Reviewed by CamComply
Who Can View CCTV Footage? UK Access Rules Explained
Who is allowed to watch your CCTV footage — staff, the person recorded, the police? UK data protection law sets clear limits. Here's who can view footage, and when.
"Who's allowed to look at the CCTV?" sounds like a simple question. It isn't. The answer depends on who's asking — a member of your staff, the person who appears in the footage, the police, an insurer, or a curious manager. UK data protection law treats each differently, and getting it wrong can turn a routine recording into a criminal offence or an ICO complaint.
This guide walks through each category of person and explains when they can — and can't — view your CCTV footage.
The Default Rule: Access Must Be Restricted
Start from the principle, not the exceptions. The UK GDPR requires that personal data — and CCTV footage of identifiable people is personal data — is processed "in a manner that ensures appropriate security" (Article 5(1)(f)), backed by the security obligations in Article 32.
In practice that means access to footage should be limited to the smallest number of people who genuinely need it, each of whom should be named and authorised. "Anyone in the office can log into the camera app" is a compliance failure waiting to happen.
Your Own Staff
Staff can view footage only where it's necessary for their role and they're authorised to do so.
- A manager reviewing footage to investigate a specific incident: usually fine, if it's within the stated purpose of the system.
- An employee browsing footage out of curiosity, or to check on a colleague: not allowed — and potentially a criminal offence.
Under section 170 of the Data Protection Act 2018, knowingly or recklessly obtaining or disclosing personal data without the controller's consent is a criminal offence. An employee who accesses footage they're not authorised to view, or shares a clip on social media, isn't just breaking a workplace rule — they may be committing an offence prosecuted by the ICO.
The protection here is procedural: keep an access list of who is authorised, log every viewing, and brief staff that unauthorised access has legal consequences. A CCTV log book and camera register is how you evidence this.
The Person Recorded (Subject Access Requests)
Anyone captured in your footage has the right to request a copy of footage of themselves, under UK GDPR Article 15 — a subject access request (SAR or DSAR).
Key points:
- You have one calendar month to respond.
- Footage is provided free of charge unless the request is manifestly unfounded or excessive.
- You must redact other identifiable individuals before releasing footage — blur faces, or otherwise protect third parties' personal data.
- The Data (Use and Access) Act 2025 added a "stop the clock" rule: if you need more information to locate the footage (date, time, camera), the one-month clock pauses until the requester provides it.
So the person recorded can view footage of themselves — but only their own, and only after you've protected everyone else who appears. For the full process, see our subject access request guide.
Can One Employee Get Footage of Another?
A common workplace question. An employee can submit a DSAR for footage of themselves, even if a colleague appears alongside them — you'd redact the colleague. But an employee has no right to demand footage of a different person; that would be the other person's data, not theirs.
Covert monitoring of staff is a separate and stricter issue. The ICO's view is that covert surveillance of employees is rarely justified and only acceptable in exceptional circumstances (e.g. suspicion of serious wrongdoing where overt methods would prejudice an investigation), for a limited time, and usually with a DPIA. Routine covert monitoring of staff is very likely unlawful.
The Police
You can disclose footage to the police for the prevention or detection of crime without the data subject's consent, relying on the relevant exemption in the DPA 2018.
Best practice:
- Ask for the request in writing where possible (many forces use a standard data request form).
- Disclose only the footage relevant to the specific matter.
- Log the disclosure — what was shared, when, with which force/officer, and the basis. This record protects you.
You're not obliged to hand over footage on a casual verbal request; you're entitled to be satisfied there's a proper basis. But where there's a genuine crime-prevention purpose, you may share it.
Insurers, Solicitors, and Other Third Parties
There's no automatic right for an insurer or a solicitor to view your footage. You'd need a lawful basis to disclose, and you must consider the privacy of everyone in the footage. Treat these requests with the same care as any other disclosure: confirm the purpose, disclose only what's necessary, redact third parties, and log it.
Practical Steps
- Create an access list — name the few people authorised to view footage, and remove everyone else.
- Log every viewing and disclosure — especially to police and third parties.
- Brief your staff that unauthorised access or sharing is a criminal offence, not just a policy breach.
- Have a DSAR process ready — including how you'll redact third parties.
- Check your access controls with our free CCTV compliance checker.
For the wider data protection picture, see our CCTV data protection guide and the UK CCTV regulations guide. For whether footage counts as personal data at all, see is CCTV personal data?.
This guide explains who may access CCTV footage under the UK GDPR and Data Protection Act 2018, current as of June 2026. This is not legal advice.
Sources
Last reviewed: 9 July 2026