Skip to content

CCTV and the Data Protection Act

CCTV and Personal Information

Most usage of CCTV will be covered by the Data Protection Act. This gives you the right to see information held about you, including CCTV images of you, or images which give away information about you (such as your car number plate).

The Data Protection Act sets rules which CCTV operators must follow when they gather, store and release CCTV images of individuals. The Information Commissioner can enforce these rules.

You can see the ICO's advice to operators in The Information Commissioner's CCTV Code of Practice.

Some uses of CCTV are not covered by the Data Protection Act. For example, the use of cameras for limited household purposes (such as to protect a home from a burglary) - even if the camera overlooks the street (for more information on this, see The Information Commissioner’s FAQs).

If you are concerned that CCTV is being used for harassment, anti social behaviour or other matters dealt with under  criminal law, then these are matters for the police. Images taken for recreation, such as on mobile phones, digital cameras and camcorders, are also exempt from the Act.

Law enforcement covert surveillance activities are covered by a separate Act - the Regulation of Investigatory Powers Act (RIPA) 2000 and the Regulation of Investigatory Powers (Scotland) Act (RIPSA) 2000.

Data Protection Subject Access CCTV

Public CCTV is a successful part of the tools developed during recent years to assist with efforts to combat crime and disorder whilst enhancing community safety.

Equally, it may be regarded by some as the most potent infringement of people's liberty. If users, owners and managers of such systems, are to command the respect and support of the general public, the systems must not only be used with the utmost probity at all times, they must be used in a manner which stands up to scrutiny and is accountable to the very people they are aiming to protect.

We are committed to the belief that everyone has the right to respect for his or her private and family life.

Although the use of Public CCTV cameras has become widely accepted in the UK as an effective security tool, those people who do express concern tend to do so over the handling of the information (or data) which the system gathers.

After considerable research and consultation, this Council has adopted a nationally recommended standard.

  • Please read this page fully before applying for data. The forms to apply for data are at the bottom of this page

  • Please also note: CCTV images are kept secure for 31 days - after which they are destroyed unless the footage is required by the police in connection with a crime

Primary request to view data

Primary requests to view data generated by a CCTV system are likely to be made by third parties for any one or more of the following purposes:

  • Providing evidence in criminal proceedings (e.g. Police and Criminal Evidence Act 1984, Criminal Procedures & Investigations Act 1996, etc.)
  • Providing evidence in civil proceedings or tribunals
  • The prevention of crime
  • The investigation and detection of crime (may include identification of offenders)
  • Identification of witnesses

Third parties, which should be required to show adequate grounds for disclosure of data within the above criteria, may include, but are not limited to:

  • Police
  • Statutory authorities with powers to prosecute, (e.g. Customs and Excise, Trading Standards etc)
  • Solicitors
  • Claimants in civil proceedings
  • Accused persons or defendants in criminal proceedings
  • Other agencies, according to purpose and legal status, as agreed by the Data Controller and notified to the Information Commissioner

Upon receipt from a third party of a bona fide request for the release of data, the scheme owner (or representative) should:

  • Not unduly obstruct a third party investigation to verify the existence of relevant data
  • Ensure the retention of data which may be relevant to a request, but which may be pending application for, or the issue of, a court order or subpoena, (it may be appropriate to impose a time limit on such retention which should be notified at the time of the request)

A time limit could apply providing reasonable notice was issued to the agent, prior to the destruction of the held data, (eg a time limit was about to expire).

Where requests fall outside the terms of disclosure and Subject Access legislation, the data controller, or nominated representatives, shall:

  • Be satisfied that there is no connection with any existing data held by the police in connection with the same investigation
  • Treat all such enquiries with strict confidentiality

A Data Controller can refuse an individual request to view if insufficient or inaccurate information is provided. A search request should specify reasonable accuracy (could be specified in ½ hour).

Secondary request to view data

A 'secondary' request for access to data may be defined as any request being made, which does not fall into the category of a primary request.

Before complying with a secondary request, the scheme owner should ensure that:

  • The request does not contravene, and that compliance with the request would not breach, current relevant legislation, (e.g. Data Protection, section 163 Criminal Justice and Public Order Act 1994, etc.)
  • Any legislative requirements have been complied with, (e.g. the requirements of the Data Protection Act)
  • Due regard has been taken of any known case law (current or past) which may be relevant, (e.g. R v Brentwood BC ex p. Peck) and
  • The request would pass a test of 'disclosure in the public interest'

If, in compliance with a secondary request to view data, a decision is taken to release material to a third party, the following safeguards should be put in place before surrendering the material:

  • In respect of material to be released under the auspices of 'crime prevention', written agreement to the release of the material should be obtained from a police officer, not below the rank of Inspector. The officer should have personal knowledge of the circumstances of the crime/s to be prevented and an understanding of the CCTV System Code of Practice
  • If the material is to be released under the auspices of 'public well being, health or safety', written agreement to the release of material should be obtained from a senior officer within the Local Authority. The officer should have personal knowledge of the potential benefit to be derived from releasing the material and an understanding of the CCTV System Code of Practice

Recorded material may be used for bona fide training purposes such as police or staff training. Under no circumstances will recorded material be released for commercial sale of material for training or entertainment purposes.

Individual subject access under data protection legislation

Under the terms of Data Protection legislation, individual access to personal data, of which that individual is the data subject, must be permitted providing:

  • The request is made in on the correct form giving correct information
  • A specified fee is paid for each individual search
  • The Data Controller is supplied with sufficient information to satisfy him or herself as to the identity of the person making the request
  • The person making the request provides sufficient and accurate information about the time, date and place to enable the data controller to locate the information, which that person seeks, (it is recognised that a person making a request is unlikely to know the precise time. Under those circumstances, it is suggested that within one hour of accuracy would be a reasonable requirement) Under those circumstances, it is suggested that within one hour of accuracy would be a reasonable requirement)
  • The person making the request provides sufficient and accurate information relevant to the particular search and which contains personal data of him or herself only, unless all other individuals who may be identified from the same information have consented to the disclosure

In the event of the scheme owner complying with a request to supply a copy of the data to the subject, only data pertaining to the individual should be copied, (all other personal data which may facilitate the identification of any other person should be concealed or erased). Under these circumstances an additional fee may be payable.

The data controller is entitled to refuse an individual request to view data under these provisions if insufficient or inaccurate information is provided. However every effort should be made to comply with subject access procedures and each request should be treated on its own merit.

In addition to the principles contained within the Data Protection legislation, the data controller should be satisfied that the data is:

  • Not currently and, as far as can be reasonably ascertained, not likely to become, part of a 'live' criminal investigation
  • Not currently and, as far as can be reasonably ascertained, not likely to become, relevant to civil proceedings
  • Not the subject of a complaint or dispute which has not been actioned
  • The original data and that the audit trail has been maintained
  • Not removed or copied without proper authority
  • For individual disclosure only (i.e. to be disclosed to a named subject)

Process of disclosure

Verify the accuracy of the request.

Replay the data to the requester only, (or responsible person acting on behalf of the person making the request)

The viewing should take place in a separate room and not in the control or monitoring area. Only data, which is specific to the search request, should be shown

It must not be possible to identify any other individual from the information being shown; (any such information should be blanked-out, either by means of electronic screening or manual editing on the monitor screen).

If a copy of the material is requested and there is no on-site means of editing out other personal data, then the material should be sent to an editing house for processing prior to being sent to the requester.

Media disclosure

In the event of a request from the media for access to recorded material, the procedures outlined under 'secondary request to view data' should be followed. If material is to be released the following procedures should be adopted:

  • The release of the material must be accompanied by a signed release document that clearly states what the data will be used for and sets out the limits on its use
  • The release form should state that the receiver must process the data in a manner prescribed by the data controller, e.g. specify identities/data that must not be revealed
  • It may also require that proof of editing must be passed back to the data controller, either for approval or final consent, prior to its intended use by the media (protecting the position of the data controller who would be responsible for any infringement of Data Protection legislation and the System's Code of Practice)
  • The release form should be considered a contract and signed by both parties

Access forms

The following subject access forms can also be found in the relevant documents below

NWLDC CCTV Subject Access Request (Individual) (PDF Document, 0.24 Mb)

DPA Section 35 (2) Request for CCTV Images Form (Insurance Companies/Solicitor) (PDF Document, 0.1 Mb)

Additional information about CCTV in general can also be obtained from the relevant links section of this page:

Share this page:

Last updated:

Back to top