INTRODUCTION
The Jockey Club Estates (JCE) owns and has in place a CCTV Surveillance System, across the sites at:
a) 101 High Street, Newmarket, Suffolk, CB8 8JL
b) Southfields Farm Depot, Hamilton Road, CB8 0TE
c) Bury Side Depot, Newmarket, CB8 7BT
d) Lambourn Depot, Limes Farm, Upper Lambourn, RG17 8RG
We will have due regard to the Data Protection Act 1998, The General Data Protection Regulation (GDPR) and any subsequent data protection legislation and the Freedom of Information Act 2000, The Protection of Freedoms Act 2012 and the Human Rights Act 1998. Although not a relevant authority, we will also have due regard to the Surveillance Camera Code of Practice.
This Policy is based upon guidance issued by the Information Commissioners Office.
Under the Data Protection Act 1998 Jockey Club Estates is the ‘Data Controller’ for the images produced by the CCTV system.
Jockey Club Estates is registered with the Information Commissioners Office (ICO) and the registration number is Z6281994.
1. POLICY STATEMENT
1.1 We believe that CCTV and other surveillance systems have a legitimate role to play in helping maintain a safe and secure environment for all our staff and visitors. However, we recognise that this may raise concerns about the effect on individuals and their privacy. This policy is intended to address such concerns. Images recorded by surveillance systems are personal data which must be processed in accordance with data protection laws. We are committed to complying with our legal obligations and ensuring that the legal rights of staff and visitors, relating to their personal data, are recognised and respected.
1.2 This policy is intended to assist staff in complying with their own legal obligations when working with personal data. In certain circumstances, misuse of information generated by CCTV or other surveillance systems could constitute a criminal offence.
2. DEFINITIONS
2.1 For the purpose of this policy, the following terms have the following meanings:-
• CCTV means fixed and domed cameras designed to capture and record images of individuals and property.
• Data is information which is stored electronically, or in certain paper-based filing systems. In respect of CCTV, this generally means video images. It may also include static pictures such as printed screen shots.
• Data Subjects means all living individuals about whom we hold personal information as a result of the operation of our CCTV or other surveillance systems.
• Personal Data means data relating to a living individual who can be identified from that data (or other data in our possession). This will include video images of identifiable individuals.
• Data controllers are the people who, or organisations which determine the manner in which any personal data is processed. They are responsible for establishing practices and policies to ensure compliance with the law. We are the data controller of all personal data used in our business for our own commercial purposes.
• Data users are those of our employees whose work involves processing personal data. This will include those whose duties are to operate CCTV cameras and other surveillance systems to record, monitor, store, retrieve and delete images. Data users must protect the data they handle in accordance with this policy and our Privacy Policy.
• Data Processors are any person or organisation that is not a data user (or other employee of a data controller) that processes data on our behalf and in accordance with our instructions (for example, a supplier which handles data on our behalf).
• Processing is an activity which involves the use of data. It includes obtaining, recording or holding data, or carrying out any operation on the data including organising, amending, retrieving, using, disclosing or destroying it. Processing also includes transferring personal data to third parties.
• Surveillance systems means any devices or systems designed to monitor or record images of individuals or information relating to individuals. The term includes CCTV systems and automatic number plate recognition (ANPR) as well as any technology that may be introduced in the future such as, body worn cameras, unmanned aerial systems and any other systems that capture information of identifiable individuals or information relating to identifiable individuals.
3. ABOUT THIS POLICY
3.1 We currently use CCTV cameras to view and record individuals on our premises, 24 hours a day, 7 days a week. This policy outlines why we use CCTV, how we will use CCTV and how we will process data recorded by CCTV cameras to ensure we are compliant with data protection law and best practice. This policy also explains how to make a subject access request in respect of personal data created by CCTV.
3.2 We recognise that information that we hold about individuals is subject to data protection legislation. The images of individuals recorded by CCTV cameras in the workplace are personal data and therefore subject to the legislation. We are committed to complying with all our legal obligations and seek to comply with best practice suggestions from the Information Commissioner’s Office (ICO).
3.3 This policy covers all Jockey Club Rooms staff and visiting members of the public.
3.4 We may amend this policy at any time without consultation. The policy will be regularly reviewed to ensure that it meets legal requirements, relevant guidance published by the ICO and industry standards.
3.5 A breach of this policy may, in appropriate circumstances, be treated as a disciplinary matter. Following investigation, a breach of this policy may be regarded as misconduct leading to disciplinary action, up to and including dismissal.
4. PESONNEL RESPONSIBLE
4.1 The board of directors has overall responsibility for ensuring compliance with relevant legislation and the effective operation of this policy. Day-to-day operational responsibility for CCTV cameras and the storage of data recorded is the responsibility of the General Manager.
4.2 Responsibility for keeping this policy up to date has been delegated to the General Manager.
5. REASONS FOR THE USE OF CCTV
5.1 We currently use CCTV everyday all around the site as outlined below. We believe that such use is necessary for legitimate business purposes, including:-
• To prevent crime and protect buildings and assets.
• For the personal safety of staff, visitors and other members of the public and to act as a deterrent against crime.
• To support law enforcement bodies in the prevention, detection and prosecution of crime.
• To assist in day-to-day management, including ensuring the health & safety of staff and others.
• To assist in the effective resolution of disputes which arise in the course auction proceedings.
This list is not exhaustive and other purposes may be or become relevant.
6. MONITORING
6.1 CCTV monitors all areas every day.
6.2 Camera locations are chosen to minimise viewing of spaces not relevant to the legitimate purpose of the monitoring. CCTV cameras do not focus on private homes, gardens or other areas of private property.
6.3 Surveillance systems do not record sound.
6.4 Images are monitored by authorised personnel only and is kept in a secure area back of house.
7. HOW WE WILL OPERATE ANY CCTV
7.1 We will ensure that signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded. Such signs will contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact for further information, where these things are not obvious to those being monitored.
7.2 We will ensure that live feeds from cameras and recorded images are only viewed by approved members of staff or suppliers whose role requires them to have access to such data. Recorded images will only be viewed in designated, secure offices.
8. USE OF DATA GATHERED BY CCTV
8.1 In order to ensure that the rights of individuals recorded by the CCTV system are protected, we will ensure that data gathered from CCTV cameras is stored in a way that maintains its integrity and security. This may include encrypting the data, where it is possible to do so.
8.2 Given the large amount of data generated by surveillance systems, we may store video footage using a cloud computing system. We will take all reasonable steps to ensure that any cloud service provider maintains the security of our information, in accordance with industry standards.
8.3 We may engage data processors to process data on our behalf. We will ensure reasonable contractual safeguards are in place to protect the security and integrity of the data.
8.4 All images recorded by the CCTV system remain the property and copyright of JCE.
9. RENTENTION AND ERASURE OF DATA GENERATED BY CCTV
9.1 Data from CCTV cameras will not be retained indefinitely but will be permanently deleted once there is no reason to retain the recorded information. Exactly how long images will be retained for will vary according to the purpose for which they are being recorded, however, recorded images will be kept for no longer than seven years. We will maintain a comprehensive log of when data is deleted.
9.2 At the end of their useful life, all images stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs will be disposed of as confidential waste. Any still photographs and hard copy prints will be disposed of as confidential waste.
10. USE OF SURVEILLANCE SYSTEMS
10.1 We carefully consider if CCTV is appropriate by carrying out a privacy impact assessment (PIA).
10.2 A PIA is intended to assist us in deciding whether surveillance cameras are necessary and proportionate in the circumstances and whether they should be used at all or whether any limitations should be placed on their use.
10.3 Any PIA will consider the nature of the problem that we are seeking to address at that time and whether the surveillance camera is likely to be an effective solution, or whether a better solution exists. In particular, we will consider the effect a surveillance camera will have on individuals and therefore whether its use is a proportionate response to the problem identified.
10.4 No surveillance cameras will be placed in areas where there is an expectation of privacy (for example, in changing rooms) unless, in very exceptional circumstances, it is judged by us to be necessary to deal with very serious concerns.
11. COVERT MONITORING
11.1 We will never engage in covert monitoring or surveillance (that is, where individuals are unaware that the monitoring or surveillance is taking place) unless, in highly exceptional circumstances, there are reasonable grounds to suspect that criminal activity or extremely serious malpractice is taking place and, after suitable consideration, we reasonably believe there is no less intrusive way to tackle the issue.
11.2 In the unlikely event that covert monitoring is considered to be justified, it will only be carried out with the express authorisation of the Managing Director. The decision to carry out covert monitoring will be fully documented and will set out how the decision to use covert means was reached and by whom. The risk of intrusion on innocent workers or visitors will always be a primary consideration in reaching any such decisions.
11.3 Only limited numbers of people will be involved in any covert monitoring.
11.4 Covert monitoring will only be carried out for a limited and reasonable period of time consistent with the objectives of making the recording and will only relate to the specific suspected illegal or unauthorised activity.
12. ONGOING REVIEW OF CCTV USE
12.1 We will ensure that the ongoing use of existing CCTV cameras in the workplace is reviewed periodically to ensure that their use remains necessary and appropriate, and that any surveillance system is continuing to address the needs that justified its introduction.
13. REQUESTS FOR DISCLOSURE
13.1 No images from our CCTV cameras will be disclosed to any third party, without express permission being given by the Managing Director. Data will not normally be released unless satisfactory evidence that it is required for legal proceedings or under a court order has been produced.
13.2 In other appropriate circumstances, we may allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime.
13.3 Where a suspicion of misconduct arises and at the formal request of the investigating officer or HR Manager/Advisor the Managing Director may provide access to CCTV images for use in staff disciplinary cases.
13.4 The Managing Director may provide access to CCTV images to investigating officers when sought as evidence in relation to Members discipline cases.
13.5 We will maintain a record of all disclosures of CCTV footage, itemizing the date, time, camera, requestor, authorizer and the reason for the disclosure.
13.6 No images from CCTV will ever be posted online or disclosed to the media.
13.7 Unless required for evidential purposes, the investigation of an officer or as required by law, CCTV images will be retained for no longer than 30 days, from the point of recording. Images will automatically overwritten after this point.
13.8 Images held in excess of their retention period will be reviewed on a 3 monthly basis and any not required for evidential purposes will be deleted.
14. SUBJECT ACCESS REQUESTS
14.1 Data subjects may make a request in relation to their personal information and this may include CCTV images (data subject request). A data subject access request is subject to the statutory conditions from time to time in place and should be made in writing, in accordance with the Privacy Policy, which can be found on our website.
14.2 In order for us to locate relevant footage, any requests for copies of recorded CCTV images must include the date and time of the recording, the location where the footage was captured and, if necessary, information identifying the individual.
14.3 We reserve the right to obscure images of third parties when disclosing CCTV data as part of a subject access request, where we consider it necessary to do so.
15. COMPLAINTS PROCEDURE
15.1 Complaints concerning the JCR’s use of its CCTV system of the disclosure of CCTV images should be made in writing to the Managing Director at Jockey Club Estates.
15.2 All appeals against the decision of the Managing Director should be made in writing to the Finance Director at Jockey Club Rooms.
16. MONITORING COMPLIANCE
16.1 All staff involved in the operation of the JCE CCTV system will be made aware of this policy and will only be authorized to use the CCTV system in a way that is consistent with the purpose and procedures contained therein.
16.2 All staff with responsibility for accessing, recording, disclosing or otherwise processing CCTV images will be required to undertake Data Protection Training.
17. POLICY REVIEW
17.1 The JCE’s usage of CCTV and the content of this policy shall be reviewed annually by the Managing Director with reference to the relevant legislation or guidance in effect at the time. Further reviews will take place as required.