Privacy Impact Assessment on use of CCTV

Similar documents
PRIVACY IMPACT ASSESSMENT

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: Safeguarding Policy Data Protection Policy

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: T:Drive. Safeguarding Policy Data Protection Policy

This policy sets out how Legacy Foresight and its Associates will seek to ensure compliance with the legislation.

PRIVACY IMPACT ASSESSMENT CONDUCTING A PRIVACY IMPACT ASSESSMENT ON SURVEILLANCE CAMERA SYSTEMS (CCTV)

Staffordshire Police

Protection of Privacy Policy

2018 / Photography & Video Bell Lane Primary School & Children s Centre

Photography and Videos at School Policy

IET Guidelines for Volunteers: Data Protection

DRAFT South Wales Police Privacy Impact Assessment

Images Policy September 2017

Should privacy impact assessments be mandatory? David Wright Trilateral Research & Consulting 17 Sept 2009

Robert Bond Partner, Commercial/IP/IT

Privacy. New technologies, same responsibilities. Carole Fleeman Office of the Victorian Privacy Commissioner

Privacy Impact Assessments

Data Protection and Information Security. Photography and Filming - Guidelines for the use of Personal Data

GDPR Implications for ediscovery from a legal and technical point of view

Photography Policy: Taking, storing and using images

Mellor Community Primary School Policy for Photographs and Photography

Privacy Policy SOP-031

Use of Photographs (Senior School) Policy

ISO/TR TECHNICAL REPORT. Intelligent transport systems System architecture Privacy aspects in ITS standards and systems

IAB Europe Guidance THE DEFINITION OF PERSONAL DATA. IAB Europe GDPR Implementation Working Group WHITE PAPER

Striving for Excellence. Ark Oval Primary Academy

I hope you will find these comments constructive and helpful.

First Components Ltd, Savigny Oddie Ltd, & Datum Engineering Ltd. is pleased to provide the following

EXIN Privacy and Data Protection Foundation. Preparation Guide. Edition

The University of Sheffield Research Ethics Policy Note no. 14 RESEARCH INVOLVING SOCIAL MEDIA DATA 1. BACKGROUND

The Information Commissioner s role

Ocean Energy Europe Privacy Policy

Australian Census 2016 and Privacy Impact Assessment (PIA)

Nymity Demonstrating Compliance Manual: A Structured Approach to Privacy Management Accountability

The EU's new data protection regime Key implications for marketers and adtech service providers Nick Johnson and Stephen Groom 11 February 2016

Castan Centre for Human Rights Law Faculty of Law, Monash University. Submission to Senate Standing Committee on Economics

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT. pursuant to Article 294(6) of the Treaty on the Functioning of the European Union

Use of Camera and Mobile Policy. Use of Camera and Mobile Phone Policy

Biometric Data, Deidentification. E. Kindt Cost1206 Training school 2017

1 SERVICE DESCRIPTION

SAINT VINCENT AND THE GRENADINES TELECOMMUNICATIONS (SPECTRUM MANAGEMENT) REGULATIONS 2007 ARRANGEMENT OF REGULATIONS PART I PRELIMINARY PART II

ICC POSITION ON LEGITIMATE INTERESTS

SAFEGUARDING ADULTS FRAMEWORK. Prevention and effective responses to neglect, harm and abuse is a basic requirement of modern health care services.

Employees, contractors and other personnel of KKR should note that a separate privacy notice will be made available to them.

Violent Intent Modeling System

Merton Clinical Commissioning Group Constitution. [29 May] 2012

THE EXECUTIVE BOARD OF DELFT UNIVERSITY OF TECHNOLOGY

Use of Pupils Images Policy This policy applies to all pupils, including those in EYFS

UK Research and Innovation Conflicts of Interest Policy

UK Research and Innovation. Counter Fraud and Bribery Policy

SURVEY QUESTIONS If you prefer an electronic copy of the survey please contact the Thomas Law Firm by at:

Commonwealth Data Forum. Giovanni Buttarelli

About the Office of the Australian Information Commissioner

Freedom of Information Act 2000 (FOIA) Decision notice

Privacy Policy. Catalyst.Net Limited. Version 1.0

Standard VAR b Generator Operation for Maintaining Network Voltage Schedules

2

KKR Credit Advisors (Ireland) Unlimited Company PILLAR 3 DISCLOSURES

Diana Gordick, Ph.D. 150 E Ponce de Leon, Suite 350 Decatur, GA Health Insurance Portability and Accountability Act (HIPAA)

FINAL NOTICE. MLP Private Finance Plc. 100 Fenchurch Street. London EC3M 5JD. Date: 21 February 2003

House of Lords Select Committee on the Constitution

The Ethics of Using Cameras in Care Settings

Wireless Sensor Networks and Privacy

VAR Generator Operation for Maintaining Network Voltage Schedules

Triennial Review of the Medicines and Healthcare Products Regulatory Agency. Call for Evidence

Photography policy. Policy history

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Privacy framework

TechAmerica Europe comments for DAPIX on Pseudonymous Data and Profiling as per 19/12/2013 paper on Specific Issues of Chapters I-IV

Dr Nicholas J. Gervassis University of Plymouth THE EMERGING UK DATA PROTECTION FRAMEWORK AND BEYOND

GDPR Awareness. Kevin Styles. Certified Information Privacy Professional - Europe Member of International Association of Privacy professionals

VAR Generator Operation for Maintaining Network Voltage Schedules

Statement on the Authorisation of Short Range Devices in 870 to 876 MHz and 915 to 921 MHz

Herts Valleys Clinical Commissioning Group. Review of NHS Herts Valleys CCG Constitution

ST. MARY in the MARSH PARISH COUNCIL

Guidance for Industry

Specialist Services Section

Contact with the media

THE UNIVERSITY OF AUCKLAND INTELLECTUAL PROPERTY CREATED BY STAFF AND STUDENTS POLICY Organisation & Governance

DATA PROTECTION POLICY

(Non-legislative acts) DECISIONS

Corporate Services. Yes. Chief Executive Officer. Head of Legal and Compliance. Policy and Compliance Officer

RULES AND REGULATIONS Title 58 RECREATION

VAR Generator Operation for Maintaining Network Voltage Schedules

Questionnaire February 2010

RULES AND REGULATIONS. Title 58 - RECREATION PENNSYLVANIA GAMING CONTROL BOARD [58 PA. CODE CH. 525] Table Game Internal Controls

Cash Converters Financial Services Guide

VAR Generator Operation for Maintaining Network Voltage Schedules

Hong Kong Personal Data Protection Regulatory Framework From Compliance to Accountability

Graffiti Management Strategy Update

The Information Commissioner s response to the Draft AI Ethics Guidelines of the High-Level Expert Group on Artificial Intelligence

TECHNICAL AND OPERATIONAL NOTE ON CHANGE MANAGEMENT OF GAMBLING TECHNICAL SYSTEMS AND APPROVAL OF THE SUBSTANTIAL CHANGES TO CRITICAL COMPONENTS.

Session 1, Part 2: Emerging issues in e-commerce Australian experiences of privacy and consumer protection regulation

Primary IVF Conditions for Registration For Assisted Reproductive Treatment Providers under the Assisted Reproductive Treatment Act 2008

Management of Unacceptable Behaviour On School Transport A COMMON APPROACH

Exemplar Assignment Brief. Pearson BTEC Level 2 Award for Working as a CCTV Operator (Public Space Surveillance) within the Private Security Industry

The Recast RoHS Directive 2011/65/EU

ITAC RESPONSE: Modernizing Consent and Privacy in PIPEDA

Getting the evidence: Using research in policy making

Surveillance Technologies: efficiency, human rights, ethics Prof. Dr. Tom Sorell, University of Warwick, UK

Transcription:

Appendix 2 Privacy Impact Assessment on use of CCTV CCTV is currently in the majority of the Council s leisure facilities, however this needs to be extended to areas not currently covered by CCTV. Background Close Circuit Television (CCTV) is visual surveillance technology designed to monitor a variety of environments and activity. The Data Protection Act 1998 regulates the processing of personal and sensitive personal data. The Act impacts upon the use of CCTV if images that focus on an individual are recorded. These must be aimed at identifying a particular person or learning about their behaviour. The Information Commissioner s Office (ICO) has issued a Code of Practice (COP) relating to CCTV and this provides standards the ICO considers good practice on the processing of images and footage. It sets out how a Data Controller should manage the overall processing of CCTV data. This is a very important part of meeting compliance with the Act and the COP has been considered in the development of this document. The personal data processed as part of the CCTV system is controlled by Derry City and Strabane District Council who is the Data Controller of the personal data recorded for this purpose. Leisure and Sports Services currently operates a number of CCTV cameras both internally and externally in all its facilities. The use of CCTV in leisure and sports centre is now considered common place and significantly enhances the safety and wellbeing of staff and the public, the protection of children and vulnerable adults, prevention, investigation and detection of crime and anti-social behaviour, and investigation into and criminal activity. Whilst the current coverage of CCTV in facilities is good, there have been regular occasions when a lack of CCTV coverage in key areas of facilities was absent and detrimental to addressing issues. 1

Information flows The use of CCTV cameras will fall into the category of overt recording and is not subject to the Regulation of Investigatory Powers Act 2000 (RIPA). They are not to be used in a hidden or covert manner. CCTV will capture individuals travelling or walking through an area within the leisure centres, CCTV will also capture moving video of cashing up areas for front of house staff. Management at Leisure and Sports facilities believe that additional coverage of CCTV cameras in key designated areas of facilities would improve and enhance the service as outlined in the CCTV policy. Details: Foyle Arena currently has village changing in its swimming pool changing area and a number of Councils have now installed CCTV coverage in these areas to further enhance the protection of children, vulnerable adults, staff and the public and it is proposed that additional CCTV coverage is installed in village changing corridors. At present both Foyle Arena and Riversdale Leisure Centre operate CCTV coverage overlooking the swimming pools at these sites. It is proposed that Templemore Sports Complex and City Bath install cameras in both main and learner pool halls at these sites to align provision of CCTV across the service. Templemore Sports Complex currently has no internal CCTV coverage in its sports hall. To align with our facilities and to improve the coverage in this area, it is proposed 2 CCTV cameras are installed in this area. At present the new Sports Centre in Brooke Park has no internal CCTV Coverage with the 3G and Grass Pitch at this site currently having no external coverage. It is proposed that five internal cameras installed for the sports centre and two external cameras for the 3G and grass pitch, and one covering cash handling at the Brooke Park Leisure Centre reception area are installed at this site. Recently some facilities of Leisure and Sports Services have undergone internal financial audits. A recommendation from these audits, to further protect employees, is to include CCTV cameras over counter cash draws, at key cash counting areas and in areas that safe s are located. Therefore it is proposed that CCTV coverage is installed in these areas at all Leisure and Sports Facilities.

Cameras will be positioned in a suitable location with appropriate signage which enables members of the public to see both the camera and read the signage advising them what organisation installed the camera(s) and their purpose. Cameras will observe members of the public using the area CCTV Leisure & Sports Services Cameras Controlled by Derry City and Strabane District Council Additional Requirements Requirement 1 Facility Name Foyle Arena Number of Cameras office 6 = 3 x village changing corridors, 2 x front of house area, 1 x cash Age of System 2years Temporary or Permanent Permanent Type of Camera 24 hour cover Record or Download Download Overwrite Time 30 days Location of Recording Equipment Comms Room, Foyle Arena Who Has Access Leisure Area Manager, service managers Requirement 2 Facility Name Templemore Sports Complex

Number of Cameras 7 = 3 in pool area, 1 x front of house, 1 x cash office, 2 x Sports Hall. Age of System 10 years+ Temporary or Permanent Permanent Type of Camera 24 hour cover Record or Download Download Overwrite Time 30 days Location of Recording Equipment Comms Room, Templemore Sports Complex Who Has Access Leisure Area Manager, service managers Requirement 3 Facility Name Brooke Park Sports Centre & Pitches Number of Cameras 8 = 1 x grass pitch, 1 x 3G pitch, 1 x reception office in leisure centre, 5 x sports centre including reception, gym, studio 1, boxing studio, activity room Age of system 1 year Temporary or Permanent Permanent Type of Camera 24 hour cover Record or Download Download

Overwrite Time 30 days Location of Recording Equipment Brooke Park Leisure Centre Who Has Access Leisure Area Manager, service managers Requirement 4 Facility Name Riversdale Leisure Centre Number of Cameras 1 x cash office area Age of system 2 years Temporary or Permanent Permanent Type of Camera 24 hour cover Record or Download Download Overwrite Time 30 days Location of Recording Equipment LAM Office Who Has Access Leisure Area Manager, service managers Control Processes for Derry City and Strabane District Council CCTV Cameras Service Area Leisure & Sports Services Location Foyle Arena, Brooke Park L&S Centre, Templemore Sports Complex Purpose for which CCTV is processed

The use of CCTV in leisure and sports centre is now considered common place and significantly enhances the safety and wellbeing of staff and the public, the protection of children and vulnerable adults, prevention, investigation and detection of crime and anti-social behaviour, and investigation into and criminal activity. When was this purpose reviewed and is its use proportionate to the issue/problem Reviewed August 2017 and deemed proportionate. Who has access to the CCTV footage Leisure Area Managers, Service Managers Is this access to live or recorded footage or both Both Who responsible for the control of the of the information (data controller) Leisure Area Manager Who is resp. for deciding Leisure Area Manager what is recorded Who is resp. for deciding Leisure Area Manager where the CCTV is set up Who is resp. for deciding Leisure Area Manager how the info is used Who authorises the release of CCTV footage Head of Service/Director Who is resp for storage of the information Leisure Area Manager Who is resp for deletion Information not deleted, overwritten after 30 days

of the information Consultation requirements The use of CCTV has been discussed across Council services who deal with environmental crime issues in various leisure facilities, green spaces, football pitches, play areas, parks, walkways and popular pathways etc. The use of CCTV in leisure and sports centre is now considered common place and significantly enhances the safety and wellbeing of staff and the public, the protection of children and vulnerable adults, prevention, investigation and detection of crime and anti-social behaviour, and investigation into and criminal activity. What is the organisation s purpose for using CCTV? What are the problems it is meant to address? The use of CCTV in leisure and sports centre is now considered common place and significantly enhances the safety and wellbeing of staff and the public, the protection of children and vulnerable adults, prevention, investigation and detection of crime and anti-social behaviour, and investigation into and criminal activity. What are the views of those who will be under surveillance? The general feeling is that people who are not involved in crime are happy to be in an area that is monitored by CCTV cameras. There are some members of society both law abiding and those who are not, who have issues with being in areas covered by CCTV cameras. By abiding with current legislation. What are the benefits to be gained from its use? CCTV is a proven tool in detecting offences, and the perpetrators of it. Using CCTV can significantly reduce the time and cost on the Council in investigating allegations. CCTV captures actual events and is not influenced by interpretation. CCTV also helps deter offences occurring.

Following on from a recent financial audit, CCTV in front of house and cash office areas will be used to protect the employee when handling and counting cash. The deployment of CCTV camera technology will produce a number of benefits to the Council including: Deter environmental crime Lessen challenges to Council Officers as the cameras will provide a first-hand visual account of offence(s) identified; Assist in the gathering of evidence. What could you do to minimise intrusion for those that may be monitored, particularly if specific concerns have been expressed? Derry City and Strabane District Council officers will be trained on the proper installation of the cameras. The cameras will be used on a proper and legal basis, comply with the Data Protection Act and regular reviews of camera performance will be undertaken to justify their need. Can CCTV technology realistically deliver these benefits? Yes, and does so consistently for other Local Authorities across the UK. Do you need images of identifiable individuals, or could the scheme use other images not capable of identifying the individual? The system must be capable of identifying individuals, as footage from the system could be used for enforcement of statutory legislation by Council in regard to criminal activity. If the system did not have this capability it would not be fit for purpose. Will the particular equipment/system of work being considered deliver the desired benefits now and remain suitable in the future? Yes. Derry City and Strabane District Council working methods are unlikely to change. The system will be installed and closely monitored and reviewed to determine its effectiveness. What future demands may arise for wider use of images and how will you address these?

Legislation can and does change. We will comply with all future regulations placed upon us. The demand for wider use of images captured is likely to be very small however any additional use of images will be considered in line with the Council s Data Protection Policy and CCTV policy. Due to the overt nature of CCTV, the signage displayed and the information imparted, it should make an individual aware they are being recorded in relation to an incident or investigation. Identify the privacy and related risks Annex three was used to help identify the DPA related compliance risks. Privacy issue Inadequate disclosure controls The information being used for a different purpose Risk to individuals Increase the likelihood of Information of general public being shared inappropriately. The context in which information is used or disclosed can change over time, leading to it being used for different purposes without people s knowledge. Compliance risk Associated organisation / corporate risk Non-compliance with the DPA. Non-compliance with the Privacy and Electronic Communications Regulations (PECR). Non-compliance with sector specific legislation or standards. Non-compliance with human rights legislation. Council reputation and possible litigation Non-compliance with the DPA or other legislation can lead to sanctions, fines and reputational damage. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, is less useful to the business. Public distrust about how information is used can damage an organisation s reputation and lead to loss of business/engagement.

CCTV surveillance methods and measures are unnecessary Inappropriate use and sharing of information. Disclosure of information capturing Vulnerable people Could lead to an unjustified intrusion on people s privacy. The sharing and merging of datasets can allow organisations to collect a much wider set of information than individuals might expect. Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information. Data losses which damage individuals could lead to claims for compensation. Inappropriate storage or duplication of collected information. Information which is collected and stored unnecessarily, or is not properly managed so that duplicate records are created, presents a greater security risk.

Collected information being retained for too long. If a retention period is not established information might be used for longer than necessary

Identify privacy solutions Risk Solution(s) Result: is the risk eliminated, reduced, or accepted? Evaluation: is the final impact on individuals after implementing each solution a justified, compliant and proportionate response to the aims of the project? Inadequate disclosure Controls put in place in Eliminated Yes controls accordance with Council CCTV policy, DPA and PECR to ensure that information of general public is not shared inappropriately. The information being used Controls put in place in Reduced Yes for a different purpose accordance with Council CCTV policy, DPA and PECR to ensure that information 1

of general public is not shared inappropriately. Legislation can and does change. We will comply with all future regulations placed upon us. The demand for wider use of images captured is likely to be very small however any additional use of images will be considered in line with the Council s Data Protection Policy and CCTV policy. Other law enforcement agencies such as the PSNI will be granted access to the images if a legitimate request is received. DCSDC will be the Data Controller

at the point of images being recorded, however if any images are released to any of the authorised organisations, then the legal responsibility will be transferred to that organisation in relation to the images that have been released. CCTV surveillance methods CCTV will only be used in Eliminated Yes and measures are areas where there is a unnecessary problem of environmental crime and other methods have been tried or deemed ineffective. Problem areas will be identified through good internal Council communication, number of complaints via members of

Inappropriate use and sharing of information the public or elected representatives. CCTV information will only be shared internally for the purposes of Council fulfilling its statutory functions. Eliminated Yes DCSDC is the main user of the CCTV system, however, other law enforcement agencies such as the PSNI will be granted access to the images if a legitimate request is received. DCSDC will be the Data Controller at the point of images being recorded, however if any images are

released to any of the authorised organisations, then the legal responsibility will be transferred to that organisation in relation to the images that have been Disclosure of information released. Eliminated Yes capturing Vulnerable people Controls put in place in accordance with Council CCTV policy, DPA and PECR to ensure that information relating to vulnerable people is not shared Inappropriate storage or inappropriately. Eliminated Yes duplication of collected information. Controls put in place in accordance with Council CCTV policy, DPA and PECR to ensure that information is not collected and stored unnecessarily, and is

properly managed to avoid the creation of duplicate Collected information being retained for too long. records. Eliminated Yes Irrelevant CCTV images can be deleted upon viewing, relevant information is held pending investigation and prosecution and then retained for periods recommended under DCSDC Retention and Disposal Policy and Schedule.

Sign off and record the PIA outcomes Who has approved the privacy risks involved in the project? What solutions need to be implemented? Risks Approved solutions Approved by Inadequate disclosure controls Controls put in place in accordance with Council CCTV policy, DPA and PECR to ensure that: Information of general public, vulnerable people is not shared inappropriately. Barry O Hagan, Head of Service Karen McFarland, Director The information being used for a different purpose Information is not collected and stored unnecessarily. CCTV surveillance methods and measures are unnecessary Inappropriate use and sharing of information Disclosure of information capturing Vulnerable people Inappropriate storage or duplication of collected information. Collected information being retained for too long. Information is properly managed to avoid the creation of duplicate records. Irrelevant information is deleted upon viewing, relevant information is held pending investigation and prosecution and then retained for periods recommended under DCSDC Retention and Disposal Policy and Schedule. 1

Integrate the PIA outcomes back into the project plan Action to be taken Integrate the PIA outcomes back into the project plan and update any project management paperwork Date for completion of actions 30 September 2017 Paul Tamati Responsibility for action Contact point for future privacy concerns Paul Tamati

Annex three Linking the PIA to the data protection principles Answering these questions during the PIA process will help you to identify where there is a risk that the project will fail to comply with the DPA or other relevant legislation, for example the Human Rights Act. Principle 1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: a) at least one of the conditions in Schedule 2 is met, and b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. Have you identified the purpose of the project? How will you tell individuals about the use of their personal data? Do you need to amend your privacy notices? Have you established which conditions for processing apply? If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn? If your organisation is subject to the Human Rights Act, you also need to consider: Will your actions interfere with the right to privacy under Article 8? Have you identified the social need and aims of the project? Are your actions a proportionate response to the social need? Principle 2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Does your project plan cover all of the purposes for processing personal data?

Have you identified potential new purposes as the scope of the project expands? Principle 3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Is the quality of the information good enough for the purposes it is used? Which personal data could you not use, without compromising the needs of the project? Principle 4 Personal data shall be accurate and, where necessary, kept up to date. If you are procuring new software does it allow you to amend data when necessary? How are you ensuring that personal data obtained from individuals or other organisations is accurate? Principle 5 Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes. What retention periods are suitable for the personal data you will be processing? Are you procuring software that will allow you to delete information in line with your retention periods? Principle 6 Personal data shall be processed in accordance with the rights of data subjects under this Act. Will the systems you are putting in place allow you to respond to subject access requests more easily? If the project involves marketing, have you got a procedure for individuals to opt out of their information being used for that purpose?

Principle 7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Do any new systems provide protection against the security risks you have identified? What training and instructions are necessary to ensure that staff know how to operate a new system securely? Principle 8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country of territory ensures and adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Will the project require you to transfer data outside of the EEA? If you will be making transfers, how will you ensure that the data is adequately protected?

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback