CCTV Policy
The CCTV Conundrum Explained
Most organisations have CCTV systems. In most cases the cameras used are part of a centrally managed system, while in some instances organisations may deploy standalone cameras. Data Protection law puts stringent requirements around the use, access and security of data captured through CCTV. This document explains the steps you can follow to manage your compliance obligations.
CCTV Policy
This policy sets out how the data controller, the Oxford and Cambridge Club, controls, manages, operates and secures the Closed-Circuit Television System (CCTV). It also communicates to data subjects their rights in relation to the personal data that is captured and recorded by the system.
The organisation records and stores personal data on the CCTV system for the following purposes:
- For security and personal safety of members, staff, visitors and members of the public
- For security in the protection and monitoring of buildings, equipment, and personal property of members, staff, visitors and members of the public
- For security in supporting the police and other related government agencies in preventing and detecting crime
- For security in supporting the police and other related government agencies in identifying individuals who are victims, perpetrators or affected by crime or other related incidents
- For disciplinary reasons in monitoring and upholding the rules of the Club
- CCTV will not be used for monitoring employees work and personal life patterns
Location and positioning of cameras:
- Internal and external locations have been selected to achieve the purposes set out above. Locations and positions are appropriate to the purposes of image capture and are not located in areas that require heightened levels of privacy (changing rooms, toilets)
- Signage has been placed in visible locations in close proximity to cameras notifying all organisation users that CCTV is in use
- Signage is clearly visible and identifies the Club as the controller, the purpose of the CCTV and the contact for any queries (the DPO)
- Locations and positions of cameras may change from time to time in response to tactics required to meet the purposes set out above but will always remain visible
- With the limited exception of public facing entrance, cameras are not publicly facing and not used in bedrooms or meeting rooms. Public facing entrance cameras are positioned to limit the capturing of the general public. Images of the general public outside of the Club will only be shared when requested to do so by an appropriate authority such as the police
- Locations of cameras can be obtained from the Assistant Secretary
- CCTV is in place in the Staff Dining Room. Refer to document CCTV in SDR for further information
System operation and management
- Only authorised staff may observe the operation of the system, and may do so 24 hours a day, 365 days a year
- Viewing of captured images is restricted to authorised individuals and only on the written instruction of the Assistant Secretary
- Authorised personnel with receive training on the CCTV system and polices set out
- Viewing of captured images will only be authorised in association with one of the purposes as above
- Where viewing of captured images is authorised, the purpose, time, date and images viewed will be documented and logged
- Authorised users may not disclose, access, transfer, copy, delete or modify any CCTV data without authorisation from the DPO/Assistant Secretary. Unauthorised access may lead to disciplinary action and/or dismissal
- Unless otherwise required as evidence in pursuit of one of the stated purposes, images are recorded continuously 365 days of the year and stored for a maximum of 31 days before being overwritten. CCTV is stored locally and not cloud based
- The organisation takes proportionate organisational and technical measures to ensure the security of processing in accordance with Article 32 of the GDPR
- Regular maintenance of the cameras and the system will take place to ensure the continuity of recording and good health of the system
- The CCTV system is maintained by an external provider who only have access to the system when permitted by The Oxford and Cambridge Club
- The CCTV system is internet connected. The Club has stringent firewall systems for all of its IT infrastructure including CCTV
- Where cameras have audio capability this will not be activated. Audio will not be recorded
Information Rights
- Individuals may request to view CCTV footage after providing Date, Time and location of the footage required wherever possible subject to authorisation from the DPO and Assistant Secretary
- Other individuals’ images will be obscured prior to the data being provided
- Individuals may view the recording in the control room and will not be provided with footage to be removed from the control room
- Refer to the information Rights Policy for further information
Image transfer and disclosure
- A log is maintained of all image transfers and disclosures. The log will document reasons for transfer or disclosure, the lawful basis to do so, the individuals to whom the data has been transferred / disclosed, and the date, time and protections in place when the transfer / disclosure took place.
- The organisation may receive CCTV images from third parties in achieving the purposes set out above. These parties may include transportation, accommodation organisations and other public bodies such as local government and police.
Any questions relating to this policy should be directed to: dpo@oandc.uk.com