CCTV policy

Smile Club CCTV policy

Introduction

This policy describes how we comply with data protection legislation requirements in our use of CCTV and aims to support management in the safe implementation and use of Surveillance Cameras to protect all staff, patients and public using our premises.

We acknowledge our responsibility to protect staff, patients and the public who use the services whilst protecting the freedom of all individuals within the standards of the Human Rights Act, GDPR General Data Protection Rules and other guidance which may be issued by the Information Commissioners Office.

Purpose

Surveillance Cameras are used to:

  • help prevent and detect crime
  • help us maintain levels of safety and security of our staff and those visiting our clinic
  • protect our premises and property
  • pursue the prosecution of offenders as it may assist in the robust monitoring of areas that may need observing

 

It is central to any decision that, in line with the requirements of the Information Commissioners Office (ICO), a clear reason for installation is available. This could be in the form of a Risk Assessment highlighting incidents that have occurred within a specific area.

Surveillance cameras alone will not prevent staff or patients being assaulted or property from being stolen or damaged. However, combined with good local systems and procedures as part of a holistic solution, it can help to prevent and deter security-related incidents, as well as provide evidence to assist investigations of incidents.

Statement

As part of our commitment to ensure the delivery of a high quality and safe working environment for our staff, patients and visitors who access our facilities, we will:

  • operate it fairly and lawfully and in accordance with the General Data Protection ensuring full compliance
  • operate it with due regard for the privacy of all individuals at all times
  • ensure surveillance cameras are correctly and appropriately installed and operated
  • establish a robust management system to correctly identify footage, store it securely and prevent misuse
  • maintain the surveillance camera system and strive to continually improve the monitoring control process ensuring surveillance camera equipment and records are only used and accessed by authorised persons
  • provide clear guidance to relevant staff to ensure they understand the reasons, benefits and legal implications of the use of surveillance camera

Ownership & operation of CCTV

Nasser Syed is Data Controller who has an overall responsibility for CCTV operations and images produced at the clinic.

Dawes Security Ltd is responsible for installing and maintaining the CCTV equipment and storing the images produced. It processes information on behalf of the clinic, which is ultimately responsible for cameras, monitors, data collection, the use of all CCTV and retention processes at the clinic.

Roles and responsibilities

Employer/ Director is ultimately responsible for the adherence to agreed Data Protection requirements , full compliance with Code of Practise issued by Information Commissioner (ICO) and the manner in which CCTV Policy is implemented in the clinic.  

Information Governance Lead will:

  • ensure safe and appropriate management of the disclosure of material in response to subject requests
  • ensure Surveillance Camera arrangements comply with the Data protection Principles and GDPR regulations which state that data must be
    1. Fairly and lawfully processed
    2. Processed for limited purpose and not in any manner incompatible with those purposes
    3. Adequate, relevant and not excessive
    4. Accurate
    5. Not kept any longer than necessary
    6. Processed in accordance with individual rights
    7. Secure at all times
    8. Not transferred to locations without adequate protection

 

Management must be informed of any CCTV footage that potentially identifies members of staff in any alleged criminal activity, gross misconduct, fraud or inappropriate behaviour. In such cases, the individual staff member and if appropriate their union representative will have access to this CCTV footage.

Location and positioning of CCTV

For the safety of our patients, visitors and staff, CCTV cameras are placed in public areas where access is not restricted such as car parks to ensure vehicle safety, main entrance, back garden and premises where safety of either people who use the services, staff or visitors justifies the positioning.

Cameras will NEVER be installed within private areas such as any clinical areas, toilets, bathrooms, staff room.

Location of Surveillance Cameras

CCTV cameras cover the following areas:

  • Reception area
  • Private waiting room
  • Telephony office
  • Entrance hallway
  • Rear hallway
  • Upstairs landing
  • Upstairs rear room
  • Upstairs middle room
  • Front entrance external
  • Rear entrance external
  • Front of building external
  • Car park entrance external
  • Roadside external
  • Right side of building external

 

Positioning of Cameras and Monitors

Cameras are visible, never hidden from view but positioned in locations where they are secure and protected from vandalism.

CCTV Signs are displayed on premises and on the entrance so that staff and the public can clearly see the signage and are immediately aware that premises are monitored through Surveillance Camera System.

ICO ‘s Code of Practice Guidance on CCTV suggests that signs should:

  • be clearly visible and readable;
  • contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact about the scheme
  • include basic contact details such as a simple website address, telephone number or email contact;

  

The CCTV monitors (screens) are switched off when not in use and positioned in a way that the general public, or unauthorised staff members, cannot view when passing by.

Monitors are located in on computer in Practice managers office.

The CCTV does have audio recording capability.

Information about CCTV in operation is available on clinic’s website and state the following:

‘These premises are under CCTV Surveillance. Images are being recorded and monitored for the purposes of the prevention and detection of crime and for public safety. For Subject Access Requests or any other queries please contact our Data Controller Nasser Syed via email on info@mysmileclub.co.uk

Monitoring, servicing and quality of images

All equipment is tested once installed to ensure that only designated areas are covered by the cameras and high quality images are available in live and play back modes.

It is vital for a system that the images produced are of a sufficient quality to enable the recognition and identification of persons suspected of committing acts of unlawful intention.

CCTV systems are installed and maintained by appropriately certificated contractors.

Annual Servicing

Annual servicing on the system and Surveillance Camera Equipment is carried out by Dawes security ltd.

Weekly Monitoring

The CCTV equipment is checked weekly by an authorised appointed person Nasser Syed/Arti Shrestha to ensure that it is in a good working order, displays data accurately and images recorded are of a sufficient quality to be used for the purposes listed. 

‘Surveillance Camera Log’ is maintained and up to date.

If the cameras are not functioning correctly, Nasser Syed/Arti Shrestha must be notified immediately who will log fault on ‘Equipment Fault Log’ and arrange an approved specialist for repair or replacement.

Use, disclosure, storage and retention of images

Use and disclosure of Images and recordings

CCTV images and recordings are personal information and, when using or processing the information, we will respect the legal rights of the individuals shown in the recordings.

All recordings must be traceable which means that the system is set up to record with a camera number, date and time stamp.

Data Controller or Information Governance Lead must authorise and approve request before any images are released to any third party.

Disclosure of recorded material will only be available to a third party in strict compliance with the Data Protection Act 2018 (GDPR) with approval from Data Controller or Information Governance Lead and only in exceptional circumstances such as:

  • when requested by ‘Data Subject’, public member, patient, visitor or staff member
  • when requested by the local authority, police or courts for the investigation, prevention or prosecution of anti-social behaviour or criminal activity 
  • for bringing or defending a legal claim
  • to comply with a police warrant or an order given by a court or tribunal.
  • If requested by Health and Safety Executive who is also empowered to seize footage as part of an investigation they may be undertaking – if necessary and without approval.

 

All access provided to third parties must be recorded and documented using ‘Access to CCTV Recording Form’

Storage

Sufficient protection is in place to ensure that CCTV footage does not fall into the wrong hands such as preventing cameras’ feeds being viewed by criminals or being hijacked by them for use in computer botnets.

The following security precautions steps will be taken to ensure data security:

  • wireless transmission systems protected from interception
  • ability to view or make copies of information restricted to appropriate and authorised staff only
  • secure space to store footage is available
  • staff trained in security procedures and sanctions against staff who misuse surveillance system
  • appropriate controls established if the system is connected to, or made available across, a computer network. Internet-protocol (IP) cameras are protected by firewall and router controls, and strong password is set
  • Equipment’s Manufacturer Software updated as prompted and in a timely manner.
  • recorded footage from CCTV, whether tapes or hard disks, protected against access by any unauthorised persons or staff
  • collected data stored securely using encryption with restricted access to the information.

 

Retention Periods

The DPA does not prescribe any specific minimum or maximum retention periods which apply to all systems or footage. Retention should reflect the clinic’s purposes for recording information and should not be kept for longer than is necessary.

At our clinic, CCTV images and recordings will be kept for 30 days.

If images are to be specifically retained for evidential purposes i.e. following an incident, break-in, then the footage is retained in a secure place to which access is controlled and a back-up made.

After this time or following the conclusion of an investigation, the recordings will be destroyed and/or irretrievably deleted. 

Access requests for CCTV recordings

The Data Protection Act provides Data Subjects (persons to whom ‘personal data’ relates) with the right to access data concerning them, including images obtained by Surveillance Camera.

Requests for access by Data Subject Access can be made verbally or in writing but ‘Access to CCTV Recording Form’ must be completed and submitted to Data Controller or Information Governance Lead each time.

CCTV recordings will not be provided to third parties other than law enforcement bodies to assist them in the detection or prevention of a crime.

Requests for CCTV recordings should be made in writing using ‘Access to CCTV Recording Form’ and sent to Data Controller (Add Name) or Information Governance Lead (Add Name) who will :

  • verify the identity of the person / organisation and will take a copy of any identification documents, if required.
  • assess if request meetings the purpose for disclosure identified in section above
  • considers the rights of the individuals shown in the CCTV and balance the protection of these rights against the reasons for the request. Some images may require editing to protect the privacy of individuals.
  • where appropriate, provide access to the requested CCTV recordings / images securely
  • maintain a log of disclosure for access granted using ‘Access to CCTV Recording Form’

If unsure about providing the requested information to a third party, Data Controller and Information Governance Lead Nasser Syed will seek advice from the Information Commissioner’s Office (ICO).

Review

This policy will be reviewed annually or sooner if changes are made.

CCTV Compliance Checklist is completed annually to ensure correct guidance is followed, data security requirements and compliance are met.

CCTV Privacy Impact Assessment is carried out annually to ensure the CCTV is proportionate and the images are stored and accessed appropriately in line with Data Protection requirements.

Document reviewed on: April 2024

Document reviewed by: Nasser Syed

Associated Documents

Surveillance Camera Log

Access to CCTV Recording Form

CCTV Compliance Checklist

CCTV Privacy Impact Assessment

Further guidance and references