CLOSED CIRCUIT TELEVISION (CCTV)
1.1 SYNLAB believes that CCTV and other surveillance systems have a legitimate role to play in helping to maintain a safe and secure environment for all of its staff and visitors. However, SYNLAB recognises that this may raise concerns about the effect on individuals and their privacy. This CCTV Policy is intended to address such concerns. Images recorded by surveillance systems are Personal Data which must be processed in accordance with data protection laws. SYNLAB is committed to complying with its legal obligations and ensuring that the legal rights of staff, relating to their Personal Data, are recognised and respected.
1.2 This policy is intended to assist SYNLAB staff in complying with their own legal obligations when working with Personal Data. In certain circumstances, misuse of information generated by CCTV or other surveillance systems could constitute a criminal offence.
For the purposes of this CCTV Policy, the following terms have the following meanings:
CCTV: means cameras designed to capture and record images of individuals and property.
Data: means information which is stored electronically, or in certain paper-based filing systems. In respect of CCTV, this generally means video images. It may also include static pictures such as printed screen shots.
Data Controllers: means those people who, or organisations which, determine the manner in which any Personal Data is processed. They are responsible for establishing practices and policies to ensure compliance with the applicable law. SYNLAB is the Data Controller of all Personal Data used in SYNLAB’s business for SYNLAB’s own commercial purposes.
Data Processors: means any person or organisation that is not a Data User (or other employee of a Data Controller) that Processes Personal Data on SYNLAB’s behalf and in accordance with SYNLAB’s instructions (for example, a supplier which handles Personal Data on SYNLAB’s behalf).
Data Subjects: means all living individuals about whom SYNLAB holds Personal Data as a result of the operation of its CCTV.
Data Users: means those SYNLAB employees whose work involves the Processing of Personal Data. This will include those whose duties are to operate CCTV cameras and other surveillance systems to record, monitor, store, retrieve and delete images. Data Users must protect the Personal Data they handle in accordance with this CCTV Policy and SYNLAB’s Privacy Standard.
Personal Data: means data relating to a living individual who can be identified from that data (or other data in SYNLAB’s possession). This will include video images of identifiable individuals.
Processing: is any activity which involves the use of Personal Data, including obtaining, recording or holding data, or carrying out any operation on the Personal Data including organising, amending, retrieving, using, disclosing or destroying it. Processing also includes transferring Personal Data to third parties.
Surveillance Systems: means any devices or systems designed to monitor or record images of individuals or information relating to individuals. The term includes CCTV systems as well as any technology that may be introduced in the future such as automatic number plate recognition (ANPR), body worn cameras, unmanned aerial systems and any other systems that capture information of identifiable individuals or information relating to identifiable individuals.
3. ABOUT THIS POLICY
3.1 SYNLAB currently uses CCTV cameras to view and record individuals on SYNLAB premises. This CCTV Policy outlines why SYNLAB uses CCTV, how SYNLAB will use CCTV and how SYNLAB will process Personal Data recorded by CCTV cameras to ensure that SYNLAB is compliant with data protection law and best practice. This CCTV Policy also explains how to make a subject access request in respect of Personal Data created by CCTV.
3.2 SYNLAB recognises that Personal Data that SYNLAB holds about individuals is subject to data protection legislation. The images of individuals recorded by CCTV cameras in the workplace are Personal Data and therefore subject to the legislation governing data protection, including the General Data Protection Regulation (GDPR).
3.3 This CCTV Policy covers all employees, directors, officers, consultants, contractors, freelancers, volunteers, interns, casual workers, zero hours workers and agency workers and may also be relevant to visiting members of the public.
3.4 This policy is non-contractual and does not form part of the terms and conditions of any employment or other contract. SYNLAB may amend this policy at any time. The policy will be regularly reviewed by SYNLAB to ensure that it meets legal requirements.
4. PERSONNEL RESPONSIBLE
4.1 The board of directors has overall responsibility for ensuring compliance with relevant legislation and the effective operation of this policy. Day-to-day management responsibility for deciding what information is recorded, how it will be used and to whom it may be disclosed has been delegated to the head of IT/IT director in the country. Day-to-day operational responsibility for CCTV cameras and the storage of data recorded is the responsibility of the IT department.
4.2 Responsibility for keeping this policy up to date has been delegated to the HR department, supported by the IT department and the legal department.
5. REASONS FOR THE USE OF CCTV
5.1 SYNLAB currently uses CCTV as outlined below. SYNLAB believes that such use is necessary for legitimate business purposes, including:
(a) to prevent crime and protect buildings and assets from damage, disruption, vandalism and other crime;
(b) for the personal safety of staff, visitors and other members of the public and to act as a deterrent against crime;
(c) to support law enforcement bodies in the prevention, detection and prosecution of crime;
(d) to assist in day-to-day management, including ensuring the health and safety of staff and others; and
(e) to assist in the effective resolution of disputes which arise in the course of disciplinary or grievance proceedings.
This list is not exhaustive and other purposes may be or become relevant.
6.1 CCTV monitoring varies from site to site, however, it is usually the communal areas of the building, and both the main entrance and secondary exits. This data is continuously recorded 24 hours a day.
6.2 Camera locations are chosen to minimise viewing of spaces not relevant to the legitimate purpose of the monitoring. As far as practically possible, CCTV cameras will not focus on private homes, gardens or other areas of private property.
6.3 Surveillance systems will not be used to record sound.
6.4 Images are monitored by authorised personnel. This monitoring is undertaken when required, not as a standard daily function.
6.5 Staff using surveillance systems will be given appropriate training to ensure they understand and observe the legal requirements related to the processing of relevant data.
7. HOW SYNLAB WILL OPERATE ANY CCTV
7.1 Where CCTV cameras are placed in the workplace, SYNLAB will ensure that signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded. Such signs will contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact for further information, where these things are not obvious to those being monitored.
7.2 SYNLAB will ensure that live feeds from cameras and recorded images are only viewed by approved members of staff whose role requires them to have access to such data. This may include HR staff involved with disciplinary or grievance matters. Recorded images will only be viewed in designated, secure offices.
8. USE OF DATA GATHERED BY CCTV
8.1 In order to ensure that the rights of individuals recorded by the CCTV system are protected, SYNLAB will ensure that Personal Data gathered from CCTV cameras is stored in a way that maintains its integrity and security. This may include encrypting the Personal Data, where it is possible to do so.
8.2 Given the large amount of Personal Data generated by surveillance systems, SYNLAB may store video footage using a cloud computing system. SYNLAB will take all reasonable steps to ensure that any cloud service provider maintains the security of our information, in accordance with industry standards.
8.3 SYNLAB may engage Data Processors to process Personal Data on our behalf. SYNLAB will ensure reasonable contractual safeguards are in place to protect the security and integrity of the data.
9. RETENTION AND ERASURE OF DATA GATHERED BY CCTV
9.1 Personal Data recorded by the CCTV system will be stored digitally using a cloud computing system. Personal Data from CCTV cameras will not be retained indefinitely but will be permanently deleted once there is no reason to retain the recorded information. Exactly how long images will be retained for will vary according to the purpose for which they are being recorded. For example, where images are being recorded for crime prevention purposes, data will be kept long enough only for incidents to come to light. In all other cases, recorded images will be kept for no longer than 90 days.
9.2 At the end of their useful life, all images stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs will be disposed of as confidential waste. Any still photographs and hard copy prints will be disposed of as confidential waste.
10. USE OF ADDITIONAL SURVEILLANCE SYSTEMS
10.1 Prior to introducing any new surveillance system, including placing a new CCTV camera in any workplace location, SYNLAB will carefully consider if they are appropriate by carrying out a privacy impact assessment (PIA).
10.2 A PIA is intended to assist SYNLAB in deciding whether new surveillance cameras are necessary and proportionate in the circumstances and whether they should be used at all or whether any limitations should be placed on their use.
10.3 Any PIA will consider the nature of the problem that SYNLAB is seeking to address at that time and whether the surveillance camera is likely to be an effective solution, or whether a better solution exists. In particular, SYNLAB will consider the effect a surveillance camera will have on individuals and therefore whether its use is a proportionate response to the problem identified.
10.4 No surveillance cameras will be placed in areas where there is an expectation of privacy (for example, in changing rooms or toilets) unless, in very exceptional circumstances, it is judged by SYNLAB to be necessary to deal with very serious concerns.
11. COVERT MONITORING
11.1 SYNLAB will never engage in covert monitoring or surveillance (that is, where individuals are unaware that the monitoring or surveillance is taking place) unless, in highly exceptional circumstances, there are reasonable grounds to suspect that criminal activity or extremely serious malpractice is taking place and, after suitable consideration, we reasonably believe there is no less intrusive way to tackle the issue.
11.2 In the unlikely event that covert monitoring is considered to be justified, it will only be carried out with the express authorisation of the Group General Counsel. The decision to carry out covert monitoring will be fully documented and will set out how the decision to use covert means was reached and by whom. The risk of intrusion on innocent workers will always be a primary consideration in reaching any such decision.
11.3 Only limited numbers of people will be involved in any covert monitoring.
11.4 Covert monitoring will only be carried out for a limited and reasonable period of time consistent with the objectives of making the recording and will only relate to the specific suspected illegal or unauthorised activity.
12. ONGOING REVIEW OF CCTV USE
12.1 SYNLAB will ensure that the ongoing use of existing CCTV cameras in the workplace is reviewed periodically to ensure that their use remains necessary and appropriate, and that any surveillance system is continuing to address the needs that justified its introduction.
13. REQUESTS FOR DISCLOSURE
13.1 No images from SYNLAB’s CCTV cameras will be disclosed to any third party, without express permission being given by the Group General Counsel. Personal Data will not normally be released unless satisfactory evidence that it is required for legal proceedings or under a court order has been produced.
13.2 In accordance with applicable laws, SYNLAB will allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime.
13.3 SYNLAB will maintain a record of all disclosures of CCTV footage.
13.4 No images from CCTV will ever be posted online or disclosed to the media.
14. SUBJECT ACCESS REQUESTS
14.1 Data Subjects may make a request for disclosure of their Personal Data and this may include CCTV images (data subject access request). A data subject access request is subject to the statutory conditions from time to time in place and should be made in writing, in accordance with the SYNLAB subject access policy.
14.2 In order for SYNLAB to locate relevant footage, any requests for copies of recorded CCTV images must include the date and time of the recording, the location where the footage was captured and, if necessary, information identifying the individual.
14.3 SYNLAB reserves the right to obscure images of third parties when disclosing CCTV data as part of a subject access request, where it considers it necessary to do so.
15.1 If any member of staff has questions about this policy or any concerns about our use of CCTV, then they should speak to their manager in the first instance or contact David Akinpitansoye.
15.2 Where this is not appropriate or matters cannot be resolved informally, employees should use our formal grievance procedure.
16. REQUESTS TO PREVENT PROCESSING
16.1 SYNLAB recognises that, in rare circumstances, individuals may have a legal right to object to processing and in certain circumstances to prevent automated decision making (see Articles 21 and 22 of the General Data Protection Regulation). For further information regarding this, please contact the SYNLAB Group Data Protection Officer (GDPO) Tom Chakraborti at [email protected]