Note: This must be communicated to all staff/contractors of the company/organisation.
This policy outlines the use of CCTV recording equipment at the premises of Simply Vision Limited.
This part should contain the following:
- CCTV cameras will be installed at the entrance door, shop area, back office area, back entrance door.
- The system will provide a twenty-four hour per day and seven (7) days per week recording over areas mentioned above;
- the use of CCTV cameras will be in accordance with the Data Protection Act 2017.
Signage will be displayed or has been displayed on the premises on the front door, the shop area, rear office area and rear entrance.
All signage and notification placed at all entrances and will specify:
- the purpose/s for which the surveillance is being carried out;
- the identity of the organisation;
- the contact details of the organisation.
4. Retention Period And Backup
- Images of the suggested CCTV system will be recorded and kept for a minimum of 3 months. As such there will not be a constant viewing of the images. All images will be deleted by the appointed data protection manager.
- Any footage that shows a crime will be kept if it is needed to undertake criminal proceedings
- Correct backup is done periodically and kept safely off premises.
5. Security Measures
Section 31 of the Data Protection Act states that controllers (Simply Vision Ltd) and processors (service providers / third parties) have the duty to implement all appropriate security and organisational measures to prevent any unauthorised access , alteration, disclosure, accidental loss, and destruction of personal data in its control (images captured by CCTV Camera).
- Only authorised personnel will get access to the CCTV room;
- An audit trail to monitor staff access to the footage is in place
- Password protection is used to manage staff access to stored footage;
- Any transmitting and storing of stored footage will be in encrypted form;
- There will be regular audits of system security (minimum once per business quarter)
6. Disclosure Of CCTV Footage
CCTV surveillance information will only be disclosed to a law enforcement agency (e.g. Police) when the purpose of the system is to prevent and detect crime but will not place them on the internet. It may also not be appropriate to disclose information about identifiable individuals to the media, unless authorised by a law enforcement agency.
7. Request For Access Of CCTV Footage
Subject to section 37 of the Data Protection Act 2017, individuals whose images are recorded have a right to view the CCTV images/footage about themselves and to be provided with a copy to them. If there are other identifiable people in the footage, we will endeavour to protect those people’s privacy, for instance by masking other individuals on the footage.
Note: As per section 37(6), if a controller refuses to take action on the request of a data subject (individual), it shall, within one month of the receipt of the request, inform the data subject in writing of the reason for the refusal and on the possibility of lodging a complaint with the Commissioner.
Procedures for individuals to access images of themselves are detailed in section 9 of this policy.
8. Procedures To Handle Incidents
- Any incidents recorded on the installed CCTV must be reported as soon as possible to the following person(s):
- Manager or Acting Manager
- Assistant Manager
- Data Protection Manager
- Appropriate Law enforcement agencies (e.g. Police)
- Appropriate Health and Safety Officers and Agencies
- Appropriate actions after reporting any incidents will be (but will not be limited to)
- Reported to Police
- Reported to Health and Safety Services
- Reported to any authority of which the most senior person (as above) feels appropriate to report to
- Any person employed/self-employed/contracted to Simply Vision Limited breaching any part of this policy will be reported as the steps above and this may lead to immediate suspension of duties and/or dismissal. Full investigations will be undertaken according to the HR policy of the business.
9. Request For Access To CCTV Images From Individual
- Requests for access must be made in an appropriate timeframe, usually within 1 month of image capture and prior to a 3-month period when the images will be destroyed as per this policy
- All requests must be made in writing to:
Data Protection Manager
Simply Vision Limited
63-65 Cooden Sea Road
- All images provided will be as per section 7 of this policy
- Any copies or sharing of any images/footage provided to the individual requesting the information will not be allowed. This must be agreed and signed by the individual prior to any provision of any such images/footage. Subsequently, Simply Vision Limited will hold no responsibility for any distribution after the provision of footage/images to the named individual requesting the information.