At MyLo we believe that CCTV plays a legitimate role in helping to maintain a safe and secure environment for all our team members, residents, guests, partners, suppliers and contractors. Images recorded by CCTV are Personal Data and as such must be processed in accordance with data protection laws. We are committed to complying with our legal obligations in order to appropriately handle and protect Personal Data and ensure that the legal rights of team members, residents, guests, partners and contractors relating to their Personal Data, are recognised and respected.
This policy is intended to enable team members, residents, guests, partners and contractors to understand how MyLo uses CCTV, those departments responsible for CCTV use, the rights individuals may have in relation to CCTV, who has access to CCTV images and how individuals can raise any queries or concerns they may have.
For the purposes of this policy, the following terms mean:
CCTV: means cameras, devices or systems including fixed CCTV and any other systems that capture information of identifiable individuals or information relating to identifiable individuals.
CCTV Data: means any Data in respect of CCTV, e.g. video images, static pictures, etc.
Data: means any information which is stored electronically or in paper-based filing systems.
Data Subject: means any individuals who can be identified directly or indirectly from CCTV Data (or other Data in our possession). Data Subjects include team members, residents, guests, partners and contractors and members of the public.
Data Controller: is the organisation or authority which, determines how and for what purpose the Personal Data is processed. When operating CCTV, MyLo is the relevant Data Controller and is responsible for ensuring compliance with the Data Protection Laws.
CCTV users: are team members whose work involves processing CCTV Data. This will include those whose duties are to operate CCTV to record, monitor, store, retrieve and delete images. Data users must protect the CCTV Data they handle in accordance with this policy.
Data Protection Laws:
- a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”) and any equivalent or implementing legislation;
- b) all other applicable laws, regulations or court judgements relating to the processing of personal data, data privacy, electronic communications, marketing and/or data security; and
- c) any and all legally binding guidelines, recommendations, best practice, opinions, directions, decisions, or codes issued, adopted or approved by the European Commission, the Article 29 Working Party, the European Data Protection Board, the UK’s Information Commissioner’s Office and/or any other supervisory authority or data protection authority from time to time in relation to the processing of personal data, data privacy, electronic communications, marketing and/or data security;
in each case as from time to time in force and as from time to time amended, extended, consolidated, re-enacted, replaced, superseded or in any other way incorporated into law and all orders, regulations, statutes, instruments and/or other subordinate legislation (including the Data Protection Bill 2017 when in force) made under any of the above in any jurisdiction from time to time.
Processing: is any activity which involves the use of CCTV Data, whether or not by automated means. It includes collecting, obtaining, recording or holding CCTV Data, or carrying out any operation or set of operations on the CCTV Data including organising, structuring, amending, retrieving, using, disclosing or erasing or destroying it. Processing also includes transferring CCTV Data to third parties.
Site: means the MyLo Nine Elms Point, Haydn Tower, 50 Wandworth Road, London, SW8 2FN
- About this policy
2.1: We currently use CCTV to view and record individuals at our Site, 24 hours per day, 7 days per week. This policy sets out why we use CCTV, how we will use CCTV and how we will process any CCTV Data recorded by CCTV to ensure that we are compliant with Data Protection Law.
2.2: The images of individuals recorded by CCTV are Personal Data and therefore subject to the Data Protection Laws. MyLo is the Data Controller of all CCTV Data captured at our site.
2.3: This policy covers all team members, residents, guests, partners and contractors and may also be relevant to members of the public visiting the site.
- Staff responsible
The Regional Facilities Manager (Robert Leahy) has overall responsibility for ensuring compliance with Data Protection Laws and the effective operation of this policy. Day-to-day operational responsibility for CCTV and the storage of CCTV Data recorded is the responsibility of the Community Manager. Should you have any queries on the use of CCTV or surveillance systems by us please contact Robert.Leahy@Greystar.com.
- Why we use CCTV
4.1: We currently use CCTV around our site as outlined below. We believe that such use is necessary for the following legitimate business purposes:
(a) to prevent or detect crime and protect buildings and assets from damage, disruption, theft, vandalism and other crime;
(b) for the personal safety of team members, residents, guests, partners and contractors and other members of the public and to act as a deterrent against crime;
(c) for the health and safety of those people using communal areas;
(d) to support law enforcement bodies in the prevention, detection and prosecution of crime; and
(e) to support any internal investigations as part of a team member disciplinary procedure.
We may implement or use CCTV for purposes other than those specified above which we will notify you of from time to time.
5.1: The locations of the CCTV are chosen to minimise the viewing of spaces/individuals which are not relevant to the legitimate purpose of the monitoring as specified above.
5.2: Currently, none of our CCTV records sound.
5.3: A live feed from the CCTV is not monitored continuously, images are only revisited in the event of an incident or if a request is made.
5.4: Any team member using CCTV will be given training to ensure that they understand and observe the legal requirements relating to the processing of any Data gathered.
- How we operate CCTV
6.1: Where CCTV is in use at our site, we will ensure that signs are displayed to alert team members, residents, guests, partners and contractors that their image may be recorded.
6:2: We will ensure that live feeds from the CCTV are only viewed by appropriately authorised members of the property team. Recorded images will only ever be viewed in the Community Manager’s Office which is restricted and access only by our property team members and Greystar Operational Directors, Regional Facilities Managers or the Health and Safety Manager.
- How we use the Data
7.1: In order to ensure that the rights of individuals recorded by our CCTV are protected, we will ensure that CCTV Data gathered from such systems is stored in a way that maintains its integrity and security. This may include encrypting the Data, where it is possible to do so.
7.2: We will ensure that any CCTV Data is only used for the purposes specified in section 4.1 above. We will not use CCTV Data for another purpose unless permitted by Data Protection Laws.
7.3: Where we engage Data Processors to process Data on our behalf, we will ensure contractual safeguards are in place to protect the security and integrity of the Data.
- Retention and erasure of Data
8.1: Data recorded by our CCTV will be stored locally on servers at our site. We will not retain this Data indefinitely but will permanently delete it once there is no reason to retain the recorded information. Exactly how long the Data will be retained for will vary according to the purpose for which it was recorded. For example, where images are being recorded for crime prevention purposes, CCTV Data will be kept only for as long as it takes to establish that a crime has been committed or where we are using the CCTV Data for team member disciplinary purposes, the images will be kept until the process is completed. In all other cases, recorded images will be kept for no longer than 30 days before being overwritten and permanently deleted.
8.2: At the end of its useful life and in any event within 7 years all Data stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs or hard copy photographs will be promptly disposed of as confidential waste.
9 Ongoing review of our use of CCTV
9.1: We will periodically review our ongoing use of existing CCTV at our site to ensure that its use remains necessary and appropriate and in compliance with Data Protection Laws.
9.2: We will also carry out checks to ensure that this policy is being followed by all team members.
- Rights of Data Subjects
10.1 As CCTV Data will identify individuals, it will be considered Personal Data under applicable Data Protection Laws. Under Data Protection Laws, Data Subjects have certain rights in relation to the Personal Data concerning them.
These are as follows:
(a) the right to access a copy of that Personal Data and the following information (this may include CCTV Data captured by our CCTV):
(i) the purpose of the processing;
(ii) the types of Personal Data concerned;
(iii) to whom the Personal Data has or will be disclosed; and
(iv) the envisaged period that the Personal Data will be stored, or if not possible, the criteria used to decide that period;
(b) the right to request any inaccurate Personal Data that we hold concerning them is rectified, this includes having incomplete Personal Data completed;
(c) the right to request the Personal Data we hold concerning them is erased without undue delay, where it is no longer necessary for us to retain it in relation to the purposes it was collected;
(d) the right to request restriction of our processing of Personal Data in certain circumstances; and
(e) the right to lodge a complaint with the Information Commissioner’s Office, if the Data Subject considers that our processing of the Personal Data relating to him or her infringes Data Protection Laws.
- SERVICE PROVIDERS
11.1 In order to operate CCTV across our Site we appoint service providers to provide us with maintenance services related to that CCTV. Such service providers act only on our instructions and on our behalf for the purposes listed in section 4.1 above. We require these service providers by contract to safeguard the privacy and security of Personal Data they process on our behalf.
- Requests of disclosure by third parties
12.1: No images from our CCTV cameras will be disclosed to any third party in accordance with Data Protection Laws.
12.2: In appropriate circumstances, we may allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime.
13.1: If any team member has questions about this policy or any concerns about our use of CCTV, then they should speak to the Community Manager in the first instance.
13.2: Where this is not appropriate or matters cannot be resolved informally, matters should be raise with the Regional Facilities Manager who will escalate this matter as is appropriate.
It has been prepared following the guidelines contained in the Data Protection Commissioner’s “CCTV Code of Practice”. Breach of the DPA is a criminal offence. The enforcing and advisory authority is the Data Protection Commissioner: Tel 01625 545745