Data protection and the use of CCTV
Last update: August 2023
About the policy
Data protection lead: Sarah Rothwell, Treasurer & Trustee
ICO registered organisation name: Beeding & Bramber Village Hall
ICO reference: ZB573873
The Beeding & Bramber Village Hall (also referred to as the Hall) is required to adhere to the General data Protection Regulations (GDPR), with respect to all information or data held about our hirers, volunteers, contractors., and visitors including any data captured on CCTV.
The Hall has installed closed-circuit television (CCTV) for the following purposes:
- Assist in the prevention and detection of crime.
- Increase personal safety and reduce the fear of crime.
- Assist with the potential investigation and identification of potential offenders.
- Protect the Hall’s buildings and property.
- Assist in the management and monitoring of Hall’s facilities including the investigation of accidents.
- As a means of assistance to hirers of the Hall in case of emergency situations.
Our reasons for collecting your data
Legitimate interest – to ensure the safety of the property and those who may choose to use the space.
What data do we collect and keep?
We only collect what is known as, event-based video history and we purposefully don’t collect audio / sound. This means that unless motion takes place in front, or close proximity of the camera it is not constantly recording as it has no need – this is known as motion-triggered or event-based recordings. The static cameras located on the Hall have been directed where they will not focus on private homes, gardens, and other areas of private property so they should not be triggered, nor start recording movements within spaces external to the Hall perimeter. Their positioning is checked on a quarterly basis by one of our trustees and / or caretaker to ensure that they have not moved. Any recordings that are taking are stored within the Cameras themselves and pushed to our recognised cloud-based storage system, supplied by EZVIZ.
Why we collect your data
We only collect motion-triggered video footage as the Village Hall is not manned or used 24/7, so we wish to ensure its safety against potential crimes and vandalism, as well as ensuring the people and organisations who use the Hall feel safe.
Who has access to this data?
The following people are authorised to view images and footage captured by the CCTV system via the SD cards, EZVIZ app or Cloud-based storage:
- our data handler lead;
- manager of the Play Group (also a trustee);
- committee of management / trustees – upon request;
- external CCTV providers (engineers for the purpose of maintenance) or police personals – upon request;
- any other approved third parties such as the police / law enforcement required to assist in the identification of a data subject following an incident – upon request.
Motion-triggered video footage can be viewed via SD cards, or via our Cloud-based storage and app solutions provided via EVIZ. If you believe you have discovered a security vulnerability in our cloud storage, please report it to EZVIZ at email@example.com or you can report a data breach to ICO and / or to a Data protection lead firstname.lastname@example.org
How we use your data
The system is not constantly recording footage as it is only triggered by motion. The systems are never routinely monitored in real-time by any of the approved people who have access to the data, as we respect the privacy of our community, the people who hire the space and our visitors. Motion-triggered video footage of data subjects captured via our CCTV system is solely for the purpose of personal identification should an incident take place. The data captured by the system will never be used for commercial gain, social media or be shared of any other purposes other than those highlighted within this policy.
How long we keep your data for and the reasons for this
Images and footage recorded by the system will not be kept any longer than is necessary and for a maximum of 7 days, this means the system can only ever playback motion-triggered video footage that date, back to the last 7 days. After a period of 7 days, any film / footage captured on the 8th day will automatically overwrite those from the 1st day and so on. This process is automated and cannot be stopped.
The system is designed to only ever be accessed, saved, viewed, and potentially used, in circumstances / for purposes such as where a law enforcement body is investigating a crime, the footage is required for insurance purposes or as part of an ongoing investigation. If such purposes occur, these images will either be saved and email to the third-party requiring the data and / or download onto an external hard drive or flash drive. Access to any data is always limited to people highlighted within this policy. Should an event take place, a record of any CCTV footage handed over to third parties will be documented and an operating file of any images kept after the 7-day time period and the reason for this.
Who will we share your data with?
Information stored on the system constitutes personal data as defined by the GDPR. An individual may ask to see images of themselves via a Subject Access Request.
Any motion-triggered video footage of data subjects is stored both via the cameras themselves and via an approved off-site, third-party, cloud hosting provider EVIZ. Every layer of data – from the EZVIZ cloud to the app is fully encrypted from end to end with AES 128-bit encryption and TLS 1.2 encryption protocols and adhere to the following standards and principles: ISO 29151; CSA STAR; ISO 27018; ISO/IEC 27017; ISO/IEC 27701; ISO 20000 SOC 2 Type I. You can read more about their approach to data security via their website.
There will never be disclosure of any recorded data to third parties other than the authorised organisations such as the Police and others given permission by the Data protection lead or caretaker for a specific purpose, for example other investigations.
Your rights under data protection law
You have various rights under applicable data protection law, including the right to:
- access your personal data;
- correct incomplete or inaccurate personal data we hold about you;
- erase the personal data we hold about you;
- restrict our handling of your personal data;
- transfer your personal data to a third-party;
- object to how we are using your personal data; and
- withdraw your consent to us handling your personal data.
Regular Review: GDPR compliance is an ongoing process. The policy will be reviewed annually and updated when necessary to ensure continued compliance with changing regulations.
Please keep in mind that data protection law is complicated, and these rights won’t always be available to you all of the time.
You also have the right to lodge a complaint with us or the ICO, the supervisory authority for data protection issues in the UK.
If you want to exercise any of these rights or have any questions, please contact us.