Legislation and laws on CCTV for businesses

What legislation and laws apply to CCTV for businesses?

CCTV is a vital security measure for businesses up and down the country. By using CCTV cameras in the workplace, you can safeguard your property and employees from the threat of crime. However, without the right CCTV policy in place, you could also find yourself infringing strict privacy laws that protect the rights of individual people. Here’s everything you need to know to ensure your business stays on the right side of UK CCTV laws, including GDPR.

If employers wish to install CCTV in the workplace, they must take the following actions in order to adhere to UK privacy and data protection laws (GDPR):

  1. Employers must register as a data controller by notifying the ICO and outline the purpose of using CCTV at work. The footage collected cannot legally be used for any other purpose.

  2. All employees should be informed that they are being recorded. This is usually achieved with clear and visible signage in areas of the workplace that are monitored by cameras.

  3. Cameras should not be installed in a private area of a workplace where people expect complete privacy. This includes toilets and changing rooms.

  4. If an individual has been recorded on one of your cameras and requests to see the footage you have featuring them, you must provide them access to this within one month.

  5. ICO guidance also states that a nominated person in your company should be made responsible for the storage of video, system procedures and reviews.

 

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner's Office (ICO), unless they are exempt.

By going through the following questions you will be able to decide if you – as an individual or on behalf of your business or organisation – need to pay a fee to the ICO.

From 25 May 2018, people who use CCTV for domestic purposes, i.e. to monitor their property, even if it films beyond the boundaries of their property, will be exempt from paying a fee under data protection law.

On 1 April 2019, the rules around paying the data protection fee changed. Members of the House of Lords, elected representatives and prospective representatives (including police and crime commissioners) are exempt from paying a fee, unless they process personal data for purposes other than the exercise of their functions as a Member of the House of Lords, an elected representative or as a prospective representative. For more information, read our guidance on the data protection fee.

Is CCTV covered under GDPR?

Yes. Using cameras to monitor the activities of people constitutes processing of personal data. Therefore, this activity falls under the UK Data Protection Act 2018, which incorporates the EU-wide General Data Protection Regulation (GDPR).

All surveillance carried out away from a person’s domestic property is subject to the act, including recording from CCTV cameras in the workplace. A core principle of GDPR is that personal data, in this case video, should only be kept for as long as necessary.

Processing limits and the period of time footage can be kept for are flexible under the act. This is to take into account the differing aims and challenges each company has when introducing the cameras. The laws on CCTV do, however, insist upon complete transparency when it comes to the following:

  • Why is your business carrying out surveillance?

  • Who will be captured in recordings and are all individuals aware of the cameras?

  • How long do you intend to store the footage for?

  • How will you store the data and keep it secure in order to prevent unauthorised access?

What are the risks involved with CCTV monitoring in the workplace?

UK employers must consider the following risks when putting CCTV in place at their premises:

  • Employee trust – If you install recording equipment without making employees aware, you risk damaging the relationship with your staff. This could ultimately lead to staffing and HR issues at your company, should they resign or lodge a complaint.

  • An infringement of GDPR – If your business is found to be in breach of the General Data Protection Regulation, you could find yourself facing large fines, bans on data processing and all the bad publicity that goes with a ruling against you. It’s very important that the security of the personal data collected is protected.

  • Violation of the Human Rights Act – If the nature of your video monitoring is overly intrusive, you could be violating the privacy of your employees. This means that they could legally take you to court under the Human Rights Act 1998.

Is your CCTV policy and procedure in line with UK law?

Somebody in your organisation needs to be made responsible for managing your CCTV system and become the data controller. They need to outline a clear CCTV policy in the workplace that is in line with GDPR.

Once the system has been registered with the ICO, the first step is to make a GDPR-compliant company CCTV policy statement. This should explain to all individuals in the organisation why the cameras have been installed, how long the video data will be kept for and how it will be made secure.

A Data Protection Impact Assessment (DPIA) should be carried out to identify and manage the risks of processing video data and ensure the security of that personal data. Your procedure should be reviewed periodically to make sure that the risks continue to be managed effectively.

CCTV and GDPR FAQs

Do you have to display signs if you have CCTV?

Business owners need to display GDPR-compliant CCTV signage if they install surveillance cameras in the workplace. CCTV signage requirements are simple. Signs should be clearly visible in all the areas where surveillance is taking place and they should be readable to anybody working in the vicinity.

If it isn’t already obvious, signs should make it clear which company is operating the cameras.

How long can CCTV footage be kept for in the UK?

Employers must have a clear policy stating how long they intend to store video footage for. This should be in line with the purpose of recording the images.

For example, if you are using surveillance to protect your industrial property from crime, it would not be acceptable to store the footage for longer than six months. There is a reasonable expectation that any crimes committed at your property would have been detected and investigated in this timeframe.

Do employers have to inform employees of cameras?

Yes. Regardless of the reason why monitoring has been implemented, staff must be informed that they are being recorded. If you choose not to inform them then, depending on the location of the cameras, you could be violating their right to privacy under the Human Rights Act 1998.

Recording can only be legally kept secret in exceptional circumstances, for example if disclosure would jeopardise a criminal investigation.

Can CCTV be used to monitor staff?

CCTV monitoring can be legally used to monitor staff as long as you have made them aware of this in writing and explained the reasons why. It is only acceptable to monitor staff secretly in rare circumstances.

For example, if you suspect a staff member of committing a crime at work, it could be hard to prove this if they were aware of the surveillance. This is only acceptable in specific investigations. Recording should cease once the investigation is concluded.

Who can view CCTV footage?

All footage should be secured by a nominated data controller. They need to ensure that nobody else views the video data without good reason to do so. Anybody who has been caught on camera has the right to see the footage in which they are identifiable. Under the 2018 Data Protection Act (GDPR), they are permitted to do this by submitting a subject access request for the relevant personal data. The data controller must respond within one calendar month and provide access to the footage.

What are the CCTV audio recording laws?

CCTV audio recording laws state that conversations between members of the public are not allowed to be recorded. The only exceptions to this rule include panic buttons in a taxi or monitoring carried out in a private area of a police custody room.

It is only acceptable to introduce audio recording at your workplace if the purpose is justifiable. All employees also need to be made aware that both video and sound are being captured by cameras.