City of York Council - CCTV Audit Procedure

Data Protection Principle 1:

“Use of a surveillance system must be for a specified purpose which is in pursuit of a legitimate aim
and necessary to meet an identified pressing need”

Is the purpose(s) of the system formally stated?

Is the purpose(s) of the system legitimate and justified?

Do reviews of these aims occur? How often?

Have those persons that are affected by the system been consulted on its use?

Is the system being used for purposes other than those stated?

Data Protection Principle 2:

“The use of a surveillance system must take into account its effect on individuals and their privacy,
with regular reviews to ensure its use remains justified”

Do reviews of the use of the system as whole occur? How often?

Has a PIA been carried out?

Data Protection Principle 3:

“There must be as much transparency in the use of a surveillance camera system as possible,
including a published contact point for access to information and complaints”

Is the site signage adequate?

Does the use of CCTV have the support of the relevant stakeholders? Is this documented?

Is the use of CCTV proportionate in this instance?

Is there an adequate CoP or equivalent document in place? Is it publically available?

Data Protection Principle 4:
“There must be clear responsibility and accountability for all CCTV system activities including images
and information collected, held and used”

Is the line of responsibility clear and documented?

Are specific responsibilities assigned to specific people?

Data Protection Principle 5:

“Clear rules, policies and procedures must be in place before a CCTV system is used, and these must
be communicated to all who need to comply with them”

Is there a process in place to ensure that all system users remain up to date with relevant changes in
legislation and best practice?

Do any users require SIA licenses?

If no licences are required, how are the relevant skills of operation and management maintained?

Is the production process clearly documented and auditable?

Are the relevant users aware of the implications of RIPA?

Data Protection Principle 6:

“No more images and information should be stored than that which is strictly required for the stated
purpose of a CCTV system, and such images and information should be deleted once their purposes
have been discharged”

How long are images retained for? Why this period?

Is there an auditable process for reviewing images and managing their retention?

Data Protection Principle 7:

“Access to retained images and information should be restricted and there must be clearly defined
rules on who can gain access and for what purpose such access is granted; the disclosure of images
and information should only take place when it is necessary for such a purpose or for law
enforcement purposes”

Who has access to the stored footage?

Are the access arrangements formally detailed?

Are there sufficient measures in place to enforce the access arrangements?

What is the procedure for production of footage to third parties? Is it documented?

Data Protection Principle 8:

“When the use of a CCTV system is in pursuit of a legitimate aim, and there is a pressing need for its
use, it should then be used in the most effective way to support public safety and law enforcement
with the aim of processing images and information of evidential value”

Are the images of a suitable quality?

Are the images stored in a format that is easily exportable?

Is the system maintained to an appropriate standard?

Other: