The spy agency watchdog says closed circuit TV or CCTV is being used in a "lawful" and "responsible" way, but questions its legal basis.
The fact the Security Intelligence Service even used CCTV was previously a secret - and a new report out today shows a downside to the secrecy.
Inspector-General of Intelligence and Security Brendan Horsley said he could not even have done this public review before, but the agency had agreed to declassify its use of CCTV, in a "welcome and sensible" move.
In a 12-page report out today, Horsley described how close control was being kept of the surveillance tool, but also made recommendations to improve it.
"My review has established that the service uses CCTV in a targeted and specific way rather than as a mechanism for general surveillance."
The SIS has accessed cameras in public places since March 2017, from a "network provider" that has CCTV that covers most of a city centre, he said.
In some cases, the spy agency can manoeuvre and manipulate the cameras.
There were "unresolved" questions, however.
"My full analysis of the legal position ... raised some difficult and unresolved questions as to the legal basis for the service's initial and ongoing access to the CCTV network provider's feeds," Horsley said.
"Given the questions I have raised, I consider it is important that the service ensures the lawful basis for its access to CCTV" by getting advice from the Solicitor-General.
The report showed the agency did not do a Privacy Impact Assessment beforehand, even though it was required.
The assessment "has now [been] finalised", Horsley said.
This came after he and the Privacy Commissioner had talks with the SIS.
He found other weaknesses, including the suggestion in operating procedures that "there can be no expectation of privacy when a camera is viewing the public domain".
"That is incorrect."
Also, he questioned the lack of information in logs' recording operations.
"As a result, the service now records further details regarding the ways in which it has operated a camera" including whether the cameras were manoeuvred, and whether the footage was retained in any way.
Tracking and forewarning
Mostly the SIS operated under a warrant authorising visual surveillance.
It employed CCTV in only one out of six deployments. Not many agents had access, and not many computer terminals could do it.
It was used to track people, and to "forewarn the surveillance team of any threats".
However, the operating procedures did not go far enough in requiring the agency to spell out in writing why CCTV was being used in an operation, or consider if its use was in proportion to the threat, or for how long it was being used.
That and record keeping needed strengthening.
"It will promote accountability."
In addition, the operating procedures "do not explain what a reasonable expectation of privacy actually is" and the SIS should look again at how it assessed if a location was public or private.
Horsley noted that the service did not currently retain or record any of the footage.
Secrecy around CCTV
The secrecy around the SIS's operating of CCTV - despite the commonplace use of the tool by law enforcement agencies worldwide - meant that only three people at the New Zealand network provider "knew of its existence".
There was a Memorandum of Understanding (MOU) but the network provider's chief executive "was aware of the arrangements but not the details of the service's CCTV access", Horsley said.
"The classification of the MOU may have been a barrier to the CE obtaining legal advice and advising their board of the arrangement."
Now its use had been declassified, such "problems ... can be avoided".
"The consequent transparency can only benefit public debate on the use of such surveillance.
"In this case the public can also be assured that the service is using what could be a highly invasive technology in a limited and proper manner."