Can employees or members of the public request their CCTV footage?

Yes. Under UK GDPR, individuals have the right to request access to footage in which they appear. You must respond within one month and provide the footage in a format they can view. Your CCTV policy should set out how you handle these requests.

CCTV Policy Template for UK Businesses

Q: What does the ICO require for business CCTV?

The ICO requires businesses to: identify a lawful basis for using CCTV, display clear signage, limit access to footage, set a retention period (usually 30 days or less unless footage is needed as evidence), and respond to subject access requests for footage within one month.

CCTV footage is personal data under UK GDPR. If your business operates cameras — in your premises, car park, or as a doorbell camera — you need a written CCTV policy that meets ICO requirements.

Get CCTV Policy — £15 Get all 10 documents — £69

Instant PDF & Word download · 14-day money-back guarantee

What is a CCTV policy?

A CCTV policy sets out the rules for how your business operates its surveillance camera system. Because CCTV footage can identify individuals, it is personal data under UK GDPR — which means the same rules that apply to customer records apply to surveillance footage.

The ICO's surveillance camera code of practice sets out expectations for businesses: clear signage, limited access, defined retention periods, and a process for handling requests from individuals who want to see footage of themselves. A written policy is how you demonstrate you are meeting those expectations.

What your CCTV policy should cover

The purpose of your CCTV system (security, health and safety, evidence gathering)
The lawful basis for processing footage under UK GDPR
Where cameras are located and what areas they cover
Who has access to live and recorded footage
How long footage is retained before being overwritten or deleted
Signage requirements to notify individuals they are being recorded
How to handle subject access requests for footage
Data breach procedures for footage loss or unauthorised access

Get your CCTV policy today

£15

CCTV Policy only

Single document

Get this document

£69

10 docs incl. Privacy Policy & SAR procedure

Professional plan

Get all 10 documents

£99

All 14 compliance documents

Complete plan

Get all 14 documents

Common questions about CCTV policies

Do I need a CCTV policy for my business?

Yes. If your business operates any CCTV system — including doorbell cameras or dashcams used for work — UK GDPR applies. The ICO expects a written policy covering how footage is used, stored, accessed, and deleted.

What does the ICO require for business CCTV?

The ICO requires businesses to identify a lawful basis for CCTV, display clear signage, limit access to footage, set a retention period (usually 31 days or less), and respond to subject access requests for footage within one month.

How long can I keep CCTV footage?

The ICO recommends keeping CCTV footage for no longer than 31 days unless there is a specific reason to retain it, such as an ongoing incident or investigation. Keeping footage longer than necessary without justification breaches the UK GDPR storage limitation principle.

Can people request their CCTV footage?

Yes. Individuals have the right under UK GDPR to request access to footage in which they appear. You must respond within one month. Your CCTV policy should set out how your business handles these requests and in what format footage will be provided.

All 14 UK compliance documents

Privacy Policy Data Protection Policy Data Retention Policy Health & Safety Policy Risk Assessment Employee Privacy Notice Cookie Policy CCTV Policy Data Breach Procedure SAR Procedure Acceptable Use Policy Social Media Policy Fire Safety Policy Lone Worker Policy