CCTV policy

1. Purpose

The University of Derby (the “university”, “us”, “we”) operates overt closed-circuit television (CCTV) systems for the purpose of ensuring the safety and security of its campus, assets, and members of the university community. This policy outlines the guidelines for the use, operation and management of the university’s CCTV systems in compliance with relevant legislation, including the General Data Protection Regulation (GDPR) and other applicable laws.

2. Scope

2.1. This policy applies to all CCTV systems provided and operated by the university across its campuses and associate premises, including Halls of residence, and other university-owned or operated properties.

2.2. The university’s CCTV system consists of fixed overt cameras situated on university property, which continuously record the area of coverage.

2.3. The principles of this policy also apply to the university’s overt automatic number plate recognition (ANPR) system and body-warn cameras, both of which form part of our wider CCTV technology.

2.4. It does not cover use of equipment pursuant to the university’s core education or research purposes (e.g. time lapse cameras installed to monitor the progress of a research project).

2.5. It applies to all students, staff, contractors and visitors.

3. Responsibilities

3.1. The University’s Security Team are the operators of our CCTV systems.

3.2. Head of Security:

Responsible for oversight and compliance of CCTV systems in accordance with this policy, university guidelines and relevant legislation.
Responsible for monitoring and managing the CCTV systems to ensure the safety and security of the university's premises, property, and members of the community.
Collaborates on new construction and renovation projects to determine the need for additional CCTV equipment and documents decisions.
Undertakes a Privacy Impact Assessment (PIA) for installations or relocations.
Approves any new CCTV installations or relocation of cameras.

3.3. Authorised Users:

All authorised users of CCTV systems are university staff and are Security Industry Authority (SIA) license holders. Users include, without limitation, control room security staff, designated security staff at other campuses/sites and halls managers.
Monitor and respond to security incidents, emergencies and associated breaches of university regulations or policy.
Investigate suspicious activities, thefts, vandalism and other criminal offences.
Responsible for the day-to-day management, operation, control and maintenance of CCTV systems, this includes monitoring system performance, responding to requests for access to CCTV footage and ensuring technical and organisational measures are in place to protect personal data.
Ensure that access to CCTV systems and footage is limited to authorised users.

3.4. Assurance Services:

Responds to requests for CCTV footage and, if thought fit, authorises release to relevant requester.

4. Policy Statement

The purpose of this CCTV policy is to establish clear guidelines for the deployment and use of overt CCTV systems across all university properties, including campuses, halls of residence, and other facilities. This policy aims to enhance the safety and security of students, staff and visitors, while protecting university assets and deterring criminal activity. It sets out the requirements for the lawful operation of CCTV systems, ensuring compliance with the Information Commissioner's Office (ICO) Code of Practice, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Human Rights Act 1998, and other relevant legislation and regulation.

This policy underscores the commitment to protecting individual privacy and outlines the approach to addressing complaints and data requests. Through this policy, we strive to balance security needs with the rights and freedoms of the university community, ensuring transparency and accountability in all CCTV operations.

4.1. Purpose of the CCTV System

To enhance the safety and security of students, staff and visitors.
To protect the university’s property and assets.
To detect, prevent and reduce incidence of crime.
To prevent and respond effectively to all forms of anti-social behaviour, public disorder, harassment and suspicious activity.
To assist with our health and safety obligations.
To support and monitor compliance with the University’s Regulations and guidelines, such as the University parking guidelines.
To investigate suspected breaches of university regulations.
To gather evidence by a fair and accountable method.
To improve the operational response of security patrols and aid emergency services.

4.2. Data Protection

Recorded images of living, identifiable individuals constitute personal data under the DPA and the UK GDPR. Our CCTV systems are designed, implemented and operated in accordance with the principles of the DPA and GDPR, including lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Any future changes in legislation will be considered.

The university is registered with the Information Commissioner’s Office (ICO): Information Commissioner's Office Register (ico.org.uk).

4.3. Locations

The CCTV system consists of overt cameras situated on university property.
CCTV cameras are strategically placed to cover key areas, including entrances, exits, public spaces and high-risk areas, as determined by risk assessments and security consideration, minimising intrusion into private areas.
Signs indicating the presence of CCTV cameras and providing contact information for enquiries or requests regarding CCTV footage are prominently displayed.
CCTV footage is monitored by authorised staff only.

4.4. Additional information for use of CCTV in Halls of Residence

Footage from our halls of residence is used primarily for the safety and security of residents. Cameras are installed in communal areas only, not in private living spaces. Signage will be displayed either in the foyer of the residence or on the external entrance to the building.

4.5. Body-worn Cameras

An additional policy covering the use of body-worn cameras by security staff is available, and includes the guidelines for activation, data storage and access.

4.6. Data Security and Technical Measures

Security measures such as encryption and access controls are implemented to prevent unauthorised access and ensure data security.
Access to CCTV systems and footage is restricted to authorised users as detailed above.
Logs of access to CCTV footage are maintained to track who accessed the footage, when and for what purpose.
Regular audits, maintenance and checks of CCTV equipment are carried out to ensure optimal performance and compliance with the policy.

4.7. Installation and Privacy Impact Assessments (PIA)

Before implementing any new CCTV system or significant changes to existing systems, a PIA will be conducted to assess the potential impact on privacy and to mitigate identified risks.

The PIA and any associated project documents detail the rationale and arrangements for the installation including, where cameras are sited to only capture images relevant to the purpose for which they are installed, and appropriateness and reasons for an installation in a particular location.

All CCTV installations must be carried out by a university-approved installer and with the approval of the Head Security or their nominated representative.

4.8. Retention

CCTV footage is normally retained for 30 days, and for no more than up to a maximum of 45 days. The actual retention period is determined by system configuration, after which it will be overwritten and securely deleted, unless there is a specific reason for its retention, such as an ongoing investigation or to comply with a data request or obligations pursuant to the relevant legislation.

4.9. Access to Systems

Access to the control room and recorded/live footage is prohibited, except for lawful and legitimate purposes (e.g., official visits from law enforcement or inspection agencies) and only then with the prior permission (verbal or written) of the Head of Security or their nominated representative.
All visitors to the control room will be requested to sign the visitor’s book and a declaration of confidentiality.
Any other staff admitted to the control room, such as cleaning staff, engineers or IT staff effecting repairs must be authorised by the Head of Security or their nominated representative (either verbally or in writing) and must be supervised.

4.10. Requests to Disclose CCTV Footage

All requests to disclose CCTV footage will be dealt with in accordance with all applicable legislation and regulation.

Requests for disclosure must be made to Assurance Services at gdpr@derby.c.uk, unless stated otherwise below.

Individuals - Individuals have the right to request access to CCTV footage in which they appear. Further information can be found here: Apply for a subject access request.
Third Party - Disclosure is strictly controlled and documented, ensuring compliance with UK GDPR and the protection of individuals rights. The university may refuse requests if, amongst other things, they do not meet legal requirements or if disclosure would infringe on the privacy rights of other individuals.
- Requests for information by the police and other authorities must be accompanied by the relevant data protection form duly signed by the appropriate authority and must be made through Assurance Services.
- Under Schedule 2, Part 1, Paragraph 2 of the DPA, disclosures of personal data for the prevention or detection of crime, or the apprehension or prosecution of offenders, can be made to law enforcement agencies without the consent of those persons identifiable by the relevant personal data.
- Requests from other third parties, such as legal representatives, solicitors, insurance companies or regulatory bodies must also comply with the applicable legal requirements and be properly documented. The university will assess these requests on a case-by-case basis to ensure, amongst other things, that they do not infringe on the privacy rights of individuals.
Internal - Footage may be shared internally with university departments or entities for purposes consistent with the original collection intent, such as disciplinary investigations. Internal requests to view CCTV should be made in writing to the Assurance Services Manager.
Union of Students - Please note where appropriate, requests from the university’s Union of Students (UoS), are processed in accordance with the principles applied to a request from an external third party. Requests from the UoS must be consistent with our original collection intent, such as investigations into breaches of policy such as disciplinaries.
Emergency Situations - Footage may be accessed without the relevant authorisation in emergency situations, such as immediate threat to life or national security where it is vital that the footage is made available immediately. A data protection form must still be obtained to document that the access occurred.
Freedom of Information Act 2000 – this legislation grants individuals the right to request information held by public authorities, such as the university, this may include CCTV footage. Further information can be found here: Freedom of Information Requests.

4.11. Training and awareness

Regular training is provided to staff involved in operating CCTV systems, focusing on data protection principles, privacy rights and the proper use of CCTV equipment.
Information is available to students and staff about the presence of CCTV, its purpose and their rights regarding recorded footage.

5. Compliance and Review

The Head of Security will undertake regular audits and reviews for adherence to this policy and will review this policy annually.
The Director of Campus Services has overall accountability for adherence to this policy.

6. Complaints

For questions or concerns regarding this policy, contact the university’s Control room security@derby.ac.uk.
Complaints regarding the use and operation of CCTV, should be made to the Head of Security.
Complaints regarding disclosure of CCTV footage, should be made to Assurance Services, GDPR@derby.ac.uk.
Complaints regarding misuse of the system will be treated seriously and investigated by the Head of Security and the Assurance Manager.

7. Sanctions

This policy prohibits unauthorised access to CCTV footage and mandates strict controls over data sharing and disclosure. Failure to comply with this policy may lead to disciplinary procedures being invoked. This could result in disciplinary action, including dismissal. If any breach constitutes an offence under criminal or civil law, the university may refer the matter to the police or take legal action.

8. Legislation, and related documentation

The University is committed to ensuring that the operation of its CCTV systems complies with all relevant legal and regulatory requirements. This policy outlines our adherence to key legislation, ensuring the lawful, fair and transparent processing of personal data capture CCTV.

UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Freedom of Information Act 2000
ICO CCTV Code of Practice
Human Rights Act 1998
Toolbox Talk – Use of Body Camera available on request

9. Equality Analysis

This policy will be reviewed on a regular basis to ensure there is no unintended consequences for any particular groups or an individual

Policy approval details

Version	V1.0
Area	Campus Life
Authors	Assurance Manager, Head of Security, Director of Campus Life
Owner	Director of Campus Life
Equality analysis	September 2024
Approval body	University Executive Board
Last approval date	19 December 2024