Transport Canberra and City Services should destroy CCTV camera data onboard buses 30 days after its capture, the ACT Auditor-General has said.
While ACT law requires data to be deleted 30 days after it has been recorded unless requested by law enforcement agencies, CCTV on buses tapes over old data when the hard drive becomes full, Auditor-General Michael Harris found.
There is no practice to ensure that at least 30 days of data is retained, or that data is deleted after 30 days, according to the audit into the effectiveness of CCTV system management by TCCS, the Justice and Community Safety Directorate (JACS) and the City Services Directorate.
This means “more or less than 30 days of data is maintained on the buses depending on the frequency with which the bus is used”, the audit reported.
“If a bus is not used frequently, more than 30 days of data is retained as the onboard cameras are not operating as frequently.
“If a bus is used frequently, less than 30 days of data is maintained as the cameras are operating more frequently.”
“The period for which data is stored on individual buses is unknown, as it is not planned for, or checked.”
TCCS operates almost 3700 of the almost 4900 ACT Government CCTV cameras. More than 3280 of these cameras are on buses.
In February last year, Transport Canberra requested an upgrade to bus cameras which were originally installed in 2007 and have aged beyond their service life.
But while the proposal described the need for new cameras, no information about the nature, extent or cost of the problem was provided. TCCS also failed to undertake a cost-benefit analysis of operating cameras on its buses, the audit found.
TCCS had also failed to prepare annual reports on CCTV camera operations onboard buses as required by the Australian Standard.
“In the absence of any regular formal reporting on the CCTV systems, achievements of the CCTV systems have not been detailed for the CCTV systems installed onboard buses,” the report said.
ACT Policing requested footage from TCCS 143 times in 2018-19 but did not download any data.
JACS had also failed to conduct a cost-benefit analysis of its CCTV cameras but said such a review was delayed due to the pandemic, the audit found.
No further information as to the scope or timing of the study was provided.
Neither TCCS nor JACS had any specific policies or procedures for collecting, recording, and storing data from CCTV cameras on buses or across the public safety network.
However, controls are in place to protect the security of the data, including limited access and automatic record logs of anyone who accesses the data.
JACS had also failed to “formally and explicitly document roles and responsibilities for the management and operation of the public safety CCTV network in policy and procedural guidance”.
TCCS has not updated or reviewed its CCTV guidelines since 2016 and “risk losing their value and currency,” according to the audit.
Six recommendations were made by the Auditor-General, including an annual review or audit by the Directorates considering the effectiveness of the system and the ongoing need for the system; updated CCTV guidelines for TCCS; a practice where onboard bus data is deleted 30 days after its capture; and formal staff induction and training requirements for the management of CCTV systems.