With the British Security Industry Association estimating that there are between 4 and 6 million surveillance cameras in the UK, CCTV systems are one of the most popular forms of security technology in the country.
Used in a wide variety of settings - from small businesses to multinational corporations and government premises - CCTV systems are a vital security asset due to their ability to both deter crime and capture CCTV evidence that can then be used in court cases as required.
They can also be used to monitor daily operations to ensure that businesses are being run in compliance with the growing number of industry standards and government guidelines.
However, to use CCTV legally you have to comply with two legal frameworks: the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR). These frameworks exist to protect the individual's right to privacy, and to ensure the responsible handling of personal data.
In this article, we will address your obligations under the DPA and GDPR, so you can make sure that you are using your CCTV systems legally and responsibly.
We’ll refer to the current UK guidance as of April 2024, but note that this can change over time, so be sure to check for any updates to the guidance that may have occurred since. In addition, while we always operate under the relevant regulations when installing and maintaining CCTV systems, nothing in this article should be considered legal advice.
Clear And Legitimate Reason
Under both the DPA and the GDPR, businesses must have a clear and legitimate reason for the installation and use of CCTV on their premises. This purpose must be specific, compelling, and demonstrable, in order to be accepted.
The most common primary justification for installing CCTV on business premises is security. However, to cite security as your primary justification, you must be able to assess and document how you will use CCTV as part of your security strategy.
This must include evidence that your use is appropriate under the principles of necessity and proportionality detailed in the DPA and GDPR.
UK Data Protection Law – The Guidelines For CCTV Use
UK data protection law has set several guidelines that govern CCTV use in commercial premises. This guidance includes:
Transparency - Under the GDPR, all CCTV must be clearly signposted to make individuals aware that they are being filmed. In addition, staff must be made aware when a CCTV system is live, and informed if their movements will be recorded.
As part of this obligation, any individual captured on film has a right to request access to any information that identifies them, and can ask for it to be destroyed.
Privacy - CCTV must not intrude on an individual’s right to privacy. As such, you may not record private conversations except in exceptional circumstances, and CCTV cameras cannot be installed in private areas such as restrooms.
Similarly, if your CCTV system could accidentally capture images of other properties, you must make neighbouring businesses aware that you have CCTV in operation. This can be achieved by installing clear signage (like the type we can provide, for example) and ensuring that your cameras do not capture images beyond the criteria of your legitimate reason for having the CCTV system in place.
Security - You must have a named individual who has responsibility for managing any CCTV footage collected on your property.
This person should have enough authority and access to information to make informed decisions - for example, they could be a member of your security team, a manager, or the owner of the business.
The named individual must also be registered as your nominated Data Controller with the Information Commissioner’s Office.
In addition, CCTV footage must be safely and securely stored, and accessed exclusively by authorised viewers, only being transferred outside of the organisation if it is requested by the police.
Managing CCTV Footage
The duration for which you can store CCTV footage depends on what footage you have captured, and your purpose for storing it.
Guidance suggests that:
You can keep CCTV footage for up to 30 or 31 days, except in exceptional circumstances - like for example, needing to retain CCTV footage as evidence for an ongoing court case.
If your CCTV system has captured footage that needs investigation or a police report, you can keep this for up to 14 days more - or for as long as it takes the authorities to review the footage.
The length of time that you store CCTV footage for should be detailed in your company policy and supported by your reasons for surveillance.
You must not store footage for longer than six months unless an extended investigation is required.
Your Data Controller is responsible for ensuring that the identity of individuals captured by CCTV is kept private and not shared or uploaded to public networks or accessed by unauthorised personnel.
If you require technical assistance with any of these aspects – such as setting up the appropriate storage time for the CCTV footage, or how to correctly prepare it for use in a police investigation - our team can help!
Getting A Clearer Picture
At KCS Projects, we understand that the legal requirements for using CCTV technology can be complex. With over 20 years in the security industry, we are equipped with an in-depth understanding of the legal and ethical issues surrounding the use of CCTV systems.
If you have any questions regarding how to use CCTV legally and responsibly, we will be happy to assist! Contact us today on 01234 230690 to speak to one of our friendly professionals.