Closed Circuit Television (CCTV) Policy
Version: V5
Ratified by: Finance and Investment Committee
Date ratified: 03/01/2024
Job Title of author: Head of Health, Safety and Compliance
Reviewed by Committee or Expert Group Property, Health and Safety Steering Group
Equality Impact Assessed by: Head of Health, Safety and Compliance
Related procedural documents
IGPOL62 Information Governance Strategy and Policy
HSPOL06 Security Policy
Review date: 03/01/2026
(2 years from date of ratification or significant change)
It is the responsibility of users to ensure that you are using the most up to date document template – i.e. obtained via the intranet
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version Date Author Status Comment
V1 20th May 2016 Health & Safety, Security and Resilience Manager New Policy
V2 August 2018 Head of Safety & Resilience Revised at policy renewal date
V3 August 2022 Health, Safety, Fire and Security Manager Reviewed
V4 December 2022 Health, Safety, Fire and Security Manager Review of CCTV locations Ratified 25/01/2023
V5 November 2023 Head of Health Safety and Compliance Review of CCTV locations Ratified 03/01/2024
1. Introduction
This document sets out the appropriate actions and procedures, which must be followed to comply with the Data Protection Legislation in respect of the use of CCTV (closed circuit television) camera surveillance on premises.
An important feature of the legislation is the CCTV Code of Practice, which sets out the measures, which must be adopted, to comply with the Data Protection Legislation. The Code of Practice has a dual purpose of assisting operators of CCTV systems to understand their legal obligations while also reassuring the public about safeguards required to be in place.
2. Purpose
This policy sets out how Provide Community will operate and maintain CCTV across the organisation where it uses CCTV systems on Premises where Provide staff are located. It sets out the criteria and standards for the maintenance, of CCTV cameras and the rationale for the purpose of the positioning and installation of any new cameras.
Provide Community will respect people’s right to privacy and ensure the use of CCTV is regulated to ensure consistency and compliance with legislation such as;
• UK General Data Protection Regulation (GDPR)
• Data Protection Act 2018 (DPA);
• The Human Rights Act 1998 (HRA);
• The Freedom of Information Act 2000 (FOIA);
• The Regulation of Investigatory Powers Act 2000 (RIPA);
• The Protection of Freedoms Act 2012 (PFA);
• The Home Office Surveillance Camera Code of Practice
3. Definitions
The following abbreviations and definitions are used throughout this document:
CCTV – Close Circuit Televisions
DPIA – Data Protection Impact Assessment
DPO – Data Protection Officer
GDPR – General Data Protection Regulation
HSFS – Health, Safety, Fire and Security Manager
RIPA – Regulation of Investigatory Powers Act
SAR – Subject Access Request
The Purpose(s) for which both sensitive personal data is being processed. The data must be in line with the Data Protection Principles:
Lawfulness, fairness and transparency
You must process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation
You must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose.
Data minimisation
You must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
Accuracy
You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month.
Storage limitation
You must delete personal data when you no longer need it. The timescales in most cases aren't set. They will depend on your business’ circumstances and the reasons why you collect this data.
Integrity and confidentiality
You must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4. Duties
The Board and Group Chief Executive
Have corporate responsibility for the implementation of the policy and monitoring its effectiveness. They are ultimately responsible in how Provide Community utilises CCTV
The Information Governance team is responsible for ensuring that systems and procedures are in place on the site for which they have responsibility to ensure compliance with this policy and the IC’s Code of Practice and the General Data Protection Regulations.
The Head of Health, Safety and Compliance (HHSC)
Acts as the competent person advising on Security Management and supporting all levels of management, which includes adherence to the policy and code of practice. They are responsible for ensuring that the sites within their locality which have CCTV are aware of this policy and implement its requirements.
The Estates and Facilities Team
Should be requested to undertake any procurement raised for CCTV systems in liaison with the HSFS manager.
All requests for CCTV systems must be authorised by the HSFS in order to avoid in discriminatory/inappropriate use of CCTV systems.
5. Consultation and Communication
All staff should be aware that the Estates team should be requested to undertake any procurement raised for CCTV systems in liaison with the HHSC
6. Monitoring
The use of CCTV will be monitored by the HHSC Manager as part of their monthly review of security incidents and reporting of incidents and an annual security risk assessment process and feedback will be via the HHSC to the Property, Health and Safety Quality & Safety Committee.
7. New CCTV Installations
Any new CCTV system or major change to an existing system must have a Data Protection Impact Assessment (DPIA) carried out to establish the specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need. Factors that will influence the installation of surveillance cameras include:
• a remote or isolated location
• where services are situated in an area where crime is a particular issue
• where critical or high value assets are maintained for example plant rooms or medical gases storage facilities
• locations of lone workers or late workers
• entrances where admittance is restricted to authorised personnel only
In collaboration the Estates and Facilities team, the HHSC will develop a formal specification for the functionality of the system. Every effort should be taken to ensure that new systems utilise technology to enable restricted access and data security as well as remote viewing by authorised personnel.
8. Camera Locations and Dash Cams
It is essential that the location of the equipment is carefully considered to ensure compliance with the GDPR and Code of Practice.
Approved signage must be placed on all entrance points to premises to ensure staff, visitors and service users are aware they are entering an area that is covered by CCTV surveillance equipment. The signage must have details on the purpose, organisation and contact details of the organisation (HHSC).
The HHSC must give express permission for the use of cameras and this will only be granted for legitimatereasons. Incidents involving captured images shouldbe reported immediately to the HHSC and where there is a suspected serious breach relating to privacy and dignity.
This policy does not apply to the covert use of video surveillance. Any use of covert CCTV monitoring will be undertaken in accordance with the requirements set out in the Regulation of Investigatory Powers Act 2000 (RIPA). RIPA requires that due consideration is given to the proportionality and necessity of any covert activity and that regard is given to the rights of individuals under Article 8 of the Human Rights Act (the right to privacy).
Dashcams
Under the DPA 2018, the image of a person recorded by a Dashcam will constitute personal data, since it allows for the identification of an individual, in the same way as CCTV and other Provide Community’s surveillance systems. A DPIA has been carried out for Dashcams within the Provide Community’s vehicles to ensure the purpose for their usage is clearly defined.
Dashcam recordings should be saved as securely as any other instance of personal data, and should not be used for social media purposes. Sharing of Dashcam footage without proper authorisation constitutes a reportable data protection security breach, and should be treated as such.
See Appendix 1 for CCTV locations
Appendix 2 for Dash Cams
9. Data Protection and Confidentiality Issues
Any issues or concerns in relation to information or access held that discloses service users’ identities should be referred to the Information Governance Manager. Advice and liaison with the organisation’s Data Protection Officer (DPO) will be sought where there are concerns regarding compliance with the Data Protection Legislation.
10.Privacy
The organisation respects the individual’s rights to privacy and their entitlement to go about their lawful business.
Individuals in the ordinary course of lawful business will not be actively monitored in areas under surveillance
11.Provision of Evidence
Arrangements shall be made to provide recorded material to Police and other prosecution bodies as required for due process of the law and in accordance with the Data Protection Legislation. Any release should be done with the knowledge of the HHSC.
Release of material shall be authorised by the DPO. Material should only be released to the Police in connection with detection of a crime or to assist in locating a missing service user.
The decision to release material should be recorded with a clear rationale
12.Quality of Images
It is important that the images produced by the equipment are as clear as possible in order that they are effective for the purpose(s) for which they are intended. This is why it is essential that the purpose of the scheme is clearly identified. For example, if a system has been installed to prevent and detect crime, then it is essential that the images are adequate for that purpose.
Upon installation all equipment must be tested to ensure that only the designated agreed areas are monitored and high-quality pictures are made available in live and play back mode.
The HHSC must be informed if environments require additional cameras or CCTV equipment based upon the security risk assessment or where quality of the recording comes into question. This must also be included in the site security risk assessment.
All CCTV equipment must be serviced and maintained on a minimum 12 monthly basis.
13.Processing of Images
Images, which are not required for the purpose(s) for which the equipment is being used, should not be retained for longer than is necessary. While they are being retained it is essential that their integrity be maintained, whether it is to ensure evidential value or to protect the rights of the people whose images may have been recorded. It is therefore important that access to and security of the images is controlled in accordance with the requirements of the DPA.
All installed systems must securely store footage for a minimum period of 28 days. Only footage known to be required for evidence should be kept for longer.
Where footage/images are required for evidential purposes in legal or the organisation’s disciplinary proceedings, the footage/images are to be removed from circulation, placed in a secured location or separate hard drive with the below being documented.
• The date the images were removed for this purpose
• The name of the person who removed the images
• The name(s) of those viewing the images (if this includes a third party, the organisation name should be recorded
• Why the images were removed
• The crime reference number, if known
• The outcome, if any, of the viewing
Footage/Images must be stored in accordance with the requirements set out in the organisation’s Information Security Policy (IGPOL53)
14.Access and Disclosure of images to third parties
It is important to remember that access to, and disclosure of images recorded by CCTV and similar surveillance equipment is restricted and must be carefully controlled. This will ensure the rights of individuals are preserved, but also ensure that the chain of
evidence remains intact, should the images be required for police or organisation’s purposes.
CCTV recordings are only inspected or processed beyond collection where this is deemed necessary as part of an investigation into a suspected incident and will be monitored via SARs and Flowz.
Access and disclosure to investigators of images is permitted only if it supports the purpose of the scheme.
Under article 15 of the GDPR, individuals have a right to request access to CCTV images that identify them.
Upon receipt of a request via SAR the HHSC and Information Governance and IT Projects Manager will assess whether the disclosure is appropriate and whether there is a duty of care to protect images of any third parties. If the duty of care cannot be discharged then the request can be refused.
An appropriate formal response will be made within 21 days to the individual, giving the decisions for disclosure or reasons why it has been refused.
15.Operational Procedure for the Control and Use of CCTV
All installation and use of CCTV must be conducted in accordance with:
• The Data Protection Commissioners Code of Practice (CCTV)
• The following operational procedures
Standards
Camera
• Cameras must always be operated so that they will only capture the images relevant to the purpose for which the particular scheme has been established and approved
• Cameras and recording equipment should be properly maintained in accordance with manufacturer's guidance to ensure that clear images are recorded
• Cameras should be protected from vandalism in order to ensure that they remain in good working order
• If a camera/equipment is damaged or faulty it must be reported to the HHSC as soon as practicable and the installation company will respond
• Cameras should not be allowed/altered to view any areas outside of the boundaries of the Provide properties without prior permission and involvement of the HHSC and Information Governance Manager
Operators
• All operators of CCTV equipment should be trained in their responsibilities in accordance with organisational policy and this procedure
• All staff involved in the handling of the CCTV equipment will be made aware of the sensitivity of handling CCTV images and recordings
Training
• Guidance in the requirements of the law on Data Protection will be given to staff who are required to manage and work the CCTV systems
• Staff will be fully briefed and trained in respect of all functions, both operational and administrative relating to CCTV control operation, when appropriate
• Training by camera installers will can also be provided as appropriate
Maintenance
• A competent engineer will maintain all CCTV systems on an annual basis; this will assist with ensuring the quality of images. This is managed through the Estates team annually
• A comprehensive maintenance log will be kept which records all adjustments/alterations/servicing/non-availability of all individual schemes
• If the system records location/time/date these will be periodically checked (at least weekly) for accuracy and adjusted accordingly. In the case of alterations due to ‘British Summer Time’ the system should as a matter of course be checked for accuracy
PROCESSING
CCTV
• All digital CCTV systems installed (other than those installed purely for monitoring) must have the storage capacity to hold a minimum of 14-day footage, although CCTV owned by Provide will hold data for 30 days, and this should be the set standard of recorded days throughout the organisation. In certain circumstances, such as investigation of an incident, it will be necessary to retain data for a longer period. These images must be stored securely
• Where there is access to CCTV footage via the computer network, controls should be put into place so only authorised users are able to use it
Access
• Access to the recorded images should be restricted to the HHSC and nominated Estates Operational Manager. All accessing or viewing of recorded images should only occur within a restricted area and other employees should not be allowed to have access to that area or the images when a viewing is taking place
• Relevant staff should be made aware of the procedures for granting subject access requests to recorded images or the viewing capabilities of CCTV schemes
At the discretion of the HHSC, individuals may be allowed to view images:
1. If they are investigating an untoward incident or allegations relating to potential disciplinary procedures
2. In the case of a missing service user
3. To identify persons relating to an incident
Requests may be granted and will arise in a number of ways, including:
• Requests for a review of recording, in order to trace incidents that have been reported to the Police or other official investigating body
• Immediate action relating to live incidents e.g. immediate pursuit
• Individual police officer seeking to review digital images for the prevention of detection of crime or to assist with missing persons
• Access for a Provide employee who has been formally assigned to an internal investigation
• A subject access request submitted by a patient or staff member or any data subject captured by Provide’s CCTV cameras*
*Requests should be handled in line with IGPOL85 – Subject Access Requests from Staff for access to their Personal Data IGPOL29 – Access to Health Records
If images are to be specifically retained for evidential purposes i.e. following an incident, break-in etc. then these images must be retained in a secure place to which access is controlled
If recordings are to be handed over to the Police or other investigating bodies in the process of their enquiries, the name and station of that officer together with a crime incident or reference number and signature must be acquired and retained prior to release.
If copies are required of the footage, two copies must be made. One copy to be retained by the organisation. The event will be noted in the log and the details and signature of the recipient obtained. In the event of the recording being required for evidence, it will be retained for a period recommended by those involved with the case.
Areas, which would normally result in permission being refused, include:
1. Where the person wishing to view has no connection with the incident or has no management role relating to an incident
2. Where viewing is purely salacious
3. Where the performance of a member of staff not relating to crime, fraud or the investigation of untoward incidents is involved
16.Documentation
The HHSC must keep copies of all documentation and records relating to the CCTV scheme and requests for images/data for a period of 6 years. This documentation must be kept secure.
CCTV Documentation examples to be held.
• A formal documented assessment of the reasons for using CCTV and its appropriateness
• Copy of the formal notification to the Information Commissioner under Data Protection legislation
• A copy of the organisation’s CCTV policy
• A copy of the Information Commissioner CCTV code of practice
17.Breaches of Policy
Staff who breach policy protocols shall be dealt with in accordance with the disciplinary procedures of Provide.
A major purpose of these schemes is in assisting to safeguard the health and safety of staff, service users and visitors. It should be noted that intentional or reckless interference with any part of any monitoring equipment, including cameras/monitor/back-up media, could amount to a criminal offence.
Responsibility for the security of the CCTV system on site shall rest with the HHSC. This person shall therefore initiate investigation into any breaches or allegations of breaches into security of the system.
Findings of investigations should be reported to the appropriate Director(s).
18.Enforcement
The Data Protection Commissioner has the power to issue undertakings, enforcement notices or monetary penalties where they consider that there has been a breach of one or more of the Data Protection Principles. An Enforcement Notice would set out the remedial action that the Commissioner required of the organisation to ensure future compliance of the Act.
19.Comments, Complaints and Incidents
Comments regarding CCTV coverage may be addressed to the HHSC.
Formal external complaints regarding the operation of CCTV coverage should be addressed to the Customer Service Team. Staff should address their complaints through line management or the Grievance Procedure.
Any incidents arising from the misuse or malfunction of CCTV managed by Provide will be handled in line with the organisation’s Incident Reporting and Management Policy (QSPOL01)
Appendix: 1 – CCTV Locations where Provide Community are the Data Controllers
Site
Crouch Vale Medical Centre Burnham Road
Address
South Woodham Ferrers
Essex CM3 5QP
HQ – The Crescent 900 The Crescent
Colchester Business Park
Colchester
Essex CO4 9YQ
Kestrel House
Manor Street Surgery
Moulsham Lodge Clinic
Stapleford House
The Stow
Cypress Gardens
Coggeshall Road – Data
Controller Only
React sites
React Buxton SK17 7DN
Hedgerows Business Park
Colchester Road
Chelmsford
Essex CM2 5PF
Manor Street
Braintree
Essex CM7 3HW
Lilac Close
Chelmsford
Essex CM2 9NY
Stapleford Close
New Writtle Street
Chelmsford
Essex CM2 0SD
1 The Stow
Harlow
Essex CM20 3AH
Bocking Road
Braintree
Essex CM7 9GE
Coggeshall Road
Braintree CM7 9EH
29 Fairfield Road Buxton SK17 7DN