Edenfield Road Surgery OL11 5AQ

 

CCTV Policy V1

 

INTRODUCTION

 

Edenfield Road Surgery are the Data Controllers in accordance with Data Protection Legislation.

 

The use of CCTV falls within the scope of the Data Protection Act 2018.

 

CCTV is installed for the purpose of staff, patient and premises security. Access to stored images will be controlled on a restricted basis within the practice.  Use of images, including the provision of images to a third party, will be in accordance with the practice’s Data Protection registration.

 

CCTV may be used to monitor the movements and activities of staff and visitors whilst on the premises.

 

In areas of surveillance, signs will be displayed prominently to inform individuals that CCTV is in use.  Cameras are located at various places on the premises, and images from the cameras are recorded.

 

The cameras are located: at the front and back of the building and the within the shared areas of the inside of the building.

 

CCTV images may be used where appropriate as part of staff counselling or disciplinary procedures.

 

External and internal signage are displayed on the premises stating of the presence of CCTV, and indicating the names of the Data Controllers and a contact number during office hours for enquiries.

 

The principles of the policy are that:

·        Individuals’ rights are respected and protected.

·        The installations are operated fairly and within the law.

·        The CCTV system is operated for the purposes for which it was set up.

·        The recorded material/data stored is fairly and lawfully processed.

·        The recorded material/data is adequate, relevant and not excessive for the purposes.

·        That recorded material/data is accurate, securely stored, and not kept for longer than is necessary.

 

Access to Images

It is important that access to, and disclosure of, images recorded by CCTV and similar surveillance equipment is restricted and carefully controlled, not only to ensure that the rights of individuals are preserved, but also to ensure that the chain of evidence remains intact should the images be required for evidential purposes.

 

Access to Images by Practice Staff

Access to recorded images is restricted to the Practice Manager and GP Partners, who will decide whether to allow requests for access by data subjects and/or third parties (see below).

 

Viewing of images must be documented as follows:

·      The name of the person removing from secure storage, or otherwise accessing, the recordings

·      The date and time of removal of the recordings

·      The name(s) of the person(s) viewing the images (including the names and organisations of any third parties)

·      The reason for the viewing

·      The outcome, if any, of the viewing

·      The date and time of replacement of the recordings

 

Removal of Images for use in Legal Proceedings

In cases where recordings are removed from secure storage for use in legal proceedings, the following must be documented:

 

·        The name of the person removing from secure storage, or otherwise accessing, the recordings

·        The date and time of removal of the recordings

·        The reason for removal

·        Specific authorisation of removal and provision to a third party

·        Any crime incident number to which the images may be relevant

·        The place to which the recordings will be taken

·        The signature of the collecting police officer, where appropriate

·        The date and time of replacement into secure storage of the recordings

 

Access to Images by Third Parties

Disclosure of recorded images to third parties will only be made in limited and prescribed circumstances. For example, in cases of the prevention and detection of crime, disclosure to third parties will be limited to the following:

 

·        Law enforcement agencies where the images recorded would assist in a specific criminal enquiry

·        Prosecution agencies

·        Relevant legal representatives

·        People whose images have been recorded and retained (unless disclosure to the individual would prejudice criminal enquiries or criminal proceedings)

 

All requests for access or for disclosure should be recorded. If access or disclosure is denied, the reason should be documented as above.

 

Access by Data Subjects

This is a right of access is provided by the Data Protection Act 2018. The requestor needs to provide enough information so that they can be identified in the footage, such as a specific date and time, proof of their identity and a description of themselves. Any footage provided may be edited to protect the identities of any other people.

 

The Practice may charge a reasonable fee to provide the footage if the request to see a copy of the personal information is deemed unfounded or excessive.

 

Procedures for Dealing with an Access Request

All requests for access by Data Subjects will be dealt with by the Practice Manager. The data controller will locate the images requested. The data controller will determine whether disclosure to the data subject would entail disclosing images of third parties.

 

The data controller will need to determine whether the images of third parties are held under a duty of confidence. If third party images are not to be disclosed, the data controllers will arrange for the third party images to be disguised or blurred. If the CCTV system does not have the facilities to carry out that type of editing, an editing company may need to be used to carry it out. If an editing company is used, then the data controller must ensure that there is a contractual relationship between them and the editing company, and:

 

·        That the editing company has given appropriate guarantees regarding the security measures they take in relation to the images

·        The written contract makes it explicit that the editing company can only use the images in accordance with the instructions of the data controllers

·        The written contract makes the security guarantees provided by the editing company explicit

·        The practice manager will provide a written response to the data subject within 30 days of receiving the request setting out the data controllers’ decision on the request.

·        A copy of the request and response should be retained.

 

Complaints

Complaints must be in writing, and addressed to the practice manager. Where the complainant is a third party, and the complaint or enquiry relates to someone else, the written consent of the patient or data subject is required. All complaints will be acknowledged within 3 days, and a written response issued within 10 days.

 

Adopted: 21.05.2026 MJ V1 / Review due 21.05.2028 or as needed