CCTV Records: Legal Requirements for UK Businesses

Closed circuit television systems are now ubiquitous in UK workplaces, retail premises, and commercial properties. But the legal framework governing CCTV — and the record-keeping obligations it creates — is frequently misunderstood. Operating CCTV without proper documentation exposes businesses to enforcement action by the Information Commissioner's Office, potential criminal liability under the Data Protection Act 2018, and significant difficulties if footage is ever needed as evidence.

CCTV operation in the UK is primarily governed by the UK General Data Protection Regulation and the Data Protection Act 2018, which together impose obligations on any organisation that operates cameras capturing images of identifiable individuals. The ICO's CCTV Code of Practice provides detailed guidance on compliance. For public space surveillance, the Surveillance Camera Code of Practice issued under the Protection of Freedoms Act 2012 applies to relevant authorities and is best practice for others.

Organisations operating CCTV for purposes other than purely domestic use must register with the ICO as data controllers — unless they are exempt. Failure to register where required is a criminal offence.

The CCTV System Log

Every organisation operating CCTV should maintain a CCTV system log — a record of the system's operation, maintenance, and any incidents involving the footage. The log should record:

  • the dates and results of system checks and maintenance;
  • any faults identified and the action taken;
  • instances where footage has been accessed and the reason for access;
  • instances where footage has been provided to third parties, including the police;
  • instances where footage has been deleted or where the retention period has been applied.

The system log provides evidence that the CCTV system is being operated in accordance with the organisation's data protection obligations. It is the first document an ICO investigator will request.

Retention Periods for CCTV Footage

One of the most important record-keeping decisions for any CCTV operator is establishing and documenting a retention period for footage. The UK GDPR requires that personal data — which includes CCTV footage of identifiable individuals — is not kept for longer than necessary for the purpose for which it was collected.

For most commercial CCTV systems, a retention period of 31 days is standard and widely accepted as proportionate. Some higher-security environments retain footage for longer — up to 90 days is not uncommon. Whatever period is chosen, it must be documented in the organisation's data protection records and privacy notice, and it must be consistently applied. Retaining footage beyond the stated period without justification is a breach of the UK GDPR.

Where footage captures an incident — a theft, assault, accident, or other significant event — it should be preserved outside the normal retention cycle and retained until any legal proceedings are concluded or the relevant limitation period has expired.

The Data Protection Impact Assessment

For CCTV systems that are likely to result in a high risk to individuals — extensive public space surveillance, systems monitoring employees, or systems using facial recognition or other biometric analysis — a Data Protection Impact Assessment must be carried out before the system is deployed. The DPIA must be documented and retained.

Even where a full DPIA is not legally required, documenting a proportionality assessment — a written record of why the CCTV system is necessary, what it is intended to achieve, and why less intrusive means would not be sufficient — is strongly advisable. This documentation demonstrates that the decision to install CCTV was considered and proportionate.

Signage and Privacy Notices

Individuals must be informed that they are being recorded. This is typically achieved through signage at the entrance to any area covered by CCTV, supplemented by a privacy notice — either displayed or made available on request — explaining who operates the system, the purpose of the recording, the retention period, and individuals' rights regarding their data.

Records of the signage deployed and the privacy notice in use should be maintained. Where the privacy notice is updated, previous versions should be retained with the dates they were in effect.

Subject Access Requests

Individuals have the right to request a copy of CCTV footage in which they appear. Subject access requests must be responded to within one month. Records of all subject access requests — the request, the footage provided or the reason for refusal, and the date of response — must be maintained.

Frequently Asked Questions

Does a small business need to register with the ICO for CCTV?

Most businesses operating CCTV must register with the ICO as data controllers. Exemptions are narrow. The ICO registration fee is modest — from £40 per year for small organisations — and failure to register where required is a criminal offence.

Can CCTV footage be used as evidence in court?

Yes, provided it has been obtained and retained in accordance with data protection law. Courts may decline to admit footage where there are concerns about how it was obtained or retained. Maintaining proper records of the system's operation supports the admissibility of footage as evidence.

How long must CCTV records be kept?

The system log and associated records should be retained for at least two years. Footage itself should be deleted after the stated retention period unless preserved for a specific purpose.

Key Takeaways

  • CCTV operators must register with the ICO as data controllers — failure to do so is a criminal offence.
  • A CCTV system log must record maintenance, access, disclosures, and deletions — it is the first document an ICO investigator will request.
  • A documented retention period must be established and consistently applied — 31 days is standard for most commercial systems.
  • Where CCTV poses high risks to individuals, a Data Protection Impact Assessment must be documented before deployment.
  • Signage and privacy notices must be in place — records of these should be maintained.
  • Subject access requests must be responded to within one month — records of all requests and responses must be kept.