Article 5 of the UK GDPR sets out seven key principles. These principles should lie at the heart of your approach to processing personal data. When using surveillance systems, you can encounter data protection problems if your focus is on technical capability over the transparency of the processing or the governance of information. Therefore, you need to consider each aspect equally.
For any use of surveillance systems, you need to identify and document a lawful basis under Article 6 of the UK GDPR. In practice, it is often difficult to obtain genuine consent from individuals for processing their personal data in public spaces. Therefore, it is likely the appropriate lawful basis will be either legitimate interests, or a reliance on public task (if you are carrying out your tasks as a public authority in the public interest or under official authority). A legitimate interests assessment (LIA) can help you demonstrate lawfulness of the processing, and can naturally feed into a DPIA.
You need to identify an Article 9 UK GDPR condition, if you are actively processing special category data, such as biometric data (for example when using facial recognition systems to uniquely identify individuals). If you process criminal conviction data, you need to comply with Article 10 UK GDPR.
The type of surveillance system you choose and the location it operates within must achieve the specific purpose(s) for which you are using it.
The information your surveillance system processes must be of good quality and be adequate, relevant and limited to what is necessary. You should identify the minimum amount of personal data you need to fulfil your purpose(s).
The UK GDPR and the DPA 2018 do not prescribe any specific minimum or maximum retention periods which apply to surveillance systems or the information you may process. Rather, it is the purpose of your processing that should determine your necessary retention period.
You should store recorded information securely in a way that maintains its confidentiality, integrity and availability. This is to ensure that you protect the rights of individuals you record by surveillance systems and use the information effectively for your intended purpose.
Modern surveillance systems can offer:
As such, surveillance systems can be particularly intrusive. Especially if they impact on the private lives of individuals and process personal data beyond their reasonable expectations.
Some systems are also capable of placing large numbers of people under surveillance as they go about their day-to-day activities. For example, this may include the use of ANPR or facial recognition technology in public spaces.
Regardless of the size of the system, you should initially consider achieving your outcome using alternative, less privacy intrusive methods. You may consider that new technology is an attractive or affordable solution. However, the use of surveillance systems should be a necessary and proportionate response to the problem you are addressing. You should therefore carefully consider whether or not to use a surveillance system, if other options are available.
Example
A disused public space is subject to vandalism and antisocial behaviour, and a local authority installs a surveillance system to try and monitor the area.
In order to reduce the amount of CCTV in the area, the local authority may wish to first consider less intrusive alternatives to surveillance systems. For example, improved lighting, fences and improvements to the area to encourage regeneration. This may also discourage antisocial behaviour if the space is used more often by the wider community.
Both fixed and mobile cameras should be focussed on a relevant space, and where wider surveillance is possible but unnecessary, this should be restricted. This ensures that surveillance does not occur in areas which are not of interest and individuals are not unintentionally made the subject of surveillance.
Example
A café installs a surveillance system which captures the entrance of the premises to improve its security, as there have been reports of break-ins in the local area.
When reviewing the system, the café owner realises that the camera’s field of vision also captures footage of a nearby flat, and can see into the property.
The café owner adjusts the field of vision so that the focus of the recording is restricted only on the café entrance to avoid any unnecessary privacy intrusion to nearby residents.
Article 5 of the UK GDPR sets out seven key principles that should lie at the heart of your approach to processing personal data.
You should carefully consider whether it is appropriate to use a surveillance system, and assess any potential impact this may have on the rights and freedoms individuals have under data protection law.
It is also important that you identify an appropriate lawful basis under the UK GDPR and DPA 2018. You should clearly document and justify your reliance on a particular lawful basis in conjunction with the principles of data protection law prior to any deployments.
As previously mentioned, for the use of surveillance systems you must perform a DPIA for any type of processing that is likely to result in a high risk to individuals. This is a legal requirement and applies in most cases, due to the inherent privacy risks involved in the use of surveillance systems as a type of processing. See section on DPIAs.
Checklist
☐ We have identified an Article 6 lawful basis for the processing of personal data under UK GDPR .
☐ We have also identified an Article 9 UK GDPR condition for the processing of any special category data, especially where the unique identification of individuals occurs .
☐ We have identified an appropriate DPA 2018 Schedule 1 condition where specifically required for the processing of special categories of personal data or criminal conviction data .
☐ Where relevant, we have identified our authority for any processing of criminal offence data under Article 10 UK GDPR .
☐ Where required, we have a readily available appropriate policy document (APD) that demonstrates the above .
For any use of surveillance systems you need to identify and document a lawful basis for processing under Article 6 of the UK GDPR. In practice, it is difficult to obtain genuine consent from individuals that are subject to video surveillance in public spaces. Therefore, it is likely the appropriate lawful basis will be either legitimate interests, or a reliance on public task (if you are carrying out your tasks as a public authority in the public interest or under official authority). A legitimate interests assessment (LIA) can help you demonstrate lawfulness of the processing, especially if you are not carrying out a DPIA. You must however independently identify an appropriate lawful basis that best suits your organisation or method of processing.
You need an Article 9 UK GDPR condition, if you are actively processing special category data, such as biometric data (for example when using facial recognition systems to uniquely identify individuals). There are 10 conditions for processing special category data in Article 9 of the UK GDPR. Five of these require you to meet additional conditions and safeguards set out in UK law, at Section 10 and in Schedule 1 of the DPA 2018. If you record footage involving criminal offence data, you also need to comply with Article 10 of the UK GDPR, Section 10(5) of the DPA 2018 and identify an appropriate condition under Schedule 1 of the DPA 2018. For more information see our guidance on criminal offence data.
Example
A shop manager suspects an employee of stealing money from the till. The manager compiles a report showing the shifts of the individual and collects CCTV footage of them at the till during those shifts.
This personal data is criminal offence data as it relates to the alleged commission of an offence which is unproven and requires compliance with Article 10 UK GDPR.
In some circumstances, the UK GDPR and DPA 2018 also require you to have supporting documentation that explains how you demonstrate lawfulness, in the form of an ‘appropriate policy document’. Read further guidance about documentation.
Processing of personal data must always be fair as well as lawful. If any aspect of your surveillance is unfair you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.
In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.
Naturally, there are places where individuals have a heightened expectation of privacy, such as private property. But also in public toilets and changing rooms, where the use of visual or audio recording would not be expected and often difficult to justify. If you are considering surveillance systems in these environments, you should only use them in the most exceptional circumstances, where it is necessary to deal with very serious concerns.
Example
An individual walks down a public shopping precinct and expects to be captured on CCTV that is installed for the prevention or detection of crime. When entering a shop, the shop also has a CCTV system installed for similar reasons. But the individual may not expect there to be a camera in the changing rooms where there is often a heightened expectation of personal privacy.
You always need to ensure that those under surveillance are clearly aware that they are being recorded. You should provide individuals with appropriate information about how they can exercise their rights, and that appropriate restrictions on viewing and disclosing images are in place for those using the system.
You need to assess whether the individual can reasonably expect the processing. In particular, you need to take into account when and how you collect the information. This is an objective test. The question is not whether a particular individual actually expects the processing, but whether on balance a person should reasonably expect the processing in the overall set of circumstances.
In terms of the use of surveillance systems, you need to recognise whether you are using a new technology or processing data in a new way that an individual may not reasonably anticipate. Or conversely, whether there are any developments in technology or updates to services that individuals have come to expect. Again, you should reflect this risk assessment in a DPIA prior to any deployment of a surveillance system.
By installing surveillance systems in areas where people have greater expectations of privacy, you may inadvertently increase the intrusion on their private life, especially where their behaviour is not modified. The use of surveillance systems in public spaces may also have a chilling effect on the way in which people behave, interact with each other, or the places that they choose to move freely. It is important that you also consider these issues when planning to use new or existing systems and whether they can be justifiable set against the purpose(s) for the processing.
Example
A business responsible for managing a public multi-storey car park wishes to use CCTV cameras around the premises and in the elevators, to ensure the safety and security of individuals using them. Those using the car park are likely to expect CCTV cameras for general safety reasons, but also in areas where a crime could possibly occur.
The owners of the car park should ensure that there is appropriate signage that people can read within, and prior to entering, the premises. It should include details of the organisation operating the system, the purpose for using it and who to directly contact in the event of a query.
Example
A school wishes to install CCTV cameras in the toilets in order to prevent vandalism.
The school would have to make a rigorous assessment based on necessity and proportionality in order to justify the processing. This is because the cameras would be recording children, particularly in an environment where there would be a natural and heightened expectation of privacy by both students and parents. Given the potential level of intrusion, this use is unlikely to be proportionate in most circumstances. The school should seek less privacy intrusive measures in order to solve a particular problem.
Checklist
☐ We have signs that accompany our surveillance system that are clearly visible and readable, explaining that its use is in operation .
☐ We include details of the organisation operating the system, the purpose for using the system and who to directly contact about its use .
☐ We include as a minimum basic contact details such as a website, telephone number or email address .
☐ We have signs that are an appropriate size depending on the context of the systems use. For example, whether the signs are viewed easily by pedestrians or drivers .
The need for transparency is a fundamental aspect of data protection law. You must tell people when you are capturing their personal data, where appropriate. However, it is recognised that the use of surveillance systems often presents challenges for providing individuals with privacy information. For example, it could prove difficult to ensure that an individual is fully informed of recording taking place if:
If you operate a surveillance system you are likely to collect personal data directly from the individuals you monitor. As a result you need to comply with data protection law, in particular Article 13 of the UK GDPR. This means you need to find a way to provide them with information about the surveillance. In any case, you must let people know when they are in an area where a surveillance system is in operation. You can also back up messages with an audio announcement, if public announcements are already used, such as in a train station or onboard public transport.
An effective way to provide transparent information is to place signs prominently before the entrance to the system’s field of vision and reinforce this with further signs inside the area. You should position information at a reasonable distance from the places monitored, and in such a way that individuals can easily recognise the circumstances of the surveillance before entering the monitored area. For example, it is not considered fair for an individual to read a sign that warns them about particularly intrusive surveillance technology in the area, if the system has already captured them whilst reading it.
Example
It may be useful to use websites or social media to inform individuals that certain types of surveillance systems are in operation at a specific time and in a specific area. It is important to note however that publishing information on a website, by itself, is not enough to comply. You have to draw the individuals’ attention to the information. Therefore, you could use physical signage with linked information, so that individuals can find out more if they are interested. This would essentially function as a layered privacy notice.
As a general rule, signs should be more prominent and frequent in areas where people are less likely to expect that they will be monitored by a surveillance system. For example, this is particularly important when you are using a system to cover a large public area and capture a large amount of personal data.
Example
A construction company uses traditional CCTV alongside security guards within the perimeters of a building site. This is to protect the site operatives, and nearby members of the public from any harm. The CCTV system provides extensive monitoring across the site, and the footage records the activity of the members of staff stationed there.
The site includes large, prominent notices to inform individuals:
Signs do not need to say who is operating the system if this is obvious. If a surveillance system is installed within a shop, for example, it may be obvious that the shop is responsible. All relevant staff within an organisation should know what to do or who to contact if a member of the public makes an enquiry about a surveillance system.
Example
Where processing is not obvious to an individual, a sign could read “Images are being monitored and recorded for the purposes of crime prevention and public safety. This system is controlled by XXXXX. For more information, visit our website at (web address) or call 01234 567890.”
Checklist
☐ We have initially considered achieving our outcome using alternative, less privacy intrusive methods without the need for surveillance systems .
☐ If we need to use a surveillance system, we only use it in locations where it achieves our specific purpose(s) .
☐ We have assessed any potential impact the use of surveillance may have on the rights and freedoms individuals have under data protection law .
☐ We only use audio recording where there is an evidenced and justified need .
☐ Any audio capabilities in our system are switched off by default .
☐ We take additional steps to make it clear to individuals that audio recording is taking place, over and above any visual recording which is already occurring .
You must be clear about what your purposes for processing personal data are from the start under the UK GDPR and DPA 2018. You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
When using surveillance systems, you can only use the personal data for a new purpose if:
You should not normally use surveillance systems to directly record conversations between members of the public. This is highly intrusive and unlikely to be justifiable in most circumstances. In most situations, the use of audio recording, particularly where it is continuous, is considered more privacy intrusive than purely visual recording. Its use will therefore require a much greater justification and you should switch off by default any capability to record audio. You should only use it in exceptional circumstances, for example by a trigger switch.
If your system comes equipped with an independent sound recording facility, then you should turn this off or disable it in some other way, unless you can clearly justify and evidence its use. If you cannot control sound recording separately you need to consider how privacy intrusive the system is as a whole, including the recording of sound.
You should only use audio recordings when you have:
You should take additional steps to make it clear to individuals that audio recording is taking place, over and above any visual recording which is already occurring.
If you are an employer, there may be cause for you to consider using overt surveillance systems to monitor staff, for reasons of health and safety, public health or security.
This could involve installing traditional CCTV cameras that record staff performing a particular task, or installing systems to record employees entering or exiting a secure premises. However, it is likely that employees would not always reasonably expect to be monitored by video or audio surveillance systems in their day-to-day roles. In the case of audio monitoring, this guidance focuses on the recording of face-to-face or private conversations, rather than business telephone calls commonly used for monitoring or training purposes.
It is therefore important if you are using surveillance systems in the workplace, especially any use of audio recording, that you use them in rare circumstances. In addition, you must:
Example
An employer records incoming calls taken by employees in a call centre for training purposes, and this is known and accepted by staff. However, the employer also wishes to install video recording in a separate rest area, where staff can take breaks from work and interact.
This use of surveillance would not generally be expected by staff, and would be difficult to justify as a necessary or appropriate use by the employer. Such surveillance may also prevent staff from using the rest area, and may affect the way in which people behave and interact with each other. The employer should rethink the purposes of the recording, and should not install the system if there is no compelling justification for its use. Conducting a DPIA prior to any installation would also be a useful exercise to help identify a genuine need for monitoring and any associated risks.
Further reading – ICO guidance
This legacy guidance is based on the DPA 1998 and may not include all the requirements of the UK GDPR.
You may choose to install a surveillance system, such as a webcam or even use a mobile phone app that provides access to live streaming functions. This does not necessarily record any footage or save any data to a storage device or the cloud. Instead, it streams the footage over the internet to be viewed in real-time.
The definition of processing is broad and means that it isn’t limited to simply holding the data under the UK GDPR and DPA 2018. Collecting or viewing data in real time on a screen also qualifies as processing. This means that even though you are not storing the images captured on a live stream camera, it still constitutes the processing of personal data if you can identify individuals directly or indirectly.
Your processing may involve broadcasting a video stream (eg online) to an indefinite number of people. This live streaming of images of identifiable individuals is still subject to the requirements of the UK GDPR and DPA 2018.
Example
A property developer provides maintenance services for a block of flats. As part of the service, the controller decides to install a surveillance system that live streams footage of the corridors and entrances back to themselves without the knowledge of the residents.
The surveillance is likely to be unnecessarily intrusive and capture individuals visiting and leaving their private apartments. Therefore, the streaming of this footage would not be justified, nor within the reasonable expectations of the residents.
As technology helps organisations to stay more connected with staff, colleagues and students, it is important that the use of any video conferencing technology by organisations is fair and transparent. Attendees of an online meeting or students in a virtual lesson need to know how you are processing their data, as well as having appropriate choice and control over it.
If you are acting as a controller for the processing of personal data, even by a live stream, you are responsible for protecting the rights attendees have about their personal information. It is important that you are able to make a clear justification for its use based on necessity and proportionality. For example, if you are using video conferencing as a way to communicate with staff or to host a virtual lesson with students, or make a physical record of a specific interaction.
You should consider whether it is truly necessary in the circumstances to use video conferencing to live stream or record interactions. You should always consider if you could achieve the purpose by less privacy intrusive methods, such as audio only calls. If you feel that the use of video conferencing is necessary and helpful, such as for online schooling, then you must be able to justify and document your reasons for this type of processing.
In the interest of transparency, you must also tell individuals, or in some circumstances the parents of young students, what you are doing. This is so that they can raise any safeguarding concerns or objections should they wish.
Generally, it is not appropriate for you to post recordings online or make personal data available to an indefinite audience without the express permission of those recorded. If formal recording and publication of an interaction is required, you must clearly explain to the individual(s) what the purpose of the recording is. You must also ensure that you do not use the recording for any other incompatible purpose or disclose it to unauthorised third parties unless there is a justifiable reason.
You should also consider providing a secure link to a live stream or recording, that only attendees can view by a strong password, rather than placing it on an unsecured open website or social media platform for others to view.
Checklist
☐ We have checked that the personal data our surveillance system processes is adequate, relevant and is limited only to what is necessary in the circumstances .
☐ We have identified the minimum amount of personal data we need to fulfil our purpose .
☐ We have a surveillance system that can produce good, clear, quality images. The quality of the information collected is also maintained throughout the recording process .
☐ We have set up the system in such a way that information cannot be inadvertently corrupted .
☐ We have regular checks in place to ensure that the date and time stamp recorded on images is accurate (eg, when the UK switches between summer and winter time) .
☐ We have procedures in place to ensure the accuracy of systems we use that match personal data, such as ANPR and Facial Recognition Technology (FRT) .
☐ We have fully documented our use of any algorithms, AI or machine learning in our automated systems to assist with accountability requirements .
☐ We have considered the data protection implications of using other functions, such as audio recording, live streaming and cloud storage and we have further documented their use in our DPIA .
Under the UK GDPR and DPA 2018, you must ensure that the personal data you are processing is:
You should therefore identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more. For example, this could involve recording for a defined time period, or restricting the recording to a particular location.
It is also important that a surveillance system produces information that is of a suitable quality to meet the purpose(s) you installed it for. If the identification of individuals is a necessary part of the processing, then poor quality information that does not assist this purpose may undermine the reason for installing the system.
The decisions you make, and the reasons for selecting a particular surveillance system should not be based solely on technical capabilities. For example, the quality of the images it can produce, the field of vision it offers or the amount of data it can record. It is important that you also consider the governance capabilities that complement the system, such as software that enables footage to be uploaded, stored and audited. In addition, personal data should be easily retrievable in response to a subject access request and other individual rights. You should ensure that your systems have the capability to redact footage if third parties need to be blurred or obscured. See the section in this guidance on redaction for further information.
You can encounter challenges to compliance with data protection law if your focus is on technical capability over the transparency of the processing or the governance of information. You need to consider each area equally. You may feel constrained by what is available on the market in terms of surveillance systems, however this does not stop you from specifying the features you require and asking system providers to respond to these demands. This is supported by the UK GDPR (Recital 78), which explains that manufacturers of products and services that are based on the processing of personal data, should be encouraged to take into account the right to data protection when in development. This is an aspect of data protection by design and default.
Example
A controller chooses a Body Worn Video (BWV) system that allows video and audio recording to be switched on and off easily, to ensure that excessive information is not recorded continuously. In addition, the controller is able to efficiently upload necessary footage at the end of use in a secure manner, and retain it for a defined period.
In response to a subject access request, the controller is able to efficiently locate relevant footage and apply redaction techniques to protect the rights of third parties if required, within the statutory response times.
Checklist
☐ We have decided on the shortest period that we need to retain the information for, based on our purpose(s) for recording .
☐ We have documented our information retention policy and it is readily available and understood by those who operate the system .
☐ We have measures in place to ensure the permanent deletion of information through secure methods .
☐ We undertake systematic checks to ensure that the retention period is being adhered to .
The UK GDPR and the DPA 2018 do not prescribe any specific minimum or maximum retention periods which apply to surveillance systems or the personal data you may process. Rather, it is the purpose of your processing that should determine your retention period. You should therefore be able to determine what your purpose for using a surveillance system is, and then how long you need to retain the data for. Personal data held for too long will, by definition, be unnecessary. You are therefore unlikely to have a lawful basis for such retention. It is key that you do not retain data for longer than is needed. Therefore your retention period should be the shortest period for that purpose. Where information is no longer needed, then you should delete it.
You should also not determine your retention period simply by the storage capacity of any surveillance system, or just in case you think the data may be useful in the future. For example, footage from a surveillance system shouldn’t be kept for six months merely because the manufacturer’s settings on the surveillance system allow retention for this length of time.
On occasion, you may need to retain information for a longer period for a specific purpose. For example, where a law enforcement agency is investigating a crime and asks for you to preserve it to give them an opportunity to view it as part of an active investigation.
Checklist
☐ We can demonstrate that appropriate technical and organisational measures are in place that maintains the confidentiality, integrity and availability of the information captured from our surveillance systems .
☐ We ensure that access to footage is restricted only to authorised individuals .
☐ We can obtain copies of footage from our system in a timely manner, in a suitable format without losing image quality or time and date information .
☐ We are able to retrieve footage from our systems efficiently if it is requested for disclosures or for further examination, within relevant statutory timescales .
☐ We can demonstrate that the information we collect complies with designated technical standards .
You should store recorded material securely in a way that maintains the confidentiality, integrity and availability of the information. This is to ensure that you protect the rights of individuals recorded by surveillance systems and can use the information effectively for its intended purpose.
To do this, you need to carefully choose how you hold and record the information, and ensure that access is restricted only to authorised individuals. You also need to ensure that the information is secure and where necessary, encrypted. Encryption can provide an effective means to prevent unauthorised access to images processed in a surveillance system. However, there are circumstances where it is not always possible to apply encryption.
Where encryption is not achievable, then you should employ other appropriate technical methods to ensure the safety and security of information.
If you are going to collect and retain a large amount of information, (eg extended video footage), then you may consider storing the data in a cloud computing system. You need to ensure that this system is secure. If you have contracted a cloud provider to provide data storage, you need to ensure that the provider can offer sufficient security, and explore whether the sharing of personal data might amount to an international transfer (if the cloud provider is based abroad). The ICO has published guidance on international data transfers that covers this issue in more detail.
For accountability reasons, you may also wish to keep a record or audit trail showing how you handle information, if it is likely to be used as evidence for law enforcement purposes.
You should restrict the viewing of live surveillance on monitors to the operator and any other authorised person, unless the monitor displays a scene which is also in plain sight from the monitor location. You should also view recorded surveillance footage in a restricted area, such as a designated secure office.
Example
A CCTV system is installed in a hotel for the purposes of security, with monitors at the hotel reception area showing guests in the corridors and lifts, (i.e. out of sight of the reception area).
The monitors should be positioned so that they are only visible to relevant staff. Members of the public should not be allowed access to the area where staff can view them.
When implementing appropriate technical and organisational security measures, you should check:
Where possible you should aim to document procedures and ensure you review them regularly. This is to ensure you maintain the standards you established during the setup of your system.
Similarly, you should build in a periodic review of your system’s effectiveness to ensure that it is still doing what it was intended to do. If it does not achieve its purpose, you should stop the processing until you modify the system accordingly. The timescale for such a review depends on your organisation’s circumstances, but could include a regular monthly review or a much longer timescale if appropriate.
Further reading