01604 261655
CCTV Data Protection

Do you use CCTV in your business?

CCTV Data ProtectionThe use of CCTV by organisations falls under the purview of the ICO (Information Commissioners Office) and is covered under the Data Protection Act 2018.  This is because surveillance cameras are no longer a passive technology that only records and retains images, but is now a proactive one that can be used to identify people of interest and keep detailed records of people’s activities, such as with ANPR cameras.

It is also worth noting that the unwarranted use of CCTV and other forms of surveillance cameras has led to a strengthening of the regulatory landscape through the passing of the Protection of Freedoms Act (POFA).

So you will need to ensure you comply under both of these if you use CCTV and we are not just talking about cameras, the following technologies also fall into this category:

  • Automatic Number Plate Recognition (ANPR);
  • Body Worn Video (BWV);
  • Unmanned Aerial Systems (UAS); and
  • other systems that capture information of identifiable individuals or information relating to individuals.


There are a couple of exceptions, the use of surveillance systems for limited household purposes can be exempt from the DPA, as is the use of conventional cameras (not CCTV) by the news media or for artistic (journalistic) purposes.

In order to properly assess the impact your system has on people’s privacy you will need to carry out an assessment. The best way to do this is to conduct a Data Protection Impact Assessment (DPIA).

What’s Next?

CCTV Data ProtectionAfter carrying out your DPIA you will then need a policy in place which ensures the following areas are covered:

  1. Ensuring effective administration

Establishing a clear basis for the processing of any personal information is essential, it is important that you establish who has responsibility for the control of this information within your organisation.

  1. Storing and viewing surveillance system information

Recorded material should be stored in a way that maintains the integrity of the information and is secure.

  1. Disclosure

Disclosure of information from surveillance systems must be controlled, it can be appropriate to disclose surveillance information to a law enforcement agency when the purpose of the system is to prevent and detect crime, but it would not be appropriate to place them on the internet.

  1. Subject access requests

Individuals whose information is recorded have a right to be provided with that information or, if they consent to it, view that information. Information must be provided promptly and within no longer than 30 calendar days of receiving a request.

  1. Retention

You should not keep information for longer than strictly necessary to meet your purposes for recording it. On occasion, you may need to retain information for a longer period, where a law enforcement body is investigating a crime and ask for it to be preserved, to give them opportunity to view the information as part of an active investigation.  This maybe 30 days in order to comply with any Subject Access Requests.

  1. Selecting and siting surveillance systems

The information collected by a surveillance system must be adequate for the purpose you are collecting it. The type of surveillance system you choose and the location it operates within must also achieve the purposes for which you are using it. You should ensure that the design of any surveillance systems you purchase allows you to easily locate and extract personal data in response to subject access requests.

  1. Privacy notices

It will be difficult to ensure that an individual is fully informed of this information if the surveillance system is airborne, on a person or, in the case of ANPR, not visible at ground level.  However, these are issues that must be tackled as you are unlikely to comply with the data protection principles unless you make all reasonable efforts to provide fair processing information.

  1. Using the equipment

It is important that a surveillance system produces information that is of a suitable quality to meet the purpose for which it was installed. If identification is necessary, then poor quality information that does not help to identify individuals may undermine the purpose for installing the system.