CCTV Laws UK: CCTV Rules & Regulations & How They Impact Your Business

13th July, 2018


    CCTV systems are widely recognized today as one of the most efficient means for businesses to prevent on-premises crime and to protect their staff and assets. However, the widespread use of CCTV cameras in the UK and elsewhere has also been met with concern regarding the privacy of those under surveillance. This has prompted public authorities to introduce a broad set of regulations, aiming to balance the fundamental rights to privacy and public image with the security requirements of public and business spaces.


    Most of these requirements follow a “policy, not mechanism” approach and establish objectives, not the means to achieve them. Businesses are therefore given a great deal of flexibility in this regard. This guide aims to explore the key practical points of your legal requirements, in the hope that it will help you make the most of this flexibility. The key questions that we want to address with regard to CCTV laws in the UK are:


    1. What are the main acts which govern CCTV use?
    2. Who is bound by these acts?
    3. What are the main requirements that these acts prescribe?

    The Basics of UK CCTV Laws: What, Why?


    The legal framework that you need to comply with is founded on four acts:


    1. The Data Protection Act (DPA), which regulates how personal data can be processed and moved, and how it must be protected.
    2. The Freedom of Information Act (FOI), which regulates access to information held by public authorities.
    3. The Protection of Freedoms Act (POFA), which regulates (among others) how surveillance and biometric data can be used, and how these types of data must be safeguarded.
    4. The Human Rights Act (HRA), which includes provisions regarding the right to privacy.


    This legal framework is not overly complex, but it is very broad. FOI, POFA, and especially HRA cover a great many topics besides data from CCTV cameras. This has prompted various government and industry bodies to issue their own documents, detailing the responsibilities of CCTV users and recommending compliance solutions.


    The Information Commissioner’s Office (ICO) issues a data protection code of practice for surveillance cameras and personal information. The ICO is a government body, but the ICO code of practice itself is not a legal act – it’s a compilation of practical advice about how to ensure you are following the acts mentioned above. In other words, while following the ICO code of practice is not a legal requirement, chances are that, if you are breaking it, you are breaking the law as well.


    The Surveillance Camera Commissioner’s Office (SCCO) also issues a code of practice, aiming not only to detail the legal requirements that CCTV users are bound by, but also to provide a coherent technical framework for planning the deployment of CCTV cameras and for integrating them in your IP security system. Like the ICO code of practice, while not a legal act, this is an officially-sanctioned document.


    Why strive for compliance with CCTV laws?


    We should stress that these requirements are not mere legal burdens. There are real, substantial security benefits in following them, which go beyond the obvious benefit of not being fined, prosecuted or incarcerated. What are these benefits?


    • Perhaps surprisingly, devising your IP security system in accordance with legal regulations is a good way to avoid overspending. The legal framework is devised to strike a balance between privacy and security – and essentially forbids the deployment of security equipment that is not objectively needed. In the long run, this also means that continuous compliance allows you to optimize security infrastructure costs.
    • Protecting surveillance data in accordance with the DPA and other legal acts ensures that no one can use the fact that you hold this data against you – and that you can seek the authorities’ protection if they try to.
    • The internal documentation that you are required to maintain allows you to refine and strengthen your security strategy.


    Benefits aside, breaching the DPA carries heavy legal consequences: serious breaches can result in a fine of up to 500,000 GBP, and penalties for deliberate breaches include custodial sentences. In 2016, the ICO issued 35 fines, totaling 3.2 million GBP.


    Who and What Is Covered?

    Is my organization bound by these requirements?


    If you have to ask, it probably is: the DPA and the ICO code apply to all companies and organizations, regardless of size and activity, and regardless of why you use CCTV cameras. The only surveillance systems that do not fall under the DPA are those deployed for limited household purposes.


    Who bears the responsibility?


    In short, the legal responsibility belongs to the person who decides (alone, jointly, or in common with others) what data is processed, for what reasons, and in what manner. This person is called the data controller in DPA jargon. “Person” here is to be taken in the legal sense – they can be an individual, an organisation, or any other corporate or unincorporated body of persons.


    Data controllers do not necessarily carry out the surveillance and processing themselves. They may do so through third parties, such as security or tech support service providers. These are called data processors and are not bound by the DPA when it comes to data owned by the data controller.


    If you are unsure whether you are a data controller or a data processor, the ICO maintains an excellent guide that can help you figure it out.


    What equipment falls under these requirements?


    The legal definition of surveillance is very broad. It definitely covers CCTV cameras, automatic number plate recognition (ANPR) systems, body-worn cameras (BWC) and surveillance drones (SD). Under certain conditions, it can also cover data generated by electronic access control systems (EACS), biometric recognition (BR) data, voice conversations, and telephone data.


    What Are My Responsibilities?


    In short, the data controller of a CCTV system has the following responsibilities:


    1. To ensure that surveillance camera systems are used only where and when it is necessary
    2. To ensure an effective administration of the surveillance system
    3. To ensure that the data is guarded against unauthorized access
    4. To ensure that the data is disclosed to those who have the legal right to access it
    5. To retain the data only as long as it is legitimately needed
    6. To inform surveillance subjects about the use of surveillance equipment, about their rights and about the procedures that they need to follow in order to obtain any data that they are legally entitled to.


    Ensuring that CCTV cameras are used only where and when it is necessary is perhaps the most fundamental element of legal compliance. The DPA explicitly states that personal data “shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed” (DPA 1998, Sch I, 3). The ICO has a handy guide that can help you decide whether you need to collect any personal data, and how to decide what data is adequate for your purposes.


    In practice, this decision is usually based on a privacy impact assessment (PIA). Conducting a PIA is not a legal requirement of the DPA, but it is a very effective way of demonstrating DPA compliance, and the ICO routinely asks organizations if they have conducted a PIA.



    Effective administration of the surveillance system is the cornerstone of DPA compliance. In the context of surveillance equipment, effective administration refers to: 


    • Clearly establishing who has responsibility for the control of private data
    • Identifying the specific purposes for the use of the information, and communicating them to operators
    • Establishing clear procedures to identify how information is handled in practice
    • Documenting all administrative aspects and ensuring that all responsibility is traceable, either internally (through internal procedures) or to third-party service providers, through clear legal contracts.
    • Regularly reviewing procedures and documentation related to surveillance activities


    The ICO maintains several guides to help you devise an effective administration scheme: a code of practice on privacy notices, transparency and control, one on employment practices, and one on data sharing.


    You are legally responsible for guarding the data you collect.


    This responsibility means you need to:


    • Ensure that data can only be accessed by authorized personnel and that it is stored securely
    • Keep an audit trail showing how the information is collected and used
    • Dispose of data in a secure and responsible manner, which makes it impossible to recover.


    Access control requirements are very strict, especially when it comes to sharing data with third-parties. For example, the ICO has a special set of recommendations for using cloud-integrated IP security systems.


    Oftentimes, this requirement is breached accidentally – for example, by posting surveillance camera images on the Internet or disclosing them to the media. The rule of thumb is that you should never disclose information unless you can point to the exact legal provision which allows you to do it.


    You are also legally responsible for disclosing data to those who have a legal right to access it.


    Under the DPA, Section 7, the subject of CCTV data – that is, anyone who appears in your cameras’ footage – can ask for any personal data that you have collected on them, and you are required to release it.


    You are allowed to charge for these services. You are also allowed to ask for additional information in order to be able to identify which data you need to disclose, and in order to confirm that the person asking for the data is really the one in the pictures. However, if you have received a written request and if this information has been supplied, you are required to disclose the information.


    The DPA also allows third-parties to access surveillance data under some conditions. For example, you may be required to disclose CCTV images if they are required for legal proceedings.


    In practice, this means that you should ensure not only that your system is able to store the information you need, but also that you can look it up and retrieve any particular piece of footage in a timely manner, and that you can easily convert it into an easily accessible format.


    You are allowed to store the data only for as long as it is legitimately needed.


    The DPA does not prescribe any fixed duration. The best way to determine the adequate duration for storing some data is to look at it from the opposite angle: you should remove it as soon as you no longer need it.


    This duration does not have to be uniform for all equipment and under all circumstances. For example, CCTV footage from a hotel’s hallways and room access areas may need to be stored for a few days, as it can take some time before someone notices something has been stolen from their room. CCTV footage from a camera in the hotel’s restaurant, on the other hand, can safely be removed after just a few hours, since incidents in these areas come to light very quickly. However, if that camera has captured footage of an incident that has been reported to the police, those sections can (and should) be kept until the legal proceedings are finished.


    You must let everyone know if they are in an area where a surveillance system is operational.


    For CCTV cameras, it is sufficient – and most effective – to place signs throughout the surveilled area and at its entrance. These signs should include:


    • A notice that the area is under surveillance
    • The details of who is using the surveillance system and why, if these things cannot be easily inferred from the surroundings
    • Basic contact details, such as a website, email or phone number


    Maintaining an Audit Trail


    The legal requirements we have seen so far cover very long periods of time and, more often than not, large amounts of data. Demonstrating compliance over such periods is nearly impossible without a solid audit trail. What kind of internal documentation should you maintain?


    Small businesses typically need to maintain only a small set of documentation, outlined in Appendix 2 of the ICO Code of Practice – essentially, nothing but a checklist and a small number of documents (such as a notification sent to the ICO).


    For larger businesses, a minimal audit trail includes:


    • An initial PIA
    • An internal surveillance system policy document
    • Periodic management audits, privacy impact reports, and system operational assessments


    These documents will typically include CCTV-related information, as the CCTV cameras are likely to be only one component of a larger company’s IP security infrastructure.





    In the UK, CCTV use is regulated as part of a broader legal framework, which deals with surveillance equipment of every form. For CCTV users, the ICO and the SCCO issue a set of guidelines in the form of codes of practice, which are not legal documents per se, but officially-sanctioned practical guides for ensuring compliance.


    The body of legislation concerning surveillance equipment aims to strike a balance between privacy and security; it strives to give CCTV users the means to protect their staff, physical and electronic assets, without compromising the basic human right to privacy. Complying with surveillance-related legislation is a moral and legal requirement in and of itself, but it also brings substantial security and financial benefits.


    Still confused by the legal requirements related to installing CCTV cameras in London? It’s perfectly understandable. The rules and regulations in this field take time to understand and master.


    However, if you need more than information on the topic of UK CCTV laws, we’re happy to help. After more than 20 years in this field, ACCL knows exactly how to make sure that all the CCTV systems we install in London meet legal requirements and adhere to the highest standards in the field.


    Get in touch with us for your FREE, no-obligations on-site survey.
