CCTV and Workplace Monitoring: GDPR Rules for UK Employers
CCTV and workplace monitoring can help UK employers protect their business, but they also involve processing personal data. Under UK GDPR, employers must have a lawful basis, be transparent with staff, keep monitoring proportionate and respect employee rights. This guide explains what’s allowed, where the risks sit, and how HR teams, managers and business owners can monitor lawfully without crossing privacy boundaries.
C
Charlotte Pembroke
Jul 13, 2026
8 min read
CCTV and workplace monitoring compliance under GDPR

CCTV GDPR UK employers need to understand a straightforward but often overlooked fact: cameras and monitoring tools capture personal data, and that means UK GDPR applies in full. Whether it's a camera above the till, software tracking internet use, or email monitoring on company devices, employers are processing personal data about identifiable staff, and that processing needs a lawful basis, proportionality, and transparency.

This guide sets out what UK employers can and can't do when it comes to CCTV and workplace monitoring, drawing on ICO employment practices guidance to help HR, facilities, and business owners get it right.

Does UK GDPR Apply to CCTV and Workplace Monitoring?

Yes. Any footage, log, or record that can identify an individual — including CCTV images, email content, browsing history, or device activity — counts as personal data under UK GDPR. This means all the usual data protection principles apply: lawfulness, purpose limitation, data minimisation, and storage limitation, among others.

This is often the first misconception employers need to correct: CCTV and monitoring tools aren't a separate category sitting outside data protection law. They're treated the same as any other form of personal data processing, and the ICO has specific guidance addressing how the general principles apply to the employment context.

Lawful Basis for Monitoring Employees

As with any processing activity, employers need to identify a lawful basis before implementing CCTV or monitoring tools. In the employment context, this is typically one of:

  • Legitimate interests — often used for general workplace security and loss prevention, provided the monitoring is necessary and proportionate, and doesn't override employees' reasonable expectations of privacy
  • Legal obligation — where monitoring is required to comply with specific regulatory or health and safety requirements
  • Contract — rarely the right basis for monitoring itself, though it may apply to related processing

Consent is generally unsuitable here. Because of the inherent power imbalance between employer and employee, consent is difficult to demonstrate as freely given in most workplace monitoring contexts — a point covered in more depth in our Consent Under UK GDPR overview.

Whichever basis applies, employers should carry out a proportionality and necessity test before introducing monitoring: is this the least intrusive way to achieve a legitimate business purpose, and does the benefit genuinely outweigh the impact on staff privacy? For any large-scale or particularly intrusive monitoring — such as continuous CCTV across an entire workplace or comprehensive email monitoring — a Data Protection Impact Assessment (DPIA) is generally required to document this reasoning properly.

Getting the lawful basis right at the outset avoids much larger problems later. Our Data Protection & GDPR Compliance training course covers how to select and document a lawful basis correctly across different workplace scenarios, including monitoring.

CCTV in the Workplace — What's Allowed?

CCTV is commonly used for security, loss prevention, and health and safety purposes, and UK GDPR doesn't prohibit this — but it does require it to be done properly. Key requirements include:

  • Clear purpose — CCTV should be installed for a specific, documented reason (such as preventing theft or ensuring site security), not vague or open-ended "monitoring"
  • Proportionate placement — cameras should cover areas relevant to the stated purpose, avoiding spaces like staff rest areas, toilets, or changing rooms, which carry a much higher expectation of privacy
  • Visible signage — clear, visible signs informing staff and visitors that CCTV is in operation, including who operates it and how to find out more
  • Defined retention periods — footage should only be kept for as long as necessary for the stated purpose, then securely deleted
  • Restricted access — footage should only be accessible to individuals who genuinely need it, with access logged where practical

CCTV that's been installed for one purpose (such as security) shouldn't quietly be repurposed for something else (such as monitoring general staff performance or timekeeping) without reassessing the lawful basis and being transparent about the change.

Monitoring Emails, Internet Use and Devices

Monitoring emails, internet activity, and company devices raises similar issues to CCTV, but often carries a higher risk of overreach because it can capture more granular, personal detail about an individual's activity and communications.

Key considerations include:

  • Employees generally have a reasonable expectation of privacy, even on company-owned devices and email accounts, particularly for anything that could reasonably be considered personal rather than work-related
  • Blanket, unrestricted monitoring of all email content or browsing activity is difficult to justify as proportionate in most circumstances
  • Monitoring should be targeted at specific, legitimate purposes — such as security, regulatory compliance, or investigating a specific concern — rather than routine, unexplained surveillance
  • Where monitoring software is used (such as keystroke logging or screen capture tools), the intrusiveness of the tool should be weighed carefully against the purpose it serves

As with CCTV, a documented assessment of necessity and proportionality — supported by a DPIA where the monitoring is extensive — helps demonstrate that the employer has genuinely considered the impact on staff before implementing monitoring tools.

Covert Monitoring — When Is It Justified?

Covert monitoring — where staff aren't told monitoring is taking place — is treated as a significant departure from the transparency principle and is only justified in limited circumstances.

The ICO's position is that covert monitoring should generally only be used where:

  • There's reasonable suspicion of serious misconduct or criminal activity
  • Informing staff in advance would likely prejudice the investigation or allow the activity to be concealed
  • Less intrusive methods of investigation aren't practical or appropriate
  • The covert monitoring is targeted and time-limited, rather than open-ended or applied to the whole workforce
  • Senior management has authorised the covert monitoring, ideally following a documented decision-making process

Covert monitoring used for anything less serious — general performance concerns, ordinary timekeeping issues, or routine oversight — is very difficult to justify and carries significant legal risk if challenged.

Given the risks involved, employers considering covert monitoring should seek proper guidance before proceeding. Our GDPR Essentials for UK Businesses course covers the boundaries around covert monitoring and when it can and can't be justified.

Being Transparent With Staff

Transparency is one of the core UK GDPR principles, and it applies directly to workplace monitoring. Employers should ensure:

  • A clear privacy notice explains what monitoring takes place, why, and how the resulting data is used and retained
  • Monitored areas and activities are clearly signposted — for CCTV, this means visible signage; for digital monitoring, this means clear policies communicated to staff
  • Staff handbooks or contracts reference monitoring practices where relevant, so expectations are set from the outset of employment
  • Any significant change to monitoring practices is communicated to staff before it takes effect, not discovered after the fact

Being upfront about monitoring isn't just a legal requirement — it also reduces the risk of disputes and grievances, since staff are far less likely to feel misled if monitoring practices were clearly explained from the start.

Data Subject Rights and Monitoring Footage

CCTV footage and monitoring records are personal data, which means employees retain their full data subject rights in relation to them, including the right of access.

Practical implications include:

  • An employee can submit a subject access request for CCTV footage of themselves, and the employer must respond within the statutory timeframe
  • Where footage includes other identifiable individuals, employers typically need to redact or obscure those third parties before disclosure, unless there's a valid reason not to
  • Requests should be handled consistently with the organisation's wider subject access request process, not treated as a one-off exception
  • Employees also have rights around erasure and objection, though these are balanced against the employer's legitimate purposes for retaining the footage

For a fuller breakdown of the rights involved — access, erasure, objection, and more — see our data subject rights guide, which covers how these rights apply across all types of personal data, not just monitoring footage.

Training Managers on Lawful Monitoring

Monitoring decisions are often made or implemented at line manager level — deciding to review an employee's emails, requesting CCTV footage, or installing new monitoring software — which makes manager training essential to staying compliant.

Effective training for managers should cover:

  • When monitoring requires a documented lawful basis and proportionality assessment
  • The difference between routine, transparent monitoring and covert monitoring, and why the latter needs senior authorisation
  • How to handle a subject access request involving CCTV or monitoring data
  • Why monitoring decisions shouldn't be made informally or without HR and data protection input
  • The reputational and legal risk of introducing monitoring tools without proper assessment

Structured GDPR training for employers ensures monitoring decisions are made consistently and lawfully across the organisation, rather than depending on individual managers' personal judgement.

FAQs

Do employers need consent to use CCTV?
No, consent is rarely the appropriate lawful basis for workplace CCTV given the employment power imbalance. Employers typically rely on legitimate interests instead, supported by a documented proportionality assessment and clear signage.

Can an employer monitor staff emails under UK GDPR?
Yes, but only where it's necessary and proportionate for a legitimate purpose, and staff have a reasonable expectation of privacy that must be respected. Blanket, unrestricted monitoring of all email content is difficult to justify and should be avoided.

Is covert monitoring of employees legal?
It can be, but only in limited circumstances involving suspected serious misconduct or criminal activity, where informing staff would undermine the investigation. It should be targeted, time-limited, and authorised at a senior level rather than used routinely.

How long can CCTV footage be kept?
There's no fixed statutory retention period, but footage should only be kept for as long as necessary for the stated purpose, then securely deleted. Retention periods should be documented and reviewed as part of the organisation's data protection policies.

Can an employee request CCTV footage of themselves?
Yes, employees can submit a subject access request for CCTV footage showing them, and employers must respond within the statutory timeframe. Footage showing other identifiable individuals typically needs to be redacted before it's disclosed.

Ensure your monitoring practices are lawful — explore our Data Protection & GDPR Compliance course and give your managers the confidence to implement CCTV and monitoring the right way.

Start your learning journey with KitLearn

Discover courses designed to help you grow faster, learn smarter, and achieve more.