CCTV and Surveillance Policy
- Introduction
- Purpose
- Background
- Surveillance Camera Code of Practice
- CCTV and surveillance within the scope of this policy
- General Principles/Guidelines
- Cameras and Area Coverage
- Roles and Responsibilities
- Data protection and subject access rights
- Data Retention and Sharing
- Review of this policy
- Related Policies
- References
- Definitions
1 Introduction
1.1 This policy governs the operation of closed circuit television (“CCTV”) systems operated by Wychavon District Council as data controller to assist in its carrying out its enforcement, public safety and other functions.
1.2 The policy sets out the principles to be observed by the Council, its members, employees, contractors, and any other parties or organisations involved in the operation, management and administration of relevant CCTV systems, as well as the hierarchy of responsibilities which exist to ensure that these systems are operated in a compliant manner.
1.3 It is also intended to inform members of the public of the purposes for which CCTV is operated, and of the standards which will be met in relation to it. In this way, the Council can be held accountable for its compliance with the policy.
1.4 A list of key definitions and acronyms is set out at section 14 of this policy.
1.5 The policy is supplemental to any safe operating procedures for Council departments to follow when procuring and installing CCTV systems.
1.6 This policy does not govern the Council’s use of the surveillance powers available to it, which are conducted under the auspices of the Regulation of Investigatory Powers Act. Covert surveillance is governed by a separate document, the RIPA Policy.
2 Purpose
2.1 The purpose of this policy is to set out how the Council manages, uses and operates CCTV. Wychavon District Council uses CCTV for the following purposes:
- To provide a safe and secure environment for residents, staff and visitors
- To prevent the loss of or damage to public spaces, buildings and/or assets
- To assist in the detection and prevention of crime and assist law enforcement agencies in apprehending offenders
- To help reduce the fear of crime
2.2 Compliance with this policy and with the detailed arrangements which sit under it ensures that the Council’s use of CCTV reflects a proportionate response to identified problems, which is operated with due regard to the privacy rights of individuals.
2.3 This policy is approved by Wychavon District Council’s Senior Management Team. It provides guidance on the appropriate and effective use of surveillance camera systems and in particular how it meets the requirements of:
- The Human Rights Act 1998 Art 8
- Data Protection Act 2018 and 1998
- General Data Protection Regulation (“GDPR”)
- The Regulation of Investigatory Powers Act 2000
- The Protection of Freedoms Act 2012
- Information Commissioners’ CCTV Code of Practice
- Surveillance Commissioner’s Surveillance Camera Code of Practice
- Wychavon District Council Data Protection Policy
- Criminal Procedure and Investigations Act 1996
2.4 This policy applies to Wychavon District Council employees, West Mercia Police and any third party organisations shared services or individuals who are contracted to work on behalf of Wychavon District Council and in doing so have access to information or footage captured by CCTV.
3 Background
3.1 In recent years there has been a substantial increase in the number of CCTV systems, driven in part by a reduction in the costs of installing and operating this type of equipment.
3.2 This increase has coincided with heightened privacy concerns, which have resulted in laws, regulations and codes of practice designed to ensure that the use of cameras is legitimate, proportionate to the intended purpose and respectful of the legitimate privacy expectations.
3.3 Article 8 of the Human Rights Convention recognises the right to a private and family life. Where CCTV captures images of people which comprise personal data, there is potential for this to infringe on the privacy of individuals. Accordingly, there is an obligation for CCTV installations and handling practices to comply with the 3rd Data Protection Principle (data minimisation) as well as the 6th Principle (Appropriate technical and organisational security) of the GDPR.
3.4 CCTV systems are operated by the Council only as a proportionate response to identified problems, this in so far as it is considered necessary in a democratic society in the interests of public safety, for the prevention and detection of crime and disorder and for the protection of the rights and freedoms of others.
3.5 The Information Commissioner’s Office (“the ICO”) has enforcement powers which include the power to issue directives to remove or modify CCTV installations. The ICO is supported by the Surveillance Camera Commissioner, which was established under the Protection of Freedoms Act 2012 and has issued a code of practice for the use of these cameras, which includes the guiding principles set out below.
4 Surveillance Camera Code of Practice
4.1 The Council will operate all CCTV implementations in line with the principles set out in the Surveillance Camera Commissioner Code of Conduct:
- Use of a CCTV system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
- The use of a CCTV system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
- There must be as much transparency in the use of a CCTV system as possible, including a published contact point for access to information and complaints.
- There must be clear responsibility and accountability for all CCTV system activities including images and information collected, held and used.
- Clear rules, policies and procedures must be in place before a CCTV system is used, and these must be communicated to all who need to comply with them.
- No more images and information should be stored than that which is strictly required for the stated purpose of a CCTV system, and such images and information should be deleted once their purposes have been discharged.
- Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
- CCTV system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
- CCTV system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
- There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
- When the use of a CCTV system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
- Any information used to support a CCTV system which compares against a reference database for matching purposes should be accurate and kept up to date.
5 CCTV and surveillance within the scope of this policy
5.1 The Council acts as data controller for the CCTV systems it operates for the purposes of maintaining preventing and detecting crime and for ensuring public safety.
5.2 The Council operates CCTV at the Civic Centre for the protection of staff and the Council as a whole from the threats or acts of violence against staff and to defend against legal and insurance claims.
5.3 The Council operates mounted CCTV in the central areas of Broadway, Droitwich, Evesham and Pershore and at the Westlands Centre, Droitwich
6 General Principles/Guidelines
6.1 The Council’s use of CCTV accords with the requirements and the principles of the Human Rights Act 1998, the General Data Protection Regulation ((EU) 2016/679), the Data Protection Act 2018 and the Protection of Freedoms Act 2012. This policy recognises the need for formal authorisation of any covert ‘directed’ surveillance as required by the Regulation of Investigatory Powers Act 2000, and provides that CCTV shall be operated fairly, within the law and only for the purposes for which it was established or which are subsequently agreed in accordance with the Code. CCTV shall be operated with due regard to the principle that everyone has the right to respect for his or her private and family life and home. Public interest in the operation of CCTV will be recognised by ensuring the security and integrity of operational procedures which sit underneath it, and which balance the objectives of the CCTV usage with the need to safeguard the individual’s rights.
6.2 In accordance with the ECHR, the use of CCTV and surveillance equipment must be necessary, in pursuit of a legitimate aim and in accordance with the law. It is therefore necessary to at all times consider the ECHR and a subject’s human rights in the operation of this policy.
6.3 This policy ensures that CCTV used managed or operated by or on behalf of the Council meets the Surveillance Code of Practice by being:
a. Transparent
Wherever possible, the presence of CCTV, the purpose for it and contact details for the Controller of it should be clearly displayed to the public.
There are strict laws around the use of covert surveillance cameras and these should only be implemented where necessary for a criminal enforcement purpose where the Council has the necessary statutory authority and under the oversight of the DPO.
b. For a Legitimate and Specified Purpose
Prior to establishing any CCTV installation, it is necessary to establish a legitimate purpose for it. The appropriate balance between the necessity of the CCTV and the privacy rights of individuals can only be assessed in light of this intended purpose.
c. Proportionate to that purpose
The usage of CCTV cameras, including field of vision and whether they can be remotely controlled, has to be proportionate to the identified need. For example, installation of a camera for the purpose of public safety would be unlikely to be proportionate in any area of no particular history of incidents.
CCTV with audio/voice recording will not be installed unless found to be proportionate following a Privacy Impact Assessment. Where it is necessary to make voice recordings, signage will reflect that, save for in the case of BWV where in the interests of safety of Council Officers and enforcement purposes, voice recording is usually present without such warning.
d. Privacy Risk Assessed
All existing and proposed CCTV installations should be subject to a Privacy Risk Assessment to identify what risks to privacy they pose and what controls can be applied to minimise these
e. Subject to Senior Management Approval and Oversight
Proposals to install CCTV must be approved by a member of the Senior Management Team, normally the relevant Director for the service area. Where the privacy assessment indicates a high risk to privacy, then the approval of the DPO is required prior to the procurement of CCTV equipment.
f. Secure from inappropriate access and interference
As CCTV recordings contain personal (and sometimes special category) data, there is a legal obligation to ensure that access is limited to those with a genuine need and that any data held meets technical standards for information security. In the event of a data breach, then prompt steps will be taken in accordance with the Council’s procedures to mitigate the breach and to notify relevant parties.
g. Subject to clear operational procedures which are binding on staff and contractors
All Council departments operating CCTV are required to ensure that there are procedures in place which regulate where cameras can be installed, where they should point, under what circumstances data can be accessed or removed from the devices and under what circumstances in can be disclosed to other parties.
h. Auditable
All staff actions which effect the operation of CCTV equipment should be captured in audit logs held on the devices or controlling applications. This includes, any actions which change the field of vision, any downloads of footage and any deletion of footage. All CCTV equipment must be specified so as to provide accurate time and date stamping.
All CCTV installations will be recorded on the Council’s CCTV Register.
i. Data Retention
CCTV systems operated by the Council shall normally retain footage for no longer than 30 days. Where footage is required for the purposes of prosecution of an offence or to defend legal claims, a copy should be made and stored securely.
j. Data Sharing requests
All requests for surveillance footage or images must complete the appropriate request form and submitted to the service area responsible for recording the footage and logged in accordance with the Standard Operating Procedure. All subject access requests will be reviewed by the Council’s data protection team and determined according to a process which ensures compliance with the law.
7 Cameras and Area Coverage
7.1 All CCTV surveillance will be sited in such a way as to meet the purpose for which the CCTV is operated. Cameras will be sited in prominent positions where they are clearly visible to residents, staff and visitors.
7.2 Any new requests for street CCTV surveillance will be subject to identification of need in partnership with West Mercia Police and Office of Police and Crime Commissioner analyst data and available funding.
7.3 No hidden (covert) cameras will be used unless in relation to authorised operations mounted under the Regulatory of Investigatory Powers Act 2000, and nor shall cameras be directed in such a way as to amount to surveillance which is intrusive. Any such hidden cameras will be operated in accordance with RIPA 2000.
7.4 Clear signage is normally placed within the area which is being monitored in order to ensure that both the public are aware when they are in a monitored area and also that the maximum deterrent value is achieved.
7.5 The CCTV systems do not record audio.
7.6 Camera positions are reviewed regularly to ensure that they remain proportionate to their purpose. Where the purpose can no longer be justified against the intrusion on personal privacy, they will be removed or switched off.
7.7 All viewing and recording equipment shall only be operated by trained and authorised users.
8 Roles and Responsibilities
8.1 All staff with operational access to CCTV equipment are responsible for following the specific operational procedures established for its use. This includes checking the equipment and reporting to management where it is found to deviate from the agreed specification or appears to have been interfered with.
8.2 Staff, contractors and other relevant persons shall only be permitted access to images obtained via CCTV in accordance with this policy. Only staff with the appropriate delegated Authority shall have access to CCTV systems. The viewing of live CCTV images will be restricted to authorised officers (which may include West Mercia Police Officers in the case of emergency or with a crime reference number) in a controlled environment or such other live camera footage used by the Council in public areas of their own buildings and as approved by the DPO or Monitoring Officer (or such person to whom either delegates such approval to)
8.3 Recorded images which are stored by the CCTV system will be restricted to access by authorised members of staff and West Mercia Police with explicit powers to view images where viewed in accordance with the Standard Operating Procedure. No other individual will have the right to view or access any CCTV images unless in accordance with the terms of this policy as to disclosure of images.
8.4 All individuals with a need for operational access to CCTV systems or for access to images captured via CCTV shall be trained to a proficient level which meets appropriate safeguards before they are permitted access. In addition, they will be overseen by senior staff experienced in all aspects of the management and operation of the CCTV system.
8.5 All relevant individuals are furthermore required to have read the Surveillance Camera Code of Conduct and to have had sufficient training in the specific equipment they operate.
8.6 Staff are not permitted at any time to edit or alter CCTV footage. The misuse of CCTV system could constitute a criminal offence. Any member of staff who breaches this policy may be subject to disciplinary action.
8.7 Heads of Service are accountable for identifying a legitimate need for CCTV installations where one exists (and for reviewing the same), for ensuring that data privacy impact assessments are conducted and reviewed by the Corporate Policy and Strategy Team and an action plan generated and progressed and for making sure that risk controls are established where needed to protect personal privacy.
8.8 Members of the Senior Management Team are responsible for approving proposed new CCTV installations and any significant changes to existing ones. Where proposed installations are assessed as posing a high risk to personal privacy, they are responsible for referring the matter to the DPO for approval.
8.9 In cases of a serious breach involving CCTV data, the DPO is responsible for reporting the matter to the ICO.
8.10 The Corporate Policy and Strategy Team is responsible for maintaining the Corporate CCTV Register and participating in the investigation of breaches.
9 Data protection and subject access rights
9.1 Privacy
- Prior to the installation of any street CCTV camera, or system, a privacy impact assessment will be conducted to ensure that the proposed installation is compliant with legislation and ICO guidance.
- Cameras will not be sited, so far as possible, in such a way as to record areas that are not intended to be the subject or invade peoples privacy, such as bedroom windows.
- Signs will be erected to inform individuals that they are in an area within which CCTV is in operation. However even though prominent, not every camera will have signage.
9.2 Disclosure of Images and Subject Access Requests
- Any individual recorded in any CCTV image is a data subject for the purposes of the General Data Protection Regulation (GDPR) therefore the District Council will only release footage for the purpose for which it was recorded. This may include to the police, insurance companies, social services, environmental health, Council shared services, Legal and insurance companies and/or authorised agencies partners or bodies in pursuant of their statutory functions.
- Only requests received by the control room for CCTV images of an incident with a crime or incident reference number within 30 days of the incident will be processed and released to the Police.
- All other requests (including police requests to departments other than the control room) will be considered by the Council’s Data Protection Officer and/or Monitoring Officer (or such person to whom either delegates such function to) and determined according to a process which ensures compliance with the law.
- An individual has the right to request footage of themselves only, but photographic proof of identification and a description of themselves and what they were wearing must be provided before a request is processed.
- All requests should be made in writing to
This email address is being protected from spambots. You need JavaScript enabled to view it. In order to proceed with a request, the date, approximate time, exact location and nature of request must be provided. An authorised officer will review the request and if it meets the requirements the officer will request the control room to review footage in the respect of relevant time periods where appropriate, in accordance with the request. If the footage contains only the individual making the request then the individual may be permitted to view the footage. This must be strictly limited to that footage which contains only images of the individual making the request. - The information above must be recorded in relation to any disclosure and retained for six years.
- Residents have the following rights with regard to CCTV footage captured by the Council’s cameras:
- A right to request through subject access, a copy of footage in which they are captured, subject to exemptions within the Data Protection Act 2018 and also balanced against the rights and freedoms of others who may appear in that footage. A link to further information on Subject Access Requests can be found here: https://www.wychavon.gov.uk/about-wychavon-district-council/privacy-notice
- A right to object to processing where they believe that the field of vision or the siting of the camera is disproportionate to the stated purpose of the camera. Where a resident objects to processing, the Council will consider the objection and decide whether a lawful basis for processing can still be justified. A written response will be provided outlining the outcome. Objections can be raised by writing to:
This email address is being protected from spambots. You need JavaScript enabled to view it.
10 Data Retention and Sharing
10.1 All Council CCTV Cameras automatically over-write footage 30 days after it is captured. Where authorised bodies are granted access to data collected via CCTV in order to carry out their statutory functions, then copies of the data may be made and provided securely for this purpose.
10.2 CCTV footage may be retained longer if required as evidence for court. The Council may be required by law to disclose CCTV footage, without notification to the subject, in the interests of public security and in order to disclose information that is material to a legal case. All images that are relevant to a criminal investigation must be retained in accordance with the 1996 Act.
10.3 Wychavon District Council will ensure that appropriate security measures are in place to prevent the unlawful or inadvertent disclosure of any recorded images. These measures in place include:
- CCTV recording systems are located in restricted access areas
- The CCTV system being encrypted/password protected
- Only authorised officers have access and are able to make copies of CCTV footage in accordance with this policy and the Standard Operating Procedure
10.4 A log of any access to the CCTV images, including time and dates of access, and a record of the individual accessing the images, will be maintained by authorised officers. The log will be retained for six years.
11 Review of this policy
11.1 This policy shall be reviewed every three years.
12 Related Policies
Wychavon District Council's Privacy Policy
Wychavon District Council’s RIPA Policy
13 References
Surveillance Camera Commissioner Code of Conduct
14 Definitions
CCTV: Closed Circuit Television
Data Protection officer (DPO): A statutory role set out under the Data Protection Act with responsibility for ensuring that organisations are compliant with personal privacy rights. Any resident can report a personal privacy concern about the Council to the Data Protection Officer.
Deputy Monitoring Officer: The people appointed by the Monitoring Officer to deputise on their behalf.
ECHR: European Convention on Human Rights
General Data Protection Regulation (GDPR): A Regulation establishing data protection principles and privacy rights for people whose data is processed in the European Union. It is supplemented in British law by the Data Protection Act 2018 which enshrines its rights and principles.
Information Governance: The discipline of applying controls to how information or data is created, how it is stored and where it moves.
Monitoring Officer: A statutory role under section 5 of the Local Government and Housing Act 1989 whose role is to ensure that the Council, its officers and elected members maintain the highest standards of conduct which includes ensuring the lawfulness and fairness of decision making.
RIPA: The Regulation of Investigatory Powers Act 2000. This act sets out the conditions under which investigations and covert surveillance can be lawfully conducted.