0333 900 0101

CCTV Rules and Regulations UK: Data Protection, GDPR and your business

Estimated Reading Time: 15 minute(s)

CCTV Laws UK – What is the law on CCTV cameras?

If you are thinking about installing CCTV at your place of business, there are some important issues to consider, including commercial CCTV rules and regulations.

It is perfectly reasonable to have CCTV installed at your workplace.  A video surveillance system can provide your company and its employees with many benefits.  For example, a camera system can increase the overall security of a site, creating a safer workspace for employees.  It is, however, the employers’ responsibility to inform employees of a few basic but very important factors.

 

0333 900 0101 sales@network-data-cabling.co.uk Contact us

Legal Requirements and Notifications

In the UK, installing CCTV on commercial properties involves adhering to strict regulations. Unlike residential use, businesses do not enjoy the ‘household exemption’ and must comply with the Data Protection Act 2018 and the GDPR. This means you are required to:

  • Display clear signs notifying everyone that CCTV is in use.
  • Use the system solely for its intended purpose to minimise privacy invasion.
  • Ensure that data or footage is not misused or kept longer than necessary.

Additionally, individuals have the right to request access to footage of themselves. Handling these subject access requests properly is crucial. Non-compliance with these regulations can lead to substantial penalties, so understanding and meeting all requirements is essential for any business owner considering CCTV installation.

By being informed about these responsibilities, you can effectively utilise CCTV to enhance security while remaining compliant with all legal obligations.

Commercial CCTV regulations and the ICO CCTV code of practice

Firstly, the system must be registered with the Information Commissioner’s Office (ICO).  The ICO is the UK’s independent body set up to uphold information rights.  For companies with less than 250 employees, the annual cost for data protection fee is £60 (£55 if paid by direct debit).

CCTV and GDPR: CCTV Rules and Regulations in the workplace

People have the right to privacy; consider the impact a CCTV camera will have on your employees and visitors and the reason for its installation.

  • Installation Considerations: CCTV should not be installed in ‘private’ areas unless there’s a justified reason. Cameras in reception areas or open offices are generally acceptable, as these spaces are considered ‘public.’
  • Privacy: Meeting rooms, however, offer a higher expectation of privacy, and while typically off-limits, there might be justified reasons for monitoring, especially if there are external visitors. Under no circumstances should cameras be placed in toilets.

Limiting Privacy Invasion

To comply with regulations, the CCTV system must be used solely for its intended purpose, and data should not be misused or retained longer than necessary. Clear operational requirements for each camera should be defined to help stakeholders understand the need for surveillance and facilitate acceptance in the workplace.

Handling Subject Access Requests

Another critical aspect is handling subject access requests correctly. People have the right to view footage of themselves upon request, and businesses must be prepared to process these requests efficiently.

Risk Assessment and Compliance

A risk assessment should be conducted to identify potential problems like unauthorized entry or theft. This involves creating a standard matrix for likelihood and severity, helping decide the importance of each surveillance area.

Non-compliance with these regulations can result in significant penalties, so it’s crucial to be thoroughly versed in these laws and ensure all requirements are met. This demonstrates accountability and professionalism in the approach to CCTV installation, safeguarding both the business and its employees.

0333 900 0101 sales@network-data-cabling.co.uk Contact us

Uses of CCTV cameras in the workplace and CCTV data protection

CCTV should not be installed in ‘private’ areas unless there is a special consideration to justify this.  Installing a camera in a reception area or in an open office is generally acceptable because this sort of space is ‘public’.

Meeting rooms are less likely to be deemed as ‘public’, and most people would expect a higher level of privacy, but it could be that a meeting room could be required to be monitored – perhaps there is a possible risk if external people are in meetings.  Toilets are certain off-limits for cameras, and there would be very few scenarios where a camera could be justified.

Clearly defining the operational requirement of each camera is important and a very worthwhile exercise.  If you can justify each CCTV camera by stating what it is actually doing, you will help people understand and find it easier to accept a system in their work environment.  A site plan will help decide where potential issues may be.

The next step is to state the problems CCTV might be able to help with.  Things such as unauthorised entry and theft are two examples of common problems.  Stakeholders should, at this stage, have some input if appropriate – are the other businesses that use the space?

A risk assessment should be carried out for each potential problem.  A standard matrix of likelihood and severity should be completed.  An unauthorised entry might be considered likely but of minor severity in some offices, but others might consider this a severe breach of security.  It is for you to decide.

Again, this shows that your organisation has systematically worked through steps that demonstrate accountability and professionalism in its approach to the potential installation of a CCTV system.

The success criteria of a camera should also be considered:

  • Will it stop an event?
  • Will it help investigate an event after the fact?
  • Will it work 24/7 or just during office hours?

CCTV should be considered as part of a good security solution and should be looked at as part of the overall security measure of a site.  You would not leave an office unlocked overnight and expect the CCTV system to stop unauthorised persons from entering – you would at least lock the doors and set the alarm.  This may seem obvious, but it illustrates the point that CCTV is part of the security measures that you should consider to make your space as secure as you possibly can.

Is CCTV covered under the Data Protection Act (DPA)?

Absolutely, the DPA indeed covers CCTV usage. While domestic CCTV systems that only capture video footage within the boundaries of the homeowner’s property may be exempt, any system that records areas beyond these boundaries, such as communal areas, public footpaths, or neighbours’ properties, must comply with the DPA. This means that businesses and individuals using CCTV must ensure their systems are compliant with data protection regulations.

Before the CCTV is installed, please consult your staff and explain the reason for installation, ensuring them that their personal data is secure and will be deleted after a defined period. The CCTV will not be used to monitor or discipline them without warning. If you do wish to monitor what time staff arrive and leave the office, for example, they must clearly be told this and must feel comfortable with the practice.

Balancing Monitoring with Privacy

Using CCTV to watch staff can be a delicate matter. As an employer, it’s crucial to ensure that any monitoring is justified and doesn’t infringe on employees’ privacy rights. Clearly communicate the purpose of the surveillance to your team. This means providing clear signs that indicate CCTV is in operation and developing a comprehensive CCTV policy for all staff to access and understand.

Ensuring Transparency and Trust

Transparency is key. Let your employees know that they are being monitored and why. This not only builds trust but also ensures compliance with legal guidelines. Make sure to incorporate feedback from your staff during consultations and reassure them of the security and temporary nature of the data collected.

By carefully balancing the need for security with respect for privacy, you can create a safer and more transparent workplace environment.

Please remember that anyone, including your staff, has the right to ask for copies of any personal data you hold on them – this includes CCTV footage that they appear in.

Creating a Data Protection Impact Assessment (DPIA) will help document your reasons for using CCTV and provide support for installing CCTV.

Commercial CCTV Rules and Regulations FAQs

Where can I point my CCTV cameras?

As part of the DPIA, the operational requirement of each camera should be defined and designated as such.  This will also help us to ensure that we give you the coverage you require.  There are 4 groups that cameras will fall into.

They are detect, observe, recognise and identify.  As you will see from the setup of each of these types of cameras, the personal information will be different.  Having said this, we would suggest that all CCTV cameras that capture any person would be liable to subject access requests.  Here is a general overview of the 4 groups any camera you install will fall into:

  • Detect

Simply put, a camera that is designated to detect shows a general overview of an area.  The accepted technical definition is that an adult would account for approximately 10% of the image height.  At this size, you would be able to detect a person, but smaller details would be less detailed or not seen.

A detect camera is sometimes called an overview camera and would be put in a reception area or a car park, for example.  It would be used to see what is going on in a wide area but would not be able to give much more information other than that.

These types of cameras are extremely useful and probably the most common on a site.  Additionally, these cameras are probably seen as less intrusive as they are not taking close-up images of people and are generally in ‘public’ areas.

  • Observe

These cameras provide a more detailed view of an area, with the ratio of an adult being between 25 and 30% of the screen height.  At this size, more detail about the person is visible and gives a compromise between detail and context.

This type of camera might be used in more sensitive areas such as stock rooms or areas where cash is handled.  This camera would be able to provide a greater level of certainty over events in a smaller area.  Again, the level of justification for this type of camera will help provide a narrative to all.

If you were looking to put this type of camera in the general office overlooking your staff, they would probably find this unacceptable and without a good reason, they would probably be right to be concerned.  If, however, an observation camera was placed inside a cage where company IT equipment was stored, they would probably be more understanding.

This type of camera is less common and would only be used in limited scenarios.

  • Recognise

A recognised camera provides an image of an adult of approximately 50% of the screen height.  These cameras provide very good details of an individual and would allow identification rates to be very good.

These cameras are good for wider entry points to an area.  A set of double doors leading into a reception could be covered with a recognised camera and allow easy identification of an individual, whether it be live or via a retrospective review of footage.

These cameras are often used at wider egress points into an area.  Depending on your egress points, these cameras will be needed.

  • Identify

These cameras provide a close-up image of a person, with the individual taking up 100% of the screen height.

A camera of this type would provide an extremely detailed image of a person, and it would be expected to provide an image that would establish, beyond reasonable doubt, the identity of an individual.  Very little context would be given with this type of camera, and it would require a choke point such as a single door width opening.

Multiple cameras can also be used to cover wider areas, with each camera viewing a section of the egress point.  The entrance to a bank would have one or more of these cameras to record ID images of everyone that enters the branch, for example.

With an identifiable image of every person that enters the CCTV covered area, any activity captured on the subsequent observer or detect cameras would then be able to be tracked back to an individual that would be easily identifiable.  The addition of an identify camera can hugely increase the effectiveness of any investigation.

These groups are based on general concepts, and as CCTV technology improves, more detail can be gained from detect and observe cameras – in some cases, an observe camera can give the same level of detail as an identify camera.  In some cases, this is desirable, but in others, maybe not.

We are able to make sure that the cameras capture the right amount of information – not too little or too much.  It might be thought that you should capture as much as you are able to, but if you are able to observe cameras and see what someone is texting on their phone, you might want to reconsider the ability of that device and use a different one.

The system should be proportionate – this is for everyone’s good.  If you have a system that does what you set out to do – no more or no less – then you have succeeded, and you can be confident that you are treating everyone lawfully.  Understanding and defining each camera’s requirements will go a long way to helping you attain a compliant system.

Creating a company CCTV policy based on the steps discussed above will help you communicate to and safeguard your company and its employees.  The policy does not need to be overly complex but should detail what the system is being used for, reassuring staff that their data is being lawfully, safely used and stored, being deleted after an agreed period, who to contact if they have a question and what to do if they wish to see footage that they are in.

0333 900 0101 sales@network-data-cabling.co.uk Contact us

Who can view CCTV footage?

Everyone has the right to access their personal data and, to some extent, the right to view CCTV images of themselves.  With CCTV footage, this can become difficult – if an employee has an altercation with another member of staff, the footage that they are in will most likely contain other people’s personal data too – which they are not able to see without the express permission of all recorded individuals.  This creates a dilemma that can be difficult to resolve.

Firstly, there is a limit to what an individual can request to see – you are within your rights to ask why they would like to see any footage, and the bar should be low to start with, but if they ask for more and more footage for no particular reason, you can refuse.

Secondly, there are ways to mask footage and provide redacted footage to staff with only their information in.  There are automated systems that we provide that can redact CCTV footage automatically, and there are services to redact footage after the fact.

Please talk to us if you have any questions relating to the release of images – it is a complex issue that we are here to help with.

Do you need a sign if you have CCTV? Are CCTV signs a legal requirement?

Controlling who has access to the recorded CCTV data is extremely important and will help ensure that everyone is comfortable with its use.  Proper signage is also very important.  We will be able to help ensure that cameras do not inadvertently capture images that they shouldn’t – collateral intrusion is sometimes unavoidable but should be acknowledged and documented.

We will also make sure that recorded footage is automatically deleted after an appropriate time.  There is no exact amount of time that CCTV must be deleted after – legally, the retention period should be justifiable.  30 days is considered the norm – this came from the days of VHS tapes – one tape for each day of the month – you would put in tape 1 on the 1st, tape 2 on the 2nd, etc.  It made things simple when you needed to find out what happened on the 15th of last month.

With modern systems, this is irrelevant, but the practice has remained.  In reality, you can overwrite the data after 10 days or 100 days – it really does not matter.  If you have a site that is empty for 3 months, you might want to keep the information for 100 days to give you the ability to check back over the period when it was empty.  If you have a site where people are in every day, the time between identifying an issue and potentially reviewing recorded footage is less.  Having said this, 30 days is considered the standard retention period for CCTV images.

Potential Consequences of Non-Compliance with UK CCTV Regulations

Ignoring CCTV regulations in the UK can lead to significant repercussions. One immediate consequence is the possibility of receiving a fine if a complaint is lodged against your system. When a complaint is raised, the Information Commissioner’s Office (ICO) might investigate to ensure you’re adhering to the Data Protection Act (DPA). Non-compliance could result in monetary penalties.

In more serious scenarios, violations might escalate to legal action. Ending up in court is a real possibility if the breaches of regulations are severe enough. Beyond the legal and financial aspects, there are social implications to consider. Failing to abide by the rules can strain relationships with neighbours, as privacy is a shared community value.

Maintaining compliance isn’t just about avoiding penalties; it’s about fostering a respectful atmosphere where everyone enjoys their privacy and feels secure. Therefore, adhering to CCTV guidelines serves as both a legal obligation and a social responsibility.

If you follow these steps, you and your company will have gone a long way to comply with the Data Protection Act, the Human Rights Act and GDPR and have a compliant security system that is fit for purpose. For any more information on commercial CCTV rules and regulations, please contact us at ACCL if you would like to discuss having a lawful and professionally installed CCTV system at your office.

Related topics: CCTV laws, UK CCTV employee rights

0333 900 0101 sales@network-data-cabling.co.uk Contact us

Get in touch today

Have a no-obligation chat with one of our data cabling experts, who can recommend a solution to suit your requirements and budget.

0333 900 0101 sales@network-data-cabling.co.uk Contact us