1. CCTV Ownership
The Institute of Directors (IoD) operates a CCTV surveillance system (“the system”) throughout the IoD estate, with images being monitored and recorded centrally. The CCTV cameras are situated at specific locations internally and externally on the IoD estate. The system is owned and managed by Art Security Solutions and operated by MITIE security.
The responsible manager is the Head of Facilities – Joanna Masterman.
Images obtained from the system which include recognisable individuals constitute personal data and are covered by the General Data Protection Regulation (GDPR).
The IoD is the registered data controller under the terms of the GDPR. The Data Protection Officer for the IoD is the Manager who is responsible for ensuring compliance with the GDPR.
This policy has been drafted in accordance with the advisory guidance contained within the Information Commissioner’s CCTV Code of Practice and the Home Office Surveillance Camera Code of Practice.
3. Purpose of our CCTV System
The IoD’s registered purpose for processing personal data through use of the system is crime prevention and/or staff monitoring. This is further defined as:
“CCTV is used for maintaining public safety, the security of property and premises and for preventing and investigating crime. This information may be about staff, members, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance.
Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, court or tribunal, security organisations and persons making an enquiry.”
The operators of the system recognise the effect of such systems on the individual and the right to privacy.
Full details of the IoD’s data protection registration are available on the Information Commissioner’s Office website.
The system is intended to produce images as clear as possible and appropriate for the purposes stated. The system is operated to provide when required, information and images of evidential value.
Cameras are located at strategic points throughout the IoD’s estate, principally at the perimeters, entrance and exit points of buildings and public and non-public collection spaces.
Signage is prominently placed at strategic points on the estate to inform staff, visitors and members of the public that a CCTV installation is in use and includes contact details for further information.
Images captured by the system are recorded continuously and may be monitored in the IoD’s Security control room. Images displayed on monitors are not visible from outside the Security control room and access to the Security control room is strictly limited.
All Security staff working in IoD premises are licensed by the Security Industry Authority and are fully aware of the sensitivity of handling CCTV images and recordings. The Senior Controller will ensure that authorised staff are fully briefed and trained in all aspects of the operational and administrative functions of the system.
6. Information retention
No more images and information shall be stored than is required for the stated purpose. A daily audit is carried out to ensure that all images captured by the CCTV are deleted after 30 days or once their purpose has been discharged. Information used as a reference database for matching purposes will be accurate and kept up to date.
All access to recorded images is recorded in the Security Control Room daily log. Access to images is restricted to those who need to have access in accordance with this policy, the SOPs and any governing legislation.
Disclosure of recorded material will only be made to third parties in accordance with the purposes of the system and in compliance with the General Data Protection Regulation.
Anyone who believes that they have been filmed by the system can request a copy of the recording, subject to any restrictions covered by the General Data Protection Regulation (“Subject access request”). Data subjects also have the right to request that inaccurate data be corrected or erased and to seek redress for any damage caused. Procedures are in place to ensure all such access requests are dealt with effectively and within the law. Access requests should be addressed to the DPO and e-mailed to firstname.lastname@example.org or by letter to:
For the attention of the DPO at the Institute of Directors, 116 Pall Mall, London SW1Y 5ED.
Members of the public should address any concerns or complaints over use of the Institute of Directors CCTV system to email@example.com or by post to the Institute of Directors at 116 Pall Mall, London SW1Y 5ED for the attention of the DPO. IoD staff should address any enquiries or concerns relating to the system to their line manager in the first instance.
9. Annual review
This policy was approved by the Data Protection Officer on 9th March 2018. It will be reviewed annually by the Data Protection Team to ensure that the purpose still applies and every five years by the Board.