A CODE OF PRACTICE FOR THE
OPERATION OF CCTV SYSTEMS
SUBJECT TO THE PROVISIONS
OF THE DATA PROTECTION ACT
Anglia Ruskin University operates and manages a number of CCTV
systems at various University sites. This Code of Practice relates to those
systems that are subject to the provisions of the Data Protection Act, i.e.
those that include cameras that may be used to follow the movements of
and identify individual persons. These are commonly known as “Fully
Functional” cameras with a zoom, pan and tilt capability controlled
remotely.
This Code of practice has been published on the internet to demonstrate
that the principles which govern the regulation and operation of all CCTV
systems controlled by the University are known to and approved by Staff,
Students and all other interested parties.
For all enquiries about the Code of Practice, please telephone The Head of
Security on 0845 196 3717
5th
Edition, published October 2006
1
INTRODUCTION
University CCTV systems have been developed in response to the growth in and
the fear of crime on all sites operated by the University. The purpose of these
systems is to make our premises and surroundings safer and more welcoming,
thereby allowing all students, staff and visitors, regardless of age, gender or race,
the opportunity to participate fully in University life without fear.
All CCTV cameras are the property of Anglia Ruskin University. The University is
responsible for the fair and effective operation of all systems.
The Code of Practice follows that published by the Information Commissioner
and is intended to comply with the Data Protection Act 1998 and the additional
“good practice” recommendations. An Operational Manual for the guidance of
staff operating the systems supports the Code of Practice. Only designated staff
have routine access to the systems and authority for its operation. The
Operational Manual will be made available if requested, deleting only those
elements which remain confidential for security reasons.
The systems comprise multi-camera systems on the following sites:


Cambridge
Chelmsford Rivermead
The images from these cameras are recorded and monitored 24 hours a day 365
days a year with the majority being recorded digitally. All recorded material is the
property of Anglia Ruskin University, which retains copyright.
This Code of Practice sets out the aims of the CCTV systems and how they will
be used. The systems will not be used for any other purpose than those set out
in this document. The day to day management of the systems will be the
responsibility of the relevant Campus Security Manager.
2
1.
COMPLIANCE WITH THE PRINCIPLES OF THE DATA
PROTECTION ACT 1998
The First Data Protection Principle requires that personal data shall be
processed fairly and lawfully and shall not be processed unless certain conditions
are met. In response to the First Principle, the University considers:

That there is a legitimate basis for the processing of images, namely the
prevention and detection of crime

That the processing is necessary for the purposes of the prevention and
detection of any unlawful act

That images are processed lawfully and fairly

That appropriate signage provides the relevant information to individuals
at the point at which an image may be obtained
The Second Data Protection Principle requires that personal data shall be
obtained for one or more specified and lawful purposes and shall not be further
processed in any manner incompatible with that purpose or purposes. In
response to the Second Principle, University documented policy is that:

Being that the purpose for which images are processed is the prevention
and detection of crime, disclosure to a third party must be restricted to law
enforcement agencies.
The Third Data Protection Principle requires that personal data shall be
adequate, relevant and not excessive in relation to the purpose or purposes for
which they are processed. In response to the Third Principle, University policy
will be that:

Every step will be taken to ensure that surveillance is restricted to
University premises.

Images are of a quality that makes them adequate for the purposes of the
prevention and detection of crime.
The Fourth Data Protection Principle requires that personal data shall be
accurate and, where necessary, kept up to date. In response to the Fourth
Principle, the University certifies that:
3

The clarity of images is managed by the use of high quality recording
facilities, including digital technology.

Time and location references are checked through a documented
procedure

Evidential images in the form of stills or downloaded digital images are not
subjected to enhancement or compression techniques.
The Fifth Data Protection Principle requires that personal data processed shall
not be kept longer than is necessary. In response to the Fifth Principle, the
University certifies that:

All images processed for the purposes of crime prevention and public
safety, other than those retained for evidential purposes, are destroyed
within 31 days.
The Sixth Data Protection Principle requires that personal data shall be
processed in accordance with the rights of data subjects under the Act. In
response to the Sixth Principle, the University certifies that:

All subject data requests will be dealt with in an appropriate manner
The Seventh Data Protection Principle requires that appropriate technical and
organisational measure shall be taken against unauthorised or unlawful
processing of personal data and against accidental loss or destruction of, or
damage to, personal data. In response to the Seventh Principle, the University
certifies that:

Appropriate care is taken in the management and control of image
processing, retention and destruction.
The Eighth Data Protection Principle requires that personal data shall not be
transferred to a country or territory outside the European Economic Area unless
that country or territory ensures an adequate level of protection for the rights and
freedoms of data subjects in relation to the processing of personal data. In
response to the Eighth Principle, the University certifies that:

No processed images will be transferred beyond the boundaries of the
United Kingdom.
4
2. PURPOSE STATEMENT
It is important that all those who will be affected by the University CCTV systems
and all those charged with operating them understand exactly why the systems
have been introduced and what they will and will not be used for. The key
objectives of the systems are :
a)
b)
c)
d)
e)
f)
Protecting all University buildings and premises
Deterring and detecting crime
Reducing anti-social behavior by any person on University Property
Assisting in the identification of offenders
Reducing the fear of crime
Creating a safer environment for all
No CCTV system incorporating cameras which are subject to the provisions of
the Data Protection Act shall be installed or operated unless the need for it has
been assessed against the above objectives. This shall be the responsibility of
the Head of Security.
He or she will additionally ensure that the assessment process and the reasons
for all CCTV installations undertaken from the date of publication of this Code of
Practice are documented and filed within the Secretary and Clerk’s Office. The
purpose of schemes in existence at the time of publication of this Code of
Practice will similarly be documented.
3. OPERATOR AWARENESS
In order that all CCTV operators are aware of the purposes for which schemes
have been established and the rights of data subjects, all Security Control
Rooms will contain a notice clearly visible to operators incorporating those
purposes and rights.
4. PRIVACY
An individual’s entitlement to go about his/her lawful business is respected and
supported and this is a primary consideration in the operation of the system.
Although there is inevitably some loss of privacy when CCTV cameras are
installed, they will not be used to monitor the progress of individuals in the
ordinary course of lawful business in the areas under surveillance. Individuals will
only be monitored if there is reasonable cause to suspect that an offence has
been or may be committed.
5
The Operators shall only use the cameras to view public areas and not to look
into the interior of any private premises, offices or any other area where an
infringement of privacy of individuals may occur. The only exception to this rule is
if an operator, whilst operating the cameras, nevertheless observes something
which he/she believes to indicate that a crime is being, or is about to be
committed in a non-public area. Any such event will be fully logged and operators
will be required to justify their actions. Any breach of this condition may result in
disciplinary proceedings against the Operator.
5. PROVISION OF EVIDENCE
Arrangements will be made to provide recorded material to the Police in
connection with investigations into criminal offences. Requests may also be
made for the release of material by other bodies with prosecution powers such as
Customs and Excise, the Health and Safety Executive or other statutory
agencies. The University reserves the right to provide recorded material to its
own agents.
6. SIGNAGE
On all sites subject to CCTV surveillance under the scheme, signage has been
placed so that the public is aware that they are entering an area that is covered
by the surveillance equipment. The signs are clearly visible and legible to the
public and identify the purposes for which images are recorded, by whom the
scheme is controlled and to whom any requests for information should be made.
7. BREACHES OF THE CODE
Any breach of this Code of Practice is a serious matter. Any employee in breach
of the Code may be dealt with in accordance with the disciplinary procedures of
the University. This process could ultimately result in dismissal.
The responsibility for ensuring the security of the systems will rest with the
relevant Campus Security Manager. He or she will, in the first instance,
investigate all breaches or allegations of breaches of security and report his
findings to the Head of Security who will agree a response following consultation
with the University Secretary & Clerk.
8. STAFF
Systems will be operated on a 24-hour basis. Operators employed by the
University are trained to a proficient level before they are allowed to take control
of any system. Training will include:
6
a)
b)
c)
d)
e)
f)
g)
Use of equipment
Observation techniques
University procedures and record keeping
Report procedures and action on incidents
Evidence handling
Actions in the event of an emergency
All staff training will be supervised by a suitably qualified Operator
The University will ensure that refresher training is provided on a regular basis to
ensure that the highest operating and management standards are maintained.
Staff may be required to provide the Police or other statutory agencies with
written statements from time to time, which may be required for evidential
purposes.
No Security Officer or Control Room Operator employed by a Contract Staff
Provider and for the time being stationed on University premises will control any
CCTV system in any manner unless they are licensed to do so by the Security
Industry Authority.
9. OPERATION AND ADMINISTRATION
CONTRACTORS
Contractor access will be provided from time to time for the purpose of
maintaining the equipment. No contractor will be left unattended at any time
whilst working on the systems.
A maintenance log will be maintained at each Security Control Room and will
include the following:

Details of planned preventative maintenance (PPM) arrangements

Details of person(s) responsible for managing the PPM and arranging
reactive maintenance and repair.

Details of person(s) responsible for monitoring the quality of maintenance and
repair.
10. DIRECTION AND CONTROL OF THE SYSTEMS
10.1 DIRECTION
7
Operational management of the system is the responsibility of the Head of
Security. The systems are directed towards providing a safer environment for all
staff, students and visitors to the University. The University will use the systems
for:
a) Day to day monitoring of the surveillance areas
b) The security of University premises.
c) The safety of staff, students and visitors
10.2 POLICE ROLE
The Police or other statutory enforcement agency may request assistance in
order to:
a)
b)
c)
d)
Assist with the deployment of resources.
Monitor potential public disorder or other major security situations
Assist in the detection of crime.
Facilitate the apprehension and prosecution of offenders in relation to crime
and public order.
11. CONTROL OF RECORDED IMAGES
11.1 RECORDING OF IMAGES
Recorded images may be submitted as evidence in criminal proceedings and
therefore must be of good quality and be accurate in content. All such material
will be treated in accordance with strictly defined procedures to provide continuity
of evidence and to avoid contamination of evidence.
Where the system records features such as the location of the cameras and/or a
time and date reference, there will be a documented procedure for ensuring the
accuracy of the embedding process and the person(s) responsible for monitoring
the procedure.
In most cases images from CCTV systems are recorded digitally, although some
systems remain that use VCR equipment and videotapes. Recorded material will
not be sold or used for commercial purposes or the provision of entertainment.
The showing of recorded material to the public will only be allowed in accordance
with current legislation and codes of practice when requested by Police as part of
any investigation.
8
All routine videotape recordings will be kept for a minimum of 14 and a maximum
of 28 days and then erased before re-use in accordance with defined operating
procedures.
In the case of digitally recorded images the length of retention is dependent upon
the number of images captured by motion-activated recording. A documented
procedure will be used to ensure that the system is managed so as to prevent
images being retained for excessive periods and on a par with taped images.
The procedure will include a register identifying:

The person(s) responsible for monitoring image retention

The average time that images are retained

The date of any system adjustments to limit the retention time

Details of all reviewing of videotapes and digital images
The University retains copyright of the tapes and digital recordings and will
enforce copyright to prevent improper use.
11.2 CONTROL OF TAPES
All tapes will remain the property of the University. Each new tape must be
clearly and uniquely marked before it is brought into operation.
At each use the identification number of the tape, date, time of insertion and time
of removal shall be noted in the Register. Between uses tapes will be stored
securely and in such a way that the completeness of the archive is immediately
apparent. The Tape Register will be stored securely.
Except for evidential, training and demonstration purposes, tapes containing
recordings will not be removed under any circumstances. All tapes will be erased
prior to disposal.
11.3 COPYING AND REVIEW OF TAPES AND DIGITAL IMAGES
Except for training, demonstration and evidential purposes tapes and digital
recordings will not be copied in whole or in part.
Viewing of recorded images will only take place in a restricted area and there will
be no general access to that area while viewing is in progress. A register will be
kept and will include the following:
9

The reason for the viewing

The outcome, if any, of the viewing

The name(s) of the person(s) viewing the images and if this includes third
parties, the organisation from whence they come

The date and time of any removal of images

The name of the person removing the images

The date and time the images were returned to the system or secure place, if
they have been retained for evidential purposes
11.4 EVIDENTIAL TAPES
Tapes and discs required for evidence will be dealt with in accordance with the
Police and Criminal Evidence Act 1984 (PACE) or any other statutory provision.
A record will be made in a Register (see 5.3 Above) of the release of such tapes
to the Police or to other authorised applicants.
The record will include the name, number and operating base of any Police
Officer removing images from the University. In accordance with the Data
Protection Act 1998 the release of images will be treated in the same way as with
other form of personal data and will require a written request signed by an officer
not below the rank of Inspector or the equivalent in the case of other enforcement
agencies.
12. DISCLOSURE
All staff involved in operating the equipment must be able to recognise a request
for access to recorded images by data subjects. A guidance note to assist staff
will be posted in each Security Control Room
Data subjects requesting access will be provided with a standard subject access
request form which:

Indicates the information required in order to locate the images requested.
Data Subjects will be required to provide dates and time of when they
visited the premises or area subject to CCTV surveillance
10

Indicates the information required in order to identify the person making the
request. A photograph of the individual may be requested in order to locate
the correct image

Indicates the fee that will be charged for carrying out the search for the
images requested. A fee of £10.00 will be charged for the search.

Asks whether the individual would be satisfied with merely viewing the
images recorded.

Indicates that the response will be provided promptly and in any event
within 40 days of receiving the required fee and information.

Explains the rights provided by the 1998 Act
Data subjects shall, at the time they are provided with the subject access request
form, also be given a leaflet describing the type of images that are recorded and
retained, the purposes for which those images are recorded and retained and
information about the University’s disclosure policy in relation to those images.
Upon individual request, disclosure to people whose images have been recorded
and retained may be allowed (Unless disclosure to the individual would prejudice
criminal inquiries or criminal proceedings). All subject access requests should be
dealt with by the Campus Security Manager or a Duty Security Supervisor, who
should locate the images requested.
The Security Manager or a Duty Security Supervisor will determine whether
disclosure to an individual would entail disclosing images of third parties and
whether those images are held under a duty of confidence. If third party images
are not to be disclosed for this reason, the Campus Security Manager shall
arrange for the third party images to be disguised or blurred. If the system does
not have facilities for this type of editing a third party or company will be hired to
carry it out.
In the case of the University, third party images are mainly but not exclusively
held other than under a duty of confidence.
All requests for access or for disclosure should be recorded. If access or
disclosure is denied, the reason should be documented, to include:

The identity of the individual making the request

The date of the request

The reason for refusing to supply the images requested
11

The name and signature of the Campus Security Manager or Duty Security
Supervisor making the decision to deny access.
If access to or disclosure of the images is allowed, then the following will be
documented:

The date and time at which access was allowed or the date upon which
disclosure was made

The identification of any third party who was allowed access or to whom
disclosure was made

The reason for allowing access or disclosure

The extent of the information to which access was allowed or which was
disclosed
13. REVIEW
The Head of Security will undertake regular reviews of all documented
procedures to ensure that the provisions of this Code of Practice are complied
with.
An internal annual assessment will be undertaken to evaluate the effectiveness
of the system measured against the stated purpose of the scheme. If the scheme
is not achieving its purpose it will be discontinued or modified.
A report on the review and assessment process will be forwarded annually to the
Data Controller for monitoring purposes.
14. COMMENTS AND COMPLAINTS
Comments or complaints concerning the University CCTV systems may be
addressed to the Head of Security who has operational responsibility for the
systems. Contact details can be found at the beginning of this document.
12
13