CSF-DOC-DECM-4 CCTV Policy

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document sets out the organization’s responsibilities and policy for the use of ClosedCircuit Television (CCTV).

Areas of the framework addressed

The following areas of the Cybersecurity Framework are addressed by this document:

• Detect (DE

o Continuous Monitoring (DE.CM)

▪ DE.CM-02

General guidance

You need to make sure your use of CCTV is appropriate and not overly intrusive. Under privacy law in many countries, data subjects may request images from your recordings, so it is wise to be prepared for this. You also need to be careful about who has access to the recordings and how long they are kept for, amongst other areas.

Review frequency

We would recommend that this document is reviewed annually and upon significant change to the organisation and relevant legislation.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

CCTV Policy

Revision history

1 Introduction

Closed-Circuit Television (CCTV) technology has developed over recent years to be more reliable, cost-effective and generally available than ever before. When used appropriately, CCTV can help to reduce the risk of unauthorized access to premises, reassure customers and provide an accurate record of what happened when an incident occurs.

In order to protect its business, employees, customers and other interested parties, [Organization Name] makes use of CCTV in appropriate circumstances to address specific areas of risk.

In collecting and using this video (and possibly audio) data, the organisation is subject to a variety of privacy legislation, which controls how such activities may be carried out and the safeguards that must be put in place to protect the recorded information.

The purpose of this policy is to set out the rules that must be followed when installing and dealing with CCTV so that the organization’s responsibilities are always met, and the usefulness of the recorded data is maximized

Note that this policy does not address the use of specialist technology such as Automatic Number Plate Recognition (ANPR), facial recognition, Body Worn Video (BWV) or remotely operated vehicles (drones, also known as Unmanned Aerial Systems - UAS).

This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

• Privacy and Personal Data Protection Policy

• Records Retention and Protection Policy

2 CCTV policy

In some limited uses of CCTV (often based on the location and range of vision), privacy legislation may not apply, and it must be confirmed whether this is the case for each use. This policy applies in those cases where relevant privacy law is applicable.

2.1 Assessing the need for CCTV

An initial assessment must be carried out to determine whether the use of CCTV is appropriate in any given circumstance. This will include consideration of the degree of risk being addressed and whether alternative controls, such as improved lighting, might have enough benefit to mean that CCTV is not required.

To be appropriate in any situation, CCTV must have a specified and legitimate purpose which addresses a pressing need or risk area, such as the prevention or reduction of crime in an area that might reasonably be expected to be subject to unlawful activity.

In line with the privacy principle of data minimization, video recording must only be active on days and between times when it is necessary and audio recording will only be used where it is sufficiently justified, giving due regard to privacy concerns.

For privacy legislative purposes, [Organization Name] will act as the data controller for the use of CCTV and, where required, will register with the appropriate supervisory authority.

Where a third party is used as part of the processing of CCTV images (for example, for storage or maintenance) they will be considered to be a processor in the context of relevant privacy legislation and an appropriately compliant contract must be in place.

For each implementation of CCTV, a data protection impact assessment (DPIA) must be carried out to consider the risks to the rights and freedoms of the data subject and ensure that appropriate safeguards of the data are identified. The DPIA must be reviewed on a regular basis and upon significant changes that may affect its conclusions.

The lawful basis of the processing of CCTV data must be clearly established; in most cases it is anticipated that this will be based on the legitimate interest of [Organization Name], but this must be confirmed and documented in every situation.

2.2 Installation of CCTV

Cameras must be sited appropriately for the area to be monitored, avoiding the recording of individuals outside the area for which a legitimate interest is claimed.

Images must be of sufficient quality for the purpose intended.

Appropriate privacy notices must be displayed in the areas that are subject to CCTV monitoring or recording and must indicate the name of the operator (the controller in legislative terms), their contact details and where further information about the use of personal data may be obtained (for example a website).

2.3 Management of CCTV monitoring

Roles and responsibilities for the operation and management of CCTV facilities must be defined and appropriate training provided to allow them to be carried out effectively and lawfully.

Documented procedures must be created for each aspect of the operation of CCTV and appropriate training provided to all members of staff who will be carrying them out. This training will include information about responsibilities under data protection law.

CCTV images will only be retained for as long as it is reasonably expected they may be of use. This may vary in different circumstances and so retention periods will be defined according to the situation or context in which a particular CCTV camera is operated. Once the retention period has expired, images must be securely deleted, if appropriate via an automatic process.

Access to CCTV cameras, live displays and recordings must be restricted to authorized personnel only. Displays must be sited to prevent unauthorized viewing, including by members of the public. Where recordings are to be reviewed, appropriate controls must be used to ensure that this is done in a secure manner.

CCTV cameras and recording equipment must be tested on a planned basis to ensure that they are functioning correctly and that recorded images are of sufficient quality.

Recorded images must be protected in a way that takes account of the level of risk and sensitivity of the information contained – where appropriate, encryption techniques may be used to ensure confidentiality in situations such as the theft of the recording equipment. If cloud storage is used, due diligence must be carried out to ensure that the level of protection of the data is adequate.

If recorded CCTV footage is required to be used as part of a legal case, appropriate precautions must be taken to ensure that the images remain admissible in the relevant court.

2.4 Data subject access requests

Under relevant privacy legislation, a data subject may submit an access request to obtain CCTV images on which they appear. Such requests will be subject to the organization’s procedures for this type of request, which will include all necessary checks to verify the lawful right to access and the identity of the requester. Where approved, recorded images may be viewed live (subject to access controls) or a permanent record of the images may be provided.

Requests to disclose CCTV images must be approved by management in all cases.

Unauthorized disclosure of CCTV images (including publishing on the Internet and to the media) may result in disciplinary action being taken.

Where appropriate, actions must be taken to obscure the identity of people and information that is not relevant to the request.