Compliance Management Policy

Purpose

To ensure that University video recording and closed circuit television (CCTV) security systems are managed in such a way that:

• safety and security are enhanced
• the privacy rights of the University community and the public are respected, and
• applicable laws and policies are complied with.

Organisational scope

This policy applies to the installation and use of University-owned video security and CCTV cameras in and around University campuses, including University-owned residential colleges.

All references to video security and CCTV systems throughout this policy are to those systems which were designed and installed with the intent and ability to record video and/or to be monitored for the purposes of enhancing safety and physical facility security.  This policy does not apply to:

• use of video recording and CCTV technology relating to research with human subjects or animals
• use of video recording and CCTV technology for video conferencing
• video recording of lectures and other teaching and learning activities, and the subsequent use of such video recordings, or
• live web streaming cameras installed for public interest viewing.

The policy governs all new University-owned CCTV monitoring system installations following the policy's effective date. Existing installations, and written procedures for the use of those existing video monitoring and recording systems, shall be brought into compliance with this policy.

Definitions

Principal CCTV Manager

The person designated by the Vice-Chancellor to have oversight of the provision and management of video security and CCTV systems across the University, and to ensure compliance with this policy.

CCTV Manager

Person(s) approved by the Vice-Chancellor to manage the provision of video security and CCTV systems at specific sites, such as satellite campuses.

University Privacy Officer

The senior University staff member holding appointment as Privacy Officer under section 23 of the Privacy Act 2020.

Privacy Principles

13 principles contained in the Privacy Act 2020 that stipulate how information can be collected and used, and people's rights to gain access to that information and ask for it to be corrected.

Monitoring

The watching of CCTV images in real time.

CCTV

Closed circuit television used to transmit a signal to a specific place(s).

IP Cameras

Internet protocol (IP) cameras which utilise the protocol used most by Local Area Networks (LANs) to transmit video across data networks in digital form.

Content

1. Purpose of Monitoring Systems

   1. CCTV monitoring and access to CCTV recordings governed by this policy is permitted solely for the purpose of enhancing safety and security. This policy does not authorise use, interception, duplication, transmission or other diversion of video and CCTV technologies for any other purposes.
   2. In this policy, safety and security purposes are those which involve:
      1. the protection of individuals (including, but not limited to, students, faculty, staff, and visitors)
      2. the protection of University-owned and/or operated property, buildings and critical infrastructure
      3. the deterrence of criminal behaviour
      4. the investigation of criminal behaviour including the identification and apprehension of persons committing offences on or around Campus, and
      5. the taking of action under the University's Statutes in relation to breaches of the Code of Student Conduct where those breaches amount to criminal offences (but not otherwise)
      6. enhancement of the operational effectiveness of Campus Watch through monitoring the assembly and movement of people.

2. Protocol for the Use and Operation of Monitoring Systems

   1. CCTV monitoring and the use of video recordings will be conducted in a way that is consistent with this Policy and other relevant University policies, and in particular the Ethical Behaviour Policy. The monitoring of images based on personal or demographic characteristics (e.g. race, gender, sexual orientation, disability, etc.) or so as to unreasonably intrude on situations where there is an expectation of privacy is prohibited under this policy.
   2. The use of CCTV cameras with audio recording capabilities is not permitted.
   3. Cameras may be recorded continuously (24 hours a day, seven days a week) and may also be monitored in real time in accordance with the provisions of this policy.
   4. Only staff approved by the Principal CCTV Manager shall be permitted to monitor CCTV images and/or to have access to recorded footage. Approval for monitoring purposes shall be granted where such monitoring is relevant to the functions of the staff member's role. Access to recorded footage is governed by clause 6 below. Logs of all downloads must be automatically recorded within the servers and as far as reasonably possible shall be such as to enable identification of the person undertaking the download. Download logs shall be available for audit purposes to the University Privacy Officer.
   5. All staff granted approval to monitor University CCTV systems must receive appropriate training in the technical, legal, and ethical parameters of appropriate camera use. Training shall include the proper operation of the equipment and infrastructure and, where appropriate, its maintenance.
   6. All approvals to monitor or download images must be recorded in writing and retained by the Principal CCTV Manager. All approved users must acknowledge in writing, receipt of training, their acceptance of this Policy, and acknowledge that any breach of the requirements of this Policy may result in disciplinary action under the terms of their employment with the University.

3. Installation and Configuration of Monitoring Systems

   1. All requests for installation of CCTV cameras must be submitted to the Proctor's Office. Installations in Dunedin shall require approval of the Chief Operating Officer and the University Privacy Officer. Requests relating to the University of Otago Christchurch and the University of Otago Wellington require the approval of the relevant Dean/Head of Campus, the Chief Operating Officer and the University Privacy Officer.
   2. The Proctor's Office (or appropriate CCTV Manager for satellite campuses and colleges) is required to retain records of all new video security components' locations, costs, camera descriptions, camera capabilities, makes and model numbers.
   3. Qualified security technicians must install CCTV security systems and arrange for network provision. CCTV installations and network provision must meet the requirements of this Policy and any relevant University Codes of Practice.
   4. Installation of cameras with audio recording enabled is not permitted.
   5. IP video used for security purposes pursuant to this policy must always be restricted to a secure private network or VPN which may be accessed only by authorised persons. No CCTV system may be accessible from the public internet (with the exception of those utilising an approved VPN or free-to-access webcams).
   6. Cameras must be located and programmed so as to avoid capturing images of individuals in circumstances where they have a reasonable expectation of privacy including, but not limited to bathrooms, dressing rooms, locker rooms and private dwellings (including views through windows and rear gardens).
   7. Other than for installations approved under clause 4, signage advising that cameras are in operation shall be installed at sufficient appropriate locations to ensure as far as reasonably possible that users of an area are aware that they may be subject to CCTV surveillance. The signage should say: "Crime Prevention Cameras Operating at all times in this Area" or other similar wording approved by the University Privacy Officer.

4. Temporary/Covert Camera Installations

   1. Where justifiable under Privacy Principles and necessary in connection with any criminal investigation the Vice-Chancellor may authorise temporary and/or covert camera installations on, and able to view activity on, University property.
   2. The Vice-Chancellor may authorise a temporary and/or covert camera installation on, and able to view activity on, University property to investigate issues capable of having significant impact on the operation or administration of the University. Such measures may be taken only where justifiable under Privacy Principles and where the reasonable necessity of deployment can be established having regard to the seriousness of the issues and availability of other measures to address them. The use of covert cameras to generally monitor staff performance is not permitted. Cameras are to be removed immediately upon conclusion of any investigation.
   3. All approved temporary/covert camera installations must be coordinated through the Proctor's Office on all Campuses.

5. Records Retention

   1. Recordings will be retained for a period of approximately 30 days (based on available storage space) at which time footage will be automatically overwritten. Downloaded recordings will be retained for so long as is reasonably required for purposes consistent with this policy.
   2. Servers containing recorded footage will be housed in a secure location with access by authorised personnel only.
   3. Servers shall be regularly updated with the appropriate firmware as identified by Information Technology Services to ensure they have the appropriate security updates.

6. Use of Recorded Information

   1. The viewing, downloading and provision of recordings to others may be carried out only by the Proctor, Deputy Proctor, Security Systems Coordinator in the Proctor's Office or a CCTV Manager. Any downloading and provision of recordings shall be solely for a purpose recognised by this Policy. A written record of that purpose, signed by the person authorising the downloading, shall be made before any downloading is undertaken.
   2. Requests from students/staff (other than requests by an individual for that individual's own personal information) or outside agencies for the downloading and/or provision of footage will be actioned only upon receipt of a completed Request to Review CCTV form, the requirements of which form shall be approved by the University Privacy Officer from time to time. The Principal CCTV Manager will approve or decline the request having regard to the necessity for the request by reference to the purpose for which it is sought and the requirements of the Privacy Act 2020. Where it is determined that footage may appropriately be supplied to any party reasonable steps shall be taken to ensure that the footage is used solely for the authorised purpose and none other.
   3. All “Request to Review CCTV Footage” forms will be collated and retained in the Proctor's Office and shall be made available to the University Privacy Officer at any time.
   4. The University shall provide access to, or copies of, video recordings to the NZ Police in connection with any ongoing criminal investigation only upon receipt of appropriate documentation (Production Order/Search Warrant or other documentation establishing that release is justified by reference to Privacy Principle 11).

7. Audit and Evaluation

   1. The University Privacy Officer or Principal CCTV Manager may audit any department's CCTV surveillance operations for policy compliance, including recording storage and retention.
   2. Campuses and Colleges must provide all information requested by the Privacy Officer or Principal CCTV Manager in relation to any video security and/or CCTV deployed by them.
   3. The University's Privacy Officer will initiate a review of CCTV compliance with Privacy Principles and of the overall efficacy of CCTV operations no later than six months from the date of installation and recommend a timeframe for further review.

8. Privacy

   1. The University shall maintain the protection of individuals' privacy by:
      1. ensuring information is collected for necessary and lawful purposes only
      2. taking reasonable steps to make individuals aware that information is being collected and the reason for such collection
      3. ensuring that information is collected in a fair manner
      4. requiring the appropriate storage and security of recorded information
      5. ensuring information is used only for the purpose for which it was collected
      6. complying with Principles 6, 9 and 11 of the Privacy Act relating to access to and retention and disclosure of information.
   2. The University Privacy Officer is authorised to oversee the use of CCTV monitoring for safety and security purposes at the University.

9. Complaints

   1. Complaints regarding any aspect of the operation of CCTV cameras by the University including any complaint arising under this policy may be made to the University Privacy Officer. Complaints shall be investigated through such process as the University Privacy Officer is satisfied provides the complainant a full and fair opportunity to advance their concerns while having matters determined in a timely manner.
   2. Nothing in 9(a) shall limit any person's right to pursue a complaint under the Ethical Behaviour Policy or to the Privacy Commissioner.

Related policies, procedures and forms

• Ethical Behaviour Policy
• Policy on Access to, and use of, Personal Information
• Recording of Lectures and Other Teaching Activities Policy
• Privacy Act 2020
• Request to Review CCTV form
• Privacy Commissioner Guidelines – CCTV
• Official Information Act 1982
• Crimes Act 1961

Contact for further information

If you have any queries regarding the content of this policy or need further clarification, contact:

The Proctor
Email proctor@otago.ac.nz