DATA PROTECTION - CCTV


#1 of 9 Introduction

Recognisable images captured by CCTV systems are personal data and are therefore subject to the provisions of the Data Protection Act 2004. The use of CCTV systems has greatly expanded in recent years. So has the sophistication of such systems. The Gibraltar Regulatory Authority, as the Data Protection Commissioner (the "Commissioner"), will soon be publishing a new guidance document in relation to Closed Circuit Television ("CCTV") due to the significant developments in the use of CCTV systems and issues identified locally.

The expanded use of CCTV systems has society-wide implications. Unless such systems are used with proper care and consideration, they can give rise to concern that the individual's private space is being unreasonably invaded.

During the next few weeks our social media posts will focus on providing summarised information and guidance on the compliant use of CCTV systems. As mentioned above, an updated guidance document on CCTV systems will be published shortly. In the meantime, our current guidance document is available on our website.

#2 of 9 Proportionality

Using CCTV systems can be intrusive. CCTV is capable of placing large numbers of people under surveillance and recording their daily movements and activities. The Data Protection Act 2004 requires information obtained and used to be adequate, relevant, and not excessive for the purpose for which it was collected.

Therefore, prior to the use of CCTV systems, one should carefully consider whether or not it is necessary to go down the CCTV route. The fact that it is possible, affordable or has public support should not be the reason for the use of CCTV systems. You should consider what other, less intrusive options you might have before setting up a CCTV system. Where a CCTV system is already in use, the same issues should be considered, including whether a less privacy-intrusive method could be used to address the pressing need.

#3 of 9 Effective Administration

When using CCTV systems, it is important that you establish who has responsibility for the control of the information recorded by the CCTV. If you are the organisation that makes these decisions then you are the data controller and you are legally responsible for compliance with the Data Protection Act 2004.

Issues an organisation should consider when using CCTV systems are -

- who is responsible for control of the information and making decisions about how it can be used?
- if there is more than one data controller, have responsibilities been agreed and does each party involved know what their responsibilities are?
- has the party or parties responsible for the data registered with the Gibraltar Regulatory Authority ("GRA") as data controllers?
- if someone outside your organisation provides you with any processing services, for example, accessing/hosting/editing CCTV footage, is there an outsourcing agreement/contract in place stating their responsibilities?
- the establishment of documented and clear procedures that determine the use of the system.
- the establishment of proactive checks or audits to be carried out on a regular basis to ensure that procedures are being complied with.

#4 of 9 Fair & Transparent

One of the fundamental requirements of the Data Protection Act 2004 is that personal data is obtained fairly. To comply with this requirement, organisations should be transparent at the outset about how information will be used by providing the following information to individuals at the point of obtaining images -

- the identity of the data controller unless this is self-evident
- the identity of any local representative nominated by the data controller
- the purposes for the use of CCTV
- any other necessary information to do with the specific processing of the information.

Generally the most effective way of doing this is by using prominently placed signs at the entrance to the CCTV system's zone. The signs should -

- be clearly visible and readable
- contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact
- include basic contact details such as website address, telephone number or email address.

#5 of 9 Accurate & Up to date

The Data Protection Act 2004 states that personal data should be accurate, complete and where necessary kept up to date. It is therefore essential that recorded images are clear and accurate and, if the system uses features such as time references and/or location references, that these too are accurate.

Data controllers must ensure that the equipment used for CCTV recordings is in good working order and is properly maintained throughout its life cycle. Images should be recorded on good quality storage media, for example tapes, memory cards etc. The maintenance of the CCTV system is therefore a priority and if it is damaged in any way it should be repaired within a specific time period.

It is therefore good practice to -

- have a designated person to maintain the CCTV system
- keep a maintenance log.

#6 of 9 Retention

The Data Protection Act 2004 does not dictate any specific minimum or maximum retention periods. A retention period should reflect the organisation's purposes for recording and obtaining the information. The retention period should be relative to the purpose for which the information is collected and how long it is needed to achieve this purpose.

Things to consider when establishing a retention period -

- have you decided on the shortest period that you need to retain the information, based upon your purpose for recording it?
- is your retention policy documented and understood by those who operate the CCTV system?
- are measures in place to ensure the permanent deletion of information through secure methods at the end of the retention period?
- do you undertake systematic checks to ensure that the retention period is being complied with in practice?

#7 of 9 Adequate, relevant and not excessive

When using CCTV systems, data controllers must give careful consideration to where CCTV cameras are sited. The Data Protection Act 2004 states that processing of personal data must be adequate, relevant and not excessive. The purposes for which the cameras are being used should be considered and the data controller must ensure the operators are aware of these purposes. Enough information should be recorded to meet these purposes, but information that exceeds these purposes must not be recorded.

For example, if a data controller is using CCTV systems with the purpose of ensuring security at its premises then it must do so in a way in which the CCTV camera will not capture other neighbouring properties. Further to the above, in the event that it may not be possible to avoid filming/recording an adjoining property, then the owners of the adjoining property should be consulted as to whether or not images from that property might be recorded.

#8 of 9 Security Measures

The Data Protection Act 2004 requires data controllers to consider the harm that data subjects could experience due to the lack of appropriate organisational and technical security measures. The nature of the personal data is a significant factor in assessing the degree of harm that could result.

If an unauthorised disclosure of CCTV footage occurs, then public confidence in the data controller of the CCTV footage could be adversely affected. Furthermore, in cases where recordings are lost, destroyed or damaged, reliable evidence will be unavailable for court proceedings, possibly resulting in justice not being upheld.

Recorded images should be stored in a way that maintains the integrity of the information. This is to ensure that the rights of individuals recorded by CCTV are protected and that information can be used effectively for its intended purposes. Access to and viewing of CCTV recordings should be restricted to a senior or designated member of staff in a restricted area to which other members of staff do not have access.

It is good practice to document the following when footage is accessed -

- date and time of removal of storage media for viewing
- name of the person removing the storage media
- name(s) of the person(s) viewing the images
- date, time and reason for the viewing
- the extent of the information disclosed
- date and time images returned to secure place if they are to be retained for evidential purposes

#9 of 9 Subject Access Request

The Data Protection Act 2004 states that an individual has a right to obtain any personal information relating to them being processed by an organisation. This would include CCTV images that can identify an individual. Therefore an individual can make a Subject Access Request (SAR) to an organisation for a copy of the recording of his or her image.

The SAR must be submitted in writing and, upon receipt of a request from an individual for their personal information, the organisation should respond within 28 days. Providing information promptly to an individual who submitted the SAR is important, particularly where the organisation has a set retention period in place for recorded footage, under which footage is routinely deleted after a fixed period of days. In such circumstances it is good practice to put on hold the deletion of the specific footage.

An organisation may ask an individual who has submitted a SAR to specify a date and (approximate) time of the images he or she wants. This is to ensure that no disproportionate effort or time is spent in retrieving the footage.

The recorded footage released in a SAR should only contain images of the individual who submitted the SAR. Any other individual appearing should be blanked out.

Finally, an organisation can refuse a SAR in certain circumstances. For example, a SAR could be denied if the release of the recording would be likely to prejudice the purposes of the prevention and detection of crime and the apprehension or prosecution of offenders.