Reviewed by CamComply
CCTV Data Protection Policy: What Your Business Needs and How to Create One
What a CCTV data protection policy must include under UK GDPR, section by section — with practical guidance for SME owners writing one from scratch.
Your CCTV system records identifiable individuals. Under UK GDPR and the Data Protection Act 2018, you need a written policy explaining what you're doing, why, and what rights people have. Most businesses either don't have one or have a generic paragraph buried in their privacy notice that says nothing useful.
A CCTV data protection policy is a standalone document — not a sentence in your website footer. Here's what it must contain and how to write one that actually meets ICO expectations.
Why You Need a Separate CCTV Policy
Your general privacy policy covers how you handle customer data, employee records, and website cookies. CCTV processing is different enough to warrant its own document because:
- Different lawful basis. Most business CCTV relies on legitimate interests (Article 6(1)(f)), not consent. Your policy must explain the legitimate interests assessment.
- Different audience. Your privacy policy targets customers. Your CCTV policy must also address employees, visitors, contractors, delivery drivers — anyone filmed.
- Specific obligations. CCTV triggers requirements that don't apply to other processing: signage, DPIAs, retention schedules per camera, DSAR procedures for footage redaction.
The ICO's CCTV guidance expects organisations to have a documented policy that covers all of these areas. During complaints or audits, this is one of the first documents they request.
The 10 Sections Every CCTV Policy Must Include
1. Data controller details (required)
State who is responsible for the CCTV system:
- Business name (the data controller)
- Registered address
- Contact email or phone for data protection queries
- Data Protection Officer name and contact (if you have one — most SMEs won't need a DPO unless their core activities involve regular and systematic monitoring of individuals at scale, but you still need a named contact for CCTV-related queries)
2. Purpose of recording (required)
List every purpose your CCTV serves. Be specific:
- Prevention and detection of crime (theft, vandalism, break-ins)
- Staff safety and wellbeing
- Health and safety monitoring (e.g., monitoring loading bays)
- Insurance requirements
Don't include purposes you don't actually use. If you've never used footage for health and safety monitoring, don't list it. The ICO expects each stated purpose to be genuine and documented.
3. Lawful basis (required)
For most business CCTV, the lawful basis is legitimate interests under UK GDPR Article 6(1)(f). Your policy should state this and summarise the outcome of your legitimate interests assessment — specifically, why your interest in recording outweighs the privacy impact on the people being filmed.
If you use CCTV in areas where employees work, you may also need to reference employment law obligations (health and safety duties) as a supporting basis.
Never claim consent as your lawful basis for CCTV. Consent must be freely given, and employees in particular cannot freely consent to workplace surveillance. Legitimate interests is almost always the correct basis.
4. Camera locations and coverage (required)
Describe where cameras are positioned and what they cover. You don't need to publish exact coordinates, but the policy should give enough information for someone to understand the scope of surveillance:
- Areas covered (entrances, shop floor, car park, warehouse)
- Whether any cameras cover external/public areas
- Whether audio recording is in use (and if so, which cameras)
This section should be consistent with your camera register. If they contradict each other, you have a compliance problem.
5. Retention periods (required)
State how long footage is kept for each purpose, and what happens when the retention period expires:
- Standard retention period (the ICO's recommendation for routine business CCTV is 30 days)
- Exceptions (e.g., footage preserved for a specific incident or legal proceedings)
- Deletion method (automatic overwrite, manual deletion, secure destruction)
If different cameras have different retention periods based on their purpose, list them separately. Our retention calculator can help determine appropriate periods.
6. Access controls (required)
Document who can access footage — both live and recorded:
- Named roles with access (e.g., "business owner and shift managers")
- How access is controlled (password-protected DVR/NVR, physical key for server room)
- Whether footage is accessible remotely (mobile app, cloud portal)
- Audit trail — is access logged?
The fewer people with access, the better. The ICO considers excessive access a risk factor.
7. Data sharing (required)
List every third party you share footage with, or might share footage with:
- Police (when requested during investigations)
- Insurance company (in support of claims)
- Landlord (if required by lease agreement)
- CCTV maintenance provider (if they access recordings during servicing)
For each, state the legal basis for sharing and any safeguards in place.
8. Subject access requests (required)
Explain how individuals can request footage of themselves:
- How to submit a request (email address, postal address, or in person)
- What information the requester needs to provide (date, time, and area to help locate footage)
- Response timeline (one calendar month under UK GDPR)
- How footage will be provided (secure download, USB, in-person viewing)
- Redaction process for third-party data
See our DSAR handling guide for the full process.
9. Individual rights (required)
Beyond subject access, your policy should acknowledge these rights:
- Right to be informed — addressed by signage and this policy
- Right to erasure — limited for CCTV (you can refuse if footage is needed for legal claims or legitimate interests, but you must respond to the request)
- Right to object — individuals can object to processing based on legitimate interests. You must consider the objection and respond
- Right to complain — provide the ICO's contact details for anyone dissatisfied with your response
10. Review schedule (good practice)
State how often the policy is reviewed and what triggers an update:
- Annual review at minimum
- Immediate review when cameras are added, moved, or removed
- Immediate review when legislation or ICO guidance changes
- Named person responsible for the review
Making Your Policy Accessible
Writing the policy is half the job. The other half is making sure people can find it:
- Reference it on your CCTV signage. Signs should tell people where to find the full policy (website URL, reception desk, or "available on request")
- Publish it on your website. A dedicated page or downloadable PDF
- Include it in employee onboarding. Staff should receive and acknowledge the CCTV policy as part of their induction
- Make it available on request. If a visitor or customer asks, you should be able to produce it within minutes
What a Bad CCTV Policy Looks Like
- A single paragraph in your privacy notice: "We use CCTV for security purposes"
- A generic template downloaded years ago with "[insert company name]" still in the text
- A policy that lists purposes you don't actually use
- A policy that claims 90-day retention while your DVR is actually set to 180 days
- No mention of how to make a subject access request
If your policy matches any of these descriptions, it needs rewriting. Our free policy generator creates a tailored document based on your actual setup — cameras, purposes, retention periods, and access controls.
How Your Policy Connects to Other Documents
Your CCTV policy is part of a broader compliance framework:
| Document | Connection |
|---|---|
| Camera register | Camera details in the policy must match the register |
| DPIA | The policy should reference your DPIA; retention and purposes must align |
| Signage | Signs should direct people to the policy |
| DSAR procedure | The policy should summarise the process; the full procedure supports it |
| Employee handbook | Should reference the CCTV policy and confirm staff acknowledgement |
Inconsistencies between these documents are a common audit finding. If your policy says one thing and your practice says another, the ICO will notice.
Check your full compliance position with our free compliance checker, and read the complete UK CCTV regulations guide for context on how the policy fits into the broader obligation set.
This guide covers CCTV data protection policy requirements under UK GDPR and the Data Protection Act 2018 as of March 2026. It is not legal advice.
Last reviewed: 11 March 2026