Guidance on CCTV

What you need to know about the use of CCTV at unit meeting places, whether you own the venue or hire it

Approved: January 2021
Version: 1
Content owner: Data protection

If your meeting place uses CCTV,  you need to be aware of data protection laws around its use.

In general, closed circuit television (CCTV) views and/or records activities. This means that the use of CCTV is covered by the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). As such, the use of it needs to comply with these laws. 

The guidance on this page is advisory only. It’s designed to inform you of the laws around CCTV you should be aware of if you run meetings, or activities, in a venue with CCTV. It‘s the sole responsibility of the property owner to put appropriate measures in place to protect privacy rights.

If you manage CCTV at unit meeting places, use this guidance to make sure that the rights and privacy of members and the public are maintained. This guidance is for use at a local level and is not intended for CCTV use on properties at a commercial, county, or country and region level.

Installing CCTV on a property

If you own a building that is used for Girlguiding activities at a local level – for example a joint property with the Scouts - you may decide to install CCTV for security purposes. If the CCTV captures images beyond your private domestic property then your use of the system is subject to data protection laws. Private domestic property means the boundary of the property (including the garden) where you live.

As the CCTV user, you are a data controller and must comply with data protection laws and uphold the rights of the people whose images you are capturing. You must do so without being intrusive or invading privacy. Failure to comply with data protection laws may mean you become subject to enforcement action by the Information Commissioner's Office (ICO), which could include a fine. Legal action can also be pursued by individuals affected.

CCTV can be installed if laws and regulations are followed properly. It could be installed, for example, for security purposes in order to monitor activity for the purpose of crime prevention.

What to consider when installing CCTV

When installing a CCTV system:

  1. There should be a clear and justifiable reason for installing CCTV, which should be documented.
  2. People should be made aware that CCTV is to be installed. There must be clearly visible and readable signs displayed, outlining that recording is taking place and why.
  3. You must ensure that you don’t capture more footage than needed to achieve the purpose that the system was installed for.
  4. Any footage captured must be kept secure and access to this footage should be limited.
  5. If footage is being retained, you must only keep it for as long as needed. Footage should be deleted regularly and when no longer required.
  6. The CCTV system should only be operated for its intended use, you must ensure it cannot be used for other reasons.

Steps to take before installing CCTV

You must take the following steps before CCTV can be installed in a property. These are to protect the rights and privacy of members and the public.

You will need to:

1. Add signs to the property, stating who manages the CCTV system and how to get in touch.

Where there are CCTV cameras, you must clearly display signs that tell people they are entering an area covered by CCTV. The signs should be:

  • Clearly visible and readable.
  • Placed at the entrance of the surveillance system’s zone and be reinforced with further signs within the area.
  • More prominent and frequent in areas where people are less likely to expect they will be monitored.

You should include the following information on each sign:

  • Details of the organisation operating the system. This does not need to be included if who is operating the system is obvious through where the CCTV is installed (such as inside a building where it is clearly signed that it is owned by a certain individual or organisation). 
  • The purpose for using the surveillance system.
  • Who to contact about the surveillance system (basic contact details such as a simple website address, telephone number or email address).

2. Consider completing a Privacy Impact Assessment to document decisions made surrounding installing the surveillance system. 

Although not a legal requirement, a Privacy Impact Assessment should be completed as recommended by the ICO CCTV code of practice. This assessment should be documented if proof is needed in the future if someone were to complain. The assessment should identify:

  • The purpose behind the monitoring and likely benefits - you need to consider the problem you are seeking to address.
  • If believed to be justified, what level of monitoring is necessary? Is a surveillance system a justified and effective solution? For example, if the purpose is to prevent theft, violence and other crime would a movement activated light be more effective to cover a carpark or the front of a building? At what level does the surveillance need to be in place?
  • It should consider alternative ways in which their purpose might be achieved without CCTV.
  • What are the likely adverse impacts of using a CCTV system. For example, loss of privacy for hall or building users.
  • What action is to be taken in the event of a breach of the (video) data files?
  • It should record the obligations that will arise from the CCTV system such as the monitoring, notifying users, managing data in accordance with the DPA and risk of right of access requests.
  • Act as a record of the decision process.

3. Create a CCTV policy and be ready to provide this (on request) to those who ask. 

A CCTV policy should be in place to explain the nature and extent of monitoring and the reasons for it. It should detail what levels of privacy an individual can and cannot expect.
This should include:

  • Details of the data controller.
  • The data processing organisation responsible.
  • Justification of CCTV and it is positioning. For example, it’s easier to justify CCTV in an area like a public entrance, where expectations of privacy are low.
  • The assessment of adjusting the camera angles to avoid disproportionate monitoring.
  • For example, it’s possible to record entrances to a room but not the activity within the room to reduce privacy being infringed.
  • Is this surveillance system going to have live monitoring? If yes, who will have access to monitor this? Where possible, CCTV should only be monitored by Girlguiding members as they have undergone DBS and necessary checks.
  • How will the images be stored?
  • Who will have access to the captured images?
  • What security will be used to prevent unauthorised access to the images? What are the safeguards to prevent the captured imagery from being misused? You must consider this because, if images of children are to be captured on CCTV this data will need to be protected against loss, theft or disclosure as children are vulnerable persons requiring specific protection.
  • What is the retention period for the images? For example, if the purpose of the CCTV is to prevent crime, the retention period should be short as images are only needed if criminal activity was discovered.
  • When, or if, this data will be shared with others, and with whom.
  • How will individual rights requests be managed?
  • The actions that will be taken in the likelihood of a data breach.
  • How an individual can make a complaint to regarding use of the CCTV.
  • How the data controller will ensure that those who operate and have to access to CCTV are informed about the surrounding obligations.

The above points should be considered and included in a CCTV Policy. If you would like further guidance on creating a CCTV Policy contact the data protection team on [email protected].

 

4. Be able to point individuals towards the ICO CCTV code of practice if they wish to know more information about the use of CCTV.

5. Inform individuals about how they can make individual rights requests, including who it should be sent to and what information needs to be supplied with their request. This should be written into the CCTV policy.

As a data controller you must be able to respond and fulfill all individual rights requests. This process is regulated by the by the ICO (Information Commissioners Office). Individual rights requests include:

  • Subject access requests (SARs). If requested, you must be able to provide all information you hold on an individual (including identifiable images). SARs can be made verbally or in writing and a response must be given within one month, see the ICO page on SARs for more information about SARs and exemptions.
  • Erasure requests. If requested, you must be able to delete footage of people. This should take place within one month. You can refuse to delete it if you specifically need to keep it for a genuine legal dispute – in which case you need to tell them this, and also tell them they can challenge this in court or complain to the ICO. See the ICO page on an individual’s right to erasure for information.

6. Inform individuals about who a complaint should be made to, about either the operation of the system or failure to comply with the requirements of this code.

See the Managing Complaints and Disclosures section below for more information on how these should be handled.

7. Share the following information with anyone who operates and has access to CCTV:

  • The policy for recording and retaining information
  • How information will be handled securely
  • What to do if they receive a request for information, for example, from the police. See the Managing Complaints and Disclosures section below for more information on how these should be handled.
  • How to recognise a right of access request and what to do if they receive one.

CCTV in a property you use but do not own

What you need to know if your meeting place has CCTV but you do not own and manage the venue.

If CCTV is already present at a unit meeting place

If CCTV is already in place at your unit meeting place, the leader should make themselves aware of the CCTV policy in place and have a copy of this. See the above CCTV policy information for what should be contained within this policy. 

Parents and members should be made aware that there is CCTV in place. They should be informed about who to contact if they have any individual rights requests, or general questions regarding CCTV in place. This information should be included in the CCTV policy.

If CCTV is being installed at a unit meeting place

If you have been informed that CCTV will be put in place at a property or building that you are using for Girlguiding activities, the below actions should be undertaken:

  • Information regarding this installation should be sent to all members and parents.
  • A request should be sent to the owner of the property for a copy of the CCTV policy. See CCTV policy section above for the information that should be contained in this.
  • Members and parents should be informed about who to contact if they have individual rights requests, or general questions regarding CCTV (this information should be included in the CCTV policy).
  • A point of contact should be requested from the property owner for any issues, queries or individual rights requests. These may be submitted to them as part of their legal obligations under data protection legislation.

What to do if there is no CCTV Policy in place

If the property owner does not have a CCTV policy in place, and has not responded to requests for this, contact the data protection team on [email protected] who can facilitate this request and provide further guidance.

Managing Complaints and Disclosures

You should follow this guidance whether you own the venue or just hire it.

Complaints

Complaints about CCTV should be raised with the CCTV owner. If you are unsure as to who this is, it can be found in the CCTV policy. If someone wishes to complain about the use of CCTV within a unit meeting place, and the owner is a volunteer, the Complaints team encourage you to try to resolve it informally with local guiding before you escalate it through the complaints policy. Refer to the complaints procedure and if necessary ask the individual to contact the complaints team at [email protected].

If the CCTV is owned and managed by you, then it’s your responsibility to ensure the guidance on this page and from the ICO is followed. You'll also need to ensure you are managing complaints and following ICO guidance. If the CCTV is owned and managed by someone else then complaints will need to be taken up with the individual in question.

Disclosures

If the police request information that may be held within your surveillance system, and you are the data controller, you should have a process in place to manage this. If you would like guidance on how to manage a disclosure request contact the data protection team on d[email protected]. If the request has been made and you are not the data controller, you should direct the individual who has made the request to the CCTV owner (this will be included in the CCTV policy).

Data breaches

A data breach is an incident or omission that results in a loss, theft, deletion, unauthorised sharing or unauthorised access to personal data.

If a data breach takes place that involves CCTV managed by yourself then this must be recorded as outlined in your CCTV policy. Refer to the reporting a data breach procedure for more guidance about actions required in the event of a breach.

Remember that all data breaches should be reported to the data protection team. If you’re unsure about what has happened or what you have found is a data breach, report it - it’s better to over-report than under-report. Contact the data protection team if you need further guidance.

What to do if parents are uncomfortable with CCTV present, and do not want them or their child to be recorded

If you manage the CCTV, there should be a justified reason for the CCTV. Send parents a copy of the CCTV policy that you have in place and explain to them why the CCTV has been installed. If they still would like to raise a complaint refer them to the complaints procedure and request they contact the complaints team at [email protected].

If the CCTV is managed by someone other than you, request a copy of the CCTV Policy in place which can be shared with parents as in the situation above. If multiple individuals have raised issues surrounding the use of CCTV in a unit meeting place, then contact the data protection team who can provide further guidance.