How to Handle a CCTV Subject Access Request: UK Template and Process

Someone has asked for a copy of your CCTV footage. Maybe an employee, maybe a customer, maybe a solicitor. You have one calendar month to respond — and getting it wrong can mean an ICO complaint, enforcement action, or an employment tribunal citing your failure as evidence.

Here's the exact process for handling a CCTV subject access request (SAR), the exemptions you can rely on, and what your response should include.

What Counts as a Valid CCTV Subject Access Request

A SAR doesn't need to use specific wording. The requester doesn't need to say "subject access request" or cite UK GDPR. According to ICO guidance for employers, a request can be made verbally, in writing, by email, or even via social media.

If someone asks "can I see the camera footage from Tuesday?" — that's a valid SAR if the footage contains their personal data.

You must respond even if you plan to refuse. The one-month deadline applies to all responses, including refusals.

The 7-Step CCTV DSAR Process

Step 1: Log the request immediately

Record the date received, who made the request, what footage they've asked for, and any specifics (date, time, camera location). This date starts your one-month clock.

Step 2: Verify identity

You need reasonable confidence the requester is who they claim to be. For employees, your existing records are usually sufficient. For external requesters, ask for photo ID plus proof of address.

Don't over-verify — the ICO considers excessive identity checks a form of obstruction. If you already know the person (a current employee, a regular customer), asking for formal ID may be unreasonable.

Step 3: Locate the footage

Check whether the footage still exists. If your retention period has expired and the footage has been deleted, tell the requester — that's a valid response. You're not required to retain footage longer than your policy states just because a request might arrive.

If the footage exists, identify every camera that may have captured the requester during the time period they've specified.

Step 4: Review and redact

This is where most businesses get stuck. CCTV footage almost always contains other identifiable people. You cannot hand over unredacted footage showing third parties unless:

You have their consent, or
It's reasonable to disclose without consent (rare for CCTV)

Practical redaction options:

Blur or pixelate faces and identifiable features of third parties
Provide still images with third parties redacted instead of full video
Offer an in-person viewing where you can control what's shown

The ICO's SAR advice for small organisations confirms that redaction is expected when third-party data is involved.

If your DVR/NVR system doesn't support video export with redaction, you may need to use screen recording with areas manually obscured, or arrange a supervised viewing.

Step 5: Check exemptions

You may be able to withhold some or all footage if:

Crime prevention or detection: Disclosure would prejudice an ongoing investigation (e.g., the footage is evidence in a theft investigation)
Legal proceedings: The footage is subject to legal professional privilege
Third-party rights: Redaction isn't possible and disclosure would identify others without justification
Manifestly unfounded or excessive: The request is designed to harass rather than exercise a genuine right — but this is a high bar. A request you find inconvenient is not "manifestly unfounded"

Document your reasoning if you rely on any exemption. "We decided not to provide the footage" is not sufficient — you must explain which exemption applies and why.

Step 6: Prepare your response

Your response must include:

Confirmation of what personal data you hold (the footage)
A copy of the footage, or an explanation of why you're withholding it
Information about your retention period and when the footage will be deleted
Your lawful basis for processing (likely legitimate interests)
The requester's right to complain to the ICO if unsatisfied

Deliver the footage securely. Password-protected USB drives, encrypted file sharing, or secure download links are all acceptable. Do not send unencrypted footage by email.

Step 7: Record your response

Log what you provided, when you provided it, and any exemptions relied upon. Keep this record — if the requester complains to the ICO, you'll need to demonstrate your process was lawful.

Response Deadlines: The One-Month Rule and Extensions

Standard deadline: One calendar month from the date you receive the request. Note that "one calendar month" is not always exactly 30 days — a request received on 15 January is due by 15 February; one received on 31 January is due by 28/29 February.

Identity verification and the clock start: If you reasonably need to verify the requester's identity before you can process the request, the one-month period begins when you are satisfied of their identity. However, you should request ID promptly — do not delay as a way to extend the deadline.

Clock pause for clarification: If the request is unclear (e.g., "I want all footage of me" without specifying dates or locations), you can ask the requester to narrow it down. Under the Data (Use and Access) Act 2025, the deadline pauses until they respond. This is separate from identity verification — clarification pauses the clock, while identity verification delays the clock's start. You can only pause the clock if you genuinely need clarification — not as a stalling tactic.

Extension for complexity: If the request is genuinely complex — multiple cameras, long time periods, extensive redaction needed — you can extend by up to two additional months. You must tell the requester within the original one-month period that you're extending and explain why.

No fee: SARs are free. You cannot charge for providing CCTV footage unless the request is manifestly unfounded or excessive (in which case you can charge a "reasonable fee" or refuse entirely).

CCTV SAR Response Template

Use this structure for your written response:

Subject: Response to your subject access request — [Date of original request]

Confirm you received their request on [date]
State that you've identified footage from [cameras/dates/times] containing their personal data
Describe what you're providing (video file, stills, or offer of viewing)
Note any redaction applied and why (third-party data protection)
State any footage not provided and the specific exemption relied upon
Include your retention period ("this footage will be deleted on [date] in line with our retention policy")
Provide your contact details for follow-up
Inform them of their right to complain to the ICO if dissatisfied

Keep the language plain. The ICO expects responses to be understandable, not buried in legal jargon.

Common Mistakes That Trigger ICO Complaints

Ignoring the request. The single most common failure. Even if you think the request is unreasonable, you must respond within one calendar month.

Demanding formal paperwork. Requiring a specific form, a written letter, or a particular format is not permitted. The request can be verbal.

Over-redacting to the point of uselessness. If you blur so much that the requester can't identify themselves in the footage, you haven't fulfilled the request. Redact third parties, not the requester.

Deleting footage after receiving the request. Destroying footage that's been requested is a serious breach. Once you receive a SAR, preserve the relevant footage until you've completed the response — even if your retention period expires in the meantime.

Missing the deadline without explanation. If you need more time, communicate that within the initial one-month period. Silent delays are treated as non-compliance.

When You Can Refuse

Refusal is possible but limited:

The request is manifestly unfounded (e.g., the requester has explicitly stated the purpose is to disrupt your business)
The request is manifestly excessive (e.g., requesting footage from every camera for an entire year with no legitimate reason)
Providing the footage would prejudice a criminal investigation

If you refuse, you must tell the requester why, inform them of their right to complain to the ICO, and do so within one calendar month. You cannot simply not respond.

Practical Tips for SMEs

Set up your system properly now. Choose a DVR/NVR that supports footage export and date/time search. If extracting footage requires calling your installer, every SAR becomes expensive and slow.

Keep your camera register current. When a SAR arrives, you need to quickly identify which cameras may have captured the requester. A documented camera register saves hours of searching.

Have a named DSAR handler. One person who knows the process, has DVR access, and can respond within the deadline. For most SMEs, this is the owner or office manager.

Document your retention periods. Our retention calculator helps you set appropriate periods for each camera — which also tells you whether requested footage still exists.

Check your compliance gaps. Subject access requests often arrive alongside broader compliance questions. Our free compliance checker assesses your full CCTV compliance position in under 5 minutes.

This guide covers CCTV subject access request handling under UK GDPR and the Data Protection Act 2018 as of March 2026. It is not legal advice. For complex DSARs — particularly those involving ongoing legal proceedings or police investigations — consult a qualified data protection professional.