cctv

Can private commercial corridors be recorded by CCTV without explicit employee consent? UK Offices and Commercial Buildings CCTV rules explained 2026

Published on

Can private commercial corridors be recorded by CCTV without explicit employee consent? UK Offices and Commercial Buildings CCTV rules explained 2026

Recording CCTV in private employee corridors presents significant challenges regarding the proportionality of surveillance and the expectation of privacy under UK law. While employers may claim a legitimate interest in security, the deployment of cameras must comply strictly with the UK GDPR and the Data Protection Act 2017. Generally, surveillance must be limited to areas where there is a genuine security risk, such as entrances, exits, and high-value asset storage, rather than routine pathways. If a corridor is considered a private area where employees have a reasonable expectation of privacy, continuous recording may be deemed excessive. You must perform a Data Protection Impact Assessment (DPIA) before installation, demonstrating that the camera is strictly necessary and that less intrusive measures are insufficient. Furthermore, clear, visible signage detailing the purpose, scope, and retention period of the monitoring is a legal requirement.

More questions about Offices and Commercial Buildings:

Must CCTV record everything when I only need to monitor specific incidents?

No, continuous recording is often unnecessary and overly intrusive. Instead, your system should utilize 'spot monitoring' or targeted recording triggered by specific events, such as alarm activation or unauthorized access attempts. To comply with UK GDPR principles, you must ensure that the footage is only reviewed when a defined incident occurs, limiting the scope of monitoring to the minimum necessary. This practice demonstrates that the system is proportionate and that you are not conducting general, constant surveillance of staff.

Does recording staff in employee kitchen or break rooms violate my duty of care?

Yes, recording staff in areas where they have a clear expectation of privacy, such as break rooms or kitchenettes, is highly likely to breach UK GDPR and common law expectations. Such recording is rarely considered proportionate unless the area is being used for illegal activities that are demonstrably traceable by CCTV. Best practice dictates that such areas should be excluded from camera coverage entirely, or the cameras must be positioned to monitor only the entry/exit points rather than the activity within.

How long can I legally keep CCTV footage of employees in the UK?

Under UK GDPR, data retention must adhere to the principle of storage limitation, meaning you cannot keep footage indefinitely. The retention period must be directly linked to the stated purpose of the recording. For general security monitoring, the standard maximum retention period is typically 28 to 30 days, unless a specific incident or investigation requires a longer period, which must be logged and justified. Once the purpose is served, the footage must be securely deleted, regardless of whether it is available on backup media.

If I use facial recognition CCTV, is a DPIA mandatory under UK law?

Yes, using biometric data, especially facial recognition, constitutes a high-risk processing activity and triggers the mandatory requirement for a comprehensive Data Protection Impact Assessment (DPIA). You must consult the ICO's guidance before deployment, as this technology involves sensitive personal data. The DPIA must explicitly address the necessity, proportionality, and risk mitigation strategies, including securing explicit, written consent from every individual being processed.

Need advice on CCTV compliance and UK GDPR?

Phone: 07830 638 337 for free surveys

GitHub: https://github.com/gazpearce/gary-ai-assistant

Pillar Guide: https://cctvsystems.notion.site/35f5b433f5b581808431f658b5d46d99

Gary Pearce | 07830 638 337 | https://github.com/gazpearce/gary-ai-assistant