1. Introduction 1.1. Overview The use of Closed Circuit Television or Surveillance Cameras (collectively known as CCTV) that capture and process images of individuals, who can be identified from those images, must be operated in accordance with the Data Protection Act 1998 (DPA). Network Rail (NR) makes extensive use of CCTV throughout its railway network and infrastructure, office buildings, ROCs, depots and facilities and managed stations to safeguard staff, visitors, contractors and its premises. At times its use can be considered intrusive and impact on the privacy of individuals. With this being the case, we must ensure that the personal information we process via CCTV is obtained lawfully, used fairly, only retained when necessary, stored securely and not disclosed to unauthorised persons. 1.2. Purpose The purpose of this policy is to: 1.3. Scope ensure the processing of images via CCTV complies with the principles set out in the DPA, other relevant legislation and NR s Privacy and Data Protection Policy; regulate how NR operates, administers and uses CCTV; provide employees with an understanding of the purpose, management and operation of the CCTV by NR and their role in supporting this. This policy applies to all: all employees working for or on behalf of NR who operate CCTV on behalf of NR; third party service providers that process and operate CCTV on behalf of NR; This policy is for the benefit of: employees, contractors, visitors, members of the public and all other individuals whose image(s) may be captured by CCTV owned and/or operated by or on behalf of NR. This policy only covers the overt use of CCTV. NR does not undertake covert surveillance. 1.4. Legislative context Data Protection Act 1998 Freedom of Information Act 2000 Human Rights Act 1998 Health and Safety at Work Act 1974 Protection of Freedoms Act 2012 Air Navigation - The Orders 2009, CAP722 CCTV and Surveillance Camera Policy - Final v1.0 2
1.5. Definitions The following terms are used in this policy: Personal information (PI) in the context of CCTV is an image or other information/data from which a living individual can be identified where: the individual is the focus of the image; the image contains or shows significant information about that individual; the processing of the image affects the individual s privacy. Individual or data subject means a person who is the subject of the personal information; process or processing in the context of CCTV means actions carried out with the images such as collecting, streaming, monitoring, recording, storing, retrieving, viewing, holding, downloading, copying, disclosing, deleting, erasing or destroying images; CCTV and Surveillance Cameras encompasses but is not limited to traditional CCTV, Automatic Number Plate Recognition (ANPR), Body Worn Video Cameras (BWV),Unmanned Aerial Systems(UAS), Automatic Recognition Technologies (ART); Personal Information Owner means an individual or business area who initially collects or creates the personal information or is the primary user of the personal information; third party service provider means an independent external organisation that provides a service that processes CCTV images on behalf of NR; security means to protect the confidentiality, integrity and availability of personal information; 2. Policy statement privacy impact or privacy risk assessment means to identify, assess and manage the risks that may arise from the use of CCTV. NR is committed to complying with the DPA and other relevant privacy legislation. To support the above statement we will adhere to the following principles when operating CCTV in the course of running our business operations. We will: comply with the requirements of the DPA, the Information Commissioner's Code of Practice for Surveillance Camera and Personal Information and the Surveillance Camera Commissioner Surveillance Camera Code of Practice; ensure the use of CCTV is always for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need; register the purposes and objectives of our use of CCTV with the Information Commissioner and only operate CCTV in the manner registered. NR has registered the following purposes: prevention and detection of crime; CCTV and Surveillance Camera Policy - Final v1.0 3
maintain the safety and security of NR properties and assets and for those individuals who make use of those properties and assets(i.e. employees, members of the public, tenants); gathering census data Level Crossing misuse undertake Privacy Impact Assessments prior to making use of CCTV in order to identify and manage any privacy risks associated with its use; plan, design and install CCTV that takes into consideration any approved operational, technical and competency standards relevant to the system and its purpose; only make use of CCTV in an overt manner. Cameras will be noticeably visible with clear information notices and signs placed at all entry routes to the areas covered to make staff, contractors, visitors and members of the public aware they are entering an area covered by CCTV; position cameras so that they only cover up to the boundaries of NR premises; no cameras will focus on any lineside neighbour s property, residential accommodation or areas within the NR buildings or facilities where there is an expectation of privacy; maintain and service CCTV to ensure that recorded images remain clear and accurately reflect the date and time of day so that footage can used evidentially; only retain images for legitimate business purposes, securely storing any images that are retained for evidential purposes, securely deleting them once their purpose(s) have been discharged; comply with all subject access requests made for CCTV footage and ensure that disclosures to third parties are only be made in accordance with the purpose(s) for which the CCTV is operating; ensure access to, transmission, viewing and storage of live or recorded images are appropriately secured and restricted with clearly defined rules on who can be gain access. document all requests for disclosures of footage and log the movement of all footage downloaded or removed for viewing purposes; provide appropriate training for all staff involved in the operation of CCTV; undertake regular reviews to ensure the use of CCTV remains justified; 3. Roles and responsibilities The Executive Committee are ultimately accountable for ensuring that NR meets its legal obligation under Data Protection legislation. The following roles have overall responsibility for CCTV operated within the NR estate: Route Managing Directors Managing Director, Property Director, Maintenance and Operations Services CCTV and Surveillance Camera Policy - Final v1.0 4
It is their responsibility, as the Personal Information Owners, to: designate a Responsible Officer/Appointed Person and delegate responsibility for the day-to-day operation of CCTV within their area of the business; maintain an up-to-date directory of those designated Responsible Officers/Appointed Person; maintain an up-to-date inventory of all CCTV installations within their area of the business; It is the responsibility of the Responsible Officer/Appointed Person to: manage the day-to-day operation of the CCTV along with their designated staff who actually operate the CCTV equipment and handle the data within their charge (including those services outsourced); maintain the security of and accountability for all data/images, equipment and media used by the system; maintain the operational integrity of the CCTV system with regular maintenance plan; maintain an access control list of the individuals authorised to view or download live, recorded or still images; process information requests from data subjects and third parties; provide training for staff designated to operate CCTV; It is the responsibility of Designated Staff who operate CCTV to: operate the system in accordance with requirements set out in this policy document, the CCTV Protocol and specific operational procedures; work to meet and maintain those standards to ensure that the system will give maximum effectiveness and efficiency for the purpose proposed ensure that their training is up to date; bring any faults or misuse of the CCTV system or equipment to the Responsible Officer s/appointed person s attention immediately; It is responsibility of the Data Protection Officer to: monitor adherence to the NR CCTV Policy and CCTV Protocol; Maintain this policy and the supporting CCTV Protocol Third party suppliers who process personal information on behalf of NR must comply with this policy. 4. Policy breach 4.1. Any action that is found to have breached this policy or any of its supporting procedures where the breach results in non-compliance with the law will be CCTV and Surveillance Camera Policy - Final v1.0 5
dealt with in accordance with NR s disciplinary procedures. This could lead to termination of employment for employees; termination of a contract in the case of service providers, consultants or temporary staff and expulsion in the case of a voluntary placement. 4.2. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s). 5. Policy compliance 5.1. Planned reviews will be undertaken as appropriate, by the Data Protection Officer to assess compliance to the policy. 5.2. In the event of not understanding the implications of this policy or how it may apply seek advice from your line manager or the Data Protection Officer. 6. Policy review and revision 6.1. This policy was approved by the Group General Counsel on 2 September 2015 and supersedes the previous CCTV Policy which was last updated on 7 January 2013. This policy will be reviewed on an annual basis. It will be amended in response to changes in managerial, operational or legal requirements. Every effort will be made to ensure that relevant individuals are made aware of those changes when they occur. 7. Supporting procedures and guidance 7.1. This policy is intended to act as a framework to support standards and promote compliance with the data protection. This policy should also be read in conjunction with the NR s Privacy and Data Protection Policy and the ICO s Surveillance Camera Code (2014). 7.2. Key policies, procedures and guidance relevant to this policy are listed below and can be found on Connect: CCTV Standard and Guidance (to be drafted) Directory of Responsible Officers Inventory of CCTV Installations Privacy and Data Protection Policy Code of practice for Surveillance Camera and Personal Information Information Security Policy Classification Standard Cyber Security Guide Retention Schedules CCTV and Surveillance Camera Policy - Final v1.0 6