Closed-Circuit Television (CCTV) technology has developed over recent years to be more reliable, cost-effective and generally available than ever before. When used appropriately, CCTV can help to reduce the risk of unauthorised access to premises, reassure customers and provide an accurate record of what happened when an incident occurs.
In order to protect its business, employees, customers and other interested parties, Yello Media Group Ltd makes use of CCTV in appropriate circumstances to address specific areas of risk.
In collecting and using this video (and possibly audio) data, the organisation is subject to a variety of legislation, including the General Data Protection Regulation (GDPR) and other appropriate local Data Protection Laws, which control how such activities may be carried out and the safeguards that must be put in place to protect the recorded information.
The purpose of this policy is to set out the rules that must be followed when installing and dealing with CCTV so that the organisation’s responsibilities are always met, and the usefulness of the recorded data is maximised.
Note that this policy does not address the use of specialist technology such as Automatic Number Plate Recognition (ANPR), facial recognition, Body Worn Video (BWV) or remotely operated vehicles (drones, also known as Unmanned Aerial Systems – UAS).
This policy applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Yello Media Group Ltd systems.
The following policies and procedures are relevant to this document:
• Data Protection Policy
• Records Retention and Protection Policy
• Data Protection Impact Assessment Process
• Legitimate Interest Assessment Procedure
In some limited uses of CCTV (often based on the location and range of vision), the General Data Protection Regulation (GDPR) and other applicable local Data Protection Laws may not apply, and it must be confirmed whether this is the case for each use. This policy applies in those cases where the GDPR and other applicable local Data Protection Laws apply.
An initial assessment must be carried out to determine whether the use of CCTV is appropriate in any given circumstance. This will include consideration of the degree of risk being addressed and whether alternative controls, such as improved lighting, might have enough benefit to mean that CCTV is not required.
To be appropriate in any situation, CCTV must have a specified and legitimate purpose which addresses a pressing need or risk area, such as the prevention or reduction of crime in an area that might reasonably be expected to be subject to unlawful activity.
In line with the GDPR principle of data minimisation, video recording must only be active on days and between times when it is necessary and audio recording will only be used where it is sufficiently justified, giving due regard to privacy concerns.
For the purposes of the GDPR and other applicable local Data Protection Laws, Yello Media Group Ltd will act as the data controller for the use of CCTV and, where required, will register with the appropriate supervisory authority.
Where a third party is used as part of the processing of CCTV images (for example, for storage or maintenance) they will be considered to be a processor in the context of the GDPR and an appropriately compliant contract must be in place.
For each implementation of CCTV, a data protection impact assessment (DPIA) must be carried out to consider the risks to the rights and freedoms of the data subject and ensure that appropriate safeguards of the data are identified. The DPIA must be reviewed on a regular basis and upon significant changes that may affect its conclusions.
The lawful basis of the processing of CCTV data must be clearly established; in most cases it is anticipated that this will be based on the legitimate interest of Yello Media Group Ltd, but this must be confirmed and documented in every situation.
Cameras must be sited appropriately for the area to be monitored, avoiding the recording of individuals outside the area for which a legitimate interest is claimed. Images must be of sufficient quality for the purpose intended.
Appropriate privacy notices must be displayed in the areas that are subject to CCTV monitoring or recording and must indicate the name of the operator (the controller, in the terms of the GDPR or applicable local Data Protection Laws), their contact details and where further information about the use of personal data may be obtained (e.g. a website).
Roles and responsibilities for the operation and management of CCTV facilities must be defined and appropriate training provided to allow them to be carried out effectively and lawfully.
Documented procedures must be created for each aspect of the operation of CCTV and appropriate training provided to all members of staff who will be carrying them out. This training will include information about responsibilities under data protection law.
CCTV images will only be retained for as long as it is reasonably expected they may be of use. This may vary in different circumstances and so retention periods will be defined according to the situation or context in which a particular CCTV camera is operated. Once the retention period has expired, images must be securely deleted, if appropriate via an automatic process.
Access to CCTV cameras, live displays and recordings must be restricted to authorised personnel only. Displays must be sited to prevent unauthorised viewing, including by members of the public. Where recordings are to be reviewed, appropriate controls must be used to ensure that this is done in a secure manner.
CCTV cameras and recording equipment must be tested on a planned basis to ensure that they are functioning correctly and that recorded images are of sufficient quality.
Recorded images must be protected in a way that takes account of the level of risk and sensitivity of the information contained – where appropriate, encryption techniques may be used to ensure confidentiality in situations such as the theft of the recording equipment. If cloud storage is used, due diligence must be carried out to ensure that the level of protection of the data is adequate.
If recorded CCTV footage is required to be used as part of a legal case, appropriate precautions must be taken to ensure that the images remain admissible in the relevant court.
Under the GDPR and other relevant local Data Protection Laws, a data subject may submit an access request to obtain CCTV images on which they appear. Such requests will be subject to the organisation’s procedures for this type of request, which will include all necessary checks to verify the lawful right to access and the identity of the requester. Where approved, recorded images may be viewed live (subject to access controls) or a permanent record of the images may be provided.
Requests to disclose CCTV images must be approved by management in all cases. Unauthorised disclosure of CCTV images (including publishing on the Internet and to the media) may result in disciplinary action being taken.
Where appropriate, actions must be taken to obscure the identity of people and information that is not relevant to the request.