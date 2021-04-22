CANDID CAMERA: The council is being urged to employ different measures with handling of CCTV in the city. Photo: Mike Knott / NewsMail

An audit report on Bundaberg Regional Council's compliance relating to information and privacy has been handed down.

The report details the findings of the Office of the Information Commissioner's audit of the council's compliance with the Right to Information Act 2009 (Qld) and the Information Privacy Act 2009 (Qld).

Legislation requires governments to make government-held information available to the public as a matter of course, unless there is good reason not to.

Furthermore, governments are expected to safeguard personal information.

The report concluded that Bundaberg Regional Council is committed to right to information and information privacy, but still needs to develop and implement some policies and put some systems and processes in place.

The report stated that the council executed a memorandum of understanding (MOU) with the Queensland Police Service about access to 127 surveillance cameras.

The original MOU exposed BRC to risks of non-compliance, consequential breaches of privacy and privacy complaints.

The council has taken actions to reduce these risks, according to the report, which was handed down on Tuesday.

The council is developing a new agreement and will need to ensure access to footage complies with the Information Privacy Act 2009.

Also regarding surveillance cameras, the report stated that the council needed "to do more work about how it operates and manages its surveillance cameras".

"Its procedure focuses on fixed cameras and does not accurately reflect the obligations under the Information Privacy Principles," the report reads.

"BRC has preventative security measures to protect the video footage. However, it does not use the system's audit logs to detect possible unauthorised access, disclosure or misuse."

A list of 12 recommendations was made in the report, with the council being given 12 months to them into action. The exception is the 11th recommendation, which is expected to be carried out within six months.

They are:

1. To develop and implement an information governance framework and supporting documented plans, policies and procedures to drive right to information and information privacy aims.

2. To develop and implements performance measures for access to information and information privacy outcomes, aligned with its operational plan.

3. To implement mandatory periodic refresher training on right to information and information privacy for all staff.

4. To better promotes its administrative access schemes on its website and to develop an administrative access policy that outlines the type of information staff can release, and the process for doing so.

5. To implement an information asset register, assigns responsibility for each asset and classify them to determine their suitability for public release, and to:

Develop and publish a version of the information asset register to better inform the community about the information it holds, and who to contact to request access to an information holding, and to:

Implement a process to review the information asset register regularly so it remains current and relevant.

6. Implement a process to update the publication scheme regularly so the community has access to relevant and up-to-date information.

7. Review collection notices for all forms and online emails and amend them to ensure compliance with the Information Privacy Act 2009.

8. To establish a rolling program of regular review of collection notices for all forms and online emails, to maintain compliance with the Information Privacy Act 2009.

9. To develop and implement a policy and procedures about privacy impact assessments, and to:

Integrates privacy impact assessments in its risk management and project management methodologies and tools.

10. To develop and implement a policy and procedures for managing its camera surveillance which is consistent with the council's legislative obligations, under the Right to Information Act 2009 and Information Privacy Act 2009 and covers all its audio and video technologies, and all devices and provides sufficient detail to guide staff operating the system.

11. Strengthen its safeguards to better protect camera surveillance footage from unauthorised access, use, modification or disclosure, and other misuse and loss.

12. Reviews its arrangement with the Queensland Police Service for the operation of camera surveillance, and takes all steps necessary to ensure the council complies with the Information Privacy Act 2009.

