We will only use and store information for so long as it is required for the purposes it was collected for. How long information will be stored depends on the information in question and what it is being used for.

We continually review what information we hold and delete what is no longer required.  We will not retain your data for any longer than necessary and the longest time that we will hold your data will be one year if used in any investigations.

Your records via CCTV will be stored in the following manner:

• For positive Unscheduled events a report will be generated and held for 12 months.

• For positive trespass with intent the video footage and a report will be held for 12 months.

• For all other data obtained our GDPR policy states we only store 14 days of CCTV footage on a re-write principal.

Some data will be held electronically (“in the cloud”) via our office computer. These are password-protected, backed up regularly and kept secure through encryption (ISO 27001).

All CCTV will have Installation Documents and a DPIA completed:

Purpose of a CTR Secure Services DPIA

Principle 2 of the surveillance camera code of practice[1] states that the use of a surveillance camera system must take into account the effect on individuals and their privacy, with regular reviews to ensure its use remains justified. The best way to ensure this is by carrying out a data protection impact assessment (DPIA) before any surveillance camera system is installed, whenever a new technology or functionality is being added on to an existing system, or whenever there are plans to process more sensitive data or capture images from a different location. This will assist in assessing and mitigating any privacy issues linked to the use of a surveillance system.

A DPIA is one of the ways that a data controller can check and demonstrate that their processing of personal data is compliant with the General Data Protection Regulation (GDPR)[2] and the Data Protection Act (DPA) 2018. There are statutory requirements to carry out a DPIA in Section 64 DPA 2018 and article 35 of the GDPR.

CTR Secure Services addresses statutory requirements under the Human Rights Act 1998 (HRA). Section 6(1) HRA provides that it is unlawful for a public authority to act in a way which is contrary to the rights guaranteed by the European Convention on Human Rights (ECHR). Therefore, in addition to the above, as a public body or any other body that performs public functions you must make sure that your system complies with HRA requirements. Whilst the particular human rights concerns associated with surveillance tend to be those arising from Article 8 which sets out a right to respect for privacy, surveillance does also have the potential to interfere with rights granted under other Articles of the ECHR such as conscience and religion (Article 9), expression (Article 10) or association (Article 11).

If a high risk (which CTR Secure Services doesn’t process) to privacy is identified that cannot be mitigate adequately, data protection law requires that we must consult the ICO before starting to process personal data. Use of any surveillance camera system with biometric capabilities, such as Automated Facial Recognition technology (which is not being used), is always likely to result in a high risk to the rights and freedoms of individuals and therefore a DPIA must always be carried out in respect of those systems before you process any personal data. There is a risk matrix at Appendix Two that can help you to identify these risks.

When should CTR Secure Services carry out the DPIA process for a surveillance camera system?

• Before any system is installed.
• Whenever a new technology or functionality is being added on to an existing system.
• Whenever there are plans to process more sensitive data or capture images from a different location.

In deciding whether to carry out a DPIA and its scope, consideration must be given to the nature and scope of the surveillance camera activities and their potential to interfere with the privacy rights of individuals.

You must carry out a DPIA for any processing of surveillance camera data that is likely to result in a high risk to individual privacy. The GDPR states that a DPIA “shall in particular be required in the case of ……. systematic monitoring of publicly accessible places on a large scale” (Article 35).

Furthermore, as a controller in relation to the processing of personal data, you must seek the advice of a designated Data Protection Officer when carrying out a DPIA.

To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. It is important to embed DPIAs into your organisational processes such as project planning and other management and review activities and ensure the outcome can influence your plans. A DPIA is not a one-off exercise and you should see it as an ongoing process, and regularly review it.

As part of an ongoing process, your DPIA should be updated whenever you review your surveillance camera systems, it is good practice to do so at least annually, and whenever you are considering introducing new technology or functionality connected to them.

The situations when a DPIA should be carried out, include the following:

• When you are introducing a new surveillance camera system.
• If you are considering introducing new or additional technology that may affect privacy (e.g. automatic facial recognition, automatic number plate recognition (ANPR), audio recording, body worn cameras, unmanned aerial vehicles (drones), megapixel or multi sensor very high-resolution cameras).
• When you are changing the location or field of view of a camera or other such change that may raise privacy concerns.
• When you are reviewing your system to ensure that it is still justified. Both the Surveillance Camera Code of Practice and the ICO recommend that you review your system annually.
• If your system involves any form of cross referencing to other collections of personal information.
• If your system involves more than one company or agency undertaking activities either on your behalf or in their own right.
• When you change the way in which the recorded images and information is handled, used or disclosed.
• When you increase the area captured by your surveillance camera system.
• When you change or add an end user or recipient for the recorded information or information derived from it.

If you decide that a DPIA is not necessary for your surveillance camera system, then you must record your decision together with the supporting rationale for your decision.

Who is it for?

Our clients within England and Wales that must have regard to the Surveillance Camera Code of Practice under Section 33(5) of the Protection of Freedoms Act 2012. This document helps our clients to understand how CTR Secure Services address the data protection and human rights obligations in the specific context of operating surveillance cameras, on behalf of clients.

[1] Surveillance Camera Code of Practice issued by the Home Secretary in June 2013 under Section 30(1)(a) Protection of Freedoms Act 2012

[2] Regulation (EU) 2016/679 of the European Parliament and European Council, also known as the General Data Protection Regulation, was transposed into UK law through the Data Protection Act 2018. Any processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences is regulated under Part 3 of the Data Protection Act 2018 which transposes Directive (EU) 2016/680, also known as the Law Enforcement Directive, into UK law.

Where can I get further information?

If you have any questions about our use of cookies or other technologies, please email us at admin@ctrservices.co.uk
Updated January 18, 2018