CCTV privacy notice
This Privacy Notice is relevant to all students, staff and others who visit the University campus. Our CCTV helps ensure a safe environment and reduce fear of crime.
The University of Surrey is registered as a Data Controller with the Information Commissioner’s Office (our notification number is Z6346945), and we are committed to ensuring that the data we process is handled in accordance with data protection legislation.
We have a Data Protection Officer who can be contacted via firstname.lastname@example.org.
One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.
Under data protection legislation we are only allowed to collect the minimum amount of personal data that we need to carry out a specific purpose.
Our CCTV monitors various locations across the campus 24 hours a day, every day of the year. These locations are selected to fulfil the lawful purpose for processing personal data whilst having due regard to the privacy of the data subjects. The CCTV images are monitored and reviewed by university staff trained and authorised to do so where it is reasonably necessary to fulfil the purposes outlined in this notice and in furtherance of the University’s CCTV policy.
The data we hold and process about you is the following.
- Images of people and their activity, which may include special categories of personal data, as defined by the data compliance legislation .
The University collects only the data we need, and we keep the data up to date and only for as long as it is needed. We take our obligations for handling your data very seriously and it is therefore important for you to know that we process your personal data on the following legal bases:
- We process data to ensure that we can carry out our public task as an educational and research establishment, meeting legal, moral and contractual obligations as laid out in the University’s Charter
- For special category data where there is a substantial public interest in processing this information for the purposes of preventing or detecting unlawful acts.
We keep your personal data for as long as it is required to perform its purpose or for as long as is required by law. These periods are defined in our Retention Management Schedule which are available on our information governance webpage.
We process CCTV footage for 30 days after the date of capture, although we may process footage for a longer period, for example if the footage is relevant to an internal investigation.
We take the security of your data seriously. Details on university-wide measures surrounding IT security can be found in Our Data Policy Statement (PDF) (incorporating Information Security Policy). This specifies regulations to be implemented to secure information and technology that the University manages and to protect against the consequences of breaches of confidentiality, failures of integrity and interruption of availability.
We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by our employees in the performance of their duties.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We will only do this when it is necessary, or if we are required to do so by law. We do not plan to share it with anyone else or use it for anything else.
Your information may be shared internally with:
- The Centre for Wellbeing in order to provide you with any care that you require
- Accommodation in order to assist with any accommodation issues you are having
- Student Services in order for them to provide you with support and advice
- Human Resources and other professional services.
External third parties
- The Student’s Union in order to notify them that you may require help or guidance
- Law enforcement agencies for the purpose of the prevention and detection of crime
- Other relevant organisations such as the emergency services for safeguarding or public protection.
As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.
You have the right to:
- Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
- Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
- Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
- Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
- Restrict the processing of your personal data in certain ways.
- Data portability – you can ask us to provide you with a copy of your personal data in a commonly used electronic format, so that you can transfer it to other businesses
- Object to certain processing of your personal data.
If you would like to exercise any of your rights, then please click on this link to make a Subject Access Request (SAR)
Make a complaint
If you have any concerns about the way that we have handled your personal data, please email the Data Protection team as we would like to have the opportunity to resolve your concerns.
If you’re still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.