At a glance
This guidance covers the processing of personal data by video surveillance systems by public and private sector organisations. Surveillance systems specifically include, but are not limited to traditional CCTV, Automatic Number Plate Recognition (ANPR), Body Worn Video (BWV), Drones (UAVs), Facial Recognition Technology (FRT), dashcams and smart doorbell cameras.
Organisations using surveillance systems that process the personal data of identifiable individuals need to comply with the UK GDPR and DPA 2018.
This particular guidance does not cover:
- covert surveillance techniques;
- processing for specific criminal law enforcement purposes by competent authorities under Part 3 of the DPA 2018;
- processing by intelligence services under Part 4 of the DPA 2018; and
- processing that is purely in the context of personal or household activities, such as household CCTV within the boundaries of private property.
This guidance also does not cover the use of ‘dummy’ or non-operational systems. However, it does cover pilots or trials as personal data is still processed.
In detail
- What do we mean by a surveillance system?
- Who is this guidance for?
- What does this guidance address?
- What does this guidance not address?
What do we mean by a surveillance system?
S29(6) of the Protection of Freedoms Act 2012 (PoFA) states that “surveillance camera systems” mean:
(a) closed circuit television or automatic number plate recognition systems,
(b) any other systems for recording or viewing visual images for surveillance purposes,
(c) any systems for storing, receiving, transmitting, processing or checking images or information obtained by systems falling within paragraph (a) or (b), or
(d) any other systems associated with, or otherwise connected with, systems falling within paragraph (a), (b) or (c).
Surveillance systems can be used to monitor and record the activities of individuals, often in high definition and with ease. As such, these systems can capture information about identifiable individuals and how they behave. This is likely to be personal data under data protection law.
“Personal data” under Article 4(1) UK GDPR means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Biometric data”, in particular, means personal data resulting from specific technical processing relating to the physical, physio-logical or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data, as defined at Article 4(14) UK GDPR.
Who is this guidance for?
This guidance is aimed at organisations in both the public and private sectors who use surveillance systems and are subject to the UK GDPR and the DPA 2018.
This guidance does not apply to domestic surveillance systems or individuals recording footage in a purely personal or household context. See our separate guidance on personal or household processing for more information.
It is also not directed at specified “competent authorities” using surveillance systems for criminal law enforcement purposes, who are subject to the separate law enforcement processing regime under Part 3 of the DPA 2018. However, this guidance as a whole still provides advice for competent authorities using surveillance systems for other non-criminal law enforcement uses under the UK GDPR. For more information on which regime applies to you, see our guidance on which regime.
What does this guidance address?
This guidance covers UK GDPR and DPA 2018 requirements. It applies where personal data is being processed by video surveillance systems in the public and private sectors. From the localised small scale use of more traditional CCTV in shops and premises for security purposes, to the deployment of facial recognition technologies and the processing of personal data on a larger scale.
This guidance outlines additional considerations for the use of:
- Automatic Number Plate Recognition (ANPR);
- Body Worn Video (BWV);
- Unmanned Aerial Vehicles (UAVs, also known as drones);
- Facial Recognition Technology (FRT) and surveillance;
- commercial products such as smart doorbells and surveillance in vehicles;
- workplace monitoring, live streaming; and
- other commercially available surveillance systems that have the potential to process personal data.
What does this guidance not address?
This guidance is not intended to address covert surveillance activities by public authorities governed by the Regulation of Investigatory Powers Act 2000 (RIPA) and the Regulation of Investigatory Powers (Scotland) Act 2000 (RIPSA). This type of recording is covert and directed at a specific individual or individuals.
This guidance also does not address:
- processing for specific criminal law enforcement purposes by competent authorities under Part 3 of the DPA 2018;
- processing by intelligence services under Part 4 of the DPA 2018; and
- processing that is purely in the context of personal or household activities, such as household CCTV within the boundaries of private property.
Note: The UK GDPR and DPA 2018 apply to information captured by surveillance systems. This guidance does not cover the use of ‘dummy’ or non-operational systems as no personal data is likely to be processed. However, it does cover pilots or trials where personal data is processed.
The use of conventional cameras (not CCTV) by the news media or for artistic purposes, such as for film making, are also not addressed by this guidance. This is because an exemption within data protection legislation applies to certain activities relating to journalistic, artistic and literary purposes. However, this guidance does apply to information collected by surveillance systems that is then provided to the media.
Surveillance systems vary substantially, as do the extent and reasons for use, and how personal data is processed. Therefore not all sections of this guidance are relevant in all cases. A checklist within this guidance for limited surveillance systems provides particular assistance in circumstances where privacy risks are small and resources are limited. To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. If you use video surveillance in a limited way but you wish to use your surveillance system for a new purpose, you should read the full guidance.