1. Introduction

The images may be recorded on DVD or other digital recording mechanism. The Club is a data controller with reference to the personal data which it manages, processes and stores. The purpose of this document is to provide a concise policy regarding the CCTV Policy of the Club. The Members of the Club should refer to the guidance provided by the Information Commissioner's Office (www.ico.org.uk) as well as seeking professional advice regarding best practice in this area. The Data Protection Officer is named for the avoidance of doubt.

Personal Data is defined under Article 1 of the UK General Protection Regulation ('UK GDPR'), also known as the UK's implementation of the GDPR - Data Protection Act 2018 ('DPA 2018') as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

Data is information in any format that can be processed. It includes automated or electronic data (any information on computer or information recorded with the intention of putting it on computer) and manual data (information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system). For these purposes, the Club may be considered as a Data Controller i.e. an organisation which (either alone or with others) controls the content and use of Personal Data. The Club's CCTV system is password protected and can only be accessed by the Club Committee designated Authorised Personnel Only (the 'CCTV Operator and Data Controller').

2. Purpose of the Policy

This policy relates directly to the location and use of CCTV and the monitoring, recording and subsequent use of such recorded material. The policy applies equally to personal data obtained by the Club via CCTV which is subsequently held in manual and automated form.

CCTV systems are installed (both internally and externally) on the Club's premises ('the Premises') for the purpose of enhancing the security of the Premises and its associated equipment, as well as creating a mindfulness among the occupants of the Premises that a surveillance security system is in operation within and/or in the external environs of the Premises both during and after normal attendance hours each day.

CCTV recording at the Club's Premises is intended for the purposes of:

• Protecting the Club buildings and assets, both during and after normal attendance hours, the Premises' perimeter, entrances and exits, steaming bays, rail tracks, buildings and storage areas.
• Promoting and protecting the health and safety of members and visitors at the Premises.
• Reducing the incidence of crime and anti-social behaviour (including theft and vandalism).
• Supporting the Police in a bid to deter and detect crime.
• Assisting in criminal investigations (carried out by The Police), including robbery, burglary, vandalism, damage and theft surveillance.
• Monitoring of access control systems: Monitor and record restricted access areas at entrances to the Premises and other areas.
• Verifying security alarms: Intrusion alarms, exit door controls, external alarms.
• Managing any health and safety risks and/or accidents in accordance with the Company's health and safety obligations and relevant insurance policies.

(Together 'the Purpose')

3. Scope

This policy relates directly to the location, use and purpose of CCTV at the Premises and the monitoring, recording and subsequent use of Recorded Data recorded by the CCTV. Where work activities are carried out in premises other than the Premises and which are rented by the Club for that purpose ('Rented Premises'), the Company will, insofar as is within the Club's power to do so, ensure that CCTV systems, where installed at such Rented Premises, are operated only in a way that is compatible with the provisions of this policy.

4. General Principles

The Club has a statutory responsibility to protect its property, equipment, and other plant as well as to provide a sense of security to its members, contractors and visitors to its Premises. The Club has a duty of care to such members, contractors, and visitors to its Premises under the provisions of the Safety, Health and Welfare at Work Act 2005 and associated legislation and utilises the CCTV systems and their associated monitoring and recording equipment as an added mode of security and surveillance to assist the Club to meet such duties.

The Club's use of the CCTV system is conducted by the Club in a professional, ethical and legal manner and utilised for the Purpose only. Any deviation from this policy and the use of CCTV for other purposes is prohibited by this policy e.g. CCTV will not be used by the Club for monitoring member's attendance and activities.

Recorded Data obtained by the Club through the CCTV system may only be released by the Club to any third party when such release is authorised by the Chairman. Any requests received by the Club from third parties including from The Police for Recorded Data recorded using the Club's CCTV system will be appropriately logged by the Club and legal advice as to the Club's obligations to comply with such request and related matters may, at the discretion of the Chairman, Secretary and CCTV Operator and Data Controller be sought if any such request is made. (See "CCTV Access" below.)

CCTV monitoring by the Club of public areas within or adjacent to the Premises for security purposes will be conducted by the Club in a manner consistent with all relevant policies adopted by the Club and in force at that time.

The policy is based on compliance of the 12 guiding Principles of the Home Office Surveillance Camera Code of Practice within DPA 2018.

5. Justification for Use of CCTV

Article 5(1) (b) of the UK GDPR states that Personal Data shall be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes".

This means that the Club needs to be able to justify the obtaining and use of Personal Data by means of CCTV. The use by the Club of CCTV to monitor the Premises for the Purpose has been deemed to be justified by the Club's committee members on behalf of the Club members. The CCTV system is intended to capture images of intruders or of individuals damaging property or removing goods without authorisation and for security and health and safety purposes (Risk assessment attached).

6. Location of Cameras

Article 5(1) (a) of UK GDPR states that Personal Data shall be "processed lawfully, fairly and in a transparent manner in relation to the data subject".

The location of the CCTV cameras at the Premises is a key consideration for the Club when operating CCTV. The Club does not seek to locate CCTV cameras to monitor areas of the Premises where individuals would have a reasonable expectation of privacy. The Club has endeavoured to select locations for the installation of CCTV cameras which minimise such intrusion to protect the privacy of individuals at the Premises so far as is reasonable.

Cameras placed by the Club to record external areas of the Premises are, so far as is reasonably possible, positioned to prevent or minimise recording of passers-by or of another person's private property.

7. Covert Surveillance

The Club does not engage in covert surveillance. Where the Police requests the Company to carry out covert surveillance on any the Company Premises, such covert surveillance must be requested by The Police in writing and approved in advance by the Chairman, Secretary and CCTV Operator and Data Controller. The Club may seek legal advice in relation to any such request(s) and act accordingly.

8. Notification – CCTV Signage

A copy of this CCTV Policy will be made available on request to the Club members, contractors, and visitors to the Premises in accordance with their rights as data subjects under the legislation. This policy describes the purpose and location of CCTV monitoring and provides a contact number for those wishing to discuss the Club's use of CCTV monitoring and guidelines for its use with the Club.

Adequate signage will be placed at each location at the Premises in which a CCTV camera(s) is sited to indicate that CCTV is in operation. Adequate signage will also be prominently displayed at the entrance to the Premises. Signage shall include the SAR (Subject Access Request) process, along with a contact name and contact details (email) of the Clubs Data Protection Officer (The Club Secretary), of all Recorded Data and state the specific purpose(s) for which the CCTV camera is in place in each location at the Premises.

Appropriate locations for signage will include:

• At entrances to the Premises i.e. external doors.
• Reception area in the Premises.
• At or close to each internal camera.

9. Storage & Retention

Article 5(1) (e) of UK GDPR states that Personal Data shall be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed".

All Recorded Data captured by the Club CCTV system will be retained by the Club for a maximum of one calendar month, except where the Club reasonably believes that an image (or images) of such Recorded Data identifies an issue or potential issue and is retained by the Club specifically in the context of an investigation/prosecution of that issue or potential issue.

Article 5(1) (f) of UK GDPR states that Personal Data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

All Recorded Data will be stored by the Club in a secure environment and the Club will maintain an access log recording all individuals accessing such Recorded Data. Access to Recorded Data will be restricted by the Club to Authorised Personnel Only (the 'CCTV Operator and Data Controller') by the Club to access such Recorded Data ('Authorised Personnel'). Supervising the access and maintenance by the Club of CCTV is the responsibility of the Chairman, Secretary and CCTV Operator and Data Controller.

In certain circumstances, the Recorded Data may also be viewed by other individuals other than the Authorised Personnel for the Purpose, including the Police, the Chairman of the Club, the Club's insurance providers ('Additional Authorised Individuals'). When Recorded Data is being viewed, the Club will use its reasonable endeavours to limit access to such Additional Authorised Individuals which the Club reasonably believes need access to such Recorded Data in accordance with the Purpose.

10. CCTV Access

The Club shall ensure that USB keys/DVDs/hard drives storing the Recorded Data and the monitoring equipment comprising the CCTV system and the system for storing such Recorded Data will be securely stored in a restricted area (the 'Secure Area'). The Club shall endeavour to prevent unauthorised access to the secure area at any time. The Secure Area will be locked when not occupied by the Authorised Personnel. The Club will maintain an access log recording appropriate details in relation to each access to the Secure Area and viewing of the Recorded Data whether by the Authorised Personnel or any Additional Authorised Individuals.

The Club shall restrict access to the CCTV system and Recorded Data to Authorised Personnel Only (the 'CCTV Operator and Data Controller') as designated by the Club Committee - Access to, and the security of, the images should be controlled. – DPA 2018 Principle 3, 5 & 7. Where the Club deems it necessary, CCTV footage and Recorded Data may be accessed by Additional Authorised Individuals as follows:

• By the Police where the Club are required by law to make a report regarding the commission of a suspected crime; or
• Following a request by the Police when a crime or suspected crime has taken place and/or when it is suspected that illegal/anti-social behaviour is taking place on or around the Premises or other the Club property; or
• By individuals (or their legal representatives) subject to a court order being made obliging the Club to allow access; or
• By the Club's insurers where the insurers require same in order to pursue a claim for damage done to the Premises or in respect of any health and safety issue occurring or alleged to have occurred at the Premises.

Requests by the Police

Information to include Recorded Data obtained by the Club through CCTV will only be released by the Club to The Police when authorised by the Chairman in consultation with the Club Secretary and CCTV Operator and Data Controller. If a law enforcement authority, such as The Police, is seeking Recorded Data for a specific investigation, the Club will seek that any such request is made in writing stating that The Police is investigating a criminal matter. The Club may again, at its discretion, seek legal advice on any such requests made by the Police.

The ICO guidance on the use of CCTV makes a distinction between a request by the Police to view Recorded Data on the Premises and a request to take away or download a copy of the Recorded Data. The Club will always seek confirmation in writing from The Police in respect of a request to take away or download Recorded Data and seek that the written request is on The Police headed paper and sets out the details of the Recorded Data required and the legal basis for such a request. In urgent matters, verbal requests from The Police to view or access Recorded Data can be dealt with by the Club and can then be followed up by a written request from The Police.

Subject Access Requests (SAR)

On written request, any individual who is the subject of Personal Data (Data Subject) and whose image has been recorded in the Recorded Data has a right to be given a copy of the Recorded Data retained at that time by the Club which relates to him/her, provided always that such Recorded Data exists at the time of the relevant request i.e. has not been deleted and provided also that an exemption/prohibition does not apply to the release of such Recorded Data.

Where the relevant Recorded Data identifies another individual, that Recorded Data may only be released by the Club to the Data Subject where the relevant image(s) in the relevant Recorded Data can reasonably be redacted/anonymised/pixelated so that any other person(s) are not identified or identifiable or where the other person(s) have provided his/her explicit consent to the release of the Recorded Data to the Data Subject.

To exercise their right of access to Recorded Data relating to a Data Subject, that Data Subject must make an application in writing to the Club Secretary as the Data Protection Officer (a 'Request'). The Club may provide a SAR Form to complete where necessary. The Club Chairman should review the request and the Club must respond within one month of receipt of each such Request.

Requests should be made to the Club Secretary, as the Data Protection Officer, and reviewed by the Chairman. A Data Subject delivering a Request to the Club should provide all information with that Request which the Club deems necessary to assist the Club in locating the requested Recorded Data, such as the date, time and location of the relevant Recorded Data. If the relevant image(s) comprising the Recorded Data is of such poor quality as not to clearly identify an individual, that image may be deemed by the Club to not be Personal Data, and the Club may inform the relevant Data Subject who has made the relevant Request of that finding and may decline to hand over the relevant Recorded Data on that basis.

In circumstances where Recorded Data that is the subject of a Request cannot be copied to another device, or in other exceptional circumstances, the Club will endeavour to provide stills of the relevant Recorded Data as alternative to video footage to the Data Subject.

11. Responsibilities

The Club's Chairman is to ensure that the Club's use of its CCTV systems is implemented in accordance with the policy set down by the Club (as in force from time to time).

• Oversee and co-ordinate the use by the Club of CCTV monitoring for the Purpose at and within the Premises.
• Ensure that all the Club's existing CCTV monitoring systems will be evaluated for compliance with this policy.
• Ensure that the Club's use of CCTV monitoring at the Premises is consistent with guidance from the Information Commissioner's Office and complies with the Club's legal obligations.
• Review camera locations at the Premises and be responsible for the release of any Recorded Data created and stored in compliance with this policy.
• Maintain an access log recording access to the Secure Area and to the Recorded Data and of the release of Recorded Data and the medium upon which Recorded Data is stored.
• Ensure that the DVD, or other digital recording mechanism, containing Recorded Data are not duplicated for release otherwise than in compliance with this policy.
• Ensure that the perimeter of view from fixed location CCTV cameras installed and operated by the Club conforms to this policy both internally and externally.
• Approve the location of temporary cameras to be used by the Club during special events that have particular security requirements and ensure their withdrawal following such events.
• Give consideration to member, contractor and visitor feedback/complaints regarding possible invasion of privacy or confidentiality due to the location of a particular CCTV camera or associated equipment at the Premises.
• Co-operate with the Health & Safety Officer of the Club in reporting to any relevant persons on the CCTV system in operation in the Club.
• Ensure that adequate signage is maintained at appropriate and prominent locations in compliance with this policy.
• Ensure that external cameras forming part of the CCTV system are non-intrusive in terms of their positions and views of neighbouring residential housing and comply with an individual's reasonable expectation of privacy.
• Ensure that Recorded Data stored on USB keys/DVDs/digital recordings are stored for a period not longer than one calendar month and are then erased unless required as part of a criminal investigation or court proceedings (criminal or civil) or other bona fide use as approved by the Chairman or, in his absence the by the Club Secretary and CCTV Operator and Data Controller.
• Ensure that camera control by the Club is solely to monitor suspicious behaviour, criminal damage etc. in accordance with the Purpose and not to monitor individual characteristics.
• Ensure that camera control by the Club is not infringing an individual's reasonable expectation of privacy in public areas.
• Ensure that where the Police request to set up mobile video equipment for criminal investigations, appropriate legal advice is, where deemed necessary by the Chairman, obtained and such activities have the approval of the committee prior to set-up.

12. Implementation & Review

The policy will be reviewed and evaluated at least annually by the Chairman. Ongoing review and evaluation will take cognisance of changing legislation, information, or guidelines (e.g. from the ICO or the Police).