CCTV policy

CCTV policy

1. SCOPE

1.1 This policy applies to Gamma Materials Ltd (hereafter “GML”).

1.2 GML has in place a Closed-Circuit Television Systems (hereafter “CCTV system”) across its premises. This policy details the purpose, use and management of the CCTV system at GML and details the procedures to be followed in order to ensure that GML complies with relevant legislation and guidance. 

1.3 GML will have due regard to the Data Protection Act 2017 (hereafter “DPA”) and the European Union General Data Protection Regulation 2016 (hereafter “GDPR’). 

1.4 This policy is also based upon the following documents issued by the Data Protection Office: 

    • Template on CCTV Policy; and 

    • Guidelines to regulate the processing of personal data by video surveillance systems (Volume 5).

1.5 This policy and the procedures therein detailed, apply to all of GML’s CCTV systems capturing images of identifiable individuals for the purpose of viewing and/or recording the activities of such individuals in line with Section 4 of this policy. CCTV images are monitored and recorded in strict accordance with this policy.

2. ROLES AND RESPONSIBILITIES OF THE CCTV SYSTEM OWNER

2.1 The CCTV system is owned by both the sales team and production team of GML. The CCTV system owner (hereafter the “System Owner”) is responsible for the overall management and operation of the CCTV system.  Contact details of the System Owner are as follows:

Name: Gamma Materials Ltd

Tel: +230 601 6000

Email: headoffice@gml.mu. 

2.2 The System Owner is accountable for lawful processing of personal data in the use of the CCTV system. 

2.3 The System Owner has the following responsibilities:

2.3.1 Ensure the conditions of lawful basis are met (see Section 5).

2.3.2 Ensure that the use of CCTV system is implemented in accordance with this policy.

2.3.3 Oversee and co-ordinate the use of CCTV monitoring for safety and security purposes. 

2.3.4 Ensure that all existing CCTV monitoring systems will be evaluated for compliance with this policy. 

2.3.5 Ensure that the CCTV monitoring is consistent with the highest standards and protections. 

2.3.6 Review camera locations and be responsible for the release of any personal data or recorded CCTV materials stored in compliance with this policy and together with the General Manager.

2.3.7 Maintain a record of access (e.g., an access log) of the release of images or of any material recorded or stored in the CCTV system. 

2.3.8 Approve the location of temporary cameras to be used during special events that have particular security requirements and ensure their withdrawal following such events.   

2.3.9 Give consideration to both staff and customer feedback/complaints regarding possible invasion of privacy or confidentiality due to the location of a particular CCTV camera or associated equipment. 

2.3.10 Ensure that all areas being monitored are not in breach of an enhanced expectation of the privacy of individuals within the business and be mindful that no such infringement is likely to take place. 

2.3.11 Ensure that adequate signage at appropriate and prominent locations is displayed as detailed in this policy.

2.3.12 Ensure that monitoring images are stored in a secure place where access is restricted to authorised personnel only. 

2.3.13 Ensure that images recorded on tapes/DVDs/digital recordings are stored for a minimum period of 3 months and are then erased unless required as part of a criminal investigation or court proceedings (criminal or civil) or other bona fide use as approved by the Data Protection Officer. 

2.3.14 Ensure that camera control is solely to monitor suspicious behaviour and criminal damage (amongst others) and not to monitor individual characteristics. 

2.3.15 Ensure that camera control is not infringing an individual’s reasonable expectation of privacy in public areas. 

2.3.16 Ensure that where the Mauritius Police Force requests to set up mobile video equipment for criminal investigations, legal advice has been obtained and such activities have the approval of the Data Protection Officer (hereafter “DPO”)and the General Manager.

2.3.17 Ensure that staff operating the CCTV system have been adequately trained in the application and use of this policy.

2.3.18 Ensure that GML conducts a Data Protection Impact Assessment for changes to the CCTV system or for new implementation of a CCTV system.

3. DESCRIPTION OF THE CCTV SYSTEM

3.1 System components

    • Fixed position cameras 

    • Monitors 

    • Digital recorders 

    • Public information signs 

3.2 CCTV camera locations

CCTV cameras will be found at the following locations:

    • GML’s Head Office at, Royal Road, Chapman Hill, Beau Bassin-Rose Hill; and 

    • Construction Sites.

CCTV cameras will be located on the following points on the premises of GML:

    • Gate post;

    • Sales offices;

    • Production sites; and

    • Head office entrance and exit.

CCTV cameras are installed in such a way that they are not hidden from view.

3.3 Signage/Notification

Signs will be prominently placed at the entrance on GML’s premises and construction site to inform employees, visitors, customers and members of the public that they are entering an area covered by a CCTV system (see Appendix 1) for them to choose whether they want to enter a monitored space or not:

    • [TO INSERT SIGNAGE LOCATIONS]

3.4 Recordings

The CCTV system will provide a 24-hours per day and 7-days per week continuous recording over all the locations where a CCTV camera is placed.

3.5 Effectiveness

Although every effort has been made to ensure maximum effectiveness of the CCTV system, it is not possible to guarantee that the CCTV system will detect every incident taking place within the area of coverage.

4. PURPOSE OF THE CCTV SYSTEM

4.1 The CCTV system has been installed by GML for the purposes of generally reducing the threat of crime, identifying disciplinary infringements in GML’s office compound, assisting in providing evidence where required, promoting a safe environment and protecting GML’s premises and property as well as helping to ensure the safety of all GML’s employees, customers, contractors and visitors consistent with respect for the individuals' privacy. 

4.2 These purposes will be achieved by monitoring the system to:

    • Deter those having criminal intent and prevent any unauthorised access.

    • To monitor the safety and security of GML’s premises and office compound.

    • Assure personal safety in the office compound and to promote a safe working environment.

    • Assist in the prevention and facilitate the identification, apprehension and prosecution of offenders in relation to crime, fraud and public order, including the use of images as evidence in criminal proceeding.

    • Assist in the investigation of breaches of its codes of conduct and policies by employees, contractors and visitors and where relevant and appropriate investigation complaints.

    • Be aware of any other disciplinary infringements in the office compound.

    • Check security in and around the office compound. 

    • Monitor suspicious transactions, cash handling and production.

4.3 Five observation categories have been defined based on the relative size that a person appears on screen, of which the business will be able to decide which categories best reflect the type of activity being observed. The observation categories are as follows:

    • Monitoring and Control – to oversee a large area or wide field of view; 

    • Detection – to be alerted to the presence of activity in the field of view; 

    • Observation – to be able to observe characteristics within a moderately sized field of view; 

    • Recognition – to be able to identify a known person or object within the field of view; and

    • Identification – to be able to clearly identify an unfamiliar individual or object within the field of view. 

4.4 CCTV images captured by the CCTV system may be further processed for the conduct of criminal proceedings in any court. This may also require the retention period be increased for this further processing purpose.

4.5 The CCTV system will not be used:

    • To provide recorded images for the world-wide-web; and

    • For any automated decision taking.

5. LEGAL BASIS OF PROCESSING

5.1 The use of the CCTV system is in the legitimate interests of GML, namely:

    • For security and safety purposes;

    • For verification and apprehension in case of any accident/incident;

    • For operational purposes; and

    • For monitoring.

6. RETENTION PERIOD AND BACK UP OF CCTV IMAGES

6.1 CCTV images will not to be retained for longer periods than necessary and will be retained for a period adequate to fulfil the purposes specified. This will normally be for a minimum period of three months. After this retention period, the IT Manager shall ensure that recordings are deleted. 

6.2 However, any footage that shows an offense or any misconduct will be kept as long as it is needed to undertake criminal proceedings or disciplinary procedures.

6.3 All retained CCTV images shall be stored securely and correct backup is done periodically and kept safely off premises.

7. SECURITY MEASURES 

7.1 The System Owner will ensure compliance with Article 32 the GDPR and Section 31 of the DPA, namely implement all appropriate security and organisational measures to prevent any unauthorised access, alteration, disclosure, accidental loss and destruction of images captured by the CCTV system.

7.2 In order to protect the CCTV images and footage, GML will provide the following security measures:

    • Using a Network Video Recorder (NVR) to store footage in a secured data cabinet on site

    • Replicating the footage on another NVR as backup and stored on site

    • Secure asset disposal once a hard drive storing CCTV images has come to the end of its use

    • Allowing only authorised personnel to access the CCTV images/room

    • Keeping a logbook to monitor staff access to footage

    • Transmitting and storing of footage in encrypted form

    • Doing regular audits of system security

    • Regular audits of the system security

8. ACCESS TO CCTV IMAGES AND FOOTAGE

All access to CCTV images or footage will be recorded in a logbook.

8.1 Access to CCTV images and footage by staff

8.1.1 Access to images or footage will be restricted to those staff who need to have access in accordance with the purposes of the CCTV system. These include:

    • Construction Site Managers

    • Business Unit Managers

    • IT Department 

    • HR Manager, for the purpose of investigating disciplinary infringements, complaints or any other related proceedings.

8.1.2 All staff who will be required to deal with the CCTV system will be made aware of the sensitivity of handling CCTV images and recordings. The System Owner will ensure that all staff are fully briefed and trained in respect of the functions, operational and administrative, arising from the use of CCTV.

8.1.3 Training should go to the extent of staff who receive, analyse and approve requests for CCTV information/images.

8.1.4 Staff access to the system will be limited through appropriate use of secure logon and access procedures.

8.2 Access to CCTV images and footage by third parties

8.2.1 Access to and the disclosure of CCTV images or footage to third parties should be restricted and carefully controlled to ensure the rights of individuals are protected. 

8.2.2 Disclosure should be made in limited and prescribed purposes. The chain of evidence must remain intact if the images or footage are required for evidential purposes. Reasons for the disclosure must be compatible with the purpose for which the images or footage were originally recorded.

8.2.3 Disclosure of recorded material will be limited to the following authorities:

    • Law enforcement agencies where the recorded material would assist in a criminal enquiry and/or the prevention of terrorism and disorder, including the Police;

    • Prosecution agencies;

    • Relevant legal representatives;

    • The media where the assistance of the general public is required in the identification of a victim of crime or the identification of a perpetrator of a crime;

    • People whose images have been recorded and retained unless disclosure to the individual would prejudice criminal enquiries or criminal proceedings;

    • Emergency services in connection with the investigation of an accident.

8.2.4 Disclosure will only be made once GML is in possession of a form certifying that the images are required for either an investigation concerning national security; the prevention or detection of crime; or the apprehension or prosecution of offenders, and that the investigation would be prejudiced by failure to disclose the information.

8.2.5 Where images are sought by other bodies/agencies with a statutory right to obtain information, evidence of that statutory authority will be sought before CCTV images are disclosed.

8.3 Access to CCTV images and footage by a data subject

8.3.1 Images or footage captured by the CCTV system, if they show a recognisable person, are personal data and are covered by the GDPR and the DPA. 

8.3.2 Anyone who believes that they have been filmed by the CCTV is entitled to ask for a copy of the personal data, subject to exemptions contained in the GDPR and the DPA.  

8.3.3 However, they do not have the right of instant access. If there are other identifiable people in the recorded material, GML will look at options to protect those people’s privacy, for instance by masking other individuals on the CCTV footage.

8.3.4 A person whose image has been recorded and retained and who wishes access to the personal data must apply in writing to the System Owner (see contact details in Section 2). 

8.3.5 The System Owner will liaise with the DPO in order to ensure that the process mentioned in our Data Subject Rights Request Policy and Procedure is followed. Contact details of the DPO can be found in the Website Privacy Notice published on our website.

8.3.6 It must also be noted that the contact point indicated on the sign (refer to Section 3.3) is available to members of the public during normal business hours. Employees staffing the contact point should be aware of the appropriate policies and procedures. 

8.3.7 For any other data subject requests, the System Owner will ensure that GML will comply with the requirements of the GDPR and the DPA through an annual review of the CCTV system with the DPO.

9. COMPLAINTS PROCEDURE

9.1 It is recognised that members of GML and members of the public may have concerns or complaints about the operation of the CCTV system. 

9.2 Any complaint should be addressed in the first instance to the System Owner who will liaise with the DPO. 

9.3 The System Owner will be available during the office hours of 8.00a.m to 16.45pm from Monday to Friday; except when GML is officially closed.

9.4 The CCTV Policy should be provided as a source of further information, either at the information desk, reception or cashier or displayed on an easily accessible poster or website.

9.5 Upon request, enquirers will be provided with a Subject Access Request Form if required or requested, to exercise any right a data subject has.

10. MONITORING COMPLIANCE OF THE CCTV SYSTEM

10.1 The DPO is responsible for ensuring day to day compliance with the GDPR and the DPA. 

10.2 All CCTV recordings will be handled in strict accordance with this policy. 

10.3 The effectiveness of the CCTV system and all documented procedures will be kept under review (see Appendix 2) and a report from the DPO will be periodically made to the General Manager of GML.