This update sets out the accepted use of video surveillance systems to ensure that Tesco uses such systems in a fair and lawful way. This includes Closed Circuit Television (“CCTV”), automatic number plate recognition (“ANPR”), body worn cameras and video cameras mounted in vehicles (cumulatively referred to as “Surveillance Systems”) and the security measures implemented by Tesco for the installation and operation of the Surveillance Systems in accordance with the General Data Protection Regulation (“GDPR”)and Irish Data Protection Law (including the Data Protection Act 2018, the Data Protection Act 1988 and any other data protection legislation) (the “DP Acts”).
Any audio or video footage, including still images of individuals and vehicle registration numbers is personal data (i.e. information that is related to an identifiable individual), and is covered by applicable DP Acts. Collection, use, storage and disposal of Personal Data is strictly controlled by law, and all employees or contracted staff of Tesco must comply with these laws.
Surveillance Systems will capture an individual’s personal data under the DP Acts. All Surveillance Systems including the material recorded on them and copyright are owned and managed by Tesco Ireland Limited.
Tesco has a responsibility for the protection of its property, equipment and other plant as well as providing a sense of security to its colleagues, customers and visitors to the Properties. Tesco owes a duty of care under the provisions of the Safety, Health and Welfare at Work Act 2005 (as amended from time to time) and associated legislation to colleagues, customers and visitors who enter and exit the Properties. Tesco utilises the Surveillance Systems and its associated recording equipment as an added mode of security by integrating best practices governing security surveillance of the Properties. Tesco confirms that all aspects of the Surveillance Systems (including the installation of all cameras and the designation of access to recorded material) have been subject to a Data Protection Impact Assessment before installation and will, in all cases, be accompanied by clear signage stating that the CCTV is in operation.
Tesco confirms that CCTV monitoring at the Properties will be conducted in a manner consistent with this policy in addition to all existing policies adopted by Tesco, including Dignity at Work Policy, Codes of Business Conduct for dealing with complaints of bullying & harassment and sexual harassment and other relevant policies, including the provisions set down in the GDPR, the DP Acts, and other relevant legislation.
Tesco is committed to the highest standards in relation to the security and protection of its colleagues, customers and visitors who enter and exit its Properties. The installation and operation of Surveillance Systems will be reviewed regularly by Tesco in consultation with colleagues.
The purpose of this update is to advise on the use of Surveillance Systems and its associated technology in monitoring of both the internal and external environs of the Properties under the remit of Tesco. Tesco can only use Surveillance Systems for specific lawful purposes. A key element of this requirement is implementing reasonable measures to ensure individuals are aware of what personal data will be collected by these Surveillance Systems and how Tesco will use it.
Surveillance Systems are installed both externally and internally. The following is a list of purposes for which Surveillance Systems can be used:
- To safeguard the health and safety of our customers, colleagues and other visitors when they are on Tesco premises;
- To protect Tesco and its property both during and after operational hours;
- To reduce the incidence of crime and anti-social behaviour (including theft and vandalism);
- To support the prevention or detection of crime (including supporting An Garda Síochána in a bid to deter and detect crime by assisting in identifying, apprehending and prosecuting offenders);
- To assist in the investigation and/or defence of claims against Tesco by customers and/or contractors;
- To assist with investigations into grievance or misconduct claims against Tesco colleagues and/or contractors.
Any proposed use of Surveillance Systems must be approved by the Privacy Team in advance. It is recognised that pixilated CCTV footage can be used for training purposes. In cases of doubt, advice should be sought from the Privacy team.
Article 5 of the GDPR requires that data are, "adequate, relevant and not excessive" for the purpose for which they are collected. This means that Tesco needs to be able to justify the obtaining and use of personal data by means of the Surveillance System.
The use of the Surveillance Systems in areas external to the Properties is for security purposes (i.e. including the deterrence and/or detection of crime) and, for this reason, has been deemed to be justified by Tesco management. The Surveillance Systems are intended to capture footage of intruders or of individuals damaging or attempting to damage the Properties or removing or attempting to remove Tesco assets from the Properties without Tesco’s authorisation.
The recording of conversations is particularly intrusive and Surveillance Systems should not be used for this purpose other than in the circumstances outlined below and where signage is in place explicitly stating that audio recording is or may be carried out.
- Where a colleague or customer is being searched (e.g. in staff search rooms) and a reliable record of the conversation between the staff and the individual is necessary;
Where recording is activated by:
- A member of staff triggers a panic button (e.g. behind a store cash register); or
- A Security Guard activates a body-worn camera.
Only authorised systems should be used, permission must be obtained from In Country Loss Prevention and Security department before selecting and installing a Surveillance System.
Cameras shall not be hidden from view and they should be positioned so that they only cover Tesco premises. Tesco has endeavoured to select locations for the installation of Surveillance Systems which Tesco consider to be the least intrusive to protect the privacy of Data Subjects. As per the GDPR, Data Protection Impact Assessments will always be carried out before installing any new cameras to ensure the surveillance is proportionate to the privacy of Data Subjects. Tesco is committed to respecting the right to privacy of Data Subjects in accordance with the GDPR. For this reason, Tesco undertakes to position Surveillance Systems in areas external to the Properties in such a way as to prevent or minimise the recording of individuals not entering or exiting the Properties (e.g. passers-by) and areas which are not rented by Tesco (e.g. another organisation’s or person's private property).
Areas of the Properties monitored by the Surveillance Systems may include the following:
- entrances and exits, lifts, lobbies, special storage areas, receiving areas for goods/services, storage yard, docking levels, goods entrance, stock room, parking area(s), basement entrances, security entrances and waste management areas,
- petrol filling stations;
- customer service areas;
- aisles where high value goods are held, cash points, cash registers;
- restricted access areas at entrances and other related areas.
Tesco confirms that it may install additional CCTV cameras in these locations or other locations. Where this is carried out, Tesco will do so in accordance with this policy, the GDPR and the DP Acts. Tesco will also ensure that adequate signage is in place in order to notify colleagues, customers and visitors of the Properties in relation to any new areas subject to the CCTV system. Newly installed systems must produce footage of satisfactory quality and meet required standards to facilitate retrieval of footage in an efficient cost effective manner without significant disruption to the ongoing monitoring requirement.
Cameras should not capture irrelevant areas or areas where people have a reasonable expectation of privacy (changing rooms, toilets etc).
We must inform customers, colleagues and visitors that Surveillance System monitoring is being undertaken and for what purpose. To do this, clearly visible and readable signs must be prominently displayed externally at every entrance and exit to each Tesco Property and in designated internal areas of the Properties as well as reinforced inside the area subject to surveillance.
Signage shall include the name and contact details of the relevant Tesco contact person (for the purposes of this policy and the use of CCTV by Tesco generally) as well as the specific purpose(s) for which the CCTV camera is in place in each location.
Areas of the Properties monitored by the Surveillance Systems may include the following:
Access to images is restricted to those who need to have access in accordance with this policy and any governing legislation.
Subject Access Requests - Ireland Only
On written request, individuals have the right to be provided with a copy of their personal data held by Tesco (this includes Surveillance System footage) provided always that such an image/recording exists (i.e. has not been deleted) and provided also that an exemption/prohibition under the DP Acts does not apply to the release.
Where the image/recording identifies another individual, those images may only be released where they can be redacted/anonymised so that the other person is not identified or identifiable. To exercise your right of access, you must make an application in writing to Tesco. Data access requests can be made by Data Subjects to the following address:
Data Protection Officer
Tesco Head Office
A person may be asked to provide all the necessary information to assist Tesco in locating the Surveillance System recorded data, such as the date, time and location of the recording. If the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data and may not be handed over by Tesco.
In giving you a copy of your personal data, Tesco may provide a still/series of still pictures or a disk with relevant images. However, images of other individuals will be redacted/obscured before your personal data is released to you.
At Tesco all Subject Access Request must only be dealt with by the specialised central team within the Legal team.
Any such Subject Access Requests relating to Surveillance System footage must be immediately referred to email@example.com.
Supply of Footage to Third Parties
Tesco confirms that the use of the Surveillance Systems will be conducted in a professional, ethical and legal manner and any diversion of the use of Surveillance System (including CCTV security) technologies for other purposes is prohibited by this policy (e.g. CCTV will not be used for monitoring employee performance).
Requests for the supply of Tesco CCTV footage may also come from:
- An Garda Síochána and other regulatory authorities where Tesco is required by law to make a report regarding the commission of a suspected crime;
- An Garda Síochána and other regulatory authorities when a crime or suspected crime has taken place and/or when it is suspected that illegal/anti-social behaviour is taking place on the Properties;
- Data Subjects (or their legal representatives), pursuant to a Data Access Request where the time, date and location of the recordings is furnished to Tesco (see “Data Access Requests”);
- Data Subjects (or their legal representatives) subject to a court order;
- Tesco’s insurance company where the insurance company requires same in order to pursue or defend a claim;
- Tesco’s legal advisors where the legal advisors requires same in order to pursue or defend a claim; or
- Tesco’s security contractor for administration and/or monitoring purposes (whom, for the purposes of this policy, is a Data Processor).
Law enforcement requests for CCTV footage in order to prevent or detect crime can be authorised and facilitated by the duty or responsible manager subject to the requirements set out in the relevant guidance document and when authorised by Tesco senior management. Any requests for CCTV recordings/images from An Garda Síochána will be fully recorded and legal advice will be sought if any such request is made. (See “SECURITY” below). If a law enforcement authority, such as An Garda Síochána, is seeking to access a recording for a specific investigation, any such request made by An Garda Síochána should be made in writing and Tesco will immediately seek legal advice.
Article 5 of the GDPR states that data, "shall not be kept for longer than is necessary for" the purposes for which it has been obtained for. Accordingly, Tesco will ensure that recordings/images (including BWC footage) captured by the Surveillance System will be retained by Tesco for a maximum of 31 days from the date of recording unless required for legal process or the investigation of crime or breaches of the Code of Business Conduct. Recordings shall be deleted as soon as the footage is no longer required.
All images on electronic storage will be erased/overwritten by the automated system after a maximum of 31 days. All downloads, still photographs and hard copy prints must be securely disposed of as confidential waste.
Covert monitoring is where video or audio surveillance takes place without the knowledge of those being monitored and its deployment is strictly controlled. Tesco will not engage in covert monitoring except where deemed necessary and as permitted by law.
Where An Garda Síochána requests to carry out covert monitoring on the Properties, such covert monitoring may require the consent of a judge. Accordingly, any such request made by An Garda Síochána will be requested in writing and Tesco will seek legal advice.
Where covert monitoring is deemed necessary it can only be undertaken with the prior permission of the ROI Director of Legal, who will decide whether the proposed covert monitoring is necessary, legal and proportionate by taking into account whether:
- There are reasonable grounds to suspect criminal activity or serious breaches of the Code of Business Conduct;
- It would prejudice the investigation to give advance notice that monitoring is taking place;
- Less intrusive methodology has failed or is likely to fail having considered all relevant circumstances; and
- The persons installing and using covert monitoring equipment are trained in its use.
Covert monitoring installations must be subject of regular review and removed once the authorised purpose has been achieved or is no longer justified.
Tesco is committed to the security of Surveillance System footage to ensure that it is captured in accordance with the GDPR and the DP Acts. Tesco confirms that CCTV images/recordings are stored on an [encrypted] secure server with a log of access maintained. Access will be restricted to authorised personnel. Supervising the access and maintenance of the CCTV System is the responsibility of the In Country Loss Prevention & Security Manager. The Tesco security contractor monitors the CCTV System (whom, for the purposes of this policy, is a Data Processor). All processing of data done by the security contractor on behalf of Tesco will be done in accordance with the same standards as Tesco and will be subject to an agreement in compliance with Article 28 of the GDPR.
In certain circumstances, the recordings may also be viewed by other individuals in order to achieve the objectives set out above. When recordings are being viewed, access will be limited to authorised individuals on a need-to-know basis.
In treating the security of the Properties and protecting all footage captured with the highest standards of protection, Tesco has installed intrusion alarms, exit door controls and external alarms at the Properties.
The ROI Director of Legal will ensure this policy will be reviewed and evaluated annually and if necessary updated. On-going review and evaluation will take cognisance of changing information (e.g. a change to the definition of Properties as a result of a re-location), guidelines (e.g. from the Data Protection Commission, An Garda Síochána, Department of Education and Skills, Audit units (internal and external to Tesco) the C&AG, legislation and feedback from colleagues and others save that, in the event of a material change to the business or regulations that affect the subject of this policy, the policy will be tabled for review when such a change occurs.