Data Protection

Home Office Requirements for CCTV systems

Since the 24th October 2001 it has been a criminal offence to use an unregistered CCTV system to record people in a public or private place unless it meets certain criteria.

The introduction of the Data Protection Act 1998 and other related legislation has had far reaching consequences for those who own, manage or operate CCTV systems in the United Kingdom. Every aspect of this new legislation impacts upon your use of CCTV.

The Code of Practice contains 62 legally enforceable 'Standards' that must be met to ensure compliance with the Data Protection Act 1998. The Commissioner includes a further 30 points of good practice, which together with the standards, are designed to build and maintain public confidence in CCTV systems and to ensure that they operate within the law.

The Data Protection Act 1998 came into force on March 1st 2000 and the Information Commissioner has issued a Code of Practice for CCTV systems. This Code was updated on July 14th 2000 and is available at You will need to access the section 'Guidance and other principles' then 'Codes of practice our responses & other papers' and finally 'CCTV Code of Practice'.

The code is also available from the above site as a 49-page word document.

Unfortunately, we find that those who are responsible for implementing the act consistently report that working through the code of practice is like swimming in treacle and ask what is available to help us break it down into a checklist of items that need implementing.

You will find at The Data Protection Act and CCTV our own interpretation and summary of the requirements of the act.

The Data Protection Act

This information will help you decide whether your system is subject to the Data Protection Act


1. Why is this additional guidance necessary?
There has been a recent court case that affects whether particular CCTV activities are covered by the DPA. The following notes make clearer which CCTV activities are covered by the DPA. It is particularly aimed at helping users of basic CCTV systems such as small businesses.

2. What CCTV activities are covered by the DPA?
The court case dealt with when information relates to an individual and is then covered by the DPA. The court decided that for information to relate to an individual, it had to affect their privacy. To help judge this, the Court decided that two matters were important:

  • that a person had to be the focus of the information
  • the information tells you something significant about them

This means that whether you are covered or not will depend on how you use your CCTV system.

3. If I only use a very basic CCTV system, how am I affected?
If you have just a basic CCTV system, your use may no longer be covered by the DPA. This depends on what happens in practice. For example, a small shopkeeper would not be covered who:

  • Only have a couple cameras,
  • Can't move them remotely,
  • Just record on video tape whatever the cameras pick up, and
  • Only give the recorded images to the police to investigate an incident in their shop.

The retailers would need to make sure that they do not use the images for their own purposes such as checking whether a member of staff is doing their job properly, because if they did, then that person would be the focus of attention and they would be trying to learn things about them so the use of the system would then be covered by the DPA.

4. It sounds like many users of basic CCTV systems are no longer covered by the DPA, is there an easy way to tell?
Think about what you are trying to achieve by using CCTV. Is it there for you to learn about individuals' activities for your own business purposes (such as monitoring a staff member who is giving concern)? If so, then it will still be covered. However if you can answer 'no' to all the following 3 questions you will not be covered:

  • Do you ever operate the cameras remotely in order to zoom in/out or point in different directions to pick up what particular people are doing?
  • Do you ever use the images to try to observe someone's behaviour for your own business purposes such as monitoring staff members?
  • Do you ever give the recorded images to anyone other than a law enforcement body such as the police?

5. How does this affect more sophisticated CCTV systems?
Many CCTV schemes, such as those that are used in town centres or by large retailers, are more sophisticated. They are used to focus on the activities of particular people either by directing cameras at an individual's activities, looking out for particular individuals or examining recorded CCTV images to find things out about the people, such as identifying a criminal or a witness or assessing how an employee is performing. These activities are covered by the DPA but some of the images they record will no longer be covered. So if only a general scene is recorded without any incident occurring and with no focus on any particular individual's activities, these images are not covered by the DPA.

In short, organisations using CCTV for anything other than the most basic of surveillance will have to comply with the DPA although not all their images will be covered in all circumstances. What you need to decide is whether the image you have taken is aimed at learning about a particular person's activities.

6. What should I do next?

If some of your CCTV activities are still covered you still need to comply with the DPA by making sure you have

The Data Protection Act & CCTV

The Data Protection Act 1998 is based on the following Eight Principles:

Section 4(4) of the Data Protection Act 1998 places all Data Controllers under a duty to comply with the Eight Principles of Data Protection.

As a quick reference guide:

1st Principle

Personal shall be processed fairly and lawfully, and, in particular, shall not be processed unless:

  • At least one of the conditions of Schedule 2 is met, and
  • In the case of sensitive personal data, at least one of the conditions of Schedule 3 is also met.

2nd Principle

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3rd Principle

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4th Principle

Personal data shall be accurate and, where necessary, kept up to date.

5th Principle

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6th Principle

Personal data shall be processed in accordance with the rights of data subjects under this act.

7th Principle

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8th Principle

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to...

Initial Assessment - Data Protection Principle 1

The purpose and use of the CCTV system should be established before use.

1. Assess the reasons for using equipment and how appropriate it is.
2. Establish the person or organisation that is legally responsible for the scheme.
3. Establish the purpose of scheme.
4. Document standards 1-3.
5. Lodge notification with Office of the Information Commissioner to cover purposes of use.
6. Document and identify the person or organisation that will monitor compliance of scheme.
7. Establish and document security and disclosure policies.

Location of Cameras - Data Protection Principle 2

To ensure the images are captured in a manner prescribed the location of cameras must be carefully considered.

1. The equipment should be used to only monitor the intended spaces.
2. Owners and residents of domestic premises must be consulted if domestic premises border the intended area to be viewed. (Not mandatory but good practice)
3. Those operating the system must be aware of its purpose and only use it for its specified purpose.
4. The cameras must be restricted where practicable so that those operating the system cannot overlook spaces that are not intended to be viewed.
5. Signs, which are clearly visible and legible, should be displayed so that the public are aware they are entering an area covered by CCTV.
6. Specific information should be included on the sign

  • Identity of who is responsible for the scheme.
  • The purpose of the scheme.
  • Details of who to contact regarding the scheme.

7. If signs are not appropriate and monitoring is for a specific CRIMINAL activity:

  • Fully document the following steps.
  • Identify the specific criminal activity.
  • Identify there is a need to use surveillance to obtain evidence of that activity and whether the use of signs would prejudice success in obtaining such evidence.
  • To ensure it is not carried out for longer than necessary, assess how long covert monitoring should take place.

Access by Data Subjects

This right is provided by section 7 of the Data Protection Act 1998 - Data Protection Principles 1, 6 & 7.

1. When data subjects make a request for accessing their information, those operating the system must be able to recognise such a request. A standard subject access request form should exist for this purpose and should indicate:

  • What information is required to locate the requested images?
  • What information is required in order to identify the person making the request?
  • What fee is charged for carrying out the requested search? (max £10.00)
  • Whether merely viewing the images recorded would satisfy the individual.
  • That within 40 days of receiving the required fee and information the response will be provided.
  • An explanation of the Rights provided by the 1998 Act.

2. Written information should be given to individuals of the types of images retained, their purpose and the policy concerning disclosure in relation to those images.
3. Standard 3 above should also be provided with the subject access request form.
4. The designated person should deal with all subject access.
5. The images requested should be located by a designated person.
6. A designated person should make the decision whether disclosure also entails disclosure to a third party.
7. A designated person should determine the decision as to whether the images of third parties are held under a duty of confidence.
8. A designated person must ensure that third party images are disguised if third party images are not to be disclosed.
9. An editing company may be used if the system does not have the capability to comply with standard 9 above.
10. If a third party or an editing company is used the following procedures apply:

  • There is a contractual relationship between the data controller and the editing company.
  • The editing company must give appropriate guarantees regarding the security measures taken in relation to the images.
  • It is the responsibility of the designated person to check and ensure that the guarantees are met.
  • That the editing company can only use the images in accordance with the instructions of the designated person should be explicit and in the form of a written contract.
  • The security guarantees provided by the editing company should be explicit and in the form of a written contract.

11. If it is decided by a designated person that an access is not to be complied with, the following should be documented:

  • The date of the request.
  • The identity of the person making the request.
  • Why the request to supply the images was refused.
  • The name and signature of the designated person making the decision.

12. All staff should be aware of individual's rights.
13. If disclosure is made, it should be in private with only authorised staff present.
14. The Data Subject is entitled to a copy of his data in intelligible format (Standard VHS tape).

Under Sections 10, 12 and 13 of The Data Protection Act 1998 Other Rights May Also Apply.

1. When there is a request from an individual to prevent processing likely to cause unwarranted and substantial damage or automated decision taking in relation to that individual. All operators must be able to recognise such a request.
2. When such requests are made all staff must be aware of the designated person who should respond to them.
3. The response from the designated person must indicate whether they will comply with such requests.
4. There must be a response in writing within 21 days of the designated person receiving the request.
5. The designated person must give written reasons if the request cannot be complied with.
6. A copy of the request and response must be kept.
7. The designated person must notify the individual if an automated decision is made.
8. If the individual makes a request in writing within 21 days the designated person must reconsider an automated decision.
9. The designated person will respond within 21 days setting out the steps they will take if they receive a receipt of the written request in standard 8 above.
10. The designated person will document the original decision, the request from the individual and their response to the request.
11. Data Subjects can take court action to prevent unlawful processing.
12. Data Subjects can claim compensation for "damage" suffered as a result of breaches of this Act.

Action Surrounding Subject Access Requests, Complaints and Audit

1. The contact point indicated on the sign should be available to members of the public during office hours Employees staffing the contact point should be aware of the appropriate policies and procedures.
2. Specific documentation should be provided to each enquiry. Enquirers should be provided, on request, with one or more of the following:

  • The leaflet which individuals receive when they make a subject access request as general information.
  • A copy of this code of practice.
  • A subject access request forms if required or requested.
  • The complaints procedure to be followed if they have concerns about the use of the system.
  • The complaints procedure to be followed if they have concerns about the non-compliance with the provisions of this code of practice.

3. A complaints procedure should be clearly documented.
4. A record of the number and nature of complaints or enquiries received should be kept together with an outline of the action taken.
5. A designated person should use the report in standard 4 to assess public reaction to and opinion of the use of the system.
6. A designated person should undertake regular reviews of the documented procedures to ensure compliance with the code.
7. A report of the reviews in standard 6 should be provided to the data controller so the legal obligations and provisions of this code can be monitored.
8. An internal annual assessment should be undertaken.
9. The results of the report in standard 7 should be compared with the purpose of the scheme. If the scheme is not achieving its purpose, it should be discontinued or modified.
10. The results of the report in standard 7 should be made publicly available.

Images should not be retained for longer than is necessary

Images should not be retained for longer than is necessary. While retained, the integrity of the images must be maintained to ensure their evidential value and/or to protect the rights of the people whose images have been recorded. Access to, and the security of, the images should be controlled - Data Protection Principle 3, 5 & 7.

1. Images should not be retained for longer than necessary to achieve the purposes of the CCTV system.
2. Once a retention period has expired, images must be erased.
3. If images are to be held for evidential purposes, they should be kept in a secure place with controlled access away from other routine data.
4. There are procedures for removing the medium on which the images have been recorded for use in legal proceedings. The following should be documented:

  • The date on which the images were removed from the general system.
  • The reason why they were removed.
  • Any crime incident number to which the images are relevant.
  • The location of the images.
  • The signature of the collecting officer; see below.

If the medium on which images are recorded is removed the following should be documented:

  • The date and time of removal.
  • The names of the person removing the images.
  • The name(s) of the person(s) viewing the images and the organisation s they represent.
  • The reason for the viewing.
  • The outcome if any of the viewing.
  • The date and time that images were returned to the system (or secure place if they have been retained for evidential purposes)

5. Monitors in areas where individuals would have an expectation of privacy should not be viewed by unauthorised operators and/or employees of the operators
6. Access to images should be restricted to designated staff.
7. All CCTV data must be stored securely with access limited to authorised personnel only.
8. Viewing of recorded images should only take place in a restricted area.
9. There are procedures for the removal of the medium on which images are recorded see 4 above.
10. All operators and employees to be informed of the procedures for accessing the recorded images.
11. All operators to be trained in their responsibilities so they are aware of the user's security and disclosure policies and the rights of individuals.

Access to and the disclosure of CCTV images

Access to, and the disclosure of, CCTV images and the disclosure of images to third parties should be restricted and carefully controlled to ensure the rights of individuals are protected. The chain of evidence must remain intact if the images are required for evidential purposes. Reasons for the disclosure of the images must be compatible with the purpose for which the images were originally recorded - Data Protection Principles 2, 7 & 8.

1. Access to the images should be restricted to only those who need access to fulfil the purpose of the system.
2. All access should be documented.
3. Disclosure should be made in limited and prescribed purposes.
4. All requests for access should be recorded and reasons for any denials.
5. There are procedures for allowing access or disclosure. When access to or disclosure of the images is allowed then the following should be documented:

  • The date and time of access or disclosure.
  • Identification of third party to who access or disclosure is allowed.
  • The reason for allowing access or disclosure.
  • The extent of information to which access or disclosure is allowed.

6. Recorded images should not be made widely available e.g. on an intranet site.
7. If the images are made widely available, the decision should be made by a designated person and the reasons documented.
8. If the images are disclosed to the media, the images of individuals will need to be disguised to avoid identification.
9. If the system does not have the capability to comply with standard 8 above, an editing company may be used. There are procedures if an editing company is used:

  • There is a contractual relationship between the data controller and the editing company.
  • That the editing company has given the appropriate guarantees regarding the security measures they take in relation to the images.
  • The designated person checks to ensure the guarantees are met.
  • The written contract makes it explicit that the editing company can only use the images in accordance with the instructions of the designated person.
  • The written contract makes the security guarantees provided by the editing company explicit.

10. There are procedures if the media organisation receiving the images undertakes the editing. (See notes under point 10 above.)

Quality of the Data

Quality of the Data - Images produced by the system must be as clear as possible to ensure that they are effective for the purposes for which they are intended - Data Protection Principle 3.4 & 5.

1. When installed, the equipment should be checked to ensure it performs correctly.
2. Tapes (if used) should be of good quality.
3. The maximum number of passes is 13 times.
4. The medium on which the images are recorded should be cleaned to prevent recording on top of previous images.
5. The medium on which the images are recorded should no longer be used if there is deterioration in the quality of the images.
6. If the system records location of camera, date, time etc. these should be accurate.
7. There should be a documented procedure for 5 above.
8. Cameras should be sited only where they will capture relevant images.
9. If automatic facial recognition systems are utilised, the database of images should be clear.
10. A human operator should assess and determine the action to be taken to verify matches made by automatic facial recognition systems.
11. The assessment in 9 above should be documented regardless of a match.
12. Consideration must be given to the physical conditions in which the cameras are located.
13. Operators should assess whether real time or specific timed recordings are required.
14. Cameras should be properly maintained and serviced.
15. Cameras should be protected from vandalism (if it is a likely problem).
16. A maintenance log should be kept.
17. If a camera is damaged, there are clear procedures for:

  • Defining the person responsible for making arrangements for ensuring the camera is fixed.
  • Ensuring the camera is fixed within a specific time period.
  • Monitoring the quality of the maintenance work
  • How do I draw up a CCTV Code of Practice (a legal requirement)?
  • How do I design data management documentation?
  • What form does Access documentation take?

The police state that 80% of CCTV evidence is inadmissible in court. Causes of such failures include inadequate documentation, lack of audit trail and incorrect recording of evidence.

Having spent thousands of pounds on the installation of a CCTV system it is indefensible to then have the evidence rendered unusable by the relatively small lack of investment in procedural items.

Contact Us

Please enable JavaScript in your browser to complete this form.