The Kilmurry Lodge Hotel CCTV Policy
Policy Statement
Closed Circuit Television (CCTV) operated by Kilmurray Lodge Hotel Ltd trading as Kilmurry Lodge Hotel on its premises are operated in accordance with the General Data Protection Regulation (GDPR) (Regulation EU 2016/679) and the Data Protection Act 2018.
Purpose Limitation
The purpose of this policy is to outline the safeguards in place regarding the operation of and access to CCTV systems and the resulting images. The primary purpose of this system is to reduce the threat of crime generally, protect Kilmurry Lodge Hotel premises and to help ensure the safety of all Kilmurry Lodge Hotel staff and customers with respect to the individuals privacy. Theses purposes will be achieved by monitoring the system to:
- Deter those having criminal intent.
- Assist in the prevention and detection of crime.
- Facilitate the identification, apprehension and prosecution of offenders in relation to crime and public order.
- Facilitate the identification of any activities/events which might warrant disciplinary proceedings being taken against staff and to assist in providing evidence to managers and/or to a member of staff who disciplinary or other action is, or is threatened to be taken.
- Facilitate the movement of vehicles on site.
- Provide management information relating to employee compliance with contracts of employment to security or operations staff.
- Investigate security incidents in order to secure evidence, should such incidents occur.
- To monitor or supervise staff or contractors at their daily work. This can and will be used as a tool for staff disciplinary action.
The system will not be used:
- To provide recorded image for the world-wide-web
- To record sound
- For any automated decision taking
- Any purposes other than those listed
Policy Scope
This policy applies to all staff involved in the operation of Kilmurry Lodge Hotel.
Legislation
Personal data collected through the CCTV system will be subject to the provisions of the General Data Protection Regulation (‘GDPR’). Personal Data as defined in the General Data Protection Regulations must be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This is subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Security Control Room
Images captured by the system will be monitored and recorded in the Control Room 24 hours a day throughout the entire year. Monitors are not visible from outside the control room. No unauthorised access to the Control Room is permitted at any time. Access will be strictly limited to duty managers, duty controllers, authorised members of senior management, an Garda Siochana and any other person of statutory powers of entry. For a list of the senior management members with authorised to access the Control Room see Appendix 2.
Customers, guests and staff may be granted access to the Control Room on a case-by-case basis and only then on written authorisation from the Operation Manager. In an emergency and where it is not reasonably practicable to secure prior authorisation, access may be granted to persons with a legitimate reason to enter the Control Room.
Before allowing access to the Control Room, staff must ensure clear and accurate identification of any visitor. Staff must ensure that visitor has appropriate authorisation. All visitors will be required to complete and sign the visitors’ log. This shall include details of their name, their department or organisation they represent, the person who granted authorisation and the times of entry to and exit from the center.
Roles & Responsibilities
The CCTV system of Kilmurry Lodge Hotel’s premises use Hik-Connect software and is maintained by our processors G.E. Services.
The operations manager has overall responsibility for overseeing the Control Room. Images of identifiable living individuals are subject to the provisions of the Data Protection Act 2018. The operations manager is responsible for ensuring day-to-day compliance with the Act. Details of the administrative procedures which apply to the Control Room will be set-out in the procedures manual. A copy of this is available for inspection by prior arrangement, stating the reasons for request. All recordings will be handled in strict accordance with this policy and the procedures set out in the procedure manual.
The controller Kilmurry Lodge Hotel has a written contract with GE Services which details the areas to be monitored, how long data is to be stored, what the security company may do with the data, what security standards should be in place and what verification procedures may apply.
Security companies that place and operate cameras on behalf of clients are considered to be ‘processors’. As processors, they operate under the instruction of ‘controllers’ (In this case the hotel is the data controller). The GDPR imposes obligations on these processors. These include having appropriate security measures in place to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. This obligation can be met by having appropriate access controls to image storage or having robust encryption where remote access to live recording is permitted. Staff of the security company must be made aware of their obligations relating to the security of data.
Staff
All staff working in the Kilmurry Lodge Hotel and who have access to the Control Room will be trained on handling CCTV images and recordings. The operations manager will ensure all staff are fully briefed and trained in respect of the functions, operational and administrative, arising from the use of CCTV. Training in the requirements of the GDPR and the Data Protection Act 2018will be given to all those required to work in the Control Room by the dedicated Privacy Lead.
Misuse/Mishandling of CCTV data or failure to comply with this policy will result in disciplinary action up to and including dismissal.
Recording
The CCTV system is a conventional static system. It records digital images and is equipped with motion detection. Any movement detected by the cameras in the area under surveillance, together with the time, date and location, is recorded. All cameras operate on a 24/7 basis. The image quality generally allows identification of those captured. The cameras are all fixed (there are no pan-tilt-and-zoom cameras), and cannot be used by operators to zoom in on or follow individuals around.
Kilmurry Lodge Hotel does not use high-tech or intelligent video-surveillance technology, does not use facial recognition software, does not interconnect our system with other systems, and does not use covert surveillance, sound recording, or talking CCTV. Images will be retained for 30 days from the date of recording, and then automatically over written and the log updated accordingly. This time period may be extended in accordance with law, e.g if the images are being used for an investigation. All hard drives and records storing said images shall remain the property of Kilmurry Lodge Hotel until disposal and destruction
Access to Images
Any access to images must be recorded in the Access Log as specified in the procedures manual. Access to images will be restricted purely to staff who require access in accordance with the purposes of the system. A list of such staff is given at Appendix 2.
Access to, and disclosure of images to third parties are strictly controlled and documented. This is to ensure that the rights of the individual are maintained, and that the chain of evidence remains intact should the images be required for evidential purposes. Access to these images will normally be through the following:
- Court Order for Discovery,
- Data Protection access request,
- Garda warrant, or a subpoena.
- In accordance with Art 6, 9 or 10 of the GDPR as set out in Appendix 2 below.
Images may be disclosed to those carrying out formal internal investigation or disciplinary procedure, where it can reasonably be expected that the disclosure of the images will help the investigation or disciplinary procedure. Appointment of staff designated to view any CCTV footage, throughout all departments, is subject to authorisation by senior management.
Retaining Information and Processing Images
Images must not be retained any longer than is considered necessary for the purposes for which they were processed. Therefore, unless the images are required for evidential purposes in legal proceedings, they will not be retained for a period exceeding 30 days. In order to protect the security of the CCTV system, a number of technical and organisational measures have been put in place.
Subject Access Requests (SARs)
Under the Data Protection Act 2018 and GDPR, an individual has the right to request access to any personal information held about them by a Controller. All requests should be made in writing to the Privacy Lead at privacy@kilmurrylodge.com
The following information should be logged where access is provided:
- Reason for disclosure.
- Details of the image disclosed i.e. the date, time and location of the image.
- List of individuals present when the images were disclosed.
- Whether any images were redacted to prevent identification of individuals other than the data subject.
Where an innocent third party is identifiable in a disclosed image, their image will be redacted to protect their own personal data rights. If it is not possible to redact the images internally, an external company may be contracted to facilitate this. This will be recorded. Correspondence may be sent to the requester seeking further details of their request if it appears to be overly broad.
If the data subject wishes to view the images on site, as opposed to a copy being sent, the viewing shall take place in a closed office with only the relevant individuals present.
Under EU law all Data Subjects have certain rights in relation to how we process their personal including personal data gathered via CCTV.. Data subjects maintain the right to:
- Access data relating to them (‘access right’).
- Rectify/correct data relating to them (‘right to rectification’).
- Object to processing of data relating to them (‘right to object’).
- Restrict the processing of data relating to them (‘right to restriction’).
- Erase/delete data relating to them (i.e. the “right to erasure”). and
- ‘Port’ certain data relating to them from one organisation to another (‘right to data portability’).
Data subjects may exercise any of the above rights by contacting our Privacy Lead at privacy@kilmurrylodge.com Complaints can be lodged with your local supervisory authority with respect to our processing of your personal data. The local Supervisory Authority in Ireland is the Data Protection Commission. The website is www.dataprotection.ie. We ask that you contact us prior to lodging such a complaint to allow us the opportunity to rectify your issue.
Signage
Legible “CCTV Recording in Use” signs must be displayed. These must be in a prominent place where they will be clearly seen by staff, people supported by Kilmurry Lodge Hotel, and the public.
The Signs should contain the following information:
- The Controller of the system.
- Contact details for queries on the CCTV, including queries for information on access rights.
- An image of the camera used.
Access Requests from An Garda Síochána
In line with Article 10 of the GDPR, An Garda Síochána are entitled to view personal information about individuals, under warrant, court order or other applicable legislation, or rule of law. Even without such documentation it may still be lawful processing if it is NECESSARY:
- For the administration of justice.
- To prevent injury or other damage to the health of a person.
- To prevent loss or damage to property.
Access requests must clearly set out the legal basis for such a request
Covert Surveillance
The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful. Covert surveillance is only permitted on a case by case basis, where the data is kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. Covert surveillance will only occur where there is sufficient evidence to deem it necessary.
Covert surveillance must be focused and of short duration. Only specific (and relevant) individuals/ locations should be recorded. If no evidence is obtained within a reasonable period, the surveillance should cease.
If the surveillance is intended to prevent crime, covert cameras may be considered to be a more appropriate measure, and less invasive of individual privacy. Permission from one of the Directors of Insert details must be obtained before considering covert surveillance.
If covert surveillance is operated by an outside company, consent must give by one of the Directors of Insert details to authorise that company to act on behalf of Insert details.
Compliance Monitoring
The contact point for members of the public wishing to enquire about the CCTV system will be the Privacy Lead. They can be contacted at:
Kilmurry Lodge Hotel
Dublin Road,
Castletroy,
Limerick
V94 WTC9
Upon request enquiries will be provided with a summary of this statement policy and, where requested or necessary, a subject access request form
All documented procedures will be kept under review and a report periodically made. The effectiveness of the system in meeting its purposes will be kept under the review of management and the proprietors. The policy will be reviewed and evaluated from time to time. Ongoing review and evaluation will have consideration for changing information or guidelines, changes in technology, legislation and feedback.
Appendix 1
The following have authorised access to the Control Room:
- Proprietors
- Operations Manager and Privacy Lead
- Duty Managers
- CCTV support & maintenance personal
- IT Support
Appendix 2
The following have authorised access to the recordings in order to achieve the purpose of the system:
- Proprietors
- Operations Manager or acting Data Protection Officer and Privacy Lead
- Duty Managers
- CCTV support & maintenance personal
- IT Support
- Staff in connection with disciplinary matters which directly concern them
- Customers or guests from the general public, should the Operation Manager or acting Data Protection Officer deem it appropriate to do so (subject to the person’s written request and consent)
Note that the above appendices may be expanded or condensed where necessary during reviews of this policy.