CCTV systems are a powerful deterrent against crime. As a result, many business owners choose to install surveillance systems to protect their employees and assets.
As a CCTV installation and system expert, we have developed this guide to help business owners understand and navigate the Commercial CCTV Regulations and guidelines.
Table of Contents
Quickly jump to any section using the handy links below.
Businesses are authorised to use CCTV to protect their property; however, you must follow data protection laws.
- Display clear signage to let people know CCTV is in use and for what purpose.
- Be able to provide recorded images within one month to anyone you have recorded on CCTV.
- When requested by the police, you must share images with the authorities.
- Only store images as long as required.
- You must pay a data protection fee to the ICO. There are some exemptions.
The Information Commissioner’s Office (ICO)
The ICO is an independent UK body created to uphold information rights.
Video surveillance systems can process large volumes of personal data. As a result, the ICO has detailed guidance on how your business can stay within the legal requirements of GDPR and the Data Protection Act 2018.
The ICO’s guidance is for businesses that operate CCTV systems that view or record individuals. This also includes ANPR, Facial Recognition Technology and Machine Learning.
The ICO’s guidelines refer to the Surveillance Camera Code of Practise to encourage compliance with the SC code.
Surveillance Camera Code of Practice
The surveillance camera code of practice provides standards and good practices when operating CCTV.
CCTV System operators should follow 12 principles:
- CCTV must always be used for a specific purpose with a legitimate aim to meet an identified need.
- The CCTV operator must consider the impact of operations on individuals’ privacy.
- There must be transparency about the use of CCTV, including a stated contact for access to information and complaints.
- There must be an individual responsible and accountable for all CCTV usage.
- Businesses must design and implement strict policies and procedures before using a surveillance system, and you must communicate them to all relevant parties.
- Images (CCTV footage) should only be stored as long as it is strictly required. Information should be deleted when no longer needed.
- Access to stored footage and information should be restricted.
- CCTV system operators must consider any operational, technical and competency standards to a system and its purpose.
- CCTV footage should be subject to strict security measures to protect against unauthorised access.
- You must implement effective review and audit procedures to meet legal requirements, policies and standards.
- CCTV surveillance should be used most effectively to support public safety and law enforcement to process images and information of evidential value.
- Information used to support a surveillance system which compares against a database for matching purposes should be accurate and up to date.
Businesses must implement technical and organisational measures to meet data protection legislation.
If your surveillance system is processing identifiable individuals’ personal data, you must notify and pay a data protection fee to the ICO.
Businesses must maintain a record of their processing activities. The record should include:
- The purpose of surveillance
- Data sharing
- Data retention periods
- Personal Data
When using a surveillance system, you must perform a Data Protection Impact Assessment (DPIA) if any processing is likely to result in a high risk to individuals, including:
- monitoring individuals at a workplace.
- monitoring publicly accessible places on a large scale or
- processing special category data such as biometric data and facial recognition
Your DPIA must include details of:
- the nature, content, scope and purpose of processing
- compliance measures
- risks to individuals
- measure to mitigate risk
You can find the ICO’s DPIA checklist here.
Effective control of surveillance systems
Businesses must establish who has control of personal data being processed. This person will:
- Decide what is to be recorded
- How surveillance should be used
- Who has access to recorded footage
You must always use surveillance systems fairly, as well as lawfully. Fairness means you should only use CCTV where it would be reasonably expected and not use it in unfair ways. For example, you should not use surveillance in toilets or changing rooms.
You must ensure that your CCTV usage is clearly communicated to those being recorded, for example, using signage. In addition, people should be able to find information and contact you about their privacy concerns.
Considering the implications of your surveillance system on people’s privacy is essential.
Transparency is a fundamental aspect of data protection law. You must inform people when you are capturing their personal data.
- Install signage to accompany your CCTV system that is visible and readable, explaining that its use is in operation.
- Include details of the organisation operating the system.
- Include contact details such as a website, telephone number or email address.
You should not use surveillance systems to record conversations between members of the public. Doing so is highly intrusive and unlikely to be justifiable.
If your surveillance system is equipped with sound recording functionality, it should be disabled.
CCTV in the workplace
You must only use surveillance systems in the workplace in rare circumstances. This could be to record staff performing a particular task or to record employees entering or exiting a secure area.
In these circumstances, you must:
- Consult your employees during the DPIA process
- Ensure you notify and inform employees about the nature and extent of surveillance as well as its purpose
- Target any video monitoring directly at the area of the specified risk
- Respect the rights staff have about their personal data and enable them to raise complaints or concerns to you directly.
Minimising the information you process and ensuring quality
Under UK GDPR and the Data Protection Act 2018, you must ensure that the data you are processing is:
- Adequate – efficiently fulfils its stated purpose
- Relevant – has a rational link to the purpose
- Limited – you don’t hold more than you require for its purpose
Your CCTV system must serve the purpose you installed it for. For example, if identification is an essential purpose of processing, then your system must produce images that identify. If your system does not meet your requirements, it undermines its purpose.
- Your CCTV system must process adequate and relevant personal data.
- Identify the minimum amount of personal data needed to fulfil its purpose.
- Install a surveillance system that can produce good, clear and high-quality images.
- Set up your system so that information cannot be corrupted.
- Have regular checks to ensure that the time stamp and dates recorded are accurate.
All recorded information should be stored securely to maintain confidentiality, integrity, and availability. To achieve this, you must consider how you hold and record data.
- Be able to demonstrate that technical and organisational measures are in place to maintain the confidentiality, integrity and availability of data captured by CCTV.
- Ensure that access to footage and data is restricted to authorised individuals.
- Be able to obtain copies of footage from your system in a timely manner while retaining image quality and time and date information.
- Be able to demonstrate that the information you collect complies with technical standards.
Automatic Number Plate Recognition (ANPR)
ANPR systems collect and analyse large volumes of data in real-time. For example, ANPR systems capture the images of vehicles, the number place and registration mark.
When using ANPR, you must ensure that your databases are:
- Provide sufficient quality to prevent mismatches.
If you intend to share data processed by ANPR with third parties, you must ensure you are doing so lawfully. In addition, you should have a data-sharing agreement in place.
Facial Recognition Technology (FRT)
FRT can identify a person from a digital image. The software measures and analyses facial features to create a biometric template.
Facial recognition technology is frequently used to identify, authenticate or verify an individual. For example, when unlocking a mobile phone or passing through passport control.
The ICO sees FRT as special category personal data.
To comply with ICO guidelines, you must:
- Conduct a DPIA that addresses the need to use Facial Recognition Technology.
- Fully document your justification for the use of FRT.
- Ensure that a sufficient volume and variety of training data have been included.
- Have chosen an appropriate resolution for the cameras you use and carried out testing.
- Position cameras in areas with sufficient light to ensure good quality images are taken.
- Be able to identify false and true matches.
- Record false positive and false negative rates.
- Comply with the Surveillance Camera code of practice.
CCTV System Checklist
The Biometrics and Surveillance Camera Commissioner created a buyer’s toolkin in 2018 to help small-businesses who are thinking about buying a cctv system.
The guide was designed to help business owners make an informed decision about whether a surveillance system is the right choice for them.
Commercial CCTV FAQ
We have been providing professional CCTV installation services to businesses across Essex for 20 years. As a result, we have been asked many questions about CCTV regulations.
We have listed some of the most frequently asked questions about commercial CCTV below.
Do I need to pay a data protection fee for CCTV?
If you use a surveillance system and process the personal data of identifiable individuals, you must notify the ICO and pay a data protection fee. There are some exemptions.
Can I operate CCTV without a licence?
CCTV Operators are lawfully required to have a CCTV licence. You must pass a series of application checks to obtain an SIA licence.
Do I have to put signs up when I have CCTV?
When using CCTV, it is a legal requirement to display appropriate signage. Your signage should state the purpose of the CCTV recording and details of a suitable contact should someone wish to complain or access their data.
Did you find this article helpful?
Easily share this article with a friend or colleague using the social share links below.