CDIC / All On 4 –Malvern / Facelab-Malvern – CCTV Policy


 “The purpose of this policy is to regulate the use of Closed Circuit Television and its associated technology in the monitoring of both the internal and external environs of the premises under the remit of CDIC / ALL ON 4 MALVERN / FACELAB MALVERN

CCTV systems are installed (both internally and externally) in premises for the purpose of enhancing security of the building and its associated equipment as well as creating a mindfulness among the occupants, at any one time, that a surveillance security system is in operation within and/or in the external environment of the premises during both the daylight and night hours each day. CCTV surveillance at CDIC / ALL ON 4 MALVERN / FACELAB MALVERN is intended for the purposes of:

  • protecting the building and assets, both during and after business hours;
  • promoting the health and safety of those who enter the premises
  • preventing bullying;
  • reducing the incidence of crime and anti-social behaviour (including theft and vandalism);
  • assisting in identifying, apprehending and prosecuting offenders;

  1. SCOPE

This policy relates directly to the location and use of CCTV and the monitoring, recording and subsequent use of such recorded material.


CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN has a responsibility for the protection of its property, and equipment as well providing a sense of security to its employees, patients and others who enter its premises.  CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN owes a duty of care and utilises CCTV systems and their associated monitoring and recording equipment as an added mode of security and surveillance.

The use of the CCTV system will be conducted in a professional, ethical and legal manner and any diversion of the use of CCTV security technologies for other purposes is prohibited by this policy e.g. CCTV will not be used for monitoring employee performance.

Information obtained through the CCTV system may only be released when authorised by the Practice Principal. Any requests for CCTV recordings/images will be fully recorded and legal advice will be sought if any such request is made.  If a law enforcement authority is seeking a recording for a specific investigation any such request will need to be made in writing and the CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN will immediately seek legal advice.


CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN justifies the obtaining and use of personal data by means of a CCTV system in order to control the buildings for security purposes and this has been deemed to be justified. The system is intended to capture images of intruders or of individuals damaging property or removing goods without authorisation.

CCTV systems are not intended be used to monitor clinician – patient activities.


Cameras are placed to record external areas and are positioned in such a way as to prevent or minimise recording of passers-by or of another person’s private property.


CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN will not engage in covert surveillance.


CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN will provide a copy of this CCTV Policy on request to staff, patients and visitors to the practice. This policy describes the purpose and location of CCTV monitoring, a contact number for those wishing to discuss CCTV monitoring and guidelines for its use. Adequate signage will be placed at each location in which a CCTV camera(s) is sited to indicate that CCTV is in operation.  Adequate signage will also be prominently displayed at the entrance to CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN.

Appropriate locations for signage will include:

  • at entrances to premises i.e. external doors,
  • reception area



For a normal CCTV security system, it would be difficult to justify retention beyond a 2 month period (60 days), except where the images identify an issue – such as a break-in or theft and those particular images/recordings are retained specifically in the context of an investigation/prosecution of that issue.

Accordingly, the images captured by the CCTV system will be retained for a maximum of 60 days, except where the image identifies an issue and is retained specifically in the context of an investigation/prosecution of that issue.

The images/recordings will be stored in a secure environment with a log of access kept. Access will be restricted to authorised personnel. Supervising the access and maintenance of the CCTV System is the responsibility of the Practice Principal. The Principal may delegate the administration of the CCTV System to another staff member.  In certain circumstances, the recordings may also be viewed by other individuals in order to achieve the objectives set out above. When CCTV recordings are being viewed, access will be limited to authorised individuals on a need-to-know basis.


Tapes/DVDs storing the recorded footage and the monitoring equipment will be securely stored in a restricted area.  Unauthorised access to that area will not be permitted at any time.

Access to the CCTV system and stored images will be restricted to authorised personnel only i.e. Practice Principal

In relevant circumstances, CCTV footage may be accessed:

  • By a person required by law to make a report regarding the commission of a suspected crime; or
  • To assist the Practice Principal in establishing facts in cases of unacceptable staff behaviour,
  • To data subjects (or their legal representatives), pursuant to an access request where the time, date and location of the recordings is furnished to CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN or
  • To individuals (or their legal representatives) subject to a court order.
  1. To the CDIC / ALL ON 4-MALERN / FACELAB-MALVERN insurance company where the insurance company requires same in order to pursue a claim for damage done to the insured property.


The Practice Principal will:

  • Ensure that the use of CCTV systems is implemented in accordance with the policy set down by CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN
  • Oversee and co-ordinate the use of CCTV monitoring for safety and security purposes within CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN
  • Ensure that all existing CCTV monitoring systems will be evaluated for compliance with this policy
  • Ensure that the CCTV monitoring at CDIC / ALL ON 4-MALVERN / FACELAB-MALVERN is consistent with the highest standards and protections
  • Review camera locations and be responsible for the release of any information or recorded CCTV materials stored in compliance with this policy
  • Maintain a record of access (e.g. an access log) to or the release of tapes or any material recorded or stored in the system
  • Ensure that monitoring recorded tapes are not duplicated for release
  • Ensure that the perimeter of view from fixed location cameras conforms to this policy both internally and externally
  • Ensure that all areas being monitored are not in breach of an enhanced expectation of the privacy of individuals within the practice and be mindful that no such infringement is likely to take place
  • Advise that adequate signage at appropriate and prominent locations is displayed as detailed above
  • Ensure that external cameras are non-intrusive in terms of their positions and views of neighbouring residential housing and comply with the principle of “Reasonable Expectation of Privacy”
  • Ensure that monitoring tapes are stored in a secure place with access by authorised personnel only
  • Ensure that images recorded on tapes/DVDs/digital recordings are stored for a period not longer than 60 days and are then erased unless required as part of a criminal investigation or court proceedings (criminal or civil) or other bona fide use.
  • Ensure that when a zoom facility on a camera is being used, there is a second person present with the operator of the camera to guarantee that there is no unwarranted invasion of privacy
  • Ensure that camera control is solely to monitor suspicious behaviour, criminal damage etc. and not to monitor individual characteristics
  • Ensure that camera control is not infringing an individual’s reasonable expectation of privacy in public areas


The policy will be reviewed and evaluated from time to time. On-going review and evaluation will take cognisance of changing information or guidelines, legislation and feedback from staff and others.


Definitions of words/phrases used in relation to the protection of personal data and referred to in the text of the policy;

CCTV – Closed-circuit television is the use of video cameras to transmit a signal to a specific place on a limited set of monitors.  The images may then be recorded on video tape or DVD or other digital recording mechanism.

Data – information in a form that can be processed.  It includes automated or electronic data (any information on computer or information recorded with the intention of putting it on computer) and manual data (information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system).

Personal Data – Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Access Request – this is where a person makes a request to the organisation for the disclosure of their personal data.

Data Processing – performing any operation or set of operations on data, including:

  • Obtaining, recording or keeping the data,
  • Collecting, organising, storing, altering or adapting the data,
  • Retrieving, consulting or using the data,
  • Disclosing the data by transmitting, disseminating or otherwise making it available,
  • Aligning, combining, blocking, erasing or destroying the data.

Data Subject – an individual who is the subject of personal data.

Data Controller – a person who (either alone or with others) controls the contents and use of personal data.

Data Processor – a person who processes personal information on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of their employment, for example, this might mean an employee of an organisation to which the data controller out-sources work