
What Are The CCTV Regulations In the UK for Commercial Businesses?

22 September 2020

The use of CCTV as a security measure in the workplace can be highly beneficial as a deterrent to criminal activity. Some businesses may have concerns about the legal responsibilities and considerations involved in using CCTV, and each business needs to explore these to determine the benefits and suitability of security and surveillance systems.


How is CCTV governed?

It is important to know that GDPR laws cover images captured by CCTV, so steps must be taken to ensure the organisation is compliant. The Information Commissioner's Office (ICO) is a government body that is responsible for regulating data privacy issues. The ICO sets out a code of practice, which is not a legal act itself. The practical advice it offers helps organisations comply with the legal framework. The Surveillance Camera Commissioner's Office (SCCO) also issues a code of practice that details the legal obligations for CCTV users. Like the ICO's code, it is not an act itself but is an officially sanctioned document.


The legal framework that the ICO and SCCO draw on to create their codes of practice is based on 4 aspects of law:


  1. The Data Protection Act (DPA), which regulates how personal data can be processed and moved, and how it must be protected.
  2. The Freedom of Information Act (FOI), which regulates access to information held by public authorities.
  3. The Protection of Freedoms Act (POFA), which regulates (among other things) how surveillance and biometric data can be used, and how these types of data must be safeguarded.
  4. The Human Rights Act (HRA), which includes provisions regarding the right to privacy.

Rules on CCTV

There are several points to consider when deciding whether a business requires a surveillance security system:


  • Consider whether it is necessary to use CCTV and what needs to be recorded.
  • Register with the ICO.
  • Appoint a data controller to be responsible for the storage, processing and review of data.
  • Perform a privacy impact assessment (PIA).
  • Inform all employees that they are being recorded and provide clear signage.
  • Ensure areas of expected privacy, e.g. toilets and changing rooms, are not included in surveillance areas.
  • Subjects of CCTV data can ask for any personal data that has been collected, which must then be provided to them within a reasonable time frame.
  • Comply with any requests to supply CCTV data for legal proceedings.

Benefits of compliance with regulations/laws

There are benefits for businesses that work to comply with the laws that govern the use of CCTV in a commercial setting:

  • Allows security infrastructure to be optimised, as the legal framework looks to strike a balance between privacy and security.
  • The organisation will be protected by authorities when data is held in accordance with the DPA, should any issue arise regarding the data held.
  • Internal documentation that is required to be maintained will allow for a continually refined and strengthened security strategy.

Breaches in compliance carry heavy legal consequences, with more serious breaches resulting in £500,000 penalties and even custodial sentences.

Who is responsible for the data?

A business that holds personal data is required to appoint a data controller who is legally responsible for the data. The data controller decides what data is processed, and the reason for and manner of processing. They don't necessarily carry out surveillance or processing themselves. The data controller can be an individual, an organisation or any other corporate or unincorporated body of persons.

Guarding the data is the legal responsibility of the business, so data must be stored securely and only accessed by authorised personnel. A business must also be able to show an audit trail of how the data is collected and kept. Once the data is no longer needed, it must be disposed of in a way that makes it impossible to recover.

How long can data be kept?

Data should only be stored for as long as legitimately needed. No specific duration is defined for keeping data, and it is likely to vary depending on the circumstances in which the data is collected. For example, a restaurant is likely to need CCTV footage for only a few hours, while a hotel corridor may need it for perhaps a few days.

The legislation related to surveillance equipment aims to strike a balance between security and privacy by giving CCTV users the means to protect staff and assets without compromising the basic human right to privacy. Having a well-planned and efficient CCTV system will bring benefits to a business. If you would like more information or to discuss your requirements, you can contact Arana Security here.