Apartamentos turísticos

H6.1 General Requirements

1. Where schools operate CCTV systems it will be necessary to satisfy the legal requirements of the Data Protection Act, the Police and Criminal Evidence Act and other relevant legislation. This will require ensuring that data security, evidence admissibility and civil liberties are not compromised.

2. Responsibility for the operation and administration of a school CCTV system must be identified and key appointments will need to be made of the Data Controller, System Manager and System Operators.

July 2014 (Issue 3a) Page 69 of 186 H6.2 The Data Controller

1. The Data Controller takes ultimate responsibility for determining the purposes for and the manner in which data is processed, and for ensuring that processes are in place to prevent unauthorised disclosure of captured data.

2. It is appropriate that the Data Controller should be the Head teacher or a delegated person within the School where CCTV Equipment has been located. The responsibilities of the Data Controller should include:

 Defining the purpose of the CCTV Installation – The likely purposes of the installations in this project will be to ‘prevent and detect crime’ and to ‘apprehend and prosecute offenders’. Schools may also decide that CCTV data will be used to ‘assist in the management of pupil behaviour’.  Informing others of the purpose of the CCTV Installation – Schools should

decide what level of notification is appropriate depending upon the defined purpose. Options will range from displaying signage at entrances (guidance on signage is available) to notifying parents that data will be captured.

 Deciding how long CCTV data will be retained – The digital hard drives installed at the Secondary Schools will automatically record all data captured and after a set period will automatically ‘over-write’ old data. Schools can decide to erase data at an earlier stage or alternatively to download data to some other recording media to retain data for longer periods.

 Controlling access to data – Given the nature of CCTV data, it is highly likely that ‘personal data’ (images of persons) and possibly ‘sensitive personal data’ (e.g. persons committing crimes). Data controllers will therefore be responsible for ensuring that access to, and disclosure of, recorded images is restricted and carefully controlled.

H6.3 The System Manager

1. Acting under the direction of the Data Controller, the System Manager will be responsible for the management and maintenance of the physical system. This person will ensure that best practice is adhered to, that records are auditable and that data is made available in accordance with legal requirements. H6.4 The System Operators

1. The system operators have day-to-day access to and control of the system. They must comply with instructions from the Data Controller or System Manager to ensure that the data under their control is not compromised. The system operators should be formally appointed and aware of their obligations and responsibilities. Due to the nature of the equipment installed in most

July 2014 (Issue 3a) Page 70 of 186 cases it will be possible to suitably control access to the CCTV data by means of password protection.

H6.5 CCTV System Operations

1. The majority of the day-to-day operation of the system will require a good deal of input from the System Operators. Suitable regular checks should be in place to ensure that:

 All cameras are functioning correctly.

 Camera views are correct and do not infringe upon inappropriate areas.  All multiplexing, recording and monitoring equipment is set properly.  Tapes, disks or other recording materials are properly inserted and

functioning.

 Used tapes, disks and other recorded media are passed to the data controller for safe storage.

 All documentation handed over is complete and up to date.

 Systems are not left logged on while operators are not in attendance. H6.6 Security Procedures

1. Operators must at all times be aware that they have access to restricted data and that they must not communicate any information to persons other than the system Owner, Manager, Data Controller or persons authorised by them. Access to the CCTV Equipment should be restricted at all times to prevent unauthorised access to data. This can be achieved through the use of password protection. The Data Controller should put procedures for the changing of passwords in place.

H6.7 Incident Reporting

1. When an incident occurs, the Operator, Manager or Controller should:  Operate camera and screen controls to ensure that the appropriate

footage has recorded, having due regard for the privacy of individuals not committing an offence.

 Along with the maintenance of the Log Book, fill out ‘CCTV Incident report Form’. This must be carried out immediately after or as soon as possible after the reported incident.

 Inform the System Manager and Data Controller of the incident at the earliest opportunity and comply with any instructions received. H6.8 Management of and Access to Recorded Material

1. Recorded material should be stored on the hard drive of the CCTV Equipment, and also possible on external tapes, disks or drives in line with the Data Controllers procedures.

July 2014 (Issue 3a) Page 71 of 186 2. If data is to be downloaded from the system that contains footage of an

incident that needs to be stored for future review or to be used as evidence, then this will need to be carried out in accordance with strict procedures. Where the Police are involved in this process, appropriate guidance will be given. Data taken from the system should be locked in a separate and suitably secure container. When any tape or disk is removed from secure storage for review, disclosure to Police or other body, or viewing by a subject granted access by the Data Controller, records of all access and all people accessing this data should be carefully maintained.

3. Access to recorded material should be restricted to the System Manager or the System Operator under instruction from the Data Controller.

H6.9 Subject Access Request

1. When a person makes a request to view any data held on recorded media and pertaining to them, they should be referred to the System Manager or Data Controller.

2. Requests for personal data by official bodies, such as Police, Inland Revenue or Customs and Excise, must be made on an official access request form.

3. The Data Controller, having satisfied himself/herself of the subject’s identity, will review the material requested (complying with all procedures previously mentioned in this manual) and will decide whether access can be granted. A written response to the data subject must be made within 40 days.

H6.10 Declaration of Confidentiality

1. It is necessary for all persons involved in the control and administration of a CCTV system to sign a declaration of confidentiality in which they agree to abide by the Code of Practice and Operating Manual associated with the system.

2. Managers, Operators and third parties must complete a Declaration of

Confidentiality, before they are permitted to have any form of contact with the CCTV system.