CCTV and Physical Monitoring Privacy Policy

The CCTV and Physical Monitoring Privacy Policy establishes privacy controls for monitoring activities that collect or otherwise process PII. Its scope includes CCTV, video monitoring, visitor monitoring, physical access-control logs, guard-operated monitoring records, premises monitoring systems, and related physical monitoring. The policy applies where the organization acts as a PII controller for its own premises and where it supports processor or subprocessor activities by operating, hosting, reviewing, storing, disclosing, deleting, or otherwise processing monitoring footage, visitor data, or physical access logs on behalf of a customer. The policy is designed to ensure that monitoring is purposeful, transparent, proportionate, access-controlled, retained for defined periods, disclosed only through approved channels, and supported by auditable PIMS evidence. Before monitoring begins, the Process Owner or Business Owner must record each monitoring activity in REG02, including purpose, lawful basis, monitored location, PII categories, PII principal categories, retention, notice, access, and disclosure fields. The Privacy Lead / PIMS Manager validates these entries before activation of a new or materially changed monitoring activity. Approved monitored zones, excluded zones, and collection boundaries must also be recorded before cameras, sensors, visitor logs, or access-control logging are enabled. The policy places strong emphasis on transparency and risk-based review. Monitoring signage or equivalent just-in-time notice evidence must be recorded in REG07 before monitored areas are opened to PII principals, and each notice must be linked to the corresponding REG02 processing purpose. Alternative transparency measures must be recorded for non-obvious or emergency monitoring. Higher-risk monitoring, including systematic monitoring, audio recording, biometric identification, analytics-enabled detection, sensitive locations, vulnerable individuals, or non-obvious monitoring, requires a REG04 privacy risk decision before activation. Where monitoring is high-risk, non-obvious, large-scale, employee-facing, or subject to unresolved rights or incident escalation, the Data Protection Officer / Privacy Advisor provides advice in REG04 or REG12. Operational controls address access, viewing, export, disclosure, retention, deletion, and incident escalation. The Information Security Lead defines authorized access roles for monitoring recordings, visitor records, and physical access logs, while the System Owner / Application Owner configures access restrictions and records privileged access review results at least quarterly in REG12. Routine deletion, overwriting, or disablement of expired monitoring recordings must be configured according to REG02, with deletion or overwriting completion evidence recorded at least monthly for repositories subject to automated or scheduled deletion. Retention holds and extracted copies require approval and recording in REG12 before normal retention is extended. External disclosures are recorded in REG08 before disclosure, or in REG10 within one business day when disclosure is part of an active incident response. The policy also defines governance for outsourced monitoring and physical security services. Outsourced monitoring system providers, guarding providers, visitor management providers, and physical access-control providers must be recorded in REG08 before service start, including scope, processor or subprocessor status, access permissions, retention support, deletion support, incident escalation, and disclosure restrictions. Oversight is maintained through quarterly metrics, annual reviews, audit testing, exception handling, nonconformity recording, corrective action ownership, and escalation to Top Management where required. This creates an evidence-based framework for managing CCTV and physical monitoring privacy obligations across controller and processor contexts.