2. Privacy Policy / Privacy Notice

A Privacy Policy (also known as a Privacy Notice or Privacy Statement) is the primary way that a data controller tells individuals how their personal data is processed.

In the case of surveillance and security operations, it would be good practice to include the following (or similar) in the controller’s Privacy Policy:  


We operate surveillance and security systems including, but not limited to, CCTV, electronic access control systems (EACS) automatic number plate recognition (ANPR) and other security management records that process personal data in properties for the purpose of achieving our legitimate interest of protecting the property, ensuring the safety of visitors, tenants and clients, and assisting with the prevention and detection of crime. These systems & records may also be used for monitoring workers who are carrying out their duties at the property. This includes our own staff and tenants’ staff. Information relating to tenants’ staff may be shared with tenants for HR and security purposes. We may be required to share personal data with recognised law enforcement agencies in which case the data will be released without a requirement for a search warrant.

In the case that organisations other than law enforcement agencies request access to data this will only be complied with if the other party is a data controller registered with the Information Commissioners Office and under the terms of a data sharing agreement and only if the receiving data controller has wording in its Privacy Policy explaining the source of the shared personal data (i.e. From the disclosing data controller). Where the personal data relates to the receiving data controller’s workers, the wording would usually be included in the Receiving data controller’s Employee Privacy Policy.

We would not release data outside the UK unless required by law.


We operate a data minimisation policy ensuring that we collect only the minimum of personal data that we need to achieve the intended legitimate purpose of the data processing.


Right of Access – Known as a Subject Access Request (SAR) Under data protection legislation you have the right to obtain confirmation, usually at no cost to yourself, that your data is being processed by the data controller and to receive copies of that personal data. In the case of security and surveillance systems this would typically be CCTV images or access control data.

The requested information will be provided without delay and at the latest within one month of receipt of the SAR. We may extend the period of compliance by a further two months where requests are complex or numerous. If this is the case we will inform you within one month of the receipt of the request and explain why the extension is necessary.

We do however reserve the right to make a reasonable charge to cover administrative cost of providing the information if you request further copies of the same information or your request is manifestly unfounded or excessive.

We may have to refuse your request if it might prejudice an ongoing criminal investigation, we may also refuse to comply with your request if in our opinion it is manifestly unfounded or excessive in either case we will notify you of our decision giving our legal reasoning within one month of the receipt of the request.

Right to be Informed – You have the right to be informed that your data is being processed by means of this Privacy Policy and in the case of CCTV surveillance public information CCTV signs installed in the area of surveillance.

Right to Erasure – This right is also known as the ‘right to be forgotten’. It is only available in certain circumstances and it would be unusual for erasure to be applicable to properly governed surveillance and security data.

Right to Rectification – It would be unusual for rectification to be applicable to surveillance data, and in the case that your personal data has been incorrectly entered into an access control or other security related data base we would correct this upon being informed.

Right to Withdraw Consent – Typically withdrawal of consent won’t be an issue for surveillance and security data processing because that processing is carried out on a legitimate interest basis.


How long we need to achieve your data for to achieve the purpose of the processing:

CCTV Surveillance, Body Worn Cameras & Drones

30-60 days is the accepted norm although the purpose of the processing may justify a longer period. If the retained footage relates to an incident the archive period may be extended until the investigation is complete and the case closed.

Public Parking ANPR

No data is retained relating to parking sessions that are completed within the allowed time window. Data relating to delinquent parking may be retained until the investigation is complete and the case closed.

Private Property Access ANPR

30 days although this may be extended if the purpose of the processing justifies a longer period. If the retained footage relates to an incident the archive period may be extended until the investigation is complete and the case closed.

Electronic Access Control Systems

90 days in the case of building occupiers staff and others entered into the systems data base by the data controller, in the case that individuals use of the system is discontinued for any reason the data will be deleted within 90 days of the date of the discontinuation.

Visitor and Contractor Attendance Records

30 days although this may be extended during periods of heightened security risk.

Asset (Keys etc.) Issue Management.

30 days in the case of items issued and returned within the allowed time window. Data relating to delinquent returns may be retained until investigation is complete and the case closed.

Activity Log (Daily Occurrence Log)

Having regard for RIDDOR (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations) your personal data that may be contained in such report may be retained for 5 – 6 years to allow time for any civil litigation to be made.

This website uses cookies to ensure you get the best experience on our website.