Security Systems and Data Protection: how to define the lawful basis of your CCTV systems

Jan 24, 2019

by Daniel Miller

The arrival of the GDPR in 2018 and the UK’s corresponding 2018 update to the Data Protection Act, highlighted the necessity of having secure procedures in place when dealing with Personally Identifiable Information (PII), and the importance of awareness when dealing with such data.

When talking about PII, the first thing that jumps to mind is email addresses, names, telephone numbers… but aren’t we forgetting something? Yes, that images are also PII.

When it comes to camera systems and solutions, this means that if you can identify individuals by the images captured on your video surveillance system, then your system must meet the same data protection requirements as any other system processing PII.

If you’re installing a new security system, or you have an existing one on your premises, you need to make sure that your recording of images has a lawful basis.

Which Lawful basis is applicable?

For most businesses, it’s likely that the appropriate lawful basis for using video surveillance will be the legitimate interest of the organisation. Examples of legitimate reasons for processing personal data include the prevention and detection of crime, safeguarding staff and visitors, ensuring compliance with health and safety procedures, and improving productivity.

In all cases, a business will still be required to justify the area under surveillance. As even inside a work premises, employees have a right to privacy.

One of the first things to think about is installing a visible, clear signage informing subjects that the area is under video surveillance and the purpose of this.

You should also make sure that there is a clear reason for installing cameras in an area, this reason should be reviewed routinely and whenever changes are applied to your security system.

The Information Commissioner’s Office (ICO) code of practice advises that you should regularly evaluate whether it is necessary and proportionate to use your CCTV system.

The latest CCTV code of practice addresses the growing public concern when it comes to the use of CCTV and the legal requirements for those who implement/adopt surveillance systems or/and live streaming cameras.

Among the main surveillance areas covered in the Code of Practice

Deciding when surveillance camera systems should be used

Before installing a video surveillance system you should carefully consider whether or not it is necessary. An initial assessment will be the best way to investigate the future use of your system and the implications.

In the case of an existing surveillance system, a regular evaluation of the necessity of this and the storage of data is advised.

These assessments should “ be based on reliable evidence and show whether the surveillance system proposed can be justified as proportionate to the needs identified.”


Once the surveillance system is in place, a clear procedure for storage and handling of the data should be issued. If more of one organisation is involved, your procedure should be clear address the responsibilities of each part.

All recorded material should be stored in a secure location and the storage procedures should be clear and easily accessible to those responsible. Other security measures such as encryption, access restrictions should be considered in this process.

In the case of a live public camera stream, set up purely to showcase a particular view for the public, the camera should always be zoomed so that members of the public are not identifiable in the stream. However, if individuals are identifiable, they should be made aware it and the video stream should be justified and shown to be “necessary and proportionate.”

All individuals appearing in the stream/surveillance recording have the right to access any of their data at any time. Information needs to be provided within 40 calendar days of receiving the request.

Always make sure that your system use is in line with its original installation purpose, throughout its life -e.g. if you set up a surveillance system to check who enters and leave your business premises, it wouldn’t be appropriate to stream online the images from it-.

Selecting and siting surveillance systems

Any surveillance system must be adequate for its purpose. Choose an installer/provider able to provide assistance is therefore very important.

Any system should also allow an easy extraction of the information held, if a data subject requires access to theirs PII.

An initial impact assessment will help in choosing the right system for your purposes and needs.

Surveillance technologies other than CCTV systems

As you add or take away technologies and units to your system, it’s important to recognise the system that you have in place and familiarise yourself with it, so that any action can be undertaken in a mannered time and in a secure way.


It’s important to make people aware of areas covered by CCTV surveillance. A straightforward way of doing so, is through clear and visible signage; this message can be reinforced through audio announcements and signposting to your CCTV Policy.

This blog post is merely an introduction to the legal requirements for CCTV, more information can be found on the ICO website.
If you need any further advice, please don’t hesitate to get in touch.

We're here to assist you

Find out how we can help, call us on 0151 633 2111

This website uses cookies to ensure you get the best experience. With your continued use of this site you accept cookies. Learn More

Got It