Latest updates - last updated 23 June 2023
23 June 2023 - We have changed the example of less intrusive security options. Dummy cameras don’t process personal data and therefore aren’t subject to UK GDPR – we have removed the reference to them to avoid confusion.
24 October 2022 - we’ve updated our blog - Installing CCTV? Things you need to do first to add further clarification and make it even easier for SMEs to follow.
We’ve written these basic steps about installing CCTV for SMEs, small businesses, and small organisations of any type.
If you’re thinking about installing CCTV or similar technology, whether you’re recording footage or just live-streaming, you’ll need to think about data protection too. People care about how you treat their personal information and that includes footage of them captured by your CCTV.
By following these basic steps, we hope you’ll feel confident that your use of CCTV complies with data protection law. You’ll also demonstrate to your customers, staff, members, and visitors how seriously you take your data protection obligations.
If you decide to install CCTV that could capture images of people, and you’re not already registered with the ICO, you must also register with us and pay the data protection fee. For SMEs this will be either £40 or £60 a year (reduced to £35 or £55 a year, if paid by direct debit).
Step one: Think about how you’ll respect people’s privacy and uphold their rights
People have a right to privacy so, if you’re thinking about installing CCTV, you have to consider how it could impact them.
It’s not unusual to see security cameras in the doorway of a bank or a nightclub, but people don’t reasonably expect to be filmed all the time.
CCTV shouldn’t be running in areas considered private – such as in toilets and changing rooms. Using CCTV here wouldn’t usually be fair or proportionate, meaning it wouldn’t be compliant with data protection law. In exceptional cases – such as when dealing with repeated serious antisocial behaviour – it may be necessary to have surveillance in private areas. You’d need strong justification for this and should make it clear that people are being filmed in these areas.
If you’re considering using CCTV but can’t justify that it’s necessary for your identified purpose, you should look into other less intrusive security options – such as security shutters or stronger lighting – before making the investment.
For example, Margaret runs a small boutique. She’s worried about shoplifting. She considers putting CCTV cameras in the fitting rooms, but she’s concerned it would be too intrusive. Instead, she decides to start using security tags on her merchandise and introduces a new policy where a member of staff logs how many items of clothing a customer takes into the fitting rooms.
If you employ staff, you should listen to their concerns about being filmed. Before installing CCTV, you should explain why you’re doing it. If you install CCTV for security reasons, it won’t usually be fair on your staff to use it to monitor or discipline them without warning. If you want to use CCTV to monitor your staff, you’ll need to make this clear to them and have a strong reason for doing so, such as health and safety reasons. Staff members can complain to the ICO if they feel you’re using CCTV unfairly. You can contact us if you’re unsure about the right thing to do in your situation.
When you’re using CCTV, you need to be aware of people’s information rights and your responsibilities in relation to those rights. One of the most common rights you’re likely to come across is the right of access. This means people can ask you for copies of their own personal data, including video recordings you hold. The CCTV system you choose therefore needs to allow you to retrieve stored footage so this right can be upheld. You must also be able to redact or remove third party data from the footage where necessary.
Step two: Consider if you need to use audio
Many cameras can record sound – but this doesn’t mean you should. You should consider whether it’s necessary in the situation you want to use it in.
Some of the key concepts in data protection law are about transparency, fairness and proportionality. Because recording conversations can be particularly intrusive, it’s difficult to justify audio recording. You won’t usually need to hear what people say, and you’re unlikely to find a lawful basis for this level of intrusion.
But the ability to record audio can be helpful for businesses in situations where you’ve exhausted all other options and you’ve got a particular need for it. For example, if your staff are subject to frequent, verbal abuse from customers. If you decide this is the way forward for your business, you must make clear to people that your CCTV captures audio as well as images. In most cases, it’s unlikely the audio recording needs to be continuous. Consider using a system where the audio can be switched on in specific circumstances eg where staff press a button.
Step three: Create a document which explains your decision
Set out why you need CCTV and how you plan to minimise the impact on people’s privacy. Include which areas the CCTV will cover, and how long you’ll keep the footage for.
It’s important to record your reasons for using CCTV. You should document your decision, including your justifications. Our checklist will help you with this.
If your use of CCTV is likely to result in a high risk to people, you’ll also need to carry out a Data Protection Impact Assessment (DPIA). A DPIA is a useful tool to help you identify the impact your use of CCTV may have on people, so you can reduce any risks. For example, if you have cameras in private areas, or are using CCTV to monitor staff. If you identify a high risk that you’re unable to reduce, you must contact us before you begin using the CCTV.
For example, Lucy runs a local community centre. The centre is used by different groups, including a slimming club, a cub-scout troop and an alcohol dependency support group. Local youths have been gathering outside the centre, committing vandalism and harassing the centre users. Lucy thinks about installing security lighting to deter the youths, but notices other local businesses have been vandalised, even with security lighting. She decides that CCTV is the best fit for the centre to prevent the vandalism and harassment. As the people likely to be recorded by the CCTV may be vulnerable, she documents this as part of a DPIA.
Step four: Update your policies
Use the document you created in step three to update your policies.
Every company, no matter the size, will have policies in place for how they do things. It’s important that you update your privacy notice to reflect that you’re now using CCTV. You should also have a separate CCTV policy.
In your CCTV policy, you need to explain the reasons why you’re using CCTV. It should include:
- the lawful basis you’re relying on for gathering and using the CCTV footage;
- who has responsibility for the CCTV;
- the security measures you have in place to protect the data you’re gathering;
- who you’ll share the data with; and
- how long you’ll keep the data.
A shorter version of this should be included in your privacy notice. You can create your own privacy notice using our template, if you haven’t already got one.
Being on top of your policies is not only efficient, it also makes the right impression on your customers, members and clients. Knowing they can find out what you do with their personal information helps to reassure them that you’re trustworthy.
Step five: Pay attention to how your CCTV is set-up
Before you start using your CCTV, you need to check the camera angle and put up signs to tell people it’s there.
When your CCTV system is being installed, make sure it only captures what you need it to – and nothing more. A slight adjustment of the camera angle could make a big difference to what’s included in the shot. You also need to check the footage is clear, otherwise it will be of limited use to you.
You need to put up signs to let people know you’re filming them. The signs should make it clear that CCTV is in operation, and should be displayed where they can be seen, such as your office or shop window. The signs could also help to improve your security by acting as a deterrent.
Your signs should explain why you’re using CCTV, and who to contact to raise any queries. Make sure your staff know what to do if someone enquires about your CCTV system.
For example, James runs a bar with an outside terrace. There have been incidents on the terrace including fights and theft, so he decides to install CCTV. He chooses a CCTV system that records high quality footage and positions the cameras so they cover only his terrace, entrance and exit, and not people passing by outside. He puts up signs at the entrance and around the terrace, to both act as a deterrent and to let those using the terrace know that the CCTV is there. He also registers with the ICO and sets up an annual direct debit payment for the data protection fee.
Step six: Keep on top of the footage you capture
You mustn’t keep the CCTV footage for longer than you need it.
Decide how long you’ll keep the data for and record this in your CCTV policy and privacy information. Have a process in place to delete the footage you no longer need. Many CCTV systems have an automatic overwrite feature, which could help with this.
You also need to keep the CCTV footage safe. If it falls into the wrong hands, your customers could be at risk and you may need to notify us of a personal data breach. You can avoid this by making sure the footage is stored securely.
You should only keep CCTV footage for as long as you need it. Most CCTV systems will have an overwrite feature, so make sure you turn this on or find another way to make sure the footage is deleted securely.
Think back to James. If another fight breaks out on his terrace, he could use the system to identify those responsible and take the necessary action. James will know fairly quickly if an incident happens, either as a result of his staff, his customers or the police telling him, and he can then review the footage. But, if nothing happens, he won’t need to keep that footage for very long. As a result, James decides to introduce a two-week retention policy for the CCTV footage.
He also makes sure the CCTV system and the footage are protected using passwords, and the system controls are in a locked private room. He limits which staff members are authorised to access the system.