GDPR Checklist - CCTV

Article ID: 2847
Last updated: 04 Apr, 2023

CCTV CHECKLIST

Step 1 of 4: Installing a system

1.1 Data protection impact assessment

Your business has identified and documented the potential impact on individuals’ privacy and taken this into account when installing and operating the CCTV system. You regularly review whether CCTV is still the best security solution.

If your cameras are likely to overlook any areas which people would regard as private (eg a neighbour’s garden), you should consider where to install them and avoid siting cameras in these locations, or restrict their fields of view or movement to minimise intrusion.

For internal workplace cameras, consider the greater expectation of privacy in certain areas such as locker rooms or social areas.

Consider the differing impacts of camera technologies. For example, a fixed camera might be more appropriate than a Pan-Tilt-Zoom. A system that records sound will be significantly more intrusive and harder to justify than one without that capability.

If your business is sited in a mixed or multiple-use location, consider the privacy concerns of the users of any common spaces.

1.2 Registration

Your business has paid the data protection fee to the Information Commissioner's Office (ICO).

Once you have determined the purpose for which you are processing personal data you must pay the ICO a data protection fee unless you are exempt. If your business uses non-domestic CCTV systems you are likely to need to pay a fee.

There are three different tiers of fee and you are expected to pay between £40 and £2,900. The fee depends on the size of your business, your turnover and, in some cases, the type of business you are. If you want to know more, the ICO has published more detailed Guidance on our website.

Step 2 of 4: Management

2.1 Governance

Your business has a policy and/or procedure covering the use of CCTV and has nominated an individual who is responsible for the operation of the CCTV system.

A policy will help you to use CCTV consistently. The policy should cover the purposes you are using CCTV for and how you will handle this information, including guidance on disclosures and recording. It is good practice to assign day-to-day responsibility for CCTV to an appropriate individual. They should ensure that your business sets standards, has procedures and that the system complies with legal obligations including individuals’ rights of access.

2.2: Requests for personal data

Your business has established a process to recognise and respond to individuals or organisations making requests for copies of the images on your CCTV footage and to seek prompt advice from the Information Commissioner where there is uncertainty.

Be aware of people’s right to request a copy of their image (including staff) and be prepared to deal with these. These rights exist for both staff and customers.

Have a clear policy that will help you deal with requests effectively. Requests can be made verbally or in writing, so your policy should include how to record any requests you receive verbally.

You must provide the Information without delay and at the latest within one month of receipt of the request.

An individual should not have any greater difficulty in requesting their data when this is an image compared to a document or computer file. Providing information promptly is important, particularly if you have a set retention period which conflicts with the statutory response period. In such circumstances it is good practice to put a hold on the deletion of the information.

When dealing with individual’s requests for personal data you should carefully consider information about third parties, just as you would be if they were mentioned in a document or computer file that was the subject of a request.

Keeping an accurate log of subject access requests you receive and how you have handled them will help you manage requests and deal with any challenges to how you’ve handled them.

You should not provide images to third parties other than law enforcement bodies to assist them in the detection or prevention of a crime. You should have a process in place to enable you to do this as quickly as possible.

2.3 Training

Your business trains its staff in how to operate the CCTV system and cameras (if applicable) and how to recognise requests for CCTV information/images.

Make all relevant staff aware of your CCTV policy and procedures and train them where necessary. For example:

  • All staff who are authorised to access the cameras should be familiar with the system, and with the processes for reviewing footage and extracting it if required.
  • All staff should be familiar with procedures for recognising and dealing with requests for personal data.
  • All staff should be familiar with the likely disciplinary penalties for misuse of the cameras.
  • Where a staff member’s role explicitly includes monitoring of CCTV, eg a security guard, ensure that you meet and record appropriate training standards (such as SIA qualifications).

Step 3 of 4: Operation

3.1 Retention

Your business only retains recorded CCTV images for long enough to allow for any incident to come to light (eg for a theft to be noticed) and to investigate it.

You should retain data for the minimum time necessary for its purpose and dispose of it appropriately when no longer required. Your retention period should not be based merely on the storage capacity of your system, but reflect how long you need the data for the purpose.

You may need to retain information for a longer period, if a law enforcement body is investigating a crime and asks you to preserve it, to give them opportunity to view the information as part of an active investigation.

You should delete it when it is not necessary to retain, for example if it does not achieve the purpose for which you are collecting and retaining information.

You should implement controls including:

  • Document your information retention policy for CCTV information and ensure it is understood by those who operate the system;
  • Implement measures to ensure you permanently delete information through secure methods at the end of the retention period;
  • Undertake systematic checks to ensure that you are complying with the retention period in practice. In addition it is worth noting that long retention periods can affect the quality of the footage with modern cameras recording to hard disks.

3.2 Data Quality

Your business has ensured that the CCTV images are clear and of a high quality.

You should select a system which produces high quality, clear images which law enforcement bodies (usually the police) can use to investigate crime.

One way you can achieve this is by siting your CCTV cameras in the best location possible to ensure that they provide clear images. For example, be aware of tree and plant growth or other obstructions which might interfere with cameras’ views.

You should also carry out regular checks to ensure that the system is continuing to produce high quality images. Ensure that system settings do not compromise quality – for example on a modern digital system ensure the overwrite cycle is not too long and degrades footage as the system trades resolution for recording time.

3.3 Data Security

Your business securely stores CCTV images, limits access to authorised individuals and regularly checks that the CCTV system is working properly.

You must sufficiently protect all information to ensure that it does not fall into the wrong hands.

Poor security can lead to your cameras’ feeds being viewed by criminals, or being hijacked by them for use in computer botnets.

Security precautions should include technical, organisational and physical security:

  • Protect wireless transmission systems from interception.
  • Restrict the ability to view or make copies of information to appropriate staff.
  • A secure space where footage is stored.
  • Staff training in security procedures and sanctions against staff who misuse surveillance system information.
  • Establish appropriate controls if the system is connected to, or made available across, a computer network. Internet-protocol (IP) cameras should be protected by firewall and router controls, and default passwords should be changed.
  • Apply any software updates (particularly security updates) published by the equipment’s manufacturer to the system in a timely manner. Modern IP camera manufacturers issue security advisories and fixes to security problems, and users should keep these patched and up to date just as much as their other computer equipment.
  • Protect the recorded footage from CCTV, whether tapes or hard disk, against access by any unauthorised person, whether an unauthorised staff member or an outsider.
  • Store any data you have collected securely, for example by using encryption or another appropriate method of restricting access to the information.

Step 4 of 4: Public awareness and signage

Step 4.1 Fair processing

Your business clearly informs individuals of your use of CCTV.

You should display signs showing that CCTV is in operation. Where it is not obvious who is responsible for the system, you should ensure there are contact details displayed on the sign(s).

Make signs the right size and location so that a person is aware that they are being observed, and given as much warning as possible. Such transparency may also have a deterrent effect in itself.

Outline the use of CCTV and its purposes on your website (where applicable).

Article ID: 2847
Last updated: 04 Apr, 2023
Revision: 6
Views: 942
This article was:  


Also listed in
folder GDPR Centre