CCTV is widely used across retail stores in New Zealand, to deter theft, protect staff, and safeguard customers. However, a recent decision of the Privacy Commissioner is a sharp reminder that installing and using CCTV systems is only the starting point of retailers’ privacy obligations.
The Privacy Commissioner’s decision concerned two incidents involving the unauthorised disclosure of CCTV images and footage of customers suspected of shoplifting. In the first incident, a security guard engaged by the store took a photograph on their personal mobile phone of a customer visible on CCTV footage. The security guard later published the photograph online, accompanied with allegations of theft, which led to the individual receiving threats and being subject to harassment.
The second incident involved a contracted security guard recording CCTV footage of an alleged theft on their mobile phone on the instruction of a store employee. The footage was sent by the security guard to the store employee, who then published the footage on social media and alleged that the individual was shoplifting. The publication of the footage attracted significant media attention.
Information Privacy Principle 11 – lawful exceptions allowing disclosure of personal information
Under Information Privacy Principle (IPP) 11, an agency must not disclose personal information it holds unless the agency believes on reasonable grounds that an exception under the Privacy Act 2020 (Privacy Act) applies to justify that disclosure. Importantly, under the Privacy Act, an agency remains responsible for personal information handled by their agents or third-party service providers where those parties hold information on the agency’s behalf. This typically includes contractors (and therefore contracted security guards).
In both cases, the Privacy Commissioner found that IPP 11 had been breached by the retailers (who were responsible for the actions of the security guards and employees).
IPP 11 was breached by personal information being disclosed online without a lawful basis for disclosure.
The Privacy Commissioner also found that the retailers did not have reasonable security safeguards in place to prevent the unauthorised use, access, or disclosure of personal information, which is required under IPP 5. Notably, one agency had no written contract with their security provider, and the other had a contract that did not adequately cover privacy and confidentiality obligations. Neither agency had provided privacy training to its security personnel.
Responsible governance and safe privacy practices
These incidents highlight a governance failure, with the agencies not taking reasonable steps to ensure that third party providers manage personal information in accordance with the Privacy Act. Where CCTV footage is involved (which is often sensitive, contextual, and capable of being widely shared), the consequences of inadequate oversight are heightened.
The decision also serves as a warning to retailers considering the publication of images or footage of suspected shoplifters, whether online or in store on ‘walls of shame.’ Such practices place retailers at risk of breaching the Privacy Act, by responding to one (suspected) unlawful act with another potentially unlawful act.
The Privacy Act places clear obligations on how personal information (including an image or video footage of an individual) can be collected, used, stored, and disclosed. It’s unlikely that the unauthorised public sharing of CCTV images and footage of individuals is consistent with these obligations.
If your organisation is using or considering using CCTV, now is the time to get clear on the risks, understand your obligations, and determine what responsible, lawful use looks like. MoranLaw’s experienced team of privacy specialists can help your organisation navigate the safe, lawful use of CCTV - Get in touch today.