NEW ICO guidance on data protection regulations surrounding using CCTV and video surveillance in the workplace

18th March 2022

Do you use CCTV in your organisation, or are you thinking about doing so? Do you know the data protection regulations surrounding the use of CCTV and video surveillance in the workplace?

Are you aware that this recording technology is covered by the UK GDPR and the Data Protection Act 2018? This has always been the case; however, the ICO has recently issued some new guidance that provides advice for organisations that carry out any kind of video surveillance.

The ICO definition of video surveillance includes:

  • Traditional CCTV
  • ANPR (automatic number plate recognition)
  • Body Worn Video (BWV)
  • Facial Recognition Technology (FRT)
  • Drones
  • Commercially available technologies such as smart doorbells and dash cams

(This guidance does not apply to CCTV used in a domestic setting, as long as the coverage does not extend beyond your own private boundary. See our blog on Ring Doorbells for information on this.)

Whilst the guidance is new, it is not based on any new legislation.  The recommendations have been published by the ICO to help organisations to comply with the existing legislation and to explain how it works in relation to the developing technologies. 

If you use any of the above technologies in your organisation, we would urge you to read the full guide, as it contains useful advice and checklists to help you achieve good practice. You can find the full guide on the ICO’s own website.

We have extracted some of the key issues you should most definitely be aware of in order to be compliant under the current legislation:

  • You must have considered and integrated the principles of data protection law into your processing activities (which include the above video surveillance activities).
  • You must have identified under which lawful basis you may carry out the video surveillance and you must be able to justify the surveillance (processing in ICO parlance) as ‘necessary and proportionate’.
  • If your surveillance systems are likely to capture anything that could potentially result in a ‘high risk to individuals’, you must perform a Data Protection Impact Assessment (DPIA).  This includes if you are likely to process / monitor:
    • Special category data
    • Publicly accessible places on a large scale
    • Individuals at a workplace

In the words of the ICO: 

“The public must have confidence that the use of surveillance systems is lawful, fair, transparent and meets the other standards set in data protection law.” 

And in terms of recording in the workplace, it is . . .

“. . . important that the use of surveillance is not seen as the cure to the problems that organisations may face. But instead, a helpful supporting tool where lawful, necessary and proportionate in the circumstances.”

In other words, you shouldn’t just install CCTV in your organisation without any serious thought (documented via a DPIA) as to the consequences.

As with all data processing, you have to adhere to the key principles of data protection law:

  • Lawfulness, fairness and transparency. In other words, you must inform individuals that recording is taking place, for what reason and who is managing the surveillance system.
  • Have a legitimate Purpose – be clear as to the reason why you need to monitor or record an
  • Only collect the minimum amount of information to achieve your stated purpose. In other words, narrow the focus of your recording to the areas of interest, ensure you are not recording private spaces, and do not capture information which may be considered private (for example, by recording audio) without exceptional reasons.
  • Ensure any information captured is accurate – with regard to CCTV, make sure cameras are maintained and images are clear.
  • Do not keep footage for longer than is necessary, which, depending on the reason for the surveillance, may range from minutes to months.
  • You must maintain the integrity and confidentiality of the footage. In other words, keep any footage secure and protect it against accidental loss or unauthorised access.
  • Accountability (this requires that you take responsibility and that you can prove you have measures in place to demonstrate compliance with all of the above principles).

The guidelines state that: 

“The type of surveillance system you choose and the location it operates within must achieve the specific purpose(s) for which you are using it. The information your surveillance system processes must be of good quality and be adequate, relevant and limited to what is necessary. You should identify the minimum amount of personal data you need to fulfil your purpose(s).”

For us, the key word here is minimum. 

Using video surveillance in your organisation requires very careful consideration and strict adherence to the regulations. By issuing these guidelines, the ICO are doing all they can to help organisations to comply. The guidelines include practical examples and useful checklists. If you are using any form of video surveillance, make sure you have all the relevant procedures and documentation in place. Check out the new guidelines on data protection regulations surrounding the use of CCTV and video surveillance in the workplace. If you would like a second opinion as to whether you are compliant, or what you need to do to become compliant, your first step is to take advantage of your half-hour complimentary data protection consultation with one of our specialists.
