CCTV Footage Subject Access Requests: How to Handle Requests for Video Data
How to respond to subject access requests for CCTV footage. Legal requirements, redaction of third parties, retention periods, and practical steps for businesses.
Last updated: 2026-04-28
CCTV Footage Is Personal Data
If your CCTV system captures images of identifiable individuals, the footage is personal data. It does not matter whether you actively use the footage to identify people — the fact that individuals can be identified from it is enough. This means the right of access under GDPR, UK GDPR, and other privacy laws applies to CCTV footage just as it applies to emails, database records, or HR files.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
CCTV subject access requests (SARs) are among the most practically challenging requests a business can receive. The footage involves multiple people, the files are large, redaction is time-consuming, and retention periods mean the footage may not exist for long. But none of these challenges is a valid reason to refuse the request. This guide covers the legal framework, practical search and retrieval, third-party redaction, format requirements, exemptions, and the policies you need in place.
For the fundamentals of responding to any SAR, see our step-by-step response guide.
The Legal Basis for CCTV
Before addressing SARs, it is worth understanding why you are processing this data in the first place. Under the GDPR, you need a lawful basis for operating CCTV and capturing personal data.
The most common legal basis for CCTV is legitimate interests (Article 6(1)(f)), typically relying on one or more of the following:
- Security — protecting premises, staff, and visitors from crime
- Crime prevention and detection — deterring and recording criminal activity
- Health and safety — monitoring for safety hazards or incidents
- Dispute resolution — providing evidence in case of accidents, complaints, or legal claims
You must document this basis. If you rely on legitimate interests, you need a Legitimate Interests Assessment (LIA) that demonstrates the processing is necessary for your purposes and does not override the rights and freedoms of the individuals being filmed.
Some organisations attempt to rely on consent as their legal basis for CCTV. This is almost always inappropriate. Consent must be freely given, specific, informed, and unambiguous. In most CCTV scenarios — shops, offices, public-facing buildings — individuals cannot meaningfully consent to being filmed, and they cannot withdraw consent without leaving the area. Legitimate interests is the correct basis for the vast majority of CCTV systems.
Identifying the Requester in Footage
When someone submits a SAR for CCTV footage, your first challenge is finding them in potentially hundreds of hours of recordings. You are not required to review all footage with no guidance from the requester.
What to Ask For
Contact the requester and ask them to provide as much of the following as possible:
- Date and time — as specific as possible (a range of 15–30 minutes is ideal)
- Location — which camera, entrance, floor, or area of the premises
- Description of appearance — what they were wearing, hair colour, distinguishing features
- What they were doing — "I was at the checkout," "I entered through the main door," "I was in the car park near the north entrance"
- Who they were with — if applicable, this helps identify the right group
- Reference to an incident — if the request relates to a specific event (a fall, an altercation, a transaction), this narrows the search considerably
The ICO has confirmed that asking for this information is reasonable and expected. It is not an identity verification barrier — it is a practical necessity for locating the relevant footage.
What If the Requester Cannot Narrow It Down?
If the requester can only provide a date with no time or location, you should make reasonable efforts to search — but you are not required to review an entire day of footage across every camera on your premises. If the search would require disproportionate effort, explain this to the requester and ask them to provide more detail so you can conduct a targeted search.
Importantly, "disproportionate effort" does not entitle you to refuse the request. It allows you to ask the requester to refine their request so you can comply. If the requester provides sufficient detail and you can locate the footage, you must provide it.
Searching and Retrieving Footage
Check Your Retention Period First
CCTV systems overwrite footage on a rolling basis. Typical retention periods vary by context:
| Context | Typical Retention Period |
|---|---|
| Retail premises | 14–31 days |
| Office buildings | 14–30 days |
| Licensed premises (pubs, clubs) | 31 days (often required by licensing conditions) |
| Town centre / public space CCTV | 31 days |
| Transport (buses, trains, stations) | 7–30 days |
| Banks and financial institutions | 90 days or longer |
| High-security environments | 90+ days |
The ICO's position is that you should retain CCTV footage for no longer than necessary for the purpose for which it was recorded. A 30-day retention period is typical and generally considered reasonable for security purposes. Retaining footage for months or years without a specific justification is likely to be considered excessive.
If the Footage Has Already Been Overwritten
If the footage has been automatically overwritten before you received the SAR, you cannot provide it. You are not in breach — you can only provide data that you hold at the time of the request. Inform the requester that the footage no longer exists and explain your retention policy.
If the Footage Still Exists
If the footage exists when you receive the request, you must preserve it. Do not let it overwrite during the time it takes to process the request. Flag the relevant recordings, export them, or adjust your retention settings to prevent deletion of the specific footage.
This is critical: if footage exists when the request is received but is overwritten before you respond, you may face a complaint. The ICO expects you to take reasonable steps to preserve data once a SAR has been received.
Third-Party Redaction: The Biggest Challenge
CCTV footage almost always contains images of people other than the requester. These individuals have their own privacy rights, and you cannot disclose their personal data (their images) in response to someone else's SAR.
The Obligation to Redact
Under GDPR and the Data Protection Act 2018, you must not disclose personal data about third parties in response to a SAR unless:
- The third party has consented to disclosure, or
- It is reasonable in all the circumstances to disclose without consent
In practice, obtaining consent from strangers captured on CCTV is rarely feasible. This means you will almost always need to redact — blur, pixelate, or mask — other individuals who appear in the footage.
ICO Position on Redaction
The ICO has been clear on several points:
- Redaction is expected. When third parties appear in footage, you should redact them before providing the footage to the requester.
- Difficulty is not a reason to refuse. You cannot refuse the entire SAR simply because redaction is technically challenging or time-consuming. The ICO expects you to make reasonable efforts.
- Consider whether redaction is necessary. In some cases, the third parties are not identifiable (they are distant, blurred, or their backs are turned). If they cannot reasonably be identified from the footage, redaction may not be necessary for those individuals.
- The requester's rights are not diminished. You must provide the requester's own footage. The question is how to do so while protecting others — not whether to do so.
Technical Options for Redaction
| Method | Description | Suitability |
|---|---|---|
| Manual frame-by-frame editing | Using video editing software to blur or pixelate faces and identifying features manually | Accurate but very time-consuming; suitable for short clips |
| AI-based automated blurring | Software that uses facial detection to automatically blur faces | Faster for longer footage; may require manual review for accuracy |
| Object tracking tools | Software that tracks and masks specific individuals throughout the footage | Good for footage where the requester and others move through the scene |
| Cropping | Cutting the frame to show only the area where the requester appears | Only works if the requester is spatially separated from others |
| Outsourcing | Sending footage to a specialist redaction provider | Suitable for organisations that lack in-house capability; ensure data processing agreement is in place |
For more on the legal framework for redacting third-party data in DSAR responses, see our third-party redaction guide.
Providing the Footage
Format
There is no legally prescribed format for providing CCTV footage. Common options include:
- MP4 or AVI video file — the most common and widely compatible formats
- USB drive — posted securely to the requester, suitable for large files
- Secure download link — a password-protected link sent by email, with the password communicated separately
- Viewing at your premises — in some cases, you may offer the requester the opportunity to view the footage at your premises rather than providing a copy. However, the ICO has clarified that the requester is entitled to a copy of their personal data (GDPR Article 15(3)), not merely a viewing. A viewing can supplement a copy but generally should not replace it.
Avoid providing footage in proprietary formats that require specialist software to view. If your CCTV system exports in a proprietary format, convert it to a standard format before providing it.
Audio
If your CCTV system records audio, the audio recording is also personal data. The same rules apply: you must provide the requester's audio data, redact third parties where possible, and consider exemptions. Audio recording in CCTV raises additional privacy considerations — many jurisdictions impose stricter rules on audio surveillance than on video surveillance.
Stills vs. Video
In some cases, providing still images extracted from the footage may be appropriate — for example, if the requester only needs to see a specific moment or if redaction of video is impracticable. However, the requester is entitled to the footage (their personal data), and you should not substitute stills for video unless you have a good reason and the requester agrees.
Timeline
The timeline for responding to a CCTV SAR is the same as for any other SAR:
- GDPR / UK GDPR: One calendar month from receipt of the request
- Extension: Up to two additional months if the request is complex or you have received a number of requests from the same individual. You must inform the requester within the first month that you are extending the deadline, and explain why.
Given the technical challenges of CCTV redaction, CCTV SARs are more likely to qualify for the two-month extension than a standard SAR. However, you must still respond within the initial one-month period to inform the requester of the extension.
For full details on DSAR deadlines across jurisdictions, see our DSAR response deadlines guide.
When You Can Refuse or Limit Disclosure
There are limited circumstances in which you can refuse or restrict a CCTV SAR:
Crime Prevention Exemption
Under the Data Protection Act 2018 (Schedule 2, Part 1, Paragraph 2), you can restrict the right of access where compliance would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
This exemption is applied on a case-by-case basis. You cannot apply it as a blanket policy to all CCTV SARs. Examples where it might apply:
- Police have asked you to preserve and not disclose footage that is relevant to an ongoing investigation
- The footage shows criminal activity by the requester, and disclosing it could help them destroy other evidence or intimidate witnesses
- The footage is part of an active prosecution
Even when this exemption applies, it only applies to the extent that disclosure would prejudice crime prevention or detection. You cannot withhold the entire response if only a portion of the footage is affected.
Third-Party Rights
You can limit disclosure to protect the rights and freedoms of third parties — but this means redacting, not refusing. As discussed above, the presence of third parties is a reason to redact, not a reason to refuse the request entirely.
Manifestly Unfounded or Excessive
As with any SAR, you can refuse a CCTV SAR that is manifestly unfounded or manifestly excessive (GDPR Article 12(5)). For detailed guidance on this exemption, see our DSAR exemptions guide.
Disproportionate Effort
"Disproportionate effort" is not a standalone exemption under GDPR or UK GDPR. You cannot refuse a SAR simply because it would take significant effort to locate, retrieve, or redact the footage. However, you can ask the requester to narrow the scope of their request so that your search is practicable.
CCTV Policies Every Business Should Have
If you operate CCTV, you need these policies in place:
1. Retention Policy
Define how long you retain footage and apply the policy consistently. Your retention period should be:
- Documented — written down and approved
- Justified — based on the purpose of your CCTV (security, safety, etc.)
- Consistently applied — do not retain footage indefinitely "just in case"
- Communicated — staff should know the retention period so they can advise requesters
2. CCTV Signage (GDPR Article 13)
Individuals must know they are being filmed. Under GDPR Article 13, you must provide information about your processing at the point of collection. For CCTV, this means clear and prominent signage that includes:
- The identity and contact details of the controller
- The purposes of the processing
- The contact details of the DPO (if you have one)
- A reference to the right of access and how to exercise it
The ICO recommends a layered approach: a brief sign at the point of capture with the key information, and a more detailed privacy notice available on request or on your website.
3. DSAR Procedure for CCTV
Your general DSAR procedure should include specific steps for CCTV requests:
- Who is responsible for searching CCTV systems
- How to export and preserve footage once a request is received
- The redaction process (in-house or outsourced)
- The format for providing footage
- How to handle requests where the footage has already been overwritten
4. Redaction Capability
Ensure you have the tools or vendor relationships needed to redact footage. If you do not have in-house capability, identify a specialist provider before you receive a request — not after.
5. Data Protection Impact Assessment (DPIA)
Under GDPR Article 35, a DPIA is likely required for systematic monitoring of a publicly accessible area on a large scale. If your CCTV system covers public spaces, customer areas, or employee work areas, you should conduct a DPIA that covers the necessity and proportionality of the surveillance, the risks to individuals, and the measures you have in place to mitigate those risks.
Body-Worn Cameras
Body-worn cameras (BWCs) are increasingly common in retail, security, healthcare, and law enforcement settings. The same data protection rules apply:
- BWC footage is personal data if individuals can be identified from it
- The right of access applies
- You need a lawful basis for the recording (usually legitimate interests)
- Third-party redaction is required
- Signage or verbal notification that recording is taking place is necessary
- Retention periods should be defined and applied consistently
BWC footage can be more challenging than fixed CCTV because it is often higher-resolution, captures audio, and may involve close-up recordings of individuals. The redaction burden can be significant.
Staff wearing body-worn cameras should be trained on when to activate and deactivate recording, how to inform individuals they are being recorded, and how to handle SARs that relate to BWC footage.
Domestic CCTV: The Household Exemption
Under GDPR Article 2(2)(c), the GDPR does not apply to data processing by a natural person "in the course of a purely personal or household activity." This means domestic CCTV used solely to monitor your own property — a doorbell camera pointed at your front door, for example — may fall outside the scope of the GDPR.
However, the household exemption has limits:
- If your camera captures public spaces (pavements, roads) or neighbours' property, the GDPR may apply to that footage. The CJEU confirmed this in Rynes v Urad pro ochranu osobnich udaju (Case C-212/13), holding that a camera system monitoring a public space outside the owner's home was not covered by the household exemption.
- The ICO has published specific guidance on domestic CCTV, advising homeowners to consider the privacy of neighbours and passers-by and to comply with data protection law if their cameras capture anything beyond their own property.
If you are a business, the household exemption does not apply. All business CCTV is subject to data protection law.
ICO Enforcement
The ICO has taken enforcement action in relation to CCTV and SARs. Common issues include:
- Refusing CCTV SARs outright — the ICO has upheld complaints where organisations refused to provide footage, citing technical difficulty or the presence of third parties, without making reasonable efforts to redact and disclose
- Excessive retention — the ICO has criticised organisations that retain CCTV footage for extended periods without justification
- Inadequate signage — failure to inform individuals that CCTV is in operation is a breach of Article 13, and the ICO has issued enforcement notices requiring organisations to install proper signage
- Failure to conduct a DPIA — organisations operating large-scale CCTV systems without a DPIA have been criticised in ICO audits and assessments
The ICO's approach is practical: it expects organisations to make reasonable efforts to comply with CCTV SARs, to have clear policies, and to document their decisions. Perfection is not required — but genuine effort is.
Quick Reference: CCTV SAR Response Checklist
- Receive the request. Log it and start the one-month clock.
- Verify identity. Confirm the requester is who they claim to be. See our identity verification guide.
- Ask for specifics. Request date, time, location, and description to enable a targeted search.
- Check retention. Has the footage been overwritten? If so, inform the requester.
- Preserve footage. If it exists, prevent it from being overwritten during processing.
- Search and locate. Find the relevant footage based on the requester's information.
- Assess for exemptions. Does the crime prevention exemption apply? Are there safeguarding concerns?
- Redact third parties. Blur or pixelate other individuals in the footage.
- Prepare the response. Export in a standard format (MP4/AVI). Write a covering letter explaining what you are providing and any exemptions applied.
- Provide securely. Deliver via secure download link, encrypted USB drive, or another secure method.
- Document. Record what you searched, what you found, what you provided, and what you withheld (with reasons).
References
- GDPR: Article 6(1)(f) — legitimate interests; Article 13 — information to be provided at collection; Article 15 — right of access; Article 15(3) — right to obtain a copy; Article 35 — data protection impact assessments.
- Data Protection Act 2018: Schedule 2, Part 1, Paragraph 2 — crime prevention exemption.
- ICO CCTV guidance.
- ICO domestic CCTV guidance.
- CJEU: Rynes v Urad pro ochranu osobnich udaju (Case C-212/13) — household exemption and CCTV monitoring public spaces.
- EDPB Guidelines 3/2019 on processing of personal data through video devices, adopted 29 January 2020.
Last reviewed: April 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.