CCTV Policy
Introduction
The Hong Kong University of Science and Technology (“HKUST”) has installed a CCTV surveillance system (the “CCTV system”) with cameras deployed at different locations within the Clear Water Bay campus and the Jockey Club Hall in Tseung Kwan O (collectively, the “Campus”). Over the years, the CCTV system has been enhanced incrementally; it is timely to review its governance to ensure that personal data privacy is protected.
This policy sets out the purposes, use and management of the CCTV system at the University, and the procedures to be followed, with reference to its obligations and requirements under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) and related guidance issued by the Privacy Commissioner for Personal Data. All staff and personnel responsible for managing the CCTV system or the footages recorded should familiarize themselves, and fully comply, with this policy and the relevant requirements and procedures hereunder.
Purposes
1. The purposes underlying the University’s installation of CCTV system are as follows (the “Prescribed Purposes”):
- Prevention / detection of crime and unlawful activities;
- To enhance Campus security, management and operation;
- To safeguard the health and safety of members of the University, including students and staff, and visitors to the Campus;
- To assist in investigation of suspected violation, and facilitate enforcement, of the University’s rules and regulations, and
- To support emergency responses, where necessary.
2. The University has endeavoured to ensure that the CCTV system as installed will give maximum effectiveness and efficiency to the Prescribed Purposes, but it is not possible to guarantee that the CCTV system will cover or detect every single incident taking place in the areas of coverage.
3. The University is home to around 16,000 students and 3,900 employees (as of December 2020) with a floor area of about 600,000 m2 covering over 60 buildings. With such a large population and an extensive area, ensuring security and safety of University members and visitors is our top priority. While the University acknowledges that CCTV cameras can only be deployed for the legitimate purposes of security and safety monitoring, careful considerations have been made to balance the need for monitoring (risk assessment) versus privacy to ensure all installations are necessary but not excessive.
Overview / Scope of Policy
4. All CCTVs installed in the communal areas within the Campus will be centrally managed by the Security Team of the Campus Management Office (“CMO”) of the University (“CMO Security”).
5. Subject to paragraph 6 below, this policy covers all CCTV cameras and any web cameras / recording devices within the Campus that are capable of viewing and recording footages (collectively “CCTVs”). CCTVs with limited resolution which sole purpose is for real-time traffic condition monitoring, people counting, or temperature checking, as well as CCTVs used by faculty and researchers for the sole purpose of tracking progress of research and experiments are not covered by this policy.
6. This policy does not cover:
- spaces leased to commercial outlets (e.g. banks, restaurants, and shops). The installation and operation of the CCTV system managed by commercial operators is governed by the PDPO and the University will ensure that all commercial operators are aware of the University’s expectations in this area.
- private spaces within the Campus (e.g. individual offices of staff, or the inside of staff quarters or student’s hostel rooms etc.). Where users of a private space within the Campus see a need to install CCTV, they may only do so upon strict compliance of the requirements under the PDPO including the carrying out of a privacy impact assessment (PIA). The scope of surveillance of the CCTVs so installed can only cover areas within the boundary of his / her private space, and users must put up notice alerting visitors that CCTV is in operation. Where any CCTV is to be installed in an individual office, prior approval must also be obtained from the Head of the respective unit.
Operation of CCTV system
7. The CCTV system shall only be operated by staff duly designated by the CMO Head of Campus Security. The University will prescribe the scope and limits of authority on designated staff responsible for operating the CCTV system in accordance with their respective positions and titles. Designated staff should operate the CCTV system strictly in compliance with the prescribed scope and limits.
CCTV deployment & operation
8. The CCTV system within the Campus operates 24 hours a day throughout the year.
9. CCTVs will only be deployed and installed for the Prescribed Purposes and at appropriate locations including:
- Common access points, e.g. gates, entrance / lift lobbies, car parks;
- Communal space with high volume, e.g. atrium, concourse, library, computer barns, bookable rooms;
- Where there is a need for safeguarding health & safety, e.g. lift cars, fitness centres, balcony;
- High risk locations, e.g. labs, dangerous goods stores; and
- Open / remote areas, e.g. seafront, roads, perimeter.
CCTVs will NOT be installed in areas in which individuals would have an expectation of privacy, e.g. washrooms, changing facilities etc.
10. The decision to install CCTV at a particular location is a result of the balance between management of risk and the potential impact on personal data privacy.
11. Prior approval from the Head of Campus Security must be obtained before any CCTV is to be installed. Any request for installation should be made to the Head of Campus Security, specifying the reasons and justification for the requested installation. Any CCTVs installed without proper authorization will be removed without notice.
12. No CCTV should be configured to record audio unless a PIA has been completed, and approval given by the University Data Privacy Officer (currently, the Vice-President for Administration and Business of the University).
13. Conspicuous notices shall be put up close to, or within a reasonable vicinity of, the CCTVs or at the entrance to the monitored areas, for notifying members of the University and visitors that CCTV is in operation.
14. No covert cameras will be allowed, save for highly exceptional circumstances related to the investigation of crime or serious misconduct.
Retention and deletion of CCTV footages
15. All CCTV footages and data from the CCTV system shall be transmitted and stored centrally and remotely on secure servers managed by the Information Technology Services Center (ITSC) of the University, with appropriate access and security arrangements in place including, amongst others, password setting and encryption.
16. Save in special circumstances related to the investigation of an incident, all CCTV footages and data will only be retained for 30 days from the date of recording, and will be automatically, permanently and securely deleted after this point.
Access to CCTV footages
17. Access to and viewing of live and recorded CCTV footages is restricted to the Head of Campus Security and personnel duly authorised thereby, and must only be for authorized purposes. Viewing of footages shall be done in a designated and secure office.
18. No access to live CCTV footages will normally be given to members of the University unless with the special approval of the Head of Campus Security and provided that proper security controls are in place to protect the data. Examples include for staff to respond to emergency incidents and cases where live monitoring requires specialised skills.
19. No access to recorded CCTV footages will normally be given to members of the University, save for exceptional circumstances, such as an investigation into a health, safety or security-related incident. CMO Security staff will review each application and handle the request according to the requirements of the PDPO.
Technology
20. All CCTVs to be deployed and installed within the Campus must be in compliance with the specifications and standard to be specified by CMO Security from time to time without infringement of personal data privacy.
21. Whilst the CCTV system allows for production of high definition images and embodies analytics function, such features will ONLY be used in the event of an investigation into an incident.
Training
22. All staff and personnel responsible for managing the CCTV system, or with right of access to the CCTV footages, shall undergo appropriate training to ensure that they understand and can fully observe the privacy obligations and procedures under this policy.
Review of CCTV System
23. Regular review shall be conducted to ensure that the CCTV deployment remains necessary and appropriate with reference to the Prescribed Purposes under this policy.
Review of this policy
24. The University’s usage of CCTVs and the contents of this policy shall be reviewed periodically and from time to time with reference to the relevant legislation or guidance in effect at the time and the prevailing circumstances.
Enquiry
25. All the relevant forms / applications can be found HERE .
26. Any enquiry or complaint concerning the University’s use of the CCTV system should be made in writing to the Head of Campus Security at eomail@ust.hk. The Head of Campus Security will consult relevant parties including the University Legal Counsel and Data Privacy Officer on a need basis.