Surveillance in vehicles
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Checklist
☐ We have conducted a Data Protection Impact Assessment (DPIA) that fully addresses our use of surveillance in vehicles, and explores the rights and freedoms of both drivers and passengers whose personal data could be captured by the system.
☐ We have clear and informative signage in place within vehicles to let drivers and passengers know when video surveillance systems may be used, and who to contact in the event of a query.
☐ We only use audio recording in exceptional circumstances, and this is switched off by default if the feature forms part of the installed surveillance system.
☐ We have efficient governance procedures in place, such as for the retention of information, and we are able to retrieve stored footage and process it for subject access requests or onward disclosures to third parties where appropriate.
☐ We comply with the Surveillance Camera code of practice where required.
How is surveillance in vehicles used?
Surveillance systems in vehicles, such as inward or outward facing cameras, are often small systems that are designed to be mounted in cars (or on bikes, most often on the rider’s helmet). They record footage of the journey and any incidents that might occur.
While other commercially available action cameras allow for mounting in a car and for footage to be recorded, some surveillance systems are specifically designed for in car use. They have features such as GPS technology, and allow footage to be saved automatically to aid an investigation in the event of a crash or sudden stop.
If you are considering using surveillance systems within any of your vehicles, you should consider the data protection issues that may arise in the specific context of its use. For example, an employer may choose to install inward facing cameras in licensed vehicles as a way to prevent crime, and to protect drivers and vulnerable passengers if there is a genuine need to do so. You should read sections in this guidance about the data protection principles and individuals rights for further information.
Surveillance systems can be intrusive, and can impact on the rights and freedoms of individuals where such systems are used, especially in places that people would not reasonably expect. In terms of outward facing cameras or dashcams, this can apply to other motorists or pedestrians being recorded outside of the vehicle, or for inward facing systems, drivers and passengers within a vehicle.
Employment and licensed vehicles
If you act as an employer, or oversee the use of licensed vehicles for example, then you should pay particular attention to data protection law if you choose to mandate surveillance systems within vehicles. This is so you can identify an appropriate lawful basis for processing, and adequately safeguard the rights and freedoms of both licenced drivers, passengers and other members of the public.
You must provide sufficient privacy information. For example, you should ensure that you have appropriate signage within the vehicle. This should notify drivers and passengers that recording is taking place and under what specific circumstances.
In addition, you must provide clarity over who is the controller for the processing. For example, sufficient contact details of the relevant controller so that individuals can exercise their rights under the UK GDPR, such as the right of access.
Read further information about installing surveillance in work vehicles in Can we monitor work vehicles? and Can we use dashcams to monitor our workers?
Can we record audio within vehicles?
You should also apply the same data protection considerations for recording any audio by in-vehicle surveillance systems. Generally, you should switch off any capability to record audio by default. You should only use it in exceptional circumstances, for example by a trigger switch, due to its intrusive nature. Continuous activation requires strong justification that you need to document and risk assess thoroughly.
Example
A logistics firm equips their lorries with in-vehicle surveillance systems with audio capability.
Whilst no intentional audio recording is made within the cabin, it is possible that conversations held by the driver can be picked up. The logistics firm, acting as controller, is therefore required to review whether or not the use of audio is necessary and proportionate in the circumstances. Conducting a DPIA prior to installation must be done to identify such risks to privacy.
Any capability to record audio should be switched off by default, and only used, for example by a trigger switch, in exceptional circumstances.
Example
A taxi company, acting as a controller, wishes to mandate the use of onboard cameras in taxis and private hire vehicles. These cameras will record video footage for the purposes of preventing crime and protecting drivers and passengers. The company wishes to use a system that records continuously, which is activated when a vehicle is running.
The drivers express concern that where vehicles are also used for private purposes outside of core working hours, that they, their friends and family would be subject to unnecessary continuous recording.
The company must conduct a DPIA, and ensure that the use of such systems are necessary and proportionate. Continuous recording, whilst the vehicle is being used for private purposes outside of working hours, is likely to be considered excessive. Drivers should have the option to deactivate the recording in these circumstances. The company would also need to take a data protection by design approach, and ensure that the systems they install are of a suitable technical standard, and allow compliance with the principles of data protection law.