Corporate CCTV Policy - March 2026

2. Objectives

2.1. It is important that everyone and especially those charged with operating the CCTV systems on behalf of the Council understand exactly why each of the CCTV systems and each camera used as part of a CCTV system has been introduced and what the cameras should and should not be used for. 
 
2.2. Each CCTV system will have its own site or task specific objectives. These could include some or all the following:  

•    Protecting areas and premises used by council officers and the public. 
•    Deterring and detecting crime and anti-social behaviour. 
•    Assisting in the identification of and apprehension of offenders. 
•    Deterring violent or aggressive behaviour towards council officers. 
•    Traffic management including on-site traffic and car park management. 
•    Traffic regulation enforcement. 
•    Protecting council property and assets. 
•    Assisting in grievances, formal complaints and investigations. 
•    Monitoring operational environments.

3. Legislation

3.1.  CCTV systems are subject to legislation under: 
 
•    The Data Protection Act 2018 (DPA).
•    UK General Data Protection Regulation (UK GDPR). 
•    The Human Rights Act 1998 (HRA).  
•    The Freedom of Information Act 2000 (FOIA).  
•    The Protection of Freedoms Act 2012 (PROTECTION OF FREEDOMS ACT 2012). 
•    The Criminal Procedures and Investigations Act 1996 • The Regulation of Investigatory Powers Act 2000 (RIPA). 
•    Computer Misuse Act 1990. 
•    The Health & Safety at Work Act 1974.

4. Responsibilities

4.1.    The Senior Information Risk Owner (SIRO) 
 
4.1.1. The SIRO ensures the delivery of a corporate approach to the Council’s responsibilities arising from Protection of Freedoms Act 2012. They have strategic responsibility for the integrity and efficacy of the processes in place, which ensure compliance and in respect of all surveillance cameras operated by the Council. 
 
4.1.2. The SIRO will ensure the publication of all Self-Assessment Templates (SATs) and Data Protection Impact Assessments (DPIAs) on the website and that these are reviewed on an annual basis. 
 
4.1.3. The SIRO will lead on third-party certification to provide evidence of compliance with the Surveillance Camera Commissioner’s Code of Practice. 

4.2.    CCTV Single Point of Contact  
 
4.2.1. The CCTV Single Point of Contact (SPOC) is responsible for overseeing all aspects related to surveillance cameras. They ensure that everyone involved in the use of CCTV systems is informed about current legislation and guidance relating to these systems. Information and contact details for the CCTV SPOC can be found on the Council's intranet. 
 
4.3.    Heads of Service  
 
4.3.1. The overall responsibility for CCTV systems rests with the relevant Head of Service. This includes ensuring all relevant staff are appropriately trained and all systems are used in accordance with this policy.  
 
4.3.2. Heads of Service will nominate a designated Service Lead CCTV Officer for CCTV who will liaise with the CCTV Operators of the system. 
 
4.4.    Service Lead CCTV Officers 
 
4.4.1. Service Lead CCTV Officers will have oversight of all CCTV systems managed by the service and will be a central point of contact and offer advice in relation to queries from staff.  They will be responsible for ensuring that Self Assessment Template (SATs) are in place for all systems, that the corporate Data Protection Impact Assessments (DPIAs) cover all systems and that these documents are reviewed on an annual basis and available for publication.
 
4.4.2. Service Lead officers will ensure that the necessary steps are taken before installing a new system or making changes to existing ones, including the completion of EOI and consultation. Please see CCTV section on the intranet for details. 
 
4.4.3. The designated Service Lead Officer is responsible for the daily operation of each CCTV system. All systems and their respective officers will be listed in a register on the Council's CCTV intranet page, which must be regularly updated by the Lead Officers. This applies to third parties operating under the Council's direction. 
 
4.4.4. The Service Lead Officer shall ensure that council officers involved in the operation of the CCTV system are trained in the use of the equipment and are aware of this policy and the procedures in place to manage CCTV systems at the council. 
 
4.4.5. The Service Lead Officer should act as the first point of contact for all enquiries relevant to the CCTV system and should ensure that only authorised council officers are able to operate or view images. 
 
4.4.6. The Service Lead Officer shall investigate any reported misuse of a CCTV system and report it immediately to the CCTV SPOC. 
 
4.4.7. The Service Lead Officer shall ensure the CCTV system is operational and take steps to deal with any faults as appropriate. 
 
4.4.8. Service Lead Officers will ensure that the necessary steps are taken before installing a new system or making changes to existing ones, including the completion of the EOI and consultation. 

4.5.    CCTV Operators 
 
4.5.1. Council officers operating CCTV systems must comply with current legislation, this policy, guidelines, codes of practice, and local manuals. They must know the UK GDPR and DPA requirements and complete the Council's eLearning course on these regulations.  
 
4.5.2. Council officers involved in the use of CCTV systems shall report any misuse to the Service Lead CCTV Officer and shall cooperate with any investigation. The Service Lead Officer shall report it immediately to the CCTV SPOC and investigate any reported misuse of a CCTV system. 
 
4.5.3. Council officers operating CCTV systems shall be responsible for bringing any equipment faults to the Service Lead Officer’s attention immediately. 
 
4.5.4. Several council owned CCTV systems are in premises occupied by third parties. In these cases, it is important that there is a clear understanding between the Council and the organisation(s) concerned as to who is responsible for each aspect of the CCTV system. This should be recorded and signed by both parties. A copy of this document should be given to the council’s CCTV SPOC.

5. Purchasing and Deployment of CCTV Cameras

5.1. All new or significantly altered CCTV systems (including body-worn and vehicle mounted) intended for use by the Council must receive formal sign-off from the Senior Information Risk Owner (SIRO), or their nominated delegate, prior to implementation.

This approval process must be in accordance with the Council’s Expression of Interest (EOI) procedure, as documented on the CCTV section of the intranet Closed Circuit Television (CCTC).
 
5.2. The Expression of Interest (EOI) process will follow Corporate Properties governance procedures, which will be involved in approving new installation requests to ensure compliance with Health and Safety at Work requirements. 
 
5.3. No CCTV system may be procured, installed, or operated without completing the EOI process and obtaining authorisation from the SIRO. 
 
5.4. Those responsible for introducing and operating CCTV systems must ensure that the use of cameras is proportionate to the intended objective and that individuals' right to privacy is always respected. The EOI must be completed with a clear operational objective for the CCTV system and the relevant DPIA checked to ensure it covers the system. 
 
5.5. Care must be taken to ensure that cameras do not capture images or sounds of private spaces such as private houses. 
 
5.6. Covert cameras are not permitted to be deployed under the auspices of this policy. Such activities fall under the ambit of RIPA or shadow RIPA, and authorisation must be obtained for such activity under the relevant RIPA procedures. CCTV systems should normally be clearly visible with unobstructed signage situated close to the device informing those in the vicinity that they are being monitored and/or recorded. The content of such a sign or notice may differ according to the nature of the device being used, the area it is being used in and the purpose of its use. 
 
5.7. The Council notes that 'dummy' cameras may serve as deterrents, and requests for their use should proceed through the EOI process and be risk-assessed individually, considering the justification provided. 
 
5.8. Smart doorbell cameras may only be deployed at council-owned residential entrances, staff-only access points, and designated public service counters. Installation must be approved through the Expression of Interest (EOI) process and documented in the central CCTV register. All deployments must include signage and comply with privacy impact assessments. 
 
5.9. CCTV systems with Pan, Tilt & Zoom (PTZ) capability will require a justified basis for their procurement, installation, and operation, depending on the nature of the site, the level of potential privacy intrusion, and the purpose and identified need for PTZ capability. They will not be installed as standard.  
 
5.10. Upon the introduction of a static CCTV system, a map showing the location of the camera must be sent to the CCTV SPOC for inclusion in the Council’s central register of CCTV systems.  
 
5.11. Use of CCTV systems must be considered as part of planning a building construction or refurbishment. Advice should be obtained from the Designing Out Crime Officer from Dyfed Powys Police. Authorisation for the deployment of CCTV systems should be shared at an early stage in building design with the Head of Service for whom the building is being constructed. This is so that this policy can be applied and either an alternative method adopted, or an acceptable CCTV system built into the designs. Information about the CCTV system should be retained as part of the file relating to the completed building.

6. Monitoring

6.1. CCTV monitors installed in public spaces are designed for live surveillance. The practicality of these installations should be assessed individually, considering the business and operational requirements, as well as determining the appropriate personnel and members of the public who can view the footage.  
 
6.2. Accessing of recorded CCTV footage must only be carried out by persons authorised by the relevant Service Lead Officer. 
 
6.3. CCTV footage must not be download without an approval to disclosure being submitted and approved.  
 
6.4. CCTV will only be subject to the UK GDPR if the footage captured “relates to living individuals who can be identified” from it. 
 
6.5. If the UK GDPR applies, the CCTV operator will be required to carry out the following:  
 
6.5.1.  Put up signs notifying people that CCTV is in use (see section 9).

6.5.2. Give any individual who requests it, copies of footage of themselves (Subject Access Request) in consultation with the Data Protection Officer (see 8.2).
  
6.5.3. Ensure that any footage stored is kept for no longer than necessary for the purposes for which it is obtained. 

6.5.4. Ensure that footage is not disclosed to anyone unless it is permitted under an exemption contained under the Data Protection Act 2018 and UK GDPR.  
 
6.6. In addition to the obligations under the Data Protection Act 2018, the Human Rights Act requires any public authority using CCTV cameras to do so compatibly with Article 8 of the convention. 

6.7. The Council uses body worn cameras to protect council officers dealing with members of public in situations where they are particularly vulnerable to abuse or where there is an ongoing need to capture images or speech for evidential purposes. 
 
6.8. Details of CCTV systems data collection are included in the Council's privacy notice for CCTV. 
 
6.9. Remote access to CCTV systems must adhere to secure corporate protocols set by the Digital Services team. Requests must list users who will have access and be approved by the Head of Service and SIRO.

7. CCTV Checks and Assurance

7.1. CCTV Operators must carry out routine checks to ensure that all CCTV equipment is functioning correctly. These checks include regular (e.g. weekly) visual inspections of cameras, monitors, recording equipment and associated operating systems. Any faults, defects or performance issues identified must be reported immediately in line with local fault‑reporting procedures. 
 
7.2. Service Lead CCTV Officers are responsible for undertaking periodic inspections of all CCTV systems within their remit to provide assurance that systems remain operational, fit for purpose and compliant with this policy. These inspections must be completed at least annually and must include reviewing operator check records, monitoring the resolution of reported faults, and identifying any areas of non‑compliance. Any non‑compliance identified must be reported to Digital Services, the CCTV SPOC or the SIRO. 
 
7.3. Digital Services may arrange and coordinate formal CCTV “Health Checks” as part of a structured inspection programme. These health checks will be undertaken with Service Lead CCTV Officers and relevant Service Managers and will assess system performance, resilience, security and compliance. Where third‑party suppliers are required to support this activity, the relevant department is responsible for covering the associated costs required to maintain compliance.

8. Viewing footage

8.1. CCTV footage viewing must be conducted solely for legitimate reasons, such as operational needs or surveillance and monitoring at a site to prevent crime or antisocial behaviour. The Council, along with the Service Lead Officer, will define the use of the CCTV system on a site-by-site basis. 
 
8.2. The casual viewing or trawling of footage is strictly forbidden. Viewings must only be carried out for a specific, legitimate purpose. Inappropriate access must be reported and may lead to disciplinary action.  

8.3. Under Article 15 of the UK GDPR, data subjects have the right to access information held about them by the Council and to have a copy of that personal data.  Individuals also have the right to access images of themselves recorded on CCTV systems controlled by the Council.  Such requests must be made in writing to the Data Protection Officer, County Hall, Carmarthen, SA31 1 JP dataprotection@carmarthenshire.gov.uk  Please see our website for further details: Data Protection - Carmarthenshire County Council
 
8.4. In the event of a request being received by another officer, that officer should contact the Data Protection Officer to discuss the request.   
 
8.5. On occasion, council services may wish to access images and recordings captured on CCTV systems as part of a legitimate investigation into criminal activities, civil claims, potential disciplinary matters, complaints, grievances or health and safety issues. Viewings and images will only be released to a properly authorised investigating council officer upon the submission of a formal request to the Service Lead Officer.  The viewing request should include: 
 
•    The name of the authorising officer  
•    The name and contact details of the person viewing images 
•    The reason for viewing the images. 
 
8.6. Police requests for footage generally fall within the exemption outlined in Schedule 2, Part 1, Paragraph 2 of the Data Protection Act 2018. Access is authorised for the purposes of preventing or detecting crime, or apprehending or prosecuting offenders. Withholding access may impede these objectives, thereby invoking the exemption and permitting the release of such footage. 
 
8.7. Viewing Requests must be made in a timely manner as the retention period for most CCTV systems in operation in the council is one month. Council officers who are subject to council disciplinary, complaints or grievance procedures have the right to see and retain footage of themselves and can request copies as a Subject Access request as outlined in 8.3.  
 
8.8. On occasion, police officers may request to view images taken from CCTV systems during the investigation of criminal activity. This is generally permitted under an exemption in the UK GDPR.  
 
8.9. Insurance companies and solicitors may request footage for personal injury or employers' liability claims, often due to car park damage disputes. As the footage may identify drivers or vehicles, it is considered personal information. Copies can be requested via a Subject Access Request to the Information and Data Protection Officer (see 8.3). Consult the Risk Management team as needed. 
 
8.10.    A record of all disclosures is kept by the Data Protection Officer for a period of five years after administrative use is concluded.  Details of any disclosures will also be recorded on the template held relating to the system which records all occasions when images are viewed.

9. Signage

9.1. All areas where fixed site CCTV is in use must be clearly signed. Such signs warn people that they are about to enter an area covered by a CCTV system or to remind them that they are still in an area covered by a CCTV system. Signs will also act as an additional deterrent. CCTV system signs should not be displayed in areas that do not have CCTV cameras. 
 
9.2. Where body worn cameras are in use, officers using them must wear the appropriate council uniform and display a clear notice that this is the case on their person or on the device to confirm that they are operating a body worn camera.  Officers will always advise that an individual is being recorded as soon as the device is activated. 
 
9.3. Signs must be an appropriate size depending on context. For example, whether they are viewed by pedestrians or car drivers. 
 
9.4. Signs should be more prominent and frequent in areas where people are less likely to expect that they will be monitored by a CCTV system. This is particularly important when an ANPR system is being used that covers a large area. 
 
9.5. Corporate signage will be made available which will: 
 
9.5.1. Be clearly visible and readable.

9.5.2. Confirm that the system is operated by the Council and include contact details for the Contact Centre.
 
9.5.3. Confirm if the system is recorded or monitored or both.
 
9.5.4. State the purpose for having a surveillance system in place.

10. Storage and Retention

10.1. CCTV system footage is stored for 30 days and then overwritten. 

10.2. Access to CCTV footage will be kept secure in accordance with the Corporate CCTV Policy.

10.3. All footage will be stored securely in accordance with the Council's Corporate CCTV Policy.

10.4. Footage from smart doorbell cameras must be retained for no longer than 30 days unless required for investigation. All footage must be encrypted during storage and transmission. Access logs must be maintained for all interactions with smart doorbell footage, including viewing, copying, and deletion. 

10.5. Data Residency and International Transfers - All CCTV footage, including that captured by smart doorbell cameras, should be stored in data centres located within the United Kingdom or European Economic Area (EEA), or with cloud service providers who guarantee UK/EEA data residency and full compliance with UK GDPR. 
 
10.6. Where footage is stored or processed outside the UK/EEA, the Council must ensure that appropriate safeguards are in place, such as Standard Contractual Clauses, and that the rights and freedoms of data subjects are protected to the same standard as required by UK GDPR. 
 
10.7. The location of all CCTV data storage must be documented in the system register and reviewed as part of the Data Protection Impact Assessment (DPIA). 
 
10.8. All footage remains the property and copyright of the Council. 
 
10.9. All footage is time and date stamped. 
 
10.10. All media and CCTV devices will be confidentially disposed of when no longer needed following Council’s disposal procedure.  
 
10.11. Recorded material will not be sold or used for commercial purposes. 
 
10.12. Footage transferred from the CCTV recorder to the Council laptop via USB memory stick must be deleted from the USB once the transfer is completed. 
 
10.13.  For further information, please see the Council’s policy on Handling personal data.

11. Advanced Surveillance Technologies

11.1. The Council does not currently permit the use of AI-based analytics or facial recognition technologies within its CCTV systems. Any future deployment of such technologies must undergo a Data Protection Impact Assessment (DPIA), ethical review, and receive formal approval from the SIRO. This includes systems capable of biometric identification, behavioural analysis, or automated decision-making.

12. Inspections

12.1. Council owned CCTV systems can be inspected at any time by: 
 
•    The SIRO.
•    The CCTV SPOC. 
•    The relevant Service Lead CCTV Officer. 
•    The relevant Head of Service or their nominated representative. 
•    A member of the relevant regulatory body.

13. Health and Safety

13.1. This policy should be read in conjunction with the Council’s Health and Safety Policy, available at Health and Safety Policy.
 
13.2. CCTV systems, including fixed cameras and body-worn cameras, form part of the organisation’s approach to supporting health and safety across sites and activities. While the presence of CCTV may help to deter unsafe behaviours or assist in identifying hazards, it should not be relied upon to prevent incidents from occurring. Instead, CCTV footage can provide valuable evidence to assist with post-incident investigations, enabling a clearer understanding of events and contributing to the development of improved safety measures. Access to CCTV for investigation purposes will be managed in accordance with this policy and related data protection requirements. Risk assessments should be used to consider whether the use of CCTV or body-worn cameras is appropriate or necessary for monitoring specific activities or within certain environments. Advice must be sought from the Health and Safety Team to ensure that the inclusion and operation of CCTV systems within risk assessments are proportionate, justified, and compliant with relevant legislation and organisational procedures.

14. Compliance measurement

14.1.  Adherence to this policy is mandatory and will be subject to monitoring by the CCTV Officers Working Group and the Cyber and Information Governance Group (CIGG). Any violations of this policy by staff may result in disciplinary measures.

15. Custodian

15.1. It is the responsibility of Digital Services to ensure that this policy is regularly reviewed and updated.

16. Complaints

16.1. Any complaints regarding CCTV systems operated by the Council will be dealt with in accordance with the Council's Complaints Policy.

17. Version History