Guidance

Body Worn Video Policy

Updated 9 October 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/dwp-procurement-security-policies-and-standards/body-worn-video-policy

Overview

The Department for Work and Pensions (DWP) Body Worn Video Security Policy sets out the operational framework governing DWP’s use of body worn video cameras, also known as Body Worn Cameras (BWCs).

Purpose

This policy sets out the requirements to ensure the legitimate, lawful, appropriate, and responsible use of Body Worn Videos (BWVs) within, and on behalf of, the DWP. It aims to ensure the maintenance of proportionality, legality, accountability, and necessity, and to mitigate against the risks associated with BWVs.

These objectives will serve to ensure that public trust is maintained, consolidating confidence in the DWP’s commitment to the fair and transparent use of surveillance technology. Above all, BWVs should be seen as a valuable and supporting tool to DWP security.

BWVs are used to:

  • Capture a clear evidential record of actions during an event
  • Provide additional security within DWP buildings
  • Enhance building, site, staff, and customer protection
  • Provide a deterrent to potentially abusive and/or abusive behaviour.

Where appropriate, BWVs may also be used for the prevention and detection of crime, safeguarding people, and preventing threats to public security.

In using considering the use of BWVs, due regard must always be given to appropriate legal, regulatory, and statutory guidance. This includes, but is not limited to:

  • UK General Data Protection Regulation (GDPR)
  • The Data Protection Act (2018)
  • Data (Use and Access) Act (2025)
  • Equality Act (2010)
  • The Freedom of Information Act (FOI) (2000)
  • Protection of Freedom’s Act (PoFA) (2012)
  • The Regulation of Investigatory Powers Act (RIPA) (2000)
  • Code of Practice for Surveillance Cameras and personal information produced by the Information Commissioner’s Office (ICO)
  • Human Rights Act (1988)
  • Investigatory Powers Act (2016)
  • The Police and Criminal Evidence Act (PACE) (1984)
  • The Surveillance Camera Code of Practice (2021)
  • The Health and Safety at Work Act (1974)
  • The Management of Health and Safety at Work Regulations (1999)

This policy should be read in conjunction with

  • the Civil Service code
  • the DWP Acceptable Use Policy
  • the Standards of Behaviour Policy
  • the DWP Physical Security Policy
  • the Physical Technical Standard

Scope

This policy applies to:

a. DWP employees (including contractors, consultants, and other workers), system users, and system operators involved in the provision and lifecycle management of BWVs for the DWP, referred to from now on as “users”.

b. All contracted suppliers whose systems or services store, handle, or process DWP information, or are involved in the provision and lifecycle management of hardware for the DWP; to ensure the appropriate levels of assurance for the confidentiality, integrity, and availability of the DWP’s assets.

c. This policy does not replace any legal or statutory requirements.

Definitions

2WA

Two-way audio in CCTV technology allows for bidirectional communication, allowing users to both listen and speak through the security camera system.

Body Worn Video

Body Worn Video (BWV) refers to small, portable recording devices, featuring the ability to capture audio and video.

Commissioner

Refers to the role undertaken by the Surveillance Camera Commissioner, as set out in Section 34(2) of the Protection of Freedoms Act (PoFA) 2012. Their function is to encourage compliance, review the operation of, and provide advice regarding the Surveillance Camera Code of Practice.

Controller

A controller is the natural or legal person, public authority, agency, or other entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data

Data is information about people, things, and systems.

Data Owner

An individual responsible for a logical grouping of data (for example, areas of interest for an organisation such as a business process of domains such as customers, benefits, or a service).

Data Subject

A data subject is the person that the personal data is about.

Biometric Data

Refers, under Article 4 (14) UK GDPR, to personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.

Personal Data

Refers, under Article 4(1) UK GDPR to any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data (GPS location), an online identifier (IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach

This is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Processor

A processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Processing

Refers to the use of personal data in any way, including collecting, recording, organising, analysing, sharing, storing, and destroying data.

Recipient

A recipient is a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with domestic law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Surveillance

Is defined by Section 48(2) of RIPA (Regulation of Investigatory Powers Act 2000 (RIPA) - GOV.UK (www.gov.uk)) as including monitoring, observing, listening to individual(s), their movements, conversations, other activities, and communications.

Surveillance Camera System

Refers to the meaning given by Section 29(6) of PoFA 2012 and is taken to include:

a. closed circuit television (CCTV)

b. any other systems for recording or viewing visual image material for surveillance purposes

c. any systems for storing, receiving, transmitting, processing, or checking images or information obtained by a) or b) and

d. any other systems associated with, or otherwise connected with a), b), or c).

Special Category Data

Data protection law has stricter rules for ‘special category personal data’, which is data of a particularly sensitive nature requiring extra protection and safeguarding. Special category data includes:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data
  • data concerning health, including disability and gender reassignment
  • data concerning an individual’s sex life or sexual orientation

System Operator

Refers to a person or persons that take a decision to deploy a surveillance camera system, and /or are responsible for defining its purpose, and/or are responsible for the control of the use or processing of images or other information obtained by any such system.

System User

Refers to a person or persons who may be employed or contracted by the system operator who have access to live or recorded images or other information obtained by any such system.

Policy Statements

1. DWP is the Controller where we determine the purposes and means of processing data arising from the use of BWV within the DWP estate, and where this is the case DWP is accountable for the quality, integrity, and protection of this data.

2. When developing processes and procedures relating to the gathering of information, the Data Protection by Design process must be followed. In addition, you must follow the Data Protection Impact Assessment (DPIA) process.

3. Personal data (including images, audio, and information captured and contained within BWV footage) must be processed lawfully, fairly, and in a transparent manner.

4. To ensure purpose limitation, personal data must be collected for an explicit, specific, and legitimate purpose. It must not be processed further than is compatible with these aims.

5. To ensure data minimisation, collected personal data must be limited (not excessive), relevant, and adequate to what is necessary to meet the purposes for which it is processed.

6. To ensure accuracy, personal data should be precise and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data are erased, or rectified without delay, having due regard to the purposes for which they are processed.

7. BWV footage shall be kept for no longer than 30 calendar days from the date the recording was made.

8. Where a need arises to continue storing data beyond the 30-day standard retention period, this must be for a specific and legitimate purpose (for example, to assist DWP or the Police during an investigation, comply with a data subject’s right to restrict processing, assist in the exercise or defence of a legal claim, or assist in a matter of public interest). The justification and need for continuing to do so must be reviewed at least annually. A record of the review, and the rationale for continuing storage (where applicable) must be retained and be available for review.

9. The data owner must ensure that information obtained through the use of BWV is stored securely and is encrypted when necessary. Further guidance may be found in the Security standard SS-007: Use of Cryptography. Further guidance may also be found in the DWP Cryptographic Key Management Policy and Security standard SS-002: Public Key Infrastructure & Key Management.

10. To ensure integrity and confidentiality, data must be processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage. This shall be achieved through the use of appropriate organisational and technical measures, including adherence to all requisite DWP security policies and standards.

11. Where the retention of information is no longer required, it must be securely destroyed in accordance with the Security Standard Secure Sanitisation and Destruction (SS-036) and the DWP Information Management Policy. This process, including method of destruction, date, and authorising individual, must be recorded in a destruction log maintained by the System Owner, which shall be available for audit.

12. Where the use, development, or review of a surveillance camera system (including BWVs) is being considered, a data protection impact assessment (DPIA) must be considered. This is to ensure that the use and deployment of the system is justified, the potential impact on privacy is questioned, and appropriate mitigation measure are put into place.

13. Where a BWV is activated, users must not intentionally obscure the camera lens, or any part of the recording equipment indicating a positive recording status (such as a LED) or fail to record all or part of an incident without a reasonable cause or justification.

14. A user must not access footage obtained through the use of a BWV without permission and must only do so where there is a clear and justifiable need to do so. This would include:

  • for controlled and authorised quality assurance of equipment and processes
  • conducting training or professional development or supervising and assisting therewith
  • investigating a specific allegation or conducting disciplinary investigations
  • viewing footage where specific intelligence or information has been received and it would be reasonable, proportionate, and necessary to do so

15. Any misuse of BWV equipment may result in disciplinary action being undertaken, possibly resulting in a sanction, dismissal, and referral to law enforcement agencies. Where the misuse arises from the actions of a security officer managed by a guarding services supplier, any disciplinary action would be the responsibility and management of the service supplier.

16. BWV operators should consider and give due regard to the Public Sector Equality Duty (PSED); particularly in order to ensure that a surveillance camera system does not impact disproportionately or unlawfully discriminate against individuals likely to be captured by its operation.

17. Where an individual provides a security industry service, such as guarding or carrying out any form of surveillance (as provided by the Private Security Industry Act (2001)), they must be licensed in accordance with the Act.

18. Clearly visible and appropriately sized signage must be provided where BWVs are in operation. This must alert individuals to the use of BWVs. Signage must:

  • be clearly visible and readable
  • identify the organisation operating the system
  • the purpose for the use of BWVs
  • a point of contact regarding the BWVs and related footage

19. If audio recording is in use as part of BWV capabilities, this must be stated explicitly and prominently.

20. BWV footage must be classified according to the DWP Security Classification Policy.

21. All DWP staff and contractors involved in the operation, management, monitoring, or administration of BWV systems, or who have access to BWV footage, must receive appropriate training commensurate with their roles and responsibilities.

Ethical Use and Prevention of Bias

22. DWP is committed to ensuring that BWV will not be used in a manner that unfairly targets or profiles individuals based on:

  • Race, ethnicity, or national origin
  • Gender, age, sexual orientation, or gender identity
  • Religion or belief
  • Age, disability, or socioeconomic status

23. Where BWV systems employ advanced analytical capabilities, including Artificial Intelligence (AI), facial recognition, or other biometric processing, a DPIA must be undertaken to explicitly address the ethical implications (for example, the risk of discrimination), and ensure that algorithms and datasets are reviewed to identify, assess, and prevent unfair bias.

24. Human oversight must be involved in any significant decisions based on AI-driven BWV analysis upon individuals.

25. Where such analytic capabilities are deployed, their use must be authorised by senior leadership.

26. Where personal data relating to protected characteristics is processed by an online AI tool, an Equality Analysis will be undertaken as required by the Equality Legislation.

Disclosure

27. The disclosure of information from surveillance systems, including BWVs, must be controlled and consistent with the purpose for which the system was established.

28. The disclosure of footage from surveillance systems, including BWCs, must be lawful under Article 6 of the UK GDPR, and any disclosure must be processed lawfully in accordance with Article 5 of the UK GDPR. Due regard must be given to ensuring restrictions under the DPA do not apply, which would restrict the disclosure of information.

29. Where the disclosure of surveillance information contains the image of an individual, due regard must be given to the need to pixelate the image of third parties.

30. Where data request is made relating to a deceased individual, see the guidance about Disclosing information about deceased people DWP Intranet. Data protection laws do not apply to deceased people, but the DWP still treats their information with care.

Right of Access Request (RAR)

31. A Right of Access Request (RAR) can only be made by a data subject (or individuals acting on their behalf with their consent); the data subject is the person whose personal data (image) is being processed. This is a right enshrined within data protection legislation. Where such a request is made a response will be provided without unnecessary or unreasonable delay and must be provided within one calendar month of receipt of the request.

Request for BWV footage from Police

32. DWP will comply with requests for BWV footage from the police relating to criminal investigations in accordance with the instructions for disclosing personal data to the police.

Freedom of Information (FOI) Requests

33. Requests for CCTV footage under the Freedom of Information (FOI) Act must be dealt with by following the Freedom of Information procedures.

Complaints

34. Requests or questions regarding how information is used by DWP should be directed to the DWP Personal information charter. A complaint regarding the DWP’s use of BWV may be made in writing to:

Right of Access Requests
Mail Handling Site A
Wolverhampton
WF98 2EF

Accountabilities and Responsibilities

a. The DWP Chief Security Officer is the accountable owner of the DWP Body Worn Video Security Policy and is responsible for its maintenance and review, through the DWP Deputy Director for Security Policy and Central Services.

b. The System Owner (BWV) will be responsible for:

  • defining and documenting the specific purpose and justification for the BWV system(s) under their remit
  • initiating, completing, and regularly reviewing Data Protection Impact Assessments (DPIAs) for their systems
  • ensuring operational compliance with this policy, including signage, data handling, access controls, and retention schedules
  • acting as the Single Point of Contact (SPoC) for their specific BWV system(s).
  • overseeing the secure destruction of data in line with DWP policy, standards, and procedures

c. The BWV System Administrator(s) will be responsible for:

  • the technical installation, configuration, maintenance, and security of BWV hardware and software, in accordance with DWP policies and technical standards
  • implementing and managing access controls to BWV systems and footage
  • ensuring systems are patched and hardened against vulnerabilities
  • managing the secure storage and backup of BWV footage
  • DSRM will conduct a risk assessment, as and when required, of any non-standalone technology system

d. The Authorised BWV user(s) will include individuals (DWP employees, contractors, consultants, and other workers) authorised to view live or recorded BWV footage and will be responsible for:

  • adhering to this policy and relevant procedures when accessing or using footage
  • reporting any misuse or security concerns related to BWV

e. DWP Data Protection Officer (DPO) will be responsible for:

  • providing advice and guidance on data protection compliance related to BWV, reviewing DPIAs, and liaising with the Information Commissioner’s Office (ICO) as necessary

Compliance

a. All DWP employees, whether permanent or temporary (including DWP’s contractors) have security responsibilities and must be aware of, and comply with, DWP’s security policies and standards.

b. Many of DWP’s employees and contractors handle sensitive information daily and so need to be enacting minimum baseline behaviours appropriate to the sensitivity of the information. Most security incidents and breaches relate to information security.

c. Failure to report a security incident, potential or otherwise, could result in disciplinary action and, in the most severe circumstances, result in dismissal. A security incident is the attempted or actual unauthorised access, use, disclosure, modification, loss, or destruction of a DWP asset (or a supplier asset that provides a service to the Authority) in violation of security policy. The circumstances may include actions that were actual, suspected, accidental, deliberate, or attempted. Security incidents must be reported as soon as possible. DWP users must report security incidents via the DWP Security Incident Referral Webform; third parties and suppliers must follow the DWP Security Incident Management Standard (SS-014).

d. DWP’s Security and Data Protection Team will regularly assess for compliance with this policy and may need to inspect physical locations, technology systems, design and processes and speak to people to facilitate this. All DWP employees, agents, contractors, consultants, business partners and service providers will be required to facilitate, support, and when necessary, participate in any such inspection. DWP Collaboration and Communication Services will use software filters to block access to some online websites and services, additional information can be found here DWP Employee Privacy Notice.

e. An exception to policy may be requested in instances where a business case can be made to undertake an activity that is non-compliant with DWP’s Security Policies. This helps to reduce the risk of non-compliant activity and security incidents. If an individual is aware of an activity that falls into this category, they should notify the Security Policy and Standards Team immediately.

Back to top