CCTV Policy

At Netmatters Ltd, we believe that CCTV plays a legitimate role in helping to maintain a safe and secure environment for all our employees, visitors, customers, potential customers, suppliers and contractors and other persons lawfully on company premises.

Images recorded by CCTV are Personal Data and must be processed under Data Protection Legislation. We are committed to complying with our legal obligations to process and protect Personal Data appropriately and ensure that the legal rights of every Data Subject with whom we engage are recognised and respected.

This policy is intended to enable Data Subjects to understand how Netmatters Ltd, uses CCTV, the rights of Data Subjects concerning CCTV, and explains who has access to CCTV images and how Data Subjects can raise any queries or concerns they may have.


1. Definitions

For this policy, the following terms have the following meanings:

CCTV means cameras, devices or systems, including fixed CCTV and any other systems that capture information about identifiable individuals or information relating to identifiable individuals.

CCTV Data means any Data regarding CCTV, e.g. video images, static pictures, etc.

Data means any information processed that is stored electronically or in hard copy.

Data Subject means any individuals who can be identified directly or indirectly from CCTV Data (or other Data in our possession). Data Subjects include employees, visitors, customers, potential customers, suppliers, contractors, and other persons lawfully on company premises.

Data Controller means the organisation or authority that determines how and for what purpose the Personal Data are processed. Concerning CCTV, Netmatters Ltd. is  the Data Controller responsible for ensuring compliance with the Data Protection Legislation.

CCTV users are our employees (or employees of any Data Processors we appoint) whose work involves processing CCTV Data. This will include those who operate CCTV to record, monitor, store, retrieve and delete images. Data users must protect the CCTV Data they handle under this policy.

Data Processor is an organisation or individual (not a CCTV user or other employee of the Data Controller) who processes CCTV Data or Personal Data on our behalf and follows our instructions.

Data Protection Legislation means the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR 2018), the Privacy and Electronic Communications Regulations 2003 as amended (PECR) and all applicable laws and regulations relating to the processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner or any other supervisory authority.

Processing means any activity involving CCTV Data, whether or not by automated means. It includes collecting, obtaining, recording or holding CCTV Data or carrying out any operation or set of operations on the CCTV Data, including organising, structuring, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring CCTV Data to third parties.

Sites means the Netmatters Ltd. premises, which are located;

Wymondham: Units 7-15 Penfold Drive, Wymondham, Norfolk. NR18 0WZ

Cambridge: Unit 1.31 St Johns Innovation Centre, Cowley Road, Milton, Cambridge. CB4 0WS

Great Yarmouth: Suite F23, Beacon Innovation Centre, Beacon Park, Gorleston, Great Yarmouth, Norfolk, NR31 7RA


2. About this policy

2.1 We currently use CCTV to view and record individuals at our Sites 24 hours per day, seven days per week. This policy sets out why we use CCTV, how we will use CCTV, and how we will process any CCTV Data recorded by CCTV to ensure that we comply with Data Protection Law.

2.2 This policy has been drafted in conjunction with the Netmatters Ltd. CCTV Data Protection Impact Assessment (DPIA)

2.3 The images of all living persons recorded by our CCTV are Personal Data and, therefore, are subject to the Data Protection Legislation. Netmatters Ltd. is the Data Controller of all CCTV Data captured at our Site.

2.4 This policy covers all Data Subjects visiting the Site.


3. Staff responsible

3.1 The Operations Manager, James Street, is responsible for ensuring compliance with Data Protection Legislation and the effective operation of this policy. Day-to-day operational responsibility for CCTV and the storage of CCTV Data recorded is the Site Manager's responsibility at each Site. Should you have any queries on our CCTV or surveillance systems, contact James Street, Operations Manager at the Wymondham Office.


4. Why do we use CCTV?

4.1 We currently use CCTV at our Sites as outlined below. We believe that such use is necessary for the following legitimate business purposes: -

4.1.1 to prevent or detect crime and protect buildings and assets from damage, disruption, theft, vandalism and other crime;

4.1.2 for the Personal safety of Data Subjects.

4.1.3 To support law enforcement bodies in crime prevention, detection, and prosecution.

4.1.4 To discourage vandalism and other criminal activity to the building(s) and within the curtilage of our premises.

4.1.5 To support any internal investigation as part of a staff disciplinary procedure.

We may use CCTV for purposes other than those specified above, which we will notify you of from time to time.


5. MONITORING

5.1 The positions of the CCTV cameras are chosen to minimise the viewing of locations/individuals that are not relevant to the legitimate purpose of the monitoring as specified above.

5.2 Currently, none of our CCTV systems records audio.

5.3 A live feed from the CCTV system is monitored continuously at the Wymondham Offices. Images are only revisited in case of an incident or if a legitimate request is made.

5.4 Staff using CCTV will be trained to understand and observe the legal requirements and their obligations relating to processing any Data gathered.


6. How we operate CCTV

6.1 Where CCTV is in use at our Sites, we shall ensure that signs are prominently displayed at the entrance of the surveillance zone alerting Data Subjects that their image(s) may be recorded. The signs will also contain details of the organisation operating the system (where a third party operates them) and who to contact.

6.2 We will ensure that live feeds from the CCTV are only viewed by appropriately authorised staff members or third-party service providers whose role requires them to access such CCTV Data. Recorded images will only be viewed by those properly entitled and in secure and restricted locations. Advances in technology allow those authorised to access/monitor the CCTV to do so remotely on password-protected mobile devices.


7. How we use the Data

7.1 To ensure the rights of individuals recorded by our CCTV are protected, we will ensure that all CCTV Data obtained from our systems is stored to maintain its integrity and security, including the encryption of Data wherever possible.

7.2 We will ensure that all CCTV Data can only be used for the purposes specified in section 4.1 above. We will not use CCTV Data for any other purpose unless permitted by Data Protection Legislation.

7.3 Where we engage Data Processors to process Data on our behalf, we will ensure adequate contractual safeguards are in place to protect the security and integrity of the Data.


8. Retention and Erasure of Data

8.1 Data recorded by our CCTV will be stored on Site and local servers. The retention duration will vary according to the purpose it has been obtained. For example, where images are being recorded for crime prevention purposes, CCTV Data will be kept only for as long as it takes to establish whether a crime has been committed or where we are using the CCTV Data for staff disciplinary purposes, the images will be kept until the process is completed. In all other cases, recorded images will be kept for no more than 30 days before being overwritten and permanently deleted.


9. Ongoing reviews of our use of CCTV

9.1 We will periodically review our use of CCTV at Netmatters Ltd. to ensure its use remains necessary, justifiable proportionate, and compliant with Data Protection Legislation.

9.2 This includes regularly reviewing the Data Protection Impact Assessment accompanying this policy to ensure consistency.

9.3 We will also conduct regular checks to ensure that all staff comply with this policy.


10. Rights of Data Subjects

10.1 As CCTV Data can identify individuals, it is considered Personal Data under current Data Protection Legislation as specified above. Data Protection Legislation gives Data Subjects certain rights regarding their Personal Data, as shown in our privacy policy with an extract below;

a) the right to be informed

b) the right of access

c) the right to rectification

d) the right to erasure

e) the right to restrict processing

f) the right to Data portability

g) the right to object

h) rights concerning automated decision-making and profiling


11. Service Providers

11.1 To operate CCTV across our Sites, we may appoint service providers to provide maintenance services related to that CCTV. Such service providers act only on our instructions and behalf for the purposes listed in section 4.1 above. We require these service providers by contract and by law to safeguard the privacy and security of the Personal Data they process on our behalf.


12. Requests of disclosure by third parties

12.1 Images from our CCTV cameras will never be disclosed to any third party (other than our third-party CCTV maintenance service providers in the course of their duty) without express permission given by The Senior Director or his delegated responsible person (Operations Manager, James Street). Data will only be disclosed to a third party permitted within the Data Protection Legislation.

12.2 We may allow law enforcement agencies to view or remove CCTV footage when it is required to detect or prosecute crime.


13. Complaints

13.1 in the first instance, any concerns about this policy or our use of CCTV should be directed to James Street, Operations Manager.

13.2 Where this is inappropriate, or matters cannot be resolved informally, you should contact our Data Protection Officer.


How to contact us

If you have any questions about how we collect, store, and use Personal Information using CCTV or any other privacy-related questions, contact us by any of the following means.

By Phone: 01603 704020

By Email: dpo@netmatters.com

In writing: The Data Protection Officer, Netmatters Ltd, 15 Penfold Drive, Wymondham, Norfolk. NR18 0WZ

If you are dissatisfied with how we deal with your request, you can contact the Information Commissioners Office on 0303 123 1113 or at their website www.ico.org.uk.