Reprimand issued to Greater Manchester Police over CCTV failings

• Police force demonstrated “serious shortcomings” in how they handle CCTV footage
• GMP “unable to recover” two hours missing footage
• Force has since improved retention policies and upgraded surveillance system

We have issued a reprimand to Greater Manchester Police (GMP) following failures in its storage and handling of CCTV footage.

A person was held in custody for 48 hours in February 2021. During this period, a CCTV system was in operation.

GMP’s Professional Standards Directorate (PSD) later submitted an internal request to retain this information beyond the typical 90-day period. When responding to a subsequent related subject access request, the force later realised two hours of the footage was missing. GMP states that, despite all attempts, it is unable to recover the missing two hours of footage. This led GMP to self-reporting a personal data breach to the ICO on 5 September 2023.

Our investigation assessed GMP’s compliance with data protection laws related to the storage of CCTV footage. We have ruled that GMP has failed to provide the complainant with their personal data, both without undue delay and by the end of the applicable period of one month, and failed to ensure that the appropriate technical or organisational measures were in place to protect the accidental loss of the CCTV data it was processing.

Our investigation found two key failings in GMP’s data protection practices:

• A misunderstanding between GMP staff, with regards to the responsibility to conduct a quality check of the retained footage.
• A lack of policies and guidelines within GMP to identify that quality checks were required or who is responsible for this task.

Sally Anne Poole, Head of Investigations at the Information Commissioner’s Office, said:

“CCTV footage, particularly of a person at their most vulnerable, can contain highly sensitive personal data and must be properly protected. It is vital that authorities like police forces have the strictest measures in place to protect personal data to maintain public trust.

“It is clear in this case that Greater Manchester Police failed its obligation to keep the complainant’s personal data safe and demonstrated serious shortcomings in how it handles CCTV footage. Data protection is not an afterthought; it is a core responsibility. In this case, we see the potential consequences when this responsibility is not properly adhered to.

“Police forces and public bodies across the country can learn from failures like this and ensure they have the right systems and oversight in place to prevent these mistakes from happening again. Public trust depends on it.”

In the time since the incident, GMP has taken remedial action, including:

• Implementing clearer retention policies for CCTV footage.
• Proactive investment in its surveillance and security system infrastructure in 2023, resulting in a significant upgrade in its system capabilities.
• Strengthening internal oversight and governance measures to prevent similar incidents in the future.
• Introducing a strictly regulated process to ensure that only authorised force personnel have access to the footage held within the CCTV server.

There is an ongoing investigation into the wider case by the Independent Office of Police Conduct.

The full reprimand can be read here. 

For further information on how organisations can ensure compliance with data protection laws, see our guidance on accountability and governance.