Surveillance and monitoring records
Surveillance and monitoring records are subject to the same fundamental information management principles as all other records. This includes ensuring:
- records are identified and captured
- access is secure and limited to appropriate people
- records are kept for as long as required then destroyed or transferred to Queensland State Archives.
While the main recordkeeping requirements remain consistent regardless of technology, surveillance records do have some additional considerations that you'll need to think about when capturing and managing these records.
Which records to capture
Surveillance footage and images are records and must be kept for a minimum amount of time. However, not all of them need to be formally captured as a record.
Determining which ones need to be formally captured will depend on:
- the type of record
- why they were originally created
- whether or not they provide evidence of an incident, crime or other information and/or evidence of a business activity.
Be aware that you may not be notified or become aware of an incident right away.
The following table will help you determine which records need to be formally captured and which ones don't.
| Type of record | Evidentiary value | To capture or not to capture? |
|---|---|---|
Surveillance and monitoring activities by devices for a specific purpose and Continuous routine surveillance Note: This is for all surveillance and monitoring devices, technology and equipment | Provides evidence of an incident, crime or other information and is required for an investigation | Capture and send copy to law enforcement |
Surveillance and monitoring activities by devices for a specific purpose (e.g. by drones, body cameras, mobile devices) | Provides evidence of, or for, a business activity | Capture |
Surveillance and monitoring activities by devices for a specific purpose (e.g. by drones, body cameras, mobile devices) | Does not provide evidence of an incident or crime | Capture |
Continuous routine surveillance and monitoring (e.g. usually by fixed surveillance devices such as CCTV cameras where the user cannot easily stop and start recording) | Not required as evidence or requested by investigative and law enforcement | No need to capture |
How to capture
All footage and images must be complete and reliable records and fit for purpose. The integrity of the records must be preserved when extracted or transferred to another device.
When extracting footage and images from the original device, there is a distinction between primary, original and working images.
Primary images
Primary images are identified as the first instances in which the image or footage is recorded onto any media (e.g. the recording of surveillance footage onto a device such as a DVD recorder or memory card of a body worn camera).
The primary image is generally overwritten after a specified period of time, when the footage could be considered to have no further administrative use.
Primary images must be exported in their native format and without any additional compression or alterations.
Original images
Original images are to be considered the 'master', and are the official record. They are preserved as exact copies of the primary image.
The integrity of the original image and appropriate audit trails must be maintained for the duration of the required retention period.
The original image should not be subjected to processes that cause permanent alteration.
Working images
Working images are copies of primary or original images. Working images are created where enhancements or alterations of the primary or original image are required (e.g. compression, filtering, cropping).
In the case where proprietary hardware or software is required for video replay, and where this may not provide the required functionality to enable editing or processing, a format conversion will be required.
Metadata
Any required metadata that give the footage and images context and meaning must be attached to and retained with the record to establish evidentiary audit trails.
Most surveillance devices will automatically generate metadata such as the date, the camera number (if applicable), location and other similar information.
Additional metadata may need to be attached to the record to include when, where, why, and how the footage or images were taken as well as who, if relevant.
Any audit logs and associated information need to be captured and/or included as part of the metadata to ensure the footage or images are complete and reliable records. It can also be necessary to establish the evidentiary audit trail and to provide contextual information in a secure manner.
For more information on metadata requirements:
Management and storage
All surveillance records must:
- be stored securely
- be safeguarded from alteration to ensure their integrity and authenticity can be verified
- be preserved so they remain accessible and usable for as long as they need to be kept
- have appropriate access controls in place.
You should avoid storing records in a proprietary, non-standard format.
Records should not be stored in a compressed format. Compression can reduce the quality of the image or video to a point where it becomes unusable and/or required information is obscured.
You can include information about the management of surveillance records in your agency's policies and procedures.
Find out more about choosing file formats for records.
Security and privacy
The Office of the Information Commissioner has information privacy principles for both drones and camera surveillance. These provide guidance on managing personal information that may have been captured, or is contained within descriptive and technical metadata or user data.
Any records containing personal information must be stored securely and have appropriate access controls in place.
How long to keep them
Surveillance records must be retained for as long as specified under a current retention and disposal schedule. How long they need to be kept will depend on why the records are needed.
The following table will help you determine which record class to use based on the purpose and evidentiary value of the record.
| Evidentiary value | Sentence and record class |
|---|---|
| Provides evidence of an incident, crime, investigation and has been handed over to law enforcement. | 1202 of the General Retention and Disposal Schedule, which states you need to keep them for 1 year after recordings sent to relevant law enforcement agency |
Provides evidence of a core business activity Note: This applies to both surveillance and monitoring activities captured for a specific purpose and continuous surveillance. | The relevant activity in your agency's core schedule–that is, the activity or record class that all records documenting that activity would be sentenced under. |
Is part of surveillance and monitoring activities captured for a specific purpose and is not required for investigative purposes or evidence (e.g. drones, body cameras, mobile devices) | 1284 of the General Retention and Disposal Schedule, which states you need to keep it for 90 days after the record is created |
Is part of continuous surveillance and is not required as evidence or requested by investigative and law enforcement agencies (e.g. fixed surveillance devices such as CCTV cameras where the user cannot easily stop and start recording) | 1277 of the General Retention and Disposal Schedule, which states you need to keep them until business action completed Note: Your agency will need to decide when business use ceases |
Note: Some surveillance records required as evidence may need to be sentenced under a different record class depending on what is needed as evidence. See the section on surveillance and monitoring in the General Retention and Disposal Schedule for more information on exceptions and other record classes that can be used.
Note: As with all retention periods in a retention and disposal schedule, these are the minimum amounts of time the records need to be kept.
Legal obligations
All agencies have a duty of care to ensure any records that may be needed as evidence in a judicial proceeding, including any legal action or a commission of inquiry, are not disposed of.
Any records which are subject to a request for access under the Right to Information Act 2009, the Information Privacy Act 2009 or any other relevant Act must not be destroyed until the action, and any applicable appeal period, has been completed.
Check the record classes relating to information privacy and access in the General Retention and Disposal Schedule to find out if the records must be kept longer than listed above.
When sentencing records, consider:
- how surveillance systems and activities are carried out in your agency
- the time it takes to actually identify what you need to capture (if anything)
- the time needed to retrieve the relevant image or section of footage.
Records must also be retained longer if there they may foreseeably be needed for legal action, even if you haven't been notified of any legal action yet, for example, where a drone has injured a person.
Bring your own device (BYOD)
Your agency should have policies and procedures in place for any staff who may use personal devices for work. This should cover the security, access and storage of the data, what records need to be kept and how they are captured in the agency's recordkeeping system.
Plan for use of surveillance and monitoring devices
Business planners need to be aware of the recordkeeping implications of using surveillance and monitoring devices (e.g. body cameras, drones, GoPros) and how they affect recordkeeping in your agency (e.g. changes to policies, procedures, storage requirements).
Guidelines for the use of surveillance and monitoring devices should cover recordkeeping requirements, such as when recording devices should be turned on, if and when they should be turned off, how the images and footage are transferred from the device if necessary and how they will be stored.
Outsourcing surveillance activities
There are extra recordkeeping considerations to consider if you are outsourcing any surveillance activities.
The transfer of any surveillance records between the service provider and your agency must be done securely to ensure the record, associated metadata and audit trails are maintained. How this is done and ways to mitigate any risks need to be included in the agreement.
Find out about the recordkeeping requirements when outsourcing.