THE LEARNING COLLECTIVE GROUP LIMITED
1.1 Images recorded by CCTV are Personal Data and as such must be processed in accordance with data protection laws.
1.2 The Company is committed to complying with legal obligations in order to appropriately handle and protect Personal Data and ensure that the legal rights of neighbours and clients are recognised and respected.
1.3 This policy is intended to enable members of the public and clients to understand how the Company uses CCTV, who is responsible for CCTV use, the rights individuals may have in relation to CCTV, who has access to CCTV images and how individuals can raise any queries or concerns they may have.
1.4 The Learning Collective Group are registered with the Information Commissioner’s Office (ICO), registration number ZA530066.
1.5 For all data matters contact:
Full name of legal entity: The Learning Collective Group Ltd.
For the attention of: The Data Privacy Manager
Email address: email@example.com
Postal address: 16 Arley Road, Pandy, Wrexham, LL12 8PQ
For the purposes of this policy, the following terms have the following meanings:
CCTV means cameras, devices or systems including fixed CCTV and any other systems that capture information of identifiable individuals or information relating to identifiable individuals.
CCTV Data means any Data in respect of CCTV, e.g. video images, static pictures, etc.
Personal Data means any information which is stored electronically or in paper-based filing systems.
Data Subject means any individuals who can be identified directly or indirectly from CCTV Data (or other Data in our possession). Data Subjects include members of the public and clients.
Data Controller is the organisation or authority which determines how and for what purpose the Personal Data are processed. When operating CCTV, a Director of The Learning Collective Group Ltd is the relevant Data Controller and is responsible for ensuring compliance with the Data Protection Laws.
CCTV Users are those Company directors whose work involves processing CCTV Data. This will include those whose duties are to operate CCTV to record, monitor, store, retrieve and delete images. Data users must protect the CCTV Data they handle in accordance with this policy. The Data Controller for the Company is also the CCTV user.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Data Protection Laws means:
a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”) and any equivalent or implementing legislation;
b) all other applicable laws, regulations or court judgements relating to the processing of personal data, data privacy, electronic communications, marketing and/or data security; and
c) any and all legally binding guidelines, recommendations, best practice, opinions, directions, decisions, or codes issued, adopted or approved by the European Commission, the Article 29 Working Party, the European Data Protection Board, the UK’s Information Commissioner’s Office and/or any other supervisory authority or data protection authority from time to time in relation to the processing of personal data, data privacy, electronic communications, marketing and/or data security; in each case as from time to time in force and as from time to time amended, extended, consolidated, re-enacted, replaced, superseded or in any other way incorporated into law and all orders, regulations, statutes, instruments and/or other subordinate legislation (including the Data Protection Bill 2017 when in force) made under any of the above in any jurisdiction from time to time.
Processing means any activity which involves the use of CCTV Data, whether or not by automated means. It includes collecting, obtaining, recording or holding CCTV Data, or carrying out any operation or set of operations on the CCTV Data including organising, structuring, amending, retrieving, using, disclosing or erasing or destroying it. Processing also includes transferring CCTV Data to third parties.
The Company means The Learning Collective Group Limited, a private limited company (10233825) under the Companies Act 2006, registered in Cardiff.
Site means the Company’s premises at 16 Arley Road, Pandy, Wrexham, LL12 8PQ.
3. About this policy
3.1 The Company currently uses CCTV to view and record child safety and vehicular movements at our site 24 hours per day, 7 days per week. This policy sets out why the Company uses CCTV, how we will use CCTV and how we will process any CCTV Data recorded by CCTV to ensure that we are compliant with Data Protection Law.
3.2 The images of individuals recorded by CCTV are Personal Data and therefore subject to the Data Protection Laws. the Company is the Data Controller of all CCTV Data captured at our Site.
3.3 This policy covers all staff, clients and members of the public.
4. Staff responsible
4.1 Andrew Taylor-Edwards, co-Director of The Learning Collective, has overall responsibility for ensuring compliance with Data Protection Laws and the effective operation of this policy and for the day-to-day operational responsibility for CCTV and the storage of CCTV Data recorded. Should you have any queries on the use of CCTV or surveillance systems by the Company, please contact Andrew Taylor-Edwards.
5. Why the Company uses CCTV
5.1 The Company currently uses CCTV at the front of our Site as outlined below. The company believes that such use is necessary for the following legitimate business purposes:
(a) to monitor the safety of all students, aged 11-16, who visit the Site. Having CCTV at the front of the Site can help ensure that the children the Company tutors/counsels are safeguarded from danger. Having CCTV cameras installed can help to reassure parents that the Company is ensuring that their children will be kept safe as they arrive and leave the Site. CCTV can be used to make sure that children are acting safely and provide a useful tool for the Company to evaluate potential risks in front of the Site as children arrive and depart.
(b) to protect confidential information provided to the Company by the parents/carers of the students we work with and to improve security measures to protect the physical assets, including technology, of the Company.
(c) to support law enforcement bodies in the prevention, detection and prosecution of crime. For example, potential thieves can see security cameras around the outside the Site and they may be deterred from attempting a burglary. If a break in does take place, then any CCTV footage can be handed over to the police. This can mean that any culprits are apprehended more quickly and that any items that have been stolen are recovered.
(d) in line with Condition 4 of Wrexham County Borough Council’s planning permission particulars (Code number GWE P/2019/0307), The Company will use CCTV to monitor that “no use of the development shall be made before 17:00 or after 20:00 hours Monday to Friday, school term time only“ and that there is no “use on Saturday, Sunday, Bank Holiday and outside school term time.” This will help ensure that tuition/counselling “is not used at a time which would be likely to cause nuisance or disturbance to nearby residents.”
(e) in line with Condition 5 of Wrexham County Borough Council’s planning permission particulars (Code number GWE P/2019/0307), the Company will use CCTV to ensure “no more than two students shall be tutored at any one time” in order to “safeguard existing levels of residential amenities of neighbouring occupiers.”
(f) in line with Condition 6 of Wrexham County Borough Council’s planning permission particulars (Code number GWE P/2019/0307), the Company will monitor our client’s compliance with ‘[dropping] off and [picking] up from the adopted public highway on Arley Road’, in order to ensure ‘congestion and disturbance to nearby neighbouring dwellings served from the private drive” is reduced.
(g) in relation to (c), (d) and (e), CCTV will be used by the Company to consider whether contravention of Conditions 4, 5 and 6 has taken place and, where necessary, to form the basis of remedial action (e.g. cancellation of private contract between client and the Company).
5.2 The Company may implement or use CCTV for purposes other than those specified above which we will notify you of from time to time.
6.1 The locations of the CCTV are chosen to minimise the viewing of spaces/individuals which are not relevant to the legitimate purpose of the monitoring as specified above.
6.2 The homes and gardens of neighbouring properties will be ‘filtered out’ unless neighbours provide written consent to allow their properties to be ‘unfiltered’ for their own security reasons.
6.3 Currently, none of the company’s CCTV records sound.
6.4 Any staff using CCTV will be given training to ensure that they understand and observe the legal requirements relating to the processing of any Data gathered.
7. How the Company operates CCTV
7.1 The Company will ensure that signs are displayed to alert clients, members of the public, guests, suppliers and contractors that their image may be recorded. The signs will contain details about who to contact for further information.
7.2 Recorded images will only ever be viewed in a Director’s office.
8. How the Company uses the Data
8.1 In order to ensure that the rights of individuals recorded by the Company CCTV are protected, the Company will ensure that CCTV Data gathered from such systems is stored in a way that maintains its integrity and security. This may include encrypting the Data, where it is possible to do so.
8.2 The Company will ensure that any CCTV Data is only used for the purposes specified in section 5 above. The Company will not use CCTV Data for another purpose unless permitted by Data Protection Laws.
9. Retention and erasure of Data
9.1 Data recorded by the Company’s CCTV will be stored locally on servers at the Company’s Site.
9.2 The Company will not retain this Data indefinitely but will permanently delete it once there is no reason to retain the recorded information. Exactly how long the Data will be retained for will vary according to the purpose for which it was recorded.
9.3 At the end of its useful life and, in any event, within 7 years, all Data stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs or hard copy photographs will be promptly disposed of as confidential waste.
10. Ongoing review the Company’s use of CCTV
10.1 The Company will periodically review its ongoing use of existing CCTV at its Site to ensure that its use remains necessary and appropriate and in compliance with Data Protection Laws.
11. Risk Assessment
11.1 In addition to being registered and compliant with the Information Commissioner’s Office CCTV code of practice and GDPR regulations, we have also implemented the following actions to maximise the privacy of neighbouring properties and to safeguard the data we process:
the homes, gardens and private driveways of all residents have been filtered out and, as recorded on the approved installer’s certificate of installation, the filters cannot be reconfigured by our company due to password protections that only allow the installer to reconfigure.
the hard drive upon which recordings are stored is securely housed in a metal casing which is securely affixed to an internal wall, making theft of the equipment very difficult.
the ability to capture audio has been fully disabled.
the camera installed for business use will not be remotely available on any mobile device, e.g. phone, tablet or laptop.
the control system is password protected prohibiting system use by anyone other than the Data Controller.
12. Rights of Data Subjects
12.1 As CCTV Data may identify individuals, it will be considered Personal Data under applicable Data Protection Laws. Under Data Protection Laws, Data Subjects have certain rights in relation to the Personal Data concerning them. These are as follows:
(a) the right to access a copy of that Personal Data and the following information (this may include CCTV Data captured by our CCTV):
i. the purpose of the processing;
ii. the types of Personal Data concerned;
iii. to whom the Personal Data has or will be disclosed; and
iv. the envisaged period that the Personal Data will be stored, or if not possible, the criteria used to decide that period;
(b) the right to request any inaccurate Personal Data that the Company holds concerning them is rectified, this includes having incomplete Personal Data completed;
(c) the right to request Personal Data the Company holds concerning them is erased without undue delay, where it is no longer necessary for the Company to retain it in relation to the purposes it was collected;
(d) the right to request restriction of the Company’s processing of Personal Data in certain circumstances; and
(e) the right to lodge a complaint with the Information Commissioner’s Office, if the Data Subject considers that the Company’s processing of the Personal Data relating to him or her infringes Data Protection Laws.
12.2 In most cases, the Company will not charge a fee to comply with a subject access request. However, where the request is manifestly unfounded or excessive, the Company reserves the right to charge a “reasonable fee” for the administrative costs of complying with the request.
12.3 In line with the requirements of General Data Protection Regulation (GDPR), the Company will respond within one calendar month.
12.4 In order for a formal DSAR to be valid it must come from the individual themselves (or an authorised agent/parent/guardian) and needs to be accompanied by enough information to enable the Company to extract the personal data pertaining to the individual from its systems.
12.5 On receipt of DSAR, the Company will ask for information from the Data Subject to ensure they are who they say they are, to avoid the damage of inadvertently disclosing personal information to the wrong person. If the information the Data Subject has provided in their request is insufficient, the Company will ensure it has enough details to fulfil the request. For example, the Company may:
I. request proof of ID
II. request proof of relationship/authority (for example, if information is requested about a child or by an agent)
III. ask if the Data Subject is interested in specific information
IV. ask what relationship the Data Subject has with the Company
V. ask if the Data Subject wishes to see CCTV images of them (if relevant) and request a photograph, description of clothes worn, dates of visits, etc.
VI. ask the Data Subject for information to be provided in writing or whether they will accept it in an electronic from
12.6 If no personal data is held about the Data Subject, they will be informed of this.
12.7 If the information gathered contains personal data relating to other individuals, the Company, on a case by case basis, will consider whether/how to redact this or judge it to be reasonable to disclose. Such information can be disclosed with the consent of other parties. Where consent is not feasible, the Company will consider the privacy impact and/or how its duty of confidentiality to these other parties could be broken should it disclose this information. The Company will document any justification for disclosure of personal information relating to other parties.
12.8 The information the Company provides will be in an “intelligible form”. The Companywill avoid using jargon or terms that people outside the business might not understand and explain any codes. When supplying the information, The Companywill use a traceable delivery system and, if agreed with the Data Subject, send it via secure electronic means.
12.9 The Company will keep a record of all requests and responses.
13. Requests of Disclosure by Third Parties
13.1 No images from the Company’s CCTV cameras will be disclosed to any third party without express permission being given by a Director.
13.2 In other appropriate circumstances, the company may allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime.
14. How to make a complaint
14.1 To exercise all relevant rights, queries or complaints please in the first instance contact The Data Privacy Manager, 16 Arley Road, Pandy, Wrexham, LL12 8PQ or firstname.lastname@example.org
14.2 If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office:
Telephone: 0303 1231113
Postal Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.
Policy to be reviewed: 30 June 2020