If you have a surveillance camera system you have duties to protect the privacy of the people who may be captured by the footage and should be aware of recent data protection law changes. These laws are regulated by the Information Commissioner’s Office (ICO). If you decide to install CCTV that could capture images of people, and you’re not already registered with the ICO, you must register with them and pay their data protection fee.
A new law, the Data (Use and Access) Act (DUAA) was passed at the end of June and some provisions came into force in August but most changes will be phased in up till June 2026. Overall, the scope of this Act was more limited than a previous piece of legislation that the last Conservative Government was closed to passing before the General Election in 2024.
In its guidance on the DUAA, the ICO stated that it amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).
The ICO said: “Most of the changes offer you an opportunity to do things differently, rather than needing you to make specific changes to comply with the law. “
One part of the previous Conservative legislation, which was criticised within the security industry, was the proposed abolition of the position of the Biometrics and Surveillance Camera Commissioner, which had been created as two separate roles in 2012. The Surveillance Camera Commissioner is responsible for ensuring adherence to the Surveillance Camera Code of Practice and this would also have been scrapped. While many aspects of the Code had become part of the legal requirements of the DPA 2018, scrapping it would have meant all CCTV compliance would have come under the ICO’s data protection remit.
The Code and the positions now remain, although the last Biometrics and Surveillance Camera Commissioner, Tony Eastaugh, resigned in August 2024. In July this year, Francesca Whitelaw was appointed as an interim Biometrics Commissioner. She is due to be in this position for up to six months until the new Biometrics and Surveillance Camera Commissioner is appointed, and the Surveillance Camera Commissioner role will be vacant until then.
Organisations operating CCTV systems looking for specific guidance should be aware that the ICO states on its website that this will be updated in the coming months to reflect data protection law changes brought about by the DUAA. The ICO indicates that the DUAA has been designed to make some areas of data protection compliance easier for organisations. For example, if somebody submits a subject access request (SAR), to obtain access to the personal information you hold. The DUAA “makes it clear that you only have to make reasonable and proportionate searches when someone asks for access to their personal information”.
Meanwhile, if you don’t already do so, the DUAA requires you to take steps to help people who want to make complaints about how you use their personal information, such as providing an electronic complaints form. You also have to acknowledge complaints within 30 days and respond to them ‘without undue delay’.
Separately, the ICO itself is being replaced the Information Commission and all the work and duties of the ICO will be continued by this body.
When we design and install the advanced CCTV systems we offer, we can support organisations with their data protection and Surveillance Camera Code compliance. This includes ensuring organisations meet their transparency requirements by providing signs, so people know when CCTV cameras have been installed, and that there is a published contact point for access to information and complaints. Our maintenance and support contracts also ensure that your surveillance camera system will meet requirements that footage is of a high quality and personal data is kept secure. Please get in touch if you want to know more.