POLICY
Prepared: Marius
Socol
Verified: Approved
Approved by President: Yes
Approval Date: October 2024
Date of next verification: October 2025
1. INTRODUCTION
The British School of Bucharest (BSB), operated by the Crawford House Foundation (‘CHF’) and registered as a Data Controller with The National Authority for the Supervision of Personal Data Processing (ANSPDCP), hereby provides the following information for the legal awareness of concerned individuals about the use of the video system within the school campus.
2. RELEVANT LEGISLATION
The following laws and regulations govern the implementation of video surveillance measures at the BSB:
• Law no. 333 of 8th July 2003: Concerning the security services for strategic facilities, assets, valuables, and individual protection. This law has been amended and supplemented over time.
• Decision no. 301 of 11th April 2012: This decision approves the Methodological Norms of Law no. 333/2003 which is related to security services for strategic facilities, assets, valuables, and the protection of individuals.
• Instructions from the European Authority for the Protection of Personal Data regarding Video Surveillance: Published on 17th March 2010 in Brussels, these instructions offer guidance on the use of video surveillance within the scope of data protection.
• LAW no. 129 of June 15, 2018
• for amending and supplementing Law no. 102/2005 on the establishment, organization and functioning of the National Supervisory Authority for Personal Data Processing, as well as for repealing Law no. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data.
• The Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
• DECISION No 99 of May 18, 2018 on the termination of the applicability of certain acts administrative regulations issued in application of Law No 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
• Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector
• Law no. 190/2018 which regards the implementation of the GDPR in Romania
3. AIM AND SCOPE OF THE VIDEO SURVEILLANCE SYSTEM
3.1 Overview.
This Video Surveillance Policy, which can be found at www.britishschool.ro, informs individuals about the video surveillance system managed by CHF on the BSB premises (42 Iancu Nicolae, Voluntari, Ilfov – hereinafter referred to as ‘Campus;). This policy outlines the safeguards in place for personal data processed through video cameras, as well as the rights afforded to individuals in relation to their personal data.
3.2 Purpose of Surveillance
Monitoring access to the BSB campus through video surveillance is carried out to maintain adequate security control, particularly ensuring the safety of students, staff, and campus facilities.
3.3
Implementation and Compliance
The system’s implementation was guided by a risk assessment performed by CHF related to physical security and the CHF’s obligations under GDPR,specifically addressing data collection, management, deletion, and informing concerned individuals about their rights. All CHF staff is trained on at least basic security requirements and is contractually obliged to maintain the adequate level of security and confidentiality of data based on their job descriptions and Non-Disclosure Agreements.
3.4 Periodic
Review
Members of staff responsible for security must review the risk assessment regularly by:
o Re-evaluating whether the system is appropriate.
o Ensuring the system’s alignment with its intended purpose.
o Assessing potential risk-reducing alternatives.
o Confirming this policy’s adherence to GDPR.
3.5 System Utilisation
CHF employs the system for security and access control to guarantee a safe environment for students, staff, visitors, by monitoring their access to personal data and ensuring all the conditions are met for a secure academic management. The video surveillance acts in conjunction with other security measures, such as physical guardianship, and falls under the CHF’s Risk Management Policy. The system prevents unauthorised access, thefts, and threats to the people and property based on Campus. It may also be used as evidence for internal investigations or disciplinary actions, particularly in the event of any security breaches. However, its use does not extend to the surveillance of staff’s performance, nor shall it ever be used as a tool for time recording in the sense of fulfilling of one’s job duties. The access to this data is restricted on the need-to-know basis.
3.6 Surveillance Areas
The following areas on Campus are CCTV monitored:
o Pedestrian access zones.
o Vehicle access zones.
o Lounge, Takanaka or free access zones for visitors.
o Facilities that include CHF’s valuable property (e.g., library, IT room).
o The perimeter of the building to ensure the protection of external boundaries.
3.7 Policy Implementation
The policy is enforced by:
o IT staff.
o The company’s board.
o Designated staff for maintaining surveillance systems.
o Data Protection Officer
The positioning of the cameras have been carefully selected to reduce surveillance of areas deemed low-risk or irrelevant. The recording equipment is securely placed within a safeguarded and continuously monitored area. Areas where privacy is paramount, including but not limited to workspaces, lavatories, and changing rooms, are intentionally exempt from surveillance.
3.8 Data Categories
The video surveillance captures distinct images from the designated areas to ensure precise recognition of individuals. Recorded data is held temporarily (please see the exact retention periods in the Fair Processing Notice that can be found at www.britishschool.ro) and used solely for the stated purpose.
4. SYSTEM DESCRIPTION AND TECHNICAL SPECIFICATIONS
The implementation of the video surveillance system offers several advantages:
o Enhanced Security: The system bolsters security within the school campus perimeter.
o Improved School Safety: The system provides an additional layer of protection around the school’s premises.
o Behavioral Prevention: It acts as a prevention against inappropriate actions on Campus and in the vicinity.
o Protection Against Violence: The system aids in preventing and addressing violent acts against individuals and property.
o Visitor Monitoring: It allows oversight and management of the visitor movements within the campus, which is crucial around minors.
5. INSTALLATION, ADMINISTRATION, AND SYSTEM OPERATION
5.1 Positioning of
The Equipment
To ensure the robust protection of individual rights and liberties, surveillance equipment is strategically positioned to only cover areas identified in the risk assesment as requiring enhanced protection.
5.2 Control Room Access
Unauthorised entry to the Control Room is strictly prohibited. Access is reserved exclusively for:
■ Authorised employees specially designated by the security firm hired by CHF.
■ CHF personnel approved by the management.
■ Designated IT staff.
■ Company representatives responsible for maintaining the system, accompanied by a relevant IT staff member. In exceptional situations, others might be permitted to access Control Room by seeking an approval from the management. However, these individuals won’t have access to personal data processed via video surveillance unless it is relevant for an investigation of a security/behavioural incident.
5.3
Privacy and Information Security Measures
To boost the security of the video system and enhance data protection, several technical and organisational measures have been implemented:
■ The duration for storing recorded through CCTV material is kept to a minimum, adhering to the shorterst period necessary for the compliance with the laws and ensuring safety,
■ Individuals who process and access personal data are required to sign confidentiality agreements regarding the personal information they have access to in their professional capacities
■ Access rights to personal data for users are restricted, particularly when such data is not essential for their specific job responsibilities.
■ The quantity of users with access to personal data is minimised, and these individuals are provided with annual training.
5.4 Data Access and Confidentiality
Access to stored recorded data or the surveillance system’s technical architecture is restricted based on specific job roles. CHF’s security management policy outlines these roles, detailing the type and purpose of access.
CHF determines the circumstances and boundaries of user’s rights to:
■ Real-time Viewing: Real-time footage is accessible only to the personnel designated by the security firm for surveillance tasks, with CHF’s consent.
■ Recorded Footage Viewing: Viewing recorded footage is limited to justified situations, like those explicitly stated by law or in the event of any security breaches and is restricted to specially designated individuals.
6. DISCLOSURE OF PERSONAL DATA: Circumstances & Limits
6.1 Analysis of Data Disclosure
The potential of disclosing personal data (images of individuals captured on video) to external parties will be evaluated by CHF case-by-case. This will include assessing both the necessity of the disclosure and ensuring that the purpose of the disclosure aligns with the original objectives of data collection, specifically for security and access control. Each instance of disclosure will be recorded by the surveillance system administrator in the System Events Register. The disclosure is always done ensuring the rights provided by the GDPR are met.
6.2 Legal Disclosure
In instances of criminal or inappropriate behaviour within the school campus, CHF will provide relevant video recordings to judicial authorities upon receiving their written request to assist in the resolution of the specific case.
6.3 Prohibited Uses
The video surveillance system must not be used to monitor employee’s punctuality or evaluate workplace performance.
6.4 Security Breach Documentation
All security breaches relating to the surveillance cameras must be documented in the System Events Register.
6.5 Data Storage Duration
The retention period for data recorded by the video surveillance system depends on its processing purpose. Typically, recordings are stored for no more than 20 days, after which they’re systematically deleted in the sequence they were captured. In the event of a security breach/ child safeguarding incident, the storage duration for the relevant recordings might extend beyond usual limits, depending on the additional time required for investigating the incident. Such extended retention will be thoroughly documented, with the storage necessity being regularly reassesed. Any extensions to retention periods will only be made based on a documented justification to ensure the rights of the data subjects are met and protected.
7.RIGHTS OF THE CONCERNED INDIVIDUALS
7.1 Assurance of Rights
CHF acknowledged and accepts the rights granted to individuals in accordance with the relevant legislative framework. All staff engaged in the video surveillance operations, along with those handling the recorded material, must adhere to the Procedure on Personal Data Access. This procedure is detailed in the Security Management Policy for Personal Data overseen by CHF. Failure to adhere to these policies and procedures may result in disciplinary, civil, or criminal consequences.
7.2 Information Dissemination
Every area under video surveillance will be distinctly marked using clear, visible signage situated within the monitored zone for the following puprose:
a) To inform individuals about the presence of CCTV.
b) To provide essential details related to the processing of their personal data.
7.3 Transparency and Awareness
Individuals within the surveillance area will be informed about the existence of the video surveillance infrastructure and its Controller. This is accomplished via Fair Processing Notices, which detail the data processing intent and identify CHF as its Data Controller.
8.RIGHTS TO ACCESS, RECTIFY, AND OBJECT
8.1 Overview
Throughout the period of CHF’s data processing, individuals have the right to:
a) Seek rectification or deletion, which includes deletion, update, correction, or anonymisation of their data.
b) To file an objection to their personal data’s processing in accordance with the relevant laws. Please note that some rights might be restricted in order to ensure the rights of others in accordance with the privacy legislative framework.
8.2 Request Procedure
Any request arising out of the use of CCTV cameras — whether it be access, rectification, or deletion — should be directed towards CHF, via the office department located at 42 Iancu Nicolae, Voluntari, Ilfov.
8.3 Response Timeframe
Responses to these requests are prepared and sent to the concerned individual within 20 calendar days, but no longer than 30 in any event. If, for valid reasons, there’s a delay, CHF shall inform the requester on the cause of such delay.
8.4
Viewing and Accessing Recorded Material
Upon an explicit request from the individual, CHF might:
a) Permit them to view the relevant footage.
b) Send them a copy of the recorded material through a secure communication channel.
All provided material shall ensure the original quality and secure that the rights of third parties aren’t compromised. If other individuals are visible in the shared video, their visuals must be edited to prevent recognition or identification. It’s imperative for the requester to establish their identity precisely, detailing when and where they were captured by CCTV. Additionally, a recent photograph may be requested for easier identification.
8.5 Access Limitations
Access might be rejected in accordance with the relevant laws. Furthermore, access can be denied if it’s imperative to safeguard the rights of third parties, especially if their consent can’t be obtained or heir data can not be edited out.
8.6 Resoluton of Complains
If individuals believe their rights, provided by the GDPR, have been violated, they have the right to contact CHF via Office at 42 Iancu Nicolae, Voluntari, Ilfov. In case the incident remains unresolved, they have the right to escalate it to the National Authority for the Supervision of Personal Data Processing.
National Authority Contact Details:
• Address: 28-30 Gheorghe Magheru Avenue, 1st District, Postal code 010336, Bucharest, Romania.
• Phone: +40.318.059.211; +40.318.059.212
• Fax: +40.318.059.602
5.REVISION HISTORY
2
3