
WYNDHAM’S PRIVACY AND INTEGRITY POLICIES: BIG POWERS, WEAK SAFEGUARDS AND SOME EMBARRASSING DRAFTING

Wyndham City Council is asking councillors this week to adopt a new suite of privacy and integrity policies. On the surface, they sound responsible: privacy, transparency, whistleblower protection, fraud control and modern governance.


But read the fine print and a very different picture emerges.


This is a policy package that gives Council enormous internal power over residents’ information, staff conduct, investigations, surveillance, AI use and complaint handling - while offering the public far fewer hard guarantees.


The most alarming part is the treatment of artificial intelligence. The Privacy Policy says Council may use “automated systems, analytics and artificial intelligence-enabled tools” for customer interactions, document processing, operational analysis, planning, forecasting and performance monitoring. That is not a minor administrative detail. That is Council opening the door to AI touching the way residents interact with local government, how documents are processed, how services are assessed and how performance is monitored. Yet the policy does not clearly require individual consent before AI is used on a resident’s information. It talks about governance, privacy assessment, security controls and “human oversight”, but where is the explicit opt-in? Where is the opt-out? Where is the plain-English promise that residents will be told when AI is involved in a decision or service interaction affecting them?


Council’s own report admits the policy has been changed to reflect “vastly different practices now in use across Council” in the collection and use of personal information, including electronic and digital interfaces, AI, cloud-based systems and data transfers outside Victoria. That should ring alarm bells. If the practices are now vastly different, the protections should be vastly stronger. Instead, the protections are mostly internal process words.


The surveillance provisions are just as broad. The policy allows Council to collect images, voice, location, behaviour and other identifying information through monitoring and recording technologies. It expressly includes CCTV, mobile cameras, body-worn cameras, access-control systems, sensors, metadata recording systems and “any future technology” used for monitoring, safety, compliance or operational purposes. That is a massive blank cheque.


Then comes the internal power structure.

The CEO is given broad leadership and governance control over privacy compliance. The Director Corporate Services has executive oversight of privacy and is also named as a Council Privacy Officer. Privacy Officers review complaints, coordinate breaches, sign off Privacy Impact Assessments and manage suspected privacy incidents. In other words, a huge amount of control sits inside the same organisation whose conduct may be under complaint.


The Privacy Impact Assessment procedure is also too soft. Project teams only inform the Privacy Officer, who then determines whether a PIA is required and its scope. The final PIA is signed off internally. There is no clear requirement for public release of PIA summaries, councillor notification for high-risk technology, or mandatory independent review for AI, surveillance, data matching or behavioural monitoring projects.

The breach process is equally weak. Where a privacy breach occurs, the Privacy Officer “may” notify affected individuals. May? For serious privacy failures, residents should not have to hope Council feels like telling them. Notification should be mandatory unless there is a clear legal reason not to.


The integrity framework has the same problem: it centralises too much control internally. If a disclosure is not treated as a Public Interest Disclosure, it may be referred to the CEO, and the CEO or delegate may investigate internally. Council “may” engage an independent investigator, but it is not mandatory. That is a dangerous structure when allegations could involve senior officers, executive decisions, procurement, governance culture or politically sensitive matters.


The fraud procedure is even more blunt. Where fraud or corruption is suspected, the CEO or delegate may conduct or cause an internal investigation, appoint an investigator, notify IBAC where required, and receive the written investigation report. The Director Corporate Services is also listed as CEO delegate with oversight of the fraud and corruption framework, responsibility for incident response and reporting significant matters. That is a lot of power concentrated in the hands of senior administration.


The most troubling line is the restriction on staff disclosure. Staff are told they must not “disclose or discuss suspected or proven fraud or corruption externally” without prior written approval from the Director Corporate Services. That may be intended to protect confidentiality, but it is drafted far too broadly. It should clearly and loudly carve out disclosures to IBAC, Victoria Police, the Ombudsman, the Local Government Inspectorate, legal advisers, protected disclosure channels and any other lawful reporting pathway. Without those exceptions written plainly, the effect could be chilling. Staff may read it as: keep quiet unless a director says otherwise.

And then there are the drafting problems. For documents supposedly about integrity, privacy and public trust, the errors are embarrassing.

The Privacy Policy is marked “Internal Use Only” even though the Council report says it is external facing and requires Council approval. The same document still contains placeholders such as “Effective XX”, “Objective ID XX”, “Review XX”, “Consult XX”, “Approve XX” and “Endorse XX”.


The Privacy Impact Assessment and Privacy Complaints and Breach procedures are both marked “Pending approval”.


The council report itself refers to a “Fraud and Courruption Management Procedure”. The fraud procedure defines corruption as abuse of a “position of rust” rather than trust. The Privacy Policy refers to “RPSCA” instead of RSPCA. These may look like small typos, but in integrity documents, sloppiness matters. If Council cannot properly proofread the policy, why should residents trust the machinery behind it?


The conclusion is simple.

Wyndham does need modern privacy and integrity policies. But these documents should not be rubber-stamped in their current form. They give Council broad powers over AI, surveillance, data collection, internal investigations and staff disclosure, while leaving too much to internal discretion.


Councillors should send them back.

Before adoption, Wyndham should require clear public consent and notification rules for AI, mandatory safeguards for surveillance and data matching, public reporting on breaches and integrity complaints, stronger independent investigation triggers, and explicit protections for lawful external disclosures.

Right now, this package reads less like a public trust charter and more like a bureaucratic control manual.




 
 
 
