19 April 2024
CCTV checklist report
Your overall rating was amber.
- 2: Not yet implemented or planned
- 6: Partially implemented or planned
- 1: Successfully implemented
- 0: Not applicable
RED: not implemented or planned
Your business has identified and documented the potential impact on individuals’ privacy and taken this into account when installing and operating the CCTV system. You regularly review whether CCTV is still the best security solution.
Suggested actions
You should:
- review whether you require CCTV cameras to address a particular issue faced by your business;
- consider whether alternative solutions might be more suitable; and
- if you decided to install CCTV then undertake a Data Privacy Impact Assessment (DPIA) to consider and address any privacy concerns.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
- Guide to the UK GDPR – DPIAs, ICO website
Your business trains its staff in how to operate the CCTV system and cameras (if applicable) and how to recognise requests for CCTV information/images.
Suggested actions
You should ensure that:
- all staff who are authorised to access the cameras are familiar with the system, and how to review and extract footage if required;
- all staff are familiar with the likely disciplinary penalties for misuse of the CCTV systems; and
- you meet and record training standards (such as SIA qualifications) when a staff member’s role explicitly includes monitoring of CCTV, eg a security guard.
Guidance
- Surveillance Camera Commissioner website
- Surveillance Camera Code of Practice, GOV.uk website
- Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
- Guide to the UK GDPR – Right of access, ICO website
AMBER: partially implemented or planned
Your business has a policy and/or procedure covering the use of CCTV and has nominated an individual who is responsible for the operation of the CCTV system.
Suggested actions
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
- ensure that you have a policy in place to allow you to use CCTV consistently;
- clearly define in the policy the specific purposes for the use of CCTV information and document procedures on how you should handle this information; and
- include guidance in the policy on disclosures and how to keep a record of these.
Guidance
Surveillance Camera Commissioner website
Surveillance Camera Code of Practice, GOV.uk website
Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
Your business has established a process to recognise and respond to individuals or organisations making requests for copies of the images on your CCTV footage and to seek prompt advice from the Information Commissioner where there is uncertainty.
Suggested actions
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
- establish a clear process for staff to follow when handling requests from individuals who wish to access copies of their own images. The process should help staff to:
- recognise a request;
- identify and obtain the requested footage;
- provide the requested information in a secure and approved manner;
- keep the necessary records about a request and how you handled; and
- seek advice where necessary, whether internally or from the ICO.
Guidance
Surveillance Camera Commissioner website
Surveillance Camera Code of Practice, GOV.uk website
Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
Guide to the UK GDPR – Right of access, ICO website
Your business only retains recorded CCTV images for long enough to allow for any incident to come to light (eg for a theft to be noticed) and to investigate it.
Suggested actions
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
- document your information retention policy for CCTV information and ensure that it is understood by those who operate the system;
- implement measures to ensure you permanently delete information through secure methods at the end of the retention period; and
- undertake systematic checks to ensure that you are complying with the retention period in practice.
Guidance
Surveillance Camera Commissioner website
Surveillance Camera Code of Practice, GOV.uk website
Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
Keeping records to meet corporate requirements, National Archives
Guide to the UK GDPR - Data minimisation, ICO website
Your business has ensured that the CCTV images are clear and of a high quality.
Suggested actions
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
- review your business’s CCTV system to ensure that it is fit for purpose.
Guidance
Surveillance Camera Commissioner website
Surveillance Camera Code of Practice, GOV.uk website
Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
Your business securely stores CCTV images, limits access to authorised individuals and regularly checks that the CCTV system is working properly.
Suggested actions
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
- implement appropriate technical, organisational and physical security measures to protect against unauthorised real time access to your CCTV system;
- protect the recorded footage from a CCTV system, whether tapes or hard disk, against access by any unauthorised person, whether an unauthorised staff member or an outsider; and
- store any data you have collected securely, for example by using encryption or another appropriate method of restricting access to the information.
Guidance
Surveillance Camera Commissioner website
Surveillance Camera Code of Practice, GOV.uk website
Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
Your business clearly informs individuals of your use of CCTV.
Suggested actions
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
- put up clearly visible signs to ensure that anyone likely to be captured by the cameras is aware of them;
- ensure that signs include the contact details for the system’s owner; and
- consider including a web address where you can provide more detailed information about the system, for example how to exercise their rights and how long you keep images for.
Guidance
Surveillance Camera Commissioner website
Surveillance Camera Code of Practice, GOV.uk website
Surveillance Camera Code of Practice – Self Assessment Tools, GOV.uk website
Guide to UK GDPR – Right to be informed, ICO website
GREEN: successfully implemented
Your business has paid the data protection fee to the Information Commissioner's Office (ICO).
Bespoke tools have been developed by the Surveillance Camera Commissioner to help organisations prove their surveillance camera systems comply with the code of practice. This code applies to relevant public authorities in England and Wales, but others can adopt it voluntarily. Although, the Information Commissioner and the Surveillance Camera Commissioner have separate roles and powers, they liaise to make sure guidance and tools are consistent.
Thank you for completing this checklist. Please complete our short feedback survey to help improve our toolkit.
The survey should take around three minutes to complete.