CCTV and Similar Surveillance Equipment 
CCTV Code of Practice
The University uses CCTV across its campuses to ensure site security and the safety of staff, students and visitors. Since these systems invariably require the processing of personal data, their use must comply with the Data Protection Legislation. In accordance with guidance from the UK Information Commissioner, the University has adopted the following Code of Practice for the use of CCTV:
Download the CCTV Code of Practice in PDF format.
A link to the CCTV section of the University's Data Protection Code of Practice is available here: http://napierstaff.napier.ac.uk/services/governance-compliance/governance/DataProtection/CodeofPractice/Pages/CCTV.aspx
Requests for CCTV images
Request by data subjects for CCTV images
Data Protection legislation gives individuals the right of access to their personal data, which includes CCTV images. Information on how to request these images is provided in these Guidance Notes, together with a 
request form which can be used to make a request.
Request by third parties for CCTV images
Requests for images of third parties made by the Police or authorities with prosecuting powers will be dealt with under Data Protection legislation. Any other third party requests will be treated as requests under the Freedom of Information (Scotland) Act 2002. Please refer to section 12.3 of the University’s CCTV Code of Practice for further information and guidance.
All types of requests for CCTV images should be submitted to:
Facilities Services Manager
Room 6.B.22
Sighthill Campus
Edinburgh
EH11 4BN
Individuals Requesting CCTV Footage
As CCTV is very intrusive it is classed as high risk by the UK Information Commissioner’s Office (ICO) (further information here: https://ico.org.uk/your-data-matters/cctv/). The reason for this is that operators, as Data Controllers, have no control over what data they are collecting using the cameras e.g. the personal data of numerous individuals, and therefore this is very tightly controlled and restricted, and the University adheres to the Code of Practice mentioned above. Data Protection legislation allows Data Controllers to give individuals access to their own personal data, that is images of themselves only, but it does not allow Controllers to give access to anyone else’s data, unless that processing is covered by either a legal basis or an exemption in the legislation. Whilst there are exemptions for crime and fraud, there are also conditions attached which state that such disclosures are only to be made to “competent authorities” e.g. the Police, and therefore the University would be breaking the law if it allowed individuals to view CCTV footage which contains the images and personal data of the many other individuals whose image/s may be captured in the footage being requested.
Where personal data is requested under data protection legislation and a formal subject access request made, the University is required to obscure/anonymise/pixelate all the other images, including registration plates and identifying features if they constitute the personal data of other individuals - this would be an extremely time consuming and costly exercise for which the University would charge.
The University is only be able to release time limited full footage to a “competent authority” e.g. the Police, and only after they have submitted an official request form. If you have been the victim of a crime, including a motor vehicle accident/damage, please contact the Police and report it - they will submit their official request to the University for consideration. Further guidance is available here: http://napierstaff.napier.ac.uk/services/governance-compliance/governance/DataProtection/CodeofPractice/Pages/DataSharing02.aspx
Page last updated 2 December 2021