27 July 2024
CCTV checklist report
Your overall rating was red.
- 9: Not yet implemented or planned
- 0: Partially implemented or planned
- 0: Successfully implemented
- 0: Not applicable
RED: not implemented or planned
Your business has identified and documented the potential impact on individuals’ privacy and taken this into account when installing and operating the CCTV system. You regularly review whether CCTV is still the best security solution.
Suggested actions
You should:
- review whether you require CCTV cameras to address a particular issue faced by your business;
- consider whether alternative solutions might be more suitable; and
- if you decided to install CCTV then undertake a Data Privacy Impact Assessment (DPIA) to consider and address any privacy concerns.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
- Guide to the UK GDPR – DPIAs, ICO website
Your business has paid the data protection fee to the Information Commissioner's Office (ICO).
Suggested actions
You should:
- ensure you have paid any data protection fee to the ICO; and
- renew your registration each year.
Guidance
Guide to the data protection fee, ICO website
Your business has a policy and/or procedure covering the use of CCTV and has nominated an individual who is responsible for the operation of the CCTV system.
Suggested actions
You should:
- ensure that you have a policy in place to allow you to use CCTV consistently;
- clearly define in the policy the specific purposes for the use of CCTV information and document procedures on how you should handle this information; and
- include guidance in the policy on disclosures and how to keep a record of these.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
Your business has established a process to recognise and respond to individuals or organisations making requests for copies of the images on your CCTV footage and to seek prompt advice from the Information Commissioner where there is uncertainty.
Suggested actions
You should:
- establish a clear process for staff to follow when handling requests from individuals who wish to access copies of their own images. The process should help staff to:
- recognise a request;
- identify and obtain the requested footage;
- provide the requested information in a secure and approved manner;
- keep the necessary records about a request and how you handled; and
- seek advice where necessary, whether internally or from the ICO.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
- Guide to the UK GDPR – Right of access, ICO website
Your business trains its staff in how to operate the CCTV system and cameras (if applicable) and how to recognise requests for CCTV information/images.
Suggested actions
You should ensure that:
- all staff who are authorised to access the cameras are familiar with the system, and how to review and extract footage if required;
- all staff are familiar with the likely disciplinary penalties for misuse of the CCTV systems; and
- you meet and record training standards (such as SIA qualifications) when a staff member’s role explicitly includes monitoring of CCTV, eg a security guard.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
- Guide to the UK GDPR – Right of access, ICO website
Your business only retains recorded CCTV images for long enough to allow for any incident to come to light (eg for a theft to be noticed) and to investigate it.
Suggested actions
You should:
- document your information retention policy for CCTV information and ensure that it is understood by those who operate the system;
- implement measures to ensure you permanently delete information through secure methods at the end of the retention period; and
- undertake systematic checks to ensure that you are complying with the retention period in practice.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
- Guide to the UK GDPR – Right of access, ICO website
- Keeping records to meet corporate requirements, National Archives
- Guide to the UK GDPR - Data minimisation, ICO website
Your business has ensured that the CCTV images are clear and of a high quality.
Suggested actions
You should:
- review your business’s CCTV system to ensure that it is fit for purpose.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
Your business securely stores CCTV images, limits access to authorised individuals and regularly checks that the CCTV system is working properly.
Suggested actions
You should:
- implement appropriate technical, organisational and physical security measures to protect against unauthorised real time access to your CCTV system;
- protect the recorded footage from a CCTV system, whether tapes or hard disk, against access by any unauthorised person, whether an unauthorised staff member or an outsider; and
- store any data you have collected securely, for example by using encryption or another appropriate method of restricting access to the information.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
Your business clearly informs individuals of your use of CCTV.
Suggested actions
You should:
- put up clearly visible signs to ensure that anyone likely to be captured by the cameras is aware of them;
- ensure that signs include the contact details for the system’s owner; and
- consider including a web address where you can provide more detailed information about the system, for example how to exercise their rights and how long you keep images for.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
- Guide to UK GDPR – Right to be informed, ICO website
Bespoke tools have been developed by the Surveillance Camera Commissioner to help organisations prove their surveillance camera systems comply with the code of practice. This code applies to relevant public authorities in England and Wales, but others can adopt it voluntarily. Although, the Information Commissioner and the Surveillance Camera Commissioner have separate roles and powers, they liaise to make sure guidance and tools are consistent.
Thank you for completing this checklist. Please complete our short feedback survey to help improve our toolkit.
The survey should take around three minutes to complete.