IntroductionCCTV cameras are in operation in Bayside Medical Centre for the protection of our patients and team members. The purpose of this policy is to regulate the use of Closed Circuit Television (CCTV) and its associated technology when monitoring both the internal and external environment of the Face Hub Facial Aesthetic Clinic premises. A copy of this CCTV Policy will be made available on the Face Hub Facial Aesthetic Clinic website, provided to all Face Hub Facial Aesthetic Clinic staff and a copy will be provided to visitors / patients on request.
ScopeThis policy applies to all personnel in and visitors to Face Hub Facial Aesthetic Clinic, Bayside Medical Centre, Sutton, Dublin 13. Moreover, it relates directly to the location and use of CCTV, and the monitoring, recording and subsequent use of such recorded material. This policy prohibits CCTV monitoring based on the characteristics and classifications contained in equality and other related legislation e.g. race, gender, sexual orientation, national origin, disability etc. Furthermore, CCTV monitoring is limited to uses that do not violate the reasonable expectation to privacy as defined by law. The CCTV cameras will be used to: Protect Face Hub Facial Aesthetic Clinic’s buildings and assets, both during and outside of operational hours (the system will be in operation 24 hours a day, every day); promote the health and safety of personnel and visitors; support the Gardaí in a bid to deter and detect crime; and assist identifying, apprehending and prosecuting offenders. The personal data recorded and stored by the CCTV system will be used only for the purposes outlined in this policy document. Collection, storage and use of CCTV footage shall be in compliance with Data Protection legislation. Data Controller The data controller in respect of images recorded and stored by the CCTV system at Face Hub Facial Aesthetic Clinic’s premises is Face Hub Facial Aesthetic Clinic. The data processor is Face Hub Facial Aesthetic Clinic. The Director or appropriate nominee(s) is responsible for monitoring the implementation and compliance of the CCTV policy within Face Hub Facial Aesthetic Clinic. Fair Obtaining The fair obtaining principles inherent in the Data Protection Acts 1988 and 2003 require that those people whose images may be captured on camera are so informed. Accordingly, Face Hub Facial Aesthetic Clinic’s Data Protection Officer will provide a copy of this CCTV Policy to staff and on request to visitors / patients to Face Hub Facial Aesthetic Clinic. Adequate signage will be placed at each location in which CCTV cameras are situated to indicate that CCTV is in operation (locations listed in following section). The name and contact details of the data controller as well as the specific purpose for which the CCTV camera is in place in each location can be provided upon request. Location of Cameras, The CCTV network for Face Hub Facial Aesthetic Clinic is located in the following areas: -All Dental Surgeries -Waiting Room -Decontamination Room -OPG X-ray Room and small adjoining corridor immediately outside of the OPG room There are 11 cameras in total with the objective of protecting the safety and wellbeing of the Face Hub Facial Aesthetic team and our patients.v Operation of the System, The recording system is a Digital system which records video data. The system can only be accessed by the Director of Face Hub Facial Aesthetic Clinic or an appropriate nominee(s). Data Protection, Storage and Retention The data captured from the CCTV cameras is securely stored as electronic data in a designated area within the dental clinic. Typically, this data is recorded on a loop and will be retained for a short period until it is over written on the Hard Drive. However, data may be retained for longer periods where in the opinion of Face Hub Facial Aesthetic Clinic the events captured may give rise to court proceedings. Unauthorised access to the CCTV data is not be permitted at any time. Access to the data is restricted to authorised personnel (see Section 6 for list). There is no access to the CCTV data other than with authorised personnel. The storage devices are password protected. Supervising the access and maintenance of the CCTV system is the responsibility of the Director or appropriate nominee(s). Unauthorised access will be viewed as a data breach. In such an event, Face Hub Facial Aesthetic Clinic’s Data Breach Management Policy and Procedure must be followed. Access Requests Access to the CCTV system will be restricted to authorised personnel only (as indicated in Section 6). In relevant circumstances, CCTV footage may be accessed: By An Garda Síochána where Face Hub Facial Aesthetic Clinic are required by law. Access requests can be made to: Dr Laura Fee (Director) Face Hub Facial Aesthetic Clinic Bayside Medical Centre, Bayside Shopping Centre, Sutton, Dublin 13 firstname.lastname@example.org
Providing CCTV Images to An Garda Síochána With regard to requests from An Garda Síochána to download footage, the footage will only be released to An Garda Siochana and if requested by a Judge in a Court of Irish Law, the Data Protection Commissioner recommends that requests for copies of CCTV footage should only be granted when a formal written request is provided to Face Hub Facial Aesthetic Clinic stating that An Garda Síochána is investigating a criminal matter. For practical purposes, and to expedite a request speedily in urgent situations, a verbal request may be sufficient to allow for the release of the footage sought. However, any such verbal request must be followed up with a formal written request. It is up to Face Hub Facial Aesthetic Clinic to be satisfied that there is a genuine investigation underway. For practical purposes, a phone call to the requesting Garda’s station may be sufficient, provided that you speak to a member in the District Office, the station sergeant or a higher ranking officer, as all may be assumed to be acting with the authority of a District/Divisional officer in confirming that an investigation is authorised. A log of all An Garda Síochána requests will be maintained by Face Hub Facial Aesthetic Clinic. Any such requests should be on An Garda Síochána headed paper, quote the details of the CCTV footage required and should also cite the legal basis for the request (i.e. Section 8(b) of the Acts). Prior to Face Hub Facial Aesthetic Clinic issuing any CCTV images to An Garda Síochána, it will be discussed and agreed with the responsible Face Hub Facial Aesthetic Clinic staff member. There is a distinction between a request by An Garda Síochána to view CCTV footage and to download copies of CCTV footage. In general, An Garda Síochána making a request to simply view footage on the premises of a data controller or processor would not raise any specific concerns from a data protection perspective. Review and Approval of the CCTV Policy This policy will be reviewed and updated regularly to take into account changing Data Protection legislation or guidelines from the Data Protection Commissioner, An Garda Síochána, and relevant bodies. Revision Date Description Approved by A copy made available at reception for visitors. Appendix: Glossary of Terms CCTV – Closed-circuit television is the use of video cameras to transmit a signal to a specific place on a limited set of monitors. The images may then be recorded on video tape or DVD or other digital recording mechanism. The Data Protection Acts – The Data Protection Acts 1988 and 2003 and any future amendments that confer rights on individuals as well as responsibilities on those persons handling, processing, managing and controlling personal data. All staff must comply with the provisions of the Data Protection Acts when collecting and storing personal information. This applies to personal information relating both to employees of the organisation and individuals who interact with the organisation. Data – information in a form that can be processed. It includes automated or electronic data (any information on computer or information recorded with the intention of putting it on computer) and manual data (information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system). Personal Data – Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. Access Request – this is where a person makes a request to the organisation for the disclosure of their personal data under Section 3 and/or section 4 of the Data Protection Acts. Data Processing – performing any operation or set of operations on data, including: -Obtaining, recording or keeping the data, -Collecting, organising, storing, altering or adapting the data, -Retrieving, consulting or using the data, -Disclosing the data by transmitting, disseminating or otherwise making it available, -Aligning, combining, blocking, erasing or destroying the data. Data Subject – an individual who is the subject of personal data. Data Controller – a person who (either alone or with appropriate nominee(s) controls the contents and use of personal data. Data Processor – a person who processes personal information on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of their employment, for example, this might mean an employee of an organisation to which the data controller out-sources work. The Data Protection Acts place responsibilities on such entities in relation to their processing of the data.