Reviewed by CamComply
The Surveillance Camera Code of Practice: What UK Businesses Need to Know
The Surveillance Camera Code of Practice sets 12 principles for operating CCTV in the UK. Here's what it actually requires, who it legally binds, and why the ICO expects every business to follow it.
If you run CCTV in the UK, you'll have come across the Surveillance Camera Code of Practice — usually as a line in someone else's compliance checklist, rarely explained. It's frequently misunderstood: some businesses treat it as a binding statute they must obey to the letter; others ignore it because "it's only for the police." Both readings are wrong.
This guide explains what the Code is, what statute it comes from, who it legally binds, and why the ICO expects every CCTV operator — including your business — to follow it as best practice.
What the Surveillance Camera Code of Practice Is
The Surveillance Camera Code of Practice is a statutory code issued by the Home Secretary under the Protection of Freedoms Act 2012 (Part 2, Chapter 1). It was first published in 2013 and updated in 2022. Its purpose is to set out good-practice standards for the use of overt surveillance camera systems in public places.
The Code is built around 12 guiding principles. These cover why you operate cameras, how you protect people's privacy, how transparent you are, who is accountable, and how you handle the images you collect.
Crucially, the Code is not the same thing as data protection law. It sits alongside the UK GDPR and the Data Protection Act 2018, which are the laws the ICO enforces. The Code addresses the broader question of whether and how surveillance cameras should be used; data protection law governs the personal data those cameras produce. Most of the Code's substance overlaps with what data protection law already requires of you — which is exactly why following it is sensible even though it isn't directly binding on private businesses.
Who the Code Legally Binds — and Who It Doesn't
This is the part most checklists get wrong.
The Protection of Freedoms Act 2012 places a statutory duty to "have regard to" the Code only on "relevant authorities" — defined in the Act as bodies including police forces and local authorities. If you are a relevant authority, you have a legal obligation to take the Code into account when operating surveillance cameras.
If you are a private business — a shop, pub, warehouse, gym, office, care home, or car park operator — you are not a "relevant authority", so the Code does not legally bind you. You will not be prosecuted for breaching the Code itself.
So why does it matter to you? Because the ICO expects all organisations to follow the Code as best practice, and because nearly everything the Code asks for is also required of you under the UK GDPR and DPA 2018 — which the ICO does enforce against private businesses. In practice, if you follow the Code, you are doing most of what data protection law already demands. Ignore it, and you're likely breaching obligations that carry real enforcement risk.
Plain-English summary: The Code is legally binding on police and councils. For your business it's "best practice" — but the underlying obligations it reflects are binding on you through UK GDPR and the DPA 2018.
The 12 Guiding Principles — and What They Mean for Your Business
The Code's 12 principles read as if written for large public-sector camera networks, but each one translates directly into a practical step for an SME. Here's the plain-English version.
1. Use cameras for a specified purpose. Every system must serve a clear, legitimate aim that meets an identified pressing need — not "just in case." Write down why you have CCTV (theft prevention, staff safety, etc.).
2. Account for the privacy impact. Consider how recording affects individuals and review that regularly. This is, in effect, the Code's version of a Data Protection Impact Assessment.
3. Be transparent. Tell people they're being recorded and give them a contact point for questions and complaints. This is your signage and your published contact details.
4. Have clear responsibility and accountability. Someone must own the system — the images, the access, the decisions.
5. Have clear rules and policies before you start recording. This is your CCTV policy, communicated to anyone who operates the system.
6. Keep images no longer than necessary. Define and enforce a retention period; delete footage when the purpose has been served.
7. Restrict access to images and information. Only people with a genuine need should be able to view footage.
8. Operate to defined technical and operational standards. Cameras should be fit for the stated purpose.
9. Use only approved operational, technical, and competency standards relevant to the system and its purpose.
10. Have effective review and audit mechanisms to ensure legal requirements, policies, and standards are being met.
11. Use the system to support a legitimate aim and a pressing need, and use the most effective and least intrusive means to do so.
12. Hold accurate, well-managed information to support the system's stated purpose, and ensure any reference-database use (e.g. facial recognition) is accurate and up to date.
If you've already worked through your DPIA, signage, CCTV policy, retention schedule, and access controls under data protection law, you've satisfied most of these principles without thinking of them as "the Code."
What Changed in 2025: The Data (Use and Access) Act
There has been confusion about whether the Code still exists, because an earlier proposal — the Data Protection and Digital Information (DPDI) Bill — would have abolished the Surveillance Camera Commissioner role and scrapped the Code, transferring everything to the ICO's data protection remit. That Bill was abandoned before the 2024 general election and never became law.
The law that did pass — the Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025 — did not abolish the Code or the Commissioner. It amends the UK GDPR and DPA 2018 rather than replacing them.
For completeness: the role of Biometrics and Surveillance Camera Commissioner had been vacant since August 2024, but a permanent commissioner (Professor William Webster) took office on 1 November 2025. The Code remains in force, and the Commissioner continues to oversee it.
The practical takeaway: don't let anyone tell you the Code is gone. It isn't. The DUAA's CCTV-relevant changes (such as the new "stop the clock" rule for subject access requests and a documented complaints-handling duty from 19 June 2026) sit on top of the existing framework — they don't remove it.
How the Code Fits Your Overall CCTV Compliance
For your business, the Code is best treated as a quality benchmark rather than a separate legal hurdle. Use it as a sanity check: if you can map each of the 12 principles to something you actually do, your CCTV programme is in good shape. Where you can't, you've found a gap that's probably also a data protection gap.
| Code principle | Your equivalent obligation under data protection law |
|---|---|
| Specified purpose (1, 11) | UK GDPR Article 5(1)(b) — purpose limitation |
| Privacy impact assessed (2) | UK GDPR Article 35 — DPIA for high-risk processing |
| Transparency (3) | UK GDPR Articles 13–14 — signage and privacy information |
| Accountability (4) | UK GDPR Article 5(2) — accountability principle |
| Documented rules (5) | Your CCTV policy (evidence of accountability) |
| Retention limits (6) | UK GDPR Article 5(1)(e) — storage limitation |
| Restricted access (7) | UK GDPR Article 5(1)(f) + Article 32 — security |
| Review and audit (10) | UK GDPR Article 5(2) — demonstrating compliance |
Practical Steps
- Read the 12 principles once. They take ten minutes and will tell you whether your system is being run for a clear purpose or by inertia.
- Map each principle to what you do. Purpose statement, DPIA, signage, policy, retention schedule, access list, audit routine. A gap in the Code is almost always a gap in data protection law too.
- Document your purpose. The single most common failing is operating cameras with no written reason. Fix this first.
- Run a compliance check. Our free CCTV compliance checker covers the obligations the Code reflects, mapped to UK GDPR and the DPA 2018.
For the full picture of every law that applies to business CCTV, read our UK CCTV regulations guide. For how the broader data protection framework applies to your cameras, see our CCTV data protection guide, and for the DPIA in detail, our CCTV DPIA guide.
This guide explains the Surveillance Camera Code of Practice as it applies to UK businesses, current as of June 2026. The Code is issued under the Protection of Freedoms Act 2012 and was not abolished by the Data (Use and Access) Act 2025. This is not legal advice.
Last reviewed: 4 June 2026