Is CCTV Personal Data? What Every UK Business Owner Must Know

You know your CCTV records people. You're not sure whether that recording counts as "personal data" under UK law — and if it does, what that actually changes for your business.

The short answer: yes, CCTV footage is personal data in most business scenarios. But the detail matters, because there are edge cases where it isn't, and understanding the boundary helps you know exactly which obligations apply.

When CCTV Footage Is Personal Data

UK GDPR defines personal data as any information relating to an identified or identifiable natural person. The ICO's CCTV guidance is direct: footage containing identifiable individuals is personal data.

A person is "identifiable" if they can be recognised from the footage — directly or indirectly. This includes:

Face visible — the obvious case
Clothing and build — a person wearing a distinctive uniform at a known workplace is identifiable even if their face is obscured
Context — footage of someone at a specific desk, workstation, or till position identifies them through their role, even if they're filmed from behind
Vehicle registration plates — ANPR or footage showing a readable plate links to the registered keeper
Combination of factors — a timestamp plus a location plus general appearance may be enough, even if no single factor is sufficient alone

The test isn't "can we identify them?" — it's "could anyone reasonably identify them?" If you film someone in a corridor and you don't recognise them, but a colleague would, that footage is personal data.

When CCTV Footage Is NOT Personal Data

There are genuine scenarios where footage falls outside the definition:

No identifiable individuals present. A camera pointing at an empty car park overnight, recording only vehicles with no readable plates and no people, is not processing personal data during that period. The moment a person or readable plate enters the frame, it becomes personal data.

Resolution too low to identify anyone. If your camera captures such a wide area at such low resolution that no individual could reasonably be identified — even by someone who knows them — the footage may not constitute personal data. This is rare with modern cameras, which typically record in HD or higher.

Purely domestic use. A homeowner's camera covering only their own property for personal security falls outside data protection law entirely. But this exception is narrow: if the camera captures any area beyond the property (a shared driveway, a public pavement, a neighbour's garden), it's no longer purely domestic. And it never applies to businesses.

Important: these exceptions are narrow. For any business operating CCTV in areas where employees, customers, or visitors are present, the footage is almost certainly personal data.

Is CCTV Footage Confidential?

This is a related but different question. CCTV footage being "personal data" means data protection law applies. Whether it's also "confidential" depends on context:

Confidentiality obligations exist when:

An employee requests their footage via a subject access request — you must not share it with other employees unless there's a lawful reason
Footage captures sensitive situations (a medical incident, a disciplinary matter, a private conversation in an area where conversations might be overheard)
You've committed to confidentiality in your CCTV policy or employment contracts

Footage is not automatically confidential. A recording of a shop floor during business hours isn't confidential in the same way a medical record is. But it is personal data, and you must handle it accordingly — secure storage, limited access, defined retention, proper destruction.

The practical rule: Treat CCTV footage with the same care you'd give any other personal data. Don't share it casually, don't leave it accessible to everyone, and don't keep it longer than necessary.

What Changes When Footage Is Personal Data

Once footage qualifies as personal data, every UK GDPR obligation kicks in. Here's what that means in practice:

You need a lawful basis

You can't record people just because you want to. You need a documented legal reason — for most businesses, this is legitimate interests under Article 6(1)(f). You must be able to show that your interest in recording (preventing theft, protecting staff) outweighs the privacy rights of the people being filmed.

You must tell people they're being filmed

Transparency is a core UK GDPR principle. Compliant signage at every entrance to a surveilled area must state who is recording, why, and how to find out more. Generic "CCTV in operation" stickers don't meet the requirement. See our signage guide for the full requirements.

You must complete a DPIA

A Data Protection Impact Assessment is required for processing likely to result in high risk to individuals. The ICO considers systematic CCTV monitoring to meet this threshold in most cases. Our DPIA guide walks you through it step by step.

You must limit retention

The storage limitation principle means footage can only be kept as long as necessary for its stated purpose. The ICO recommends 30 days for routine business CCTV. Keeping footage for months "just in case" is a compliance failure. Our retention calculator helps set appropriate periods.

You must handle subject access requests

Anyone identifiable in your footage can request a copy. You have one calendar month to respond. This includes employees, customers, and any other individual captured on camera. See our DSAR handling guide for the process.

You must secure it

Footage must be protected against unauthorised access, accidental loss, and destruction. Password-protected DVR/NVR systems, restricted physical access to recording equipment, and logged access are all expected.

You must register with the ICO

If you process personal data, you must pay the annual ICO data protection fee (£52–78 for most SMEs). Failure to pay can result in enforcement action and penalty notices from the ICO.

Audio Recording: A Higher Bar

If your cameras record audio, that's an additional layer of personal data processing. The ICO considers recording conversations "particularly intrusive" and significantly harder to justify than video alone.

Many modern IP cameras ship with microphones enabled by default. If you haven't explicitly checked and disabled audio recording, it may be running without your knowledge — and without any documented justification in your DPIA.

Check your camera settings. If audio is on and you don't have a specific, documented reason for it, switch it off.

Special Category Data in CCTV

In most cases, CCTV footage is "ordinary" personal data. But it can become special category data (which carries stricter rules under UK GDPR Article 9) if it reveals:

Racial or ethnic origin
Religious beliefs (e.g., religious dress)
Health conditions (e.g., visible disabilities, medical incidents)
Trade union membership (e.g., footage of union meetings)

If your cameras routinely capture situations where special category data might be visible, your DPIA needs to address this specifically, and you need an additional legal condition under Article 9(2) beyond your Article 6 lawful basis.

For most SME CCTV setups — cameras covering shop entrances, car parks, and warehouses — special category data processing is incidental rather than systematic. But it's worth being aware of, particularly if cameras cover employee-only areas.

The Bottom Line

If your CCTV captures identifiable people — and in any business setting, it almost certainly does — that footage is personal data. Every obligation under UK GDPR applies: lawful basis, transparency, DPIAs, retention limits, subject access rights, security, and ICO registration.

The good news: compliance isn't complicated once you understand what's required. Check your current position with our free compliance checker, and read the complete UK CCTV regulations guide for the full picture.

This article covers CCTV personal data classification under UK GDPR and the Data Protection Act 2018 as of March 2026. It is not legal advice.