Reed in Partnership CCTV Policy
1. Policy Statement
Reed in Partnership Limited uses Closed Circuit Television (“CCTV”) within some of the premises of the company delivery sites. The purpose of this policy is to set out the position of Reed in Partnership as to the management, operation and use of the CCTV across the delivery sites where CCTV is installed.
This policy applies to all images captured for which Reed in Partnership are the data controller, including co-members of our workforce, contractors and visitors to the operational sites and all other persons whose images may be captured by the CCTV system for which the relevant authority are not the controller. The relevant authority is the controller of their candidate and their staff/contractors data when captured by the CCTV system.
This policy takes account of all applicable legislation and guidance, including:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”). Data Protection Act 2018 (together the “Data Protection Legislation”)
- CCTV Code of Practice produced by the Information Commissioner.
- Human Rights Act 1998
This policy sets out the position of Reed in Partnership in relation to its use of CCTV across all sites where CCTV is used.
2. Purpose of CCTV
Reed in Partnership uses CCTV for the following purposes:
- To assist in the prevention of crime and assist law enforcement agencies in apprehending offenders.
- To provide a safe and secure environment for candidates, staff and visitors.
- To prevent loss of, and or damage to Reed in Partnership.
- To facilitate the conduct of post-incident investigations on behalf of DVSA, DVA or the Home Office.
- To facilitate the response to Subject Access Requests (SARs).
- For Internal HR processes including, but, not limited to investigations into allegations of misconduct.
3. Description of System
The following CCTV system is installed at each of the sites where CCTV is used:
- HIKVision IP CCTV cameras installed in entrance, reception, waiting areas, invigilation areas and test labs.
- All CCTV cameras are networked to primary and back-up Network Video Recorders (NVRs).
- CCTV system setup is secure, with individual user access logons and passwords.
- All NVRs, connections and the network Switch will be protected in secure, locked containers.
- Back-up CCTV recordings will be held for 60 days if recorded on the DVSA NVR and 3 years if recorded on the Home Office NVR. Evidential CCTV footage to support a post-incident investigation will be retained on a secure Reed in Partnership network as set out in clause 7.2 below.
- Access to the CCTV system, including recorded footage is controlled. Test Centre staff will be restricted to live CCTV view capability in order to invigilate the relevant tests conducted at the centres. Access to recorded/back-up footage will be restricted to approved Reed in Partnership co-members, for the purpose of post-incident investigation and SAR response, see 6.1 –6.6 below.
4. Siting of Cameras
All CCTV cameras will be sited in such a way as to meet the purpose for which the CCTV is operated. Cameras will be sited in prominent positions where they are clearly visible to candidates, staff and visitors.
Cameras will not be sited, so far as possible, in such a way as to record areas that are not intended to be the subject of surveillance. Reed in Partnership will make all reasonable efforts to ensure the areas outside of Reed in Partnership premises and grounds are not recorded.
CCTV camera locations are chosen to minimise the capture of images which are not relevant to the legitimate purposes of the monitoring.
Signs will be erected to inform individuals that they are in an area within which CCTV is in operation.
Cameras will not be sited in areas where individuals have a heightened expectation of privacy, such as toilets.
Cameras may be located in test areas and, where this is the case, employees and candidates will be made aware. Access to footage is restricted and will only be used to fulfil the purposes outlined in section 2 above.
5. Privacy Impact Assessment
Prior to the installation or repositioning of any CCTV camera, a Privacy Impact Assessment (PIA) has been conducted by Reed in Partnership to ensure that the proposed installation is compliant with legislation and ICO guidance. The assessment has been approved by the DPO.
Reed in Partnership will adopt a privacy by design approach when installing new cameras and systems, taking into account the purpose of each camera so as to avoid recording and storing excessive amounts of personal data.
6. Management and Access
The CCTV system in each site will be managed by the Senior Test Centre member or appropriate role.
On a day-to-day basis the CCTV system will be operated by an individual with appropriate technical ability.
The viewing of live and recorded CCTV images will be restricted to appropriate staff and only for the purposes outlined in section 2 above.
Viewing of recorded images which are stored by the CCTV system will be restricted to appropriate staff and only for the purposes outlined in section 2 above. Relevant images may be shared with governing bodies reviewing instances of fraud, investigations, SARs or complaints.
No other individual will have the right to view or access any CCTV images unless in accordance with the terms of this policy as to disclosure of images.
The CCTV system is checked daily to ensure that it is operating effectively.
7. Storage and Retention of Images
Any images recorded by the CCTV system will be retained only for as long as necessary for the purpose for which they were originally recorded. This may vary depending on contractual requirements as outlined here.
Recorded images are stored for a maximum of:
- 60 days in accordance with contractual requirements for DVSA, and for the lifetime of the contract in the cases of incidents and fraud investigations.
- 3 years in accordance with contractual requirements for the Home Office, and for the lifetime of the contract in the cases of incidents and fraud investigations.
Recorded images are stored on 2 separate NVRs (for security resilience purposes). One Primary NVR is for the use of live CCTV viewing capability by Test Centre invigilators. All CCTV recording is separately stored on a back-up NVR, where images are retained for the contractual periods set out in clause 7.2.
Retention beyond the contractual requirement outlined in 7.2, for the purposes of investigations, SARs, or complaints may be retrieved via secure link to an encrypted Reed in Partnership OneDrive folder, where it will be retained for a specified period; in the case of security and fraud incidents, this will be held for the lifetime of the contract, for all other instances, this will be retained for a period of 12 months.
Reed in Partnership ensures that appropriate security measures are in place to prevent unlawful or inadvertent disclosure of any recorded images. The measures in place include:
- CCTV recording systems being in restricted access areas.
- The CCTV system being encrypted/password protected.
- Restriction of the ability to make copies to specified, authorised members of staff
- CCTV Technical and Operational Processes policy in place for all system users.
- Regular assurance audits and compliance inspections of the CCTV system.
A log of any access to CCTV images, including time and dates of access, and a record of the individual accessing the images, are maintained by Reed in Partnership.
8. Disclosure of Images to Data Subjects
Any individual recorded in any CCTV image is a data subject for the purposes of the Data Protection Legislation and has a right to request access to those images.
Reed in Partnership may be the Data Controller or Data Processor for any stored CCTV images of participants and this should be checked at contract level for any requests. Reed in Partnership is a Data Controller of all Co-Member images.
Any individual who requests access to images of themselves will be considered to have made a SAR pursuant to the Data Protection Legislation. Such a request is subject to Reed in Partnership’s SAR Policy.
When such a request is made the appropriate individual with access to the CCTV footage will review the CCTV footage, in respect of relevant time periods where appropriate, in accordance with the request.
If the footage contains only the individual making the request then the individual may be permitted to view the footage. This is strictly limited to that footage which contains only images of the individual making the request.
If the footage contains images of other individuals then Reed in Partnership redacts the images to erase the images of any person other than the requester. Redaction is performed by authorised personnel under secure conditions on the Reed in Partnership encrypted OneDrive.
A record is kept, and held securely, of all disclosures which sets out:
- When the request was made.
- The process followed by to the individual with access to the CCTV footage in determining whether the images contain third parties.
- The considerations as to whether to allow access to those images.
- The individuals that were permitted to view the images and when.
- Whether a copy of the images was provided, and if so to whom, when and in what format.
Note that, when a SAR is made, unless an exemption applies (such as in relation to third party data that it would be unreasonable to disclose) then the requester is entitled to a copy in a permanent form. There is reference here only to “access” as opposed to a “permanent copy” as Reed in Partnership may consider it preferable in certain circumstances to seek to allow access to images by viewing in the first instance without providing copies of images. If an individual agrees to viewing the images only then a permanent copy does not need to be provided. However, if a permanent copy is requested then this should be provided.
9. Disclosure of Images to Third Parties
Reed in Partnership will only disclose recorded CCTV images to third parties where it is permitted to do so in accordance with the Data Protection Legislation.
CCTV images will only be disclosed to law enforcement agencies in line with the purposes for which the CCTV system is in place.
If a request is received from a law enforcement agency for disclosure of CCTV images then the individual with access to the CCTV footage must follow the same process as above in relation to SARs. Detail should be obtained from the law enforcement agency as to exactly what they want the CCTV images for, and any particular individuals of concern. This will then enable appropriate consideration to be given to what should be disclosed, and the potential disclosure of any third party images.
The information above must be recorded in relation to any disclosure.
If an order is granted by a Court for disclosure of CCTV images then this should be complied with. However very careful consideration must be given to exactly what the Court order requires. If there are any concerns as to disclosure then the Data Protection Officer should be contacted in the first instance and appropriate legal advice may be required.
10. Automated Decision Making & Profiling
Your data is not subject to automated decision making or profiling as defined in data protection legislation.
11. Review of Policy and CCTV System
This policy will be reviewed every two years or earlier should the need arise.
Any changes to this privacy notice will be applied to you and your data as of that revision date.
12. Misuse of CCTV Systems
The misuse of CCTV system could constitute a criminal offence.
Any member of staff who breaches this policy may be subject to disciplinary action.
13. Complaints relating to this policy
Any complaints relating to this policy or to the CCTV system operated by
Reed in Partnership should be made in accordance with Reed in Partnership’s Complaints Policy.