Skip to content
Skip to navigation menu


CCTV Code of Practice



1. Introduction.

This Code of Practice aims to ensure that the CCTV systems installed and operated by Cardiff University comply with the law and that the scope, purpose and use of the systems are clearly defined.

Back to top

2. Definitions.

For the purpose of the Code of Practice the following definitions will apply:

  • “University” refers to Cardiff University.
  • “CCTV” is Closed Circuit Television System.
  • “Security Services” refers to Cardiff University Security Services as part of Security and Portering Services (SECTY)
  • “Data Controller” is Cardiff University..

Back to top

3. Scope.

This Code of Practice is binding on all employees and students of Cardiff University and all employees of contracted out services.  It also applies to all other persons who may be present, for whatever reason, on Cardiff University property.

Back to top

4. Ownership and Operation.

The CCTV system is operated by Security Services, as part of Security and Portering Services (SECTY) whose personnel are employed directly by Cardiff University.  The CCTV system, the copyright and all recorded material are owned by Cardiff University.

Back to top

5. Principles.

The following principles will govern the operation of the CCTV system.

  • The CCTV system will be operated fairly and lawfully and only for the purposes authorised by Cardiff University.
  • The CCTV system will be operated with due regard for privacy of the individual
  • Any changes to the purposes for which the CCTV system is operated will require the prior approval of the Director of Campus Services Division (CSERV) and will be published in advance.

Back to top

6. Purpose of the CCTV System.

The system is intended to provide an increased level of security in the University environment for the benefit of those who study, work, live in or visit the campus.

The CCTV system will be used to respond to the following key objectives, which will be subject to annual assessment.

  • To detect, prevent or reduce the incidence of crime.
  • To prevent and respond effectively to all forms of harassment and public disorder.
  • To improve communications and the operational response of security patrols in and around the areas where CCTV operates.
  • To reduce the fear of crime.
  • To create a safer community.
  • To gather evidence by a fair and accountable method.
  • To provide emergency services assistance.
  • To assist with health and safety.
  • To monitor the University car parks

As community confidence in the system is essential, all cameras will be operational.  An appropriate maintenance programme will be established.

Back to top

7. System Details.

The CCTV system consists of approximately 90 overt colour cameras situated on University property, which continuously record activities in that area.  The control room is staffed 24 hours a day by Security staff from Security and Portering Services (SECTY), working in shifts.

Back to top

8. Installation and Signage.

Cameras shall be installed in such a manner as not to overlook private domestic areas. Cameras shall not be hidden from view and signs will be prominently displayed in the locality of the cameras. The signs will indicate:

  • The presence of monitoring and recording.
  • The ownership of the system.
  • Contact telephone number.

If at any time mobile cameras are employed, their use will also be governed by this Code of Practice.

Back to top

9. Data Protection Act 1998.

Where images of living, identifiable individuals are deliberately recorded, this is likely to comprise those individuals’ personal data.  The collection, use and storage of personal data are governed by the Data Protection Act 1998.  Cardiff University is registered with the Commissioner as a Data Controller operating CCTV.

Given that any particular sequence of CCTV recording may include personal data, all such recordings will be treated in accordance with the Data Protection Principles, apart from the sixth principle, (which gives rights to the data subject).  The principles are set out in full in the appendix.

Data subjects’ rights, including a right of access to their personal data, (in accordance with Section 7 of the Data Protection Act), will be respected where recordings are confirmed to comprise personal data.  Where an individual requests access to recordings believed to be their personal data, the matter shall be referred to the Information Rights Team, Governance and Compliance Division (GOVRN).

Back to top

10. Access to Live Footage and Recordings.

10.1 Access to Live Footage. Images captured by the system will be monitored in the Control Room, a self-contained and secure room on the Cathays Campus.  For operational purposes, and in accordance with the stated purposes of the system, only designated Security staff from Security and Portering Services (SECTY), trained in their duties, shall have access to live CCTV footage.

Non-essential access to the Security (CCTV) Control Room is monitored/controlled and all staff are trained in their responsibilities in respect of the use of CCTV.

The live CCTV system is also accessible to the South Wales Police Camera Control Room at Cardiff County Hall via a slave monitor. Live images may be viewed at any time by the police, however the police do not have the power to record the images or to re-position or focus the cameras directly.

10.2 Access to Recordings. For operational purposes and in accordance with the stated purposes of the system, only designated Security staff from Security and Portering Services (SECTY) shall have primary access to CCTV recordings.

The Head of Security and Portering Services (SECTY) or nominee may permit the viewing of the CCTV recorded materials by other University staff where this is necessary in connection with the prevention of crime, assisting in the apprehension and prosecution of offenders or matters of national security.

Where University staff request access to CCTV recorded materials for any other purpose, the matter shall be referred to the Information Rights Team, Governance and Compliance Division (GOVRN)

10.3 Disclosure of Recorded Material. As the main purpose of the CCTV system is to prevent crime and assist in the apprehension and prosecution of offenders, designated Security staff from Security and Portering Services (SECTY) may release CCTV recorded materials to the police where the University has initiated contact with the police and there is a reasonable belief that the CCTV recorded materials will be of assistance.

Where the police or other official body with prosecuting powers approach the University and request access to CCTV Recorded materials they shall be asked to provide a Section 29 Notice (in the case of the police) or similar document confirming that the information is necessary for either the prevention of crime or the apprehension or prosecution of offenders, or matters of national security.

Where any other person requests access to CCTV Recorded materials, this request shall be forwarded to the Information Rights Team, Governance and Compliance. (GOVRN)

In all cases where Recorded materials are disclosed outside the University, the appropriate Security and Portering Services (SECTY) officer shall ensure that the disclosure is logged and duly signed for.

Back to top

11. Retention of Recorded Materials and Disposal.

CCTV Recordings and other materials produced from them shall be retained for fourteen days (in the case of DVD Hard Disc recordings) unless an incident is recorded which requires further investigation either by Security Services, as part of Security and Portering Services, the police or another external body with prosecuting powers.

In the later case, recordings shall be kept for a period of three years from the date of recording.

All media on which recordings were made and are no longer required will be destroyed or shredded (in the case of CD/DVD discs) and the appropriate details entered in the Destruction Records.

Back to top

12. Breaches of the Code and Complaints.

A copy of this Code of Practice will be made available to anyone requesting it.  Any complaint concerning misuse of the system will be treated seriously and investigated by the Head of Security and Portering Services or nominee with advice from the Information Rights Team, Governance and Compliance Division (GOVRN) as appropriate.

The Head of Security and Portering Services or nominee will ensure that every complaint is dealt with under the Campus Service Division (CSERV) Customer Care Policy, which includes a written Acknowledgement of the complaint, within three working days. Further details about the process of dealing with complaints can be found in the Customer Care Policy.

Breaches of this Code of Practice shall be dealt with in accordance with the appropriate disciplinary policy.  

Any use of the CCTV system or materials produced which is outside the Code and is inconsistent with the objectives of the system will be considered gross misconduct.

Where appropriate, the police will be asked to investigate any matter relating to the CCTV system which is deemed to be of a criminal nature.

Back to top


Data Protection Principles.

Processing shall be taken to mean all operations including obtaining, recording,, storing, analysing or converting into other formats.

  1. Personal data shall be processed fairly and lawfully (and in accordance with the grounds set out in Schedules 2 and 3 of the Act, as appropriate).
  2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in a manner incompatible with those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which the data is held.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data shall not be held any longer than is necessary in relation to the stated purposes.
  6. Personal data will be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
  7. The Data Controller shall take appropriate security measures to prevent unauthorised or accidental access to, alteration, disclosure or loss and destruction of personal data
  8. Personal data will not be transferred outside the European Economic Area without ensuring there is an adequate level of protection in relation to the processing of personal data.