A range of files and folders in colourful folders on shelves.

CCTV policy

policy info

  • Last reviewed: March 2019

contents

CCTV policy

1. Introduction

1.1 The University of West London is committed to providing a safe and secure learning environment across its campuses and buildings. The University therefore operates close circuit television cameras (CCTV) across its campuses and buildings for the security and safety of its staff and students.

1.2 Closed Circuit Television (CCTV) cameras are installed to view and record the activities of individuals overtly at selected locations on University premises. The deployment of these cameras are a strategic component of the University commitment to staff and student safety, security and crime prevention.

1.3 The University’s use of CCTV is covered by the General Data Protection Regulation (GDPR). Identifiable imagery is considered as personal data under the GDPR and, therefore, this policy is committed to the protection of individuals’ rights and privacy. The processing of personal data such as the collection, recording, use, and storage of personal information through the CCTV system will be dealt with lawfully and correctly in accordance with the University’s Data Protection Policy.

2. CCTV system

2.1 The CCTV system adopted includes internal / external; static colour / black
and white; full pan, tilt and zoom cameras. Pan, tilt and zoom (PTZ) function is employed only on playback but not in real time live recording mode and area viewed is pre-set and static, especially for all external cameras.

2.2 The vast majority of CCTV cameras are IP based and connected to the UWL IT network. The system records CCTV data in real time to specific Networked Video Recorders (NVR) in secure locations across the university estate. For buildings were analogue CCTV system is in use, the camera output is cabled to Video Camera Recorders (VCR’s) with real time recording available on motion sensors. The output of the cameras can be relayed between the VCR’s and authorised desk top computers via web links on the Universities computer network.

2.3 All CCTV cameras are set to motion detection, which means real time recording will be automated only when there are activities, that is, movement in the area. This ensures the system does not record when there are no activities taking place and guarantee sufficient disk recording space, maximise digital deletion or the recorded data ascribed retention period.

2.4 The Executive member responsible for the system is the Director of Property Services and the manager is the Head of Security. The University of West London is the owner of all recorded CCTV data.

3. Purpose of the CCTV system

3.1 The purpose of the CCTV system is as follows:

  • To enhance ‘safety, security and crime prevention on University premises’
  • Safety of staff, students, contractors and visitors
  • Provide an effective means by which to prevent and reduce crime in the monitored areas through an increased fear of detection and the prevention of offenders
  • Assist in the factual, accurate and speedy reconstruction of the circumstances of incidents
  • To assist the University and police in providing a swift response to criminal activity and provide evidential material for court and disciplinary proceedings
  • Protect the University assets
  • To assist in traffic management within University car parks
  • To assist in supporting University health and safety policies
  • To assist in the event of an emergency or disaster

4. Scope

4.1 The CCTV system is intended to view, monitor and record activities within University premises. It will focus primarily, but not limited to, key entry and exits points to premises, building perimeters, certain communal areas and others parts where CCTV is recommended to mitigate against risks to safety and security.

4.2 Every possible effort has been made in the planning and design of the CCTV system to give it maximum effectiveness. However it is not possible to guarantee that the system will see every single incident taking place in the areas of coverage.

4.3 The CCTV system must strike an appropriate balance between the personal privacy of individuals using the campuses/buildings and the objective of recording incidents.

4.4 The system will be operated fairly to ensure that all CCTV data is processed in accordance with GDPR, the Data Protection Act 2018 and the University data protection policy and only for the purposes to which it is established.

4.5 The system is not intended to invade the privacy of any individual in residential, business or other private premises, buildings or land not belonging to the University.

4.6 No sound will be recorded in public places and CCTV is not used to record conversations.

4.7 No images will be captured in areas where individuals would have an expectation of privacy (for example toilets, showers, changing facilities etc).

5. Signage

5.1 Strategically placed CCTV camera notices at key entry points to University premises will advise individuals that they are entering an area which is covered by CCTV cameras.

5.2 The CCTV notice at entrances to University of West London and in adjacent areas will contain:

  • The name of the data controller (ie University of West London)
  • The purpose(s) of the scheme
  • A contact name and telephone number for enquiries

6. Camera locations

6.1 The CCTV systems installed in and around the University estate comprises a mixture of fixed and pan/tilt/zoom cameras. These cameras provide fields of view encompassing approaches to building entrances, building property lines and internal communal and secure areas.

6.2 Covert cameras are not installed anywhere on the University premises. However, the University reserves the right to deploy covert cameras in exceptional circumstances affecting public safety, prevention and apprehension of nefarious and criminal activities within the premises. Any deployment of covert cameras will require written approval by the University Secretary or law enforcement agencies.

7. Data protection

7.1 This policy document will be implemented to ensure that the deployment and control of CCTV resources is proportionate and lawful under the terms of the General Data Protection Regulations (GDPR 2018), the Data Protection Act 2018 and the CCTV Codes of Practice issued by the Information Commissioner Office (ICO).

7.2 In summary, personal data should be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

7.3 The lawful basis identified for processing the personal data as part of the CCTV system is legitimate interests.

7.4 This CCTV policy should be read in conjunction with the following policy documents:

8. Responsibilities

8.1 University of West London as owner has responsibility for compliance with the purposes and objectives of the system including operational guidance and the protection of the interests of the University users and privacy of the individuals whose images are captured on the system. This responsibility is undertaken by the following members of staff:

8.2 Data Protection Officer: The University Secretary and Chief Compliance Officer is the appointed Data Protection Officer responsible for the management of data protection matters and for the development of specific guidance and practice on data protection issues for the University.

8.3 Director of Property Services: The Director of property services shall have responsibility for the CCTV infrastructure, ensuring there is an adequate maintenance regime, upgrades to CCTV hardware and software, so they are fit for purpose. The Director will support the Head of Security in developing and maintaining good CCTV data processing and handling practice within the University in accordance with the data protection policy and the information security policy.

8.4 Head of Security: The University Head of Security is responsible for the day to day management and control of the CCTV system on behalf of the University. Where management of the CCTV system is part of an outsourced contract to a TFM provider, he will work closely with the TFM partner to ensure service and maintenance agreements are carried out as dictated by the TFM contract or industry standard. Only security officers fully trained and who hold any relevant licenses required by regulatory authorities will be permitted to process data from the CCTV system. The Head of Security will work with the TFM provider of security services and CCTV contracts, to create an awareness of data protection "dos and don'ts" to security staff.

8.5 Chief Information Officer and/or Director of IT: The Chief Information Officer is responsible for protecting all data on the University’s IT systems and will ensure there are appropriate technical and organisational security measures in place to protect CCTV data on the system.

9. Assessment of the policy

9.1 The Head of Security will evaluate the system periodically to consider the following:

  • The assessment of impact upon crime
  • Assessment of areas without CCTV
  • The views of the users
  • Operation of the policy
  • Whether the purposes for which the scheme was established still exist
  • Future functioning, management and operation of the system

10. Management of the system

10.1 The Head of Security is responsible for the management of the University's CCTV system. This includes the maintenance and operation of the system as well as the protection of the privacy interests of individual members of the University and the public from intrusive monitoring.

10.2 The Head of Security will ensure that all Security staff involved in the recording, observation and capture of images are informed, through training on operating the CCTV system or through other means, of their responsibility to act in an ethical and lawful manner in line with relevant legislation and industry standards.

10.3 For the purpose of viewing CCTV images, an authorised person is defined as an employee or appointed person acting on behalf of University of West London who has an operational responsibility for either the prevention, investigation or detection of crime and/or the monitoring of the security and safety of the premises at University of West London.

10.4 All reported abuse or inappropriate use of the CCTV system will be investigated and if proven, the University will take appropriate measures to eliminate or minimise the risk of reoccurrence. Inappropriate use of the CCTV system will be considered a breach of University policy and will be handled accordingly.

11. Access To CCTV monitors and monitoring equipment

11.1 CCTV monitors which display live images may be installed in public areas to show live images of activities in the area. This may be deployed when it is important to emphasise an area is under CCTV surveillance as a deterrent to criminal activities, antisocial behaviour or allay any safety concerns within the area. The monitor displays only a scene or live images which is also in plain sight from the monitor location. Unless specifically designed for these purposes, access to CCTV monitors or display screens will be restricted to persons authorised to view those images.

11.2 All CCTV recording equipment will be located within secure areas and only accessible to authorised personnel.

11.3 Where software application allows remote access to the system for authorised staff via the web link, access rights to the systems will be highly password protected.

12. Recording and storage of information

12.1 All recorded material will be treated as confidential and unless required for evidence, will be kept in accordance with this policy.

12.2 The CCTV systems are operated and monitored 24 hours a day, every day of the year.

12.3 CCTV images not to be retained for longer than necessary. Data storage is automatically managed by the CCTV digital recorders which use software programme to overwrite historical data in chronological order to enable the recycling of storage capabilities. This process produces a minimum of 30 days rotation in data retention.

12.4 Provided that there is no legitimate reason for retaining the CCTV images (such as for use in legal or disciplinary proceedings), the images will be erased following the expiration of the retention period.

12.5 If CCTV images are retained beyond the retention period, they will be stored in a secure place with controlled access and erased when no longer required.

12.6 Access to the CCTV System and to the captured images will be restricted to authorised staff involved in monitoring or investigation.

13. Access and disclosure of CCTV images

13.1 Requests for access to (review), or disclosure of (ie provision of a copy) of images recorded on the CCTV systems from third parties (ie unauthorised persons) will only be granted if the requestor falls within the following types of person / organisation:

  • Data Subjects (ie persons whose images have been recorded by the CCTV systems)
  • Law enforcement agencies (where the images recorded would assist in a specific criminal enquiry)
  • Prosecution agencies (including University Managers in the course of staff or student disciplinary proceedings)
  • Relevant legal representatives of data subjects

13.2 Images from CCTV must not be forwarded to the media for entertainment purposes or be placed on the internet.

13.3 Images will only be released to the media on the authority of the University Secretary and following advice from law enforcement agencies to support police investigations.

13.4 Right of Access: Staff, students and other data subjects about whom the University holds or uses personal data have a legal right to access that information and request a copy of the data in permanent form. Any person wishing to exercise their right of access formally should complete the “Data Subject Access Form” and submit it along with proof of identity to prevent unlawful disclosure of personal data to: datarequests@uwl.ac.uk. An electronic copy of the Data Subject Access Form can be obtained from the University’s website.

13.5 By law, the University has one month from receipt of the request along with proof of identity, in which to respond to subject access requests. In any event the University will endeavour to respond as quickly as possible. In limited circumstances, the University may not be able to release personal data because exemptions under the Legislation are applicable, or the disclosure of the data would release personal data relating to other individuals.

13.6 Staff who receive enquiry for personal information from an individual (data subject) or a third party acting on behalf of a data subject, should be directed to complete the Subject Access Request form. All requests should be sent to: datarequest@uwl.ac.uk.

13.7 Where a third party is acting on behalf of a data subject, written authorisation from the data subject must be provided to confirm that the third party is acting on their behalf.

13.8 The University has discretion to refuse any third party request for information unless there is an overriding legal obligation such as a court order or information access rights. Once an image has been disclosed to another body, such as the police, then they become the data controller for their copy of that image. It is their responsibility to comply with the Data Protection Legislation in relation to any further disclosures.

13.9 It may be necessary for redaction of images on copies of CCTV issued following a subject access request. This is usually to protect third party data. Where redaction is deemed impossible for example huge video files, the university may refuse a CCTV data request if providing this data infringes on the rights to privacy of others.

13.10 The contact point indicated on the CCTV signs around University of West London should be available to members of the public during normal business hours.

13.11 Whenever, recorded CCTV images are viewed or copy of data released authorised persons/organisation, a log must be maintained and signed by the issuer and requestor on the UWL Security CCTV management pack.

13.12 All disclosed CCTV data must be safely delivered to the intended recipient ideally by handing over information on a sealed data disc or other media storage device with encryption embedded in the CCTV application software. CCTV recorded data must not be transmitted by email.

13.13 Only the University Secretary and the Head of Security can authorise the viewing or release of CCTV data.

13.14 Please visit the ICO website for further information on the above rights. You may also contact the Data Protection Officer for further information (university.secretary@uwl.ac.uk)

13.15 You have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. 

14. Liaison with the police services

14.1 Images may be released to the police service or other law enforcement agencies in compliance with Police Act 1996 Section 30(1) and Section 29(3), Section 30(5) of the DPA 1998 now promulgated in the Data Protection Act 2018 and General Data Protection Regulations (GDPR 2018).

14.2 All CCTV data requests from the police service or other law enforcement agencies should be referred to the Head of Security.

14.3 All CCTV data viewed or released to the police must be logged in the UWL security CCTV management register. Visiting police officers must provide their standard issued badge as proof of identity and provide signatures for any CCTV collected.

15. Installation

15.1 The CCTV installations are carried out through consultation with external CCTV providers approved by University of West London.

15.2 Any technological change, which will have a significant effect upon the capacity of the system, will be fully assessed in relation to the purpose and key objectives of the system.

15.3 The University reserves the right to deploy/restrict/cease the use of dummy cameras as part of the system subject to applicable laws, ICO code of practice or police directive.

16. Staff

16.1 All security staff involved in the recording, observation and capture of images must act in an ethical and lawful manner in accordance with legislation and must receive adequate training to ensure their understanding of compliance legislation.

16.2 Training will include how to identify suspicious behaviour, when to track individuals or groups and when to take close up views of incidents or people and compliance with Data Protection Act and any other relevant legislation. Staff with access to CCTV data should be particularly careful not to infringe upon the public’s human rights. The effectiveness of individual operators will be reviewed periodically.

16.3 Only authorised persons involved in the monitoring or investigation can view CCTV images.

16.4 The CCTV policy as with all other University policies and procedures are deemed reasonable management instructions covered by an employee’s contract of employment. As a result, breaches of any aspect of this policy may result in disciplinary penalties or be referred to the police as the subject of criminal or civil offence investigation.

16.5 Unless authorised by the University Secretary, only the Head of Security and their nominees may review stored recordings or down load information for the police or University.

17. Complaints

17.1 All complaint and enquiries relating to the CCTV system should be addressed to: Head of Security, University of West London, St. Mary’s Road, Ealing, London W5 5RF.

18. Breaches of the code

18.1 Breaches of the policy and of security will be investigated by the Head of Security or the Data Protection Officer’s nominee. Recommendations and corrective action plans will be put in place to remedy any breach which is proven.

18.2 The University Information Security Manager and the Head of Security are responsible for maintaining a record of CCTV data breaches as part of the policy.

18.3 All breaches of personal data must be reported to the University Secretary and Chief Compliance Officer, who is the appointed Data Protection Officer for the University.

19. Access request form

19.1 Under the General Data Protection Regulation (GDPR) you are entitled to request the personal data that we hold about you. Please use the form available on the University website to specify the data that you wish to access. Under GDPR we have one month in which to respond to you.