9.4 CCTV Monitoring
9.4.1 – CCTV monitors, whether fixed or portable, must only be viewable by persons directly involved in achieving the purpose of the surveillance.
9.4.2 – Persons employed to monitor CCTV shall be subject to a non-disclosure agreement in respect of information viewed.
9.4.3 – An exception exists where monitors are installed for public awareness purposes such as in retail applications. This is only if they display scenes which are in plain sight of an individual whilst in areas freely accessible to the public and where there can be no reasonable expectation of privacy.
9.4.4 – CCTV images of individuals must be clearly identifiable or recognisable for footage to be considered credible when submitted as evidence.
9.4.5 – Playback of recordings should always be strictly controlled and only viewed by authorised stakeholders having a justified need to view.
9.4.6 – Monitoring by means of portable devices including (but not limited to) Laptops, Computer Tablets and Smartphones shall be strictly limited to devices issued by the data controller. These can also be issued by a data processor subject to the agreement of the data controller. The issue and return of portable monitoring devices shall be registered to the recipient in an Asset Register or Daily Occurrence Log under the ultimate control of the data controller. Security of access to monitoring devices shall be by means of password protection.
9.4.7 – Guidance relating to Data Viewing and Release can be found here.
9.4.8 – Where Remote Monitoring is provided, this must be installed and managed in accordance with BS8418 by an ISO27001 accredited service provider.