Are you considering setting up a CCTV system to monitor what your employees are doing? Have you considered the drawbacks that might ensue and are you prepared for the legal ramifications?

Why use monitoring?

Organisations may use CCTV monitoring for a number of reasons:

  • Compliance with legal or regulatory obligations

  • Preventing theft, violence or other crime

  • Assessing and improving productivity

  • Protecting business interests by preventing misconduct

  • Ensuring that footage is available in the event of a breach of legislation/company rules

Monitoring and Compliance

Employees are not likely to expect to be recorded or monitored by surveillance systems whilst carrying out their day-to-day roles.

Therefore, if an organisation is considering whether to introduce a surveillance system into the workplace, they will need to ensure that the seven principles of the UK GDPR are at the forefront of their mind. To lawfully implement and use a surveillance system, organisations need to be able to identify a lawful basis under the UK GDPR to process individuals’ personal data. It is unlikely, particularly in the context of the employer/employee relationship, that you will be able to obtain genuine consent.

It is likely that organisations will have already identified their lawful basis prior to the processing. However, where this is not the case, a legitimate interests assessment (LIA) would need to be completed prior to processing personal data to help document the consideration and decision-making involved when deciding whether to implement the system.


Fairness, transparency and purpose

Organisations will also need to consider the fairness, transparency and purpose of any surveillance system. Those factors are outlined as follows:


  • Personal data should be handled in ways that people would expect.

  • The handling of personal data should not have any unjustified adverse effects on individuals.

  • Organisations should think about whether they should use the personal data in the way that they intend to.

  • Individuals should be clearly made aware that they are being monitored, which is discussed further below.


Organisations must clearly provide individuals with information about the surveillance system i.e. with clear signage before they enter the area which is being monitored.


Purpose Limitation

  • Organisations should be clear on the purposes for processing the personal data from the surveillance system prior to its implementation.

  • These purposes should be documented clearly in relevant policies and signage.

  • Personal data can then only be processed for a new purpose if:

  • it is compatible with the original purpose;

  • individuals give consent (which is unlikely to be genuine in an employer/employee relationship);

  • there is a clear obligation set out within the law.

Implementation of monitoring within the workforce

As mentioned above, it is unlikely employees would expect to be monitored continuously doing day-to-day tasks. Mishandling of personal data gathered from the system, or improper implementation and use of the system could lead to complaints or claims from individuals whose data rights have been breached. This in turn could lead to civil claims and/or an investigation from the Information Commissioner’s Office.


The Legitimate Interests Assessment

Before surveillance is implemented, organisations should complete a LIA to establish any risks associated with the processing of the personal data. The LIA will then help to feed into the completion of a Data Protection Impact Assessment (DPIA) which will then identify risks in relation to the proposed surveillance system. Whilst completing the DPIA, organisations should consult with the workforce and ensure that employees are aware of what is going on to allow them to raise any concerns or suggestions.



There should be adequate notices throughout the workplace to clearly inform employees (and other individuals that may be inadvertently captured) about the nature of the surveillance and the purposes.


CCTV Policy

Organisations should have a CCTV policy, which can either be separate to or included in the employee employment contract and handbook, which clearly explains the purposes and extent of the monitoring to ensure that employees are aware and understand. For example, if you intend to use the footage in any disciplinary proceeding in the future should the need arise, then employees need to be clearly made aware of this.



The surveillance system should be confined to areas of particular risk and confined to areas where privacy expectations are low. For example, the use of monitoring within changing rooms or toilets is unlikely to be lawful unless there are very rare or extenuating circumstances that may justify it.

Covert monitoring and the use of audio monitoring are intrusive methods of monitoring which are unlikely to be justified unless the circumstances are very rare. Before considering whether to do this, employers should seek legal advice.

The Information Commissioner’s Office has a useful checklist that can be found here and the website has an updated Surveillance Camera Code of Practice which can be found here.



If you do decide to install a CCTV system and the organisation is not already registered with the ICO, then you will likely be required to pay a Data Protection Fee to the ICO to utilise the surveillance system. More information can be found here.

If you are considering whether to implement a surveillance system or need any further advice on whether your current system is compliant, then you should contact our dedicated legal services team who can provide assistance.