1. POLICY STATEMENT
1.1 Howes Percival LLP (“we”, “our”, “us”, “the Firm”) operates CCTV at our Northampton office. As a result and to ensure compliance with the General Data Protection Regulation (“GDPR”) and related data protection laws (including, the Information Commissioner’s Code of Practice for surveillance cameras and personal information) (“the Data Protection Laws”)), the Firm has implemented this policy on the use of its CCTV system and in particular the collection and processing of Personal Data obtained from it.
1.2 This policy should be read in conjunction with the Firm’s Data Protection Policy (“the DP Policy”). Unless stated otherwise, this policy adopts the definitions set out in the DP Policy.
1.3 We believe that CCTV and other surveillance systems have a legitimate role to play in helping to maintain a safe and secure environment for all our staff, clients and visitors. However, we recognise that this may raise concerns about the effect on individuals and their privacy. This policy is intended to address such concerns. Images recorded by surveillance systems are Personal Data which must be processed in accordance with the Data Protection Laws. We are committed to complying with our legal obligations and ensuring that the legal rights of visitors, clients, employees, workers, consultants and partners, relating to their personal data, are recognised and respected.
2.1 This policy adopts the definitions set out in the DP Policy with the following additional terms which have the following meanings:
CCTV: means fixed and domed cameras designed to capture and record images of individuals and property. The Firm currently operates CCTV at its Northampton office.
Data: In respect of CCTV, this generally means video images. It may also include static pictures such as printed screen shots.
Surveillance systems: means any devices or systems designed to monitor or record images of individuals or information relating to individuals. The term includes CCTV systems as well as any technology that may be introduced in the future such as automatic number plate recognition (ANPR), and any other systems that capture information of identifiable individuals or information relating to identifiable individuals.
3. ABOUT THIS POLICY
3.1 We currently use CCTV cameras to view and record individuals at our Northampton office which is based at Nene House, 4 Rushmills, Northampton, NN4 7YB.
3.2 This policy outlines why we use CCTV, how we will use CCTV and how we will process Data recorded by CCTV cameras to ensure we are compliant with the Data Protection Laws and best practice.
3.3 We recognise that information that we hold about individuals is subject to the Data Protection Laws. We are committed to complying with all our legal obligations under the Data Protection Laws. The images of individuals recorded by CCTV cameras are Personal Data and therefore subject to the Data Protection Laws.
3.4 This policy covers all employees, workers, consultants, contractors, partners and job experience/placement students and may also be relevant to visiting members of the public and clients who visit our Northampton office from time to time.
3.5 This policy is non-contractual and does not form part of the terms and conditions of any employment or other contract. We may amend this policy at any time.
3.6 A breach of this policy may, in appropriate circumstances, be treated as a disciplinary matter. Following investigation, a breach of this policy may be regarded as misconduct leading to disciplinary action, up to and including dismissal.
4. PERSONNEL RESPONSIBLE
4.1 The Firm’s Data Protection Officer has been delegated responsibility for ensuring compliance with relevant legislation and the effective operation of this policy. Day-to-day management responsibility for deciding what information is recorded, how it will be used and to whom it may be disclosed is the Data Protection Officer’s responsibility. Day-to-day operational responsibility for CCTV cameras and the storage of data recorded is the responsibility of Gavin Merrington, IT Director.
5. REASONS FOR THE USE OF CCTV
5.1 We currently use CCTV at our Northampton office. We believe that such use is necessary for our legitimate business purposes, including:
(a) to prevent crime and protect buildings and assets from damage, disruption, vandalism and other crime;
(b) for the personal safety of employees, workers, consultants and partners, visitors and other members of the public and to act as a deterrent against crime;
(c) to support law enforcement bodies in the prevention, detection and prosecution of crime;
(d) to assist in day-to-day management, including ensuring the health and safety of staff and others; and
(e) other purposes as set out in any Privacy Notices issued from time to time.
This list is not exhaustive and other purposes may be or become relevant.
6.1 CCTV monitors the entrance to our Northampton car park, giving a view of the barrier arm, key pad and intercom, and monitors the front entrance to our Northampton building and an area of the car park which is part of our demise. The CCTV operates for 24 hours a day and this Data is continuously recorded.
6.2 Camera locations are chosen to minimise viewing of spaces not relevant to the legitimate purpose of the monitoring. As far as practically possible, CCTV cameras will not focus on private homes, gardens or other areas of private property.
6.3 Images are monitored by authorised personnel during working hours every day the Northampton office is open for business. Those images include cars entering our car park, and individuals visiting our office.
6.4 Employees/partners using surveillance systems will be given appropriate training to ensure they understand and observe the legal requirements related to the processing of relevant Data.
7. HOW WE WILL OPERATE ANY CCTV
7.1 Where CCTV cameras are placed in the workplace, we will ensure that signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded. Such signs will contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact for further information, where these things are not obvious to those being monitored.
7.2 Live feeds from CCTV cameras will only be monitored where this is reasonably necessary.
7.3 We will ensure that live feeds from cameras and recorded images are only viewed by approved employees/partners whose role requires them to have access to such Data. This may include HR employees, IT personnel and partners/employees responsible for making decisions in connection with the use of CCTV images and Data. Recorded images will only be viewed in a secure and restricted manner.
8. STORAGE OF DATA GATHERED BY CCTV
8.1 In order to ensure that the rights of individuals recorded by the CCTV system are protected, we will ensure that Data gathered from CCTV cameras is stored in a way that maintains its integrity and security. Currently such Data are stored on internal hard drives and are overwritten every three weeks.
9. RETENTION AND ERASURE OF DATA GATHERED BY CCTV
9.1 Data recorded by the CCTV system are stored on a 2TB internal hard drive. Such Data is stored for 21 days on such hard drive which is on a loop, so the oldest Data is overwritten every three weeks. If Data needs to be retained beyond this, and subject to authorisation being received from the Data Protection Officer, it will be stored separately and securely. Generally, such Data will not be stored longer than is necessary for the purpose for which the Data is needed and in accordance with our Retention Policy and Schedule. Exactly how long images will be retained for will vary according to the purpose for which they are being recorded. For example, where images are being recorded for crime prevention purposes, Data will be kept long enough only for incidents to come to light. In all other cases, recorded images will be kept for no longer than 2 months (subject to paragraph 9.2 below).
9.2 Data from the CCTV system may be retained for longer than that stated in paragraph 9.1 above in the following circumstances:
(a) We are required by law enforcement bodies to preserve evidence from a CCTV recording;
(b) We require the Data to establish, exercise or defend claims involving the Firm; or
(c) If otherwise required by law (which includes any court order served on us) to store the Data for a longer period
9.3 At the end of their useful life, all images stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs will be disposed of as confidential waste. Any still photographs and hard copy prints will be disposed of as confidential waste.
10. USE OF ADDITIONAL SURVEILLANCE SYSTEMS
10.1 Prior to introducing any new surveillance system, including placing a new CCTV camera in any workplace location, we will carefully consider if they are appropriate by carrying out a privacy impact assessment (PIA).
10.2 A PIA is intended to assist us in deciding whether new surveillance cameras are necessary and proportionate in the circumstances and whether they should be used at all or whether any limitations should be placed on their use.
10.3 Any PIA will consider the nature of the problem that we are seeking to address at that time and whether the surveillance camera is likely to be an effective solution, or whether a better alternative solution exists. In particular, we will consider the effect a surveillance camera will have on individuals and therefore whether its use is a proportionate response to the problem identified.
10.4 No surveillance cameras will be placed in areas where there is an expectation of privacy unless, in very exceptional circumstances, it is judged by us to be necessary to deal with very serious concerns.
11. COVERT MONITORING
11.1 We will only engage in covert monitoring or surveillance (that is, where individuals are unaware that the monitoring or surveillance is taking place) in highly exceptional circumstances. This includes but is not limited to instances where there are reasonable grounds to suspect that criminal activity or extremely serious malpractice is taking place and, after suitable consideration, we reasonably believe there is no alternative less intrusive way to tackle the issue.
11.2 In the unlikely event that covert monitoring is considered to be justified, it will only be carried out with the express authorisation of the Data Protection Officer and the Board. The decision to carry out covert monitoring will be fully documented and will set out how the decision to use covert means was reached and by whom. The risk of intrusion on innocent workers will always be a primary consideration in reaching any such decision.
11.3 Any covert monitoring that does take place will be carried out only by those authorised by the Firm to do so.
11.4 Covert monitoring will only be carried out for a limited and reasonable period of time consistent with the objectives of making the recording and will only relate to the specific suspected illegal or unauthorised activity.
12. ONGOING REVIEW OF CCTV USE
12.1 We will ensure that the ongoing use of existing CCTV cameras in the workplace is reviewed periodically to ensure that their use remains necessary and appropriate, and that any surveillance system is continuing to address the needs that justified its introduction.
13. REQUESTS FOR DISCLOSURE
13.1 No images from our CCTV cameras will be disclosed to any third party, without express permission being given by the Data Protection Officer. Data will not normally be released unless satisfactory evidence that it is required for legal proceedings or under a court order has been produced.
13.2 In other appropriate circumstances, we may allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime.
13.3 We will maintain a record of all disclosures of CCTV footage.
13.4 No images from CCTV will ever be posted online or disclosed to the media.
14. SUBJECT ACCESS REQUESTS
14.1 Data subjects may make a request for disclosure of their personal information and this may include CCTV images (data subject access request). A data subject access request is subject to the statutory conditions from time to time in place and should be made in writing, in accordance with our DP Policy (see paragraph 17 of the DP Policy).
14.2 In order for us to locate relevant footage, any requests for copies of recorded CCTV images must include the date and time of the recording, the location where the footage was captured and, if necessary, information identifying the individual.
14.3 We reserve the right to obscure images of third parties when disclosing CCTV Data as part of a subject access request, where we consider it necessary to do so.
15.1 If you have questions about this policy or any concerns about our use of CCTV, then you should speak to the Data Protection Officer in the first instance.
15.2 Where this is not appropriate or matters cannot be resolved informally, employees should use our formal grievance procedure.
15.3 You also have the right to complain at any time to the Information Commissioner’s Office.
16. INDIVIDUAL DATA PROTECTION RIGHTS
16.1 As a Data Subject, you have a number of individual rights when it comes to how we handle your Personal Data. Details of those rights are set out in paragraph 16 of the DP Policy.
The Firm’s Data Protection Officer is responsible for this Policy which was adopted on 8 May 2018.
Version 1.0 May 2018