The CCTV Conundrum Explained
Most organisations have CCTV systems. In most cases the cameras used are part of a centrally managed system, while in some instances organisations may deploy standalone cameras. Data Protection law puts stringent requirements around the use, access and security of data captured through CCTV. This document explains the steps you can follow to manage your compliance obligations.
This policy sets out how the data controller, the Oxford and Cambridge Club, controls, manages, operates and secures the Closed-Circuit Television System (CCTV). It also communicates to data subjects their rights in relation to the personal data that is captured and recorded by the system.
The organisation records and stores personal data on the CCTV system for the following purposes:
- For security and personal safety of members, staff, visitors and members of the public
- For security in the protection and monitoring of buildings, equipment, and personal property of members, staff, visitors and members of the public
- For security in supporting the police and other related government agencies in preventing and detecting crime
- For security in supporting the police and other related government agencies in identifying individuals who are victims, perpetrators or affected by crime or other related incidents
- For disciplinary reasons in monitoring and upholding the rules of the Club
Location and positioning of cameras:
- Internal and external locations have been selected to achieve the purposes set out above. Locations and positions are appropriate to the purposes of image capture and are not located in areas that require heightened levels of privacy (changing rooms, toilets)
- Signage has been placed in visible locations notifying all organisation users that CCTV is in use
- Locations and positions of cameras may change from time to time in response to tactics required to meet the purposes set out above
- With the limited exception of public facing entrance, cameras are not publicly facing
System operation and management
- Only authorised staff may observe the operation of the system, and may do so 24 hours a day, 365 days a year
- Viewing of captured images is restricted to authorised individuals and only on the written instruction of the Operations and Facilities Manager
- Viewing of captured images will only be authorised in association with one of the purposes as above
- Where viewing of captured images is authorised, the purpose, time, date and images viewed will be documented and logged
- Unless otherwise required as evidence in pursuit of one of the stated purposes, images are stored for a maximum of 30 days before being overwritten
- The organisation takes proportionate organisational and technical measures to ensure the security of processing in accordance with Article 32 of the GDPR
- Regular maintenance of the cameras and the system will take place to ensure the continuity of recording and good health of the system
Image transfer and disclosure
- A log is maintained of all image transfers and disclosures. The log will document reasons for transfer or disclosure, the lawful basis to do so, the individuals to whom the data has been transferred / disclosed, and the date, time and protections in place when the transfer / disclosure took place.
- The organisation may receive CCTV images from third parties in achieving the purposes set out above. These parties may include transportation, accommodation organisations and other public bodies such as local government and police.
Any questions relating to this policy should be directed to: firstname.lastname@example.org