CCTV and Body-Worn Camera Privacy Notice — Department of Environment, HM Government of Gibraltar

Who we are

The Department of Environment, HM Government of Gibraltar (the "Department") is the data controller responsible for the processing of personal data collected through the Closed-Circuit Television ("CCTV") cameras and body-worn cameras ("BWC") deployed at designated locations across Gibraltar and during officer patrols. The Department has been appointed as the Litter Authority pursuant to section 3 of the Litter Control Act 1990 and the Litter Control (Notice of Appointment) 2014 (LN. 2014/082). 

If you have any questions about how we process your personal data, or if you wish to exercise any of your rights, please contact us at:

Department of Environment HM Government of Gibraltar situated at Suite 2a Leanse Place, 50 Town Range, Gibraltar, GX11 1AA. 

Our Data Protection Officer can be contacted at: DPO@gibraltar.gov.gi 

Why we use CCTV and body-worn cameras

We have deployed CCTV cameras at identified litter hotspots across Gibraltar for the purpose of identifying individuals who commit offences under the Litter Control Act 1990. 

In addition to fixed CCTV cameras, the Department issues body-worn cameras to authorised litter enforcement officers (known as Litter Wardens) for use during patrols. BWC are capable of capturing both visual and audio recordings at close proximity during interactions with members of the public. BWC will be activated by the officer when a littering offence is observed or suspected, or where activation is necessary for the officer's safety. Officers are required to deactivate BWC promptly after the relevant interaction has concluded. Continuous or indiscriminate recording by BWC is prohibited. 

Where reasonably practicable, officers wearing BWC will provide verbal notification to individuals that recording is taking place. BWC will be visibly worn with an indicator showing when recording is active. 

Where an individual is captured on CCTV or BWC committing a littering offence, we may use the footage to take enforcement action, which may include issuing a fixed penalty notice pursuant to section 6(1) of the Litter Control Act 1990 or instigating criminal proceedings pursuant to section 3(2) of the Litter Control Act 1990. 

What personal data we collect

The CCTV cameras and BWC capture visual images (video recordings) of individuals in public spaces within the cameras' field of view or within range of an activated BWC. This includes images of individuals who may be committing littering offences as well as other members of the public who are incidentally captured in the footage.

BWC also capture audio recordings, including verbal exchanges between officers and individuals and ambient sounds. Bystanders' voices may also be incidentally recorded. 

Where an individual is observed on CCTV exiting a vehicle and littering, the CCTV footage will also capture the vehicle's licence plate number. This licence plate data is recorded alongside the evidential clip for the purpose of assisting in the identification of the individual concerned. 

Where an individual is captured on CCTV or BWC committing a littering offence, an authorised officer within the Department will manually and visually compare the CCTV or BWC image against photographs held on the eID Platform administered by the Department of Immigration and Home Affairs to identify the individual. A second authorised officer independently verifies the identification before any enforcement action is taken. No facial recognition software or other automated biometric matching technology is used in this process. 

The personal data obtained from the eID Platform may include the individual's name, address, date of birth, and identification number. We also record the date, time, and location associated with each CCTV and BWC recording. 

Where an individual cannot be identified through the eID Platform or other available means, and where the individual was observed exiting a vehicle and littering, the Department will contact the Department of Transport to obtain the vehicle registration details associated with the captured licence plate. The vehicle registration data obtained may include the name and address of the registered keeper of the vehicle. This enables the Department to identify the registered keeper, who may then be contacted in connection with the suspected offence. 

In summary, the categories of personal data we process are:

• Visual images (photographs and video recordings) of individuals in public spaces captured by fixed CCTV cameras and BWC; 
• Audio recordings captured by BWC (including verbal exchanges between officers and individuals, and ambient conversations of bystanders); 
• Vehicle licence plate numbers captured by CCTV where individuals are observed exiting vehicles and littering; 
• Date, time, and location metadata associated with each recording; 
• Personal identification data obtained from the eID Platform (including name, address, date of birth, and identification number); 
• Vehicle registration data obtained from the Department of Transport (including the name and address of the registered keeper); 
• Records of enforcement action taken (including fixed penalty notices issued and criminal proceedings instigated). 

Sources of personal data

Some of the personal data we process is collected directly by us through the CCTV cameras and BWC. However, where we need to identify an individual captured on CCTV or BWC, we obtain additional personal data from the Government of Gibraltar's eID Platform, which is a third-party source and not data obtained directly from you. The eID Platform is administered by the Department of Immigration and Home Affairs and contains identification data (including photographs) relating to holders of Gibraltar identity cards. We access this data solely for the purpose of identifying individuals captured on CCTV or BWC committing offences under the Litter Control Act 1990, as described in this Privacy Notice. 

Where the eID Platform does not enable identification and a vehicle licence plate has been captured, we obtain vehicle registration data from the Department of Transport. The Department of Transport is a separate government department and is a third-party source. We access this data solely for the purpose of identifying individuals suspected of committing offences under the Litter Control Act 1990. 

The images captured by CCTV and BWC and the photographs viewed on the eID Platform are processed as ordinary personal data. Because the identification process involves manual visual comparison by a human officer — and does not involve any facial recognition software, algorithmic matching, biometric template creation, or other specific technical processing — the images are not biometric data and are not special category data within the meaning of the Gibraltar GDPR or Part III of the DPA 2004. However, the processing does involve criminal data, as the CCTV and BWC system is used to capture evidence of criminal offences under the Litter Control Act 1990. 

Our lawful basis for processing your personal data

We process your personal data under Part III of the Data Protection Act 2004 (Gibraltar), which governs the processing of personal data for law enforcement purposes. Our specific lawful basis is section 44(2)(b) of the DPA 2004, which permits us to process personal data where the processing is based on law and is necessary for the performance of a task carried out for law enforcement purposes by a competent authority. 

The processing is based on the following legal provisions: section 3 (including section 3(2)) and section 6(1) of the Litter Control Act 1990, and the Litter Control (Notice of Appointment) 2014 (LN. 2014/082). 

The Department is a competent authority for the purposes of Part III of the DPA 2004 by virtue of Schedule 7, paragraph 14 (public body carrying out investigatory functions) and/or section 39(1)(b) (person with statutory functions for law enforcement purposes). 

How we use the eID Platform

Where an individual has been captured on CCTV or BWC committing an offence under the Litter Control Act 1990, authorised officers within the Department may access the eID Platform solely for the purpose of identifying that individual so that enforcement can be considered and if necessary action can be taken. The identification process involves a human officer manually and visually comparing the CCTV or BWC image against photographs on the eID Platform. No facial recognition software, algorithmic matching, or other automated biometric identification technology is used. Access to the eID Platform is strictly limited to this purpose and is not used for any other reason. 

How we use vehicle licence plate data and the Department of Transport

Where an individual is observed on CCTV exiting a vehicle and littering, the CCTV footage will capture the vehicle's licence plate number. This licence plate data is used solely for the purpose of identifying the individual concerned so that enforcement action may be considered. 

Where the individual cannot be identified through the eID Platform or other available means (such as officer recognition), the Department will contact the Department of Transport to obtain the vehicle registration details associated with the captured licence plate. This may include the name and address of the registered keeper of the vehicle. 

The Department will not take enforcement action against a registered keeper solely on the basis of licence plate data. The Department will take reasonable steps to confirm that the registered keeper is the individual observed littering — for example, through follow-up enquiries or by comparing the registered keeper's photograph on the eID Platform with the CCTV footage. 

No automated number plate recognition software is used. The licence plate data is read manually from the CCTV footage by a human officer. 

Who we share your personal data with

We may share your personal data with the following recipients where it is necessary for the purposes described in this Privacy Notice:

(a) The Magistrates' Court or other judicial bodies, where criminal proceedings are instigated under section 3(2) of the Litter Control Act 1990; 

(b) The Royal Gibraltar Police, where the matter is referred for criminal investigation or prosecution; 

(c) The Department of Transport, where we share vehicle licence plate data captured on CCTV for the purpose of obtaining vehicle registration details (including the name and address of the registered keeper) to identify individuals suspected of committing littering offences who cannot be identified through the eID Platform or other available means; 

(d) Legal advisers acting on behalf of the Department; 

(e) CCTV system maintenance contractors, who may have incidental access to footage in the course of maintaining the system, subject to appropriate contractual safeguards; and 

(f) Members of the public, in exceptional circumstances where images of unidentified individuals are published on our social media channels or other public platforms to assist with identification, subject to the safeguards described in the section below entitled "Publication of images for identification purposes". 

We will not share your personal data with any other third party unless we are required to do so by law or are able to do so under appropriate exemptions contained in the DPA 2004. 

Publication of images for identification purposes

In certain cases, where an individual has been captured on CCTV or BWC committing an offence under the Litter Control Act 1990 but cannot be identified through the eID Platform, the Department of Transport, or other means available to the Department, we may publish CCTV or BWC still images of the unidentified individual on the Department's social media channels or other public platforms, with a view to members of the public assisting in identifying the individual. BWC audio will not be published. 

This processing constitutes law enforcement processing under Part III of the DPA 2004, as it is an investigative step taken by the Department in its capacity as a competent authority for the purpose of identifying a suspected offender so that enforcement action may be commenced. The publication is directly and inextricably linked to the Department's statutory enforcement functions under sections 3 and 6 of the Litter Control Act 1990 and is analogous to the well-established practice of police forces publishing CCTV images of unidentified suspects as part of their investigations. The lawful basis is section 44(2)(b) of Part III of the DPA 2004 — processing based on law and necessary for a task carried out for law enforcement purposes by a competent authority. No separate or additional lawful basis under the Gibraltar GDPR is required. 

The Department must be satisfied in each case that publication is necessary and proportionate — that is, that less intrusive means of identification (including the eID Platform, the Department of Transport, witness enquiries, patrol enquiries, liaison with the Royal Gibraltar Police, and other investigative steps) have been exhausted or are not reasonably available before resorting to public publication. 

The following safeguards will be applied to any publication of images for identification purposes:

(a) Publication will only take place as a measure of last resort, after all other reasonable means of identification (including the eID Platform, the Department of Transport, witness enquiries, patrol enquiries, and liaison with the Royal Gibraltar Police) have been exhausted or are not reasonably available. 

(b) The decision to publish will be authorised by a senior officer within the Department, who will document the reasons why publication is considered necessary and proportionate in the specific case. 

(c) Images will be limited to the minimum necessary for identification purposes. Where possible, images will be cropped or edited to exclude other individuals who may be visible in the footage and who are not suspected of committing an offence. 

(d) Images of individuals who appear to be children will not be published. Where there is any doubt as to whether an individual is a child, images will not be published. 

(e) Published images will be accompanied by a clear statement of the purpose of the publication (namely, to assist in identifying the individual in connection with a suspected littering offence) and contact details for the Department. 

(f) Once the individual has been identified (or where a decision is taken not to pursue enforcement action), the published images will be removed from social media and any other public platform as soon as reasonably practicable. 

(g) A record will be kept of all publications, including the date of publication, the platform(s) used, the authorising officer, the reasons for publication, and the date of removal. 

(h) The Department will conduct a proportionality assessment before each publication, weighing the seriousness of the offence, the interference with the individual's privacy, and the likelihood that publication will achieve the aim of identification. 

International transfers

Your personal data will not be transferred outside of Gibraltar. All CCTV and BWC footage, eID Platform data, vehicle registration data, and associated personal data is stored and processed entirely within Gibraltar. 

How long we keep your personal data

CCTV and BWC footage that does not contain evidence of a littering offence will be retained for a period of one week, after which it will be securely deleted and the hard drive formatted. 

Where CCTV or BWC footage contains evidence of a littering offence, an evidential clip (of approximately 12 frames) is extracted and retained for as long as is necessary for the purposes of the relevant enforcement action, including any fixed penalty notice process or criminal proceedings, and for a reasonable period thereafter to allow for any appeal or challenge. 

Where identification enquiries have not proven successful after a period of six months, the evidential clip will be deleted. 

Personal data obtained from the eID Platform is used only for the purpose of identifying the individual and is then deleted. Paper copies of personal data are shredded. 

Vehicle licence plate data and any associated vehicle registration data obtained from the Department of Transport will be retained only for so long as is necessary for the relevant enforcement action and will then be securely deleted. 

Once the retention period has expired, the data will be securely deleted. 

How we protect your personal data

We take the security of your personal data seriously. We have implemented appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, or destruction. These measures include access controls and authentication for the CCTV and BWC system and the eID Platform, physical security of recording equipment and storage facilities, audit logging of access to the eID Platform, restriction of access to the CCTV and BWC system to a limited number of authorised officers, the assignment of BWC to named officers with a prohibition on the retention of footage on personal devices, and regular staff training on data protection and information security. 

The CCTV and BWC footage is stored on a standalone desktop computer that is not connected to the internet or the Government server. 

Children

The CCTV cameras and BWC may incidentally capture images of children in public spaces. Where an individual who appears to be under the age of 18 is suspected of committing a littering offence, the Department will adopt specific procedures, including consideration of whether enforcement action is appropriate and proportionate, and will liaise with relevant authorities (including parents or guardians) before taking enforcement action. Images of individuals who appear to be children will not be published on social media or other public platforms. 

Your rights

Under Part III of the Data Protection Act 2004, you have the following rights in relation to the personal data we hold about you:

(a) Right of access: You have the right to request confirmation of whether we are processing your personal data and, if so, to obtain access to that data and certain supplementary information. 

(b) Right to rectification: You have the right to request that we rectify any inaccurate personal data we hold about you. 

(c) Right to erasure or restriction: You have the right to request that we erase your personal data or restrict its processing in certain circumstances. 

(d) Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning you or similarly significantly affects you. 

Please note that these rights are not absolute and may be subject to exemptions or restrictions under the DPA 2004, particularly in the context of law enforcement processing. 

To exercise any of these rights, please contact us using the details set out at the top of this Privacy Notice. We will respond to your request within the timeframe required by the DPA 2004. 

Your right to complain

If you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Gibraltar Regulatory Authority, which is the supervisory authority for data protection in Gibraltar. The Gibraltar Regulatory Authority can be contacted at:

Gibraltar Regulatory Authority 2nd Floor, Eurotowers 4 1 Europort Road Gibraltar

Email: info@gra.gi

Tel: 20074636

Website: www.gra.gi

Changes to this Privacy Notice

We may update this Privacy Notice from time to time. Any changes will be published on this page. 

This Privacy Notice was last updated on 26th February 2026.