Does the ICO Make it Too Risky for My Company to Use CCTV in England? 

As a business owner, you are likely familiar with the benefits of a CCTV system. The better-known advantages include CCTV cameras aiding crime prevention, record keeping and safeguarding staff. However, our data protection law empowers the Information Commissioner’s Office (ICO) to fine organisations that fail to operate data protection-compliant CCTV systems. This article will explore the ICO’s expectations so your business can avoid breaching the General Data Protection Regulation (GDPR) while using your CCTV system.

What Are the Risks of Having a Non-Compliant CCTV System?

The UK GDPR and ICO do not make it too risky to use video surveillance systems. However, your organisation can greatly reduce the risk of breaching data protection regulations by implementing appropriate measures.

Let us explore several measures below.

1. Only Use CCTV if No Other Method is Available

The GDPR treats CCTV footage as ‘personal data’. Furthermore, the GDPR and ICO give personal data greater protection than other data. CCTV footage is no exception, as organisations can record an individual’s movements and actions without their prior express consent.

Accordingly, the ICO expects your organisation to consider whether a less intrusive method is sufficient for your goals. Failure to do so increases the risk that your CCTV system is for an unlawful purpose. 

Suppose you run a small clothing business with three branches. In recent weeks, you have suffered several instances of shoplifting and believe it may be due to customers hiding clothes in their bags when going into changing rooms. Accordingly, you may consider whether CCTV may help determine if customers steal clothes in the changing rooms. 

However, this is unlikely to be GDPR-compliant. There is an expectation of privacy within changing rooms (and bathrooms) due to the nature of the room. Instead, the clothing business may consider an alternative, less intrusive method, such as placing electronic tags on clothes. This avoids using a non-compliant CCTV system and means concealed clothing will beep at the exit (with tags being a deterrent).

2. Only Use Audio if Truly Necessary

Audio is relatively rare within CCTV systems in England, with most CCTV set-ups only recording visual data. 

The GDPR lists several fundamental data protection principles, including transparency, proportionality and fairness. To justify audio recordings within a CCTV system, you should consider the following:

  • whether you are transparent about the use of audio recordings, such as using appropriate signage;
  • whether using audio is proportional to the purpose of the CCTV. For example, monitoring a staff car park to guard against car theft and trespassers does not require audio recording; and
  • whether it is fair in all circumstances to record audio in that setting.

3. Provide Written Reasoning for CCTV and Provide Signage

Your business should carry out a data protection impact assessment (DPIA). This document confirms how your organisation has considered the privacy of individuals on your premises when setting up and using the CCTV system. For example, if you run a shop that has recently suffered criminal damage and vandalism, you should record this in an updated DPIA.

Naturally, one of the primary purposes of a CCTV system is to act as a deterrent. Many businesses plaster CCTV warning signs all over their premises to deter wrongdoing. Moreover, placing CCTV signage near cameras is also a GDPR requirement (to warn individuals of personal data recording).

4. Keep CCTV Footage Safe and for a Short Period

The ICO expects businesses to keep the footage in a secure location (preferably a locked room) and under password protection. The new online guidelines set out by the ICO detail the importance of protecting people’s privacy when processing video images.

The ICO and GDPR also require businesses in England to delete CCTV footage when it is no longer reasonably needed (for example, three months after the date in question). Naturally, if there is an ongoing disciplinary process, a company can keep the data relating to the incident in question for longer because it remains functional.

Key Takeaways

In summary, the legal requirements set out by the GDPR do not make it too risky to operate a CCTV system. Rather, your business must follow its data protection principles as per ICO guidelines. Businesses that follow GDPR rules can safely continue to use CCTV systems without risking a fine.

If you need help complying with the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

What are the main purposes given by businesses to justify CCTV use?

The usual legitimate interests include safeguarding company property, protecting employees, preventing crime and protecting sensitive data (such as computers and hard drives). So, if a business wishes to protect vehicles in its car park from theft, it may consider using an automatic number plate recognition system.

Where should I display CCTV signage?

You should place CCTV signage in the direct eye line of individuals on your premises. For example, many businesses will place signs near the entrance and the cameras themselves. Companies can only record CCTV footage without appropriate signage in exceptional circumstances, whether within publicly accessible places or on private property.

Thomas Sutherland
