Closed-Circuit Television and other Surveillance Systems
1. Policy Statement and Scope
1.1 The use of closed-circuit television (CCTV) and other surveillance systems is considered intrusive to individuals right to privacy, as for the most part, these systems capture and record individuals as they go about their legitimate business. Castles & Coasts Housing Association (CCHA) will comply with the Surveillance Camera Code of Practice to ensure that our use of these systems is legitimate, necessary, proportionate, effective, and compliant with legislation. Thereby, balancing CCHA’s requirements with individuals’ rights to privacy.
1.2 This policy covers CCTV, smart doorbells (doorbells/door entry systems with cameras that record), body worn cameras, dash cams, drones with recording devices, noise monitoring or noise recording and the use of any other system that captures audio/visual or other surveillance recordings, including capturing audio/video on a smart phone. For ease this policy uses the phrase ‘system’ to cover all surveillance and recording systems.
1.3 This policy has two distinct sections, Section One covers systems that are installed by residents. CCHA are not the Data Controller (DC) for these systems; however, we need to ensure that systems do not cause nuisance or harassment to other residents. We will make residents are aware of the information provided by the Information Commissioners Office (ICO) on domestic CCTV systems, so residents are aware of their responsibilities.
1.4 Section Two applies to systems that CCHA are the DC for, that is all systems that CCHA install either temporarily or permanently including times when CCHA request someone captures or monitors surveillance data on our behalf. Section Two sets out how CCHA will comply with the Surveillance Camera Code of Practice. Through complying with these principles, we also meet our obligations under the UK GDPR
1.5 Where employees have dash cams in personal vehicles and use the vehicle for business purposes the dash cams are for personal use only and CCHA is not the DC for data captured by employees own dash cams. Data captured in employees dash cams will not be used by CCHA.
1.6 Employees should not use mobile phones to take recordings of people or record information about people unless there is a serious crime or serious Anti-Social Behaviour (ASB) taking place. This is because the recording can be considered intrusive of people’s privacy, though in the event of a serious crime, or serious ASB can outweigh the privacy considerations. Employees should inform their manager and the Data Protection Officer (DPO) in this event. Employees can use mobile phones to capture data that isn’t personal data, for example, it is fine to capture photos of property components, or repairs needed or repairs that have been completed as these are not usually personal data.
2. Section One
Systems installed and managed by residents
2.1 CCHA requires residents to inform us before they install any surveillance technology such as CCTV systems. Residents will be asked to confirm that the system is solely for domestic purposes, that is systems only capture recordings from within the boundaries of residents own home, and not any public areas, or any communal hallways, corridors or shared gardens, or neighbouring properties. Where the installation of systems will involve alterations to a property, such as electrical work, or drilling holes residents will also need to get permission as set out in their tenancy agreement.
Castles & Coasts Housing Association
CCTV Policy – Version 2 - July 2022
This policy is owned by the Data Protection Officer
Next review date July 2025
Page 1 of 7
2.2 Residents wishing to install CCTV or other surveillance systems should contact their Lettings and Neighbourhood (L&N) Officer. Residents will be asked to demonstrate that the system is solely for domestic purposes by providing examples of the areas captured by the system.
2.3 Residents with CCTV in operation should display signage so that contractors or any other CCHA employee visiting their property is aware that recording is in operation. Residents must confirm that, if asked, they will turn off the recording equipment when contractors, or any CCHA employees, or anyone acting on CCHA’s behalf visit the property. Residents must confirm that any footage of CCHA employees or anyone acting on our behalf will not be made publicly available, for example, must not be put on the internet or social media. If a resident insists on recording CCHA employees or anyone acting on our behalf, this should be agreed in writing prior to the visit. Systems should not record audio as these are considered by the Surveillance Commissioner as particularly intrusive.
2.4 Upon receiving a request to install a CCTV or similar system the L&N Team will determine if the request is for a solely domestic system. The resident will be asked to sign a copy of the CCTV request in Appendix 1, to confirm they will comply with the requirements above. CCHA will make the resident aware of the data protection requirements and provide a link to the guidance provided by the ICO CCHA are not the DC and have no responsibility for the data captured in systems installed by residents.
2.5 Systems that capture recordings outside the boundary of a resident’s property can be considered intrusive to people’s right to privacy and CCHA may receive complaints from neighbours about such systems. Systems that capture recordings outside the boundaries of a resident’s home are subject to data protection laws. CCHA do not have the resources, nor are we responsible for assessing residents’ compliance with data protection laws, for that reason we can’t give permission for such systems.
2.6 If a resident informs CCHA that another resident has installed a system that captures images from outside the boundary of their own home, they will be provided with the guidance provided by the ICO https://ico.org.uk/your-data-matters/domestic-cctv-systems-guidance-for-people-being-filmed/ CCHA do not have any authority to enforce data protection laws, but we can and will inform people of their responsibilities by providing links to the ICO’s website.
2.7 If there is clear evidence that the system is causing nuisance, harassment, alarm, and distress, this will be dealt with in line with our ASB Policy. For example, images of other residents being shared on social media or information captured on the system being shared and discussed with other people.
2.8 The use of mobile phones for taking photos or making recordings is increasingly prevalent, and from time-to-time residents do send recordings of other people to CCHA. Often these are taken without people being aware the recordings are being made CCHA has to consider the lawfulness of using and storing these recordings. On receiving copies of such recordings, before this data is retained in CCHA systems, consideration needs to balance individuals’ rights to privacy with the purpose for which the recording has been sent to CCHA. If the recording has been sent to evidence serious crime or ASB, for example racist abuse, this could be considered to override the individual’s right to privacy. On choosing to retain recordings there should be evidence of serious ASB or a criminal offence and we must be able to justify our decision as this could be challenged under data protection laws Data subjects, the people in the recordings or photos, should be made aware that we have been provided with this evidence, but not the source, unless doing so would prejudice a criminal investigation It should be made clear to residents at the time they supply photos/recordings to CCHA that we will have to inform the data subjects that we have received this information. The same principles will be applied if residents supply CCHA with footage from CCTV or other surveillance systems.
Castles & Coasts Housing Association Page 2 of 7
CCTV Policy – Version 2nd July 2022
This policy is owned by the Data Protection Officer
Next review date July 2025
3.1 CCHA will conduct a CCTV Data Protection Impact Assessment (CCTV DPIA), see Appendix 2, to assess the risks and benefits of any proposed system and audit compliance with this policy 1 . These will be reviewed yearly. For systems in place at the time this policy is launched, a CCTV DPIA should be completed and approved at the earliest opportunity.
3.2 The installation of any system must be approved by a Head of Service or Health and Safety Manager, usually Head of Housing for systems installed that cover CCHA’s housing schemes, and Health and Safety Manager and for systems that cover CCHA’s offices. They should make sure any actions identified in the CCTV DPIA are completed before the system captures data.
3.3 Where systems are going to be installed that affect leaseholders, shared owners or freeholders, this will be subject to formal leasehold consultation, in line with Section 20.
4. Principle 1 - Use of a surveillance camera system must always be for a specific purpose, which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
4.1 CCHA will only use surveillance systems where there is a need to do so for:
• the safety of employees or residents
• prevention or detection of crime
• to protect the rights and freedoms of individuals
We will not use surveillance systems, or data captured by surveillance systems for any other purpose.
4.2 There must be evidence of the need for the system, for example, a recent history of ASB or criminal activity There must be a valid reason why this cannot be solved by other means.
4.3 Systems that capture audio recordings are considered, by the Surveillance Commissioner, as highly intrusive, and unlikely to be justified. Any system that captures audio recordings, i.e., records conversations/voices, must have a very robust assessment. Such systems should only be used where it has not been possible to capture evidence by other means and the seriousness of the issue is significant to merit such intrusive recording. We must be able to robustly demonstrate why the decision was taken to capture audio as this could be challenged under data protection laws. It is expected that systems that record audio will have controls in place to limit the impact on individuals right to privacy, for example, only record audio when the sound is excessive, only allow for short bursts of audio to be recorded, around 30 seconds, and not allow for continuous recording.
5. Principle 2 - The user of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
5.1 The CCTV DPIA will include the effect the system will have on individuals’ privacy, including considering all areas in which the system will cover. In approving the system, consideration must balance individuals right to privacy with the need and purpose of the system. The use of systems in areas where individuals would expect privacy should only be undertaken where there is a very serious problem, that cannot be addressed by other means.
1 The only exception to this is where a third party is providing services to use drones for property inspections and the third party has provided a DPIA which has been reviewed by CCHA’s DPO.
Castles & Coasts Housing Association
CCTV Policy – Version 2nd July 2022
This policy is owned by the Data Protection Officer
Next review date July 2025
Page 3 of 7
5.2 CCHA will not install CCTV systems that captures images from private gardens or looks directly into windows/doors of residential properties.
5.3 The CCTV DPIA must be completed before any new system is installed, be that permanent or temporary. It will be reviewed every year to ensure the system is still required and CCHA’s purpose for installing the system remains justified.
6. Principle 3 - There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
6.1 At the locations that CCHA has CCTV in operation we will make sure clear signage is in place to inform people that CCTV is in operation and the system is operated by CCHA. It shall be clear that CCHA is the DC for this information. We will also endeavour to include on the signage our reasons for CCTV, though this information will be available in our Privacy Notices. The Head of Housing is accountable for ensuring signage is in place for CCTV systems that cover our housing schemes, though the responsibility for this can be delegated to the scheme manager. For CCTV in office locations, the Health and Safety Manager has this accountability. Signage should be clearly visible and readable
6.2 For all other systems the CCTV DPIA shall document how people will be informed that the system is in operation. It is expected this will be through either signage, letters informing people of the system or given verbally at the time the data is captured.
6.3 CCHA will not operate covert systems, that is systems that operate without people being told about them. Where problems, as serious enough to warrant such systems, these should be referred to the police, or other relevant authority, who have to conduct investigations in line with the Investigatory Powers Act 2016
7. Principle 4 - There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
7.1 The data custodian, Head of Service or Health and Safety Manager, is accountable for the system and approves or declines requests for systems and the CCTV DPIA They are accountable for ensuring the system complies with this policy, though the responsibility for the day-to-day operation of the system can be passed to team/scheme managers. The details are documented in the CCTV DPIA which must be reviewed at least once a year.
8. Principle 5 - Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
8.1 This policy sets out the rules CCHA has in place for the use of surveillance systems. All staff who request, approve or use surveillance systems must familiarise themselves with this policy. The CCTV DPIA sets out who has access to the data captured by systems.
9. Principle 6 - No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
9.1 When deciding to install a new system consideration must be given to the location of cam eras or other recording equipment so that these only capture the data that is necessary for the purpose of the system.
Castles & Coasts Housing Association
CCTV Policy – Version 2nd July 2022
This policy is owned by the Data Protection Officer
Next review date July 2025
Page 4 of 7
9.2 CCHA will not retain any images or recordings for more than one calendar month, unless one of the following circumstances applies:
• We are otherwise advised by police
• We believe that the footage may be required to evidence ASB or a crime, or required for civil litigation
• We may be required to disclose the footage as part of a subject access request
• The recording does not include personal data. There is no data that relates to and is identifiable to a person
• It is call recording data captured by the 8x8 system as set out in the call recording statement
9.3 Any images or recordings that are retained must be deleted as soon as they are no longer required.
10. Principle 7 - Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
10.1 The CCTV DPIA will set out who has access to data captured by systems, when the data can be accessed, when data can be retained, including access by third parties. The CCTV DPIA also documents how users will be made aware of their responsibilities. Any new employees who will have access to the system must receive this information as part of their induction.
10.2 If a third party has access to data captured or held in systems a Data Processing Agreement must be in place, before access to data is granted.
10.3 Data from systems can only be shared with the Police, either by facilitating viewing of data or providing the Police with a copy of the data, in response to a specific crime, prevention of a specific crime, usually where a time and date of the incident has been provided, or for apprehending or prosecuting offenders. The request should be made in writing and signed by a Senior Police Officer The request should include the lawful ground that is being relied upon under the UK GDPR and that failing to provide the disclosure would likely prejudice any investigation. Team Managers or Heads of Service, or Health and Safety Manager can authorise the viewing of CCTV by the Police
10.4 Before sharing any data or facilitating the viewing of data, confirmation of the Police Officer’s ID should be made, either taking the officers collar number and confirming their identity by calling 101 or viewing a warrant card.
10.5 Where a Police Officer, or any other authorised person, views data, a member of CCHA staff must be present at all times.
10.6 If the Police require a copy of the data, this should be transferred securely, e.g., encrypted.
10.7 There must be a record kept of all requests by the Police to view or have a copy of data, the reason for the request, if the access was granted and why it was granted. This must be sent to the DPO who will hold the central record.
10.8 When viewing images, or other data, it should be done in such a way that it is not visible to people not authorised to view such data.
10.9 Any other requests to view or have copies of data captured by surveillance systems must be referred to the DPO. CCHA are unlikely to disclose data captured by surveillance systems unless it is necessary for the purpose of establishing, exercising, or defending legal rights or in connection with legal proceedings or we are ordered to do so by the courts, or a Data Subject Access request has been made that includes surveillance data.
Castles & Coasts Housing Association Page 5 of 7
CCTV Policy – Version 2nd July 2022
This policy is owned by the Data Protection Officer
Next review date July 2025
11 Principle 8 - Surveillance camera system operators should consider any approved operational, technical, and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
11.1 Prior to installing any new systems, a check should be made for any approved standards. All applicable approved standards should be adhered to. When undertaking the annual review of the CCTV DPIA, consideration should be given to any approved standards that may have been introduced in the last 12 months
11.2 If an external contractor is going to monitor surveillance systems, for example external security guards, it is likely they will need to be registered with the Security Industry Authority. This must be confirmed before the third-party begins monitoring the system. It is likely that a Data Processing Agreement will also be needed.
12 Principle 9 - Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
12.1 Systems should have adequate security to prevent unauthorised access to the data, including cyber and physical security. The system must be password protected with a complex password, i.e., combination of letters numbers and symbols, which is periodically changed. Any new system must, as a minimum, be encrypted when data is stored and when data is in transit.
12.2 For systems that store data remotely, such as web-based systems, the IT Lead should provide their view on the security measures. A signed Data Processing Agreement must be in place with any external party that stores surveillance data.
12.3 Where data is stored on local recording devices these should be secured to prevent theft or unauthorised access, for example, CCTV recording devices should be secured in a locked cabinet and secured by a Kensington lock In the event of a break-in it is highly likely recording devices will be stolen, thus removing evidence and also creating a data breach.
12.4 If there are not adequate security arrangements in place to prevent theft or unauthorised access, then it is hard to justify the use of the system.
13. Principle 10 - There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
13.1 CCHA will review all surveillance systems that are in use at least once a year. The DPO will ensure that all CCTV DPIA’s are reviewed annually and that there is consideration given to whether the system is still required or whether other less intrusive methods can be used.
14. Principle 11 - When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
14.1 Images or other data captured by the surveillance systems must be of sufficient quality that they are useable for the purpose the system was installed. For example, images captured by CCTV should be sufficiently clear that they could be used to identify any perpetrators
14.2 The integrity of surveillance data should be maintained so that it can be relied upon. Supporting information such as date, time and location should be correct
14.3 Where images may be shared, for example, with the Police for the prevention or detection of crime or for use in court for ASB, there must be an identified individual(s) who knows how to do this. If the data
Castles & Coasts Housing Association Page 6 of 7
CCTV Policy – Version 2nd July 2022
This policy is owned by the Data Protection Officer
Next review date July 2025
can’t be extracted this is likely to undermine the case for using the system and the system must be reviewed.
15 Principle 12 - Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
15.1 CCHA does not use facial recognition or other biometric characteristic recognition systems or combine this type of data with data captured by surveillance systems.
15.2 If images of residents or employees are being used to confirm identity of individuals captured on surveillance systems these should be up to date and checks made to confirm they are correct.
16. Linked Documents
Data Protection Policy
Anti-Social Behaviour Policy
Call Recording Statement
17. Document Owner
The DPO is the document owner for this policy. This policy shall be reviewed every 2 years.
Castles & Coasts Housing Association Page 7 of 7
CCTV Policy – Version 2nd July 2022
This policy is owned by the Data Protection Officer
Next review date July 2025