YMCA St Paul's Group CCTV Policy

1. Ownership

1.1 YMCA St Paul’s Group (YSPG) operates a CCTV surveillance system (“the CCTV system”) in its premises (“YSPG premises).
1.2 The CCTV system installed in YSPG premises is owned and operated by YSPG and is monitored locally by authorised staff only.
1.3 This policy sets out YSPG’s principles guiding the use of the CCTV system in accordance with all relevant laws.

2. Compliance

2.1 YMCA is fully committed to meeting its obligations under the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and associated legislation (“the Data Protection Laws”).
2.2 Images obtained from the CCTV system (“Images”) which includes recognisable individuals constitutes personal data and are covered by the Data Protection Laws and this policy should be read in conjunction with the Privacy and Cookies Policy found on the YSPG website at www.ymcastpaulsgroup.org
2.3 YSPG complies with the Information Commissioner’s Office (ICO) Closed Circuit Television Code of Practice and is appropriately registered with the ICO as a data controller.

3. Purpose

3.1 YSPG uses the CCTV system and the images produced (“Images”) to protect the rights and freedoms of clients, staff, volunteers, visitors, partners and anyone using the YSPG premises. This includes to prevent or detect crime in order to provide a safe and secure environment for everyone working at, or using, the YSPG premises and its facilities.

4. Description

4.1 The CCTV system used in YSPG premises comprise a number of fixed and dome cameras which do not have any sound recording capability.
4.2 The CCTV system is positioned in such a way as to prevent, or minimize, recording of passers-by or of another person’s private property including restricting visibility of live images of data subjects through windows, doors, reflections etc. from visitors or persons located outside the area.
4.3 The CCTV system monitors and records areas including the following:
4.3.1 building perimeter, entrances/exits, lobbies and corridors, special storage areas, cashier locations, receiving areas for goods/services etc.;
4.3.2 locations of access control systems and intrusion alarms; and
4.3.3 public areas such as parking facilities.
4.4 CCTV signs are prominently placed at the main external entrance of each of the YSPG premises and other outdoor areas as appropriate
4.5 It is not the policy of YSPG to conduct ‘covert monitoring’ unless there is a legal, legitimate or public interest to do so, and any such requests will be decided taking into account proper justification on a case by case basis.

5. Operation

5.1 The Images are recorded may be monitored by local authorised staff and will where possible not be visible to the public. Access to the CCTV system is strictly limited.
5.2 All staff who work on the CCTV system are made aware of the sensitivity of handling Images and are trained in all aspects of the CCTV system.

6. Access

6.1 Access to Images will be restricted to only those staff authorised to view them.
6.2 Copies of Images will only be made where:
6.2.1 the incident recorded is required to assist in the investigation of offences and/or the prosecution of offenders by the Police; or
6.2.2 a copy is required to satisfy a valid subject access request (see section 9 below).
6.3 Where the CCTV system on YSPG premises may be controlled, supported or managed by another company on its behalf, YSPG will ensure that:
6.3.1 a legally binding contract outlining the responsibility of the contracting company as a data processor, as provided for by the Data Protection Laws, is in place; and
6.3.2 YSPG will secure sufficient guarantees from the contracting company in respect of the technical and organisational measures to be put in place to secure personal data that will be processed by them.

7. Retention

7.1 The CCTV system is programmed to automatically record Images for a storage period of 28 days after which the Images are erased unless required for the investigation of offences or evidential purposes.
7.2 While retained, the integrity and confidentiality of the Images will be maintained at all times to ensure the rights of data subjects are protected whilst, at the same time, upholding the integrity of data stored.
7. Subject Access Requests (SAR)
7.1 In accordance with the provisions of the Data Protection Laws, individuals have the right to request access to CCTV footage relating to themselves (unless where disclosure to the individual would prejudice an ongoing criminal enquiries or proceedings).
7.2 Procedures are in place to ensure that all such access requests are dealt with effectively and within the law. If you wish to make a request, please write to us at the contact details set out in section 9 below setting out as much information as you can, including date, time and location of the requested data.

8. Access to and Disclosure of Images to Third Parties

8.1 Disclosure of Images will only be made to third parties in accordance with the CCTV system and in compliance with the Data Protection Laws, including to aid the investigation of a particular offence or incident, or a requirement under any enactment, rule of law or court or as required by a legal representative of YSPG.
8.2 All requests for disclosure will be recorded and, where appropriate, the images of other individuals not concerned will be blurred to protect their confidentiality.

9. YSPG’s Contact Details

Members of the public should address any subject access requests, concerns or complaints over use of the YSPG’s CCTV system by:

• writing to us at YMCA St Paul’s Group, 49 Victoria Road, Surbiton, KT6 4NG
• calling us on 0208 399 5427; or
• emailing to gdprenquiries@ymcaspg.org

YSPG staff should address any enquiries or concerns relating to the CCTV system to their line manager in the first instance.

10. Annual review

This policy (Version 1) was last updated in July 2018 and will be reviewed annually to ensure that it complies with the Data Protection Laws.