Closed Circuit Television (CCTV) Data Protection Policy

Introduction

The purpose of this policy is to regulate the use of Closed Circuit Television (“CCTV”) and its associated technology, monitoring the front entrance of the Veterinary Council of Ireland’s offices at 53 Lansdowne Road, Ballsbridge, Dublin 4, D04 NY29 (“the VCI offices”).

A copy of this CCTV Policy will be made available on the VCI website, provided to all VCI full time and temporary staff, Council, and Committee members. A copy will also be provided to visitors to the VCI offices, on request.

Scope

This policy is relevant to all personnel in, and visitors to, the VCI offices. Moreover, it relates directly to the location and use of CCTV, and the monitoring, recording and subsequent use of such recorded material.

The CCTV Policy is in place to enable Pioneer Fire & Security, Ashfield House, Brookvale, Rathfarnham Road, Dublin 14, D14 W8Y1 (the VCI’s CCTV service provider) to operate the CCTV system within the VCI.

This policy prohibits CCTV monitoring based on profiling, and in particular as it may relate to protected characteristics, visible or otherwise, contained in equality and other related legislation e.g. age, gender, sexual orientation, ethnic origin, race membership of the Traveller Community, or disability.

Furthermore, CCTV monitoring is limited to uses that do not violate the reasonable expectation to privacy as defined by law.

This policy prohibits the use of the CCTV network in the VCI offices to monitor members of VCI staff, or VCI office holders.

The CCTV camera will be used to:

  • protect the VCI offices and the assets held within it, both during and outside of operational hours (the system will be in operation 24 hours a day, every day);
  • ensure the safety of VCI personnel, and visitors to the VCI offices.
  • deter and detect crime; and
  • assist in identifying, apprehending and prosecuting offenders.

The personal data recorded and stored by the CCTV system will be used only for the purposes outlined in this policy document. Collection, storage and use of CCTV footage shall be in compliance with the Data Protection Acts 1988- 2018 and the General Data Protection Regulation (the data protection legislation).

Data Controller

The VCI is the data controller in respect of images recorded and stored by the CCTV system at the VCI offices.

The VCI’s contracted CCTV service provider, Pioneer Fire & Security, is a data processor for the purposes of this policy. The Registrar of the VCI has sole responsibility for monitoring the implementation of, and compliance with, the CCTV policy.

Lawful, Fair and Transparent Processing

The fair obtaining principles inherent in data protection legislation, require that those people whose images may be captured on camera are informed by having adequate signage in place in the VCI offices.

Adequate signage will be placed at the location in the VCI offices where CCTV cameras are situated to indicate that CCTV is in operation. Signage shall include the name and contact details of the data controller as well as the specific purpose for which the CCTV camera is in place in each location. As well as this, the VCI Data Protection Officer will provide a copy of this CCTV Policy to VCI staff, Council, and Committee members, and on request to visitors to the VCI offices. The CCTV Policy is made available also in the Data Protection Statement on the VCI website, and in a Privacy Notice provided to VCI personnel and office holders.

Location of Camera

The CCTV camera at the VCI offices is located at the front entrance.

Operation of the System

The system can only be accessed by authorised personnel from Pioneer Fire & Security who maintain the system), and the Registrar of the VCI. A Service Level Agreement has been put in place between the VCI and Pioneer Fire & Security which details the terms of the contract including confidentiality agreements, data security and disclosure clauses. The system is at 53 Lansdowne Road, Ballsbridge, Dublin 4, D04 NY29 in a secure, locked press in the front hall, which is only accessible to the Registrar of the VCI and Pioneer Fire & Security staff, when required.

Should the system be accessed or works conducted on it by unauthorised personnel or without instruction from Pioneer Fire & Security/Registrar, this will be viewed as extremely serious and will be grounds for automatic termination of contract.

Data Protection, Storage and Retention

The data captured from the CCTV cameras is securely stored as electronic data. Typically, this data is recorded on a loop and will be retained for a maximum of 30 days. It will be over-written after that period. However, data may be retained for longer periods where the events captured give rise to court proceedings.

Access to the data is restricted to authorised personnel (see Section 6). The storage devices are password protected. Supervising the access and maintenance of the CCTV system is the responsibility of the Registrar of the VCI. Unauthorised access will be viewed as a data breach. In such an event, the VCI Data Breach Management Policy and Procedure will be followed.

Access Requests

Access to the CCTV system and stored images will be restricted to authorised personnel only (as indicated in Section 6). In relevant circumstances, CCTV footage may be accessed:

  • By An Garda Síochána, where the VCI is required by law to make a report regarding suspected crime;
  • Following a written request by An Garda Síochána when a crime or suspected crime has taken place and/or when it is suspected that illegal/anti-social behaviour is taking place at the VCI offices.
  • To data subjects (or their legal representatives) in response to an access request where the time, date and location of the recordings is furnished to the VCI;
  • To individuals (or their legal representatives) subject to a court order;
  • To the VCI’s insurance company where the insurance company requires the same in order to pursue a claim for damage done to the insured property.

Any person whose image has been captured has a right to be given a copy of the information recorded, providing that such an image/recording exists (i.e. that it has not been deleted), and provided that an exemption/prohibition does not apply to the release. To exercise that right, a person must make an application in writing to the VCI and provide proof of identity, and proof of address, giving a reasonable indication of the time period sought, and identifying the location of the camera. If the person is under eighteen years, a parent or guardian may make an application. Access requests must be responded to by the VCI within one month (30 days) of receipt.

Access requests can be made to:

The Data Protection Officer,
The Veterinary Council of Ireland
53 Lansdowne Road,
Ballsbridge, Dublin 4,
D04 NY29,
Email: info@vci.ie

When a subject access request is received, the relevant footage is copied and a specific retention time is assigned to this copy. In giving a person a copy of his/her data, the data controller may provide a still/series of still pictures, a tape or a disk with relevant images. However, other people’s images should be obscured or blurred before the data is released. Data will be delivered to the requester ensuring that security measures have been considered and implemented. A log of access to images will be maintained. If the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data.

Providing CCTV Images to An Garda Síochána

With regard to requests from An Garda Síochána to download footage, the Data Protection Commission recommends that requests for copies of CCTV footage should only be granted when a formal written request is provided to the VCI stating that An Garda Síochána is investigating a criminal matter.

For practical purposes, and to expedite response to an urgent request, a verbal request may be sufficient to allow for the release of the footage sought. However, any such verbal request must be followed up with a formal written request.

A log of all Garda Síochána requests will be maintained by the VCI and its data processors. Any such requests should be on An Garda Síochána headed paper, quote the details of the CCTV footage required and should also cite the legal basis for the request under the Data Protection legislation.

Prior to the VCI issuing any CCTV images to An Garda Síochána, it will be discussed and agreed with the VCI’s Data Protection Officer.

There is a distinction between a request by An Garda Síochána to view CCTV footage and to download copies of CCTV footage. In general, An Garda Síochána making a request to simply view footage on the offices of a data controller or processor would not raise any specific concerns from a data protection perspective.

Review and Approval of the CCTV Policy

This policy will be reviewed and updated regularly to take into account changing Data Protection legislation or guidelines.

Appendix: Glossary of Terms

Subject Access Request (SAR) – this is where a person makes a request to the organisation for the disclosure of their personal data held by the VCI under the applicable data protection legislation.
Closed Circuit Television (CCTV) – is the use of video cameras to transmit a signal to a specific place on a limited set of monitors, generally for security purposes. The images may then be recorded on video tape or DVD or other digital recording mechanism.
The General Data Protection Regulation and Data Protection Acts 1988-2018 – (together these can be referred to as the data protection legislation) Data protection legislation confers rights on individuals as well as responsibilities on those persons processing personal data. All staff must comply with the provisions of the data protection legislation when collecting, storing, sharing, or otherwise processing, personal information. This applies to personal information relating both to personnel of the organisation and individuals who interact with the organisation.
Data – information in a form that can be processed. It includes automated or electronic data (any information on computer or information recorded with the intention of putting it on computer) and manual data (information that is recorded as part of a filing system or with the intention that it should form part of a filing system).
Personal Data – data (information) relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
Data Breach – any event which results in the integrity or security of personal data being compromised. It can include loss or theft of electronic equipment on which personal data is stored, equipment failure, human error, mis-directed emails, loss or sharing of information, or a cyber-attack. Breaches also include accidental loss of personal data (e.g. fire and flood).
Data Controller – a person who (either alone or with others) controls the contents and use of personal data.
Data Processing – the umbrella term that refers to any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing may or may not be by automated means.
Data Processor – a person who processes personal information on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of their employment, for example, this might mean an employee of an organisation to which the data controller out-sources work. The data protection legislation place responsibilities on such entities in relation to their processing of the data.
Data Subject – an individual who is the subject of personal data.