Data protection for security CCTV and body-worn cameras

If your security company operates CCTV, body-worn video (BWV), or other surveillance cameras, you are processing personal data. This creates specific legal obligations under both the UK General Data Protection Regulation (UK GDPR) and the Surveillance Camera Code of Practice issued under the Protection of Freedoms Act 2012.

Getting this wrong carries serious consequences. The Information Commissioner's Office (ICO) can issue fines, and individuals whose data you mishandle can bring claims against you. Your SIA licence conditions also require you to comply with data protection law, so a breach could put your licence at risk.

This guide explains what the two frameworks require of you, how they interact, and the practical steps you need to take to stay compliant.

Two frameworks you must follow

Security CCTV sits under two overlapping legal frameworks. You need to satisfy both.

UK GDPR and the Data Protection Act 2018 apply because CCTV footage of identifiable people is personal data. This framework governs how you collect, store, share, and delete that data. The ICO enforces it.

The Surveillance Camera Code of Practice sets out 12 guiding principles for the use of surveillance cameras in public places. It was issued under the Protection of Freedoms Act 2012 and is overseen by the Surveillance Camera Commissioner (now part of the Biometrics and Surveillance Camera Commissioner's role). Public authorities must have regard to the code; private security companies operating in public spaces should treat it as best practice that regulators and courts will reference.

In practice, a system that meets UK GDPR requirements and follows the Surveillance Camera Code will satisfy both frameworks. The key areas where they overlap are purpose limitation, proportionality, transparency, retention, and access rights.

ICO requirements for CCTV operators

The ICO sets out specific expectations for organisations operating CCTV. As a security company, you are typically the data processor acting on behalf of your client (the data controller), but you may also be a controller in your own right if you determine the purposes and means of the surveillance — for example, if you install and operate a system at your own premises.

Your obligations differ depending on your role, and your contract with each client must clearly define who is controller and who is processor. If you get this wrong, both parties face enforcement risk.

CCTV data protection requirements for security operators

ICO requirements for businesses and security companies operating CCTV systems: data protection impact assessments, signage obligations, footage retention periods, subject access request handling, ICO data protection fee, and the distinction between the ICO data protection framework and the Home Office Surveillance Camera Code of Practice. Applies to all organisations using CCTV, with additional relevance to SIA-licensed CCTV operators.

Primary legislation: Data Protection Act 2018 and UK GDPR
Surveillance camera code: Surveillance Camera Code of Practice (Home Office, issued under Protection of Freedoms Act 2012)
ICO data protection fee: Required — most organisations operating CCTV must pay the annual ICO data protection fee (Tier 1: £40, Tier 2: £60, Tier 3: £2,900 depending on size and turnover)
DPIA requirement: Mandatory where CCTV involves systematic monitoring of a publicly accessible area on a large scale
Subject access request response deadline: 1 calendar month from receipt of request
SAR extension (complex requests): Up to 2 further months if request is complex or numerous — must inform requester within 1 month
Recommended maximum retention period: Typically 30 days for general security purposes — must be justified by a documented retention policy
Signage requirement: Clear, prominently placed signs before individuals enter the CCTV-monitored area
Surveillance Camera Code guiding principles: 12 principles covering necessity, proportionality, transparency, data minimisation, security, and accountability
Lawful basis for CCTV (most common): Legitimate interests (Article 6(1)(f) UK GDPR) — requires a documented Legitimate Interests Assessment (LIA)

Two separate regulatory frameworks

CCTV operation in the UK is governed by two distinct but overlapping frameworks that security operators must understand:

ICO data protection framework — the Data Protection Act 2018 and UK GDPR regulate how personal data captured by CCTV is collected, stored, shared, and deleted. The ICO enforces this framework and has published detailed guidance for organisations using video surveillance. This applies to all organisations operating CCTV.
Surveillance Camera Code of Practice — issued by the Home Office under section 29 of the Protection of Freedoms Act 2012, this code sets out 12 guiding principles for the appropriate use of surveillance camera systems. Relevant authorities (including local authorities and police) must have regard to the code. Private security companies are not legally required to follow the code but are strongly encouraged to do so as a matter of best practice, and the ICO considers adherence when assessing compliance.

Signage and transparency

The ICO requires organisations operating CCTV to provide clear and prominent signage informing people they are entering a CCTV-monitored area. Signs must include:

The identity of the organisation operating the CCTV (the data controller)
The purpose of the surveillance (for example, crime prevention and public safety)
Contact details for the data controller or a way to obtain more information
Details of any third parties the footage may be shared with (if practicable)

Data Protection Impact Assessment (DPIA)

A DPIA is mandatory before installing or significantly changing a CCTV system where the processing is likely to result in a high risk to individuals. The ICO guidance specifies that systematic monitoring of a publicly accessible area on a large scale always requires a DPIA. Security companies operating CCTV across multiple client sites should conduct a DPIA for each distinct deployment or group of similar deployments.

Footage retention

CCTV footage must not be retained for longer than necessary for the stated purpose. There is no single statutory retention period; organisations must set and document their own retention schedule based on the purpose of the surveillance. For general security and crime prevention, 30 days is widely considered appropriate. Footage relevant to an ongoing investigation or subject access request must be preserved until the matter is resolved. The retention policy must be documented and regularly reviewed.

Subject access requests (SARs)

Under the UK GDPR, individuals have the right to request a copy of CCTV footage in which they appear. Security operators must:

Respond within 1 calendar month of receiving the request
Verify the identity of the requester before releasing footage
Redact or obscure images of other identifiable individuals unless they consent or disclosure is otherwise lawful
Provide the footage in a commonly used electronic format if requested
Not charge a fee for the first copy (a reasonable fee may be charged for further copies or manifestly unfounded requests)

Security of CCTV data

The UK GDPR requires appropriate technical and organisational measures to protect CCTV footage. Security operators must ensure:

Access to footage is restricted to authorised personnel only
Monitoring stations and recording equipment are in secure locations
Remote access to CCTV systems uses encryption and strong authentication
Footage shared with third parties (for example, police) is transferred securely and a disclosure log is maintained
Old footage is securely deleted when the retention period expires

ICO enforcement

The ICO can take enforcement action against organisations that fail to comply with data protection requirements for CCTV, including:

Information notices requiring organisations to provide information
Assessment notices allowing the ICO to audit CCTV practices
Enforcement notices requiring specific actions to achieve compliance
Penalty notices (fines) of up to £17.5 million or 4% of annual worldwide turnover (whichever is higher) for serious breaches under the UK GDPR

Data protection impact assessments

A data protection impact assessment (DPIA) is mandatory before you deploy any new CCTV or BWV system that is likely to result in a high risk to individuals' rights. In practice, most security surveillance systems in public or semi-public spaces will meet this threshold.

The DPIA should document:

The purpose of the surveillance and why it is necessary
Why less intrusive alternatives are insufficient
What footage you will capture and where
How long you will retain it and why
Who will have access and under what conditions
Technical and organisational security measures
How you will handle subject access requests

If the DPIA identifies high residual risks that you cannot mitigate, you must consult the ICO before proceeding. Do not treat the DPIA as a one-off exercise — review it whenever you change the system, expand coverage, or deploy cameras in a new location.

If you operate CCTV on behalf of a client, the client (as controller) is responsible for ensuring a DPIA is completed. However, as processor you must assist them, and your contract should require this. If neither party completes a DPIA, both may face enforcement action.

Signage, retention and subject access requests

Signage. You must display clear signs wherever cameras are operating. Signs need to be visible before a person enters the surveilled area and must state the purpose of the surveillance and who to contact. A small sign hidden behind a plant will not satisfy the ICO. For body-worn cameras, the wearer must inform people they are being recorded unless doing so would compromise safety.

Retention. Keep footage only as long as you need it for the stated purpose. There is no single mandatory retention period in law, but the ICO considers 30 days reasonable for most routine security surveillance. If you need to retain footage longer — for example, because of an ongoing investigation or incident — document the reason and review regularly. Automatic deletion at the end of the retention period is the safest approach.

Subject access requests (SARs). Anyone captured on your CCTV can request a copy of footage that identifies them. You must respond within one calendar month. Before releasing footage, you need to redact or obscure other identifiable individuals unless they have also consented. Failing to respond to a SAR on time is one of the most common ICO complaints about CCTV operators.

Build a SAR response process before you receive your first request. Identify who handles requests, how you locate footage, what redaction tools you use, and how you verify the requester's identity. Scrambling to work this out under time pressure leads to missed deadlines.

Training your operatives

SIA-licensed operatives working with CCTV must hold the correct training qualification, which includes data protection modules. Beyond the licensing requirement, all staff who access, review, or manage footage need practical training on your organisation's data protection procedures — including how to handle SARs, when to escalate, and what constitutes a data breach.

SIA CCTV operator training requirements

Qualification and training requirements for obtaining an SIA CCTV (Public Space Surveillance) licence, including the mandatory Level 2 Award and data protection modules.

Qualification: Level 2 Award for Working as a CCTV Operator (Public Space Surveillance) within the Private Security Industry
Qualification level: Level 2 (RQF)
Total qualification time: 31 hours
Guided learning hours: 25 hours
Core units: Working in the private security industry; CCTV operations in a public space environment
Key content areas: Data protection legislation (UK GDPR and Data Protection Act 2018); ICO Surveillance Camera Code of Practice; evidence handling and continuity; operator health and welfare
Awarding organisations: Highfield Qualifications; City and Guilds; HABC; SFJ Awards
Validity for licence application: Must be achieved within 3 years before licence application

To apply for an SIA CCTV (Public Space Surveillance) licence, applicants must complete the Level 2 Award for Working as a CCTV Operator within the Private Security Industry. This qualification covers the operation of CCTV systems used for monitoring members of the public in public spaces.

A significant component of the CCTV operator qualification relates to data protection obligations. Operators must understand the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Information Commissioner's Office (ICO) Surveillance Camera Code of Practice. The qualification also covers evidence handling procedures, maintaining continuity of evidence, and operator welfare during extended monitoring sessions.

What to do if something goes wrong

Data breach. If footage is lost, stolen, accessed without authorisation, or sent to the wrong person, assess whether the breach poses a risk to the individuals involved. If there is a risk, you must notify the ICO within 72 hours. If there is a high risk, you must also notify the affected individuals. As a processor, you must notify the controller without undue delay and let them handle the ICO reporting — but do not use this as a reason to delay.

ICO investigation. The ICO can investigate complaints and carry out audits. Cooperate fully. Common triggers include unanswered SARs, missing signage, and excessive retention. Keep records that demonstrate compliance — your DPIA, retention schedule, SAR log, and training records will be your evidence.

Client disputes. If your client instructs you to do something that would breach data protection law — such as refusing to delete footage or sharing it without a lawful basis — you should refuse and document your reasons. Processing unlawful instructions does not absolve you of liability as a processor.

Related guidance

SIA licence requirements for licensing obligations covering CCTV operatives
Data protection and UK GDPR basics for general data protection duties
Security industry regulations overview for the full regulatory landscape

UNDER CONSTRUCTION

Guvnor

Data protection for security CCTV and body-worn cameras

Two frameworks you must follow

ICO requirements for CCTV operators

Data protection impact assessments

Signage, retention and subject access requests

Training your operatives

What to do if something goes wrong

Related guidance

Compliance Assistant

🚧 UNDER CONSTRUCTION

Two frameworks you must follow

ICO requirements for CCTV operators

Data protection impact assessments

Signage, retention and subject access requests

Training your operatives

What to do if something goes wrong

Related guidance

Related guides in Risk Assessment

UNDER CONSTRUCTION