Please see the Code of Practice 4 - CCTV

1.0 INTRODUCTION AND ACCOUNTABILITY
1.1 Following the Government’s commitment to further regulate Closed Circuit Television (CCTV), the Protection of Freedoms Act 2012 (PFA) provided for the development of a Code of Practice relating to CCTV, Automatic Number Plate Recognition (ANPR) and other surveillance camera systems, and the appointment of a Surveillance Camera Commissioner.
1.2 The ‘Surveillance Code of Practice’ pursuant to the Protection of Freedoms Act 2012 was published in August 2013. It will help ensure that a system operator makes transparent decisions about the legitimacy and proportionality of surveillance.
1.3 This Code of Practice covers the College’s CCTV and ANPR systems and is intended to reflect the spirit and guidance issued by the Information Commissioner’s Office, as documented in the ‘Protection of Freedoms Act 2012’.
1.4 Closed Circuit Television (CCTV)
1.4.1 Imperial College London (‘The College’) is the owner of public closed circuit television (CCTV) systems currently installed on its campuses and in/on College property off campus. The Head of the Security Department at the College retains overall responsibility for the system and delegates the day to day management to the Deputy Head of Security.
1.4.2 All images produced by the system remain the property of the College.
1.4.3 The vast majority of our cameras are overt, with the images recorded centrally, and are all viewable centrally by trained Security staff. In addition, a limited number of management staff have the facility to monitor cameras sited within their own areas of responsibility. The cameras cover roadways, car parks, buildings, vulnerable public facing offices and some licensed premises. See also ‘Covert filming or monitoring’ section, below.
1.4.4 The primary Security Control room is situated on the ground floor of the Sherfield Building, South Kensington Campus, London, SW7 2BX, and is staffed 24 hours a day, 365 days per year by trained, uniformed Security Officers; there is also an alternate control room on the South Kensington site and one at Silwood Park campus Buckhurst Road, Ascot, Berks, SL5 7PY.
1.4.5 The primary and Silwood park Control Rooms also have Home Office licensed radio systems installed, linking the Control Rooms with trained Security Officers who provide mobile and foot patrols of the campuses and are able to respond to incidents identified on the CCTV monitors.
1.4.6 Unlawful access to the data and images is prevented by swipe control and key access to secure areas, 24 hour manning, and controlled IT system login.
1.5 Automatic Number Plate Recognition System
1.5.1 Parking at the College’s South Kensington and Silwood Park Campuses is operated and controlled using an Automatic Number 
Plate Recognition system (ANPR). The Director of Estate Facilities at Imperial College London retains overall responsibility for the system,  and has delegated the day to day management of the system to the Security Team.
1.5.2 Cameras are located at the entrances and exits to campuses, where  images of vehicle number plates are captured and remain the property of the College.
1.5.3 The ANPR system provider for South Kensington is Sagoss, through which their server hosts both the cameras and the payment kiosks 
linked to the system. At Silwood the ANPR system is provided by PIPS Technology. The College reserves the right to vary its systems 
providers whilst ensuring the principles within this code are met.
1.5.4 All images for South Kensington are viewable centrally by approved and trained members of its Security Services Team located on the 
Ground Floor of the Sherfield Building and staffed Monday – Friday from 7am – 4pm. Those at Silwood are viewed locally by approved and trained Security staff.
2. OBJECTIVES
2.1 Objectives of the CCTV Schemes:
2.1.1 To assist in providing a safe and secure environment for the benefit of those who might visit, work or live within the College’s campuses. Subject to this Code of Practice the schemes will not be used to invade the privacy of any individual residence, business or other private premises, buildings or land, and are for the purposes of parking control and enforcement and the good and safe management of its car parks, furthering compliance with the College’s Parking Regulations.
2.2 The CCTV systems will only be used for the following purposes and within this Code of Practice.
2.2.1 To reduce the fear of crime and to reassure students, staff and visitors.
2.2.2 To deter and detect crime, public disorder and anti-social behaviour.
2.2.3 To identify, apprehend and prosecute offenders in relation to crime, public disorder and anti-social behaviour.
2.2.4 To provide the College with evidence upon which to take criminal and civil action. - Staff and student discipline: The College will only use the images in a staff disciplinary case when there is suspicion of misconduct and not to generally monitor staff activity; likewise the images will only be used as evidence in serious student disciplinary cases being heard by the College Discipline Committee and the Head of Security Services or other higher authority.
2.2.5 To monitor and assist with parking and traffic management issues.
2.2.6 To assist in the monitoring and deployment of staff during emergency situations.
2.2.7 Upon formal request, to assist Police and other law enforcement agencies with the pursuit of their objectives.
2.3 Covert Filming or Monitoring
2.3.1 Covert filming or monitoring may be used as part of a specific timelimited investigation where informing subjects of, or signposting the activity would have a prejudicial effect on that investigation. The decision to use covert monitoring as a proactive investigation tactic may only be taken after consultation with the Head of Imperial College Security or Security Operations Manager in his/her absence and with 
written authorisation from the College Secretariat. Covert monitoring shall only be used for the prevention and detection of criminal activity or equivalent malpractice.
2.4 Objectives of the ANPR Schemes:
2.4.1 Automatic Number Plate Recognition is used by the College for the 
purposes of parking control and enforcement and the good and safe 
management of its car parks, furthering compliance with the College’s 
Parking Regulations. On occasion, College Managers, in the course 
of investigating incidents or accidents, or undertaking Staff or Student 
disciplinary proceedings may need controlled access to ANPR data.
2.4.2 The ANPR systems will only be used for the following purposes and within this Code of Practice.
• To ensure that arrangements for the limited car parking spaces available across our London campuses are more consistent. 
• To assist with reducing congestion in and around the campus.
• To prevent unauthorised use of the car parks.
• To assist with investigations in conjunction with The Security Department.
• To assist with the provision of a smoother, more efficient parking experience for members of the public.
3. DATA PROTECTION
3.1 The College is committed to complying with applicable data protection legislation including the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. For full details explaining what this entails please see the Data Protection Policy.
4. CCTV/ANPR GUIDING PRINCIPLES
The College has adopted the following 12 guiding principles of the Code:
4.1 Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
4.2 The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
4.3 There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
4.4 There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
4.5 Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
4.6 No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
4.7 Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
4.8 Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
4.9 Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
4.10 There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
4.11 When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
4.12 Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
The College recognises the importance of strict guidelines in relation to access to and disclosure of recorded images and all members of staff should be aware of the restrictions relating to this set out in this Code and the rights of individuals under the GDPR and the Surveillance Camera Code of Practice (SCCoP).
5. ADMINISTRATION
5.1 CCTV
5.1.1 It is the responsibility of the Head of the Security Department (or Deputy in his/her absence) to:
• Select camera sites and initial areas to be viewed.
• Be responsible for compliance with the GDPR and SCCoP.
• Take responsibility for control of the images and make decisions on how these can be used.
• Ensure the system is secure and only viewed by authorised personnel.
• Ensure that the procedures of this Code of Practice comply with the current data protection law and SCCoP.
• Introduce a CCTV incident log and record of Police or other Statutory Authority requests for images.
• Bi-annual checks by the Head of the Security Department or Deputy Head of Security to establish that nominated area managers still require viewing rights of the system in line with the above objectives
• Ensure adequate signage is erected.
• Regularly evaluate the system and its usage to ensure it continues to comply with the latest legislation, CCTV Codes of Practice.
5.1.2 It is the responsibility of the Head of the Security Department to:
• Clearly communicate the specific purposes of the recording of and use of images and objectives to all Security staff.
• Ensure that a CCTV incident log and record of Police or other Statutory Authority requests for images is maintained.
• Carry out audit checks at 6 monthly intervals (at a minimum) to check that procedures are being correctly followed. Records of audits to be kept.
5.1.3 It is the responsibility of the individual operating officers to:
• Select appropriate images to be recorded on controllable cameras (Pan-TiltZoom (PTZ)) so as to comply with the objectives outlined above.
• Ensure that targeting of individuals with the cameras is only conducted when there is reasonable suspicion that the person falls within one of the objectives set above e.g. committing a criminal offence or engaging in anti-social behaviour.
• Not to view into private property and be mindful of privacy within College owned accommodation.
• Complete the Imperial College Crime Report and obtain the data release form as appropriate.
5.2 ANPR
5.2.1 It is the responsibility of the Head of Security or deputy in his/her absence to:
• Ensure that all ANPR equipment is working correctly.
• Be responsible for compliance with the GDPR and SCCoP.
• Take responsibility for control of the images and make decisions on how these can be used.
• Ensure the system is secure, and only viewed by authorised personnel.
• Ensure that the procedures of this Code of Practice comply with the GDPR and SCCoP. 
• Introduce an ANPR incident log and record of Police or other Statutory Authority requests for images.
• Bi-annual checks by the System Manager to establish that authorised operators require viewing rights of the system in line with the above 
objectives
• Regularly evaluate the system to ensure it continues to comply with the latest legislation.
5.2.2 It is the responsibility of the Head of Security or deputy to:
• Clearly communicate the specific purposes of the recording of and use of images and objectives to all authorised operators
• Ensure that an ANPR incident log and record of Police or other Statutory Authority requests for images is maintained
• Carry out annual audits to check that procedures are being complied with
• Ensure that the audit team include ANPR practices and procedures on their regular audits of the Estates Facilities Department
6. STORING AND VIEWING IMAGES
6.1 All images recorded on the College’s CCTV cameras are digitally stored on computer/server hard drives, and although the images can be searched, it is not possible to tamper or alter them. The ANPR images are stored on the system and can be searched but not altered.
6.2 In the event of the Police requiring CCTV images they can be ‘burnt’ onto a CD/DVD for evidence in court, on receipt of the appropriate Data Protection form. ANPR images can also be printed, also upon the receipt of appropriate Data Protection forms.
6.3 The CCTV images over record after 30 days, however any relevant images can be locked on the hard drive for future reference. ANPR images are kept for 6 months and then purged from the system unless required for operational needs. All retained images are subject to the controls outlined in these procedures.
6.4 Viewing of live images on monitors is restricted to Security/ANPR operators and other authorised personnel and can only be accessed using passwords.
6.5 Images are viewed in confidence in secure private offices.
6.6 Requests to view images or image disclosure of third parties should be made in writing to the Head of the Security Department.
7. DISCLOSURE OF IMAGES TO THIRD PARTIES
7.1 The following guidelines will be adhered to in relation to disclosure of images:
7.1.1 Will be in line with the objectives (see Section 4 above)
7.1.2 Will be controlled under the supervision of the Head of the Security Department or his/her Security Managers
7.1.3 A log book/sheet will be maintained itemising the date, time(s), camera, person copying, person receiving and reason for disclosure
7.1.4 The appropriate disclosure documentation from the Police will be attached to the log entry
7.1.5 Images must not be forwarded to the media or be placed on the internet or otherwise distributed without specific and written prior approval of the College Central Secretariat acting in compliance with the law and these procedures. Failure to comply will result in disciplinary action being taken. Images will only be released to the media for legitimate purposes (e.g. identification of data subjects) and in liaison with the Police or other law enforcement agency.
7.2 Any other requests for images should be routed via the Head of the Security Department, as disclosure of these may be unfair or unlawful to the individuals concerned. In some limited circumstances it may be appropriate to release images to a third party, where their needs outweigh those of individuals whose images are recorded.
7.3 The College has discretion to refuse any third party request for information unless there is an overriding legal obligation such as a court order or information access rights. Once an image has been disclosed to another body such as the Police, then they become the data controller for their copy of that image. It is their responsibility to comply with the GDPR in relation to any further disclosures.
8. SIGNAGE
8.1 Signage has been erected at the main entrances to the College campuses and at other locations where CCTV is in use, stating that CCTV and ANPR systems are in operation.
8.2 It is the responsibility of the Head of the Security Department to ensure that adequate signage is erected to comply with the Information Commissioner’s Code of Practice.
9. DISCLOSURE OF IMAGES TO THE DATA SUBJECT (SUBJECT ACCESS REQUESTS)
9.1 Individuals whose images are recorded have a right to view the images of themselves, or their vehicles and, unless they agree otherwise, to be provided with a copy of the images. All such requests are handled by the College’s Data Protection Officer in liaison with the Head of the Security Department (for CCTV) or the Estate Facilities Campus Coordinator (for ANPR).
9.1.1 Individuals whose images are recorded have a right to view the images of themselves, or their vehicles and, unless they agree otherwise, to be provided with a copy of the images. All such requests are handled by the College’s Data Protection Officer in liaison with the Head of the Security Department (for CCTV) or the Estate Facilities Campus Coordinator (for ANPR).
9.1.2 A log of such requests will be maintained.
9.1.3 If images of third parties are also shown within the requested images of the person who has made the access request, consideration must be given as to whether there is a need to obscure the images of the third parties.
9.2 Access to / Disclosure of CCTV/ANPR Images
9.2.1 The College respects the right of individuals to check the accuracy of any personal data that is being kept about them, either on computer or in a relevant filing system.
9.2.2 Exceptions to the above paragraph are:
• where disclosure would simultaneously disclose data about another person (unless that person consents to the disclosure);
9.3 Any Data Subject wishing to gain access to personal data held about them may do so by the submission of a request in writing to the Data Protection Officer (until 25 May 2018, together with the payment of a fee), on each occasion that access is requested. The College aims to comply with requests for access to personal data as quickly as possible, but will ensure that it is provided within 40 calendar days of receipt of the application form until 25 May 2018 and within one month thereafter. Where the College receives large 
numbers of requests, or especially complex requests, the time limit may be extended by a maximum of two further months.
9.4 A copy of the standard request form for "Access to Personal Information" is available on the College website: http://www.imperial.ac.uk/adminservices/legal-services-office/data-protection/subject-access-requests/
9.5 To make a subject access request to see personal data held by the College an ‘Application Form for Subject Access’ available on the link above will assist the process.
9.6 If after consulting the above web page there are still queries, please contact the College’s Data Protection Officer. Contact details of the College’s Data Protection Officer are available on the Legal Services Office webpages.
10. FREEDOM OF INFORMATION
10.1 As a public body the College may receive requests under the Freedom of Information Act 2000 (FOIA). All such requests are dealt with centrally by the College Secretariat and Communications office.
10.2 Section 40 of the FOIA contains a two-part exemption relating to information about individuals. If we receive a request for CCTV footage, we will consider:
10.2.1 Are the images those of the requester? If so then that information is exempt from the FOIA/FOISA. The request will be treated as a data protection subject access request as explained above.
10.2.2 Are the images of other people? These can be disclosed only if disclosing the information in question does not breach the data protection principles.
11. USE OF THE SYSTEMS
11.1 All Security staff and other authorised personnel must read this Code of Practice prior to being instructed on the operation of the system.
11.2 All personnel authorised to use these systems are required to have read and comply with the College’s Data Protection Policy which is issued to all operators of College CCTV.
11.3 The CCTV system can be used to observe the campuses and areas under surveillance and identify incidents that require a response; the appropriate response will be determined by Security Services staff.
11.4 The ANPR system must only be used to identify vehicle number plates and time of access and egress. Note: ‘Number Plate’ means the display plate of the Vehicle Registration Number (VRN) OR vehicle licence number (foreign registered vehicles).
11.5 CCTV surveillance should be in accordance with the stipulated objectives.
11.6 Whenever a response is required a log should be commenced on an Imperial College Crime Report.
11.7 Viewing monitors are password protected and viewed only by authorised personnel.
11.8 Deliberate failure to comply with these procedures may result in disciplinary proceedings being taken.