Check Our Policies
CCTV MONITORING POLICY
Policy Statement
1.1 The Company uses Closed Circuit Television (“CCTV”) on the premises. The purpose of this policy is to set out the position of the Company as to the management, operation and use of the CCTV across all company offices and buildings.
1.2 This policy applies to all employees, visitors to the Company and its surrounding area and all other persons whose images may be captured by the CCTV system.
1.3 This policy takes account of all applicable legislation and guidance, including:
1.3.1 General Data Protection Regulation (“GDPR”)
1.3.2 Data Protection Act 2018 (together the Data Protection Legislation)
1.3.3 CCTV Code of Practice produced by the Information Commissioner
1.3.4 Human Rights Act 1998
1.4 This policy sets out the position of the Company in relation to its use of CCTV.
Purpose of CCTV
2.1 The Company Directors will use CCTV for the following purposes:
2.1.1 To provide a safe and secure environment for staff and visitors
2.1.2 To prevent the loss of or damage to the Company's buildings and/or assets
2.1.3 To assist in the prevention of crime and assist law enforcement agencies in apprehending offenders
Description of system
3.1 Some of the areas will have a number of cameras in and outside of the building. Some cameras have sound recording capabilities and there is a range of movable and fixed cameras. The cameras are linked back to a main system located in the IT room.
Siting of Cameras
4.1 All CCTV cameras will be sited in such a way as to meet the purpose for which the CCTV is operated. Cameras will be sited in prominent positions where they are clearly visible to staff and visitors.
4.2 Cameras will not be sited, so far as possible, in such a way as to record areas that are not intended to be the subject of surveillance. The Company will make all reasonable efforts to ensure that areas outside of the premises and grounds are not recorded.
4.3 Signs will be erected to inform individuals that they are in an area within which CCTV is in operation.
4.4 Cameras will not be sited in any areas where members of staff have an expectation of privacy, such as changing rooms or toilets.
4.5 Cameras may be located in communal areas and, where this is the case, visitors and members of staff will be made aware. Access to the footage is restricted and will only be used to fulfil the purposes in 2.1.
Privacy Impact Assessment
5.1 Prior to the installation or repositioning of any CCTV camera, or system, a data protection impact assessment will be conducted by the Company to ensure that the proposed installation is compliant with legislation and ICO guidance. The assessment will be approved by the Company's designated Data Protection Officer.
5.2 The Company will adopt a privacy by design approach when installing new cameras and systems, considering the purpose of each camera so as to avoid recording and storing excessive amounts of personal data.
Management and Access
6.1 The CCTV system within the Company will be managed by a member of the Senior Leadership Team.
6.2 Any allegations against company staff will be referred immediately to the Managing Director/Chairman and only he/she will determine who needs to view the footage and the course of action necessary.
6.3 On a day-to-day basis the CCTV system will be operated by individuals who have been specifically trained in the operation of the system and are both competent and considered to have the appropriate technical ability.
6.4 The viewing of live CCTV images will be restricted to the leadership team, site management team, IT management team and others delegated by the Senior Leadership Team. In doing so they will ensure that the purposes in 2.1 are satisfied.
6.5 Access to recorded images which are stored by the CCTV system will be restricted.
6.4. Relevant images may be shared with the leadership teams allowing them to review incidents where disciplinary matters or complaints need to be addressed.
6.6 No other individual will have the right to view or access any CCTV images unless in accordance with the terms of this policy as to disclosure of images.
6.7 The CCTV system is checked daily to ensure that it is operating effectively.
Storage and Retention of Images
7.1 Any images recorded by the CCTV system will be retained only for as long as necessary for the purpose for which they were originally recorded.
7.2 Recorded images are stored for a maximum of 30 days unless there is a specific purpose for which they are retained for a longer period.
7.3 The Company will ensure that appropriate security measures are in place to prevent the unlawful or inadvertent disclosure of any recorded images. The measures in place include:
7.3.1 CCTV recording systems being located in restricted access areas.
7.3.2 The CCTV system being encrypted/password protected.
7.3.3 Restriction of the ability to make copies to specified members of staff.
7.4 A log of any access to the CCTV images, including time and dates of access, and a record of the individual accessing the images, will be maintained by the Company.
Disclosure of Images to Data Subjects
8.1 Any individual recorded in any CCTV image is a data subject for the purposes of the Data Protection Legislation and has a right to request access to those images.
8.2 Any individual who requests access to images of themselves will be considered to have made a subject access request pursuant to the Data Protection Legislation. Such a request should be considered in the context of the Trust’s Subject Access Request Policy.
8.3 When such a request is made the appropriate individual with access to the CCTV footage (ref 6.4) will review the CCTV footage, in respect of relevant time periods where appropriate, in accordance with the request.
8.4 If the footage contains only the individual making the request then the individual may be permitted to view the footage. This must be strictly limited to that footage which contains only images of the individual making the request. The individual accessing the footage must take appropriate measures to ensure that the footage is restricted in this way.
8.5 If the footage contains images of other individuals, then the academy/Trust must consider whether:
8.5.1 The request requires the disclosure of the images of individuals other than the requester, for example whether the images can be distorted so as not to identify other individuals.
8.5.2 The other individuals in the footage have consented to the disclosure of the images, or their consent could be obtained; or
8.5.3 If not, then whether it is otherwise reasonable in the circumstances to disclose those images to the individual making the request.
8.6 A record must be kept, and held securely, of all disclosures which sets out:
8.6.1 When the request was made.
8.6.2 The process followed by the individual with access to the CCTV footage in determining whether the images contained third parties.
8.6.3 The considerations as to whether to allow access to those images.
8.6.4 When the individuals that were permitted viewed the images.
8.6.5 Whether a copy of the images was provided, and if so to whom, when and in what format.
Note that when a subject access request is made, unless an exemption applies (such as in relation to third party data that it would be unreasonable to disclose), the requester is entitled to a copy in a permanent form. There is reference here only to “access” as opposed to a “permanent copy” as the Company may consider it preferable in certain circumstances to seek to allow access to images by viewing in the first instance without providing copies of images. If an individual agrees to viewing the images only, then a permanent copy does not need to be provided. However, if a permanent copy is requested then this should be provided unless to do so is not possible or would involve disproportionate effort.
Disclosure of Images to Third Parties
9.1 The Company will only disclose recorded CCTV images to third parties where it is permitted to do so in accordance with the Data Protection Legislation.
9.2 CCTV images will only be disclosed to law enforcement agencies in line with the purposes for which the CCTV system is in place.
9.3 If a request is received from a law enforcement agency for disclosure of CCTV images, then the individual with access to the CCTV footage must follow the same process as above in relation to subject access requests. Detail should be obtained from the law enforcement agency as to exactly what they want the CCTV images for, and any individuals of concern. This will then enable proper consideration to be given to what should be disclosed, and the potential disclosure of any third-party images.
9.4 The information above must be recorded in relation to any disclosure.
9.5 If an order is granted by a Court for disclosure of CCTV images, then this should be complied with. However very careful consideration must be given to exactly what the Court order requires. If there are any concerns as to disclosure, then the Data Protection Officer should be contacted in the first instance and appropriate legal advice may be required.
Review of Policy and CCTV System
10.1 This policy will be reviewed every two years or earlier should the need arise.
Misuse of CCTV systems
11.1 Misuse of the CCTV system could constitute a criminal offence.
11.2 Any member of staff who breaches this policy may be subject to disciplinary action.
Complaints relating to this policy
12.1 Any complaints relating to this policy or to the CCTV system operated by the academy/Trust should be made in accordance with the academy/Trust Complaints Policy.
CCTV PRIVACY IMPACT ASSESSMENT TEMPLATE
1. Who will be captured on CCTV?
2. What personal data will be processed?
3. What are the purposes for operating the CCTV system? Set out the problem that the Company is seeking to address and why the CCTV is the best solution, and the matter cannot be addressed by way of less intrusive means.
4. What is the lawful basis for operating the CCTV system?
5. Who is/are the named person(s) responsible for the operation of the system?
6. Describe the CCTV system, including:
a. how this has been chosen to ensure that clear images are produced so that the images can be used for the purpose for which they are obtained.
b. siting of the cameras and why such locations were chosen.
c. how cameras have been sited to avoid capturing images which are not necessary for the purposes of the CCTV system.
d. where signs notifying individuals that CCTV is in operation are located and why those locations were chosen; and
e. whether the system enables third party data to be redacted, for example via blurring of details of third-party individuals.
7. Set out the details of any sharing with third parties, including processors
8. Set out the retention period of any recordings, including why those periods have been chosen
9. Set out the security measures in place to ensure that recordings are captured and stored securely
10. What are the risks to the rights and freedoms of individuals who may be captured on the CCTV recordings?
11. What measures are in place to address the risks identified?
12. Have staff and visitors where appropriate been consulted as to the use of the CCTV system? If so, what views were expressed and how have these been accounted for?
For example:
• Is it fair to record them in the way proposed?
• How is the amount of data processed to be minimised?
• What are the risks of the system being accessed unlawfully?
• What are the potential data breach risks?
• What are the risks during any transfer of recordings, or when disclosed to third parties such as the police?
13. When will this privacy impact assessment be reviewed?
Approval:
This assessment was approved by the Data Protection Officer:
DPO ………………………………
Date ……………………………….
Revision
Revision History: 1
Version: 1.0
Date created: September 2022
Author: Mark Isaacs, Director of Stadium Operations
Ratified by:
