CCTV SURVEILLANCE POLICY

CONTENTS

1. POLICY STATEMENT.. 3
2. PURPOSE OF THE CCTV SYSTEM… 3
3. SCOPE. 3
4. LEGAL BASIS FOR PROCESSING.. 3
5. OPERATION AND MANAGEMENT OF THE CCTV SYSTEM… 4
6. SITING OF CAMERAS. 4
7. STORAGE ACCESS AND RETENTION.. 5
8. DISCLOSURE OF CCTV FOOTAGE. 5
9. DATA SUBJECT RIGHTS. 6
10. DATA SECURITY.. 6
11. MONITORING REVIEW AND COMPLIANCE. 6

1.          POLICY STATEMENT

• NAS (“We”, “Our” “Company”) is committed to maintaining the highest standards of data protection and physical security. To ensure the security of company premises and confidentiality and integrity of sensitive information, we operate CCTV surveillance in our offices and premises to protect employees, clients, visitors and our property.
• The use of CCTV is governed by the Data Protection Act, 2019, the Data Protection (General) Regulations, 2021 and this Policy.
• This Policy is intended to regulate the management, operation and use of CCTV within company premises. By adhering to this policy, we aim to minimize the risk of unauthorized access, data breaches and information leakage.

2.          PURPOSE OF THE CCTV SYSTEM

• The primary objectives of CCTV surveillance are to:-

• Enhance the safety and security of employees, clients and visitors;
• Deter and detect crime, vandalism and unauthorised access;
• Support investigations into security or safety incidents;
• Protect company assets and property;
• Comply with legal and regulatory obligations

3.          SCOPE

• This Policy applies to all NAS offices, branches and operational areas where CCTV cameras are installed.
• It covers all individuals whose images may be captured, including employees, clients, visitors, contractors and service providers.
• The Policy applies to all CCTV equipment, footage and related systems owned or operated by NAS or by authorised service providers on its behalf.

4.          LEGAL BASIS FOR PROCESSING

• CCTV footage constitutes personal data where individuals can be identified. NAS processes such data under the lawful basis of:
• Legitimate Interests – for safeguarding people, property and information; and
• Legal Obligation – to comply with applicable laws and security regulations.
• CCTV Signage shall be displayed prominently in all monitored areas to inform individuals that CCTV surveillance is in operation and to identify NAS as the data controller.

 

5.          OPERATION AND MANAGEMENT OF THE CCTV SYSTEM

• CCTV systems shall be installed in clearly defined areas approved by management.
• Cameras shall be positioned to achieve the intended security purpose with minimal intrusion into personal privacy.
• The IT Department shall be responsible for the technical maintenance and security of CCTV equipment and footage.
• The Security Department shall be responsible for the operational management and control of CCTV systems. This includes:
  • Monitoring live CCTV feeds to detect and respond to security incidents in real time.
  • Ensuring that access to CCTV control rooms and monitoring stations is restricted to authorized personnel only.
  • Coordinating with the IT Department regarding any technical issues, maintenance or access to recorded footage.
  • Maintaining a log of all CCTV access, including viewing, copying, or sharing of footage, to ensure accountability and compliance with the Data Protection Act.

• The Records Officer and Data Protection Officer (DPO) shall oversee compliance with data protection requirements, including lawful retention, access control and disposal of footage.

 

6.          SITING OF CAMERAS

 

• The placement of CCTV cameras shall be determined based on security risk assessments to ensure surveillance is necessary, proportionate and effective.
• Cameras shall be sited to:
• Cover only areas relevant to safety and security
• Avoid capturing areas where individuals have a reasonable expectation of privacy, such as restrooms, prayer rooms or changing areas
• Focus on entrances, exits, corridors, parking lots, reception areas, cash-handling points and other high-risk zones
• Prevent excessive coverage or overlap between cameras; and
• Ensure visibility of CCTV signage near all camera locations.
• Any new installation or relocation of cameras must be approved by the Data Protection Officer, in consultation with the Head of Security and IT Department, to confirm that privacy and data protection principles have been observed.
• A CCTV Camera Location Register shall be maintained and updated by the IT Department, listing the exact position of each camera, Its purpose and field of view, The date of installation, and the responsible department or officer.

 

7.          STORAGE ACCESS AND RETENTION

 

• All CCTV footage shall be stored securely on encrypted servers or approved cloud systems protected by appropriate security measures as outlined in this policy.
• Access to CCTV systems and footage shall be role-based and limited to authorised personnel only. The IT Department shall maintain user access lists and review them at least quarterly to ensure continued appropriateness.
• Every instance of footage access or retrieval shall be logged, indicating the date, time, user and reason for access. Logs shall be reviewed periodically by the DPO.
• CCTV recordings shall be retained for a standard period of 45 days, after which they shall be automatically overwritten or securely deleted, unless:
• Required for an ongoing investigation, disciplinary process or legal claim;
• Subject to a legal hold or law enforcement request; or
• Extended by written authorisation of the DPO.
• Backup copies, where necessary, shall be encrypted, clearly labelled and securely stored under the same protection standards as live footage, with defined destruction timelines.

 

8.          DISCLOSURE OF CCTV FOOTAGE

 

• In limited circumstances it may be appropriate to disclose images collected on our CCTV system to third parties.
• We may disclose personal information to third parties when it is required by law, in relation to the prevention, detection or investigation of a crime, for internal training purposes or to comply with a written law or court order.
• Such disclosures will be made at the discretion of the Head if IT in collaboration with the Data Protection Officer.
• Where a suspicion of misconduct arises, CCTV images may be disclosed to be used in employee disciplinary cases.

9.          DATA SUBJECT RIGHTS

• Individuals have the right to request access to CCTV footage in which they appear, subject to verification of identity and applicable exemptions.
• Requests shall be made in writing to the Data Protection Officer, who will respond within the statutory timelines.
• The Security Department shall release the requested CCTV footages only after the approval of the Data Protection Officer.
• NAS may restrict access where disclosure would compromise an investigation, another person’s privacy or legal obligations.

10.        DATA SECURITY

• NAS shall implement appropriate technical and organisational security measures to protect CCTV footage against unauthorised access, alteration, disclosure or loss.
• Security measures shall include, at minimum:
• Encryption of all stored and transmitted footage;
• Password protection and multi-factor authentication for system access;
• Physical security controls, such as locked server rooms and restricted access areas;
• Firewalls, antivirus protection and regular vulnerability assessments; and
• Continuous monitoring of CCTV systems for unauthorised access or malfunction
• All security incidents involving CCTV systems shall be immediately reported to the IT Department for investigation and, where applicable, regulatory notification under the Data Protection Act, 2019.
• The DPO and IT Department shall jointly ensure that all security configurations, software updates, and access controls remain current and effective.

11.        MONITORING REVIEW AND COMPLIANCE

• The Data Protection Officer shall periodically audit CCTV operations to ensure compliance with this Policy and data protection laws.
• This Policy shall be reviewed every two years, or earlier if legal or operational changes occur.
• Any misuse of CCTV systems or footage shall be treated as a serious disciplinary offence and may lead to disciplinary, contractual, or legal action.