CCTV Subject Access Request: What UK Employers Must Disclose
Published 9 July 2026 · Last reviewed 23 June 2026
CCTV footage of an employee is their personal data. That means it falls within a subject access request, and you must search your CCTV system when a SAR arrives — just as you would search email or HR records.
This guide explains what you must disclose, how to handle footage showing other people, what the ICO's CCTV guidance says for employers, and the practical steps for a CCTV-specific SAR response.
This guide covers CCTV SAR obligations under UK GDPR and the Data Protection Act 2018. It is not legal advice.
Is CCTV footage personal data?
Yes, if the individual is identifiable in it. UK GDPR Article 4(1) defines personal data as any information relating to an identified or identifiable natural person. CCTV footage that shows an employee's face, badge, or other identifiable features is unambiguously their personal data.
This covers standard CCTV cameras, body-worn cameras, dashcam footage, and any other video surveillance where the requester is identifiable.
What you must disclose
Under UK GDPR Article 15, when a SAR covers CCTV footage:
- You must disclose footage in which the requester is identifiable within the SAR's scope (dates, locations specified)
- If the request does not specify dates or locations, apply a reasonable scope — where and when would the requester likely appear?
- You must provide a copy of the footage, not just confirm it exists
The ICO's CCTV and video surveillance guidance states that individuals have the right to receive footage of themselves even where it also shows others.
Third parties in the footage — redaction
Almost all workplace CCTV footage shows other employees, visitors, or customers alongside the requester. UK GDPR protects those third parties too — you cannot disclose footage that makes other individuals identifiable without their consent (unless doing so is reasonable in all the circumstances under Article 15(4)).
Your options:
- Redact (blur) third parties in the footage before disclosure. Blurring software or the ICO's guidance on "blurring faces" is the standard approach.
- Consider whether third parties have consented — if they were told their footage may be shared with the individual (uncommon), disclosure may be reasonable.
- Provide a still-frame summary in genuinely difficult cases where blurring would make the footage meaningless — but this rarely satisfies the Article 15 disclosure obligation and should not be the default.
The ICO is clear: the existence of other people in the footage does not justify withholding it entirely — it justifies redaction of those people.
Practical point: Where the requester is the only person in a corridor or access-control camera, there is nothing to redact. Only invest in blurring where other identifiable individuals appear.
Retention: footage that no longer exists
Employers are not obliged to retain CCTV footage beyond their stated retention period. If the footage has been deleted in line with your data retention policy, you must:
- Tell the requester the footage no longer exists
- Explain your retention period and when the footage was deleted
- Document that the deletion was routine, not triggered by the SAR
Deleting footage in response to a SAR once a request arrives is a serious problem — it could amount to obstruction and trigger an ICO investigation. If the SAR arrives and footage is within your retention period, treat it as subject to the SAR immediately.
What if the footage is also relevant to a disciplinary or legal matter?
CCTV footage relevant to ongoing disciplinary proceedings may be withheld under specific DPA 2018 exemptions. Schedule 2, Part 4, paragraph 22 (management forecasts) and paragraph 19 (legal professional privilege) may apply in specific circumstances. These are narrow exemptions — assess each clip individually, document your reasoning, and disclose what is not covered by an exemption.
Blanket "we're withholding all CCTV footage because of legal proceedings" will not satisfy the ICO. You must disclose footage that does not fall within an applicable exemption.
Format of disclosure
You must provide footage in a commonly used, machine-readable format. Proprietary CCTV file formats that require specialist software are problematic. Options:
- Convert to MP4 or another standard video format before disclosure
- Provide the footage on a USB drive or secure file-sharing link
- If conversion is technically impossible, explain why and provide the footage in its native format with instructions for accessing it
The key test is whether the requester can actually use what you provide.
Common ICO complaint triggers for CCTV SARs
From reported ICO cases and enforcement actions:
- Failing to search CCTV — treating CCTV as outside the SAR scope when the request said "all personal data"
- Blanket refusal — citing third parties as a reason to withhold footage entirely rather than redacting
- Providing degraded copies — deliberately reducing quality to make the footage less useful
- Disclosure delay — CCTV processing taking longer than the SAR deadline without a valid extension notice
Connecting CCTV handling to your SAR process
CCTV is one data category among many in a SAR. Incorporate it into your standard SAR workflow — add CCTV systems to your data search checklist alongside HR records, emails, and payroll. The Subject Access Request Process guide explains how to set up a consistent workflow across all data categories. For the overall employer SAR guide including CCTV, see How to Respond to a Subject Access Request from an Employee.
If CCTV processing is the only reason you need extra time, it can justify a two-month extension under UK GDPR Article 12A(3) (inserted by DUAA 2025 s.76) — but you must serve the extension notice within the first month. See Subject Access Request Time Limit UK for the deadline rules.
For the response letters you will need — including the cover letter explaining your search scope — see the DSAR template guide for UK employers.
Checklist: CCTV SAR response
- Confirmed whether requester is identifiable in footage from the relevant dates/locations
- Confirmed footage has not been deleted since the SAR arrived
- Checked retention period — footage within period has been preserved
- Third parties in footage identified — blurring/redaction applied
- Considered exemptions (legal privilege, management forecasts) on a clip-by-clip basis
- Footage converted to a usable format (MP4 or equivalent)
- Footage included in the SAR response alongside other data categories
- CCTV search documented in the response cover letter (dates, cameras, duration checked)
Sources
- UK GDPR — Article 15 (right of access)
- UK GDPR — Article 4 (definitions, including personal data)
- Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)
- ICO — CCTV and video surveillance guidance
This guide provides general information about CCTV and subject access requests under UK GDPR and the Data Protection Act 2018. It is not a substitute for legal advice.
Handle your next SAR step by step
dsartracker guides UK employers through every stage of a subject access request — deadlines, exemptions, redaction, and the audit trail the ICO expects.
Related guides
DSAR Template for UK Employers: Examples and How to Use Them
Free DSAR template examples for UK employers — acknowledgement, extension notice, and response cover letter — with guidance on adapting each for your SAR.
GDPR and Subject Access Requests: An Employer's Legal Duties
What UK GDPR requires of employers when a subject access request arrives — the right of access, your obligations, the 2025 law changes, and where SMEs go wrong.
The Subject Access Request Process: How UK SMEs Should Set It Up
How to set up a repeatable subject access request process for a UK SME — the workflow stages, who does what, and how to make every SAR defensible to the ICO.