Attachment 4 PT Camera Surveillance PIA GWRC v3.pdf

Privacy Impact Assessment
Public Transport Camera Surveillance
6th July 2018

Glossary

Term
Meaning
Council
Greater Wellington Regional Council
GWRC
Greater Wellington Regional Council
GWRL
Greater Wellington Rail XX
PIA
Privacy Impact Assessment
PTOM
Public Transport Operating Model
RMC
Rail Monitoring Centre based at Wellington Railway Station
SCC
Service Control Centre based at Wellington Railway Station

Related Documents
The following documents are related to this privacy impact assessment:
Title
Author
180502_3889_Bus Hubs High Level Design Showing Canopy
Isthmus
Conditions of Carriage (https://www.metlink.org.nz/tickets-and-
GWRC
fares/conditions-of-travel/)
Current GWRC Privacy Statement (http://www.gw.govt.nz/privacy-
GWRC
statement/)
Current Metlink Privacy Statement
GWRC
(https://www.metlink.org.nz/privacy/)
Draft Camera Page for Website
TwoBlackLabs
Draft Privacy Statement
KensingtonSwan
Draft PT Group camera surveillance system policy
TwoBlackLabs
Draft Red Wolf Agreement for Supply of Camera Surveillance System
GWRC
and Associated Services
PTO584 – CCTV and Audio Installation Maintenance Services – Dec 2017 GWRC
PTO416 – Partnering Contract
GWRC
Bus Operators Contract
GWRC
CCTV Access Request Form April 2017
Transdev
CCTV RMTU Interim Agreement
KiwiRail
LOA Police and Transdev 11072017
Transdev
Monthly Performance Report May 2018
Transdev
TDW Security Management Plan – Draft Feb 2018
Transdev

IN-CONFIDENCE
3

1  Executive Summary
1.1  Inherent Risk Level
The privacy impact assessment (PIA) has identified 43 privacy risks as shown below. There are eight
risks rated as high and twenty-one rated as medium assuming all current controls are functioning
effectively.
The high risks relate to four key themes:
•  Inadequate signage advising individuals that they are under surveillance – A03, C03
•  Disclosure of footage without authorisation from GWRC / GWRL – A13, A14, A15, A16, C13
•  Security of footage within the existing camera surveillance system operating on the rail
network – A6
•  Handling of privacy requests – A07, B04, C07.

A07, B04,
A04, A19,
A03, A13,

C07
B01, C04,
A14, A15,
Almost
C16
A16, C03,
Certain
C13
B08
B02
A05, A09,
A06

B05, B07,
Likely
C05, C09,
C10

C12
A01, A10,

d
o
A11, B06,
o
hil Unlikely
C06
keiL

A12, B03
A02, A17,

A18, C01,
Highly
C02, C11,
Unlikely
C14, C15

A08, C08

Rare

Individual
Single
Moderate
Major
Extreme
Consequence
1.2  Residual Risk Level
If all the recommended additional controls are implemented and are functioning effectively the risk
level reduces as shown below. Once the additional controls are implemented there are no risks
rated as high and one remaining rated as medium. The one remaining medium risk, B04, relates to
individuals incorrectly requesting footage obtained whilst aboard a bus from GWRC. These requests
need to be transferred to the relevant Bus Operator. It is proposed that GWRC take steps to
minimise the number of these requests however as individuals identify Metlink as the provider of
the bus services it is expected that a large number will still be received.

IN-CONFIDENCE
4

B04

Almost Certain

Likely

A03, A05,

d
o
B01, B02,
o
h
C03, C05
il
Unlikely
keiL
A04, B08,
A09, A12,
A01, A02,

C04
A14, B03,
A06, A10,
B05, C09,
A13, B06,
Highly Unlikely
C12
B07, C01,

C02, C06,
C10, C13
A07, A15,
A19, C16
A08, A11,

A16, C07
A17, A18,
Rare
C08, C11,
C14, C!5

Individual
Single
Moderate
Major
Extreme
Consequence

IN-CONFIDENCE
5

2  Project Summary
2.1  Overview
The new Public Transport Operating Model (PTOM) passed into legislation in 2013 and created a
strategic change in the way Wellington’s public transport system is planned and procured by Greater
Wellington Regional Council (GWRC). PTOM aims to build long-term commercial partnerships
between regional authorities and public transport operators, to improve services and grow
patronage.
Journeys on buses, trains and ferries in the Wellington region are forecast to increase from 38
million to 42 million trips a year, between now and 2024.
2.2  Rail Services
GWRC funds rails services on four key lines throughout the region:
•  Hutt Valley Line
•  Johnsonville Line
•  Kapiti Line
•  Wairarapa Line.
Wellington’s rail services were the first to go through the new PTOM contract process. Transdev
Wellington were awarded the contract and took over operating the network on the 3rd July 2016.
Camera surveillance is utilised across the rail services including:
•  At railway stations, carparks, bridges and subways
•  Within passenger carriages on trains
•  On the front and rear of trains
•  At the Rail Monitoring Centre
•  Use of a very limited number of bodycams.
2.3  Bus Services
GWRC fund bus services across the entire region. These are split into several geographic regions:
•  Wellington city
•  Wairarapa
•  Hutt Valley
•  Porirua
•  Kapiti
The bus services have recently been through the new PTOM contract process. The bus changes are
being rolled out in three phases – in the Wairarapa from 30 April 2018, the Hutt Valley from 17 June
2018 and in Wellington, Porirua and Kapiti from 15 July 2018.
As part of the changes to bus services some bus routes are being changed. Eight new Bus Hubs are
being introduced across Wellington city as part of the changes. These connect buses from outer
suburbs with main routes. Each Bus Hub consists of several bus shelters. The Bus Hubs are located
at:

IN-CONFIDENCE
6

link to page 8 •  Bus Interchange at Wellington Station
•  Courtenay Place – near Allen Street
•  Johnsonville – Moorefield Road and Johnsonville Station
•  Kilbirnie – Evans Bay Parade
•  Miramar – Miramar Avenue
•  Newtown – outside the Regional Hospital
•  Karori Tunnel – city side on Glenmore Street
•  Brooklyn – Cleveland Street.
Camera surveillance is utilised across the bus services including:
•  At the new Bus Hubs1
•  Onboard all buses
•  Externally on all buses.
2.4  Ferry Services
Two harbour ferries, the City Cat and the Cobar Cat run peak and off peak commuter services
between Days Bay, Queens Wharf and Seatoun. These are operated by East West Ferries Limited.
There is currently no camera surveillance in operation on ferry services.

1 Camera surveillance system at the Bus Interchange at Wellington Station is owned and operated by
Wellington City Council (WCC)

IN-CONFIDENCE
7

3  Privacy Impact Assessment (PIA)
3.1  Scope
This Privacy Impact Assessment (PIA) covers the camera surveillance usage across GWRC’s Public
Transport. This PIA will consider the entire information lifecycle including:
•  Collection practices
•  Use of personal information
•  Disclosure of personal information
•  Security of personal information
•  Retention and disposal of personal information.
This PIA does not cover the ferry services as currently no camera surveillance is in operation on
these services.
This PIA also does not cover the camera surveillance operations of the operators as these are not the
responsibility of GWRC.
3.2  Rational for Completion
GWRC has recently reviewed their camera surveillance usage at a high level across all their areas of
responsibility. This review identified that the usage of camera surveillance within the public
transport network was a high risk activity unless appropriate controls are implemented.
This PIA has been commissioned to understand the current level of controls in place and to identify
any additional controls that could be introduced to further reduce any residual risk.
3.3  Development Process
A review of the collateral relating to the current and proposed operations was undertaken. Collateral
included:
•  Business requirements
•  Build specifications
•  Current contracts
•  Proposed contracts
•  Operating procedures.

Several workshops were also conducted to discuss the information lifecycle for surveillance footage.
3.4  Structure
The parties utilised to provide the various services differs along with the operating procedures and
processes. Therefore, the PIA is split into three sections:
•  Rail services
•  Bus services
•  Bus Hubs.

IN-CONFIDENCE
8

4  Rail Services
4.1  Collection of Personal Information
Most of the stations on the Metlink network are under camera surveillance. The area under
surveillance varies per station however it generally includes the following areas:
•  Platforms
•  Waiting rooms
•  Carparks
•  Bridges
•  Subways
•  Train yards.
The cameras only record visual footage and can work in very low light conditions. The cameras
operate 24 hours a day, seven days a week.  Some of the cameras are fixed on a specific location and
others can be swivelled and zoomed by the Surveillance Officers as required.
Cameras also operate on all GWRC trains. There are four cameras located inside each passenger
carriage (8 in a two car unit) and one on the front and one on the rear of the train.
The bodyworn cameras in operation are operated by Transdev and are therefore not the
responsibility of GWRC or GWRL.
All the cameras and related equipment are owned by GWRL, a subsidiary of GWRC. Red Wolf are
responsible for the installation and maintenance of the camera equipment at stations. Transdev are
responsible for the maintenance of the cameras installed on the trains, which is subcontracted to
Hyundai-Rotem. Transdev are also responsible for the monitoring of the cameras at both the
stations and on the trains. Monitoring of the cameras at the stations is subcontracted to
Armourguard.
The Public Transport Group Camera Surveillance Policy details that footage is to only be collected for
the purposes of:
•  Immediately detecting criminal events, objectionable behaviours and safety incidents
•  Collecting evidence for prosecution of criminal events
•  Monitoring of patterns of travel behaviour in groups of customers where no individual
customer is uniquely identifiable
•  Ensuring fare revenue is appropriately collected.
The capturing of footage is also used to deter criminal events, objectionable behaviours and safety
incidents occurring.

IN-CONFIDENCE
9

Individuals are made aware that camera surveillance is in operation at the
stations, for the purposes of crime prevention and safety, through the
inclusion of signage. The signs are highly visible to any person within the
area normally being captured as part of the footage. The signs contain
both the phone number for Metlink and the website address. Red Wolf are
responsible for ensuring that the signs are in place at least every six
months and advising GWRL of any that require replacement.
Upon the trains, passengers are made aware that camera surveillance is in
operation for the purposes of crime prevention and safety, through the
inclusion of signage on the bulk head of each carriage. When the train is
busy there is potential that all customers may not be aware that cameras
are operating as they are unable to view the signage. Transdev are responsible for ensuring that the
signs are in place and replacing any as required.
The GWRC privacy statement is currently being updated and will replace the existing Metlink privacy
statement (https://www.metlink.org.nz/privacy/)  as well as the current GWRC Customer Privacy
Policy (http://www.gw.govt.nz/privacy-statement/) which provide details about the use of camera
surveillance within the rail network.
The new privacy statement is currently in the process of being reviewed by ELT and is expected to be
in place within the next month. It details that camera surveillance is in operation and directs
individuals to a webpage detailing the locations where surveillance is used and the purposes. This
webpage includes details of the camera surveillance operating within the rail network.
If an individual contacts either the Metlink Call Centre or the GWRC Service Centre they are provided
details regarding the usage of camera surveillance based on the information contained within the
privacy statement or can request a copy of the privacy statement.
The Conditions of Carriage also detail that camera surveillance is in operation and directs individuals
to the GWRC privacy statement for further information.
Transdev are responsible for ensuring individuals are made aware that camera surveillance is in
operation using bodyworn cameras and that they operate the system. Due to the requirement that
the signage indicates the collection purpose and the system operator the signs cannot be developed
by GWRC in isolation. The PTOM contract requires each Transdev to develop a privacy statement
that covers the bodyworn cameras. GWRC can provide feedback on the privacy statement. GWRC
require that Transdev make the privacy statement freely available upon request by any person, this
is currently not available.
The Rail Monitoring Centre (RMC) and ticket offices are also under camera surveillance. Therefore,
employees of GWRC, Transdev and Armourguard working in these environments are captured in the
footage. The Transdev Security Plan details that staff will be advised in writing, and notices posted in
staff common areas, to ensure all staff are aware that cameras operate in these areas. However,
there is no evidence of these actions currently occurring.
Limited personal information is also collected about the actions of GWRC, Red Wolf, Transdev and
Armourguard employees who access the camera surveillance system for monitoring and
administrative reasons. The information collected relates to the individual who logged on to the
system and the actions they took. This is contained within the logs of the system. The staff are not
made aware at the time that their behaviours are being monitored.

IN-CONFIDENCE
10

4.2  Use of Personal Information
The cameras installed at the stations are monitored 24 hours a day, 7 days a week, by Armourguard
Surveillance Officers located in the RMC. The individual cameras are not monitored a hundred
percent of the time but rather the operators cycle through them.  The Surveillance Officers can
control the majority of the cameras and swivel and zoom them in as required to monitor a situation.
The Surveillance Officers can view private property utilising the cameras however standard practice
is not to do this unless they are following an assailant.
The onboard train cameras can be monitored in real-time by Transdev staff onboard the train on a
monitor in the guard’s area. There is no ability to view historic footage onboard the train. The
process for accessing historic footage involves the Transdev Security Manager removing the drives
from the required train, replacing the drives with a spare set and then downloading the footage in
the RMC. Historic recorded footage is only accessed by Transdev in the event of an incident /
request.
The Transdev contract details that Transdev and their subcontractors must only use footage for the
purposes requested by GWRL as specified within the agreed Security Management Plan.
The Public Transport Group Camera Surveillance Policy details that footage can only be used for the
purpose for which it was collected. The footage may also only be used, with the prior approval of the
Responsible Officer, for the following related purposes:
•  Inquiries relating to the investigation of other criminal offences or safety incidents
•  Training of security staff and maintenance of the system
•  Research, such as into the nature of security incidents, patterns in use or travel behaviour,
or evaluation of the operation of particular camera systems.
The Surveillance Officers primarily monitor the rail network for incidents or issues and respond in
accordance with the Security Risk Procedure as below.

IN-CONFIDENCE
11

The Transdev Security Manager or the RMC Surveillance Officers may also review recorded footage
in circumstances where they are requested by NZ Police to establish events when dealing with a live
situation.
Access to footage of the RMC and ticket offices can only be accessed by the Transdev Chief
Operating Officer or the Transdev Security Manager. These feeds are not available to the
Surveillance Officers in the RMC.
Regular audits are carried out by the Transdev Security Manager of the records of who accessed the
system, copied footage and provided images to external parties. This information is used to identify
unauthorised behaviours and to investigate any incidents.
The use of the footage collected by the bodyworm cameras is determined by Transdev.
4.3  Disclosure of Personal Information
The Transdev Security Manager is responsible for ensuring that all staff are aware of and comply
with the Public Transport Group Camera Surveillance Policy. Footage must not be copied or removed
from the RMC without prior written approval.
The identity of individuals within the footage from the stations is not masked and is visible to anyone
within the RMC. All the Surveillance Officers within the RMC are licenced under the Private Security
Personnel and Private Investigators Act 2010. Access to the RMC is restricted to authorised
personnel, except with written permission from the Security Manager. The public are unable to
observe the area as all external windows are frosted.
Limited footage of station cameras is also available to operators within the Service Control Centre
(SCC).  The identity of individuals within the footage is not masked. Staff within the SCC are unable to

IN-CONFIDENCE
12

control any of the cameras and cannot view historic footage. Staff within this area maybe employees
of GWRC, Transdev or Armourguard. Access to the SCC is restricted to authorised personnel, except
with written permission from the Transdev Security Manager.
GWRC have a console to access footage located at the Walter Street office. There are only two
GWRC staff who have user accounts to enable access. The console is located within an open plan
office within a corner to minimise shoulder surfing potential. The console is generally only utilised
when there are reduced staff numbers within the office to further reduce this risk. All GWRC staff
and contractors who have access to the open plan area of the office are bound by confidentiality
clauses as part of their contracts.
The Transdev and Armourguard contracts detail that staff must only disclose information / footage
for the purposes requested by GWRC as specified within Security Management Plan. This plan
currently doesn’t provide details of any allowable disclosures.
If an individual wants to receive a copy of their information / footage they can request this by email
or through the Metlink or GWRC Service Centre. Generally, people are directed to contact the Police
if the footage relates to a crime. Frontline staff don’t currently have any documentation regarding
how to handle privacy requests. They generally email them to the Privacy Officer is they are unsure.
Privacy requests are logged in accordance with GWRC standard process and the Privacy Officer is
responsible for dealing with the request. Where footage exists but is not able to be released due to
issues with de-identifying others contained within the footage, a written record of the incident may
be made available instead. This process is detailed in the Public Transport Group Camera
Surveillance Policy. To date there have been very few requests for footage from individuals.
In the event of some unlawful activity being recorded on GWRC’s surveillance cameras anywhere in
the rail network Transdev may pass that footage of the incident over to Police for investigation. This
disclosure is detailed in the current and new privacy statements. When footage is shared with Police
none of the identities of the people contained within the footage are masked.
There is an agreement in place between Transdev and NZ Police signed on the 11 July 2017. In
accordance with this agreement Transdev will provide Police with access to the RMC where
pertinent significant matters arise, and timeliness is a factor. This access allows them to view live
footage from the stations and surrounding areas. The agreement also allows for Police to make
requests to Transdev for footage across the rail network without a production order. This footage
will be used to contribute to crime prevention, crime and other investigations and / or resolutions.
These disclosures are detailed in the current and new privacy statements.
Requests by Police for footage are usually made by email to the Transdev Security Manager. If
requests are made by phone, due to the urgency of the situation, the process for extracting footage
will commence, however the footage will not be provided to Police until the request has been
received in writing. There is a log kept of requests received by Transdev and this is available for
GWRC review on request. Currently there are approximately three requests received per day from
Police.
Once the required footage requested by the Police has been identified it is downloaded by the
Transdev Security Manager and burnt to CD which is then couriered to Police. When footage is
shared with Police none of the identities of the people contained within the footage are masked.
GWRC have approved KiwiRail Train Control to have access to the live and previous thirty minutes
footage from the stations and surrounding areas. None of the identities of the people contained
within the footage are masked. KiwiRail use the footage for the purposes of Wellington Network
Situational Awareness, and ultimately improved decision making around the prioritisation and

IN-CONFIDENCE
13

efficient operation of the rail network within Wellington. Train Control Instruction A033 details how
KiwiRail staff may use the footage. There is currently no formal written agreement authorising this
disclosure and details of the disclosure are not included within the Privacy Statement.
For all requests for footage by Transdev employees a CCTV Access Request Form must be completed
and returned to the Transdev Security Manager. These requests may be made in the circumstances
such as complaints from customers, investigations into staff or to assist with details of operations.
The usage is possibly not in accordance with the purposes the information was collected for. It is at
the discretion of the Transdev Security Manager if these requests are responded to and GWRC is not
proactively informed.
There is an agreement, dated March 2011, in place between KiwiRail and the Rail and Maritime
Transport Union (RMTU). This agreement requires the Transdev Security Manager to advise the
RMTU of any requests for footage that include Transdev staff and provide details of the staff
involved. The RMTU Representative has the right to view any footage prior to release. They require
that KiwiRail must obtain permission from all other parties in the footage prior to making it available
for viewing. Normally the RMTU Representative does not request a viewing of the footage. Details of
this disclosure are not included within the Privacy Statement.
If an individual wants to receive a copy of their footage collected using a bodyworn camera they can
request this through Transdev. GWRC is not able to provide this footage. There is some likelihood
that multiple requests will be received by GWRC in error. These requests will be transferred to
Transdev. However detailed standard operating procedures do not exist detailing how this transfer
will occur.
4.4  Security of Personal Information
Red Wolf are contracted to manage the camera surveillance system infrastructure and software for
the station cameras. Transdev are contracted to manage the security of the on train camera system.
There is not currently a security risk assessment for either system. There are also no details available
about ongoing security control testing and maintenance activities.
4.5  Retention and Disposal of Personal Information
Each station also has their own server which holds approximately fourteen days footage. It is
overwritten automatically once the storage reaches capacity with the oldest footage being
overwritten first.
The onboard train footage is saved for approximately fourteen days on each train. The exact
retention period for each train depends on the number of hours the individual train is utilised for. If
the drives are removed from a train to download the footage, then the drives are wiped post the
download. The drives are then returned to another train.
In the event footage is downloaded or copies made then the footage may be kept for up to a year
unless it is required to be held longer for use in legal proceedings. The Transdev Security Manager is
responsible for managing all downloaded and copied footage. There are currently no documented
procedures available about how downloaded or copied footage is handled.
The system audit logs are retained for an unknown period and then overwritten when the storage
reaches capacity.

IN-CONFIDENCE
14

4.6 Unique Identifiers
No unique identifiers are assigned as part of this solution.

IN-CONFIDENCE
15

4.7  Risk Assessment
The key risks to GWRC associated with usage of camera surveillance on the rail network are as follows. These have been evaluated based on the GWRC Risk Management Policy 2013.
Ref
Description
IPP
Existing controls
Inherent
Recommended mitigations
Residual
Likelihood  Consequence
Rating
Likelihood  Consequence
Rating
A01
More personal information is
1
•  Limited areas of collection.
Unlikely
Moderate
Medium  •  AA16 - Standard operating procedures.
Highly
Moderate
Low
collected than required as part of
•
Unlikely
  Monitoring of Surveillance Officer
the footage.
behaviour.
•  No audio recording.
•  Regular checks on area of collection.
•  Surveillance Officer training.
A02
More personal information is
1
•  Data minimisation.
Highly
Moderate
Low

Highly
Moderate
Low
collected than required regarding
Unlikely
Unlikely
staff usage of the system.
A03
Individuals are unaware of why their
3
•  Privacy statement available from Service
Almost
Moderate
High
•  AA01 - Additional signage in Wellington
Unlikely
Single
Low
information is being collected and
Centre.
Certain
station.
who will get the information.
•  Privacy statement on Metlink website.
•  AA02 - Additional signage on trains
•  Questions answered by Service Centre.
•  AA14 - Service Centre training.
•  Signage at stations.
•  AA18 - Updated privacy statement.
•  Signage on trains.
•  AA19 – Bodyworn camera information.
•  Six monthly review of signage.

•  Terms of Carriage.
•  Visible cameras.
A04
Staff are unaware of why their
3
•  Public Transport Group Camera
Almost
Single
Medium  •  AA06 - Communication of updated Public
Highly
Individual
Low
information is being collected and
Surveillance Policy.
Certain
Transport Group Camera Surveillance
Unlikely
who will get the information.
Policy.
•  AA11 - Privacy statement on system.
•  AA15 - Signage in ticket offices and RMC.

A05
Individuals feel the collection is
4
•  Limited areas of collection.
Likely
Moderate
Medium  •  AA01 - Additional signage in Wellington
Unlikely
Single
Low
unreasonably intrusive.
•  No audio recording.
station.
•
•
  Privacy statement on Metlink website.
  AA02 - Additional signage on trains
•
•
  Questions answered by Service Centre.
  AA14 - Service Centre training.
•
•
  Signage at stations.
  AA15 - Signage in ticket offices and RMC.
•
•
  Signage on trains.
  AA18 - Updated privacy statement.
•
•
  Terms of Carriage.
  AA19 – Bodyworn camera information.
•  Visible cameras.
IN-CONFIDENCE

16

Ref
Description
IPP
Existing controls
Inherent
Recommended mitigations
Residual
Likelihood  Consequence
Rating
Likelihood  Consequence
Rating
A06
A security breach causes
5
•  Red Wolf contract.
Likely
Major
High
•  AA10 - Penetration testing.
Highly
Moderate
Low
unauthorised access to footage or
•
Unlikely
  Transdev contract.
•  AA12 - Regular security control
system logs.
validation.
•  AA13 - Security risk assessment.
•  AA17 - System updates.
A07
An individual’s request for a copy of
6
•  Centrally logged.
Almost
Individual
Medium  •  AA06 - Communication of updated Public
Rare
Individual
Low
their information / footage is not
Certain
•  Established process for handling
Transport Group Camera Surveillance
actioned.
requests.
Policy.
•
•
  Public Transport Group Camera
  AA14 - Service Centre training.
Surveillance Policy.
•  AA19 – Bodyworn camera information.
A08
Information disclosed to a third
8
•  Daily checks on system performance.
Rare
Moderate
Low

Rare
Moderate
Low
party e.g. Police, is incorrect
•  Red Wolf contract.
•  Time syncing.
A09
Information is held longer than
9
•  Automated overwrite capabilities.
Likely
Moderate
Medium  •  AA07 – Decide, document and
Highly
Single
Low
required.
•
Unlikely
  Retention schedule documented for
implement log retention schedule.
footage.
•  AA16 – Standard operating procedures.
A10
Footage or log information is used
10
•  Approval process.
Highly
Moderate
Low
•  AA06 – Communication of updated
Highly
Moderate
Low
for other purposes.
•
Unlikely
Unlikely
  Monitoring of system logs.
Public Transport Group Camera
Surveillance Policy.
•  Public Transport Group Camera
•
Surveillance Policy.
  AA09 – Masking of individuals.
•  Red Wolf contract.
•  Restricted download abilities.
•  Security Management Plan.
•  Transdev contract.
A11
Footage or log information is
11
•  GWRC employment contract.
Highly
Moderate
Low
•  AA06 – Communication of updated
Rare
Moderate
Low
disclosed to more staff than
•
Unlikely
  Kiwirail contract.
Public Transport Group Camera
required.
Surveillance Policy.
•  Location of console.
•  AA09 – Masking of individuals.
•  Monitoring of system logs.
•  Public Transport Group Camera
Surveillance Policy.
•  Restricted access to RMC and SCC.
•  Security Management Plan.
•  Times of console.
•  Trandev contract.
IN-CONFIDENCE

17

Ref
Description
IPP
Existing controls
Inherent
Recommended mitigations
Residual
Likelihood  Consequence
Rating
Likelihood  Consequence
Rating
A12
Footage is proactively disclosed to
11
•  Experienced staff.
Highly
Single
Low
•  AA06 – Communication of updated
Highly
Single
Low
Police without due cause.
•
Unlikely
Unlikely
  Licenced staff.
Public Transport Group Camera
Surveillance Policy.
•  Monitoring of system logs.
•  Public Transport Group Camera
Surveillance Policy.
•  Restricted download abilities.
•  Security Management Plan.
A13
Footage is disclosed to Police on
11
•  Privacy statement on Metlink website.
Almost
Moderate
High
•  AA05 – Change to parties to the Letter of
Highly
Moderate
Low
request without production order.
•
Certain
Unlikely
  Public Transport Group Camera
Agreement with NZ Police.
Surveillance Policy.
A14
Footage is disclosed to Transdev
11

Almost
Moderate
High
•  AA04 – Change to business process for
Highly
Single
Low
employees for purposes other than
Certain
requests.
Unlikely
which it was collected.
•  AA09 – Masking of individuals.
•  AA18 – Updated privacy statement.
A15
Footage details are disclosed to the
11

Almost
Moderate
High
•  AA03 – Cancellation of agreement with
Rare
Individual
Low
RMTU without the individuals
Certain
RMTU.
consent.
•  AA04 – Change to business process for
requests.
A16
Footage details are disclosed to the
11
•  Email agreement with GWRC for sharing.
Almost
Moderate
High
•  AA08 – Formal agreement with KiwiRail.
Rare
Individual
Low
KiwiRail Train Control without
Certain
•  AA09 – Masking of individuals.
authorisation.
•  AA18 – Updated privacy statement.
A17
Red Wolf, Transdev or Armourguard
11
•  Armourguard contract.
Highly
Moderate
Low
•  AA06 – Communication of updated
Rare
Moderate
Low
disclose information to an
•
Unlikely
  Licenced staff.
Public Transport Group Camera
unauthorised party.
Surveillance Policy.
•  Monitoring of system logs.
•  AA09 – Masking of individuals.
•  Public Transport Group Camera
Surveillance Policy.
•  Red Wolf contract.
•  Restricted download abilities.
•  Transdev contract.
A18
GWRC discloses information to an
11
•  GWRC employment contract.
Highly
Moderate
Low
•  AA06 – Communication of updated
Rare
Moderate
Low
unauthorised party.
•
Unlikely
  Monitoring of system logs.
Public Transport Group Camera
Surveillance Policy.
•  Public Transport Group Camera
•
Surveillance Policy.
  AA09 – Masking of individuals.
A19
An individual contained within
11
•  Manual masking for privacy requests.
Almost
Single
Medium  •  AA09 – Masking of individuals.
Rare
Single
Low
footage who is not the person of
Certain

interest is included in disclosed
footage.
IN-CONFIDENCE

18

4.8  Action Plan
The following actions are agreed in relation to the camera surveillance in use on the rail network.

Ref
Agreed action
Related
Who is
Completion
risks
responsible
date
AA01  Install additional signage inside Wellington
A03
Barry Fryer
August 2018
Station and ensure it is clearly visible.
A05
AA02  Install additional signage on the trains and
A03
Barry Fryer
August 2018
ensure it is visible from anywhere on the train.  A05
AA03  Advise Transdev GWRC no longer wish for
A15
Barry Fryer
August 2018
details of footage to be shared with the RMTU.
AA04  Update the business process for requests to
A14
Barry Fryer
August 2018
ensure:
A15
•  Only pre-approved scenarios are approved
by the Transdev Security Manager.
•  Authorisation is received from the
Responsible Officer for non-approved
scenarios.
•  Footage is only used for the same purpose
it was collected for.
•  RMTU are not advised of all requests.
AA05  Change the parties to the Letter of Agreement
A13
Barry Fryer
August 2018
with NZ Police for provision of footage without
a production order.
AA06  Communication of updated Public Transport
A04
Paul Kos
July 2018
Group Camera Surveillance Policy to all staff
A07
with access to the system once agreed.
A10
A11
A12
A17
A18
AA07  Decide, document and implement retention
A09
Barry Fryer
July 2018
schedule for how long logs pertaining to
system usage should be held.
AA08  Develop a Memorandum of Understanding
A16
Barry Fryer
August 2018
with KiwiRail for provision of footage. Once
signed update the privacy statements.
AA09  Explore options to mask the identity of
A10
IT
December
individuals unless they need to be explicitly
A11
2018
identified.
A14
A16
A17
A18

IN-CONFIDENCE
19

Ref
Agreed action
Related
Who is
Completion
risks
responsible
date
AA10  Complete network security penetration testing  A06
IT
August 2018
and address any issues identified.
AA11  Develop a privacy statement that is available
A04
Privacy
August 2018
to users of the system when they login.
Officer
AA12  Develop a regular programme of IT security
A06
IT
December
control validation.
2018
AA13  Complete a security risk assessment and
A06
IT
August 2018
update this PIA to reflect any risks that may
impact on the privacy of personal information.
AA14  Provide training for staff within the Metlink
A03
Privacy
August 2018
Call Centre / GWRC Service Centre on:
A05
Officer
•  The new privacy statement.
A07
•  How to handle requests from individuals
for access.
•  How to handle requests from Police for
access.
AA15  Install signage in the RMC and ticket offices
A04
Barry Fryer
July 2018
advising camera surveillance is operational.
A05
AA16  Develop standard operating procedures to
A01
Barry Fryer
August 2018
include:
A09
•  Accessing live footage.
•  Accessing historic footage.
•  Handling requests from individuals for
access.
•  Handling requests from Police for
access.
•  Copying footage.
•  Disposing of footage.
AA17  Complete all required system updates to
A06
Red Wolf
August 2018
ensure that the latest version of software and
security patches are installed.
AA18  Update the privacy statement including the
A03
Sally Parker
August 2018
camera surveillance page on the GWRC and
A05
Metlink websites once signed off.
A14
A16
AA19  Clarification provided to Transdev that they
A03
Barry Fryer
July 2018
are the operator of the bodyworn cameras and  A05
as such need to provide information to the
A07
public in accordance with the Privacy Act.

IN-CONFIDENCE
20

5  Bus Services
5.1  Collection of Personal Information
There is a requirement in the PTOM contract for all Bus Operators to ensure that all vehicles are
fitted with a camera surveillance system which is visible to customers. The camera surveillance
system and all footage collected is owned and operated by the relevant Bus Operator.
The minimum number of cameras required by GWRC is detailed in the following table. However, the
Bus Operator may choose to install more cameras if they wish.
Location
Small
Medium
Large
Double
Vehicle
Vehicle
Vehicle
Decker
(SV)
(MV)
(LV)
(DD)
Entrance platform and passenger / driver
✓
✓
✓
✓
interface
Rear of interior seated area looking forwards
✓
✓
✓
✓
covering rear seated area
Exit area providing the driver with an

✓
✓
✓
unobstructed view of rear door
Between the rear door and the front door of

✓
✓
✓
the vehicle. Mounted either at the front
looking rearwards or at the rear door looking
forwards and covering the wheelchair space
Rear of the upper saloon area looking

✓
forwards covering rear seated areas
Top of the stairwell directed down the

✓
stairwell
Front of upper saloon looking rearwards

✓
Facing forward to road ahead of vehicle
✓
✓
✓
✓
Kerb side facing towards the rear monitoring
✓
✓
✓
✓
door activity

GWRC have requested that the camera footage must commence a maximum of three minutes after
the vehicle has been started and must continue until at least fifteen minutes after the vehicle is
turned off. GWRC require that footage must be collected in all light conditions and suggest some
cameras should have infrared capabilities to enable this requirement to be met.
GRWC have requested a microphone be installed near the drivers cab to record audible sounds,
conversations and other activities that occur within two metres of the driving seat upon activation of
the duress alarm. GWRC require that no audio recording is to be made unless the duress alarm is
activated.
GWRC have requested that footage is collected for the purposes of:
•  Collecting evidence for prosecution of criminal events
•  Investigation of incidents

IN-CONFIDENCE
21

•  Ensuring Farebox Revenue is appropriately collected.
However, the Bus Operator may also choose to collect footage for other reasons at their discretion.
The capturing of footage is also used to deter criminal events, objectionable behaviours and safety
incidents occurring.
The Bus Operator is responsible for ensuring individuals are made aware that camera surveillance is
in operation upon the bus and that they operate the system. GWRC have identified several potential
locations within the bus where signage could be included. Due to the requirement that the signage
indicates the collection purpose and the system operator the signs cannot be developed by GWRC in
isolation.
The PTOM contract requires each Bus Operator to develop a privacy statement that covers the
camera surveillance operations. GWRC can provide feedback on the privacy statements. Currently
several the privacy statements are still under development or will need to be updated to include the
details of the camera surveillance system. GWRC require that the Bus Operator make the privacy
statement freely available upon request by any person. Currently not all the Bus Operators have
their privacy statement publicly available.
The GWRC privacy statement is currently being updated and will replace the existing Metlink privacy
statement (https://www.metlink.org.nz/privacy/)  as well as the current GWRC Customer Privacy
Policy (http://www.gw.govt.nz/privacy-statement/) which do not mention the use of camera
surveillance on buses explicitly. The new privacy statement details that camera surveillance is in
operation and directs individuals to a webpage detailing the locations where surveillance is used.
This webpage details that the camera surveillance on the buses is not operated by GWRC and directs
the individual to the relevant Bus Operator’s privacy statement.
If an individual contacts either the Metlink Call Centre or the GWRC Service Centre regarding the on
bus camera surveillance they will need to be directed to the relevant Bus Operator. Currently Service
Centre staff have no documented process for dealing with these requests.
5.2  Use of Personal Information
The use of the footage collected is determined by the relevant Bus Operator. However, GWRC have
requested access so they can use the footage for:
•  Investigation of incidents
•  Ensuring Farebox Revenue is appropriately collected.

Within the driver’s cab there is a monitor where the driver can view any or all of the images in real
time. The intent is that this is utilised by the driver for passenger safety reasons. However, each
individual Bus Operator will individually determine how they wish their drivers to utilise this
functionality.
GWRC do not require the cameras on the buses to be actively monitored. However, they do require
that a maintenance check is completed at least every six months by the Bus Operator and that the
footage is easily and readily downloadable.
5.3  Disclosure of Personal Information
If an individual wants to receive a copy of their footage they can request this through the relevant
Bus Operator.  GWRC is not able to provide this footage. There is some likelihood that multiple
requests will be received by GWRC in error. These requests will be transferred to the relevant Bus

IN-CONFIDENCE
22

Operator. However detailed standard operating procedures do not exist detailing how this transfer
will occur.
The PTOM contract requires that GWRC have access to footage for the purposes of auditing the Bus
Operator’s compliance with the contract. The contract also allows GWRC to request images and
recordings where they relate to an incident or where GWRC wishes to ensure Farebox revenue is
appropriately collected. There are currently no standard operating procedures in place between
GWRC and the Bus Operators to enable this activity.
Information received by GWRC from a Bus Operator must not be shared with any other party
including the Police. Any further disclosure of the footage collected is determined by the relevant
Bus Operator. GWRC do require that any disclosure be in accordance with the Privacy Act.
5.4  Security of Personal Information
The Bus Operator is ulitmately repsonsible for the security of the footage. GWRC requires that the
Bus Operator takes all reasonable steps to ensure that the footage is protected against misuse, loss,
unauthorised access, modficiation or disclosure. They are also reqiured to ensure only authorised
and required personnel have access to the footage.
In the event of a security breach of the footage the Bus Operator is required to notify GWRC.
5.5  Retention and Disposal of Personal Information
GWRC require that all footage is kept for a minimum of fourteen days. After this GWRC has
consented for the information to be overwritten.  As the Bus Operator owns and operates the
system it is their choice how long they wish to keep the footage for over and above fourteen days
and how it is disposed of. The Bus Operator is required to comply with the Privacy Act which
requires they don’t retain information for longer than it is required.
Any footage received by GWRC from a Bus Operator must only be held as long as required. There are
currently no standard operating procedures detailing how footage received from a Bus Operator
should be handled.
5.6  Unique Identifiers
No unique identifiers will be assigned by GWRC as part of this solution.

IN-CONFIDENCE
23

5.7  Risk Assessment
The key risks to GWRC associated with usage of camera surveillance on the buses are as follows. These have been evaluated based on the GWRC Risk Management Policy 2013.
Ref
Description
IPP  Existing controls
Inherent
Recommended mitigations
Residual
Likelihood  Consequence
Rating
Likelihood  Consequence
Rating
B01
Individuals are unaware of why their
3
•  Privacy statement on Metlink website.
Almost
Single
Medium  •  BA01 - Bus Operators privacy
Unlikely
Single
Low
information is being collected, by
•
Certain
  Questions answered by Service Centre.
statements.
who and who will get the
•  BA02 - GWRC review of Bus Operator
information and believe GWRC are
•  Terms of Carriage.
privacy statements.
responsible.
•  Visible cameras.
•  BA03 - Service Centre training.
•  BA04 - Signage on the bus.
•  BA06 - Updated GWRC privacy
statement.

B02
Individuals feel the collection is
4
•  Limited audio recording.
Likely
Single
Medium  •  BA01 - Bus Operators privacy
Unlikely
Single
Low
unreasonably intrusive.
•  Privacy statement on Metlink website.
statements.
•
•
  Questions answered by Service Centre.
  BA03 - Service Centre training.
•
•
  Terms of Carriage.
  BA04 - Signage on the bus.
•
•
  Visible cameras.
  BA06 - Updated GWRC privacy
statement.
B03
A security breach causes
5
•  Contract with Bus Operator.
Highly
Single
Low
•  BA04- Signage on the bus.
Highly
Single
Low
unauthorised access to footage and
•
Unlikely
Unlikely
  Requirement to notify of breach.
•  BA06 - Updated GWRC privacy
the public opinion is that GWRC are
statement.
responsible.
B04
An individual’s request for a copy of
6
•  Established process for handling
Almost
Individual
Medium  •  BA01 - Bus Operators privacy statement.
Almost
Individual
Medium
their footage is sent to GWRC in
requests.
Certain
•
Certain
  BA02 - GWRC review of Bus Operator
error.
privacy statements.
•  BA03 - Service Centre training.
•  BA04 - Signage on the bus.
•  BA05 - Standard operating procedures.
•  BA06 - Updated GWRC privacy
statement.
B05
Footage provided to GWRC by a Bus
9
•  GWRC Privacy Policy.
Likely
Moderate
Medium  •  BA05 - Standard operating procedures.
Highly
Single
Low
Operator is held longer than
Unlikely
required.
B06
Footage provided to GWRC by a Bus
10
•  Approval process.
Unlikely
Moderate
Medium  •  BA05 - Standard operating procedures.
Highly
Moderate
Low
Operator is used for an unapproved
•
Unlikely
  GWRC Privacy Policy.
purpose.
B07
Footage provide to GWRC by a Bus
11
•  Experienced staff.
Likely
Moderate
Medium  •  BA05 - Standard operating procedures.
Highly
Moderate
Low
Operator is disclosed to a third
•
Unlikely
  GWRC Privacy Policy.
party.
IN-CONFIDENCE

24

Ref
Description
IPP  Existing controls
Inherent
Recommended mitigations
Residual
Likelihood  Consequence
Rating
Likelihood  Consequence
Rating
B08
Individuals make privacy complaints
All
•  Established process for handling
Likely
Individual
Low
•  BA01 - Bus Operators privacy statement.
Highly
Individual
Low
to GWRC in error.
complaints.
•
Unlikely
  BA02 - GWRC review of Bus Operator
privacy statements.
•  BA03 - Service Centre training.
•  BA04 - Signage on the bus.
•  BA06 - Updated GWRC privacy
statement.
IN-CONFIDENCE

25

5.8  Action Plan
The following actions are agreed in relation to the camera surveillance in use on the buses.

Ref
Agreed action
Related
Who is
Completion
risks
responsible
date
BA01  Ensure each Bus Operator has a privacy
B01
Rhona
Pre Go Live
statement and that it is publicly available,
B02
Hewitt
ideally on their website.
B04
B08
BA02  Review each Bus Operator’s privacy statement
B01
Rhona
Pre Go Live
and ensure that it adequately covers the
B04
Hewitt
details of the camera surveillance in operation,  B08
how to request access and how to make a
complaint.
BA03  Provide training for staff in the Service Centre
B01
Rhona
Pre Go Live
on:
B02
Hewitt
•  The arrangements for the buses around
B04
the camera surveillance and GWRC’s role.
B08
•  How to handle requests from individuals
for access to footage onboard buses
•  How to handle requests from Police for
access to footage from onboard buses
•  How to handle privacy complaints from
individuals relating to the buses.
BA04  Work with the Bus Operators to develop
B01
Rhona
Pre Go Live
signage for inside the buses and ensure it is
B02
Hewitt
visible from anywhere where footage is
B03
collected.
B04
B08
BA05  Develop standard operating procedures to
B04
Rhona
Pre Go Live
include:
B05
Hewitt
•  Requesting footage.
B06
•  Transferring access requests.
B07
•  Transferring privacy complaints.
•  Approved uses of footage.
•  Disposing of footage.
BA06  Update the GWRC privacy statement including
B01
Sally Parker
August 2018
the camera surveillance page on the GWRC
B02
and Metlink websites once signed off.
B03
B04
B08

IN-CONFIDENCE
26

6  Bus Hubs
6.1  Collection of Personal Information
Each bus shelter located at a Bus Hub has a camera installed at each end under the canopy and are
clearly visible. The cameras only record visual footage and can work in very low light conditions. The
cameras cover the area inside the bus shelter as well as a small area outside of the bus shelter which
is captured either through clear line of sight or through the transparent screens of the shelter. The
cameras operate 24 hours a day, seven days a week.
Except for the Bus Hub at the bus exchange at Wellington Station the cameras are owned by GWRC
and operated on GWRC’s behalf by Red Wolf. The cameras at the bus exchange are owned and
operated by Wellington City Council and are therefore outside of the scope of this PIA.

The Public Transport Group Camera Surveillance Policy details that footage is to only be collected for
the purposes of:
•  Immediately detecting criminal events, objectionable behaviours and safety incidents
•  Collecting evidence for prosecution of criminal events
•  Collecting information of asset condition and damage
•  Monitoring of patterns of travel behaviour in groups of customers where no individual
customer is uniquely identifiable.
The capturing of footage is also used to deter criminal events, objectionable behaviours and safety
incidents occurring.
Individuals are made aware that camera surveillance is in operation for the
purposes of crime prevention and safety through the inclusion of signage
both inside the bus shelter and on the outside. This signage is currently
under development but will be similar to other Metlink camera operating
signs. The signs will be visible to any person prior to entering the area
being captured as part of the footage. The signs contain both the phone
number for Metlink and the website address.
The GWRC privacy statement is currently being updated and will replace
the existing Metlink privacy statement
(https://www.metlink.org.nz/privacy/)  as well as the current GWRC

IN-CONFIDENCE
27

Customer Privacy Policy (http://www.gw.govt.nz/privacy-statement/) which do not mention the use
of camera surveillance at the Bus Hubs explicitly.
The new privacy statement is currently in the process of being reviewed by ELT and is expected to be
in place within the next month. The new privacy statement details that camera surveillance is in
operation and directs individuals to a page detailing the locations where surveillance is used and the
purposes. This includes details of the camera surveillance at the Bus Hubs.
If an individual contacts either the Metlink or GWRC Service Centre they are provided details
regarding the usage of camera surveillance based on the information contained within the updated
privacy statement or can request a copy of the privacy statement.
The Conditions of Carriage also detail that camera surveillance is in operation and directs individuals
to the GWRC privacy statement for further information.
Limited personal information is also collected about the actions of GWRC and Red Wolf employees
who access the camera surveillance system for administrative reasons. The information collected
relates to the individual who logged on to the system and the actions they took. This is contained
within the logs of the system. The staff are not made aware at the time that their behaviours are
being monitored.
6.2  Use of Personal Information
The cameras at the Bus Hubs are not actively monitored. However, a maintenance check is
completed twice a day by Red Wolf for the primary purpose of maintenance of the system and the
bus shelter assets. Red Wolf employees and two GWRC employees have access to the footage
through specially provided consoles.
The Public Transport Group Camera Surveillance Policy details that footage can only be used for the
purpose for which it was collected. Camera footage obtained from the Bus Hubs must only be
downloaded in response to an incident / request.
The footage may also only be used, with the prior approval of the Responsible Officer, for the
following related purposes:
•  Inquiries relating to the investigation of other criminal offences or safety incidents
•  Training of security staff and maintenance of the system
•  Research, such as into the nature of security incidents, patterns in use or travel behaviour,
or evaluation of the operation of particular camera systems.
The Red Wolf contract details that Red Wolf must only use footage for the purposes requested by
GWRC as specified within the Standard Operating Procedures (SOPs). Currently the SOPs have not
been developed.
Information collected within the system logs regarding the usage of the system by Red Wolf and
GWRC staff is used to identify unauthorised behaviours and to investigate any incidents.
Audits are planned to be undertaken of the records of who accesses the system, copies footage and
provides images to external parties.
6.3  Disclosure of Personal Information
Any individual who is recorded by the cameras at the Bus Hubs has the right to access that footage.
Red Wolf and GWRC employees also have the right to a copy of the personal information held about
them in the system logs.

IN-CONFIDENCE
28

If an individual wants to receive a copy of their information / footage they can request this by email
or through the Metlink or GWRC Service Centre. Frontline staff don’t currently have any
documentation regarding how to handle privacy requests.
Privacy requests are logged in accordance with GWRC standard process and the Privacy Officer is
responsible for dealing with the request. Where footage exists but is not able to be released due to
issues with de-identifying others contained within the footage, a written record of the incident may
be made available instead. This process is detailed in the Public Transport Group Camera
Surveillance Policy. It is expected that the level of privacy requests relating to the Bus Hubs will be
similar to the current level for rail services, which is a few a year.
Any requests for footage taken at the bus exchange at Wellington Station are transferred to
Wellington City Council.
In the event of unlawful activity being carried out and footage being available relating to the incident
then GWRC or Red Wolf, as authorised by GWRC, may pass the related footage to the Police for
investigation.
If the Police believe that unlawful activities have been captured on the footage, then they may
request GWRC provide the footage to help their investigation. It is expected that the level of
requests relating to the Bus Hubs will be similar to those for rail services which is currently
approximately three a day. There is currently no Memorandum of Understanding in place to allow
sharing of footage other than with a production order.
Any release of footage to third parties other than Police and insurance companies must be approved
by the Responsible Officer. The process for handling these requests for Bus Hub footage has not yet
been defined.
The Red Wolf contract details that Red Wolf must only disclose information / footage for the
purposes requested by GWRC as specified within the Standard Operating Procedures (SOPs).
Currently the SOPs have not been developed.
If any other third party wishes to receive a copy of the footage then this must be approved by the
General Manager, Public Transport.
The identity of individuals within the footage is not masked when visible to staff using a console. All
Red Wolf Operators are licenced under the Private Security Personnel and Private Investigators Act
2010. Red Wolf only have access from a control room which is locked and has restricted access.
GWRC will have a console to access footage. There will only be two staff with user accounts for
access. As the console is located within an open plan office it will be located within a corner to
minimise shoulder surfing potential. The console will generally only be utilised when there are
reduced staff numbers within the office. All GWRC staff and contractors who have access to the
open plan area of the office are bound by confidentiality clauses as part of their contracts.
6.4  Security of Personal Information
A security risk assessment for the camera surveillance system operating at the Bus Hubs is currently
underway. This PIA will be updated to reflect the outcomes of this work once available.
6.5  Retention and Disposal of Personal Information
Camera footage from the Bus Hubs will be retained for fourteen days and then overwritten. Any
copies of footage will be kept for up to a year unless it is required to be held longer for use in legal
proceedings.

IN-CONFIDENCE
29

Red Wolf are contractually required to audit the system to ensure the disposal schedule is being
followed.
The system audit logs are retained for an unknown period and then overwritten when the storage
reaches capacity.
6.6 Unique Identifiers
No unique identifiers are assigned as part of this solution.

IN-CONFIDENCE
30

6.7  Risk Assessment
The key risks to GWRC associated with usage of camera surveillance at the Bus Hubs are as follows. These have been evaluated based on the GWRC Risk Management Policy 2013.
Ref
Description
IPP  Existing controls
Inherent
Recommended mitigations
Residual
Likelihood  Consequence
Rating
Likelihood  Consequence
Rating
C01
More personal information is
1
•  Limited areas of collection.
Highly
Moderate
Low

Highly
Moderate
Low
collected than required as part of
•
Unlikely
Unlikely
  No audio recording.
the footage.
•  Regular checks on area of collection.
C02
More personal information is
1
•  Data minimisation.
Highly
Moderate
Low

Highly
Moderate
Low
collected than required regarding
Unlikely
Unlikely
staff usage of the system.
C03
Individuals are unaware of why their
3
•  Privacy statement available from Service
Almost
Moderate
High
•  CA08 - Service Centre training.
Unlikely
Single
Low
information is being collected and
Centre.
Certain
•  CA09 - Signage inside the bus shelter.
who will get the information.
•  Privacy statement on Metlink website.
•  CA10 - Signage outside the bus shelter.
•  Questions answered by Service Centre.
•  CA12 - Updated privacy statement.
•  Terms of Carriage.

•  Visible cameras.
C04
Staff are unaware of why their
3
•  Public Transport Group Camera
Almost
Single
Medium  •  CA01 - Communication of updated Public
Highly
Individual
Low
information is being collected and
Surveillance Policy.
Certain
Transport Group Camera Surveillance
Unlikely
who will get the information.
Policy.
•  CA04 - Privacy statement on system.

C05
Individuals feel the collection is
4
•  Limited areas of collection.
Likely
Moderate
Medium  •  CA08 - Service Centre training.
Unlikely
Single
Low
unreasonably intrusive.
•  No audio recording.
•  CA09 - Signage inside the bus shelter.
•  No private property captured without
•  CA10 - Signage outside the bus shelter.
permission.
•  CA12 - Updated privacy statement.
•  Privacy statement on Metlink website.
•  Questions answered by Service Centre.
•  Terms of Carriage.
•  Visible cameras.
C06
A security breach causes
5
•  Liquid IT contract.
Unlikely
Moderate
Medium  •  CA05 - Penetration testing.
Highly
Moderate
Low
unauthorised access to footage or
•
Unlikely
  Liquid IT requirements.
•  CA07 - Security risk assessment.
system logs.
•  Red Wolf contract.
C07
An individual’s request for a copy of
6
•  Centrally logged.
Almost
Individual
Medium  •  CA01 - Communication of updated Public
Rare
Individual
Low
their information / footage is not
•
Certain
  Established process for handling
Transport Group Camera Surveillance
actioned.
requests.

Policy.
•
•
  Public Transport Group Camera

  CA08 - Service Centre training.
Surveillance Policy.

IN-CONFIDENCE

31

Ref
Description
IPP  Existing controls
Inherent
Recommended mitigations
Residual
Likelihood  Consequence
Rating
Likelihood  Consequence
Rating
C08
Information disclosed to a third
8
•  Daily checks on system performance.
Rare
Moderate
Low

Rare
Moderate
Low
party e.g. Police, is incorrect
•  Time syncing.
C09
Information is held longer than
9
•  Retention schedule documented for
Likely
Moderate
Medium  •  CA02 - Decide, document and implement
Highly
Single
Low
required.
footage.
log retention schedule.
Unlikely
•  CA11 - Standard operating procedures.
C10
Footage or log information is used
10
•  Approval process.
Likely
Moderate
Medium  •  CA01 - Communication of updated Public
Highly
Moderate
Low
for other purposes.
•
Unlikely
  Public Transport Group Camera
Transport Group Camera Surveillance
Surveillance Policy.
Policy.
•
•
  Red Wolf contract.
  CA04 - Monitoring of system logs.
•
•
  System logs.
  CA11 - Standard operating procedures.
•  CA13 - Masking of individuals.
C11
Footage or log information is
11
•  GWRC employment contract.
Highly
Moderate
Low
•  CA01 - Communication of updated Public
Rare
Moderate
Low
disclosed to more staff than
•
Unlikely
  Location of console.
Transport Group Camera Surveillance
required.
Policy.
•  Public Transport Group Camera
•
Surveillance Policy.
  CA04 - Monitoring of system logs.
•
•
  Red Wolf contract.
  CA11 - Standard operating procedures.
•
•
  System logs.
  CA13 - Masking of individuals.
•  Usage times of console.
C12
Footage is proactively disclosed to
11
•  Experienced staff.
Unlikely
Single
Low
•  CA01 - Communication of updated Public
Highly
Single
Low
Police without due cause.
•
Unlikely
  Licenced staff.
Transport Group Camera Surveillance
Policy.
•  Public Transport Group Camera
•
Surveillance Policy.
  CA04 - Monitoring of system logs.
•
•
  System logs.
  CA11 - Standard operating procedures.
C13
Footage is disclosed to Police on
11

Almost
Moderate
High
•  CA04 - Monitoring of system logs.
Highly
Moderate
Low
request without production order.
Certain
•
Unlikely
  CA11 - Standard operating procedures.
•  CA03 - Memorandum of Understanding
with NZ Police and update to privacy
statements.
C14
Red Wolf discloses information to an
11
•  Licenced staff.
Highly
Moderate
Low
•  CA01 - Communication of updated Public
Rare
Moderate
Low
unauthorised party.
•
Unlikely
  Public Transport Group Camera
Transport Group Camera Surveillance
Surveillance Policy.
Policy.
•
•
  Red Wolf contract.
  CA04 - Monitoring of system logs.
•
•
  System logs.
  CA13 - Masking of individuals.
IN-CONFIDENCE

32

Ref
Description
IPP  Existing controls
Inherent
Recommended mitigations
Residual
Likelihood  Consequence
Rating
Likelihood  Consequence
Rating
C15
GWRC discloses information to an
11
•  GWRC employment contract.
Highly
Moderate
Low
•  CA01 - Communication of updated Public
Rare
Moderate
Low
unauthorised party.
•
Unlikely
  Public Transport Group Camera
Transport Group Camera Surveillance
Surveillance Policy.
Policy.
•
•
  System logs.
  CA04 - Monitoring of system logs.
•  CA13 - Masking of individuals.
C16
An individual contained within
11
•  Manual masking for privacy requests.
Almost
Single
Medium  •  CA13 - Masking of individuals.
Rare
Single
Low
footage who is not the person of
Certain

interest is included in disclosed
footage.
IN-CONFIDENCE

33

6.8  Action Plan
The following actions are agreed in relation to the camera surveillance in use at the Bus Hubs.

Ref
Agreed action
Related
Who is
Completion
risks
responsible
date
CA01  Communication of updated Public Transport
C04
Paul Kos
Pre Go Live
Group Camera Surveillance Policy to all staff
C07
with access to the system once agreed.
C10
C11
C12
C14
C15
CA02  Decide, document and implement retention
C08
Rhona
Pre Go Live
schedule for how long logs pertaining to
C09
Hewitt
system usage should be held.
CA03  Develop a Memorandum of Understanding
C13
Rhona
August 2018
with NZ Police for provision of footage
Hewitt
without a production order. Once signed
update the privacy statements.
CA04  Develop a monitoring programme for the
C10
Paul Kos
August 2018
system logs to identify unauthorised
C11
behaviours.
C12
C13
C14
C15
CA05  Complete penetration testing and address any  C06
Stuart
Pre Go Live
issues identified.
MacDonald
CA06  Develop a privacy statement for the system to  C04
Privacy
Pre Go Live
advise users of collection of logs.
Officer
CA07  Complete the scheduled security risk
C06
Stuart
Pre Go Live
assessment and update this PIA to reflect any
MacDonald
risks that may impact on the privacy of
personal information.
CA08  Provide training for the Service Centre on:
C03
Privacy
Pre Go Live
•
Officer
  The new privacy statement.
C05
•
C07
  How to handle requests from individuals
for access.
•  How to handle requests from Police for
access.
CA09  Develop signage for inside the bus shelter and  C03
David Boyd
Pre Go Live
ensure it is visible from anywhere in the
C05
shelter.

IN-CONFIDENCE
34

Ref
Agreed action
Related
Who is
Completion
risks
responsible
date
CA10  Develop signage for outside the bus shelter
C03
David Boyd
Pre Go Live
and ensure it is visible from anywhere where
C05
footage is collected.
CA11  Develop standard operating procedures to
C09
Rhona
Pre Go Live
include:
C10
Hewitt
•  Accessing live footage.
C11
•  Accessing historic footage.
C12
•
C13
  Handling live incidents.
•  Reporting incidents to the Police.
•  Handling requests from individuals for
access.
•  Handling requests from Police for access.
•  Copying footage.
•  Disposing of footage.
•  Ongoing audit of usage.
CA12  Update the privacy statement including the
C03
Privacy
Pre Go Live
camera surveillance page on the GWRC and
C05
Officer
Metlink websites once signed off.
CA13  Explore options to mask the identity of
C10
IT
December
individuals unless they need to be explicitly
C11
2018
identified.
C14
C15
C16

IN-CONFIDENCE
35

7 Authorisation
The Business Owner is ultimately responsible for ensuring that the Privacy Impact Assessment has
the appropriate scope, and that the recommendations are actioned.
Authorised by
Signature
Date
Wayne Hastie

General Manager

Public Transport Group

Forward a copy of the signed document to GWRC’s Privacy Officer.

IN-CONFIDENCE
36