Privacy notice: CCTV system

This privacy notice tells you what to expect us to do with your personal information when it is collected via our CCTV system. Personal information (or personal data) is any information which relates to and identifies you. Data protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA)) set out how we should handle your personal information.

The University of Central Lancashire Higher Education Corporation is the controller for the personal information we process, unless otherwise stated. We are registered with the Information Commissioner’s Office and our registration number is Z5512420.

There are many ways you can contact us, including by phone, email, social media and post. See our main contact details, which include contact details for our Security team.

UCLan’s Information Governance Manager & Data Protection Officer can be contacted on DPFOIA@uclan.ac.uk. Further information and contact details can be found on our Data Protection web page.

The University’s estate comprises a number of buildings, car parks, accommodation and other public areas at our Main Campus in the centre of Preston, in addition to campuses at Burnley and Westlakes. We operate a Closed-Circuit Television (CCTV) system across our estate. The CCTV System is made up of the following separate systems:

• The Primary CCTV System, located in the Security Control Centre, which consists of cameras at the Main Campus in Preston, the UCLan Library, UCLan Sports Arena (USA), UCLan Pre School Centre (PSC), Sir Tom Finney Sports Centre (STFSC), Sandygate Halls of Residence, Sandygate Mill and the Westlakes campus.
• The Library CCTV System which is separate, and in addition to, the cameras in the Library that are operated as part of the Primary CCTV System;
• Victoria Mill CCTV System, which is in Burnley; and
• Body worn video devices worn by security staff.

The Primary CCTV System consists of internal and external cameras installed at strategic locations. Some of the cameras are fully operational with pan, tilt and zoom facilities; others are fixed cameras, images from which are presented in the same location. The Primary CCTV System is fully managed by authorised Security staff from the Control Centre at the Main Campus in Preston. There are secondary monitoring stations in the Library, USA, PSC and STFSC, Sandygate Halls of Residence and Sandygate Mill. These secondary monitoring stations are standalone facilities which enable authorised staff at each location to monitor feeds from cameras situated in those locations.

The Library CCTV system is managed by the Library Systems Manager. Cameras are installed at various locations within the Library, including within individual study rooms.

The Victoria Mill CCTV System (Burnley) is operated by Security staff based at Victoria Mill, who have overall control of the system.

The University also equips certain members of staff with body-worn video devices, to be used only in authorised locations in accordance with specific procedures.

If you visit any part of the University estate or public areas in its immediate vicinity, your image and your movements may be captured by our CCTV System. You may be captured on more than one camera throughout your visit.

If you come into contact with our Security staff when they are operating body worn video devices, you may be captured on audio and visual recordings. Staff operating body worn video devices will always announce that a device is recording, and devices visibly flash when they are recording. Body worn video devices have the facility to live stream the footage they are capturing to our Security Control Room. Footage that is live-streamed can only be accessed from a single computer in the Control Room.

We will use your personal data collected by the CCTV System to:

• help reduce the fear of crime
• help prevent and/or detect crime and disorder and provide evidential material
• assist with the apprehension and prosecution of alleged offenders
• assist in the overall management of safety and security at the University
• investigate allegations of non-compliance with the University’s rules and regulations, particularly those applicable to staff and students
• enhance community safety and assist in developing the economic well-being of the University area
• assist with traffic management
• assist the Local Authority in its enforcement and regulatory functions within the University area
• assist in supporting civil proceedings which may help prevent and detect crime
• assist in the training of Security Managers, the police and others involved in the use of the System.

The University can only process personal data about you if there is a lawful basis from the UK GDPR which allows us to do so.

For the general operation of the system, which includes recording images from all cameras simultaneously on a continuous 24-hour cycle, and use of body worn video devices for recording or live streaming, we rely on Article 6(1)(f) UK GDPR, which enables us to process personal data when the processing is in the legitimate interests of the University. Those legitimate interests are as follows:

• To help reduce the fear of crime
• To help prevent and/or detect crime and disorder and provide evidential material
• To assist with the apprehension and prosecution of alleged offenders
• To assist in the overall management of safety and security at the University
• To investigate allegations of non-compliance with the University’s rules and regulations, particularly those applicable to staff and students
• To enhance community safety and assist in developing the economic well-being of the University area
• To assist with traffic management
• To assist the Local Authority in its enforcement and regulatory functions within the University area
• To assist in supporting civil proceedings which may help prevent and detect crime
• To assist in the training of Security Managers, the police and others involved in the use of the System

We rely on the following lawful bases from the UK GDPR when we make additional use of downloaded footage or recorded body worn video footage:

Article 6(1)(b) UK GDPR, which enables us to process personal data when it is necessary for the performance of a contract (the staff employment contract or the student contract) in relation to:

• Investigating allegations of non-compliance with the University’s rules and regulations, particularly those applicable to staff and students.

Where we process data about alleged or actual criminal offences for any of the above purposes, we will rely on the following additional lawful bases:

Article 9(2)(g) UK GDPR, which allows us to process this type of data if the processing is necessary in the substantial public interest and there is a basis to do so in law. The law which allows us to rely on Article 9(2)(g) is section 10 DPA by virtue of Schedule 1 DPA. The specific conditions from Schedule 1 DPA on which we rely for this type of processing are as follows:

• Schedule 1(6), which allows us to process data about criminal offences to comply with a statutory or legal function. Such functions include the duties set out in the Equality Act 2010 and the requirement to comply with the registration conditions imposed on us by the Office for Students under the Higher Education and Research Act 2017.
• Schedule 1(10), which allows us to process data about criminal offences to prevent or detect unlawful acts.
• Schedule 1(18), which allows us to process data about criminal offences to safeguard individuals at risk and children.

When processing special category data or data about criminal convictions in reliance on the above conditions from Schedule 1 DPA the University must have an appropriate policy document, which can be read here: Data Protection: Processing special category data and criminal convictions data.

Article 9(2)(j) UK GDPR, which allows us to process special category data for archiving, scientific or historical research purposes or statistical purposes, where there is a basis to do so in law. The law which allows us to rely on this basis is section 10 DPA by virtue of Schedule 1(4) DPA. We may also rely on Schedule 1(4) DPA if we process personal data relating to criminal convictions for archiving, research or statistical purposes.

We share your information with a range of external organisations and bodies, some of which are processing personal data on our behalf. We only share your personal data with another person or organisation where the law allows us to and we consider it to be appropriate under the circumstances. The external parties we may share information with include the following:

• Government agencies and authorities, including the police and DWP for the prevention and detection of crime, apprehension and prosecution of offenders, the collection of tax or duty and safeguarding national security, among other things.
• Executive agencies or non-departmental public bodies such as UK Visas and Immigration, HM Revenue and Customs and the Health and Safety Executive.
• Insurance companies and solicitors where they make a lawful request for CCTV footage for the purposes of investigating insurance claims involving their insured parties or other legal claims, such as personal injury claims, relating to their clients.
• Contractors who manage construction or other projects on, in or near University premises who make a lawful request for CCTV footage to investigate health and safety incidents or other similar incidents.
• Internal and external auditors to provide assurance that the University is following its risk management, governance and internal control processes and to independently inspect our financial statements and records.
• Companies or organisations acting on our behalf: We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct.

Occasionally we may need to send your personal information outside the UK or the European Union/European Economic Area (EU/EEA) e.g. to obtain a service from a processor. We only transfer personal data outside the EEA if there is a lawful basis to do so and appropriate safeguards are put in place to protect your information and ensure it remains secure.

Footage recorded via our CCTV System, including via body worn video devices, will be retained for up to 30 days, following which it will be automatically overwritten or deleted.

Footage which has been viewed and downloaded because it may be required for evidential purposes e.g. because it shows a potential incident, will be retained for a maximum of six months, then it will be deleted.

Footage which has been downloaded because we have been informed it relates to a security incident and it has either been used as evidence for UCLan purposes or provided to a third party such as the police as evidence, will be retained for six years.

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Further information about each of these rights can be found on the Information Commissioner’s Office website. To exercise any of these rights, you can contact the Information Governance Manager & Data Protection Officer. 

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. For further information or to make a request, please see the data protection pages of our website.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to any processing we carry out, if we carry it out on the basis that it forms part of our public task or is in our legitimate interests. You also have the right to object to your personal information being used for direct marketing purposes.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information because we have your consent or because it is necessary for your contract with us, and the processing is automated.

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact the Information Governance Manager & Data Protection Officer, and we will respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office, which is the UK supervisory authority for data protection. Further information can be found on our Data Protection webpage.