PRIVACY NOTICE: OFFENDERS and the GENERAL PUBLIC (CCTV)
This document describes the Hastings Business Crime Reduction Partnership Exclusion Scheme (the Scheme), and explains why the Scheme processes the personal data of specific individuals (Offenders), and the general public (CCTV) and what the lawful basis is for that processing. It describes the kind of information about Offenders and the General Public that the Scheme processes and what it does with that information.
1. Contact details
Hastings BCRP Rock House, Cambridge Road, Hastings TN34 1DT Email address:firstname.lastname@example.org
2. The Scheme’s Data Controller is responsible for ensuring its compliance with current Data Protection law and can be contacted at the above address or email address. The Scheme is registered with the Information Commissioners Office as a Business Crime Reduction Partnership.
Purpose of processing personal data
3. Members of the Scheme have the right to protect their property, staff and customers from crime and anti-social behaviour and to exclude from their premises any individuals who are proven threats to their property, staff or customers or disrupt the peaceful enjoyment that their customers expect from the goods and/or services that our Members offer. The Scheme processes Offenders’ personal data for the management of its Exclusion Scheme on behalf of its Members, to inform Members of an offender’s modus operandi, to collate intelligence on criminal activity within the area of the Scheme’s operation and to contribute to legal proceedings against Offenders where appropriate.
4. The Scheme’s area of operation, and its Exclusion Scheme, is within the boundaries of Hastings.
Types of processing
5. The Scheme undertakes the following types of processing of personal data of Offenders:
a. Data collection; see Sources of personal data below;
b. Data storage; storage of Offenders’ data and CCTV data in a facility independently certified as secure to a high standard;
c. Data retention; see Data Retention period below;
d. Data collation; associating individual Offenders with multiple incidents, and with other Offenders;
e. Data sharing; as defined in Recipients, or categories of recipients, of personal data below;
f. Data deletion; see Data Retention period below;
g. Data analysis; of de-personalised data for historical comparisons etc.
Lawful basis of processing
6. The Scheme’s Members’ ‘legitimate interests’ provides the lawful basis on which it may process specific items of personal data for specific purposes without consent.
7. The Scheme has assessed the impact of its processing on Offenders’ rights and freedoms, has balanced these with its Members’ own rights, and has concluded that its Members’ rights prevail over Offenders’ rights in this specific matter. Therefore, for the purposes of the management of its Exclusion Scheme on behalf of its Members, to inform Members of an offender’s modus operandi, to collate intelligence on criminal activity within the area of the Scheme’s operation and to contribute to legal proceedings against Offenders where appropriate, Members’ legitimate interests constitute the Scheme’s lawful basis for processing Offenders’ personal data without requiring consent. Legitimate reasons for processing CCTV-obtained personal data include the prevention and detection of crime and safeguarding business staff or the general public.
8. Categories and types of personal data processed
a. Offender’s name, date of birth, distinguishing marks and facial image and any relevant information about the nature of his/her activities; the purpose of this processing is to enable Members to identify Offenders in order to submit reports about them, to include them in a list or gallery of excluded persons (if appropriate and in line with the Scheme’s Rules & Protocols), and to provide information about them which may be necessary to protect the property and personal safety of Members and their staff, customers etc. This data may be shared among Members and other agencies that have a legitimate interest.
b. Offenders’ postal and email addresses, telephone number(s) and other contact details; the purpose of this processing is to enable the Scheme to communicate with Offenders from time to time, for example to send warning letters, confirmation of exclusions, rules of the exclusion scheme, or confirmation that exclusions have expired. Such data will not be shared with Members except for the purposes of civil recovery or any legal proceedings.
c. Information and evidence about incidents in which an Offender has been involved; the purpose of this processing is to enable the Scheme to authorise the issuing of Exclusion Notices, to inform Members of an offender’s modus operandi, to collate intelligence on criminal activity within the area of the Scheme’s operation and to defend its legal rights against any claim or suit by an Offender or other party. Such data may be shared with Members.
d. CCTV images of the general public in areas covered by the scheme’s cameras which will only be used for the purposes of either (i) matching with known Offenders (ii) reducing risk to individuals (e.g. looking for mising persons), or (c) monitoring oublic spaces and/or events to reduce the risk of public order offences. CCTV is used in general terms to:
- Detect, prevent or reduce the incidence of crime
- Prevent andrespond effectively to all forms of possible harassment and disorder.
- Reduce the fear of crime
- Create a safer environment
- Provide emergency services assistance
9. For the purposes of identification, some sensitive or ‘special category’ personal data e.g. ethnicity may be processed by the Scheme and for the safety and protection of our members, some medical conditions where the condition has symptoms that would render the Offender a danger to our Members. The dissemination of this information to our Members will not be widespread or general in nature but rather targeted to those most likely to be affected.
Sources and sharing of personal data
10. Offenders’ personal data may be collected or provided to or shared by the Scheme from or to:
a. Offenders who may voluntarily offer information about themselves;
b. Members who may submit reports about incidents in which Offenders have been involved. They may also send relevant ‘intelligence’ about Offenders, for example they may provide a name when asked to identify an unidentified image;
c. Police or other public agencies may provide Offenders’ personal data under a formal Information Sharing Agreement;
d. Social media platforms where such information is in the public realm by virtue of being displayed, without privacy controls, on a publicly accessible platform.
e. CCTV footage or still images obtained from cameras owned and monitored by the scheme. Images and information will be stored at the highest quality in line with industry standards to minimise the chances of mis-identification. Recorded images will only be used for the purposes defined in this Policy as per the ICO Codes of Practice (noting that the CCTV Commisioner code of practice does not apply to CICs) and ownership of the recorded material is with Hastings Area Business Crime Reduction Partnership CIC as the Data Controller – which will be made clear on all signage erected to alert peple to the presence of cameras. Recording equipment will be properly maintained and images will only be viewed when there is a legitimate business reason to do so and the showing of recorded material to other internal or external individuals will only be allowed in accordance with the law. Recorded images will be stored securely on eaither hard drives or cloud servers. Where there is a business reason to keep an image longer than the usual set retention period the image will be copied and stored securely, again in digital format. If contractors are employed to view CCTV footage they will be SIA trained and approved. The effectiveness and appropriateness of cameras and their locations will be reviewed regularly through the Hastings Joint Action Group and a Data Protection Impact Assessment will be carried out and published. To remove the risk of intrusion into private property privacy masks will be employed to restrict viewing to public spaces.
Recipients, or categories of recipients, of personal data
11. The following types of individuals may have access to the Scheme’s data, including the personal data of Offenders:
a. Members who are property owners, agents or their employees working within the operational area of the Scheme who share the same legitimate interests;
b. Employees and officers of public agencies involved in the prevention and detection of crime, such as police, whose lawful basis for processing your data is their public task;
c. Data Controllers of other organisations, similar to the Scheme, in neighbouring areas if there is evidence that an Offender has participated, or is likely to participate, in any threat or damage to property, staff and customers in areas outside the Scheme’s area of operation.
d. The genral media if, for the purposes of crime prevention or personal safeguarding, it is deemed by the police suitable to release CCTV images to the wider public to assist with the identification of suspects or the tracing of vulnerable individuals.
12. The Scheme will not transfer Offenders’ data outside the UK unless suitable GDPR compiant agreements exist with cloud server providers.
Data retention period
13. When an Offender is reported by a Member for participating in any threat or damage to any Member’s property, staff or customers, his/her name, date of birth and facial image together with any relevant information of offences or offending behaviour may be shared among Members for 12 months. If no further report is submitted during that period, the Offender’s data will be withdrawn from Members at the expiry of that period. It will be retained for a further 12 months in the Scheme’s database (which can only be accessed by the Data Controller and authorised personnel) after which time, if no further incidents are reported, it will be irrevocably deleted.
14. If during the 12 months when an Offender’s data is circulated among Members he/she is reported for another incident involving a threat or damage to any Member’s property, staff or customers, his/her name, date of birth and facial image will be circulated among Members for a further 12 months from the date of the second report. Additionally, the Offender may be excluded from all the properties of all or some Members for 12 months, and this fact will be shared with Members. If no further report is submitted by a Member during that period, the Offender’s data will be withdrawn from Members at the expiry of that period. It will be retained for a further 12 months in the Scheme’s database (which can only be accessed by the Data Controller and authorised personnel) after which, if no further incidents are reported, it will be irrevocably deleted.
NB in the case of people under 16 years of age the above rules will apply but a period of six months will be used.
NB CCTV Data will be automatically erased after 30 – 60 days (depending ypon local data storage capability).
Data subject’s rights
15. Every Data Subject has the right to obtain a copy of all the personal data which the Scheme holds about him/her; to do so theyr must contact the Data Controller (see contact details). Applicants may be required to provide proof of identity to make sure we aren’t giving details to someone else without permission. The Scheme will respond to the request within 30 days and provide full documentation in compliance with Data Protection law.
16. If, when a subject accesses his/her personal data, any of it is deemed to be incorrect, unnecessary or disproportionate, the Subject can require the Scheme to correct it. Offenders do not have the right to require the Scheme to delete correct, necessary or proportionate information.
17. Data subjects have the right to complain about the Scheme to the Information Commissioners Office; Offenders can submit a complaint on the ICO’s website at https://ico.org.uk/concerns/handling/
THE ICO and private CCTV
The Information Commissioner issues the following guidance on private CCTV covering public spaces
What must I do if I capture images of people outside my own property?
If you are capturing images beyond your property boundary, you should have a clear and justifiable reason for doing so. In particular, you will need to think why you need these images. If asked by an individual or the ICO, you will need to be able to explain your reasons, so you should write them down now. You should also write down why you think capturing the images is more important than invading the privacy of your neighbours and passers-by.Full guidance here https://ico.org.uk/your-data-matters/domestic-cctv-systems-guidance-for-people-using-cctv
To meet the requirements of the ICO we adopt the following standards
- We will always let people know we are using CCTV by putting up signs saying that recording is taking place.
- We will ensure we don’t capture more footage than we need to achieve our purpose in using the system – this means we will use privacy masks to obscure private property and non-evidential footage will be deleted within 30-60 days.
- The security of the footage we capture will be maintained by holding it securely and making sure nobody can watch it without good reason.
- We will ensure the CCTV system is only operated in ways we intend and can’t be misused for other reasons. Anyone we share data with will be conversant with the importance of not misusing it.
In order to respect the data protection rights of the people whose images we capture we will:
- Respond to subject access requests (SARs), if we receive any. Individuals have a right to access the personal data we hold about them, including identifiable images. They can ask us verbally or in writing. We must respond within one month and give them a copy of the data.
- Delete footage of people if they ask us to do so. We will do this within one month. We can refuse to delete it if we specifically need to keep it for a genuine legal dispute – in which case we will tell them this, and also tell them they can challenge this in court or complain to the ICO.