How Can My UK Company Avoid Invasions of Privacy Through CCTV Cameras?

As a UK business owner, you must protect your company property and staff, and most organisations choose to do so through a CCTV system. However, UK businesses must take care to act in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act. Any violation of the GDPR may result in a hefty fine from the Information Commissioner’s Office (ICO). This article will explain the GDPR rules for CCTV usage within UK businesses. This should help your company comply with the GDPR when deciding on suitable locations for CCTV and putting the correct documentation in place.

Why Does the GDPR Apply to CCTV Use?

The General Data Protection Regulation applies to CCTV systems because video cameras record ‘personal information’. The GDPR defines personal information as including all information that could identify a living individual, including visual images of their face.

Where the CCTV systems have microphones, the GDPR also catches any audio data from CCTV systems, which can also help identify a person.

Why Should My Company Be Aware of the ICO?

Many UK businesses are wary of the ICO because of its ability to fine UK organisations up to £17.5m for GDPR violations.

The ICO will impose fines for improper use of CCTV systems. This is because unreasonable CCTV use allows the potential for a gross invasion of privacy. Fortunately, the ICO website provides helpful information and guidance on complying with the GDPR.  

Now that we know the importance of having a fully-compliant CCTV system, let us explore some tips on avoiding invasions of privacy.

1. Avoid Inappropriate Camera Placement

Because of the detailed nature of CCTV footage, your business can only place cameras in areas where individuals do not have a reasonable expectation of privacy.

In practice, this means that (absent genuinely exceptional circumstances) you should not place cameras within the following areas:

  • bathrooms; 
  • shower rooms;
  • changing areas; or
  • any space designed for safeguarding or confidential conversations.

In addition, the actual placement of CCTV cameras can violate privacy. For example, a business can likely justify placing a CCTV camera on the ceiling of an open-plan office but not using the webcam within each computer monitor. In the same way, a camera on the kitchen roof may be fine, but one hidden at waist level on the kitchen counter could well be a violation of privacy.

The GDPR and ICO require a good reason for CCTV camera placement and usage, and the most common reasons are crime prevention and staff protection. So, for example, placing cameras in a room with valuable stock and the company safe or any area where staff interact with the general public is usually fine.

2. Carry Out Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a process within which your organisation can review any risk of data protection violation. This includes a thorough review of whether any existing or planned CCTV system will result in privacy breaches.

A good DPIA should comment on the following:

  • the purpose of the CCTV system;
  • consideration of the main ways in which the system could violate the privacy of individuals;
  • how your business aims to mitigate those privacy risks;
  • confirmation that your company has intentionally avoided placing cameras in areas with a reasonable expectation of privacy.

The ICO values well-drafted DPIAs, and having one in place is evidence of an intention to comply with the GDPR.

3. Store CCTV Footage Safely

Every UK business must guard against the unauthorised use of personal data. In relation to CCTV, this involves your company taking active and reasonable steps to safeguard CCTV recordings. CCTV video surveillance footage is treated as confidential because it monitors the movement and activities of individuals. 

In this way, if an unauthorised person or cyber attacker gains access to those CCTV recordings, it would constitute a significant invasion of privacy. Any UK organisation guilty of enabling a significant invasion of privacy will likely face a hefty financial penalty from the ICO.

4. Implement a Reasonable CCTV Policy

Having a written record of the scope and nature of your CCTV system is essential. Many UK businesses do so through a CCTV Policy, which a lawyer often drafts.

Whilst CCTV policies should fit the relevant organisation, the majority will confirm the following points:

  • the locations of the cameras;
  • the primary purpose behind the camera locations (such as crime prevention for stock rooms and staff safety for public areas);
  • the name and contact details of the individual in charge of the CCTV system;
  • that your business will only store CCTV footage for as long as necessary and then safely delete outdated footage; and
  • that your company will place appropriate CCTV warning signage near cameras.

Key Takeaways

The good news is that the GDPR and ICO do not seek to discourage UK companies from using CCTV. Instead, they simply want organisations to ensure that their use of CCTV is reasonable and GDPR-compliant. Accordingly, ensuring appropriate camera placement and appropriate warning signage can help protect your business from any ICO fines down the line.

If you need help ensuring your CCTV system is GDPR compliant, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

What is the most common reason for CCTV usage in the UK?

Most UK businesses justify their use of surveillance systems for crime prevention purposes. Many companies also use staff safety as an additional reason.

Do ring doorbell cameras count as CCTV?

Potentially, yes. They are electronic devices that capture video and audio for security purposes, so they would have to operate in a GDPR-compliant manner.

Thomas Sutherland
