Skip to content
  • Homepage
  • Our Solutions
    • Document Storage and Records Management
      • Deed Storage
      • Long Term Storage
      • Media Storage Solutions
      • On Demand Storage
      • Onsite Management
      • Secure Vault Storage
    • AP Invoice Automation Solution
      • Start Your AP Journey
      • E-Invoicing
      • Features
      • ERP Integrations
      • Insights by Industry
      • Why Kefron AP?
      • Pricing
    • IT Asset Disposition Services
      • IT Asset Disposal
      • Hard Drive Shredding Services
      • Secure Data Destruction
      • WEEE Recycling and Electrical Waste Disposal
      • Refurbished IT Equipment
      • IT Equipment Resale and Revenue Return
    • Scanning and Data Capture
      • Scan to Digitise
      • Scan to Process
      • Digital Mailroom
      • Microfiche Scanning
    • Online Document Solutions
      • Online Document
        Management Software
      • Online Document Storage
    • Business Process Services
      • Data Management
      • Data Subject Access Requests
      • Securities and Deeds Management
  • Who We Are
    • About Kefron
    • Who We Are
    • Partners
    • Contact Us
    • Working with Kefron
  • News & Events
    • News & Events
    • Articles & Updates
    • Customer Stories
    • Upcoming Events
    • On-demand Events
    • Select Location
    • Ireland
    • United Kingdom
    • United States
    • Rest of the world
  • Let’s Talk
  • Republic of Ireland website
  • UK website
  • US website
  • Rest of the world website

How CCTV Footage Has Become A Data Protection Matter

First published March 2017

CCTV used to be considered a solution to security issues. But in recent years, data protection legislation in both the UK and Ireland has reflected concerns over privacy and personal rights. Storing recorded security footage is now considered the same as storing personal data.

For business owners, security is always high on the priority list – and for obvious reasons. According to the Home Office’s 2013 Commercial Victimisation Survey, commercial operations in the UK continue to deal with high rates of shoplifting and burglary. In a 12-month period between 2012 and 2013, retail supermarkets had suffered a rate of 87,890 shoplifting incidents per 1,000 premises, while London-based wholesale and retail businesses recorded almost three times theft and burglary rates as those in rural areas – 11,425 incidents per 1,000 premises compared to 3,811.

The advantage of CCTV systems, of course, is that a company’s property can be watched over constantly. But it becomes a more complex issue when installed cameras watch employees, students, or customers. And as ‘personal data’, the responsibilities of data controllers in managing it are made a little more intricate.

CCTV Footage Is Personal Data

In Ireland, the Data Protection Commission clarified changes that were made to the Data Protection Act in December 2015, confirming data captured on camera subject to the terms of the act.

In the UK, the Information Commissioner’s Office (ICO) confirmed that surveillance cameras must only be used when it is absolutely necessary. It has also stated that surveillance must be a ‘proportionate response to a real and pressing problem’.

In brief, using CCTV in a way that satisfies the terms of data protection legislation depends on 4 key conditions:

  • there must be a genuine reason for installing such a system
  • the purpose for its use must be displayed in a prominent position
  • signage must be used to inform employees of the location of cameras
  • CCTV footage cannot be used for any purpose other than that stated

Because recorded footage is ‘personal data’, capturing any footage must be proven ‘justified’ and a ‘proportionate response’.

Is Surveillance Justified?

For general security purposes, justifying the use of CCTV for surveillance is pretty straightforward; it’s basically all about guarding against theft.

With employees at work, there can be a very thin line between justifiable surveillance and a breach of personal rights, especially when staff is being recorded while carrying out their everyday duties. Staff members are usually satisfied when they are made aware they are being recorded as part of a general security policy.

Employers must be aware that monitoring staff without proper justification can end up at the employment tribunal. But surveillance without providing prior warning is possible in only a few situations:

  • If you suspect they’re breaking the law
  • When letting them know about it would make it hard to detect a crime

Is Surveillance A Proportionate Response?

Clearly, recording footage is a proportional response to crime, which tends to happen at night or when no-one is around. So, a CCTV system can be considered an example of vigilance. When monitoring employees, security cameras can be seen as necessary for health and safety reasons, but it is important to point to specific examples where a camera would be useful.

The key issue, however, is where the cameras will be located. It is extremely difficult to accept CCTV cameras in staff toilets or changing rooms as being proportional. Even if it can be, images cannot be captured at urinals, in cubicles or in shower areas.

Retention and Access

In Ireland, the Data Protection Acts leaves the issue of data retention open to interpretation, saying that data should not be stored ‘for longer than is necessary’ and only for the purposes for which they were obtained. Storage needs to be fully secure, with restricted access and a clear access log kept.

People who are captured in CCTV images have a right access to that data. A data subject (as they are called) must make an application in writing, and a data controller must respond within 40 days.

In the UK, everyone is entitled to access to any data gathered about them. All they need to do is make a written request, and can be:

  • given a description of the personal data
  • told why it is being processed
  • told if it will be given to any third parties
  • given a copy of the information comprising the data

What Do You Have To Do?

Nobody likes the idea of a Big Brother scenario, so the major investment in high street and public transport CCTV systems is being counter-balanced with strict legislation. New regulations are expected to be introduced in Ireland in 2018 which will include heavier fines for data controllers who fail to adhere to data protection guidelines.

So, it’s important to get procedures in order. To do so, follow these 2 steps:

  1. Carry Out Assessments – This should be done before installing a CCTV system, and should comprise a Risk Assessment and a Privacy Impact Assessment.
  2. Draw Up a Written CCTV Policy – This needs to be as detailed as possible covering everything from the identity of the data controller to access procedures and agreed retention periods.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) will be one of the most far-reaching data protection regulations in recent times, unifying data protection for residents of the European Union (EU) and the export of data outside of the EU.

Does your business understand how CCTV footage will be classified under the GDPR?

BlogBusiness Processes

Related articles

Impact of New Digital Legislation on Irish and European Businesses in 2025

BlogBusiness Processes

The 2024 Digital Legislation, including the EU AI Act, Digital Services Act (DSA), NIS2 Directive, and Cyber Resilience Act, significantly impacts Irish and European businesses. Key areas affected include AI regulation, cybersecurity, and platform ac...

Read more

6 Simple Steps To Creating A Paperless Office

BlogBusiness Processes

How can you make the switch to a paperless office? Here are 6 simple steps to help your company make the dream a reality. Read our latest blog.

Read more

GDPR Compliance: One Year On, How Has Your Business Been Affected?

BlogBusiness Processes

Only a year ago, the long-awaited arrival of the European Union’s stringent GDPR final ended, and the business world would never be the same again. But now than the dust has settled, has the expected dramatic shake-up to data protection actually ha...

Read more

GDPR: Non-Compliant Businesses Facing First Fines

BlogBusiness Processes

It is now 6 months since the EU’s new data protection measures, the General Data Protection Regulation (GDPR), finally came into effect. But although May 25th had long been known as the deadline, there are still companies out there who are not yet ...

Read more

Data Protection in Hospitals: How To Rectify GDPR Failings In The Hospital Sector

BlogBusiness Processes

Not every sector has yet complied with GDPR. One of the biggest is the Hospitals Sector, with the Data Protection Commission highlighting 14 matters of concern it has found in hospitals. But while the situation is serious, some key steps are all that...

Read more

Why Maximizing Staff Awareness Is The Key To A Smooth GDPR Transition

BlogBusiness Processes

With D-Day fast approaching, full GDPR readiness should almost be complete. But does your staff really understand their role in the transition? Staff awareness is not only a key part of compliance, it can strengthen your organisation’s long-term po...

Read more

Data Protection Impact Assessments: What Are They and Why The GDPR Insists On Them

BlogBusiness Processes

With the GDPR around the corner, companies throughout Europe have had to re-examine both their business structures and practices. With the new regulations relating to data protection, Data Protection Impact Assessments are set to become compulsory. B...

Read more

5 Benefits Getting GDPR Ready Brings To Your Business

BlogBusiness Processes

For many business owners, the imminent arrival of the EU’s General Data Protection Regulations (GDPR) next year is something that is keeping them up at night. But initiatives associated with getting GDPR-ready are set to also bring real benefits to...

Read more

Why Storing Dark Data and Mining Its Secrets Benefits Businesses

BlogBusiness Processes

With a name that, alone, suggests it’s something no enterprise should want to keep, Dark Data is often a misunderstood presence in company servers. In fact, despite its ominous name, it is actually a highly-valuable asset, and storing Dark Data and...

Read more

The GDPR and Cloud Hosting

BlogBusiness Processes

For a while now, talk amongst the information technology community has been rife with conversation about the upcoming EU General Data Protection Regulation (GPDR). The legislation is to be finalised this year and will be effective from May 2018. The ...

Read more

Get in touch

Ireland
53 Park West Road
Dublin 12, D12 F8RK
T: +353 (0)1 438 0200

Connect with us

TwitterYouTubeInstagramLinkedInFacebookVimeo

  • Privacy Statement
  • Terms And Conditions
  • Sitemap

© Copyright 2025 Kefron. All Rights Reserved

Please confirm your country

  • Ireland
  • United Kingdom
  • United States
  • Rest of the World

Confirm

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies.

Cookie Settings Accept All
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept