CCTV Code of Practice

The monitoring, recording, holding and processing of images of distinguishable individuals constitutes personal data as defined by the General Data Protection Regulation and the Data Protection Act (2018) This Code of Practice is consequently intended to ensure that in its use of Closed Circuit Television (CCTV) AU is fully compliant with the requirements of the General Data Protection Regulation and with related legislation and with the CCTV Code of Practice published by the Office of the Information Commissioner. It should be read in conjunction with the AU Data Protection Policy that outlines the Data Protection Principles upon which these guidelines are based.

1. Responsibility

Responsibility for implementing AU's Data Protection Policy as it relates to CCTV rests with the Pro Vice-Chancellor (Chief Operating Officer))

Responsibility for managing AU’s CCTV network and for monitoring implementation of this Code of Practice is delegated by the Pro Vice-Chancellor (Chief Operating Officer) to the Director of Campus Services or his/her nominee acting as Manager of the CCTV Scheme

Responsibility for the day-to-day management and use of authorised CCTV systems may be delegated to appropriately designated Local CCTV Managers in conjunction with the Head of Residential Services.

2. Approval and Registration

Any new requests for the installation of CCTV on AU premises must be forwarded, in writing, to the Pro Vice-Chancellor (Chief Operating Officer), following discussion with the Manager of the Scheme. Each request will be considered individually upon its merits. Approval will be provided in writing by the Pro Vice-Chancellor (Chief Operating Officer)). Each part of the system must fully comply with the provisions of this Code of Practice. A central register will be maintained listing the location of cameras and associated equipment.

3. Purpose

CCTV systems are employed at AU only for the following specific purposes:

To discourage delinquent and anti-social behaviour

To deter and detect crime, including theft and criminal damage

To enhance the safety and well-being of staff, students and members of the public

To assist in the overall management of buildings and campus facilities

Where, in carrying out these purposes, images are obtained of persons committing acts of an illegal nature and/or acts which breach the University’s Rules and Regulations, these may be used as evidence.

 CCTV systems must not be used for purposes other than those specifically indicated above.

4. Location and sites

The following guidelines must be observed when installing CCTV systems:

  • Apart from in exceptional circumstances (see 5 below), cameras must not be hidden from view and must be sited in such a way as to ensure that they only monitor spaces intended to be covered
  • Signs must be displayed so that everyone is aware that they are entering a zone that is covered by surveillance equipment. Signs must indicate the purposes for which cameras are installed and contact details for the Manager of the CCTV Scheme

5. Covert monitoring

Covert use of CCTV can only take place on the written permission of the Pro Vice-Chancellor (Chief Operating Officer) or his/her nominee. For these circumstances to occur, there must be reasonable cause to suspect that unauthorized or illegal activity is taking place, or is about to take place, or that a breach of the University Rules and Regulations is taking, or is about to take place. Covert monitoring will be undertaken only for a limited and reasonable period of time consistent with the documented objectives. All decisions relating to the use of covert CCTV will be fully recorded.

6. Processing data

  • It is important that access to, and disclosure of, images is restricted and carefully controlled, not only to safeguard the rights of individuals but also to ensure that evidence remains intact should the images be required for evidential purposes. Local CCTV Managers must: restrict access to those staff who need to have access to recorded images for the purpose(s) for which the system was installed;
  • make practical arrangements for ensuring that recorded images are viewed only by staff, authorized by them, via a nominated PC in a secure and confidential location; ensure that the CCTV log records all processing of data.

7. Documentation

Each CCTV system must have associated documentation listing the purposes for which the system has been installed and sited in that particular location. Documentation must also include details relating to means of access to images, extent of access, and must log requests to view, viewings themselves, any outcomes, repairs to cameras or re-siting of cameras. Those authorized to view images must provide a signature agreeing to abide by this Code of Practice.

A Privacy Impact Assessment must be undertaken for any significant modification of the CCTV system or its reasons for use.

8. Access

Arrangements for access to CCTV images are covered by the AU Data Protection Policy. Data Subjects have a right of access to their personal data and should complete a standard Subject Access Request form as outlined in that policy. Local CCTV Managers must ensure that:

  • all staff are made aware of the rights of data subjects to access images of themselves and the conditions under which access may be granted to them and to third parties
  • all subject access requests are dealt with by the AU Data Protection Officer in consultation with the Scheme Manager, Local Manager and/or other senior members of staff as appropriate
  • images are not to be disclosed to third parties without the permission of the Pro Vice-Chancellor (Chief Operating Officer) or his/her nominee
  • all requests from the police for access or disclosure are dealt with according to procedures detailed in the Data Protection Information webpages or in the CCTV Procedural Manual http://www.aber.ac.uk/en/infocompliance/dp/police/

9. Monitoring and review

 This CCTV Code of Practice will be kept under continuous review. Any questions about its interpretation or operation should be referred to the Data Protection Officer.