How organisations can balance CCTV, privacy, and GDPR compliance

Employers use CCTV to protect premises, monitor workers, and support health and safety compliance. CCTV footage is also used in disciplinary proceedings, internal training and employee grievance investigations. Read this article to learn how companies and public organisations with CCTV systems in place can balance their need for video surveillance against compliance with GDPR and other privacy regulations. It includes a best practices checklist for CCTV implementation.

CCTV systems used by organisations and public entities can deter crime and provide footage of incidents and altercations to insurance companies, law enforcement, courts, and third parties who request it through a Subject Access Request (SAR).

In cases of sharing footage or using it for internal purposes, organisations must redact the personal data of any third parties who appear in the footage — unless those individuals have consented to disclosure, or it is otherwise reasonable to disclose their information without consent.

This means blurring faces, bodies, and any other identifying features of bystanders, staff, or anyone else who is not the subject of the request. Vehicle licence plates must also be redacted where they could identify a third party.

Keep reading to find out more about relevant privacy regulations, CCTV usage best practices, and redaction requirements for compliant footage sharing. We’ll also present our solution, Identity Cloak, which helps automate CCTV footage redaction and anonymise videos in a compliant manner.

#GDPR privacy regulations and ICO guidelines

#GDPR and CCTV privacy

The General Data Protection Regulation (GDPR) and Data Protection Act apply to CCTV systems because they record personal information. GDPR defines personal information as any information that could identify a living individual — which includes visual images of faces and any identifying elements. Audio data from CCTV systems is also subject to GDPR.

#ICO guidance on CCTV and privacy

The Information Commissioner's Office (ICO) offers extensive guidance on video surveillance. The ICO focuses on helping organisations comply with GDPR. 

Read this article for an in-depth guide on ensuring GDPR compliance when relying on CCTV in the workplace.

#Checklist for CCTV privacy considerations

Ultimately, the use of CCTV should be guided by principles of proportionality, necessity and transparency. Key points to consider regarding CCTV and privacy:

  1. Purpose and justification
    The use of CCTV should be justified by a legitimate purpose, such as enhancing public safety or protecting property. The benefits should outweigh the potential invasion of privacy. Having a written record of the scope and nature of your CCTV system is essential. A typical CCTV policy will confirm standard matters, such as: the location of cameras, the purpose of CCTV (such as crime prevention or staff safety), the contact details of the person in charge of the CCTV system, and CCTV footage storage practices.

  2. Placement and coverage
    CCTV cameras should be strategically placed to maximise security while minimising intrusion into private spaces. Cameras should avoid areas where individuals have a reasonable expectation of privacy, such as bathrooms or changing rooms. Privacy regulations and the ICO require compelling reasons for camera placement and usage. The most common reasons are crime prevention and staff protection.

  3. Data storage and access
    Data collected by CCTV systems should be securely stored and accessed only by authorised personnel for legitimate purposes. There should be clear policies regarding who can access the footage and under what circumstances.

  4. Notice and consent
    In public spaces where CCTV is used, there should be clear signage notifying individuals of its presence. In some jurisdictions, obtaining consent may be required, especially in areas where individuals have a heightened expectation of privacy.

  5. Data retention and deletion
    There should be clear guidelines for the retention and deletion of CCTV footage. Retaining data for longer than necessary increases the risk of privacy breaches and misuse.

  6. Accountability and oversight
    There should be mechanisms in place to hold organisations accountable for the use of CCTV systems. This may include independent oversight bodies, audits, or transparency reports.

  7. Encryption and security
    CCTV systems should employ encryption and other security measures to protect the integrity and confidentiality of the data collected. Security measures help prevent unauthorised access and tampering.

  8. Public debate and consultation
    When relevant, the deployment of CCTV systems should involve public debate and consultation to weigh the benefits against the potential impacts on privacy. Community input can help shape policies and guidelines that strike an appropriate balance.

#Examples of CCTV uses across industries

Historically, the majority of CCTV systems were operated by businesses and public bodies such as highways agencies and local authorities. That remains true today — but the range of commercial applications has expanded. Here are some examples:

  • Retail
    Retail is one of the heaviest users of commercial CCTV. Cameras deter shoplifting and vandalism, support insurance claims, and provide evidence in the event of incidents.

  • Transport
    Bus and rail operators run some of the most camera-dense environments in the UK. Cameras protect passengers and drivers, support incident investigations, and provide footage for insurance and legal purposes. 

  • Healthcare
    NHS trusts and private hospitals use CCTV to protect staff from violence, monitor patient safety, and support investigations into incidents. Hospitals are also frequent recipients of subject access requests — patients, staff, and visitors all have the right to request footage in which they appear. 

  • Local governments
    CCTV cameras in courts, government offices, and public spaces can be used to monitor traffic, ensure public safety and deter crime. Local governments may need to share footage of incidents, provide it as proof of incidents, or supply it in response to third-party requests.

  • Education
    Schools and universities use CCTV to maintain site security and respond to incidents. Educational institutions are also subject to data protection law and must handle footage requests from students, parents, and staff in line with GDPR or, for some educational institutions based in the USA, FERPA obligations.

  • Venues and museums
    Venues and museums may be required to put CCTV systems in place to comply with regulations like Martyn’s law, or may want to have surveillance cameras to monitor employees, deter crime, and safeguard art on display. They may need to be able to quickly process multiple requests or quickly share footage of incidents with law enforcement.

#Subject access requests: what CCTV operators must know

A Subject Access Request (SAR) — sometimes called a DSAR (Data Subject Access Request) — is a formal request from an individual to access the personal data an organisation holds about them. Under UK GDPR, this right extends to CCTV footage.

Any individual who appears in your CCTV footage can submit a SAR asking for a copy of that footage. This applies regardless of whether they are a customer, employee, visitor, or member of the public. 

#Common SAR scenarios

  • An employee requests footage from a disciplinary hearing

  • A customer requests footage following a slip-and-fall incident

  • A passenger requests bus or train footage after an altercation

  • A patient requests hospital corridor footage following a complaint

  • A visitor requests footage from a retail premises after a dispute

Each of these scenarios requires the organisation to locate the relevant footage, identify the subject, redact all third-party personal data, and provide the footage within the one-month window.

#What counts as personal data in CCTV footage

The scope of personal data in video is broader than many organisations realise. Under GDPR, the following all constitute personally identifiable information (PII) when captured on camera:

  • Faces

  • Tattoos and distinguishing marks

  • Vehicle number plates

  • Signage, words, and location indicators

  • Information visible on computer screens

All of this must be redacted before CCTV footage is shared with the SAR requester or any other third party.

#SAR response deadline

Organisations must respond to a SAR within one calendar month of receiving it. A two-month extension is permitted where the request is complex or where multiple requests have been received simultaneously — but the organisation must notify the requester within the first month that an extension is being applied and explain why.

Failing to respond within the deadline is a breach of UK GDPR. The ICO will issue enforcement notices even where no financial penalty is applied. 

#Refusing Subject Access Requests

The inability to redact CCTV footage is not a lawful reason to refuse a SAR. The ICO expects organisations to have the means to redact footage before providing access. If an organisation lacks the tools or resources to do this, that is their problem to solve — not a justification for refusal. Organisations that cannot redact footage risk enforcement action if an individual escalates their request to the ICO.

Read our guide on common myths about subject access requests — including why you cannot refuse a SAR simply because redaction is difficult.

#Identity Cloak for compliant video redaction 

Facit's Identity Cloak is built for organisations that need to respond to SARs and share CCTV footage compliantly. We have processed over 15,000 videos for customers. On recommended hardware, the typical end-to-end redaction time — from import to export — is 12 minutes or less.

#Key Identity Cloak features

#AI-powered tracking and blurring

Identity Cloak automatically detects, tracks, and blurs all people and vehicles in a video. You then select the subject of interest to unblur, and the software tracks them automatically throughout the clip. This removes the need to manually blur every bystander frame by frame.

#Automated face, full body and licence plate redaction

By default, Identity Cloak can automate the redaction of faces, full bodies and vehicle number plates, covering the full scope of PII that GDPR requires you to protect. You can unmask relevant people or cars with one click, speeding up the redaction process.

#Custom blur shapes and masked zones

To mask static areas of footage, such as signage, computer screens, or areas of a room that should not be disclosed, Identity Cloak users can create custom-shaped masked areas that stay blurred throughout the video clip. Layered blurring keeps the person of interest visible even if they walk through a masked zone.

#Audio redaction

Identity Cloak’s audio editing removes an audio track where it’s not essential for the request or mutes spoken personal information to ensure compliance when sharing bodycam footage or mobile phone recordings.

#Video trimming and cropping

When processing the video, you can trim the footage so that only the relevant section is blurred, then crop the view so that only the relevant areas are redacted. You share only what is necessary and speed up the redaction timeline.

#Offline, on-premise operation 

Identity Cloak is stored and operated on your own device. No footage is uploaded to the cloud, reducing the risk of data breaches during the redaction process. It can also be air-gapped.

#Wide format compatibility

Video import supports AVI and MP4 formats. You can also import footage from legacy systems or in a different format with our built-in on-screen recorder. File export supports AVI and MP4 formats.

#Milestone XProtect and API integration 

For organisations using Milestone's XProtect, Identity Cloak plug-ins allow redaction of live video feeds and recorded footage directly within XProtect, without needing to export footage first.

Identity Cloak can also be integrated with other VMS via API.

#Identity Cloak case studies 

#Nottingham City Transport

Nottingham City Transport operates 289 buses with over 4,000 cameras across its fleet. The volume of footage requests — from passengers, staff, and legal teams — required a redaction solution that was fast and required minimal manual intervention.

"Facit software is quick and easy to use. It's so intuitive that all of our staff can use it more or less straight away. The changeover from the old system to the new system was very, very quick."
— Geoff Shepherd, CCTV Supervisor, Nottingham City Transport

A 1-minute video takes approximately 8 minutes to process from start to finish — uploading, processing, and exporting.

#King's College Hospital

As one of London's largest and busiest teaching hospitals, King's College Hospital receives a significant volume of SARs from patients, staff, and visitors. The Trust needed a way to fulfil these requests and comply with data privacy regulations without depleting clinical budgets or pulling expert staff away from patient-facing work.

Identity Cloak gave the Trust an in-house redaction capability that is fast, reliable, and cost-effective — removing the need to outsource redaction or delay responses.

#Tate Foundation

Barry Palmer, Head of Safety and Security at the Tate Foundation, highlighted the broader value of having a video redaction solution in place:

"The investment in Identity Cloak is value for money. There are many ways in which the software has paid for itself, from risk and reputation management to cost-effective compliance with GDPR — as failure to comply with GDPR carries hefty fines."
— Barry Palmer, Head of Safety and Security, Tate Foundation

#The Paris Police Department

The Paris Police Department adopted Identity Cloak to comply with France’s new SREN Law and stricter GDPR enforcement around video data privacy. Read more about the benefits of deploying an automated, GDPR-compliant video redaction solution.

#Córas Iompair Éireann (CIÉ) 

Córas Iompair Éireann (CIÉ), Ireland’s state-owned public transport group, switched to Identity Cloak from outsourcing video redaction, achieving a 90% cut in redaction time and reducing redaction costs.

“It’s made an unbelievable difference - like night and day. Even in complex scenes, Identity Cloak finds and redacts the vast majority of sensitive material automatically and minimises the need for manual intervention.”

– Paul Whelan, Data Protection Officer (DPO) at CIÉ 

#Try the Identity Cloak trial for GDPR-compliant video redaction

Identity Cloak runs locally on your device, operates behind your firewall, and processes footage without sending data to external servers. It is trusted by organisations across 23 countries, including the NHS, River Island, Tate Museum, and others. 

Start your 7-day free trial today — no credit card required.