The safety of our students, staff and visitors and the protection of University property are of the utmost importance. Around the clock, our team monitors a network of over 500 CCTV cameras, on and off campus.
Our technical support team manage the installation of new CCTV and Access Control equipment and can provide consultation, advice and costings to departments. You can contact them using this form.
a. The University of Bath (the “University”) is the owner of a public closed circuit television system (CCTV) currently installed on the Campus and in/on University buildings off Campus; in addition the system incorporates an Automatic Number Plate Recognition system (ANPR), body worn, dashboard and covert cameras.
b. For the purpose of this Code of Practice these systems together will be collectively known as the CCTV systems.
c. Cameras are located in various areas around the campus and off campus including:
i. Car parks
ii. Academic buildings
iii. Service buildings
v. Students’ Union
viii. Security vehicles
d. There are several types of camera:
i. Overt fixed – these record uncontrolled images e.g. reception desk, doors etc.
ii. Overt Pan, Tilt, Zoom (PTZ) – these are controllable cameras that can follow vehicles or subjects when required.
iii. Body worn – used by Security staff when on patrols and dealing with drunkenness, violence and anti-social behaviour.
iv. Dashboard – used by Security staff when transporting students and dealing with drunkenness, violence and anti-social behaviour.
v. Covert – temporarily fitted cameras used in areas that are not covered by CCTV but are the scene of persistent criminality.
vi. Overt PTZHD – these are controllable cameras that can follow vehicles or subjects when required and are placed in incident ‘hotspots’.
vii. ANPR – these record vehicle number plates together with a date and time stamp.
e. The cameras cover roadways, car parks, buildings, the interior of security vehicles, vulnerable public facing offices, academic buildings and licensed premises.
f. Images are recorded locally within departments or centrally on servers in Digital, Data and Technology Group (DD&T) communications rooms; they are all viewable centrally by Security staff. In addition, a limited number of authorised users have the facility to monitor cameras sited within their own areas of responsibility to monitor legal compliance (bars managers), safety (laboratory superintendents) and misuse of equipment (Estates managers).
2. Objectives for the use of CCTV systems
a. The objectives for the use of the various CCTV systems are to:
i. Assist in providing a safe and secure environment for the benefit of those who might visit, work or live on the campus.
ii. Reduce crime and the fear of crime by reassuring students, staff and visitors.
iii. Deter and detect crime, public disorder and anti-social behaviour.
iv. Identify, apprehend and prosecute offenders in relation to crime, public disorder and anti-social behaviour.
v. Provide the Police, Health and Safety Executive and University with evidence upon which to take criminal, civil and disciplinary action respectively.
vi. Monitor crowd movements during University events.
vii. Monitor and assist with traffic management.
viii. Assist in the monitoring and deployment of Security staff during normal duties and emergency situations.
ix. Protect Security Officers from undue threats and violence.
x. Obtain evidence for use in the investigation of criminal activity, breaches of health and safety legislation and breaches of student and staff disciplinary procedures (subject to conditions, see section 3).
3. Procedural and administrative notes
The Head of Security Services of the University retains responsibility for the system and delegates the day to day management to the Security Manager and Security Technical Support Officers. It is their responsibility to ensure that CCTV within the University is managed in line with this Code of Practice, the current CCTV Code of Practice produced by the Information Commissioner’s Office and the current Surveillance Camera Code of Practice issued by the Home Office.
a. All images produced by the system remain the property and copyright of the University.
b. The University will only investigate images for use in a staff disciplinary case when:
i. There is, in the opinion of the selected investigating manager, a reasonable suspicion of gross misconduct or
ii. In a formal investigation of misconduct where there is a difference in the accounts of the staff member against whom allegations had been raised and an individual witness, and the CCTV evidence could verify which is most accurate.
In these situations the selected investigating manager or HR Business Partner/Advisor must first formally request access to images from Security Services, where these may prove or disprove suspected potential gross misconduct/misconduct. Where access is given, the confidentiality of these images and who is able to access them will be closely controlled.
The above will be carried out in line with the current University Disciplinary Policy Procedure.
CCTV evidence must not be used to generally monitor staff activity.
c. Likewise the images will only be sought as evidence in serious student discipline cases being heard by the Head of Student Services and Head of Security Services or other higher authority. This will be carried out in line with the current University Student Disciplinary Policy and Procedure.
d. Covert cameras will be used on rare occasions when a series of criminal acts have taken place e.g. thefts in the same area not fitted with CCTV. Authority of University Senior Management will always be sought before installing any covert cameras; they will be installed for limited periods of time when investigating a specific incident. It should be noted that, provided that written authority has been sought and given prior to usage in line with this procedure, recording will not constitute misconduct as set out in the last bullet point of section 8 (What is Gross Misconduct) of the Disciplinary Policy & Procedure – covert recording of staff, meetings etc. – without express consent.
e. The objectives outlined in section 2 of this Code will be closely followed when assessing the requirements for new CCTV installations. Similarly, if designated usage of the area changes it will be necessary to assess whether the location of cameras remains justified in meeting the stated purpose or whether there is a case for removal or relocation.
4. Security control room
a. The Security Control Room is situated on level 1 of Wessex House and is capable of receiving images from throughout the campus. It is staffed 24 hours a day by uniformed University Security Officers. In addition, the Library Security staff are able to view, by way of a direct viewer, cameras in the Library linked to the network.
b. The Control Room is also equipped with a Home Office licensed radio system linking the Room with uniformed Security Officers and Parking Wardens who provide mobile and foot patrols of the car parks and are able to respond to incidents identified on the CCTV monitors.
5. Data protection
a. This Code of Practice reflects the spirit and guidance issued by the Information Commissioner’s Office as documented in the CCTV Code of Practice (revised edition May 2017) and the Surveillance Camera Code of Practice (updated October 2014) issued by the Home Office and will not be used to invade the privacy of any individual residence, business or other private premises, buildings or land (see section 6 entitled Privacy Impact Assessment).
b. The University is committed to complying with the requirements of GDPR and will operate the system in accordance with the seven GDPR principles. The University will include the CCTV system in the University's GDPR notification. The Head of Security Services will be responsible for ensuring that the notification covers the purposes for which the system is used.
c. The standards, which must be met if the requirements of GDPR are to be satisfied, are based on the seven GDPR principles which are:
Lawfulness, fairness and transparency
Integrity and confidentiality (security)
d. All members of staff involved in operating the CCTV system will be made aware of the objectives of the scheme as set out in section 2 of this Code and will be permitted only to use the system to achieve those objectives.
e. All members of staff involved in operating the main controller satellite view stations will be forwarded a copy of the CCTV Code of Practice for reference and compliance purposes.
f. The University recognises the importance of strict guidelines in relation to access to and disclosure of recorded images and all members of staff should be aware of the restrictions relating to this set out in this Code and the rights of individuals under GDPR.
6. Privacy impact assessment
The recorded images are stored on both local and centralised servers and accessed by Security staff and authorised users* in accordance with this CCTV Code of Practice which has been agreed following consultation with interested stakeholders including the staff associations.
The code is updated annually and deals with aspects of GDPR, storing and viewing of images, signage, disclosure and general use of the system.
*Authorised users, see section 7.
Privacy risks and mitigation
The use of CCTV is a sensitive area in relation to the privacy of individuals as it is directly recording actions by staff, students and visitors alike.
The Information Commissioner’s Office and GDPR set down guidelines and/or regulations to monitor the use and management of such systems.
The privacy risks include:
| No. | Privacy risk | Mitigation |
|---|---|---|
| 1 | Accommodation blocks – viewing of student bedrooms | Pixel blocking of all viewable student accommodation bedrooms. |
| 2 | Showers/changing rooms | No cameras fitted in these areas. |
| 3 | Office/reception areas | Consultation with staff before fitment into these work areas. |
| 4 | Sports performance and tactical espionage opportunities | Strict disclosure rules set down in the Codes of Practice. |
| 5 | Social space monitoring | Signage at entry points of such spaces and strict control of disclosure. |
| 6 | Abuse of covert camera usage | Covert cameras can only be used with written authorisation of University Senior Management*. |
| 7 | Issues of trust if the system is abused | Good training of staff to ensure that the highest integrity is maintained when viewing and dealing with CCTV images. |
| 8 | Reputational damage to the Security Services or the University | Good training of staff to ensure that the highest integrity is maintained when viewing and dealing with CCTV images. |
*A member of University Executive Board.
Prior to introducing any new cameras into the system the Head of Security Services will ensure that a PIA is conducted and any risks mitigated to an acceptable level. If it is not possible to mitigate the risks then a re-designing of the system should be considered.
a. It will be the responsibility of the Head of Security Services or, in their absence, their Deputy to:
i. Select camera sites and initial areas to be viewed.
ii. Be responsible for compliance with GDPR.
iii. Take responsibility for control of the images and make decisions on how these can be used.
iv. Ensure the system is secure and only viewed by authorised persons*.
v. Ensure the procedures of this Code of Practice comply with the current CCTV Code of Practice produced by the Information Commissioner’s Office and the current Surveillance Camera Code of Practice issued by the Home Office.
vi. Introduce a CCTV incident log and record of Police or other Statutory Authority requests for images.
vii. Make bi-annual checks to establish that nominated managers still require viewing rights of the system in line with the above objectives.
viii. Ensure adequate signage is erected.
ix. Regularly evaluate the system to ensure it complies with the latest legislation, CCTV Codes of Practice and its use is in accordance with this Code of Practice.
*Authorised persons include:
Management staff with a legitimate reason for accessing images, e.g. managers/HR investigating the potential gross misconduct of staff cases (or potential misconduct cases where CCTV evidence may resolve a difference in evidence received), or authorised users e.g. bars managers to monitor legal compliance, laboratory superintendents to monitor safety and Estates managers to monitor waste disposal/lift damage.
Other Statutory Officers e.g. Health and Safety Executive Officers
Members of staff facing disciplinary action and Trade Union representatives speaking for them
Students facing disciplinary action and their friends or representatives
b. It will be the responsibility of the Security Manager to:-
i. Clearly communicate the specific purposes of the recording of and use of images and objectives to all Security staff.
ii. Ensure that a CCTV incident log and record of Police or other Statutory Authority requests for images is maintained.
iii. Carry out annual audits to check that procedures are being complied with.
iv. Ensure that the audit team includes CCTV practices and procedures on their regular audits of the Security Services Department.
v. Ensure that regular 3 monthly reviews are conducted of all locked images and delete those not still required for evidential purposes.
vi. Ensure that all GDPR forms received from the Police or other investigatory bodies e.g. Health and Safety Executive are filed for future reference.
vii. Ensure that all data and images are erased after a period of 3 months unless retained for evidential purposes.
viii. Ensure that all Security Officers working with the CCTV system hold or are working towards holding a valid Security Industry Authority (SIA) CCTV Public Space Surveillance Licence. This licence should be updated every three years once the initial licence course has been completed. Those working towards the licence would normally be accompanied by a licence holder.
c. It will be the responsibility of the individual operating officer to:-
i. Select appropriate images to be recorded on controllable cameras (PTZ) so as to comply with the objectives outlined above.
ii. Ensure that targeting of individuals with the cameras is only conducted when there is reasonable suspicion that the person falls within one of the objectives set above e.g. committing a criminal offence.
iii. Not to view into private property and be mindful of student privacy within student accommodation.
iv. Complete the CCTV incident log as appropriate.
8. Storing and viewing images
a. All images recorded on the University cameras are digitally stored, either centrally in DD&T data centres or remotely within their respective departments, on computer/server hard drives and although the images can be searched it is not possible to tamper with or alter them.
b. In the event of the Police requiring images they can be uploaded onto a memory stick for evidence in court, on receipt of the appropriate GDPR form.
c. General CCTV images are overwritten after 10-14 days, depending on the image quality being recorded; however, any relevant images can be ‘locked’ on the hard drive for future reference.
d. All other images and data will be erased after 3 months unless required for evidential purposes.
e. Locked images are reviewed on a 3 monthly basis and any not still required for evidential purposes will be deleted.
f. ANPR plate data is stored on a dedicated hard drive for up to 6 months and overwritten on a rolling basis. Viewing of live images on monitors is restricted to Security operators and to other authorised persons (see section 7 above) and can only be accessed using passwords.
g. The Head of Security Services will consult with Senior University Management and with representatives from the Trade Unions and Students’ Union and a member of the IT Security Management team annually to agree how long footage can be stored or locked for and methods of information transfer.
h. Images are generally viewed confidentially in secure private offices; however, cameras within the Library can also be viewed discreetly at the Library Security Desk on small screens (6” or smaller) where images/individuals are not identifiable by persons passing the desk.
i. Requests to view images or image disclosure should be made in writing to the Head of Security Services.
a. The following guidelines will be adhered to in relation to disclosure of images:
i. Will be in line with the above objectives.
ii. Will be controlled under the supervision of the Head of Security Services or their Deputy.
iii. A logging spreadsheet will be maintained itemising the date, time(s), camera, person copying, person receiving and reason for the disclosure. Each entry on this spreadsheet will be maintained for 7 years and then removed.
iv. The appropriate disclosure documentation from the Police will be filed for future reference.
v. Images must not be forwarded to the media for entertainment purposes or be placed on the internet.
vi. Images must not be copied in any way, e.g. photographed, filmed, copied, downloaded or printed, for use other than described in the objectives.
vii. Images will only be released to the media for identification purposes in liaison with the Police or other law enforcement agency.
viii. The method of disclosing images should be secure to ensure they are only seen by the intended recipient.
ix. Consider obscuring images of third parties not relevant to the investigation to prevent unnecessary identification of individuals.
NB: Even if a system was not established to prevent and detect crime, it would still be acceptable to disclose images to law enforcement agencies if failure to do so would be likely to prejudice the prevention and detection of crime.
b. Any other requests for images should be routed via the Head of Security Services or their Deputy, as disclosure of these may be unfair to the individuals concerned. In some limited circumstances it may be appropriate to release images to a third party, where their needs outweigh those of the individuals whose images are recorded.
i. Example: A member of the public requests CCTV footage of a car park, which shows their car being damaged. They say they need it so that they or their insurance company can take legal action. You should consider whether their request is genuine and whether there is any risk to the safety of other people involved.
c. The University has discretion to refuse any third party request for information unless there is an overriding legal obligation such as a court order or information access rights. Once an image has been disclosed to another body, such as the Police, then they become the data controller for their copy of that image. It is their responsibility to comply with GDPR in relation to any further disclosures.
a. Signage has been erected at the main entrances to the University campus and at other locations where CCTV (including ANPR) is in use informing staff, students and visitors that CCTV surveillance is in operation.
b. The signs contain details of the University and a contact number for Security.
c. It is the responsibility of the Head of Security Services to ensure adequate signing is erected to comply with the Information Commissioner’s Code of Practice.
11. Subject access requests
Individuals whose images are recorded have a right to view the images of themselves and their property and, unless they agree otherwise, to be provided with a copy of the images. All such requests are handled centrally by the Legal Office and must be passed to firstname.lastname@example.org.
i. Those who request access must provide you with the details which allow you to identify them or their property as the subject of the images and also to locate the images on your system.
ii. A log of such requests will be maintained in the disclosure log.
iii. If images of third parties are also shown with the images of the person who has made the access request, consideration must be given as to whether there is need to obscure the images of the third parties.
12. Freedom of information
a. As a public body the University may receive requests under the Freedom of Information Act 2000 (FOIA). All such requests are dealt with centrally by the Freedom of Information Coordinator and should be passed on receipt to email@example.com.
b. The response should be made within 20 working days from the receipt of the request.
c. Section 40 of the FOIA and section 38 of the FOISA contain a two-part exemption relating to information about individuals. If you receive a request for CCTV footage, you should consider:
i. Are the images those of the requestor? If so then that information is exempt from the FOIA/FOISA. Instead this request should be treated as a GDPR subject access request as explained above.
ii. Are the images of other people? These can be disclosed only if disclosing the information in question does not breach GDPR principles.
13. Use of the system
a. All Security staff and other authorised users* must read this Code of Practice prior to being instructed on the operation of the system.
b. All Security staff and other authorised users* will be trained on the use of the system by the Security Technical Support Officers and will only be able to view cameras relevant to their specific areas of interest.
c. The system can be used to observe the Campus and areas under surveillance and identify incidents that require a response; the response should be proportionate to the incident being witnessed. On some occasions the deployment of a security officer may be sufficient, on other occasions contacting the Police to respond may be the appropriate action.
d. Such surveillance should be in accordance with the stipulated objectives.
e. Whenever a response is required a log should be commenced on the incident reporting system (TopDesk).
f. Viewing monitors should be password protected and switched off when not in use to prevent unauthorised use or viewing.
*Authorised users – see section 7.
a. Complaints received in relation to the use of the CCTV system should be made in writing to the Head of Security Services who will investigate the allegation or complaint and then follow the normal University grievance procedures as outlined on the Human Resources website.
b. Complaints in relation to the disclosure of image supply should be made in writing to the Head of Security Services.
15. Changes to the code
a. Any changes to this Code will only take place after consultation with the Students’ Union and Trades Union Representatives.
b. The changes will then have to be ratified by University Senior Management.
Head of Security Services