Here at Hili Ventures, we believe that CCTV and other surveillance systems have a legitimate role to play in helping to maintain a safe and secure environment for all our staff and visitors. However, we recognise that this may raise concerns about the effect on individuals and their privacy. This policy is intended to address such concerns. Images recorded by surveillance systems are personal data which must be processed in accordance with data protection laws. We are committed to complying with our legal obligations and ensuring that the legal rights of staff, relating to their personal data, are recognised and respected.
This policy is intended to assist staff in complying with their own legal obligations when working with personal data. In certain circumstances, misuse of information generated by CCTV or other surveillance systems could constitute a criminal offence.
For the purposes of this policy, the following terms have the following meanings:
CCTV: means fixed and domed cameras designed to capture and record images of individuals and property.
Data: is information which is stored electronically, or in certain paper-based filing systems. In respect of CCTV, this generally means video images. It may also include static pictures such as printed screen shots.
Data subjects: means all living individuals about whom we hold personal information as a result of the operation of our CCTV (or other surveillance systems).
Personal data: means data relating to a living individual who can be identified from that data (or other data in our possession). This will include video images of identifiable individuals.
Data controllers: are the people who, or organisations which, determine the manner in which any personal data is processed. They are responsible for establishing practices and policies to ensure compliance with the law. We are the data controller of all personal data used in our business for our own commercial purposes.
Data users: are those of our employees whose work involves processing personal data. This will include those whose duties are to operate CCTV cameras and other surveillance systems to record, monitor, store, retrieve and delete images. Data users must protect the data they handle in accordance with this policy and our Data Protection Policy.
Data processors: are any person or organisation that is not a data user (or other employee of a data controller) that processes data on our behalf and in accordance with our instructions (for example, a supplier which handles data on our behalf).
Processing: is any activity which involves the use of data. It includes obtaining, recording or holding data, or carrying out any operation on the data including organising, amending, retrieving, using, disclosing or destroying it. Processing also includes transferring personal data to third parties.
Surveillance systems: means any devices or systems designed to monitor or record images of individuals or information relating to individuals. The term includes CCTV systems as well as any technology that may be introduced in the future such as automatic number plate recognition (ANPR), body worn cameras, unmanned aerial systems and any other systems that capture information of identifiable individuals or information relating to identifiable individuals.
At Hili Ventures Limited (the Controller), we currently use CCTV cameras to view and record individuals on and around our premises. This policy outlines why we use CCTV, how we will use CCTV and how we will process data recorded by CCTV cameras to ensure that we are compliant with data protection law and best practice. This policy also explains how to make a subject access request in respect of personal data created by CCTV.
We recognise that information that we hold about individuals is subject to data protection legislation. The images of individuals recorded by CCTV cameras in the workplace are personal data and therefore subject to the legislation. We are committed to complying with all our legal obligations and seek to comply with best practice suggestions from the Information and Data Protection Commissioner (IDPC), as the data protection supervisory authority in Malta.
This policy covers all employees, directors, officers, consultants, contractors, freelancers, volunteers, attendees, interns, casual workers, zero hours workers and agency workers and also visiting members of the public.
This policy will be regularly reviewed to ensure that it meets legal requirements, relevant guidance published by the IDPC and industry standards.
The Data Protection Officer has overall responsibility for ensuring compliance with the relevant legislation and the effective operation of this policy. Day-to-day management responsibility for deciding what information is recorded, how it will be used and to whom it may be disclosed has been delegated to Director of Group IT and Head of Legal. Day-to-day operational responsibility for CCTV cameras and the storage of the data recorded is the responsibility of James Sciberras at APCO Limited.
Responsibility for keeping this policy up to date has been delegated to the Data Protection Officer.
We currently use CCTV around our sites as outlined below. We believe that such use is necessary for legitimate business purposes, including:
to prevent crime and protect buildings and assets from damage, disruption, vandalism and other crime;
for the personal safety of staff, visitors and other members of the public and to act as a deterrent against crime;
to support law enforcement bodies in the prevention, detection and prosecution of crime;
to assist in the effective resolution of disputes which arise in the course of disciplinary or grievance proceedings; and
to assist in the defence of any civil litigation, including employment tribunal proceedings.
This list is not exhaustive and other purposes may be or become relevant.
CCTV monitors parts of the interior of the building. The following areas are also CCTV monitored:
Corridors on the third floor of the 1923 office building;
Recreational area on the third floor of the 1923 office building; and
Reception area on the first floor of the 1923 office building.
The above areas are monitored via motion detection and the data is not continuously recorded.
Camera locations are chosen to minimise viewing of spaces not relevant to the legitimate purpose of the monitoring. As far as practically possible, CCTV cameras will not focus on internal offices, or other areas where there is a reasonable expectation of privacy.
Surveillance systems will not be used to record sound, and images are monitored only by authorised personnel.
Staff using surveillance systems will be given appropriate training to ensure they understand and observe the legal requirements related to the processing of relevant data.
Where CCTV cameras are placed, we will ensure that signs are displayed at the entrance of the surveillance zone to alert individuals that their image may be recorded. Such signs will contain details of the organisation operating the system, the purpose for using the surveillance system and who to contact for further information.
Live feeds from CCTV cameras will only be monitored where this is reasonably necessary, for example to protect health and safety.
We will ensure that live feeds from cameras and recorded images are only viewed by approved members of staff whose role requires them to have access to such data. Recorded images will only be viewed in designated, secure offices.
In order to ensure that the rights of individuals recorded by the CCTV system are protected, we will ensure that data gathered from CCTV cameras is stored in a way that maintains its integrity and security. This may include encrypting the data, where it is possible to do so.
Given the large amount of data generated by surveillance systems, we may store video footage using a cloud computing system. We will take all reasonable steps to ensure that any cloud service provider maintains the security of our information, in accordance with industry standards.
We have engaged APCO Limited (C 8724) as a data processor to process CCTV data on our behalf, as well as to service and maintain our CCTV cameras. We will ensure reasonable contractual safeguards are in place to protect the security and integrity of the data.
Data recorded by the CCTV system will be stored digitally. Data from CCTV cameras will not be retained indefinitely but will be permanently deleted once there is no reason to retain the recorded information. Generally, recorded images will be kept for no longer than seven (7) days. We will maintain a comprehensive log of when data is deleted.
At the end of their useful life, all images stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs will be disposed of as confidential waste. Any still photographs and hard copy prints will be disposed of as confidential waste.
Prior to introducing any new surveillance system, including placing a new CCTV camera in any workplace location, we will carefully consider if they are appropriate by carrying out a privacy impact assessment (PIA).
No surveillance cameras will be placed in areas where there is an expectation of privacy unless, in very exceptional circumstances, it is judged by us to be necessary to deal with very serious concerns.
We will ensure that ongoing use of existing CCTV cameras on our premises is reviewed periodically to ensure that their use remains necessary and appropriate, and that any surveillance system is continuing to address the needs that justified its introduction.
Data subjects may make a request for disclosure of their personal data and this may include CCTV images (data subject access request). A data subject access request is subject to the statutory conditions from time to time in place and should be made in writing.
In addition to the data subjects’ right of access to the footage, data subjects may also make a request for erasure, or object to the processing of their personal data.
In order for us to locate the relevant footage, any requests for copies of recorded CCTV images must include the date and time of the recording, the location where the footage was captured and, if necessary, information identifying the individual.
We reserve the right to obscure images of third parties when disclosing CCTV data as part of a subject access request, where we consider it necessary to do so.
If any member of staff has questions about this policy or any concerns about our use of CCTV, then they should speak to the Data Protection Officer ([email protected]) in the first instance. Data subjects also have the right to lodge a complaint with the IDPC, as the data protection supervisory authority in Malta, should they deem it necessary to do so.
Date of Last Revision: 17/10/2019