1.     Introduction

Dorset Waterpark (“the Company”) uses closed circuit television (CCTV) systems to provide a safe and secure environment for employees and visitors to the Company’s premises, including customers, contractors, suppliers and other authorised persons, and to protect the Company’s property and assets.

This policy sets out the use and management of CCTV equipment and images in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and relevant guidance issued by the Information Commissioner’s Office (ICO).

The Company’s CCTV system records visual images only. Audio recording is not undertaken.

2.     Purposes of CCTV

The Company installs and operates CCTV systems for the following purposes:

  • To assist in the prevention and detection of crime, vandalism, fraud and other unlawful activity.
  • To assist in the identification and prosecution of offenders
  • To monitor the security of the Company’s premises, property and assets, particularly outside operating hours.
  • To record and investigate accidents, incidents, injuries and emergency situations occurring on the premises.
  • To assist with the investigation of water safety incidents and other safety-related events arising from the operation of the waterpark.
  • To support the Company’s health and safety obligations and assist in the investigation of specific incidents where CCTV footage may provide relevant evidence.
  • To investigate alleged breaches of Company procedures, misconduct or unsafe working practices where CCTV footage may provide relevant evidence.
  • To assist in defending or pursuing legal claims and insurance matters where appropriate.

3.     Lawful Basis for Processing

The Company processes CCTV images under Article 6(1)(f) UK GDPR, namely its legitimate interests.

The legitimate interests pursued include:

  • Protecting the safety and wellbeing of visitors, employees and contractors.
  • Preventing and detecting crime and anti-social behaviour.
  • Protecting Company property and assets.
  • Investigating accidents, incidents and safety concerns.
  • Supporting legal proceedings, insurance claims and regulatory requirements where necessary.

The Company has assessed that the use of CCTV is necessary and proportionate to achieve these objectives and that such use does not override the rights and freedoms of individuals.

4.     Location of Cameras

Cameras are located at strategic points throughout the Company’s premises, principally covering the briefing area and both lakes.

The Company has positioned cameras so that they only monitor areas necessary to achieve the purposes outlined in this policy. Cameras are sited to provide clear images while minimising intrusion into privacy.

No cameras are installed in toilets, shower facilities, changing rooms or any area where individuals would have a reasonable expectation of privacy.

All cameras are clearly visible.

Appropriate CCTV signage is prominently displayed so that employees, customers and other visitors are aware that they are entering an area monitored by CCTV.

5. Lawful Basis for Processing Date Protection Impact Assessments (DPIA)

The Company will undertake and periodically review a Data Protection Impact Assessment (DPIA) to ensure that the use of CCTV remains necessary, proportionate and justified.

Any significant changes to the CCTV system, including the installation of additional cameras or changes in monitoring practices, will be subject to review before implementation.

6.     Recording and Retention of Images

Images produced by the CCTV system are intended to be of sufficient quality to support the purposes set out in this policy.

Maintenance checks are undertaken regularly to ensure that equipment remains operational and produces clear images.

Images may be recorded continuously or during specified periods, depending on operational requirements.

CCTV recordings are retained for a maximum period of 31 days unless they are required for:

  • The investigation of an accident or incident.
  • An insurance claim.
  • Disciplinary or grievance proceedings.
  • A legal claim.
  • A criminal investigation or law enforcement request.

Where footage is retained for one of the above purposes, it will be retained only for as long as reasonably necessary and then securely deleted.

Once storage media reaches the end of its operational life, it will be securely erased or destroyed before disposal.

Any recordings stored on removable media will be securely erased or destroyed once no longer required.

7.     Security of CCTV Images

CCTV recordings are stored securely and protected against unauthorised access, alteration, disclosure or deletion.

Access to recorded footage is password protected and restricted to authorised personnel who require access for legitimate business purposes.

Appropriate technical and organisational measures are in place to safeguard CCTV data and ensure compliance with applicable data protection legislation.

8.     Access to and Disclosure of Images

Access to and disclosure of CCTV images is strictly controlled to ensure that individuals’ rights are protected.

Recorded images are held securely and access is restricted to authorised operators and managers who require access in accordance with the purposes set out in this policy.

Viewing of recorded images will take place in a secure area where access is restricted.

Where recordings are removed for viewing or evidential purposes, an appropriate record will be maintained.

Disclosure of images may be made to:

  • Police and other law enforcement agencies.
  • Prosecuting authorities.
  • Legal representatives.
  • Insurance providers and claims handlers where relevant.
  • Managers involved in investigations, disciplinary or grievance procedures.
  • Individuals whose images have been recorded, subject to applicable legal restrictions.

The Company’s Directors (or another senior manager authorised in their absence) are responsible for authorising disclosures to external third parties.

All requests for disclosure will be documented, including:

  • The date of the request.
  • The identity of the requester.
  • The reason for the request.
  • Whether disclosure was approved or refused.
  • The date of disclosure where applicable.

9.     Individuals’ Access Rights

Under the UK GDPR and the Data Protection Act 2018, individuals have the right to request access to personal data held about them, including CCTV images where they can be identified.

Requests should be submitted in writing to the Company’s Data Protection Lead, Sam Thompson.

Requests should include:

  • The date and approximate time of the recording.
  • The location of the camera involved.
  • Any information that may assist in locating the footage.

The Company will verify the identity of the requester before processing any request.

The Company will respond without undue delay and, in any event, within one month of receipt of the request.

Where disclosure would reveal information relating to another individual, the Company may obscure or redact third-party images where appropriate.

The Company may refuse access where an exemption applies, including where disclosure would prejudice the prevention or detection of crime or the apprehension or prosecution of offenders.

10.  Covert Recording

The Company will not undertake covert recording except in exceptional circumstances where there are reasonable grounds to suspect criminal activity or serious misconduct and where such monitoring is lawful, necessary and proportionate.

Any such activity would require prior authorisation from a Director and appropriate legal advice.

11.  Staff Training

The Company will ensure that all employees who have access to CCTV images or recordings receive appropriate training regarding:

  • The operation of the CCTV system.
  • Data protection obligations.
  • Information security requirements.
  • Individuals’ rights under UK GDPR and the Data Protection Act 2018.

12.  Implementation and Review

The Company’s Data Protection Lead, Sam Thompson, is responsible for implementing and monitoring compliance with this policy and overseeing the operation of the CCTV system.

The Company will review this policy and the operation of its CCTV system periodically to ensure continued compliance with legal and operational requirements.

As part of its periodic review of the CCTV system and associated Data Protection Impact Assessment (DPIA), the Company will consider the impact of CCTV monitoring on all individuals, including children and vulnerable persons who may visit the premises. The Company will ensure that the use of CCTV remains necessary, proportionate and balanced against the privacy rights of those individuals.

Any complaints, concerns or enquiries regarding the operation of the CCTV system should be directed to the Data Protection Lead.