Surveillance Camera Data Governance Policy
Surrey County Council is committed to ensuring that Closed-Circuit Television (CCTV) and similar surveillance technology is used appropriately and is managed in compliance with the General Data Protection Regulation and the Data Protection Act 2018.
This policy describes SCC's obligations with regard to monitoring in public spaces and Council property and the associated use of surveillance camera technology.
This policy exists to:
- ensure compliance with relevant law and codes of practice
- safeguard personal data collected and stored by the council
Negligent or malicious non-compliance with this policy may be dealt with through the disciplinary process.
This policy applies to delivery of services by all functions within the council.
Senior Information Risk Owner (SIRO) - The Senior Information Risk Owner has responsibility for ensuring compliance with this Policy.
Single Point of Contact (SPOC) – Senior management oversight of the organisation's use of surveillance camera technology
Data Protection Officer – is responsible for advising the organisation on data protection matters and meeting data subjects' rights.
Strategic Directors & Heads of Service - responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance. Strategic Directors and Heads of Service are accountable for the communication about, and compliance with, Council Policy. Line Managers must ensure that staff are adequately trained and apply the appropriate guidelines.
Staff and Members - whether permanent, temporary or contracted are responsible for understanding and complying with relevant policies and procedures for securing the organisation's information assets, and for immediately reporting any event or breach affecting information assets of the organisation.
IT&D Security - is responsible for ensuring the confidentiality, integrity and availability of data stored and processed within the council's IT infrastructure. This is achieved through the use of technical and procedural controls as detailed in the IT Security Policy.
'Surveillance technology' is defined in this context as any 'systems used to monitor or record the activities of individuals, or both' (ICO Surveillance Camera Code of Practice (2015)). These include:
- Closed Circuit Television (CCTV) (with and without audio)
- Body Worn Video (BWV)
- Unmanned aerial systems (including Drones)
Monitoring the activities of individuals using surveillance technology involves the processing of Personal Data, defined under data protection law as information that allows identification of an individual.
'Monitoring' in the context of surveillance will often mean that personal data is collected outside of the purpose for which surveillance has been implemented as opposed to direct recording of an event/meeting (subject to separate policy).
'Overt surveillance' - this policy covers monitoring where data subjects are aware of the fact that surveillance is taking place. This is distinct from covert surveillance covered under SCC's RIPA Policy.
In order to ensure the Council upholds individuals' rights in processing personal data and complies with relevant legislation, any deployment of the use of surveillance technology must be designed and risk assessed using the following process:
- A Data Protection Impact Assessment and Surveillance Checklist (see Appendix 1) must be completed and signed off for each use and deployment* of surveillance technology.
- A technical Risk Assessment must be completed and signed off for each use and deployment of surveillance technology.
*Deployment refers to a common instance of Surveillance Camera Technology i.e. using the same technology and processes for the same purpose and can therefore cover more than one camera.
The use of data gathered via surveillance technology must be clearly articulated, justified and documented in the Data Protection Impact Assessment.
Data must only be held for as long as is required to meet the purpose for which it was gathered unless a legal exemption applies. Requests by individuals for data to be erased must be considered in line with Data Protection Law.
Siting and coverage of surveillance cameras will be kept under review to ensure the system is effective while minimising intrusion and impact on privacy of staff and visitors.
Operation of the CCTV systems will be documented in a procedures manual detailing appropriate use and management and all staff with direct access to the system will receive appropriate training.
Operation of the CCTV systems will be subject to daily routine checks to ensure correct operation and appropriate image quality. All CCTV systems will be subject to annual review to assure the organisation that they are still necessary, proportionate and fit-for-purpose.
Any external suppliers providing CCTV services will be subject to a written GDPR-compliant contract.
Appropriate and visible signage will be displayed at all locations and in and on all vehicles using surveillance cameras, with the identity of the organisation and contact details for the Security Manager clearly visible.
Our use of CCTV and surveillance technologies will be included in our Records of Data Processing Activity (under article 30 of GDPR) and in our data protection Privacy Notices.
Access to surveillance images
All operational requests from within the organisation to access stored recordings of surveillance camera images will be forwarded to the Corporate Information Governance Team for consideration and all decisions will be documented.
Police requests for access will be dealt with by the Corporate Information Governance Team and consideration given on receipt of an appropriate written request.
Subject access requests and other rights requests from individuals for their own CCTV/Surveillance camera images will be forwarded immediately to the Corporate Information Governance Team.
All other third party access requests (from insurance companies, lawyers and others) will also be forwarded to the Corporate Information Governance Team for consideration and decisions will be documented.
Access to surveillance camera controls and monitors and to the servers and media containing surveillance images will be appropriately secured through encryption of devices and media, firewall protection of the servers, user account access controls and physical security for the control area. The system will be secured against hardware attack and backed up appropriately. (See Information Security policy.)
Related Policies, Guidance and Legislation
- General Data Protection Regulation/Data Protection Act
- Regulation of Investigatory Powers Act
- Protection of Freedoms Act
- Human Rights Act
- Data Protection Policy
- Information Security Policy
The ICO CCTV Code of Practice is normative for the organisation.
We also have regard to the Surveillance Camera Code of Practice issued by the Surveillance Camera Commissioner under the Protection of Freedoms Act 2012. (While it is only binding on English and Welsh police forces and local authorities, it provides useful principles for all users of CCTV.)
Appendix 1: Surveillance Checklist
- Is there a clear and legitimate purpose for use of surveillance? E.g. detection and prevention of crime
- Are there no alternatives to use of surveillance? Is there a pressing need for the use of surveillance technology?
- Is the processing lawful? (Does an applicable condition to process apply?)
- Will a robust privacy notice/signage be in place outlining the existence of surveillance and the use of personal data? (See PN guidance/checklist)
- Is personal data collected only to be used for the purposes outlined?
- Is only the minimum data required to fulfil the purpose collected?
- If applicable, is recording of audio data suitably justified? Has a 'pressing need' for audio been clearly articulated? Is there no other alternative?
- Has a Data Protection Impact Assessment (DPIA) been completed and this checklist appended?
- Is security of images assured from capture to destruction?
- Is access to view data confined to a secure area/office?
- Has the solution to be used been risk assessed (by IT&D)?
- Are all operator staff security cleared?
Procedure and Governance
- Are robust procedures in place to ensure authorised access only?
- Is a contract in place with any 3rd party supplier that assures compliance with data protection law?
- Do procedures clearly outline who, how and when personal data should be accessed, stored and disclosed?
- Are all operator staff trained in relevant procedures including access, disclosure (inc. subject access) and retention?
- Are staff aware of the consequences of the misuse of surveillance technology?
- Will the use of surveillance be reviewed annually?
- Is there an Information Asset Owner identified?
- Is information kept only for as long as required to fulfil the purpose for processing?
- Is the operator of the surveillance technology suitably licensed?
- Can surveillance be 'turned off' when not required?
- Can data subject rights be met e.g. erasure?
- Is the accuracy and integrity of information assured? Do image quality and metadata (e.g. date and time) meet requirements for processing the data?
- Can images be pixelated for disclosure/subject access purposes?
- Do systems allow ease of disclosure where relevant?
- Is an audit of access and disclosure to be kept?
- Can data be made available in a commonly used format?
- Does positioning of cameras/surveillance equipment exclude areas where individuals would have a legitimate expectation of privacy?
- Do disclosure mechanisms allow secure delivery to intended recipients?
- Where both audio and visual recording is in place, can these be enabled independently e.g. can audio be switched on and off?