About this policy
Boatfolk Marinas Limited (the Company) uses closed circuit television (CCTV) for the purposes of the prevention and detection of crime and in order to recognise and identify individuals with a view to taking appropriate action where necessary. This policy sets out the accepted use and management of CCTV equipment and images to ensure that the Company complies with the Data Protection Act 2018 and other relevant legislation. We process personal data in line with our privacy notice.
As a controller, the Company has registered the use of CCTV with the Information Commissioner's Office (ICO) and seeks to comply with its best practice suggestions.
Purpose of this policy
The purpose of this policy is to:
- outline why and how the Company will use CCTV, and how we will process data recorded by CCTV cameras
- ensure that the legal rights of staff, relating to their personal data, are recognised and respected
- assist staff in complying with their own legal obligations when working with personal data. In certain circumstances, misuse of information generated by CCTV or other surveillance systems could constitute a criminal offence; and
- explain how to make a subject access request in respect of personal data created by CCTV.
A breach of this policy may, in appropriate circumstances, be treated as a disciplinary matter. Following investigation, a breach of this policy may be regarded as misconduct leading to disciplinary action, up to and including dismissal.
Who does this policy apply to?
This policy applies to all employees, officers, consultants, self-employed contractors, casual workers, agency workers, volunteers and interns. It also applies to anyone visiting our premises [or using our vehicles].
Who is responsible for this policy?
The board of directors (Board) has overall responsibility for the effective operation of this policy. The Board has delegated responsibility for overseeing its implementation to Dominic Zammit (the Director responsible for Data Protection (DDP)). Any questions you may have about the day-to-day application of this policy should be referred to your Line Manager in the first instance.
This policy is reviewed annually by the DDP. The Company will also review the ongoing use of existing CCTV cameras in the workplace at least every 12 months to ensure that their use remains necessary and appropriate, and that any surveillance system is continuing to address the needs that justified its introduction.
Reasons for the use of CCTV
The Company currently uses CCTV as outlined below. The Company believes that such use is necessary for legitimate business purposes, including:
- The general monitoring of the site and public areas.
- Prevention or detection of crime or equivalent malpractice.
- For the personal safety of staff, visitors and other members of the public and to act as a deterrent against crime.
- Identification and prosecution of offenders.
- Monitoring of the security of the Company’s business premises.
- Ensuring that health and safety rules and Company procedures are being complied with.
- Identification of unauthorised actions or unsafe working practices that might result in disciplinary proceedings being instituted against employees and to assist in providing relevant evidence.
This list is not exhaustive and other purposes may be or become relevant.
Location of cameras
Cameras are located at strategic points throughout the Company’s business premises, principally at the entrance and exit points and around the Marinas. The Company has positioned the cameras so that they only cover communal or public areas on the Company’s business premises, and they have been sited so that they provide clear images. No camera focuses, or will focus, on toilets, shower facilities, changing rooms, staff kitchen areas, staff break rooms or private offices.
All cameras (with the exception of any that may be temporarily set up for covert recording) are also clearly visible.
Appropriate signs are prominently displayed so that employees, clients, customers and other visitors are aware they are entering an area covered by CCTV.
Where CCTV cameras are placed in the workplace, the Company will ensure that signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded. The signs will contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact for further information, where these things are not obvious to those being monitored.
Use of data gathered by CCTV
In order to ensure that the rights of individuals recorded by the CCTV system are protected, the Company will ensure that data gathered from CCTV cameras is stored in a way that maintains its integrity and security. This may include encrypting the data, where it is possible to do so.
The Company may engage data processors to process data on our behalf. The Company will ensure reasonable contractual safeguards are in place to protect the security and integrity of the data.
Recording and retention of data gathered by CCTV
Images produced by the CCTV equipment are intended to be as clear as possible so that they are effective for the purposes set out above. The Manager responsible for the site should ensure that maintenance checks of the equipment are undertaken on a regular basis to ensure it is working properly and that the media is producing high quality images. Regular checks should also be made to ensure GDPR compliance.
Images may be recorded either in constant real-time (24 hours a day throughout the year), or only at certain times, as the needs of the business dictate.
As the recording system records digital images, any CCTV images that are held on the hard drive of a PC or server are deleted and overwritten on a recycling basis and, in any event, once the hard drive has reached the end of its use, it will be erased prior to disposal.
Images that are stored on, or transferred on to, removable media such as CDs or which are stored digitally are permanently erased or destroyed once the purpose of the recording is no longer relevant. In normal circumstances, this will be a period of 30-days. However, where a law enforcement agency is investigating a crime, images may need to be retained for a longer period.
Access to and disclosure of images
Access to, and disclosure of, images recorded on CCTV is restricted to the Marina Manager and only those Company employees who have a specific reason to access or review the footage. This ensures that the rights of individuals are retained. Images can only be disclosed in accordance with the purposes for which they were originally collected.
The images that are filmed are recorded locally and securely. Access to recorded images is restricted to the operators of the CCTV system and to employees / managers who are authorised to view them in accordance with the purposes of the system.
Disclosure of images to other third parties will only be made in accordance with the purposes for which the system is used and will be limited to:
- The police and other law enforcement agencies, where the images recorded could assist in the prevention or detection of a crime or the identification and prosecution of an offender or the identification of a victim or witness.
- Prosecution agencies, such as the Crown Prosecution Service.
- Relevant legal representatives.
- Managers involved with Company disciplinary processes.
- Individuals whose images have been recorded and retained (unless disclosure would prejudice the prevention or detection of crime or the apprehension or prosecution of offenders).
Managers are the only people who are permitted to authorise the disclosure of images to external third parties such as law enforcement agencies.
All requests for disclosure and access to images will be documented, including the date of the disclosure, to whom the images have been provided and the reasons why they are required. If disclosure is denied, the reason will be recorded.
Subject access requests
Under the UK’s data protection laws, including the General Data Protection Regulation (GDPR), data subjects have the right, on request, to view the personal data that the Company holds about them, including CCTV images if they are recognisable from the image.
If you wish to access any CCTV images relating to you, you must make a written request to your Line Manager. The Company will usually not make a charge for such a request, but we may charge a reasonable fee if you make a request which is manifestly unfounded or excessive or is repetitive. Your request must include the date and approximate time when the images were recorded and the location of the particular CCTV camera, so that the images can be easily located, and your identity can be established as the person in the images.
The Company will usually respond promptly and in any case within one month of receiving a request. However, where a request is complex or numerous the Company may extend the one month to respond by a further two months.
The Company may need to check the identity of the data subject making the request before processing it.
The Line Manager will always determine whether disclosure of your images will reveal third party information, as you have no right to access CCTV images relating to other people. In this case, the images of third parties may need to be obscured (wherever possible) if it would otherwise involve an unfair intrusion into their privacy. If it is not possible to obscure other third parties, your request for access to these images may be refused.
If the Company is unable to comply with your request because access could prejudice the prevention or detection of crime or the apprehension or prosecution of offenders, you will be advised accordingly.
Covert recording
The Company is aware that covert recording can only be done in exceptional circumstances for example where there are reasonable grounds to suspect that criminal activity or serious malpractice is taking place and, after suitable consideration, the Company reasonably believes there is no less intrusive way to tackle the issue. On this basis the Company will only undertake covert monitoring if it has carried out a data protection impact assessment which has addressed the following:
- the purpose of the covert recording;
- the necessity and proportionality of the covert recording;
- the risks to the privacy rights of the individual(s) affected by the covert recording;
- the time parameters for conducting the covert recording
- the safeguards and/or security measures that need to be put in place to ensure the covert recording is conducted in accordance with the data protection laws, including the GDPR.
If after undertaking the data impact assessment the Company considers there is a proportionate risk of criminal activity, or equivalent malpractice taking place or about to take place, and if informing the individuals concerned that the recording is taking place would seriously prejudice its prevention or detection, the Company will covertly record the suspected individual(s). In doing this the Company will rely on the protection of its own legitimate interests as the lawful and justifiable legal basis for carrying out the covert recording.
Before the covert recording commences, the Company will ensure that the Group Managing Director (or another Director acting on their behalf) agrees with the findings of the data protection assessment and provides written authorisation to proceed with the covert recording.
Covert monitoring may include both video and audio recording and only authorised Directors or Managers will have access to view or listen to recordings. Covert monitoring will only take place for a limited and reasonable amount of time consistent with the objective of assisting in the prevention and detection of particular suspected criminal activity or equivalent malpractice. Once the specific investigation has been completed, covert monitoring will cease.
Information obtained through covert monitoring will only be used for the prevention or detection of criminal activity or equivalent malpractice. All other information collected in the course of covert monitoring will be deleted or destroyed unless it reveals information which the Company cannot reasonably be expected to ignore.
Staff training
The Company will ensure that all employees handling CCTV images or recordings are adequately trained in the operation and administration of the CCTV system and on the impact of the laws regulating data protection and privacy with regard to that system.