CCTV Code of Practice
This Code of Practice aims to ensure that the CCTV systems installed and operated by Cardiff University comply with the law and that the scope, purpose and use of the systems are clearly defined.
For the purpose of the Code of Practice the following definitions will apply:
- “University” refers to Cardiff University.
- “CCTV” is Closed Circuit Television System.
- “Security Services” refers to Cardiff University Security Services as part of Security & Portering Services (SECTY).
- “Data Controller” is Cardiff University.
- “Systems Operator” is Head of Security & Portering Services (SECTY).
- “Systems Users” are Security staff authorised to use the Closed Circuit Television System.
This Code of Practice is binding on all employees and students of Cardiff University and all employees of contracted out services. It also applies to all other persons who maybe present, for whatever reason, on Cardiff University property.
4. Ownership and Operation.
The CCTV system is operated by Security Services, as part of Security & Portering Services (SECTY) whose personnel are employed directly by Cardiff University. The CCTV system, all recorded material and copyright are owned by Cardiff University.
The designated Systems Operator, on behalf of Cardiff University, is the Head of Security & Portering Services.
The following principles will govern the operation of the CCTV system.
- The CCTV system will be operated fairly and lawfully and only for the purposes authorised by Cardiff University.
- The CCTV system will be operated with due regard for privacy of the individual and in accordance with Article 8 of the European Convention on Human Rights i.e. an individual’s right to privacy.
- The CCTV system is fundamentally an overt system, used within the confines of the recognised Cardiff University campus. The CCTV system’s existence and presence will be declared as in section 8 of this document.
- Any changes to the purposes for which the CCTV system is operated will require the prior approval of the Director of Campus Services (CSERV) and will be published in advance.
- The use of the CCTV system for any covert purpose must be for exceptional and justifiable purposes only, as qualified above, and agreed by the Director of Campus Services. In these circumstances details of the change will not be published in advance or disclosed thereafter.
6. Purpose of the CCTV System.
The system is intended to provide an increased level of security in the University environment for the benefit of those who study, work, live in or visit the campus.
The CCTV system will be used to respond to the following legitimate aims / key objectives, which will be subject to annual assessment.
- To detect, prevent or reduce the incidence of crime.
- To prevent and respond effectively to all forms of harassment and public disorder.
- To improve communications and the operational response of security patrols in and around the areas where CCTV operates.
- To reduce the fear of crime.
- To create a safer community.
- To gather evidence by a fair and accountable method.
- To provide emergency services assistance.
- To assist with health and safety.
- To monitor traffic flow and the use of Cardiff University car parks.
As community confidence in the system is essential, all cameras will be operational. An appropriate maintenance programme will be established.
7. System Details.
The CCTV system consists of in excess of 300 overt colour cameras situated on University property, which continuously record activities in that area. The Security Control Room is staffed 24 hours a day by Security members of Security & Portering Services (SECTY) working in shifts.
8. Installation and Signage.
Cameras shall be installed in such a manner as not to overlook private domestic areas. Cameras shall not be hidden from view and signs will be prominently displayed in the locality of the cameras. The signs will indicate:
- The presence of monitoring and recording.
- The ownership of the system.
- Contact telephone number.
If at any time mobile cameras are employed, their use will also be governed by this Code of Practice.
9. Data Protection Act 1998.
Where images of living, identifiable individuals are deliberately recorded, this is likely to comprise those individuals’ personal data. The collection, use and storage of personal data are governed by the Data Protection Act 1998. Cardiff University is registered with the Commissioner as a Data Controller operating CCTV.
Given that any particular sequence of CCTV recording may include personal data, all such recordings will be treated in accordance with the Data Protection Principles, apart from the sixth principle, (which gives rights to the data subject). The principles are set out in full in the appendix.
Data subjects’ rights, including a right of access to their personal data, (in accordance with Section 7 of the Data Protection Act), will be respected where recordings are confirmed to comprise personal data. Where an individual requests access to recordings believed to be their personal data, the matter shall be referred to the Information Rights Team, Governance and Compliance Division (GOVRN).
10. Access to Live Footage and Recordings.
10.1 Access to Live Footage.
Images captured by the system will be monitored in the Security Control Room, a self-contained and secure room on the Cathays Campus. For operational purposes, and in accordance with the stated purposes of the system, only designated Security staff from Security & Portering Services (SECTY), trained in their duties, shall have access to live CCTV footage. These staff will be referred to as Systems Users.
Non-essential access to the Security Control Room is monitored / controlled and all staff are trained in their responsibilities in respect of the use of CCTV.
The live CCTV system is also accessible to the South Wales Police Camera Control Room at Cardiff Central Police Station via a slave monitor. Live images may be viewed at any time by the police, however the police do not have the power to record the images or to re-position or focus the cameras directly.
10.2 Access to Recordings.
For operational purposes and in accordance with the stated purposes of the system, only designated Security staff from Security & Portering Services (SECTY) shall have primary access to CCTV recordings.
The Head of Security & Portering Services (SECTY) or nominee may permit the viewing of the CCTV recorded materials by other University staff where this is necessary in connection with the prevention of crime, assisting in the apprehension and prosecution of offenders or matters of national security.
Where University staff request access to CCTV recorded materials for any other purpose, the matter shall be referred to the Information Rights Team, Governance and Compliance Division (GOVRN).
10.3 Disclosure of Recorded Material.
As the main purpose of the CCTV system is to prevent crime and assist in the apprehension and prosecution of offenders, designated Security staff from Security & Portering Services (SECTY) may release CCTV recorded materials to the police where Cardiff University has initiated contact with the police and there is a reasonable belief that the CCTV recorded materials will be of assistance.
Where the police or other official body with prosecuting powers approach Cardiff University and request access to CCTV recorded materials they shall be asked to provide a Section 29 Notice (in the case of the police) or similar document confirming that the information is necessary for either the prevention of crime or the apprehension or prosecution of offenders, or matters of national security.
Where any other person requests access to CCTV recorded materials, this request shall be forwarded to the Information Team, Governance and Compliance Division (GOVRN).
In all cases where recorded materials are disclosed outside the University, the appropriate Security & Portering Services (SECTY) officer shall ensure that the disclosure is logged and duly signed for.
11. Retention of Recorded Materials and Disposal.
CCTV recordings and other materials produced from them shall be retained for fourteen days (in the case of DVD Hard Disc recordings) unless an incident is recorded which requires further investigation either by the Security Service as part of Security & Portering Services, the police or another external body with prosecuting powers.
In the later case, recordings shall be kept for a period of three years from the date of recording.
All media, on which recordings were made, that are no longer required will be destroyed and the appropriate details entered in the Destruction Records.
12. Breaches of the Code and Complaints.
A copy of this Code of Practice will be made available to anyone requesting it. Any complaint concerning misuse of the system will be treated seriously and investigated by the Head of Security & Portering Services or nominee with advice from the Information Rights Team, Governance and Compliance Division (GOVRN) as appropriate.
The Head of Security & Portering Services or nominee will ensure that every complaint is dealt with under the Campus Services Division (CSERV) Customer Care Policy which includes a written acknowledgement of the complaint within three working days. Further details about the process of dealing with complaints can be found in the Customer Care Policy.
Breaches of this Code of Practice shall be dealt with in accordance with the appropriate disciplinary policy. Serious breaches of the Code may result in criminal liability on behalf of the individual which could be considered as gross misconduct.
Where appropriate, consideration will given as to whether the police will be asked to investigate any matter relating to the CCTV system which may be deemed to be of a criminal nature.
Version 3 ~ April 2014
Reviewed and amended in accordance with Home Office guidance ‘Surveillance Camera Code of Practice ~ Section 30(1)(a) of the Protection of Freedoms Act 2012.
Data Protection Principles.
Processing shall be taken to mean all operations including obtaining, recording, storing, analysing or converting into other formats.
Personal data shall be processed fairly and lawfully (and in accordance with the grounds set out in Schedules 2 and 3 of the Act, as appropriate).
Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in a manner incompatible with those purposes.
Personal data shall be adequate, relevant and not excessive in relation to the purpose for which the data is held.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data shall not be held any longer than is necessary in relation to the stated purposes.
Personal data will be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
The Data Controller shall take appropriate security measures to prevent unauthorised or accidental access to, alteration, disclosure or loss and destruction of personal data.
Personal data will not be transferred outside the European Economic Area without ensuring there is an adequate level of protection in relation to the processing of personal data.