Closed-Circuit Television Security Policy
Updated 9 October 2025
Overview
The DWP Closed Circuit Television Security Policy sets out the operational framework governing DWP’s use of Visual Surveillance Systems (VSS), also known as CCTV.
Purpose
This policy sets out the requirements to ensure the legitimate, lawful, appropriate and responsible use of CCTV within, and on behalf of, the DWP. It aims to ensure the maintenance of proportionality, legality, accountability, and necessity, and mitigate against the risks associated with CCTV.
These objectives will serve to ensure that public trust is maintained, consolidating confidence in the DWP’s commitment to the fair and transparent use of CCTV. Above all, CCTV should be seen as a valuable and supporting tool to DWP security.
CCTV is installed and utilised for the security of staff, visitors, contractors, information and equipment across the DWP.
Internal cameras are used to:
- provide additional security within DWP buildings
External cameras are used:
- to enhance building, site, staff, and public protection inside and outside of normal working hours
In considering the use of CCTV, due regard must always be given to appropriate legal, regulatory, and statutory frameworks. This includes, but is not limited to:
- UK General Data Protection Regulation (GDPR)
- Data Protection Act (2018)
- Data (Use & Access) Act 2025
- Equality Act (2010)
- Freedom of Information Act (FOIA) 2000
- Code of Practice for Surveillance Cameras and personal information produced by the Information Commissioner’s Office (ICO)
- CCTV within the workplace (NPSA)
- Digital Economy Act (2017)
- Protection of Freedoms Act (PoFA) (2012)
- Government Functional Standard GovS 007: Security
- Standards – UK Government Security – Beta
- Human Rights Act (1998)
- Health and Safety at Work Act (1974)
- The Surveillance Camera Code of Practice (2021)
- The Public Records Act (1958)
- Private Security Industry Act (2001)
- Investigatory Powers Act (2016)
- Regulation of Investigatory Powers Act (RIPA) (2000)
- Security policy framework: protecting government assets
- The Management of Health and Safety at Work Regulations (1999)
This policy should be read in conjunction with:
- The Civil Service code
- DWP Acceptable Use Policy
- DWP Standards of Behaviour Policy
- DWP Physical Security Policy
- DWP Physical Technical Standard
Scope
This policy applies to:
- DWP employees (including contractors, consultants and other workers), system users, and system operators involved in the provision and lifecycle management of CCTV for the DWP, referred to from now on as “users”
- all suppliers whose systems or services store, handle, or process DWP information, or are involved in the use, delivery, provision, maintenance or lifecycle management of hardware for the DWP; to ensure the appropriate levels of assurance for the confidentiality, integrity, and availability of the DWP’s assets
- this policy does not replace any legal or regulatory requirements
Definitions
2WA
Two-way audio in CCTV technology allows for bidirectional communication, allowing users to both listen and speak through the security camera system.
Body Worn Video
Body Worn Video (BWV) refers to small, portable recording devices, featuring the ability to capture audio and video.
Commissioner
Refers to the role undertaken by the Surveillance Camera Commissioner, as set out in Section 34(2) of the Protection of Freedoms Act (PoFA) 2012. Their function is to encourage compliance, review the operation of, and provide advice regarding the Surveillance Camera Code of Practice.
Controller
A controller is the natural or legal person, public authority, agency or other entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data
Data is information about people, things, and systems.
Biometric Data
Refers, under Article 4 (14) UK GDPR, to personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.
Data Owner
An individual responsible for a logical grouping of data (for example, areas of interest for an organisation such as a business process of domains such as customers, benefits or a service).
Data Subject
A data subject is the person that the personal data is about.
Personal Data
Refers, under Article 4(1) UK GDPR, to any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data (GPS location), an online identifier (IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach
This is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processor
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processing
Refers to the use of personal data in any way, including collecting, recording, organising, analysing, sharing, storing, and destroying data.
Recipient
A recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with domestic law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Surveillance
Is defined by Section 48(2) of the Regulation of Investigatory Powers Act 2000 (RIPA) as including monitoring, observing, listening to individual(s), their movements, conversations, other activities, and communications. Surveillance can be physical or electronic (including undertaking OSINT).
Surveillance Camera System
Refers to the meaning given by Section 29(6) of PoFA 2012 and is taken to include:
a) closed circuit television (CCTV)
b) any other systems for recording or viewing visual image material for surveillance purposes
c) any systems for storing, receiving, transmitting, processing or checking images or information obtained by a) or b) and
d) any other systems associated with, or otherwise connected with a), b), or c)
Special Category Data
Data protection law has stricter rules for ‘special category personal data’, which is data of a particularly sensitive nature requiring extra protection and safeguarding. Special category data includes:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- data concerning health, including disability and gender reassignment
- data concerning an individual’s sex life or sexual orientation
System Operator
Refers to a person or persons that take a decision to deploy a surveillance camera system, and/or are responsible for defining its purpose, and/or are responsible for the control of the use or processing of images or other information obtained by any such system.
System User
Refers to a person or persons who may be employed or contracted by the system operator who have access to live or recorded images or other information obtained by any such system.
Policy Statements
1. DWP is the Controller where we determine the purposes and means of processing data arising from the use of CCTV within the DWP estate, and where this is the case DWP is accountable for the quality, integrity, and protection of this data.
2. When developing processes and procedures relating to the gathering of information, the Data Protection by Design process must be followed. In addition, you must follow the Data Protection Impact Assessment (DPIA) process.
3. Personal data (including images, audio, and information captured and contained within CCTV footage) must be processed lawfully, fairly, and in a transparent manner.
4. To ensure purpose limitation, personal data must be collected for an explicit, specific, and legitimate purpose, and must not be further processed in a manner that is incompatible with these explicit aims.
5. To ensure data minimisation, collected personal data must be limited (not excessive), relevant, and adequate to what is necessary to meet the purposes for which it is processed.
6. To ensure accuracy, personal data should be precise and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data are erased or rectified without delay, having due regard to the purposes for which they are processed.
7. CCTV footage shall be kept for no longer than 30 calendar days from the date the recording was made.
8. Where a need arises to continue storing data beyond the 30-day standard retention period, this must be for a specific and legitimate purpose (for example, to assist DWP or the Police during an investigation, comply with a data subject’s right to restrict processing, assist in the exercise or defence of a legal claim, or assist in a matter of public interest). The justification and need for continuing to do so must be reviewed at least annually. A record of the review, and the rationale for continuing storage (where applicable) must be retained and be available for review.
9. Where the retention of information is no longer required, it must be securely destroyed in accordance with the Security Standard Secure Sanitisation and Destruction (SS-036) and the DWP Information Management Policy. This process, including method of destruction, date, and authorising individual, must be recorded in a destruction log maintained by the System Owner, which shall be available for audit.
10. To ensure integrity and confidentiality, data shall be processed in a manner that ensures the security of personal data, including protection against unauthorised or unlawful processing, accidental loss, damage, or destruction. This shall be achieved through the use of appropriate organisational and technical measures, including adherence to all requisite DWP security policies and standards. Information obtained through the use of CCTV must be stored securely.
11. The data owner must ensure that information obtained through the use of CCTV is stored securely and is encrypted when necessary. Further guidance may be found in the Security standard SS-007: Use of Cryptography. Further guidance may also be found in the DWP Cryptographic Key Management Policy and Security standard SS-002: Public Key Infrastructure & Key Management.
12. A Data Protection Impact Assessment (DPIA) must be conducted by a System Owner or delegate prior to the procurement or deployment of any new surveillance camera system, or before any significant changes are made to an existing system or its purpose, to inform system design and mitigate privacy risk. DPIAs must be undertaken according to DWP guidance and procedures and be formally reviewed and signed off by the relevant SRO or designated data protection lead. The DPIA must be recorded in a central register and must be subject to an annual review.
13. CCTV operators should consider and give due regard to the Public Sector Equality Duty (PSED); particularly in order to ensure that a surveillance camera system does not impact disproportionately or unlawfully discriminate against individuals likely to be captured by its operation.
14. Where an individual provides a security industry service, such as guarding or carrying out any form of surveillance (as provided by the Private Security Industry Act 2001); they must be licensed in accordance with the Act.
15. Where CCTV is deployed and in operation, staff and members of the public must be made aware of the system being in operation, and the reason for its use. Clearly visible and appropriately sized signage must be provided where CCTV is in operation to alert individuals to the use of CCTV cameras. Signage must:
- be clearly visible and readable
- identify the organisation operating the system
- state the purpose for the use of CCTV
- give a point of contact regarding the CCTV
16. Permanent and moveable cameras must be positioned in a manner to ensure that the only images captured are of areas that are the subject of permitted surveillance.
17. CCTV must not be used in areas where there is a heightened expectation of privacy (for example, toilets, bathroom).
CCTV System Security
18. All CCTV system components (including cameras, recorders, servers, network devices, and software) must be procured, installed, configured, and maintained in accordance with the Hardware Lifecycle Management Security Policy and DWP Technical Security Standards.
19. The technical and operational management of CCTV systems must include (but is not limited to):
- changing all default administrator and user credentials before deployment and enforcing strong, unique passwords. See SS-033 Security Standard - Security Patching
- regularly applying security patches and firmware updates to all components
- secure network configuration, including consideration of network segregation for CCTV systems where appropriate
- disabling all unnecessary services and ports on CCTV devices
- physical security measures to protect recording devices and critical infrastructure from unauthorised access, tampering, or damage, as defined in site specific physical security risk assessments
- implementing appropriate access controls to system administration interfaces
- regular vulnerability assessments of the CCTV infrastructure. See SS-027 Security Standard - Security Testing v2.0
Procurement and Deployment of CCTV systems
20. The procurement and deployment of all new CCTV, or significant upgrades to existing systems must be subject to a formal risk assessment process.
21. In line with the Hardware Lifecycle Management Security Policy and DWP Physical Security Policy, procurement teams must engage with DWP Enterprise Security Risk Management (ESRM) and DWP Estates security specialists prior to contract commitment. This engagement must define the appropriate technical, operational, and security standards for the proposed CCTV system based on the identified risks and specific site requirements.
Training and Competency
22. All DWP staff and contractors involved in the operation, management, monitoring or administration of CCTV systems, or who have access to CCTV footage, must receive appropriate training commensurate with their roles and responsibilities.
23. Any such training must cover:
- relevant legal obligations, including the UK GDPR, Data Protection Act (DPA) (2018), and the Human Rights Act (1998)
- the content of this DWP CCTV Security Policy and associated policies and procedures
- the technical operation of the specific CCTV systems they use or manage
- data protection principles, privacy, and the ethical use of CCTV
- procedures for handling data, access requests, disclosures, and incident reporting
- recognising and responding to security risks or potential misuse of CCTV systems
24. Records of completed training must be maintained and reviewed regularly to ensure compliance.
25. All users of DWP surveillance systems must hold a valid Public Space Surveillance (CCTV) licence.
Ethical Use and Prevention of Bias
26. DWP is committed to ensuring that CCTV will not be used in a manner that unfairly targets or profiles individuals based on:
- race, ethnicity, or national origin
- gender, age, sexual orientation, or gender identity
- religion or belief
- age, disability, or socioeconomic status
27. Where CCTV systems employ advanced analytical capabilities, including Artificial Intelligence (AI), facial recognition, or other biometric processing, a DPIA must be undertaken to address ethical implications and prevent unfair bias.
28. DPIAs for such systems must explicitly assess the risks of discrimination and ensure that algorithms and datasets are reviewed to assess potential bias.
29. Human oversight must be involved in any significant decisions based on AI-driven CCTV analysis upon individuals.
30. Where such analytic capabilities are deployed, their use must be authorised by senior leadership.
31. Where personal data relating to protected characteristics is processed by an online AI tool, an Equality Analysis will be undertaken as required by Equality Legislation.
Review and Audit of CCTV
32. The DWP Data Protection Team and the security team, or other nominated body, shall conduct regular reviews and audits of CCTV systems administration processes, including right of access requests, to ensure compliance with this policy. Audits should occur at least annually. Where a system is identified as high-risk through compliance, risk, assurance, or other activity, such audit activity should be undertaken periodically as determined by ongoing risk assessment.
33. Where CCTV has internet connectivity and its security (for example, patching, configuration, maintenance) is managed remotely, the Digital Security Risk Management (DSRM) team will assess and understand any control gaps through a risk assessment.
34. Audits must assess:
- the effectiveness of CCTV and subsequent analysis of CCTV outputs in mitigating the physical safety risks to customers and staff
- the continued necessity and proportionality of each CCTV system against its stated purpose(s)
- compliance with data protection requirements and scrutiny of existing DPIAs
- adherence to data retention and secure destruction procedures
- effectiveness and visibility of signage
- security of CCTV access controls
- security of role-based CCTV access
- compliance with training requirements
- the technical security of CCTV system components (for example, the system patch status, secure configuration)
36. Audit findings and recommendations must be reported to the relevant System Owner(s). A summary of audit outcomes and actions taken should be documented to demonstrate ongoing oversight, and consideration given to publishing anonymised summary information.
Viewing of CCTV footage
37. The viewing of live or recorded images must be restricted (except where live feeds are intended for public display as a visual deterrent to inappropriate customer behaviour), with permission to grant access to be determined by the DWP. This must be limited to individuals who require such access as a necessary part of their duties.
38. Staff operating a surveillance system should be able to recognise and understand a request to access, erase, or restrict personal data, and any such requests must be dealt with in accordance with DWP policies and procedures.
Disclosure
39. The disclosure of information from surveillance systems must be controlled, logged, and consistent with the purpose for which the system was established.
40. The disclosure of footage from surveillance systems must be lawful under Article 6 of the UK GDPR, and any disclosure must be processed lawfully in accordance with Article 5 of the UK GDPR.
41. Where the disclosure of surveillance information contains the image of an individual, due regard must be given to the need to redact or obfuscate the image of third parties.
42. Where a data request is made relating to a deceased individual, see the guidance about ‘Disclosing information about deceased people’. Data protection laws do not apply to deceased people, but the DWP still treats their information with care.
Right of Access Request (RAR)
43. A Right of Access Request (RAR) can only be made by a data subject (or individuals acting on their behalf with their consent); the data subject is the person whose personal data (image) is being processed. This is a right enshrined within data protection legislation. Where such a request is made a response will be provided without unnecessary or unreasonable delay and must be provided within one calendar month of receipt of the request. See the Right of Access Request instructions.
Request for CCTV footage from Police
44. DWP will comply with requests for CCTV footage from the police relating to criminal investigations in accordance with the instructions for Disclosing personal data to the police.
Freedom of Information (FOI) Requests
45. Requests for CCTV footage under the Freedom of Information (FOI) Act must be dealt with by following the Freedom of Information procedures.
Complaints
46. Requests or questions regarding how information is used by DWP should be directed to the DWP Personal information charter. A complaint regarding the DWP’s use of CCTV may be made in writing to:
Right of Access Requests
Mail Handling Site A
Wolverhampton
WF98 2EF
Accountabilities and Responsibilities
a. the DWP Chief Security Officer is the accountable owner of the DWP CCTV Security Policy and is responsible for its maintenance and review, through the DWP Deputy Director for Security Policy and Central Services.
b. the System Owner (CCTV) will be responsible for:
- defining and documenting the specific purpose and justification for the CCTV system(s) under their remit
- initiating, completing, and regularly reviewing DPIAs for their system(s)
- ensuring operational compliance with this policy, including signage, data handling, access controls, and retention schedules
- acting as the Single Point of Contact (SPoC) for their specific CCTV system(s)
- overseeing the secure destruction of data in line with DWP policy, standards, and procedures
c. the CCTV System Administrator(s) will be responsible for:
- the technical installation, configuration, maintenance, and security of CCTV hardware and software, in accordance with DWP policies and technical standards
- implementing and managing access controls to CCTV systems and footage
- ensuring systems are patched and hardened against vulnerabilities
- managing the secure storage and backup of CCTV footage
- DSRM will conduct a risk assessment, as and when required, of any non-standalone technology system
d. the Authorised CCTV user(s) will include individuals (DWP employees, contractors, consultants and other workers) authorised to view live or recorded CCTV footage and will be responsible for:
- adhering to this policy and relevant procedures when accessing or using footage
- reporting any misuse or security concerns related to CCTV
e. DWP Data Protection Officer (DPO) will be responsible for:
- providing advice and guidance on data protection compliance related to CCTV, reviewing DPIAs, and liaising with the Information Commissioner’s Office (ICO) as necessary
Compliance
a. All DWP employees, whether permanent or temporary (including DWP’s contractors) have security responsibilities and must be aware of, and comply with, DWP’s security policies and standards.
b. Many of DWP’s employees and contractors handle sensitive information daily and so need to be enacting minimum baseline behaviours appropriate to the sensitivity of the information. Most security incidents and breaches relate to information security.
c. Failure to report a security incident, potential or otherwise, could result in disciplinary action and, in the most severe circumstances, result in dismissal. A security incident is the attempted or actual unauthorised access, use, disclosure, modification, loss or destruction of a DWP asset (or a supplier asset that provides a service to the Authority) in violation of security policy. The circumstances may include actions that were actual, suspected, accidental, deliberate, or attempted. Security incidents must be reported as soon as possible. DWP users must report security incidents via the DWP Security Incident Referral Webform; third parties and suppliers must follow the DWP Security Incident Management Standard (SS-014).
d. DWP’s Security and Data Protection Team will regularly assess for compliance with this policy utilising a sample-based audit approach to inspect physical locations, technology systems, design and processes and speak to people to facilitate this. All DWP employees, agents, contractors, consultants, business partners and service providers will be required to facilitate, support, and when necessary, participate in any such inspection. DWP Collaboration and Communication Services will use software filters to block access to some online websites and services; additional information can be found in the DWP Employee Privacy Notice.
An exception to policy may be requested in instances where a business case can be made to undertake an activity that is non-compliant with DWP’s Security Policies. This helps to reduce the risk of non-compliant activity and security incidents. If an individual is aware of an activity that falls into this category, they should notify the Security Policy and Standards Team immediately.