The safety of our students, staff and visitors and the protection of University property are of the utmost importance. Around the clock, our team monitors a network of over 700 CCTV cameras, on and off campus.
Our technical support team manage the installation of new CCTV and Access Control equipment and can provide consultation, advice and costings to departments. You can contact them using this form.
1. Introduction
a. The University of Bath (the “University”) is the owner of a public closed circuit television system (CCTV) currently installed on the Campus and in/on University buildings off Campus; in addition the system incorporates an Automatic Number Plate Recognition system (ANPR), body worn, dashboard and covert cameras.
b. For the purpose of this Code of Practice these systems together will be collectively known as the CCTV systems.
c. Cameras are located in various areas around the campus and off campus including:
i. Car parks
ii. Academic buildings
iii. Service buildings
iv. Bars
v. Students’ Union
vi. Accommodation
vii. Shops
viii. Security vehicles
d. There are several types of camera:
i. Overt fixed – these record uncontrolled images e.g. reception desk, doors etc.
ii. Overt Pan, Tilt, Zoom (PTZ) – these are controllable cameras that can follow vehicles or subjects when required.
iii. Body worn – used by Security staff when on patrols and dealing with drunkenness, violence and anti-social behaviour.
iv. Dashboard – used by Security staff when transporting students and dealing with drunkenness, violence and anti-social behaviour.
v. Covert – temporary fitted cameras used in areas not covered by CCTV but the scene of persistent criminality.
vi. Overt PTZHD – these are controllable cameras that can follow vehicles or subjects when required and are placed in incident ‘hotspots’.
vii. ANPR – these record vehicle number plates together with a date and time stamp.
e. The cameras cover roadways, car parks, buildings, the interior of security vehicles, vulnerable public facing offices, academic buildings and licensed premises.
f. Images are recorded locally within departments or centrally on servers in Digital, Data and Technology Group (DD&T) communications rooms, images for the body worn cameras are temporarily stored on system controllers located in the Control Room in Wessex House; they are all viewable centrally by Security staff. In addition, a limited number of authorised users* have the facility to monitor cameras sited within their own areas of responsibility to monitor legal compliance (bars managers), safety (laboratory superintendents) and misuse of equipment (Campus Infrastructure and Digital, Data and Technology Group managers).
2. Other Image Capture Systems
a. The University also uses other image and audio recording systems that fall outside of our main Security CCTV system and are not covered by this Code but will have their own Codes to meet data protection requirements (this will be reviewed by the University’s Data Protection Officer). These include:
i. Recording systems used for research purposes, such as those in place in our Psychology Department, Department of Computer Science and in the School of Management. These systems are used as and when required to record research participants and/or University staff or students partaking or involved with research being undertaken. All such research is subject to prior Ethical Approval having been obtained and all individuals who are recorded will usually have provided their explicit prior consent to the recordings being made. All recordings made are held securely in accordance with the Data Protection Act and are retained and subsequently destroyed in accordance with the University’s Data Retention Policy.
ii. Recording systems used for the purposes of teaching and learning, such as those used to record lectures (which are all made in accordance with the University’s Lecture Capture Policy) or those used to make training videos for teaching purposes.
iii. The recording system used inside the SafePod in the Library, which is only used to record inside the SafePod, and which is operated by the SafePod Network.
iv. The recording system in use by the Department of Sports Development and Recreation for the recording and broadcasting of training and competition for the purposes of being a coaching aid, fulfilling National Governing Body requirements and for the live streaming of matches. The cameras in use by the Department of Sports Development and Recreation have their own Code of Practice which is available on request.
v. The recording system in use by the Students’ Union for events they organise. The cameras in use by the Students’ Union have their own Code of Practice which is available on request.
vi. The recordings made by the Scotia Medical Observation and Training System (SMOTS) which is used solely within the University’s Pharmacy Practice Suite for purposes pertaining to learning, teaching, feedback and assessment of Pharmacy students and which is governed by its own Code of Practice (Code of Practice for Visual and Digital Recording and Guidance for use of the Scotia Medical Observation and Training System (SMOTS)), which is available from the Department of Pharmacy and Pharmacology.
3. Objectives for the use of CCTV systems
a. The objectives for the use of the various CCTV systems are to:
i. Assist in providing a safe and secure environment for the benefit of those who might visit, work or live on the campus.
ii. Reduce crime and the fear of crime by reassuring students, staff and visitors.
iii. Deter and detect crime, public disorder and anti-social behaviour.
iv. Identify, apprehend and prosecute offenders in relation to crime, public disorder and anti-social behaviour.
v. Provide the Police, Health and Safety Executive and University with evidence upon which to take criminal, civil and disciplinary action respectively.
vi. Monitor crowd movements during University events.
vii. Monitor and assist with traffic management.
viii. Assist in the monitoring and deployment of Security staff during normal duties and emergency situations.
ix. Protect Security Officers from undue threats and violence.
x. Obtain evidence for use in the investigation of criminal activity, breaches of health and safety legislation, breaches of student and staff disciplinary procedures and other University Regulations (subject to conditions, see section 4).
4. Procedural and administrative notes
The Head of Security Services of the University retains responsibility for the system and delegates the day to day management to the Security Manager and Security Technical Support Officers. It is their responsibility to ensure that CCTV within the University is managed in line with this Code of Practice, the current CCTV guidance produced by the Information Commissioner’s Office and the current Surveillance Camera Code of Practice issued by the Home Office.
a. All images produced by the system remain the property and copyright of the University.
b. The University will only investigate images for use in a formal staff disciplinary investigation/case when:
i. There is, in the opinion of the selected investigating manager, a reasonable suspicion of gross misconduct or
ii. In an investigation of misconduct where there is a difference in the accounts of the staff member against whom allegations had been raised and an individual witness, and the CCTV evidence could verify which is most accurate.
In these situations the selected investigating manager or HR Business Partner/Advisor must first formally request access to images from the University’s Data Protection Officer, where these may prove or disprove suspected potential gross misconduct/misconduct. Where access is given, the confidentiality of these images and who is able to access them will be closely controlled.
The above will be carried out in line with the current University Disciplinary Policy Procedure.
CCTV evidence must not be used to generally monitor staff activity.
c. Likewise the images will only be sought as evidence in appropriate student discipline cases being heard by the Student Discipline Team or other higher authority. This will be carried out in line with the current University Student Disciplinary Policy and Procedure.
d. Covert cameras will be used on rare occasions when a series of criminal acts have taken place e.g. thefts in the same area not fitted with CCTV. Authority of University Senior Management will always be sought before installing any covert cameras, they will be installed for limited periods of time when investigating a specific incident. It should be noted that provided that written authority has been sought and given prior to usage in line with this procedure, then recording will not constitute misconduct as set out in the last bullet point of section 8 (What is Gross Misconduct) of the Disciplinary Policy & Procedure – covert recording of staff, meetings etc. – without express consent.
e. The objectives outlines in section 3 of this Code will be closely followed when assessing the requirements for new CCTV installations. Similarly, if designated usage of the area changes it will be necessary to assess whether the location of cameras remains justified in meeting the stated purpose of whether there is a case for removal or relocation.
5. Security control room
a. The Security Control Room is situated on level 1 of Wessex House and is capable of receiving images from throughout the campus. It is staffed 24 hours a day by uniformed University Security Officers. In addition, the Library Security staff are able to view cameras from throughout the campus, but only monitor Library cameras unless there is an urgent requirement to view other areas of campus.
b. The Control Room is also equipped with a Home Office licensed radio system linking the Room with uniformed Security Officers and Parking Wardens who provide mobile and foot patrols of the car parks and are able to respond to incidents identified on the CCTV monitors.
6. General Data Protection Regulations (GDPR)
a. This Code of Practice reflects the spirit and guidance issued by the Information Commissioner’s Office and the Surveillance Camera Code of Practice (updated January 2022) issued by the Home Office and will not be used to invade the privacy of any individual residence, business or other private premises, buildings or land, (see section 7 entitled Privacy Impact Assessment).
b. The University is committed to complying with the requirements of the Data Protection Act and the GDPR and will operate the system in accordance with the seven GDPR principles. The University will include the CCTV system in the University's Data Protection notification and ensure that the notification covers the purposes for which the system is used.
c. The standards, which must be met if the requirements of GDPR are to be satisfied, are based on the seven GDPR principles which are:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
d. All members of staff involved in operating the CCTV system will be made aware of the objectives of the scheme as set out in section 3 of this Code and will be permitted only to use the system to achieve those objectives.
e. All members of staff involved in operating the main controller satellite view stations will be forwarded a copy of the CCTV Code of Practice for reference and compliance purposes.
f. The University recognises the importance of strict guidelines in relation to access to and disclosure of recorded images and all members of staff should be aware of the restrictions relating to this set out in this Code and the rights of individuals under GDPR.
7. Privacy Impact Assessment
The recorded images are stored on centralised servers and accessed by Security staff and authorised users* in accordance with this CCTV Code of Practice which has been agreed following consultation with interested stakeholders including the staff associations.
The code is updated annually and deals with aspects of GDPR, storing and viewing of images, signage, disclosure and general use of the system.
*Authorised users, see section 8.
Privacy risks and mitigation
The use of CCTV is a sensitive area in relation to the privacy of individuals as it is directly recording actions by staff, students and visitors alike.
The Information Commissioner’s Office and GDPR set down guidelines and/or regulations to monitor the use and management of such systems.
The privacy risks include:
No. | Privacy Risk | Mitigation |
---|---|---|
1 | Accommodation blocks – viewing of student bedrooms | Pixel/colour blocking of all viewable student accommodation bedrooms. Body worn cameras will be labelled clearly as a recording device and will show a red light when actively recording. Security Officers will alert students that they are using a body worn camera if they need to use it in a student bedroom. |
2 | Showers/changing rooms | No cameras fitted in these areas. |
3 | Office/reception areas | Consultation with staff before fitment into these work areas (e.g. where there is cash handling or high value equipment). |
4 | Sports performance and tactical espionage opportunities | Strict disclosure rules set down in the Codes of Practice. |
5 | Social space monitoring | Signage at entry points of such spaces and strict control of disclosure. Proportionate level of consultation prior to application. |
6 | Abuse of covert camera usage | Covert cameras can only be used with written authorisation of University Senior Management*. |
7 | Issues of trust if the system is abused | Good training of staff to ensure that the highest integrity is maintained when viewing and dealing with CCTV images. |
8 | Reputational damage to the Security Services or the University | Good training of staff to ensure that the highest integrity is maintained when viewing and dealing with CCTV images. |
*A member of University Executive Board.
Prior to introducing any new cameras into the system the Head of Security Services will ensure that a Privacy Impact Assessment (PIA) is conducted and any risks mitigated to an acceptable level, if it is not possible to mitigate the risks then a re-designing of the system should be considered.
8. Administration
a. It will be the responsibility of the Head of Security Services or their absence their Deputy to:
i. Select camera sites and initial areas to be viewed.
ii. Be responsible for compliance with the GDPR and the Data Protection Act, in consultation with the University’s Data Protection Officer.
iii. Take responsibility for control of the images and make decisions on how these can be used.
iv. Ensure the system is secure and only viewed by authorised persons*.
v. Ensure the procedures of this Code of Practice comply with guidance produced by the Information Commissioner’s Office and the current Surveillance Camera Code of Practice issued by the Home Office.
vi. Maintain a CCTV incident log and record of Police of other Statutory Authority requests for images.
vii. Make bi-annual checks to establish that nominated managers still require viewing rights of the system in line with the above objectives.
viii. Ensure adequate signage is erected and maintained.
ix. Regularly evaluate the system to ensure it complies with the latest legislation, CCTV Codes of Practice and its use is in accordance with this Code of Practice.
*Authorised persons include:
Security staff
Management staff with a legitimate reason for accessing images, e.g. managers/ HR investigating the potential gross misconduct of staff cases (or potential misconduct cases where CCTV evidence may resolve a difference in evidence received), bars managers to monitor legal compliance, laboratory superintendents to monitor safety, Campus Infrastructure managers to monitor waste disposal/lift damage, Digital, Data and Technology Group Managers to monitor high value equipment areas and the University’s Data Protection Team / Legal Office.
The University’s Data Protection Team / Legal Office may permit other third parties to access recordings made in their discretion, where such access is permitted under the Data Protection Act. This may include individuals who make a valid Subject Access Request to access images of themselves, Police Officers and other Statutory Officers e.g. Health and Safety Executive Officers.
Members of staff facing disciplinary action and Trade Union representatives speaking for them
Students facing disciplinary action and their friends or representatives
b. It will be the responsibility of the Head of Security Services to:-
i. Clearly communicate the specific purposes of the recording of and use of images and objectives to all Security staff.
ii. Ensure that a CCTV incident log and record of Police or other Statutory Authority requests for images is maintained.
iii. Carry out annual audits to check that procedures are being complied with.
iv. Ensure that the audit team includes CCTV practices and procedures on their regular audits of the Security Services Department.
v. Ensure that regular 3 monthly reviews are conducted of all locked images and delete those not still required for evidential purposes.
vi. Ensure that all GDPR forms or Subject Access Requests received are forwarded to the University’s Data Protection Team / Legal Office.
vii. Ensure that all data and images are erased after a period of 3 months unless retained for evidential purposes.
viii. Ensure that all Security Officers working with the CCTV system hold or are working towards holding a valid Security Industry Authority (SIA) CCTV Public Space Surveillance Licence. This licence should be updated every three years once the initial licence course has been completed. Those working towards the licence would normally be accompanied by a licence holder when working with the CCTV system.
c. It will be the responsibility of the individual operating officer to:-
i. Select appropriate images to be recorded on controllable cameras (PTZ) so as to comply with the objectives outlined above.
ii. Ensure that targeting of individuals with the cameras is only conducted when there is reasonable suspicion that the person falls within one of the objectives set above e.g. committing a criminal offence.
iii. Not to view into private property and be mindful of student privacy within student accommodation.
iv. Complete the CCTV incident log as appropriate.
9. Storing and viewing images
a. All images recorded on the University cameras are digitally stored, either centrally in DD&T data centres or remotely within their respective departments, on computer/server hard drives and although the images can be searched it is not possible to tamper with or alter them.
b. In the event of a Subject Access Request being made or a request to access recording being received from the Police or other statutory body, if access is granted to the recordings by the University’s Data Protection Team / Legal Office they may ask for the images to be downloaded onto an encrypted USB for disclosure purposes.
c. The general CCTV images over record after 14 days dependent on the image quality being recorded, however any relevant images can be ‘locked’ on the hard drive for future reference.
d. All other images and data will be erased after 3 months unless required for evidential purposes.
e. Locked images are reviewed on a 3 monthly basis and any not still required for evidential purposes or pursuant to a request for data made under the Data Protection Act will be deleted.
f. ANPR plate data is stored on a dedicated hard drive for up to 6 months and overwritten on a rolling basis. Viewing of live images on monitors is restricted to Security operators and to other authorised persons (see section 8 above) and can only be accessed using passwords.
g. The Head of Security Services will consult with Senior University Management and with representatives from the Trade Unions and Students’ Union and a member of the IT Security Management team annually to agree how long footage can be stored or locked for and methods of information transfer.
h. Images are generally viewed confidentially in secure private offices however cameras within the Library can also be viewed discreetly at the Library Security Desk in small screens (6” or smaller) where images/individuals are not identifiable by persons passing the desk.
i. Requests to view images or image disclosure should be made in writing to the University’s Data Protection Team / Legal Office.
10. Disclosure
a. The following guidelines will be adhered to in relation to disclosure of images:
i. Will be in line with the above objectives and no images or recordings will be disclosed for any purpose other than those outlined above (e.g. images must not be copied, photographed, downloaded or printed for any other type of use, or forwarded to the media for entertainment purposes or be placed on the internet, etc.).
ii. The decision as to whether to disclose any images or recordings to any third party outside of the University will rest with the Legal Office.
iii. If images/recordings are disclosed the method of disclosing images should be secure to ensure they are only seen by the intended recipient and the images/recordings themselves may be partly obscured to block out images of third parties. Even if a system was not established to prevent and detect crime, it may still be acceptable to disclose images to law enforcement agencies if failure to do so would be likely to prejudice the prevention and detection of crime.
iv. All requests for images should be routed via the Data Protection Team / Legal Office who will consider whether they should be disclosed in accordance with Data Protection Legislation.
v. The University has discretion to refuse any third party requests for access to recordings/images unless there is an overriding legal obligation to disclose.
vi. A logging spreadsheet will be maintained by Security itemising the date, time(s), camera, person copying, person receiving and reason for the disclosure. Each entry on this spreadsheet will be maintained for 7 years and then removed.
b. All requests for images should be routed via the University’s Data Protection Team / Legal Office who will consider whether they should be disclosed in accordance with the Data Protection Legislation.
c. The University has discretion to refuse any third party request for access to recordings/images unless there is an overriding legal obligation to disclose.
11. Signage
a. Signage has been erected at the main entrances to the University campus and at other locations where CCTV (including ANPR) is in use informing staff, students and visitors that CCTV surveillance is in operation.
b. The signs contain details of the University and a contact number for Security.
c. It is the responsibility of the Head of Security Services to ensure adequate signing is erected and maintained to comply with the Information Commissioner’s guidance.
12. Subject access requests
Individuals whose images are recorded have a right to view the images of themselves and their property and, unless they agree otherwise, to be provided with a copy of the images. All such requests are handled centrally by the University Data Protection Team / Legal Office and must be passed to dataprotection-queries@lists.bath.ac.uk.
i. Those who request access to images of themselves must provide the legal team with details which allow them to be identified as the subject of the images and also to allow location of the images on the system.
ii. If images of third parties are also shown with the images of the person who has made the access request, the Data Protection Team / Legal Office will give consideration as to whether there is need to obscure the images of the third parties.
13. Freedom of information
a. As a public body the University may receive requests under the Freedom of Information Act 2000 (FOIA). All such requests are dealt with centrally by the Freedom of Information Coordinator and should be passed on receipt to freedom-of-information@bath.ac.uk.
b. The response should be made within 20 working days from the receipt of the request.
c. Section 40 of the FOIA and section 38 of the FOISA contain a two-part exemption relating to information about individuals. If the University receives a request for footage, it will consider:
i. Are the images those of the requestor? If so then that information is exempt from the FOIA/FOISA. Instead this request should be treated as a Data Subject Access Request as outlined above.
ii. Are the images of other people? If so, their rights and data protection considerations will be taken into consideration before any decision regarding disclosure can be made.
14. Use of the system
a. All Security staff and other authorised users* must read this Code of Practice prior to being instructed on the operation of the system.
b. All Security staff and other authorised users* will be trained on the use of the system by the Security Technical Support Officers and will only be able to view cameras relevant to their specific areas of interest.
c. The system can be used to observe the Campus and areas under surveillance and identify incidents that require a response; the response should be proportionate to the incident being witnessed. On some occasions the deployment of a security officer may be sufficient, on other occasions contacting the Police to respond may be the appropriate action.
d. Such surveillance should be accordance with the stipulated objectives.
e. Whenever a response is required a log should be commenced on the incident reporting system (TopDesk).
f. Viewing monitors should be password protected and switched off when not in use to prevent unauthorised use or viewing.
*Authorised users – see section 8.
15. Complaints
a. Complaints received in relation to the use of the CCTV system should be made in writing to the Head of Security Services who will investigate the allegation or complaint and then follow the normal University grievance procedures as outlines on the Human Resources website.
b. Complaints in relation to the disclosure of image supply should be made in writing to the University’s Data Protection Team / Legal Office.
16. Changes to the Code
a. Any changes to this Code, or changes which affect the privacy of individuals will only take place after consultation with the Students’ Union and Trades Union Representatives.
b. The changes will then have to be ratified by University Senior Management.
Mike Porter Head of Security Services November 2024
Samuel Sherry Data Protection Officer November 2024