Do you manage a site which operates a CCTV system? If the answer is yes, please read on!
As you will know, the General Data Protection Regulation (GDPR), about which we recently wrote to all employees, places a variety of obligations on the organisation with regard to how we handle personal data. Some of these obligations relate to the use we make of CCTV and the personal data CCTV records. The advice below seeks to complement existing communications on our approach to the GDPR and offers specific advice to site managers on the use of CCTV.
Clear Signage – GDPR obliges us to advise people that we have CCTV in use. The template in the download section on the UK News website should be completed as appropriate (see list of specific purposes below) and clearly signposted on the perimeter of the premises and at suitably located points within the site, advising the public, employees and visitors alike of the use and purpose of CCTV systems. The sign must include the purpose for which the CCTV is in use and the contact details through which an individual can exercise their right to a copy of the data. (Examples of both public-facing and internal signs are at the bottom of this document or in the download section of the UK News website.)
Specific Purpose – The rationale for using our systems, which must be communicated to those affected (see Signage examples), stems from one or more of the following purposes:
- To protect buildings and assets from damage, disruption, vandalism and other crime
- Health and safety of staff, visitors and other members of the public
- To support law enforcement bodies in the prevention, detection and prosecution of crime
- Safe monitoring of productivity
- To assist in the resolution of disputes
- Protection of lone workers
Data Retention – Data will be retained only in accordance with the purpose for which it is recorded. Unused data will be deleted/overwritten after 30 days of retention. Where data is retained for evidential purposes, it shall be retained only for the duration required and for that purpose or otherwise as required by law enforcement agencies. Data will only be copied for legitimate purposes and in prior consultation with the CEMEX Data Protection Officer, who can be contacted on dataprotectionUK@cemex.com
Data Access – Only those with a legitimate purpose shall have access to the CCTV system and its recorded data. Those with access should be kept to a minimum and restricted to the site or departmental manager, security and legal representatives.
Privacy Impact Assessment – CCTV should be positioned only according to its specific and legitimate purpose. Where cameras are focused wholly or partly on public land outside the CEMEX estate, such use must be justified and subject to a Privacy Impact Assessment (see template in the download section of the UK News website).
New Systems and Cameras – As new CCTV systems or additional/replacement cameras are installed, as a matter of good practice, CEMEX UK will adopt the UK Surveillance Camera Commissioner's ‘Passport to Compliance’ scheme. Completion of the attached PIA templates will ensure that the installation of CCTV systems, or alterations/additions to existing systems, are justified and that use is compliant with the GDPR.
For further advice please contact Colin Jones, UK Security Manager on: colinpeter.jones@cemex.com