GDPR and CCTV – A Guide To The Laws Of CCTV In The Workplace

CCTV is a vital security measure for businesses up and down the country. By using CCTV cameras in the workplace, you can safeguard your property and employees from the threat of crime. However, without the right CCTV policy in place, you could also find yourself infringing strict privacy laws that protect the rights of individual people. Keep reading our guide to the laws of CCTV in the workplace for everything you need to know to ensure your business stays on the right side of UK CCTV laws, including GDPR.

What are the rules on CCTV for businesses?

If employers wish to install any types of CCTV cameras in the workplace, they must take the following actions in order to adhere to UK privacy and data protection laws (GDPR):

  1. Firstly, an employer must register as a data controller by notifying the ICO and outline the purpose of using CCTV at work. The footage collected cannot legally be used for any other purpose.
  2. All employees should then be informed that they are being recorded. This is usually achieved with clear and visible signage in areas of the workplace that are monitored by cameras.
  3. Cameras should not be installed in a private area of a workplace where people expect complete privacy. This includes toilets and changing rooms.
  4. If an individual has been recorded on one of your cameras and requests to see the footage you have featuring them, you must provide them access to this within one month.
  5. ICO guidance also states that a nominated person in your company should be made responsible for the storage of video, system procedures and reviews.

Our team can guide you on the laws of CCTV in the workplace

Is CCTV covered under GDPR?

CCTV at work laws including GDPR

Yes, cameras that monitor the activities of people constitute a processing of personal data. Therefore, this activity falls under the UK Data Protection Act 2018, which incorporates the EU-wide General Data Protection Regulations (GDPR).

All surveillance carried out away from a person’s domestic property is subject to the act, including recording from CCTV cameras in the workplace. A core principle of GDPR is that personal data, in this case video, should only be kept for as long as necessary.

Processing limits and the period of time footage can be kept for is flexible under the act. This is to take into account the differing aims and challenges each company has when introducing the cameras. The laws of CCTV do however insist upon complete transparency when it comes to the following:

What are the risks involved with CCTV monitoring in the workplace?

UK employers must consider the following risks when putting CCTV in place at their premises:

Is your CCTV policy and procedure in line with UK law?

Somebody in your organisation needs to be made responsible for managing your CCTV system and become the data controller. They need to outline a clear CCTV policy in the workplace that is in line with GDPR.

CCTV policy and procedure

Once the system has been registered with the ICO, the first step is to make a GDPR compliant company CCTV policy statement. This should explain to all individuals in the organisation why the cameras have been installed, how long the video data will be kept for and how it will be made secure.

A Data Protection Impact Assessment (DPIA) should be carried out to identify and manage the risks of processing video data and ensure the security of that personal data. Your procedure should be reviewed periodically to make sure that the risks continue to be managed effectively.

CCTV and GDPR FAQs

We have rounded up the most commonly asked questions from business owners across the UK below. If you have any other questions about CCTV systems and their relation to GDPR and the Human Rights Act, please contact our friendly security experts.

BusinessWatch know CCTV rules and related legislation inside out. We install, maintain and monitor CCTV systems for businesses across the UK.

Do you have to display signs if you have CCTV?

Business owners need to display GDPR compliant CCTV signage if they install surveillance cameras in the workplace. CCTV signage requirements are simple. Signs should be clearly visible in all the areas where surveillance is taking place and they should be readable to anybody working in the vicinity.

If it isn’t already obvious, signs should make it clear which company is operating the cameras.

Monitoring staff with CCTV in the workplace

How long can CCTV footage be kept for in the UK?

Employers must have a clear policy stating how long they intend to store video footage for. This should be in line with the purpose of recording the images.

For example, if you are using surveillance to protect your industrial property from crime, it would not be acceptable to store the footage for longer than six months. There is a reasonable expectation that any crimes committed at your property would have been detected and investigated in this timeframe.

Do employers have to inform employees of cameras?

Yes. Regardless of the reason why monitoring has been implemented, staff must be informed that they are being recorded. If you choose not to inform them then, depending on the location of the cameras, you could be violating their right to privacy under the Human Rights Act 1998.

Recording can only be legally kept secret in exceptional circumstances. For example, if disclosure would jeopardise a criminal investigation.

Can CCTV be used to monitor staff?

CCTV monitoring can be legally used to monitor staff as long as you have made them aware of this in writing and explained the reasons why. It is only acceptable to monitor staff secretly in rare circumstances.

For example, if you suspect a staff member of committing a crime at work, it could make it hard to prove this if they were aware of the surveillance. This is only acceptable in specific investigations. Recording should cease once the investigation is concluded.

Who can view CCTV footage?

All footage should be secured by a nominated data controller. They need to ensure that nobody else views the video data, without good reason to do so. Anybody who has been caught on camera has the right to see the footage, in which they are identifiable.

Under the 2018 Data Protection Act (GDPR), they are permitted to do this by submitting a subject access request for the relevant personal data. The data controller must respond within one calendar month and provide access to the footage.

What are the CCTV audio recording laws?

CCTV audio recording laws state that conversations between members of the public are not allowed to be recorded. The only exceptions to this rule include panic buttons in a taxi or monitoring carried out in a private area of a police custody room.

It is only acceptable to introduce audio recording at your workplace if the purpose is justifiable. All employees also need to be made aware that both video and sound are being captured by cameras.

Businesswatch are NSI Gold approved and design, install and manage bespoke CCTV systems for all industries. Our expert team of CCTV specialists are very knowledgeable in the legal requirements associated with CCTV systems in the workplace and will make sure yours is compliant with all rules, laws and regulations when they carry out the design and installation. Get in touch for a free quote today. Call us on 0330 094 7404 or fill out our online contact form here.