Last modified: 24 May 2018
Download PDF version
This policy details the operating policy and standards for the surveillance systems installed and operated by RHSU in compliance with General Data Protection Regulations (GDPR). This includes CCTV, Body Worn Video and Dash Cams.
The policy sets out the purpose and principles of data management and the operating standards of the systems.
Throughout this policy the following definitions will apply:
The CCTV, BWV and Dash Cam systems and all recorded material and copyright are owned by RHSU. RHSU is registered with the ICO as a Data Controller operating closed circuit surveillance systems.
The purpose of the CCTV systems in use at RHSU is broadly to enable the prevention, investigation and detection of crime and monitoring of the security and safety of the premises at RHSU.
Specifically, the system is intended to be used for:
For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, contractors, customers and clients, suspected offenders, members of the public and those inside, entering, or in the immediate vicinity of the area under surveillance.
The following principles will govern the operation of CCTV, BMW and Dash Cam systems:
6.1 The CCTV system comprises of both visible and discreet cameras situated in various locations around RHSU premises, which continuously record activities in these areas. The images are stored in network video recorders secured locally in restricted areas and are only accessible by delegated staff with password controlled access.
6.2 The BWV system comprises of visible cameras attached to key personnel in the employment of RHSU, which record activities when activated by the person. This system works in partnership with the CCTV system to continuously record activities during defined licensed operating hours.
6.3 The Dash Cam system comprises of visible cameras attached to the windscreen of the minibuses operated by RHSU, and continuously record activities in and around these vehicles when operated by RHSU as the Union Bus Service. The cameras are not installed in the vehicles for any other activity.
6.4 The images for both BWV and Dash Cam are stored on an encrypted hard drive and secured centrally in the RHSU Finance office and are only accessible by delegated staff with password controlled access.
Cameras shall not be hidden from view and signs will be prominently displayed at the point of entry to all RHSU premises and property, and at strategic locations, where surveillance systems are operated. Employees operating BWV will be defined within the premises event management procedures and will be wearing signs informing individuals that cameras are in operation. The signs will indicate:
It is imperative that access to, and security of, images is managed in accordance with the requirements of GDPR. At all times the following standards will apply:
7.2.1 Surveillance recordings and other materials produced from them will not be retained for longer than necessary. Data storage is automatically managed by the CCTV digital records which uses software programmed to overwrite historical data in chronological order. This process produces an approximate 31 day rotation in data retention.
7.2.2 Provided that there is no legitimate or legal reason for retaining the CCTV images, the images will be erased following the expiration of the retention period.
7.2.3 Where further investigation may be required data will be retained beyond the retention period and will be stored in a secure place to which access is controlled. Data will be erased when the purposes for processing have been met. For guidance purposes this would usually be in accordance with the following:
7.2.4 The ability to view live and historical CCTV data is only to be provided at designated locations and to authorised persons only.
7.2.5 Except where a request has been granted for third party access to certain specified surveillance images (see below), images are not to be displayed in the presence of any unauthorised person. For the purposes of viewing CCTV images, an authorised person is defined as an employee or appointed person acting on behalf of RHSU who has operational responsibility for either the prevention, investigation and detection of crime and/or the monitoring of the security and safety of the premises at RHSU.
Covert cameras may be used within pre-defined CCTV areas under the following circumstances on the authorisation of the senior management team, following the completion of a Privacy Impact Assessment:
Any such covert processing will only be carried out for a limited and reasonable period of time consistent with the data protection principles and lawful processing requirements and will only relate to the specific suspected unauthorised or illegal activity. The decision to adopt covert recording will be fully documented in the Privacy Impact Assessment.
8.1 Requests for access to, or disclosure of, images recorded on surveillance systems will only be granted if the requestor falls within the following:
Data subjects have a right to make a data subject access request. To make a data subject access request, the individual should submit an email request to firstname.lastname@example.org. In some cases we may need to ask for proof of identification before the request can be processed.
8.2.1 The organisation will normally respond to a request within a period of one month from the date it is received. In some cases, such as where large amounts of the individual's data is being processed, it may respond within three months of the date the request is received. RHSU will write to the individual within one month of receiving the original request to tell them if this is the case.
8.2.2 If a subject access request is manifestly unfounded or excessive, RHSU is not obliged to comply with it. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify them that this is the case and whether or not it will respond to it.
8.2.3 Where a data subject requests access to recordings believed to contain their personal data, the data set requested will be reviewed. Should the personal data for any other individual be contained within the data set requested then access will not be permitted.
8.2.4 RHSU has the right to refuse a Subject Access Request where such access could prejudice the prevention or detection of crime, the apprehension or prosecution of offenders or where multiple subjects are contained within the digital images who have not consented to their personal data being shared. If a Subject Access Request is refused the reasons will be fully documented.
8.3.1 Under section 29 of the Data Protection Act 1998 ‘relevant authorities’ such as the police, government departments and local authorities with the regulatory powers are able to request access to personal data without the consent of the data subject for the purposes of:
Section 29 of the Act does not give an automatic right of access to information. The Act states that public bodies can assess the merits of requests and decide whether or not to apply section 29.
8.3.2 Any request for disclosure by the Police should be made using the Information Disclosure Request Form. This should be submitted to senior management for review and decision regarding the appropriateness of releasing data.
Registered charity no: 1141998
The Students’ Union, Royal Holloway
Egham, TW20 0EX