The CCTV Code of Practice gives valuable guidance in the use of CCTV, and the protection of law-abiding citizens. It also provides guidance on producing evidence against perpetrators of Criminal action.
Surveillance technology will only be used by Cardiff Council if such devices have been assessed through a Data Protection Impact Assessment and justified in line with the lawful conditions for processing under the Data Protection Act 2018.
The Information Governance Manager is responsible for this Policy and Code of Practice and will review and amend the CCTV Code of Practice as appropriate and publish such amendments on an annual basis.
Council Services’ and device owners who operate surveillance technology are responsible for ensuring that the requirements as set out within this policy are followed at all times.
1.2 It sets out to ensure the most effective use of the systems operated by Cardiff Council to prevent crime and disorder and ensure the safety of officers where applicable. It endeavours to uphold the civil liberties of those who live, work and visit Cardiff.
1.3 All partners who benefit from the Council’s CCTV system agree to be bound by this Policy and Code of Practice in order that the public interest may be best served.
1.4 The Code of Practice applies to all CCTV installations operating in conjunction with the Authority and all CCTV equipment linked into the Authority's Partnership with South Wales Police Operations, where such devices are owned by the Authority. This includes hand held, body worn and portable devices and automatic number plate recognition (ANPR) technology.
1.5 A separate Infrastructure CCTV Code of Practice is used for Highways telematics cameras. The Infrastructure Code of Practice must be consistent with this overarching Policy, and in line with the handling requests for information protocol in place between the Council and South Wales Police
1.6 It is important to state from the outset that CCTV systems will not be used as "spy systems". There will be no interest shown in or deliberate monitoring of people going about their legitimate business.
1.7 All devices operated are subject to Data Protection Impact Assessments in line with the CCTV In the Picture Code of Practice and Surveillance Camera Code of Practice to ensure that they have legitimate purposes for processing in line with the requirements of the Data Protection Act and Article 8 of the Human Rights Act.
1.8 Retention of footage varies depending on the device and location. All digital images recorded are kept for no longer than 31 days after which they will be automatically overwritten. After these agreed retention dates such data will be overwritten unless a valid access request has been made under the following circumstances:-
Police for the purpose of any criminal investigation, Under the Schedules 2 and 3 of the Data Protection Act 2018.
Officers of Cardiff Council for the purpose of any civil investigation.
Any legal obligation for access under the provisions of the Data Protection Act 2018.
The release of any digital images will be in accordance with this Policy and Code of Practice and the Council’s Data Protection Act Requests for Information Policy.
2.1 The use of the systems operated by Cardiff Council shall be for the purpose of:-
a) Providing the Police and the Council with evidence to take criminal and civil action in the Courts;
e) Deterring or reducing the incidence of vandalism, graffiti, and other environmental crime;
f) Deterring persons from committing crimes and to enhance the opportunities for detecting those who do;
g) Improving the safety and security of residents, visitors and the business community;
h) Discouraging anti-social behaviour including alcohol and drug-related elements;
j) Traffic Monitoring of Highways and Tunnels across the City of Cardiff, including traffic movement and contraventions in line with additional powers granted to the Council by the Welsh Government.
2.2 The Authority is committed to maintaining, reviewing, and enhancing the systems in order to ensure and improve their effectiveness. It is also committed to maintaining civil liberties. Any additional purposes of processing will be considered in line with legislation outlined in this Policy and Code of Practice.
The use of Body Worn Camera technology for Council employees will be outlined within the Council’s Body Worn Camera Policy.
The use of ANPR technology for Council services will be outlined within Service Operational Procedures which will be made publicly available.
3.0 Operational Code of Practice
3.1 No CCTV images shall be sold (or given) for commercial use nor made available to any person other than the Police, Fire Service, Legal profession, partner agency or Local Authority Staff (as defined in this Code of Practice), except under certain circumstances.
3.2 Any members of the General Public who approach the Council requesting to view the content of any CCTV images regarding any incident will be advised to report the matter to the Police or Insurance Company for further investigation. Where a member of the public specifically asks to see CCTV images of themselves, they should be advised of the individual rights provisions under the Data Protection Act 2018.
3.3 All requests for information must be managed in line with the Council’s Data Protection Act Requests for Information Policy, which contains forms which should be used in the event of requests for footage being received.
3.4 Any requests from the Police or any other bodies for CCTV images must be made under the non-disclosure provisions of the Data Protection Act 2018 and provided on either the Police approved ACPO Disclosure Forms, or on Cardiff Council’s Schedule 2 and 3 Requests for information Form. Requests from the Police should be signed by an Inspector or an Officer of higher authority. The Police will also sign and accept responsibility as part of their obligations under the Data Protection Act 2018 for any image released into their care.
3.5 All such requests must be approved by the relevant officer in line with the Council’s Schedule 2 and 3 Requests guidance before release. All such requests must be formally logged and recorded for a minimum of 3 years and this register of requests retained for audit inspection.
3.6 All requests from internal Directorates/Service Areas for access to CCTV images must also be made on the agreed standard Schedule 2/3 Data Protection disclosure forms and approved by the relevant officers and logged and retained for a period of 3 years.
3.7 All CCTV images provided by the Council shall remain its property at all times and at no time is the copyright transferred to the recipient.
3.8 The Police, when required, and where operational factors allow, shall, with agreement of the authority, have operational access to view any of the Authority's CCTV installations. Services should contact the Information Governance Team if advice is required.
3.9 CCTV images recorded shall be kept for maximum of 31 days, unless requested for the purposes stated at Para. 1.8, in which case a copy of the data will be retained, or unless the retention of such images are kept for shorter periods of time as defined within this Policy and Code of Practice.
3.10 No CCTV system shall intentionally overlook and view into private premises without receiving prior consent from the occupiers of those premises unless allowed by law.
3.11 No CCTV system shall be installed or operated unless such equipment has been vetted through a Data Protection Impact Assessment (DPIA). A DPIA would consider any privacy and collateral intrusive risks, including inadvertent/accidental disclosure of data.
3.12 Requests from Insurance Companies/Solicitors acting on behalf of an individual must be accompanied with signed consent in addition to other information required to process a request as outlined in the Council’s individual rights procedures.
4.0 Requests from the media for CCTV video images of crimes or criminals
4.1 CCTV images will not normally be given to the media for broadcast or reproduction. However, in exceptional circumstances, they may be provided under strict controls if it is thought that by so doing, they may assist in solving a crime or potential criminal activity, but this should only be done with the express approval of all the partners and under the following conditions.
4.2 The Data Protection Act 2018 sets out clear controls that personal data should not be disclosed to third parties subject to certain exceptions and were images from which a living individual can be identified.
4.3 Disclosure of CCTV images to the media for broadcasting or reproduction may be done in the following circumstances:
a) If it would assist in the prevention or detection of crime, or the apprehension of prosecution of offenders.
b) If there is a reasonable belief that having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest.
4.4 In deciding whether to disclose CCTV images to the media, a balance should be struck between the individuals’ right to a private / family life against the reason in (a) or (b) above for the disclosure of the information.
4.5 CCTV images should not be disclosed to the media unless the consent of any victim of a crime shown on the image has been first obtained wherever possible and in partnership with the Police.
4.6 Before any CCTV images are released to the media advice should be sought from the Data Protection Officer and Legal Services.
5.0 Changes to this code of practice
5.1 Minor changes to the Policy and Code of Practice and Operational Manual that are required to efficiently maintain the operation of CCTV devices may be made by the Information Governance Manager or Senior Information Risk Owner.
5.2 Any major changes to the Policy and Code of Practice will be agreed by the Cabinet.
6.0 Responsibilities of the operators of the systems
6.1 The Operators of the system have prime responsibility for: -
a) Compliance with the purpose and objectives of the system.
b) Operation and security of the system.
c) The protection of the interests of the public and of the individual as far as is practical.
d) The compliance with this Policy and Code of Practice.
e) Compliance with Individual Rights requirements to footage;
f) Compliance with all legislation pertaining to the use of the system.
g) Ensuring they comply with the Council’s training requirements.
7.0 Management of the system
7.1 The nominated owner of each CCTV device will be responsible for ensuring that the use of devices is in accordance with the legislative requirements as set up in this Policy and Code of Practice.
7.2 The Senior Information Risk Owner will have overall responsibility for ensuring that devices are operated in accordance with the legislation, and for the management of this Policy and Code of Practice.
7.3 Owners of devices must be clearly stipulated and will form part of publicly available registers. Register of CCTV Assets is available online: https://foi.cardiff.gov.uk/eng/Pages/OpenData_All.aspx
7.4 Device owners will be responsible for complying with annual assurance audits and for completing any surveys/assessments when required by the Surveillance Camera Commissioner (SCC).
7.5 Device owners should be familiar with all requirements of operation of surveillance cameras and ensure that they always have compliant processes in place.
8.0 CCTV monitoring
8.1 Access to and Security of Monitoring Equipment
a) Access to view monitors, whether to operate the equipment or to view the images, is limited to authorised staff with that responsibility.
b) Only authorised personnel are to be admitted to the control rooms in which such monitoring is viewable. The names of all authorised personnel must be held within each operating room and all such staff must carry an official identification card.
c) Visits by non-authorised personnel for example, Councillors, Council employees or the Police can only be authorised by the system owner.
d) Visitors will only be allowed access if the visit has been authorised in advance. An authorised member of staff must accompany all visitors and ensure that they sign the visitor’s book on entering and exiting the building.
e) Access to or demonstration of monitors shall not be allowed except for lawful, proper and sufficient reasons and, on such occasions, adequate precautions shall be in place to ensure security and privacy of individuals and information.
8.2 Operational standards
a) The CCTV control room and all other monitoring control rooms shall operate to a recognised "National Security Inspectorate (NSI) Standard" ensuring that "best practice" and strict security procedures are maintained.
b) All staff who operate or monitor CCTV footage shall undergo positive security vetting ( DBS Check) and be trained to an appropriate standard. Monitoring of CCTV is as defined within Security Industry Authority and as defined as “Regulated activity” within DBS requirements.
c) All staff with access to CCTV devices must ensure compliance with Council’s Information Governance Training strategies.
d) Staff who work within control rooms must be trained to Security Industry Standard (Award in CCTV Operations Public Space Surveillance) with a register of training maintained by the service area.
9.0 Complaints procedure
9.1 Any complaints regarding the privacy of operation of CCTV devices should be made to:
The Data Protection Officer,
Cardiff Council,
Room 118, County Hall,
Atlantic Wharf,
Cardiff Bay,
Cardiff, CF10 4UW,
dataprotection@cardiff.gov.uk.
All complaints will be referred to the relevant system owner.
9.2 This procedure must be used for any complaints regarding CCTV owned or part owned by the Council.
9.3 Any complaints received against the Police must be forwarded immediately to South Wales Police Divisional Police Headquarters, to be dealt with through normal Police procedures.
Consultation
10.1 Cardiff Council works in Partnership and prides itself on its participation, co-operation, and communication with all interested parties in the fight to prevent and reduce crime.
10.2 Any proposed CCTV system must be the subject of adequate research and consultation within the area to be covered by the camera system and where applicable the adjacent areas.
10.3 No new CCTV system will be considered unless a Data Protection Impact Assessment has been completed.
a) A CCTV System must not infringe legislation on human rights issues, ie. Privacy, and this must be explained as part of the consultation process.
b) All parties involved must be informed about the provisions relating to CCTV contained in the Data Protection Act 2018, the ICO In the Picture Code of Practice and the Home Office Surveillance Camera Code of Practice.
11.0 Data Protection Act 2018
11.1 The Authority has an obligation to comply with the requirements of the Data Protection Act 2018.
11.2 All CCTV Systems which record pictures must be registered under the Data Protection Act 2018.
11.3 Device owners are required to ensure that where external parties deliver surveillance operations, that they are registered with the Information Commissioner’s Office.
12.0 CCTV signs
12.1 All CCTV systems shall have appropriate signage, advising people that CCTV is in operation. These signs need to be placed on the perimeter of the CCTV system and other strategic places as agreed within the Data Protection Impact Assessment for devices at each location.
12.2 The CCTV signs will vary in size according to location and the circumstances. Each sign shall contain the identity of the organisation responsible for the scheme and its purpose. A contact number should be given for further information about the scheme. All signs must also be bilingual.
12.3 A register of CCTV devices must be accurately maintained at all times on the Council’s website and held by the Information Governance Team, together with the purpose for processing each device and exact location of each device. This list will also contain details of devices used for any covert surveillance to be supplied to the Monitoring Officer.
13.0 Confidentiality
13.1 CCTV images may contain sensitive scenes and information; therefore, confidentiality must be maintained at all times in line with Cardiff Council’s employees Contract of Employment conditions. It is essential that strict security is maintained and access to images restricted.
14.0 Human Rights
14.1 All CCTV systems in their design, management and operation must comply with Human Rights Legislation which will be achieved through annual Impact Assessments of all devices operated.
15.0 Consideration before purchase of CCTV systems
15.1 In considering the installation of a CCTV System, we will ensure that it complies with the Authority's Policy and Code of Practice in line with the Councils procurement process and in so doing, prior to purchase, satisfy its requirements on: -
a) The purpose of the CCTV system with evidence to suggest its introduction will satisfy the demand.
b) The CCTV systems purpose linked with other crime prevention measures.
c) The adequacy of the procedures for System and Access Management.
15.2 In the likely event that CCTV recorded images are to be used as Court evidence, the following questions should be considered: -
a) What level of detail are the cameras expected to identify, e.g. groups of people, individuals, car number plates etc?
b) What operational requirements are needed, ie, night-time efficiency (there are 4000 hours of darkness per annum), number of cameras, colour or monochrome, the frequency of time-lapse recording etc..
c) Consider measures to protect the CCTV cameras from vandalism.
15.3 Can the subsequent revenue costs for running the system be afforded?
15.4 Further Information
Useful information can be obtained by browsing the Home Office website and the Information Commissioners Office website.
15.5 In addition to the Codes of Practice referred to in this Policy the Home Office has provided a number of informative documents some of which are as follows:
- CCTV – Looking Out for You
- CCTV Operational Requirements Manual
- National CCTV Strategy
- Homme Office Surveillance Camera Code of Practice
The Information Commissioner has produced documents as follows:
- In The Picture Code of Practice
16.0 Image recording procedures
Adhering to the agreed management and operational procedures is crucial if the digital recordings produced are to be of sufficient evidential value and quality that they can be used for intelligence gathering purposes or as evidence to be produced in a court.
16.2 Time lapsed digital images are automatically recorded and are kept for no longer than 31 days on secure Council networks, after which the images will be overwritten.
16.3 Real time digital Images are automatically recorded and will be automatically overwritten; however, some images may be archived on certain systems hard drive for training purposes.
16.4 For evidential purposes each recorded image downloaded must have the correct time and date automatically embossed on it, therefore it is essential that operators periodically check that images released are correct.
16.5 If a request for access to recorded images is made within the 31 days, then only copies of the images that have been specifically requested can be retained. These images can be downloaded on secure media or systems.
16.6 Each recorded image that is released should be endorsed with all the relevant information pertaining to what the image relates to and information relating to third parties which should not be disclosed should be redacted from disclosure.
16.7 Viewing/Copying Procedure
On receiving a request to view a digital recording of a particular incident, the following process should be followed: -
To preserve the continuity of evidence a report should be created for either a viewing or a copy made of a digital recording, thereby creating a unique incident reference number.
Requests to view footage should be logged by the device owner and a record retained of the request and disclosure.
The report should include the following:
- the name, rank or title of the person requesting the viewing or copy,
- the organisation that the person represents, Incident type e.g. assault theft etc,
- date time and location of the incident, Police/Fire Service incident reference number (if applicable).
- any additional information applicable.
16.8 It is important to stress to the recipient of digital image recordings that the images will at all times remain the copyright property of Cardiff Council. Therefore, no images should be released either wholly or partially to a third party without the written consent from Cardiff Council. A record of all data released will be kept by the authority for 3 years in line with Council policies and guidance.
16.9 Individuals when viewing footage are not permitted to take copies or photograph stills of images. Allowing such copies of images to be taken would breach the Council’s Data Protection Policy and employees contract of employment conditions.
17.0 Local monitoring and recording
17.1 A premises which has a CCTV system, which is monitored and recorded but not connected to live feeds is known as a "Locally Monitored and Recorded" (LMR).
17.2 LMR systems are adopted where an organisation does not want or require the CCTV images transmitting back to live feeds or where the cost of getting images transmitted are cost prohibitive. As technology advances, this situation may change and therefore the Authority will keep CCTV development under constant review. All Owners of LMR devices/systems must comply with this Policy and Code of Practice.
17.3 All CCTV equipment at LMR sites should be securely stored to prevent theft, loss etc.
17.4 It is essential that “device owners” and any staff with access to footage are adequately trained in the use of their CCTV system and the protocol contained in this document as outlined in section 8.1.
a) All staff who “monitor” CCTV footage shall undergo positive security vetting (DBS Check) and must comply with training as outlined in section 8.2 of this policy. Monitoring of CCTV is as defined within Security Industry Authority and as defined as “Regulated activity” within DBS requirements.
17.6 The CCTV system management on image recording and storing procedures should at all times be adhered to and in accordance with the guidelines contained within this Policy and Code of Practice.
17.7 Police Investigation
The Police may need to investigate an incident recorded on the LMR CCTV system and as a result they may request to view CCTV images from the system. In these circumstances the Owner of the operating LMR systems should adhere to the procedures as set out in Section 3 and 16 of this Policy and Code of Practice.
18.0 CCTV recordings provided to the council
18.1 In the event of recordings being provided to the Council in respect of potential criminal offences, advice should be sought from the Data Protection Officer and Legal Services if possible litigation action could arise from the use of the footage.
18.2 Whilst members of the public can be exempt from the provisions of the Data Protection Act if information recorded is for domestic purposes, advice is required on a case by case basis to determine if such exemptions apply and to determine if the footage recorded does identify any individuals, in which case it becomes personal data of the data subject(s) and therefore subject to the provisions of the Act if the authority processes such data.
18.3 Where information is provided to the Council following which the Council make a determination to act upon the information provided, this must be done in line with all relevant Council policies, including the Council’s HR policies where allegations are in relation to Council employees.
18.4 The Council are not responsible for footage captured by individuals outside of those devices operating within the Council’s control. Individuals are able to operate cameras under domestic purposes and in line with guidance from the Information Commissioner. The Council are not able to regulate whether individuals use of cameras is compliant but will ensure that any onward use of footage supplied to us complies with our legal obligations.
19.0 Officers recording footage
19.1 Council Officers are not permitted to use personal devices for recording footage. Use of personal devices is not secure, using such devices would breach the Council’s Data Protection Policy and employees’ contract of employment conditions.
19.2 Officers are not permitted to record any data subjects outside of the operation of recording devices as outlined in this Policy and Code of Practice. Such operations are subject to Regulation to Investigatory Powers Act and can only be used in conjunction with the Council’s RIPA Policies.
20.0 Disciplinary action
20.1 The appropriate disciplinary action should be implemented where there is a deliberate breach of security procedures (or this Policy and Code of Practice) and staff should be made aware of such disciplinary procedures. Action would be taking in line with Corporate Disciplinary Policies.
20.2 The use of footage can be permitted in respect of investigatory matters concerning employees. The use of footage must however be proportionate in such cases and the rights of individuals must at all times be considered. The Council’s HR Policies and Procedures must be followed at all times and footage used kept confidential and secure.
21.0 Regulations of Investigatory Powers Act 2000 (RIPA)
21.1 It is essential that before conducting any surveillance that advice should be sought from the Authorities Nominated RIPA Officer. Any Surveillance subject to the RIPA must be approved via Magistrate Court and is outside the scope of this policy.
21.1 Officers must follow the Council’s Regulation of Investigatory Powers Policy (1.CM.121). Covert operations shall not start until the owner/operator of the CCTV system has been shown the Authorisation for the covert action (redacted where necessary to ensure compliance with the Data Protection Act) and has been briefed on the parameters of the covert action required to be conducted.
21.3 Once the authorisation has been shown officers must follow out such instructions as directed and provide a copy of any footage recorded via secure means to the authorised officer.
21.4 In the event of oral instructions being issued, operators must be provided and record the details of the authorising officer and the summary of what covert action has been authorised.
22.0 Freedom of Information Act
22.1 It is essential that before releasing any data under a Freedom of Information request that advice should be sought from the Information Governance Team.
23.0 Council Directorate, Section Request or Request Images
23.1 Any other Council Directorate/Section may request to view CCTV images in pursuit of any alleged criminal or civil action, the procedure for access is at (Para 3.4).