Get In Touch
6 Altamont Crescent, Kingston 5
info@mystiquejamaica.com
Phone: (876)618-8320

CCTV Privacy Policy

Policy Statement

Mystique Integrated Services (hereinafter referred to as the “Company”) uses CCTV surveillance “CCTV” across its business areas. The Company adheres to the Data Protection Act and understands that the use of CCTV falls under its data protection obligations. We have developed this CCTV Policy to help ensure that where we are capturing individuals’ information, the Company complies with its relevant statutory obligations.

  1. Purpose

The purpose of this policy is to provide the Company’s intent, objectives and procedures in relation to the use of CCTV within its business operations and to ensure that individuals whose data is captured through the use of CCTV are aware of their rights and the reasons for processing.

 

2. Scope

This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action. 

 

3. CCTV Overview

The Company uses CCTV for the reasons and purposes described in this policy.

All cameras are in a visible location and area clearly signposted to ensure individuals are aware of their location. The CCTV operates on a continual, 24hr basis. The Company never installs or uses CCTV in areas where privacy is to be expected (i.e. toilets).

 

4. Objectives

  • To ensure that clear signs are used to notify individuals about the use of CCTV.
  • To have a detailed CCTV policy in place to ensure that the use of CCTV is valid and legal.
  • To protect data subjects whilst in a business area or building.
  • To document the reasons for using CCTV and the legal basis upon which the Company relies.

5.  Data Protection Impact Assessment

The Company has completed a Data Protection Impact Assessment (DPIA) to ensure that the use of CCTV is necessary and to assess the impact of such recordings on the individuals involved. The Company reviews the DPIA on CCTV use annually to ensure that the legal reasons for using CCTV are still valid and necessary.

When evaluating why the Company needs to use CCTV, we consider whether its use is proportionate and if there are any alternative, less invasive methods of obtaining similar data or end results.

 

6. Signage

The Company uses clear signage to inform individuals about the use and placement of CCTV within its business locations and/or services. Signs clearly mark the use of CCTV before an individual is recorded (i.e. on vehicular entry to the car park or at the main door when entering the building). 

Where it is not obvious who is responsible for the operation or use of the CCTV, the Company has ensured that the relevant contact details are displayed on the sign(s).

 

7. Privacy notice & Usage Reasons

The Company has separate privacy notices for individuals and employees, both of which detail the use of CCTV (where applicable). To ensure compliance with data protection laws, the privacy notices document the Company’s reasons for using CCTV, the legal basis we rely on for processing and how to request access to an individual’s personal data. 

The reasons for using CCTV as noted in the above-mentioned privacy notices are: –

  • For the personal safety of visitors, employees and any other individuals within the Company grounds and buildings
  • To prevent crime and protect buildings, business areas and vehicles from damage, disruption, vandalism and any other crime
  • To support law enforcement agencies in the prevention, detection and prosecution of crime
  • To monitor and enforce regulatory, contractual and/or legal compliance with rules and obligations
  • To assist in effective dispute resolution relating to disciplinary or grievance proceedings
  • To monitor and protect employees during the provision of their duties.

8.  Recording and Monitoring

  • Location of CCTV cameras: –
    • Car parks
    • Building entrances and exits
    • Access to secure rooms 
    • Reception areas and corridors
    • Meeting rooms
    • Hallways and other areas
    • CCTV is monitored and reviewed 24 hrs a day by the Chief Executive Officer
    • Footage is stored for a maximum of ninety (90) days and is automatically disposed of after the storage period expires.

9. Requests for Personal Data 

The Company has Data Subject Access Request procedures in place which are easily accessible to all individuals. The procedures document how, why and when an individual can request access to their personal data, which includes CCTV images and/or footage.

Data Subject Access Requests (DSAR) are passed to the Data Protection Officer as soon as received and a record of the request is noted. The type of personal data held about the individual is checked against our records to see what format it is held in, who else has it has been shared with and any specific timeframes for access.

DSARs are always completed within 30-days. You may view our DSAR procedures by clicking here.

 

10.  Security Measures

We ensure the maximum security of any CCTV footage to ensure that it is safe and secure at all times. We employ appropriate and adequate technical and organizational measures to secure CCTV data, including when it is recorded, stored, disclosed and transferred. 

Below is a summary of the measures used to secure CCTV footage and data. However, our main security measures and controls are documented in our Information Security Policies.

  • Firewalls are used on all networks and devices.
  • Antivirus and malware software is used on all networks and devices.
  • CCTV recording equipment is secured by restricted access measures.
  • Access to CCTV footage is password protected and subject to our Password Policy protocols.
  • Cameras are frequently reviewed to ensure they are only capturing the necessary and required footage.
  • CCTV footage is only retained for as long as it necessary and in accordance with our Data Retention Policy
  • CCTV footage is encrypted and secured before any disclosure or transfer. 
  • An Access Request form is complete for any legal or regulatory request to view CCTV footage. 

11.  Breach Management

We carry out information audits to ensure that all personal data held and processed by us is accounted for and recorded, alongside risk assessments to ascertain the scope and impact a data breach could have on a data subject(s). We have implemented adequate and appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Whilst every effort and measures are taken to reduce the risk of data breaches from our CCTV, the Company has dedicated controls and procedures in place for such situations, along with the notifications to be made to the Information Commissioner and data subjects (where applicable). 

Please refer to our Data Breach Policy & Procedures for specific protocols. You may view it here.

 

12.  Retention

To ensure compliance with data protection laws, CCTV footage or images are never retained for longer than is necessary. The data protection impact assessment details why the use of CCTV is necessary and the Company’s reasons for processing such data. With this legal basis in mind, we ensure that all CCTV images are only retained for up to ninety 90 days. 

CCTV footage is deleted when there is no legitimate reason for retaining it and in accordance with our Data Retention Policy and Schedule. 

All CCTV images and footage are retained in a safe and secure manner. Please refer to our Information Security Policies for further details on our security systems and measures.

 

13.Responsibilities

The Chief Executive Officer has overall responsibility for CCTV use, oversight and ensuring its compliance with any relevant legislation. The Operations team are responsible for reviewing and maintaining this policy and the CCTV data protection impact assessment as well as providing management information where applicable.

The appointed person is also responsible for the signage relating to any CCTV, what images or footage are captured, who it may be disclosed to and the provision of information in the privacy policy relating to the Company’s use of CCTV. The Chief Executive Officer has been allocated the responsibility of CCTV footage storage, security and destruction.

 

Last Update: December 2023

 

Code:

 

Version:

1

Date of version:

December 2024

Created by:

Kathryn Davis – Director of Operations

Approved by:

Valon Thorpe

Confidentiality level:

Public

 

 

 

Change history:

Date

Version

Created by

Description of change

dd.mm.yyyy

0.1