Closed-Circuit Television (CCTV) Monitoring Equipment is used by the Company for a number of purposes and will be used in accordance with the terms set out in this document. This use may involve the recording of personal data of individuals, including their recognisable images.
The Company is obliged to protect such data in accordance with provisions contained in the General Data Protection Regulation (GDPR) which came into effect on 25th May 2018 and the Data Protection Act 2018.
The Company has developed a number of general policies and procedures to protect personal data. Provisions contained in these documents apply to the operation of the CCTV systems by the Company. The purpose of this policy is to support these documents by outlining specific provisions to assist the Company to fulfil its data protection obligations regarding the operation of CCTV systems including, but not limited to, arrangements relating to the location, control and security of CCTV systems, recording by CCTV systems and access to their recordings.
This policy applies to:
- All use of CCTV that involve the recording of personal data.
- All employees of the Company.
- All CCTV service providers contracted by the Company.
The Company accepts primary responsibility for ensuring there is no breach of security and that these Guidelines are complied with and has day-to-day responsibility for the management of the monitoring equipment.
Any breach of these Guidelines or any aspect of confidentiality or security will be dealt with in accordance with established disciplinary procedures.
In this policy, the following words shall have the following meanings:
means the Data Protection Act 2018.
means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
“the Data Protection Regulations”
means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
means all or any of:
(a) the Data Protection Regulation,
(b) the Act,
(c) the Data Protection Act 1988,
(d) the Data Protection Act 2003,
(e) regulations made under the Act,
- “data controller”, “data processor”, “data subjects”, “personal data”, “process”, “processed” and “processing” shall have the meanings respectively, as defined in the Act. Note that “process” and “processing” are defined to include simple events like receiving data into our system or storing it. Processing is not limited to “doing something with it”.
- Purpose of CCTV
Data obtained through the use of CCTV systems shall be limited and proportionate to the purposes for which it was obtained.
The company uses CCTV for the following purposes.
- Safeguarding of all persons and property located on company premises and its environs.
- Assist in the prevention and detection of crime or disorder
- Reduce the fear of crime or disorder
- CCTV footage may be used in the context of disciplinary proceedings involving employees (to protect the vital interests of the Company, employees, customers and affected individuals).
- Securing public order and safety by facilitating the deterrence and detection of anti-social behaviour.
- CCTV footage is not disclosed to third parties except where disclosure is required by law (such as for the purpose of preventing, detecting or investigating alleged offences) and in such instance’s disclosure is based on a valid request.
CCTV will not be used by the Company for any other purposes other than those outlined in this policy document.
- CCTV Locations
CCTV will be deployed, as appropriate, either permanently or from time to time, throughout the property, including external and internal spaces within the building, car parks, pathways and grounds.
CCTV will not be deployed where persons have a reasonable expectation of privacy.
Cameras shall be positioned in such a way as to prevent or minimise recordings of persons or property other than those that are intended to be covered by the CCTV system.
- CCTV Signage
Signage indicating that CCTV is in use is displayed prominently throughout the property and includes the following information:
- Notice that CCTV is in operation.
- Details of who to contact regarding the CCTV system.
- CCTV Retention
- Data recorded on CCTV systems shall be kept for no longer than is considered necessary.
- Normally data recorded on CCTV systems will not be retained by the Company beyond a maximum of 28 days.
- Data recorded on CCTV systems may, however, be retained by the Company beyond a maximum of 28 days in circumstances where the data is required for evidential purposes and/or legal proceedings
- CCTV Register
A CCTV Register shall be maintained by the Company, this register shall contain, at a minimum, the following information:
- Location of each CCTV system.
- Purpose of each CCTV system.
- Type of signage at each CCTV location.
- Location of signage at each CCTV location.
- Details of employees authorised to access the CCTV system.
- Retention period for CCTV recordings.
- CCTV service provider details
- Security Arrangements for CCTV
- For reasons of security and confidentiality, access to the CCTV Monitoring equipment is restricted. Only those members of employees, trained specifically will be allowed to operate any of the equipment.
- Employees will be specifically selected for the role and will be trained in the use of the equipment. Each employee will be personally issued with a copy of this policy. They will be fully conversant with the contents of this document, which may be updated from time to time, and which he/she will be expected to comply with at all times. Monitoring shall be conducted by a trained employee. An authorised employee will be present at all times when the monitoring equipment is in use
- Unauthorised access by employees is prohibited. Managers should enforce this requirement at all times and with due care.
- Public access to the designated location of the CCTV monitoring equipment will be prohibited except for lawful, proper and sufficient reasons and only with the authority of a Manager.
- Access to CCTV Recordings
Access to CCTV recordings may be provided to the following:
- Data Subjects.
- An Garda Síochána.
- Other Third Parties.
- Access by Data Subjects
- Data protection legislation provides data subjects with a right to access their personal data. This includes their recognisable images and other personal data captured by CCTV recordings. Access requests are required to be submitted in writing in physical or electronic format e.g. by letter or e-mail and will be processed in accordance with provisions contained in the Company’s Access Request Policy and Procedures.
- Where it is deemed necessary or appropriate the Company may request the provision of additional information to confirm the identity of person submitting a data subject access request.
- It would not suffice for a data subject to make a general access request for a copy of CCTV recordings. Instead, it will be necessary that data subjects specify that they are seeking to access a copy of CCTV recordings that have captured their recognisable images and/or other personal data between specified dates, at certain times and at specific areas.
- The provision of access to a data subject to CCTV recordings of his/her recognisable images and/or other personal data will normally involve providing a copy of the recording in video format. In circumstances where the recording is technically incapable of being copied, or in other exceptional circumstances, stills may be provided as an alternative to video footage.
- Where recognisable images and/or other personal data of other parties other than the data subject appear on the CCTV recordings, these will be pixelated or otherwise redacted on any copies or stills provided to the data subject. Alternatively, unedited copies of the CCTV recordings may be released provided consent is obtained from those other parties whose recognisable images and/or other personal data appear on the CCTV recordings.
- If the CCTV recording is of such poor quality as to not clearly identify recognisable images and/or other personal data relating to the data subject, then the recording will not be considered as personal data and may not be released by the Company.
- If the CCTV recording no longer exists on the date that the Company receives an access request, it will not be possible to provide access to a data subject. CCTV recordings are usually deleted in accordance with provisions contained in this policy.
- Access by Data Subjects
- There is a distinction between a request by An Garda Síochána to view CCTV recordings and to obtain copies of such recordings. In general, a request made by An Garda Síochána to simply view CCTV recordings should be accommodated as it does not raise any concerns from a data protection perspective.
- Requests from An Garda Síochána for copies of CCTV recordings are required to be submitted in writing on An Garda Síochána headed paper and signed by an appropriate ranking member of An Garda Síochána. The request should specify the details of the CCTV recordings required and cite the legal basis for the request being made.
- In order to expedite a request in urgent situations, a verbal request from An Garda Síochána for copies of CCTV recordings will suffice. However, such a verbal request must be followed up with a formal written request from An Garda Síochána.
- Access by Other Third Parties
Access by third parties such as public bodies, private organisations and individuals other than the data subject to CCTV recordings will only be provided in circumstances that are permitted by data protection legislation.
- Access Log
An Access Log shall be maintained by the Company. This log shall maintain a record of all requests made by the following to view/obtain copies of CCTV recordings and the outcome of such requests:
- Data Subjects
- An Garda Síochána
- Other Third Parties
- Data Protection Impact Assessment
A Data Protection Impact Assessment shall be carried out, in accordance with data protection legislative requirements, before any installation of a new CCTV system or upgrade to an existing CCTV system if, in the opinion of the Company, the installation or upgrade is likely to result in a high risk to the rights and freedoms of individuals
- Supporting Policies, Procedures & Guidelines
The company shall adhere to all relevant CCTV Guidelines/Codes of Practice issued by the Data Protection Commission and/or other statutory bodies.
- Monitoring and Review
Provisions contained in this policy document shall be subject to on-going monitoring and review.
- Complaints to the Data Protection Commission
Data subjects may make a complaint to the Data Protection Commissioner in the following circumstances:
If they experience a delay outside of the prescribed timeframe for making a decision on an access request or if they are dissatisfied with a decision by the Company on their access request.
If they consider that the Company’s processing of their personal data is contrary to their data protection rights.