CCTV privacy notice

Information you need to know

The Campus Support (Security) department is part of Liverpool John Moores University. See further information on the institution.

Liverpool John Moores University is the Data Controller.

Our Data Protection Officer can be contacted at DPO@ljmu.ac.uk

This privacy notice explains how we use personal information captured through our CCTV system and your rights regarding that information.

For information about how the wider University uses personal data please see the Privacy Notice section of our website.

Information we are collecting

We collect CCTV images and recordings via a number of different camera types across the university estate.

The source of the personal data

The university’s estate comprises several buildings, car parks and public areas across Mount Pleasant, City and IM Marsh Campuses.

We operate a Closed-Circuit Television (CCTV) system across this estate. This includes:

  • The Primary CCTV System: located in the Security Control Centre, this system covers all campuses and includes internal and external cameras positioned at strategic locations. Some cameras have pan, tilt and zoom capability; others are fixed. The system is monitored and managed by authorised Security staff
  • Secondary Monitoring Stations: additional monitoring stations operate in the Sports Centre and at IM Marsh, allowing authorised staff at those locations to view feeds from cameras in their area

If you visit any part of the university estate, or the public areas immediately surrounding it, your image and movements may be captured. You may be captured on more than one camera during your visit.

Why we are collecting your data and the legal basis for this

We process personal data in accordance with the principles of the GDPR and only where there is a valid lawful basis to do so.

We are processing your data under Article 6: Legitimate Interests, where the processing is considered beneficial to the university and proportionate in relation to the impact on individuals’ rights.

Our legitimate interests are as follows, to:

  • help reduce the fear of crime
  • help prevent and/or detect crime and disorder, and provide evidential material
  • assist with the apprehension and prosecution of alleged offenders
  • assist in the overall management of safety and security at the University
  • investigate allegations of non-compliance with the University’s rules and regulations, particularly those applicable to staff and students
  • enhance community safety and support the economic well-being of the University area
  • assist with traffic management
  • assist the Local Authority in its enforcement and regulatory functions within the University area
  • assist in supporting civil proceedings which may help prevent and detect crime
  • assist in the training of Security Managers, the police and others involved in the use of the system.

Who has access to this data

Your personal data will be used only by relevant LJMU staff who require it for their role.

This may include:

  • LJMU Security
  • Student Governance
  • Safety Health and Environment Team
  • HR
  • Gym supervisors and managers (Live Feed)

We share your information with a range of external organisations and bodies, some of which are processing personal data on our behalf. We only share your personal data with another person or organisation where the law allows us to do so, and we consider it to be appropriate under the circumstances.

The external parties we may share information with include the following:

  • Government agencies and authorities, including the police and DWP for the prevention and detection of crime, apprehension and prosecution of offenders, the collection of tax or duty, and safeguarding national security, among other things.
  • Executive agencies or non-departmental public bodies such as UK Visas and Immigration, HM Revenue and Customs, and the Health and Safety Executive.
  • Insurance companies and solicitors where they make a lawful request for CCTV footage to investigate insurance claims involving their insured parties, or other legal claims (such as personal injury claims) relating to their clients.
  • Contractors who manage construction or other projects on, in, or near university premises who make a lawful request for CCTV footage to investigate health and safety incidents or other similar incidents.
  • Internal and external auditors to provide assurance that the University is following its risk management, governance and internal control processes and to independently inspect our financial statements and records.
  • Companies or organisations acting on our behalf – we use third-party data processors who provide elements of services for us. We have contracts in place with all our data processors, which means they cannot do anything with your personal information unless we instruct them to do so, and must keep it secure and retain it only for the period we specify.

How the university protects your data

The university implements a range of technical and organisational measures to protect CCTV data and ensure that it is handled securely and lawfully. These measures include:

  • CCTV systems operated within a secure University network environment
  • access to live and recorded footage restricted to authorised and trained Security Control Room staff and other authorised University personnel where required for operational or investigative purposes
  • user access controls and password-protected systems to prevent unauthorised access
  • CCTV recordings stored on secure University systems located within restricted access areas
  • physical security controls within the Security Control Centre and other authorised monitoring locations
  • strict procedures governing the viewing, export and sharing of footage, including evidential handling procedures
  • retention periods applied automatically to ensure footage is deleted in line with university policy unless required for investigation or evidential purposes.

Where third-party organisations process personal data on behalf of the University, contractual agreements are in place requiring them to protect personal data in accordance with UK GDPR and University information security standards.

How long the university keeps your data

Footage recorded via our CCTV System, including via body-worn video devices, will be retained for up to 30 days, after which it will be automatically overwritten or deleted.

Footage which has been viewed and downloaded because it may be required for evidential purposes (for example, because it shows a potential incident) will be retained for a maximum of six months, then it will be deleted.

Footage which has been downloaded because we have been informed it relates to a security incident and it has either been used as evidence for LJMU purposes or provided to a third party such as the police as evidence will be retained for six years.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request - this could be in a portable electronic format
  • request that the university changes incorrect or incomplete data if you think that it is inaccurate or out of date
  • request that the university delete or stop processing your data, for example where the data is no longer necessary or legally required for the purposes of processing.

If you would like to exercise any of these rights, please contact the Data Protection Officer at DPO@ljmu.ac.uk.

If you do not provide data

Personal data collected through the CCTV system is obtained automatically when individuals enter areas covered by CCTV cameras on the University estate. Individuals are not required to actively provide this information.

If you enter areas where CCTV operates, your image may be captured. CCTV is used to support the safety and security of staff, students and visitors, and to protect University property. Clear signage is displayed to inform individuals where CCTV cameras are in operation, enabling people to be aware of and understand this processing.

Transfers of data outside the UK

We normally keep your personal data within the UK. In some cases, however, we may need to transfer it to another country - for example, to deliver a contract with you or to work with a partner organisation such as a university based overseas.

Whenever this happens, we make sure your information stays protected. This could be through a UK 'adequacy regulation' (which confirms that the other country’s data protection laws are up to UK standards) or by putting strong safeguards in place.

These safeguards might include model contractual clauses, formal data sharing or processing agreements, or binding corporate rules. In short, even if your data travels abroad, it will continue to be treated with the same care and respect as it would under UK law.

Automated decision-making

We do not use computers to make decisions about you based solely on your personal data. Any decisions that affect you will always be made by a human, ensuring that you are treated fairly.

How to complain to the university

You have a right to complain to the university if you think it has not properly responded to your request for personal information or feel it has not handled your personal data responsibly.

If you are not satisfied with how your request for information or how your personal data has been handled, you should set out your complaint in writing to:

Maria Burquest
University Secretary and General Counsel
Legal and Governance Services
2nd Floor Exchange Station
Tithebarn Street
Liverpool
L2 2QP

or by email via DPO@ljmu.ac.uk.

How to complain to the Information Commissioner’s Office

You have the right to complain to The Information Commissioner if you believe that our processing of your personal data does not meet our data protection obligations. The Information Commissioner can be contacted using the following details:

  • Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF
  • Telephone: 0303 123 1113
  • Email: contact can be made by accessing the ICO website.