Data Protection Act

Staying within the Law

Data Protection and Human Rights legislation are important considerations for anyone designing, installing or using a CCTV system. However, there’s much more involved than is sometimes supposed. In some key respects, you may be surprised at what the legislation specifically requires. Here we provide our step-by-step guide to ‘staying within the law’.

Underpinning the Data Protection Act 1998 are eight Data Protection Principles. In summary, the principles require that personal data (which means, broadly, data relating to a living individual) shall be:

    Fairly and lawfully processed

    Processed for limited purposes

    Adequate, relevant and not excessive


    Not kept longer than necessary

    Processed in accordance with the data subjects’ rights


    Not transferred to countries outside of the European Economic Area without adequate protection

There are five areas of CCTV design, installation, and operation that are directly affected by the need to uphold these principles: Registration, Signage, System Design, Recording, and Security.


The processing of personal data by means of a CCTV system is covered by the requirement to register with the Office of the Information Commissioner under the Data Protection Act 1998. The definition of ‘computer’ includes all electronic surveillance and storage systems whether analogue or digital, standalone, networked or IP-based. Although there are allowable exemptions to notification, no CCTV system is likely to qualify.

For most organisations, registration simply means adding an entry to an already existing registration to cover the CCTV system and providing a document that clearly states the following:

The subject of the surveillance

Its purpose (such as crime reduction or monitoring of staff behaviour)

The person(s) responsible for processing data

All persons with access to the system

Everyone with access to the system (including IT staff and third parties such as the installer or maintenance company) should be identified. It is good practice to register during the early days of the installation to ensure that all system testing complies with the Act from the day of commissioning.


It is a requirement of the Information Commissioner's CCTV Code of Practice that you must inform people that a CCTV system is in operation. It is normally sufficient to erect an appropriately sized and positioned notice that will be seen by people entering a surveillance area. However, this should say more than ‘CCTV in operation’. The Act requires three conditions of signage to be met. It should inform people of:

The identity of the person or organisation responsible for the scheme

The purposes of the scheme

Details of whom to contact regarding the scheme

Signage is not required if the scheme is covert by design. However, under the CCTV Code of Practice, covert recording is only allowed if the user of the scheme has identified specific criminal activity, identified the need to use surveillance to obtain evidence, assessed whether the use of signs would prejudice success in obtaining evidence and assessed how long the covert monitoring should take place. Documenting and filing the above is good practice. Although adequate signage is a requirement of the CCTV Code of Practice, it is not – as is often supposed – a requirement for a successful prosecution.


It may not be immediately apparent that the Data Protection Act and Human Rights Act have any bearing on the design of a CCTV system. However, a key data protection principle is that the use of data should be adequate, relevant, and not excessive. A key requirement of the Human Rights Act is the protection of personal privacy. This means that installers should be careful on a number of counts:

The number of cameras and camera angles should be adequate for the purpose but not excessive

Camera coverage should not be invasive to the point of recording an unnecessary level of personal detail

The positioning of cameras should respect personal privacy in adjoining buildings through the appropriate use of physical screens and privacy zones. Individuals must be consulted if such private areas are caught on camera.

Finally, the quality of images captured must be sufficiently clear to achieve the stated objectives.

Four data protection issues dominate the subject of recorded CCTV images – traceability, retention, access, and privacy.

To ensure confidentiality, all images must be fully traceable. This means that for each image you must be able to provide the following information: date and time of recording, recording device and medium, and the name of the person responsible for the recording. This need not be onerous – a written log and correctly labelled tapes can achieve this quite simply.

For recordings to be used in evidence, the audit trail for the recording must be complete. This includes recording in a suitable log when images are removed from the system for use in legal proceedings, why, by whom and to where they are being moved.

It is often heard in the industry that CCTV images should be retained for no longer than 31 days. However, there is no statutory time limit except that implied in the data protection principle that images should not be ‘kept longer than necessary’. The standard 31-day time period has emerged as an example of good practice and is probably derived from the net 30-day period in which retailers could expect a till transaction to be completed satisfactorily.

In reality, the appropriate time limit will vary from industry to industry. The defining concept must be one of reasonableness – what is a reasonable time period in which to expect an individual to report an incident that might require recourse to the recorded CCTV images?

In a health and safety environment such as a leisure club or factory, the period of time might be two months. In the case of retail, it may be as short as two weeks. In the case of a public bar, it could be seven days or less.

Every individual or ‘subject’ has a right of access to recorded CCTV footage in which they feature. The only exception to this right of access is where such a request would compromise the detection or prevention of a crime, or where it may impede the apprehension or prosecution of offenders.

Putting this principle into effect is not as straightforward as it sounds. This right of access has the potential to be an onerous and expensive burden on the CCTV user. Under the terms of the Data Protection Act, an organisation may only charge a member of the public a maximum sum of £10.00 per application to undertake a search for their recorded image. The cost of providing the means to view it (whether recorded or printed) may be much more, for the image supplied must not disclose the identity of any third party and may therefore require editing.

A carefully worded questionnaire as part of a standard procedure will reduce nuisance requests, and will also enable the system operators to access the information speedily. Digital images are more readily edited prior to printing, so that third parties can be modified, masked, or deleted.


Data Security is a key data protection principle. Two issues are paramount:

the physical security of the system, recording environment and access to it

the electronic security of the system, especially network and IP-based systems


Tapes should be stored in lockable cabinets, and access to the recording environment, including by maintenance staff, should be restricted by means of a written logbook.

The Data Protection Act specifically prevents the transmission of data outside of the European Economic Area (EEA) without adequate protection. The EEA is defined as the Member States of the European Union plus Iceland, Norway and Liechtenstein. If data is transmitted outside the EEA, proving that there is adequate protection in place is best provided by means of a contract between the data controllers in each country. Model clauses can be found on the data protection web site. This aspect of the legislation will become increasingly important with the anticipated rapid growth in IP-based systems.

Complying with the legislation

The simplest way to ensure compliance with the Data Protection and Human Rights Acts is to put in place a robust and thoughtful collection of Standard Operating Procedures to govern the day-to-day operational aspects of your CCTV system. For smaller systems, the Information Commissioner's checklist provided here is sufficient.

By clearly defining who is to be under surveillance, why, how and by whom, many of the requirements of modern privacy legislation will be swiftly met. Unless mentioned specifically in the SOPs, no one, other than the Police, should have any access to the CCTV system or the images it records. Once established, such watertight procedures should ensure legislative compliance with the minimum of additional burden on the organisation.

For further information:


Useful Documents:

CCTV Code of Practice

Small User’s Checklist

Both documents are available from the Information Commissioner.

Telephone Helpline of the Information Commissioner:

Tel: 01625 545745

SYSS Disclaimer

"This guide contains a brief summary only of the legislation related to CCTV systems. It is intended for informational purposes only and is not legal advice, and any legal advice required by you should be obtained from your legal advisers."