2. Privacy Policy / Privacy Notice

A Privacy Policy (also known as a Privacy Notice or Privacy Statement) is the primary way that a data controller tells individuals how their personal data is processed.

In the case of surveillance and security operations, it would be good practice to include the following (or similar) in the controller’s Privacy Policy:  

OVERVIEW

We operate surveillance and security systems including, but not limited to, CCTV, electronic access control systems (EACS), automatic number plate recognition (ANPR) and other security management records that process personal data in properties for the purpose of achieving our legitimate interest of protecting the property, ensuring the safety of visitors, tenants and clients, and assisting with the prevention and detection of crime. These systems and records may also be used for monitoring workers who are carrying out their duties at the property. This includes our own staff and tenants’ staff. We also have a legitimate interest in assisting our tenants with HR and security matters by sharing footage and information recorded by these systems with them, on request.

We may be required to share personal data with recognised law enforcement agencies, in which case the data will be released without a requirement for a search warrant.

In the case that organisations other than law enforcement agencies request access to data, this will only be complied with if the other party is a data controller registered with the Information Commissioner’s Office and under the terms of a data sharing agreement; and only if the receiving data controller has wording in its Privacy Policy explaining the source of the shared personal data (i.e. from the disclosing data controller).

We would not release data outside the UK unless required by law.

If your personal data is transferred outside of the UK to a country which doesn’t offer equivalent protection to personal data then we ensure that the recipient signs the Standard Contractual Clauses (SCCs). The SCCs ensure that the recipient protects your information to the high standards set out in UK law. 

DATA MINIMISATION

We operate a data minimisation policy ensuring that we collect only the minimum of personal data that we need to achieve the intended legitimate purpose of the data processing.

YOUR RIGHTS

Right of Access – Known as a Data Subject Access Request (DSAR). Under data protection legislation you have the right to obtain confirmation, usually at no cost to yourself, that your data is being processed by the data controller and to receive copies of that personal data. In the case of security and surveillance systems this would typically be CCTV images or access control data.

The requested information will be provided without delay and at the latest within one month of receipt of the DSAR. We may extend the period of compliance by a further two months where requests are complex or numerous.

We do, however, reserve the right to make a reasonable charge to cover administrative costs of providing the information if you request further copies of the same information, or if your request is manifestly unfounded or excessive.

We may have to refuse your request if it might prejudice an ongoing criminal investigation. We may also refuse to comply with your request if, in our opinion, it is manifestly unfounded or excessive. In either case we will notify you of our decision giving our legal reasoning within one month of the receipt of the request.

Right to be Informed – You have the right to be informed that your data is being processed by means of this Privacy Policy and, in the case of CCTV surveillance, public information CCTV signs installed in the area of surveillance.

Right to Erasure – This right is also known as the ‘right to be forgotten’. It is only available in certain circumstances and it would be unusual for erasure to be applicable to properly governed surveillance and security data.

Right to Rectification – You have the right to request that we rectify inaccurate personal data held about you. NB: It would be unusual for rectification to be applicable to surveillance data. One example is where an individual’s personal data has been incorrectly entered into an access control or other security-related database; the data controller should correct this upon being informed.

Right to Withdraw Consent – If we are processing your personal data based on your consent then you can withdraw that consent by contacting us. NB: Typically, withdrawal of consent won’t be an issue for surveillance and security data processing because that processing is carried out on a legitimate interest basis.

ARCHIVE RETENTION

How long we need to archive your data to achieve the purpose of the processing:

CCTV Surveillance, Body Worn Cameras & Drones

30-60 days is the accepted norm, although the purpose of the processing may justify a longer period. If the retained footage relates to an incident, the archive period may be extended until the investigation is complete and the case closed.

Public Parking ANPR

No data is retained relating to parking sessions that are completed within the allowed time window. Data relating to delinquent parking may be retained until the investigation is complete and the case closed.

Private Property Access ANPR

30 days, although this may be extended if the purpose of the processing justifies a longer period. If the retained footage relates to an incident, the archive period may be extended until the investigation is complete and the case closed.

Electronic Access Control Systems 

90 days in the case of building occupiers’ staff and others entered into the system’s database by the data controller. In the case that individuals’ use of the system is discontinued for any reason, the data will be deleted within 90 days of the date of the discontinuation.

Visitor and Contractor Attendance Records

30 days, although this may be extended during periods of heightened security risk.

Asset (Keys etc.) Issue Management

30 days in the case of items issued and returned within the allowed time window. Data relating to delinquent returns may be retained until the investigation is complete and the case closed.

Activity Log (Daily Occurrence Log)

Having regard to RIDDOR (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations), your personal data that may be contained in such a report may be retained for 6 – 7 years to allow time for any civil litigation to be brought.