0333 900 0101

CCTV Laws UK: CCTV Rules & Regulations & How They Impact Your Business

Estimated Reading Time: 12 minute(s)

CCTV systems are widely recognised today as one of the most efficient means for businesses to prevent on-premise crime and protect their staff and assets. However, the widespread use of CCTV cameras in the UK and elsewhere has also been met with concern regarding the privacy of those who are surveyed. This has prompted public authorities to introduce a broad set of regulations, aiming to balance the fundamental rights to privacy and public image with the security requirements of public and business spaces.

Most of these requirements follow a “policy, not mechanism” approach and establish objectives, not the means to achieve them. Businesses are, therefore, given considerable flexibility in this regard. This guide aims to explore the key practical aspects of your legal requirements in the hope that it will help you make the most of this flexibility. The key questions that we want to address concerning CCTV laws in the UK are:

  • What are the main acts which govern CCTV use?
  • Who is bound by these acts?
  • What are the main requirements that these acts prescribe?

The Basics of UK CCTV Laws: What, Why?

The legal framework that you need to comply with is founded on four acts:

  1. The Data Protection Act (DPA) regulates how personal data can be processed and moved and how it must be protected.
  2. The Freedom of Information Act (FOI) regulates access to information held by public authorities.
  3. The Protection of Freedoms Act (POFA) regulates (among others) how surveillance and biometric data can be used and how these types of data must be safeguarded.
  4. The Human Rights Act (HRA) includes provisions regarding the right to privacy.

This legal framework is not overly complex, but it is very broad. FOI, POFA, and especially HRA refer to a great deal of topics besides data from CCTV cameras. This has prompted various government and industry bodies to issue their own documents detailing the responsibilities of CCTV users and recommending compliance solutions.

The Information Commissioner’s Office (ICO) issues a data protection code of practice for surveillance cameras and personal information. The ICO is a government body, but the ICO code of practice itself is not a legal act – it’s a compilation of practical advice about how to ensure you are following the acts mentioned above. In other words, while following the ICO code of practice is not a legal requirement, chances are that if you are breaking it, you are breaking the law as well.

Ico

The Surveillance Camera Commissioner’s Office (SCCO) also issues a code of practice, aiming not only to detail the legal requirements that CCTV users are bound by but also to provide a coherent technical framework for planning the deployment of CCTV cameras and for integrating them into your IP security system. Like the ICO code of practice, while not a legal act, this is an officially sanctioned document.

Why strive for compliance with CCTV laws?

We should stress that these requirements are not mere legal burdens. There are real, substantial security benefits in following them, which go beyond the obvious benefit of not being fined, prosecuted or incarcerated. What are these benefits?

  • Perhaps surprisingly, devising your IP security system in accordance with legal regulations is a good way to avoid overspending. The legal framework is devised to strike a balance between privacy and security, and essentially forbids the deployment of security equipment that is not objectively needed. In the long run, this also means that continuous compliance allows you to optimise security infrastructure costs.
  • Protecting surveillance data in accordance with the DPA and other legal acts ensures that no one can use the fact that you hold this data against you, and that you can seek the authorities’ protection if they try to.
  • The internal documentation that you are required to maintain allows you to refine and strengthen your security strategy

Benefits aside, breaching the DPA carries heavy legal consequences: serious breaches can result in a fine of up to 500,000 GBP, and penalties for deliberate breaches include custodial sentences. In 2016, the ICO issued 35 fines, totalling 3.2 million GBP.

0333 900 0101 sales@network-data-cabling.co.uk Contact us

Who and What Is Covered?

Is my organisation bound by these requirements?

If you have to ask, it probably is: the DPA and the ICO code apply to all companies and organisations, regardless of size and activity, and regardless of why you use CCTV cameras. The only surveillance systems that do not fall under the DPA are those deployed for limited household purposes.

Who bears the responsibility?

In short, the legal responsibility belongs to the person who decides (alone, jointly, or in common with others) what data is processed, for what reasons, and in what manner. This person is called the data controller in the DPA jargon. “Person” here is to be taken in the legal sense – they can be an individual, an organisation, or any other corporate and unincorporated body of persons.

Data controllers do not necessarily carry out the surveillance and processing themselves. They may do so through third parties, such as security or tech support service providers. These are called data processors and are not bound by the DPA when it comes to data owned by the data controller.

If you are unsure whether you are a data controller or a data processor, the ICO maintains an excellent guide that can help you figure it out.

What equipment falls under these requirements?

The legal definition of surveillance is very broad. It covers CCTV cameras, automatic number plate recognition (ANPR) systems, body-worn cameras (BWC) and surveillance drones (SD). Under certain conditions, it can also cover data generated by electronic access control systems (EACS), biometric recognition (BR) data, voice conversations, and telephone data.

What are my responsibilities?

In short, the data controller of a CCTV system has the following responsibilities:

  1. To ensure that surveillance camera systems are used only where and when it is necessary
  2. To ensure an effective administration of the surveillance system
  3. To ensure that the data is guarded against unauthorised access
  4. To ensure that the data is disclosed to those who have the legal right to access it
  5. To retain the data only as long as it is legitimately needed
  6. To inform surveillance subjects about the use of surveillance equipment, about their rights and about the procedures that they need to follow to obtain any data that they are legally entitled to.

Ensuring that CCTV cameras are used only where and when it is necessary is perhaps the most fundamental element of legal compliance. The DPA explicitly states that personal data “shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed” (DPA 1998, Sch I, 3). The ICO has a handy guide that can help you decide whether you need to collect any personal data and how to decide what data is adequate for your purposes.

In practice, this decision is usually based on a privacy impact assessment (PIA). Conducting a PIA is not a legal requirement of the DPA, but it is a very effective way of demonstrating DPA compliance, and the ICO routinely asks organisations if they have conducted a PIA.

Effective administration of the surveillance system is the cornerstone of DPA compliance. In the context of surveillance equipment, effective administration refers to: 

  • Clearly establishing who is responsible for the control of private data
  • Identifying the specific purposes for the use of the information and communicating them to operators
  • Establishing clear procedures to identify how information is handled in practice
  • Documenting all administrative aspects and ensuring that all responsibility is traceable, either internally (through internal procedures) or to third-party service providers, through clear legal contracts.
  • Regularly reviewing procedures and documentation related to surveillance activities

The ICO maintains several guides to help you devise effective administration schemes: a code of practice on privacy notices, transparency and control, one on employment practices, and one on data sharing.

You are legally responsible for guarding the data you collect.

This responsibility means you need to:

  • Ensure that data can only be accessed by authorised personnel and that it is stored securely
  • Keep an audit trail showing how the information is collected and used
  • Dispose of data securely and responsibly, which makes it impossible to recover.

Access control requirements are very strict, especially when it comes to sharing data with third parties. For example, the ICO has a special set of recommendations for using cloud-integrated IP security systems.

Oftentimes, this requirement is breached accidentally – for example, by posting surveillance camera images on the Internet or disclosing them to the media. The rule of thumb is that you should never disclose information unless you can point to the exact legal provision which allows you to do it.

0333 900 0101 sales@network-data-cabling.co.uk Contact us

You are also legally responsible for disclosing data to those who have a legal right to access it.

Under the DPA, Section 7, the subject of CCTV data – that is, anyone who appears in your cameras’ footage – can ask for any personal data that you have collected on them, and you are required to release it.

You are allowed to charge for these services. You are also allowed to ask for additional information to be able to identify which data you need to disclose and to confirm that the person asking for the data is the one in the pictures. However, if you have received a written request and if this information has been supplied, you are required to disclose the information.

The DPA also allows third parties to access surveillance data under some conditions. For example, you may be required to disclose CCTV images if they are required for legal proceedings.

In practice, this means that you should ensure not only that your system is able to store the information you need, but also that you can look it up and retrieve any particular piece of footage in a timely manner, and that you can easily convert it in an easily-accessible format.

You are allowed to store the data only for as long as it is legitimately needed.

The DPA does not prescribe any fixed duration. The best way to determine the adequate duration for storing some data is to look at it from the opposite angle: you should remove it as soon as you no longer need it.

This duration does not have to be uniform for all equipment and under all circumstances. For example, CCTV footage from a hotel’s hallways and room access areas may need to be stored for a few days, as it can take some time before someone notices something has been stolen from their room. CCTV footage from a camera in the hotel’s restaurant, on the other hand, can safely be removed after just a few hours since incidents in these areas come to light very quickly. However, if that camera has captured footage of an incident that has been reported to the police, those sections can (and should) be kept until the legal proceedings are finished.

You must let everyone know if they are in an area where a surveillance system is operational.

For CCTV cameras, it is sufficient – and most effective – to place signs throughout the surveillance area and at its entrance. These signs should include:

  • A notice that the area is being surveyed
  • The details of who and why is using the surveillance system, if these things cannot be easily inferred from the surroundings
  • Basic contact details, such as a website, email or phone number

Maintaining an Audit Trail

The legal requirements we have seen so far cover very long periods and, more often than not, large amounts of data. Demonstrating compliance over such periods is nearly impossible without a solid audit trail. What kind of internal documentation should you maintain?

Small businesses typically need to maintain only a small set of documentation, outlined in Appendix 2 of the ICO Code of Practice – essentially, nothing but a checklist and a small number of documents (such as a notification sent to the ICO).

For larger businesses, a minimal audit trail includes:

  • An initial PIA
  • An internal surveillance system policy document
  • Periodic management audits, privacy impact reports, and system operational assessments

These documents will typically include CCTV-related information, as the CCTV cameras are likely to be only one component of a larger company’s IP security infrastructure.

Conclusions

In the UK, CCTV use is regulated as part of a broader legal framework, which deals with surveillance equipment of every form. For CCTV users, the ICO and the SCCO issue a set of guidelines in the form of codes of practice, which are not legal documents per se, but officially-sanctioned practical guides for ensuring compliance.

The body of legislation concerning surveillance equipment aims to strike a balance between privacy and security; it strives to give CCTV users the means to protect their staff and physical and electronic assets, without compromising the basic human right to privacy. Complying with surveillance-related legislation is a moral and legal requirement in and of itself, but it also brings substantial security and financial benefits.

Still confused by the legal requirements related to installing CCTV cameras in London? It’s perfectly understandable. The rules and regulations in this field take time to understand and master.

However, if you need more information on the topic of UK CCTV laws, we’re happy to help. After more than 20 years in this field, ACCL knows exactly how to make sure that all the CCTV systems we install in London meet legal requirements and adhere to the highest standards in the field.

Get in touch with us for your FREE, no-obligation on-site survey.

Services mentioned in this blog post: CCTV installationIP SecurityAccess ControlANPR

Related topics: CCTV rules and regulations, UK CCTV employee rights , Guidance on the use of domestic CCTV

0333 900 0101 sales@network-data-cabling.co.uk Contact us