Overview
Privacy

vGRID - Privacy Brief

What is vGRID?

Traditionally, when something went wrong – like a theft, ram raid or a stolen vehicle – CCTV camera networks were difficult and time consuming for Police to access.

SaferCities’ vGRID platform (vGRID) makes this easy by providing a way for organisations to quickly and effectively share footage from their CCTV and ANPR cameras (Producers) with Police and other third parties (Authorised Users). It also enables the Police to directly obtain digital evidence from the public.

We don’t own or operate any camera networks. What we do is improve the effectiveness of Producers’ networks. This helps prevent and solve crime to build safer, more vibrant communities. See here for more information about vGRID and the value it provides.

How does vGRID work?

Video, Automatic Number Plate Recognition (ANPR) data from Producers’ CCTV and ANPR cameras is ingested into the vGRID platform, which authorised Users can then view in the vGRID app.

vGRID has three core components:

  • vGRID Streams: live-streams of Producer CCTV cameras to authorised Users. For example, during an emergency the Police can access a livestream of CCTV footage from the relevant area.
  • vGRID ANPR: Shares information captured by Producer’s ANPR cameras with vGRID. Authorised Users like the NZ Police get real-time alerts when a vehicle of interest is detected at an ANPR site. They can also lawfully track vehicles under strict conditions, enabling them to search for a suspect’s plate during a major investigation like a homicide, or proactively during a firearms incident.
  • vGRID Vault: provides an easy way for Users to request and obtain digital evidence from member of the public, such as victims and witnesses, without the need for a physical visit.

Who are Producers and Users?

Producers own and operate the CCTV and ANPR cameras that feed into vGRID. They include private businesses, business associations, shopping centres, local councils, events spaces, museums, residential addresses, and places of worship.

By opting-in to share their CCTV and ANPR information with Authorised Users like the Police, Producers can reduce crime and create a safer environment for their staff and customers.

Producers will often install a vGRID Gateway to facilitate the secure connection to nominated Authorised Users using vGRID. Authorised Users are nominated in writing via the vGRID Producer Agreement.

Authorised Users include:

  • law enforcement agencies like NZ Police, which uses vGRID for crime prevention, investigation and prosecution; and
  • the likes of business associations, shopping centres, security firms, local authorities, supermarkets, retailers and events spaces. They typically use vGRID to identify and manage risks to property and community safety.

Authorised Users will typically have a subscription to the vGRID App providing them access to Producers’ sites which they are authorised to access.

What personal information is in vGRID?

Personal information is any information that identifies a living individual or that could be used to identify them. That might be because it contains personal identifiers (like someone’s name) or unique facts that would identify the person (like a photo of them). The data and footage that Producers disclose to Users through vGRID typically contains both personal information and non-personal information. Some of this information does not identity individuals, like images of vehicles, number plates, timestamps or location data. But some of it may include images or video featuring identifiable individuals. To respect our obligations under the Privacy Act 2020, we treat** all** data received from Producers as personal information.

What about the Privacy Act 2020

New Zealand’s Privacy Act 2020 requires agencies to handle personal information according to thirteen Information Privacy Principles governing how agencies may collect, store, provide access to, use and disclose personal information (IPPs). The obligations in the Privacy Act are subject to any other law that specifically regulates when and how personal information may be collected, used or disclosed. For example, Police powers under the Search and Surveillance Act 2012 (Search and Surveillance Act) would override Police obligations under the IPPs.

What are our privacy obligations?

From a privacy perspective, vGRID is an intermediary platform that facilitates the disclosure of personal information by Producers to Authorised Users. In accordance with section 11 of the Privacy Act, SaferCities is what is often referred to as a processor.

As a processor, SaferCities holds or processes personal information on behalf of other agencies (controllers), like Producers and Users. It does not use or disclose that information for its own purposes.

This means the relevant controller is deemed to “hold” such information and remains liable for it under the Privacy Act.

The key roles and responsibilities can be summarised as follows.

  • Controllers determine how personal information is collected, used and shared and are responsible for complying with the Privacy Act. — Both Producers and Authorised Users are controllers in the context of vGRID Streams and ANPR. The Police is the sole controller for vGRID Vault.
  • Processors store and process personal information on behalf of Producers and Authorised Users and don’t use or disclose it for their own purposes. — SaferCities is a processor that acts as an intermediary between Producers and Authorised Users, facilitating the disclosure and collection of personal information.

Producers who own and operate CCTV and ANPR cameras are responsible for complying with the Privacy Act when they collect, use and disclose personal information to Users through vGRID.

That includes ensuring you:

  • Provide clear notice that CCTV and/or ANPR cameras are in operation and that personal information will be collected and used for the purposes outlined in the notice. For example, for public safety purposes including sharing with law enforcement for the prevention, detection and investigation of crime (IPP 3)
  • Collect personal information by lawful means and in a way that is fair and not unreasonably intrusive (IPP 4)
  • Have reasonable grounds to believe you may disclose personal information to Users under IPP 11. See the Office of the Privacy Commissioner’s website for more information about this obligation.

Police and other Authorised Users are responsible for collecting and using information in a way that is consistent with the Privacy Act and any over-arching statutory obligations.

Who owns the data in vGRID?

As controllers, Producers own and are always in control of the data they input to vGRID. As a service provider/data processor, we only store and process personal information on behalf of controllers in accordance with their instructions.

How does vGRID protect our data?

vGRID provides Producers and Authorised Users with a safe and secure way to collate, store, use and share CCTV and ANPR data. Instead of relying on inefficient manual processes and unsafe sharing arrangements, vGRID provides a secure central platform with carefully designed controls around how and when information is accessed and shared.

All data in vGRID is protected against unauthorised access or disclosure and accidental or unlawful loss, destruction, alteration, disclosure or damage. That includes the following.

  • Regular independent penetration testing of vGRID
  • Our primary servers are hosted in New Zealand. We store Vault and ANPR footage/images on encrypted disks in servers owned and controlled by SaferCities’ Australian subsidiary within a secure Canberra-based datacentre.
  • There are strict access controls and auditing for User access to data in vGRID.
  • We apply role-based access controls for SaferCities staff (restricted solely to our technicians), with all access logged and auditable. vGRID data may only be accessed for legitimate reasons, such as platform maintenance and troubleshooting.

Producers and Authorised Users typically find that using vGRID improves the security of sharing camera information with third-parties. This is because the vGRID gateway does not require port forwarding or opening your security network directly to the internet.

How long do you keep our data for?

IPP 9 of the Privacy Act requires that agencies such as Producers only keep personal information for as long as they may lawfully use it.

  • SaferCities stores ANPR data in vGRID on behalf of Producers for up to six months from receipt so Police can conduct searches in relation to their investigations. The data is then automatically and securely deleted.
  • Producer’s camera configuration and staff contact details are retained in accordance with Producer instructions.
  • Any other data provided by Producers is deleted within 24 hours of receipt unless you instruct us otherwise or as required by law.
  • We securely destroy or delete any remaining data at the end of our relationship with a Producer.

Users are responsible for complying with IPP 9 in relation to data that they collect from vGRID and hold within their own systems. For example, as a controller the Police must comply with IPP 9 in relation to data in vGRID Vault.

Usage of ANPR by NZ Police

NZ Police leverage vGRID to access ANPR data in line with the Privacy Act 2020 and their publicly available ANPR Policy.

Additionally, NZ Police have conducted an independent Privacy Impact Assessment (PIA) on their use of third-party ANPR with the vGRID SaferCity Platform which has been proactively released here.

SaferCities Policies

To view the Privacy Policy for the vGRID SaferCity Platform Visit: vgrid.io/privacy/platform.

If you have any questions, please contact support@safercities.com.

vGRID AppFAQ