CCTV policy

This policy explains how The National Football Museum (NFM) uses a closed-circuit TV system in compliance with General Data Protection Regulations (UK GDPR 2021).

1. Introduction

  1. The processing of personal data captured by CCTV systems is governed The General Data Protection Regulation (GDPR) applied in the UK from May 2018. On the 01/01/21 the UK’s data protection regime was set out in the UK General Data Protection Regulation (UK GDPR) after leaving the EU. The GDPR is retained in domestic law as the UK GDPR, but the UK has

the independence to keep the framework under review. The ‘UKGDPR’ sits alongside an amended version of the DPA 2018. The government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the amendments.

https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/dataprotection-and-the- eu-in-detail/the-uk-gdpr/

  1. CCTV digital images, if they show a recognisable person, are personal data and are covered by the General Data Protection Regulation (GDPR). This Policy is associated with the NFM’s Data Protection Policy, the provisions of which should be adhered to at all times.
    1. This Policy explains how the NFM will operate the CCTV system installed in 2019 and will comply with current legislation. It is prepared after taking due account of Code of Practice documents published by the Information Commissioner’s Office.
    1. This document refers to the CCTV system installed at the Museum site in Manchester by MCC as landlord. A CCTV system is not operated at the Preston research centre by the NFM. Preston North End FC as landlord has installed a stadium wide system at Deepdale which may cover external areas in the Research Centres locale.

2. Code of conduct 12 principles

The following 12 principles from the CCTV Code of Practice are followed with regard to the system installed in the NFM:

  • Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
    • The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
    • There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
    • There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
    • Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
    • No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
  • Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
    • Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
    • Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
    • There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
    • When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
    • Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

3. Purpose of system

  • CCTV has been installed to meet the legitimate aim of improving the safety of all staff, volunteers, visitors, partners and contractors by reducing the risk from criminal activities including: violence, anti-social behaviour, theft of monies / stock / collection items and terrorist attack. The system will be used to:
    • Help reduce the fear of crime.
    • Help deter crime.
    • Help detect crime and provide evidential material for court proceedings.
    • Enhance visitor safety, assist in developing the economic well-being of the NFM and encourage greater use of facilities.
    • Assist the Police in its enforcement and regulatory functions.
    • Assist in supporting civil proceedings which will help detect crime.
    • The system will not be used for:
      • Recording images for the world-wide-web.
      • Recording sound
      • For any automated decision making.
      • Live monitoring, unless it will reduce the imminent risk to individuals when a crime is taking place such as a terrorist attack.
  • Evidence in staff disciplinary investigations, except when a suspected criminal act has been reported to the Police such as a physical assault or an investigation relating to theft or fraud.

4. Privacy for individuals

  • A full system plan of the new CCTV system is available to view, as long as the request does not compromise the purpose and security of the system.
    • Cameras are located at strategic points on all floors to achieve the purpose of the system.
    • Cameras are not positioned where they will impact on individual privacy or activities outside of the scope of the system purpose.
    • The number and type of cameras are proportionate to the risk they are designed to mitigate.
    • The system uses a computer hard drive to record and store information.

5. Transparency of use

  • This policy is available to all users of the building.
    • No cameras are hidden from view. Cameras operate both inside and directly outside the Museum.
    • Cameras are located at strategic points on all floors to achieve the purpose of the system. The system has been designed in collaboration with MCC, who are the building landlord.
    • The cost of purchase and installation was wholly funded by MCC.
    • In areas where the CCTV is installed the NFM will ensure that there are prominently placed signs at both the entrance to the Museum and where practicable within the controlled area. The signs will be clearly visible and readable.

0161 605 8200.

6. Responsibility and accountability

  • Images captured by the system are recorded on a hard drive system only accessible to those detailed in 6.2
    • Access to the system will be strictly limited to the duty managers who are responsible for the building at any given time and the Data Protection Officer, they are:

Chief Operating Officer / Data Protection Officer Visitor Experience Manager

Visitor Experience Co-ordinators x3 Team Leaders x2

  • Responsibility for the system sits with the Visitor Experience Manager and the Data Protection Officer.
    • Accountability for the appropriate and legal use of the system sits with the Board of Trustees.

7. Rules, policies, procedures

  • This policy was signed off by the Board of Trustees on the 31/10/19 and is scheduled for refresh sign off in October 2021.
    • A procedure for the use of the system has been created describing how it can be used, who can use it, training, and the security of the system.
    • A data protection impact risk assessment has been created and will be reviewed annually.

8. Image storage

  • Digital recordings are made in real time and stored to a hard drive recorder.
    • Images will normally be retained for 31 days from the date of recording, and then automatically over written. On occasion however, images may need to be retained longer, to enable the Police to collect relevant images, or as part of an active crime investigation.
    • Images retained for evidential purposes will be saved on the CCTV system desktop of the individual operator. The Data Protection Officer will ensure that the reason for retention is recorded, where the images are kept, any use made and when they are finally destroyed.
    • Once a hard drive has reached the end of its use it will be erased prior to disposal and the Log will be updated accordingly.

9. Access to images

  • We will never sell CCTV data and will only ever share it with relevant law enforcement bodies. Disclosure of recorded material will only be made to third parties in strict accordance with the purposes of the system and is limited to the following authorities:
    • Law enforcement agencies where images recorded would assist in a criminal enquiry and/or the prevention of terrorism and disorder.
    • Prosecution agencies.
    • Relevant legal representatives.
    • The media where the assistance of the general public is required in the identification of a victim of crime or the identification of a perpetrator of a crime. The NFM will not directly share with the media it will only occur when the Police shares previously shared images.
  • People whose images have been recorded and retained, unless disclosure to the individual would prejudice criminal enquiries or criminal proceedings. (see section 15 for more details).
    • Emergency services in connection with the investigation of an accident.
    • Disclosure of information will be controlled and consistent with the purpose for which the system was installed.
    • Once information is disclosed to the police or any other law enforcement body, they will become data controller for the copy they hold. All requests for disclosure are recorded. If disclosure is denied, the reason is documented.

10. Training of operators

Operators of the system identified in 6.2 will receive suitable training in the use of the equipment to achieve its purpose. Any new staff member in the roles will be trained as part of their induction.

11. Safeguarding against unauthorised access

  1. Access to the system is only be granted to individuals as described in 6.2 through the use of passwords.
    1. The system is kept in a secure office which has restricted access via electronic pass to defined individuals.
    1. The system is specified to meet industry best practice standards. It was installed and designed by a suitable contractor as managed by MCC. The tendering process for this work was completed by MCC.
    1. A maintenance programme has been implemented to ensure the system is running securely
    1. The system is not connected via live feed to an external control centre.

12. Review and audit

  1. A Data Protection Impact Assessment (DPIA) has been completed prior to the new system being installed.
    1. The DPIA will be reviewed annually.

13. Public safety and law enforcement

  1. As detailed in section 3.1 the system has been installed to meet the legitimate aim of improving the safety of all staff, volunteers, visitors, partners and contractors by reducing the risk from criminal activities including: violence, anti-social behaviour, theft of monies / stock / collection items and terrorist attack.
  1. The system will enhance public safety and law enforcement within the curtilage of the Museum building and could help reduce crime in the local area if arrests and prosecutions are enabled by the system.

14. Reference database

The system does not match visual information to a database: ANPR is not included in the specification.

15. Subject Access Request

  1. CCTV digital images, if they show a recognisable person, are personal data and are covered by GDPR UK. Anyone who believes that they have been filmed by CCTV is entitled to ask for a copy of the data, subject to exemptions contained in the Act. They do not have the right of instant access.
    1. A person whose image has been recorded and retained and who wishes access to the data must apply in writing to the Data Protection Officer who will comply within one month of receiving the request. No fee will be charged unless the request is manifestly unfounded or excessive.
    1. If the request is approved The Data Protection Officer will arrange for a copy of the data to be made and given to the applicant or allow them to view it. The applicant must not ask another member of staff to show them the data or ask anyone else for a copy of the data. All communications must go through the Data Protection Officer.
    1. GDPR gives the Data Protection Officer the right to refuse a request for a copy of the data particularly where such access could prejudice the prevention or detection of crime or the apprehension or prosecution of offenders.
    1. If it is decided that a data subject access request is to be refused, the reasons will be fully documented within 1 month and the data subject informed in writing, stating the reasons. The individual has the right to complain to the Information Commissioners Office.

16. Other Individuals’ Rights

Unless subject to an exemption, under the UK GDPR individuals have the following rights in relation to CCTV images of them:

  1. the right to be informed.
    1. the right of access.
    1. the right to rectification.
    1. the right to erasure. An individual can ask for their personal information to be deleted where it is no longer necessary, was unlawfully processed, they withdraw their consent or object to the processing, or they need to comply with a legal obligation.
  1. the right to restrict processing. Where there is a dispute in relation to the accuracy or processing of personal information, or it is needed regarding a legal claim, the individual has the right to request a restriction is placed on further processing.
    1. the right to data portability.
    1. the right to object.
    1. the right not to be subject to automated decision-making including profiling.
    1. Right to complain. Individuals have the right to lodge a complaint with the Information Commissioner’s Office.

17. Enquires about the operation of the CCTV

  1. Requests can be made to the NFM for information under the Freedom of Information Act 2000 relating to surveillance systems, such as the operation of the system, its siting or the cost of using and maintaining it. If such a request is received by the NFM it will consider whether disclosure is appropriate and/or whether an exemption under the Act applies.
    1. Requests under the Freedom of Information Act must be in writing and will receive a written response within 1 month from the Data Protection Officer.
    1. For independent advice, data protection compliance concerns or to lodge a formal complaint, contact the Information Commissioner’s Office on:

0303 123 1113

or at https://ico.org.uk/global/contact-us/email