bodies, such as local councils,⁵⁰ which may run surveillance systems in cooperation with private entities, should be under the same obligations regarding accountability as systems that are wholly publicly funded.

Annual reports

4.53 Government departments, statutory authorities, local councils and any other public body should be required to include in their annual reports⁵¹ information about their overt surveillance systems. In addition to statistical information concerning the extent of the system and its associated costs, the report should give an indication of the results believed to have been obtained through the use of such devices. It is acknowledged that this may not be information that can be objectively ascertained. For example, the fact that certain types of crime may have decreased may not necessarily be attributable all or in part to any particular strategy, such as the installation of street cameras. However, for the body in question to be truly accountable to its public, there must be some basis on which to justify both the ongoing surveillance, and its associated cost. A requirement to report may have a desirable flow-on effect, in helping prevent public sector surveillance users from becoming complacent about their existing systems. If surveillance systems are to be effective and credible, they must be properly maintained and their mode of operation reviewed from time to time.⁵²

PRINCIPLE 6: SURVEILLANCE USERS MUST ENSURE ALL ASPECTS OF THEIR SURVEILLANCE SYSTEM ARE SECURE

4.54 Users must ensure that the surveillance is carried out in such a way that there is no unauthorised access to equipment, recordings, or any other aspect of the process which could compromise the privacy of any of the surveillance subjects. Exemption from the requirement for a code of practice⁵³ does not release a surveillance user from the need to exercise care in relation to security. Where, however, a code of practice is in place, it needs to address a number of issues.

Staff

Qualifications

4.55 Under the Security Industry Act 1997 (NSW), a person must hold a licence in order to carry out a security activity.⁵⁴ A person carries on a “security activity” if, in the course of employment or of conducting a business, the person among other things patrols, protects, watches or guards any property (including cash in transit),⁵⁵ or installs, maintains, repairs or services security equipment.⁵⁶ “Security equipment” is defined as including “any mechanical, electronic, acoustic or other equipment designed or adapted to provide or enhance security or for the protection or watching of any property.”⁵⁷ It seems, therefore, that staff hired to monitor security cameras are required to hold a licence under the Act. The Commission believes this should be the case and that the Act be amended to reflect this. Under the Security Industry Act 1997, the Commissioner of Police cannot grant a licence if the applicant is not a fit and proper person,⁵⁸ and may refuse a licence if this is considered contrary to the public interest.⁵⁹ The Commission proposes that staff operating surveillance equipment in control rooms or similar circumstances must be licensed in accordance with the Security Industry Act 1997.

4.56 In the case of small businesses or other concerns where electronic surveillance is conducted on a smaller scale without the need for a control room and security personnel, the obligation to be licensed is dispensed with. This might arise where a person employed by the surveillance user to perform other duties, such as sales or management, is also given responsibility to operate the surveillance system. The main reason for the distinction regarding licensing requirements is that security personnel are engaged fully in activities such as surveillance and are likely to be conducting surveillance activities through real-time monitoring. This gives them a potentially greater impact on the privacy of surveillance subjects through their ability to control, for example, camera functions and targeting, than the employee occupied in other activities, or where real-time monitoring is not taking place.

Recommendation 21

Staff operating equipment in control rooms (or in similar circumstances) with which to conduct overt surveillance, should be licensed in accordance with the Security Industry Act 1997 (NSW). The Security Industry Act 1997 (NSW) should be amended to provide that “security activity” is defined as including the monitoring or operating of a surveillance device or system.

4.57 All staff involved in the operation of the surveillance equipment, or with access to it or to any tapes, recordings or other data produced by it, must be properly trained in procedural matters, whether or not they are licensed security personnel within the meaning of the Security Industry Act 1997 (NSW). Procedures for the use of surveillance will be set down in the code of practice applicable to that business or other concern. Where, due to an exemption, no code of practice applies, the surveillance user must be responsible for ensuring that such personnel are properly acquainted with the correct procedures and their responsibilities thereto. The Office of the Privacy Commissioner can play a very useful role in formulating easily comprehensible guides for such use, setting out the privacy objectives to be met, and the standard measures to be undertaken, such as protocols for the secure storage of tapes.⁶⁰

4.58 Staff must also be made aware of the possible consequences, including dismissal and even criminal liability, for incorrect or improper behaviour. Of course, these standards of behaviour also apply to surveillance users themselves, or to any person given responsibility for managing surveillance by the surveillance user. Any guides issued by the Privacy Commissioner, such as those just referred to, can also include a summary in plain English of the legal responsibilities and possible consequences for breach arising under the proposed Surveillance Act.

Surveillance material

4.59 In cases of real-time monitoring, only those persons with responsibility for undertaking such monitoring should be in the control room or area. Examination of tapes or other recordings should also, likewise, be restricted to those with the responsibility to do so, whether that be security staff, the proprietor of a business, a homeowner or, in the case of a local council, for example, a committee including councillors and community representatives. Ownership of the images appearing on videotapes is not an issue dealt with in this Report. Nevertheless, great care must be taken that such material be dealt with in an appropriate manner. For example, videotape recordings or images obtained from surveillance should not be sold, given to unauthorised persons, used for entertainment purposes, or displayed as “wanted” posters.⁶¹

4.60 Procedures must be developed whereby videotapes (or other recording media) are designated for use in a particular sequence, and rotated according to that sequence. After the last tape is used, the sequence begins again, so that the old material is replaced with the new recording. Periodically, the tapes will need to be discarded and replaced with new ones to maintain quality. The recordings themselves must be securely stored so as to prevent theft or unauthorised access. They may be accessed only for the proper purposes (see Principle 7 below), and may not be copied or transcribed. All of these matters must be addressed by codes of practice, where these apply.

PRINCIPLE 7: MATERIAL OBTAINED THROUGH SURVEILLANCE TO BE USED IN A FAIR MANNER AND ONLY FOR THE PURPOSE OBTAINED

4.61 Just as overt surveillance may only be carried out for one or more of the permissible purposes under Principle 2, so also any material obtained as a result, such as recordings, may only be put to the same purpose. Where material obtained for one purpose is sought to be used for another, acceptable, purpose, the proposed legislation should allow for an order to be made to this effect. This might take the form of a law enforcement exception to the principle. For example, police may wish to circulate the photograph fairly obtained by the media of an individual being sought by them. The Commission does not believe there is a need to widen this exception to include the general public.

4.62 Adherence to the principle means that surveillance users are responsible for compliance with the following prohibitions in relation to material obtained through surveillance:

• no unauthorised viewing, listening etc;
• no unauthorised copying of all or any part, and where authorised copies are made, these should be strictly limited in numbers;
• no unauthorised transfer or conversion to another format of the material obtained by surveillance;
• no unauthorised person to be given access;
• no amendment, deletion or alteration.

PRINCIPLE 8: MATERIAL OBTAINED THROUGH SURVEILLANCE TO BE DESTROYED WITHIN SPECIFIED PERIOD

4.64 Material obtained through surveillance cannot be kept indefinitely, and must be taped over or destroyed within a specified time period. The choice of a maximum time for which recordings may be kept is somewhat arbitrary. Suggestions raised in submissions ranged from 12 hours⁶² to 30 days.⁶³ It is not always clear whether any particular tape might have some evidentiary value. It may, for example, provide a useful lead in tracing the movements of a missing person, whose disappearance is not even reported for some days. The Commission feels that setting the limit at 21 days is a reasonable period for the tapes to be kept available, so as neither to risk permanent loss of potentially valuable evidence, nor pose an unacceptable risk to privacy. Surveillance material obtained overtly and genuinely for media purposes need not be destroyed within this time limit if the intention is to retain it for file footage.

4.65 Extensions of time should be available where it is reasonably believed that recordings contain useful evidence or can aid in investigations relevant to either civil or criminal proceedings. The Commission proposes that it should be open to any individual to apply to a magistrate for an order to retain a surveillance recording beyond the suggested 21 day period in a place specified by the order. Recordings could then be held by the police or in some other nominated place.

4.66 Surveillance material cannot be copied or converted to another format, thereby avoiding the operation of this principle, without the express consent of the Privacy Commissioner.

THE PRIVACY COMMISSIONER’S ROLE

4.67 The functions of the Privacy Commissioner are largely set out in the Privacy and Personal Information Protection Act 1998 (NSW).⁶⁴ The proposed Surveillance Act gives the Privacy Commissioner new powers and functions to facilitate the objectives of the legislation. Procedures for dealing with complaints and reviews are discussed more fully in Chapter 10.

Powers

General

4.68 The general functions⁶⁵ of the Privacy Commissioner which are listed in the Privacy and Personal Information Protection Act 1998 (NSW) would well serve the goals of the legislation proposed here with regard to overt surveillance, and in most cases would require only slight amendment. Some of these functions, which appear at section 36(2), refer specifically to the information protection principles, contained in Part 2 of that Act, but could just as well apply to the overt surveillance principles proposed by the Commission. Examples of such functions include:

(a) to promote the adoption of, and monitor compliance with, the information protection principles

...

(d) to provide assistance to public sector agencies in adopting and complying with the information protection principles and privacy codes of practice; and

...

(k) to receive, investigate and conciliate complaints about privacy related matters ...

Appointment of inspectors

4.70 As well, the Privacy Commissioner should be given power to appoint inspectors. Under the accountability principle,⁶⁶ it is proposed that certain users be required to maintain registers setting out details of their overt surveillance systems, which can then be inspected as deemed necessary by the Office of the Privacy Commissioner. In addition, inspectors should be empowered to enter premises for the purpose of inspecting surveillance devices, where there is a reasonable belief that an offence against the proposed act has been committed. Similar provisions exist in other enactments. Thus, if inspectors appointed under the proposed Surveillance Act were given rights analogous to those of inspectors appointed under the Casino Control Act 1992 (NSW), they could enter business premises to do one or more of the following:

(a) observe the operation of the surveillance system;

(b) ascertain whether the operation of the surveillance system is being properly conducted;

(c) ascertain whether the provisions of the proposed Act are being complied with;

(d) exercise any other function under the proposed Act.⁶⁷

Determining standards

4.72 The Superintendent of Trade Measurement is responsible for providing and maintaining standards of measurement,⁷³ with which measuring instruments used for trade⁷⁴ must comply.⁷⁵ A similar power would, it is envisaged, reside in the Privacy Commissioner to determine what specifications, standards or restrictions, if any, should apply to devices used for overt surveillance. For example, it may be stipulated in certain circumstances that devices be no more sensitive or have no greater surveillance capacity than is necessary for the stated purpose (in accordance with Principle 3).

Rulings

4.73 In order to provide some measure of certainty and help avoid problems arising at some later date, it would be useful if the Privacy Commissioner were able to give binding rulings on matters of a preliminary or threshold nature. For example, a surveillance user might seek to ascertain whether he or she falls into a category exempted from the requirement to give notice of overt surveillance. Alternatively, a user may desire clarification as to whether the purpose for conducting overt surveillance is an acceptable purpose⁷⁶ within the meaning of the proposed Act.

THE EMPLOYMENT CONTEXT

4.74 The Commission considers that overt surveillance of employees by employers should be regulated according to the general framework proposed for overt surveillance, with the exception of the notice requirements outlined in Chapter 2.⁷⁷ In formulating the content of the notice requirements, we have had regard to current Codes of Practice, which although not legally binding, serve as guides to good practice. These Codes of Practice may also provide guidance to employers when assessing whether their overt surveillance practices comply with the overt surveillance principles.

Codes of practice

4.75 The most comprehensive guidance regarding overt video surveillance in the workplace is found in the Privacy Committee’s Code of Practice for the Use of Overt Video Surveillance in the Workplace (the “Code”).⁷⁸ The focus of this Code is on the importance of notification and consultation. Mirroring the Workplace Video Surveillance Act’s default definition of overt surveillance, the Code recommends that employees be given written notice of the intended surveillance a reasonable period of time before the cameras are used and that surveillance equipment be clearly visible, with signage. Expanding on the notification requirement, it is recommended that the prior notice should state the location of the proposed surveillance, the specific purpose and the identity of the person responsible for the conduct of the surveillance. In addition to notification, employers should consult their employees before commencing surveillance and cameras should only be installed in areas and operated during hours which were the subject of prior consultation. The Code also places limits on access to and retention of tapes, and empowers the Privacy Committee to conciliate complaints regarding contravention of the Code, make recommendations, cite instances of serious breach in its annual report or issue a special report to parliament regarding exceptional breaches.

4.76 In March 2000, the Australian Privacy Commissioner issued Guidelines on Workplace E-mail, Web Browsing and Privacy. The purpose of these Guidelines was “to recommend steps that organisations can take to ensure that their staff understand the organisation’s position on [use of e-mail and web browsing] through the development of clear policies”.⁷⁹ In essence, the Guidelines provide a framework for the conduct of overt surveillance of employee e-mail and internet usage. It is recommended that organisations develop policies that advise employees what information is logged and who has access to the logs and contents of staff e-mail and browsing activities. In addition, employees should be advised of any intended monitoring of e-mail and internet usage.

Performance monitoring

4.77 Given the highly controversial nature of performance monitoring and the many forms that the practice can take, the Commission wishes to highlight that substantial consideration must be given to the overt surveillance principles when performance monitoring is in issue.

4.78 Principle 2, which provides that overt surveillance must only be undertaken for an acceptable purpose, is of particular relevance. Whether a particular form of performance monitoring is being undertaken for an acceptable or unacceptable purpose will need to be assessed on a case by case basis. However, an example of what may, in the Commission’s view, be an acceptable purpose, is scanning employee e-mails for indications of unauthorised use. This would fall within the “protection of a legitimate interest” category as employers have a legitimate interest in ensuring that employees are not utilising the e-mail system for purposes such as distributing discriminatory or defamatory material.

4.79 Principle 3, which relates to the manner in which surveillance is conducted, will also be of particular relevance to performance monitoring. Again, whether the manner in which performance monitoring is conducted is appropriate for the purpose will depend on the individual circumstances of the case. However, we consider that factors such as the degree of consultation with employees and the frequency of the monitoring⁸⁰ may be relevant. To return to the e-mail example, we note that the Australian Privacy Commissioner has stated in the Guidelines on Workplace E-mail, Web Browsing and Privacy that:

While it is acknowledged that access to staff e-mails and browsing logs by system administrators may be required in certain circumstances, it is unlikely that pervasive, systematic and ongoing surveillance of staff e-mail and logs should be necessary.⁸¹

2. See para 3.74-3.79.

3. For example, Bruce Phillips, Canadian Privacy Commissioner, asks rhetorically “Is the age now upon us to be the Age of Surrender?”: Canada, Privacy Commissioner, Annual Report 1998-1999 at 1.

4. Canada, Privacy Commissioner, Annual Report 1998-1999 at 2.

5. For example, in Publishing and Broadcasting Limited, Submission at 2.

6. Chamber of Manufactures of NSW (Industrial), Submission at 6.

7. para 3.71-3.73.

8. This was brought to the fore in 2000 by the revelation of plans by the Australian Taxation Office (ATO) to sell personal information supplied by individuals applying for an Australian Business Number (ABN). The ATO had advised applicants for an ABN that the information they supplied would be treated with confidentiality. Instead, the ATO was forced to admit it had been in breach of the Privacy Act 1988 (Cth). The Federal Government announced that, “in response to concerns raised over public access to the register”, restrictions would apply to the information publicly available from the Australian Business Register”. It was also announced that the A New Tax System (Australian Business Number) Act 1999 (Cth) would be amended to improve privacy protection associated with the ABN: M Kingston, “They Won’t Even Let Me Complain” Sydney Morning Herald (3 June 2000) at 4; “Tax Office Admits Privacy Sin” Sydney Morning Herald (6 June 2000) at 3; Australian Privacy Commissioner, “Federal Privacy Commissioner and Taxation Office Continue Discussions Over ABN” (Media release of 5 June 2000) «www.privacy.gov.au/news/00_07.html»; Australia, Treasurer, “Privacy Restrictions on Australian Business Register” (Assistant Treasurer Press Release 29, 20 June 2000) «www.treasurer.gov.au/ assistanttreasurer/pressreleases/2000/029.asp»; Australian Privacy Commissioner, “Federal Privacy Commissioner Welcomes Today’s Announcement on ABN Privacy Solutions” (Media release of 20 June 2000) «www.privacy.gov.au/ news/00_11.html».

9. See para 1.46 and para 1.50-1.58 and para 2.20-2.27.

10. New South Wales Law Reform Commission, Surveillance (Issues Paper 12, 1997) at ch 4.

11. Para 3.5-3.6.

12. Para 3.80.

13. Para 4.32 and following.

14. Discussed at para 3.86 and following.

15. Australia, Law Reform Commission, Privacy (Report 22, 1983) at para 1201. The “voluntary guidelines” approach was repudiated by the Privacy Committee of New South Wales within two years of its promulgation: see para 3.94.

16. Para 3.4.

17. For example, Access to Neighbouring Land Act 2000 (NSW) Pt 2; Environmental Planning and Assessment Act 1979 (NSW) Pt 3; Local Government Act 1993 (NSW) ch 7, s 626.

18. L Doherty, “Shortage Sees Firms Get Familiar” Sydney Morning Herald (2 November 1999) at 2.

19. D Cameron, “Balmain’s Finest Seek Security from the Burglar’s Touch” Sydney Morning Herald (4 November 1999) at 1; C Miranda and S Birch, “Only the Attorney General Feels Safe” Daily Telegraph (5 November 1999) at 18; T Isles, “Private Cops for Lake Shops” Lake Macquarie News (15 December 1999) at 1.

20. P N Grabosky, “Crime Control and Policing in the 21st Century”, paper presented at the 14th Annual Conference of the Australian and New Zealand Society of Criminology (Perth 27-30, September 1999) at 5.

21. See also the discussion at para 2.20-2.27.

22. Para 3.33.

23. K O’Connor, “Why a National Law to Protect the Privacy of Australians?” (1998) 48(2) Telecommunication Journal of Australia 21 at 23.

24. See para 3.80

25. Eg Price Waterhouse, Submission at 5; Privacy Committee of NSW, Submission at 22.

26. For example, under Swedish legislation a licence is required for surveillance of a place to which the public has access: Ireland, Law Reform Commission (“ILRC”), Report on Privacy: Surveillance and the Interception of Communications (Report 57, 1998) at para 6.56 (Act on Surveillance Cameras 1990 (Sweden) s 4).

27. ILRC Report 57 at para 1.69.

28. Para 2.78-2.79.

29. Department of Corrective Services, Submission at 2.

30. See para 4.73.

31. Eg “Castle Hill police last week took charge of state-of-the-art video equipment required to satisfy updated legislative requirements. The digital video camera will be used to record search warrants, interviewing suspects at crime scenes, location and quantities of drug evidence and also for general surveillance. ... The video equipment was donated by the Hills Chamber of Commerce and Industry which approached local electrical retailers after it became aware of the police’s need for the new equipment”: G Moses, “Camera Helps Cops Collar Crims” Hills News (17 August 1999) at 1.

32. “Construction of CCTV surveillance systems in public spaces depends crucially on a strategic alliance between the local state and local private capital. Local state involvement is necessary because of municipal responsibility for the areas that make up the public spaces of city centres in which cameras operate. The high financial costs of installing and running a system, however, mean that individual local councils are unable or unwilling to finance CCTV systems unilaterally. ... The construction of a partnership between the local public and private sectors is, however, fraught with tensions because of the way in which CCTV occupies an ambiguous position, both geographically and conceptually, on the boundary between the private and public domains. From the perspective of local councils there are anxieties about committing public funding to a project which may mainly appear to serve the needs of local private commercial interests and which raises sensitive civil libertarian questions about the invasion of privacy”: N R Fyfe and J Bannister, “City Watching: Closed Circuit Television Surveillance in Public Spaces” (1996) 28 Area 37 at 40.

33. The Internet Industry Association (“IIA”), which describes itself as Australia’s national internet and e-commerce representative body, wrote to the Prime Minister in 1998, requesting the introduction of Commonwealth privacy legislation for the private sector: Internet Industry Association, “Letter to the Prime Minister on Privacy Legislation” «www.iia.net.au/news/981012.html». The letter states: “While this request might seem incompatible with our professed and demonstrable commitment to self-regulation, there are ... reasons why we believe it is appropriate for your government to take a stronger position on the issue of privacy. ... [W]e believe the continued uptake of the Internet in Australia depends on strong consumer confidence in the medium, particularly where e-commerce is concerned. ... As with many difficult regulatory issues which the Internet has created, such as the regulation of online content, the IIA considers that industry should have first option to assume responsibility for issues of social concern. Nevertheless, it is not inappropriate for government to provide a safety net, to catch businesses that are not prepared to assume responsibility for themselves. Fortunately, in the area of privacy we believe the interests of citizens coincide with the interests of the market, making this a low risk initiative, but with a strong upside.”

34. Australian Law Reform Commission (“ALRC”), Privacy (Report 22, 1983) Vol 2 at Appendix A.

35. ALRC Report 22 at para 1195. The Privacy Act 1988 (Cth) contains a list of Information Privacy Principles at Section 14.

36. ILRC Report 57 at para 2.11.

37. cf Victoria, Department of Justice, Surveillance Devices Bill (Discussion Paper, 1998) at 7.

38. See also ILRC Report 57 at para 2.13-2.19.

39. Eg it might be reasonable to use visual surveillance devices to monitor a shopping mall, but not aural devices which would pick up conversations.

40. “Surveillance, even in a public place, which deliberately seeks out or targets the intimate corners of a person’s life or personality, such as at a time of death, injury or grieving, where those affected are vulnerable or are otherwise unable at the time to fend off such surveillance may violate a person’s “reasonable expectation” of privacy”: ILRC Report 57 at 2.14.

41. No 916 (April 1997). See Australian Press Council, Annual Report 1997 at 114-115. A Sydney newspaper published “sneak photographs” of Senator Bob Woods and his wife in private conversation in their backyard at a sensitive time.

42. Australian Press Council, Annual Report 1997 at 115.

43. See para 3.7-3.28.

44. See fuller discussion at para 3.12 and following.

45. Q Burrows, “Scowl Because You’re on Candid Camera: Privacy and Video Surveillance” (1997) 31 Valparaiso University Law Review 1079 at 1108.

46. As was reported to be taking place in Miami, according to a report in the Sun-Sentinel (South Florida): D Bunuel, “South Beach Sunbathers Unwittingly Become Fodder for Internet Voyeurs” (25 February 1999) at Mediaeater, “Surveillance Camera Project” «www.mediaeater.com/cameras/news/022598.html». According to a source from the adult publication industry, quoted in the report, “voyeur sites are the biggest thing on the Internet right now”, a billion dollar industry with between 45,000 and 200,000 sites up at any time.

47. See para 4.73.

48. Para 3.33.

49. Para 4.26.

50. The State Government has recently developed guidelines for CCTV in public places. The definition of “public place” is from the Local Government Act 1993 (NSW), and refers to public reserves, public bathing reserves, public baths or swimming pools, public roads, public bridges, public wharves or public road-ferries, together with public transport and car parks: «www.lawlink.nsw.gov.au/cpd.nsf/ pages/cctv_intro».

51. Annual Reports (Departments) Act 1985 (NSW) Pt 2; Annual Reports (Statutory Bodies) Act 1984 (NSW) Pt 2; Local Government Act 1993 (NSW) s 428.

52. The Sydney Morning Herald reported that, following a stabbing at Sydney’s Town Hall railway station in the early hours of New Year’s Day, 1999, an audit discovered that a third of the station’s surveillance cameras were either not working or were out of focus. In addition to the technical faults, some station staff were blamed for failing to carry out a job specification requiring them to ensure the closed circuit cameras were operating: A Bernoth, “See No Evil: Rail Cameras on Blink” Sydney Morning Herald (13 January 1999) at 1.

53. See para 4.37.

54. Security Industry Act 1997 (NSW) s 7. For exceptions, see s 6 and Security Industry Regulation 1998 (NSW) cl 5.

55. Security Industry Act 1997 (NSW) s 4(b).

56. Security Industry Act 1997 (NSW) s 4(c).

57. Security Industry Act 1997 (NSW) s 3(1).

58. Security Industry Act 1997 (NSW) s 15(1)(a).

59. Security Industry Act 1997 (NSW) s 15(3).

60. See para 4.69.

61. Eg S Verghis, “Wanted Shots ‘Outrageous’” Sydney Morning Herald (22 January 2000) at 15.

62. NSW Council for Civil Liberties, Submission at 3.

63. Dr Brian Simpson, Submission at attachment (Scottish Council for Civil Liberties “Draft Rules for the Use of CCTV in Public Places”, draft rule 12).

64. Privacy and Personal Information Protection Act 1998 (NSW) Pt 4.

65. “Function” includes a power, authority or duty: Privacy and Personal Information Protection Act 1998 (NSW) s 3.

66. See Principle 5.

67. Casino Control Act 1992 (NSW) s 108.

68. Trade Measurement Act 1989 (NSW) s 60(1).

69. Trade Measurement Act 1989 (NSW) s 61(a).

70. Trade Measurement Act 1989 (NSW) s 61(b).

71. Trade Measurement Act 1989 (NSW) s 60(1).

72. Trade Measurement Act 1989 (NSW) s 60(2).

73. Trade Measurement Act 1989 (NSW) s 10; Trade Measurement Administration Act 1989 (NSW) s 3(1).

74. Trade Measurement Act 1989 (NSW) s 4.

75. Trade Measurement Act 1989 (NSW) s 7, 11-14.

76. See Principle 2.

77. We note the view of the Chamber of Manufactures of NSW (Industrial) that overt surveillance should be regulated by a voluntary code of practice, Submission at 10. We similarly note the view of the NSW Young Lawyers Criminal Law Committee that overt surveillance is best dealt with between employer and employee, Submission at 9.

78. «http://www.lawlink.nsw.gov.au/pc.nsf/pages/videocodeir».

79. Australian Privacy Commissioner, Guidelines on Workplace E-mail, Web Browsing and Privacy (30 March 2000) «http://www.privacy.gov.au/issues/p7_4.html».

80. Privacy Committee (1995) at 53-54.