CCTV Privacy Obligations
If AXON has installed CCTV at your premises, you are the Data Controller for that footage under UK GDPR. This means you have legal obligations to your staff, visitors and members of the public who appear on camera. This guide explains what you need to do to stay compliant and avoid ICO enforcement action.
Your Legal Obligations at a Glance
Signage
- Display CCTV warning signs at all camera entry points
- Signs must be clearly visible and legible
- Include who operates the system and why
- Include a contact point for enquiries
Documentation
- Register with the ICO as a data controller (£40–£60/yr)
- Document your legitimate interest for using CCTV
- Update your privacy policy to mention CCTV use
- Maintain a record of processing activities
Retention
- Set a clear retention period — typically 31 days
- Footage should be automatically overwritten after the retention period
- Keep footage longer only if needed for an incident
- Document your retention policy in writing
Access Control
- Limit who can view live and recorded footage
- Use strong passwords on your NVR/DVR and app
- Change default manufacturer passwords immediately
- Keep a log of who has accessed footage and when
Subject Rights
- Be prepared to handle Subject Access Requests (SARs)
- Must respond within 30 days
- Redact other people's faces before sharing footage
- Can decline requests that are manifestly unfounded
Camera Positioning
- Cameras must not cover areas where people have a reasonable expectation of privacy
- Avoid capturing public streets beyond what is necessary
- Never install cameras in toilets, changing rooms or private spaces
- Document why each camera is positioned where it is
ICO Registration — Mandatory
Operating CCTV without registering with the ICO is a criminal offence. Most organisations using CCTV must pay the data protection fee.
If your organisation uses CCTV (even just one camera), you are almost certainly required to register with the Information Commissioner's Office (ICO) as a data controller and pay an annual fee. The fee is tiered by organisation size — most small businesses pay £40 per year. You can register at ico.org.uk/registration.
Exemptions exist for very small organisations (sole traders with no employees) and for personal/household use only. Commercial premises with staff do not qualify for exemption.
CCTV Signage — What It Must Include
The ICO Code of Practice requires that CCTV warning signs are placed at all points where people might be recorded. Here is an example of a compliant sign you can use:
Operated by: [Your Business Name]
Footage retained for: 31 days
Tip: Signs should be A5 size minimum for outdoor use. Place them at the entrance to each area covered, at eye level, facing toward anyone about to enter the monitored zone. You can download printable CCTV signs from the ICO website free of charge.
Footage Retention
The UK GDPR data minimisation principle requires you to keep footage only for as long as necessary. The ICO recommends 31 days as a standard retention period for most commercial CCTV. Your Hikvision NVR is configured to overwrite footage automatically when storage is full — ensure this is set to overwrite oldest footage first.
If an incident occurs (theft, assault, accident), preserve the relevant footage immediately by exporting it to a secure location before it is overwritten. Footage retained for incident purposes can be kept for as long as needed to resolve the matter, including any legal proceedings.
Subject Access Requests (SARs)
Any individual who appears in your CCTV footage has the right to request a copy of footage in which they appear. You must respond within one calendar month. Key points:
- You cannot charge a fee for handling a SAR (except in exceptional circumstances)
- Before providing footage, redact (blur) the faces of any third parties who also appear in the footage — you can't share their data without their consent
- You can refuse a request that is manifestly unfounded or excessive, but you must inform the person and give them the right to complain to the ICO
- Contact AXON if you need assistance extracting specific footage from your NVR — we can assist contract customers with this as part of your maintenance agreement
AXON's Role as Data Processor
Where AXON engineers access your camera system remotely for maintenance or fault-finding purposes, AXON is acting as a data processor on your behalf. This is covered by the data processing provisions in your AXON service contract. AXON engineers:
- Only access your system when required for a specific maintenance or support task
- Do not retain copies of your footage
- Have their access logged and auditable on request
- Carry out all remote access over encrypted connections
Useful Resources
- ICO Guidance on Video Surveillance
- ICO Registration — Pay Your Data Protection Fee
- ICO Guidance on Subject Access Requests
Questions? Contact the AXON team at info@axon-security.com — we're happy to advise on CCTV compliance as part of your service agreement.