11. Data Viewing & Release

VeriFi Data Viewing & Release is achieved by two alternative methods:
  • VeriFi EIDOS Secure File Sharing (SFS), in which case the compliance manual is supplied with a 1Tb password-protected, encrypted hard drive and 4 x USB Memory Cards. The use of SFS is described in the SFS Training Video.
  • VeriFi Hard Copy, which is supplied with a 1Tb password-protected, encrypted hard drive, 4 x USB Memory Cards and 10 x Data Viewing & Release Management Record sheets. Instruction sheets describing how these must be completed are included.
  • Legacy VeriFi Hard Copy: this includes a supply of DVDs for downloading evidence and management records, which will become redundant when replaced as above on the next annual site visit.

Viewing and release of data requires the following steps to be recorded, either by means of the VeriFi paper-based documentation or the VeriFi EIDOS SFS platform.

  1. Site address
  2. Data details (type), normally CCTV, Access Control
  3. Description of Incident/Activity
  4. Purpose of Viewing – e.g. Police investigation
  5. Data Viewed by – the name and address of the requesting organisation and the name of the person representing it
  6. Request Logged by – normally Security
  7. Viewing Authorised by – normally Facilities or Building Manager
  8. Description of the data viewed
  9. Follow up Activity – this normally relates to the release of data in which case the following steps will be required:

     i. Type of Media Released
     ii. Data Released to – the name and address of the requesting organisation and the name of the person signing for receipt.
     iii. Archive Copy – description of how and where the archive copy is stored.
     iv. Routine Archive Copy Review – you should not retain the data for longer than is necessary to achieve the purpose it was required for.
     v. Erasure/Destruction of Archive – detail who approved the erasure/destruction, who carried this out and date.

It is important to ensure that NO data is released without the prior authorisation of the data manager, who is usually one of the following:
  • Facilities Manager
  • Assistant Facilities Manager
  • Centre Manager
  • Building Manager
  • Operations Manager

As a general rule, you should only allow viewing or release of data without a formal data sharing agreement in the case of applications by:

  1. Police
  2. HSE
  3. HMRC
  4. Weights & Measures (Trading Standards)
  5. Employees of the data controller or data processor involved in security and safety of the premises
  6. Individuals making a Data Subject Access Request (refer to 8.1)
  7. Insurance Companies acting on behalf of an insured where release is via VeriFi Secure File Sharing; otherwise it would be good practice to enter into a formal Data Sharing Agreement

A Data Sharing Agreement (DSA) will be required if release is requested by an individual or organisation other than those listed above. For further information refer to section 14.

Any Data Viewing must be recorded in the VeriFi Data Viewing Log or via VeriFi EIDOS Secure File Sharing (SFS).

If release of data is required, you must create a master (archive) copy on the encrypted hard drive and either download a copy to a VeriFi supplied USB memory card or upload to SFS.

Prior to release of data you must obtain signed authorisation from the data manager and record this in the Data Release Log or SFS.

Once download to a USB memory card has been completed, close the USB back into the card and place the ‘Tamper Evident Security Seal’ across the hinge, recording the unique reference numbers of both the USB device and the Security Seal in the Data Release Log or SFS.

If the recipient cannot physically collect a USB Card, you must scan a copy of the Data Release Log and email this to the applicant, explaining the method by which the USB card will be despatched (‘track and trace’) and asking that section 9 of the scanned copy is signed and returned.

Data Retention

The extent of retained data should be no more than the minimum required to achieve the legitimate purpose you set out to achieve.

The period that CCTV data (including Body Worn Cameras and *ANPR) is retained for (archive period) is normally 30 days unless a longer period can be justified.

An archive period of 90 days is reasonable in the case of personal data processed by Access Control, Visitor Logs, Asset Release Logs, etc.

At the expiry of the archive period, data that is held on portable media must be physically destroyed. In the case of electronically held data, it must be irrevocably deleted (as far as is practicable).

Archive retention of data relating to incidents that are or may be the subject of investigation shall be until notification by the investigating body that the case is closed or, in the absence of such notification, for a period not exceeding 7 years.

Retained data must be subject to routine review to ensure that it is not held longer than is necessary.

*Public car park access and egress transaction data should not be retained unless relating to a delinquent issue and a recording is required for evidential purposes.