The ICO exists to empower you through information.

15 July 2024

Overall rating

Your overall rating was red.

  • 8: Not yet implemented or planned
  • 0: Partially implemented or planned
  • 1: Successfully implemented
  • 0: Not applicable

RED: not implemented or planned

Your business has identified and documented the potential impact on individuals’ privacy and taken this into account when installing and operating the CCTV system. You regularly review whether CCTV is still the best security solution.

 

Suggested actions

You should:

  • review whether you require CCTV cameras to address a particular issue faced by your business;
  • consider whether alternative solutions might be more suitable; and
  • if you decided to install CCTV then undertake a Data Privacy Impact Assessment (DPIA) to consider and address any privacy concerns.

Guidance

Your business has paid the data protection fee to the Information Commissioner's Office (ICO).

 

Suggested actions

You should:

  • ensure you have paid any data protection fee to the ICO; and
  • renew your registration each year.

Guidance

Guide to the data protection fee, ICO website

Your business has a policy and/or procedure covering the use of CCTV and has nominated an individual who is responsible for the operation of the CCTV system.

 

Suggested actions

You should:

  • ensure that you have a policy in place to allow you to use CCTV consistently;
  • clearly define in the policy the specific purposes for the use of CCTV information and document procedures on how you should handle this information; and
  • include guidance in the policy on disclosures and how to keep a record of these.

Guidance

Your business has established a process to recognise and respond to individuals or organisations making requests for copies of the images on your CCTV footage and to seek prompt advice from the Information Commissioner where there is uncertainty.

 

Suggested actions

You should:

  • establish a clear process for staff to follow when handling requests from individuals who wish to access copies of their own images. The process should help staff to:
    • recognise a request;
    • identify and obtain the requested footage;
    • provide the requested information in a secure and approved manner;
    • keep the necessary records about a request and how you handled; and
    • seek advice where necessary, whether internally or from the ICO.

Guidance

Your business trains its staff in how to operate the CCTV system and cameras (if applicable) and how to recognise requests for CCTV information/images.

 

Suggested actions

You should ensure that:

  • all staff who are authorised to access the cameras are familiar with the system, and how to review and extract footage if required;
  • all staff are familiar with the likely disciplinary penalties for misuse of the CCTV systems; and
  • you meet and record training standards (such as SIA qualifications) when a staff member’s role explicitly includes monitoring of CCTV, eg a security guard.

Guidance

Your business only retains recorded CCTV images for long enough to allow for any incident to come to light (eg for a theft to be noticed) and to investigate it.

 

Suggested actions

You should:

  • document your information retention policy for CCTV information and ensure that it is understood by those who operate the system;
  • implement measures to ensure you permanently delete information through secure methods at the end of the retention period; and
  • undertake systematic checks to ensure that you are complying with the retention period in practice.

Guidance

Your business has ensured that the CCTV images are clear and of a high quality.

 

Suggested actions

You should:

  • review your business’s CCTV system to ensure that it is fit for purpose.

Guidance

Your business securely stores CCTV images, limits access to authorised individuals and regularly checks that the CCTV system is working properly.

 

Suggested actions

You should:

  • implement appropriate technical, organisational and physical security measures to protect against unauthorised real time access to your CCTV system;
  • protect the recorded footage from a CCTV system, whether tapes or hard disk, against access by any unauthorised person, whether an unauthorised staff member or an outsider; and 
  • store any data you have collected securely, for example by using encryption or another appropriate method of restricting access to the information.

Guidance

 

GREEN: successfully implemented

Your business clearly informs individuals of your use of CCTV.

 

 



Bespoke tools have been developed by the Surveillance Camera Commissioner
to help organisations prove their surveillance camera systems comply with the code of practice. This code applies to relevant public authorities in England and Wales, but others can adopt it voluntarily. Although, the Information Commissioner and the Surveillance Camera Commissioner have separate roles and powers, they liaise to make sure guidance and tools are consistent.

Thank you for completing this checklist. Please complete our short feedback survey to help improve our toolkit.

The survey should take around three minutes to complete.