Cut and paste privacy gaffe

AN eagle-eyed ratepayer has called out Vincent council for plagiarising so heavily from the City of Townsville’s CCTV policy that its own draft version quotes Queensland legislation that’s not relevant to WA.

Brendan Bensky, who’s got an interest in privacy policy, says aside from the red faces such a gaffe should produce, it’s made him question whether the council has the competency to run a CCTV network and deal with the complex world of privacy.

Councillors unanimously voted at their April 4 meeting to put the revamped CCTV policy out for public comment. The old policy needed amendments to cover recently installed CCTV systems in Leederville and the Mount Lawley/Highgate town centres, and recording devices worn by rangers. 

Mr Bensky wrote to all councillors this week pointing out: “Your new policy references the Information Privacy Act of 2009, and the Right to Information Act of 2009. However, these are Acts from Queensland – the QLD Information Privacy Act of 2009, and the QLD Right to Information Act of 2009.”

He compared Vincent and Townsville’s CCTV policies side-by-side and found that aside from small differences, “they’re materially identical”.

“I don’t know what’s more shocking,” Mr Bensky wrote to councillors, “that the City plagiarises policy from another state, or that no one in the City can correctly identify the prevailing privacy legislation to which the City is aligned?”

It’s not unusual for councils to copy text from each other.

Mr Bensky later told the Voice it was an indication of “how backward we are in WA without privacy legislation covering local governments”.

He says Vincent instead has a privacy policy that voluntarily aligns with the Commonwealth Privacy Act, but there are no legal teeth to deter breaches.

He’d previously raised concerns with the council over how it handled private data collected through its electronic parking permit system, which uses numberplate recognition and stores a parker’s information on a council database. 

“The City had no privacy competence at the time. Nothing seems to have changed…” Mr Bensky wrote to councillors.

Vincent’s not alone in its patchy IT security: Most of the 15 councils in a 2021 audit failed hacking tests, but their names were kept secret to not expose vulnerabilities to hackers. 

In December 2022 WA attorney general John Quigley announced new state privacy laws were in the pipeline to try to better protect personal data. 

The law is set to include rules for how the WA public sector and contractors handle personal information, require mandatory notification of data breaches, and establish an independent body where people can bring complaints about privacy breaches.

CCTV rules

Vincent’s copy-pasted policy is due to be advertised from this week for 21 days of public comment, then it’ll go back to councillors who’ll vote on whether to adopt the new Townsvincent CCTV rules.

We put Mr Bensky’s critique to the council, and got an emailed response attributed to acting mayor Susan Gontaszewski: “Any submissions received at the conclusion of the public notice period will be presented to Council for consideration prior to the policy being formally adopted.

“Vincent has received some initial feedback from the public relating to the content of the amended policy, which will be addressed as part of the usual process.”

In 2020 a WA auditor general report found Vincent’s computer systems had many “high risk” flaws that left it open to hackers, and the council embarked on a 24-item plan to fix critical vulnerabilities. 

As of the most recent auditor general report in 2022, several “moderate” risks were still present, including 17 terminated employee accounts that still had access to council finance and payroll systems, as well as a confidential “database security” issue and a “remote access” risk, both deemed too high risk for their details to be made public.

Most of the remaining risks are listed to be fixed by May 2023.
