VeriFi EIDOS

11. Data Viewing & Release

Foreword
VeriFI Data Viewing & Release is achieved by two alternative methods;
 
  • VeriFi EIDOS Secure File Sharing (SFS) in which case the compliance manual is supplied with a 1Tb password protected, encrypted hard drive and 4 x USB Memory Cards. The use of SFS is described in SFS Training Video.
  • VeriFi Hard Copy is supplied with a 1Tb password protected, encrypted hard drive, 4 x USB Memory Cards, 5 x Data Viewing Logs, 5 x Data Release Logs. Instruction sheets describing how these logs must be completed are included.
Overview

Viewing and release of data requires the following steps to be recorded either by means of the VeriFi paper based documentation or the VeriFi EIDOS SFS platform.

  1. Site address.
  2. Data details (type), normally CCTV, Access Control.
  3. Description of Incident/Activity.
  4. Purpose of Viewing – eg Police investigation).
  5. Data Viewed by – the name and address of the requesting organisation name of the person representing it.
  6. Request Logged by – normally Security
  7. Viewing Authorised by – normally Facilities or Building Manager
  8. Description of the data viewed
  9. Follow up Activity – this normally relates to the release of data in which case the following steps will be required:]
  10. Type of Media Released
  11. Data Released to – the name and address of the requesting organisation name of the person signing for receipt.
  12. Archive Copy – description of how and where the archive copy is stored.
  13. Routine Archive Copy Review – you should not retain the data for longer than is necessary to achieve the purpose it was required for.
  14. Erasure/Destruction of Archive – detail who approved the erasure/destruction, who carried this out and date.
It is important to ensure that NO data is released without the prior authorisation of the Data Manager who is usually one of the following;
 
  • Facilities Manager
  • Assistant Facilities Manager
  • Centre Manager
  • Building Manager
  • Operations Manager

As a general rule you should only allow viewing or release of data without a formal data sharing agreement in the case of applications by;-

  1. Police.
  2. HSE.
  3. HMRC. 
  4. Weights Measures.
  5. Employees of the data controller or data processor involved in security and safety of the premises.
  6. Individuals making a Data Subject Access Request (refer to 8.1).
  7. Insurance Companies acting on behalf of an insured where release is via VeriFi Secure File Sharing, otherwise it would be good practice to enter into a formal Data Sharing Agreement.
A Data Sharing Agreement (DSA) will be required if release is requested by an individual or organisation other than those listed above. For further information refer to section 14.
 
Any Data Viewing must recorded in the VeriFi Data Viewing Log or via VeriFi EIDOS Secure File Sharing (SFS).
 
If release of data is required  you must create a master (archive) copy on the encrypted hard drive and either download a copy to a VeriFi supplied USB memory card or upload to SFS. 
 
Prior to release of data you must obtain signed authorisation from the Data Manager and record this in the Data Release Log or SFS.
 
Once download to a USB memory card has been completed close the USB back in the card and place the ‘Tamper Evident Security Seal’ across the hinge recording both unique reference numbers of the USB device and the Security Seal in the Data Release log or SFS.
 
If the recipient cannot physically collect a USB Card you must scan a copy of the Data Release Log and email this to the applicant explaining the method by which the USB card will be despatched ‘track and trace’ asking that section 9 of the scanned copy is signed and returned.
 

Viewing and release of data requires the following steps to be recorded either by means of the VeriFi paper based documentation or the VeriFi EIDOS Electronic File Sharing platform.

Data Retention

The extent of retained data should should be no more than the minimum required to achieve the legitimate purpose you set out to achieve.

The period that CCTV data (including Body Worn Cameras and *ANPR) is retained for (archive period) is normally 30 days unless a longer period can be justified.

An archive period of 90 days is reasonable in the case of personal data processed by; Access Control, Visitor Logs, Asset Release Logs etc.,

Archive retention of data relating to incidents that are or may be the subject of investigation shall be until notification by the investigating body that the case is closed or in the absence of such notification for a period not exceeding 6 years. 

*Public car park access and egress transaction data should not be retained unless relating to a delinquent issue and a recording is required for evidential purposes.