“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems” – Bruce Schneier, computer security specialist.
CCTV: it seems to be everywhere these days. In fact, it is probably functionally impossible to go to any urban area in the UK without being captured on camera in some way.
In fact, there are an estimated one billion surveillance cameras in operation in the world today. Whether we approve of this or not, there doesn’t seem to be much, if anything, we can actually do about it.
We’re all being filmed and photographed, all of the time. Bizarrely, when nobody is filming or photographing us, we tend to respond by filming and photographing ourselves.
…But where does all this footage go? Who stores it? Who watches it?
In short, as the Roman poet Juvenal once asked, “Quis custodiet ipsos custodes?”
This famous utterance is best translated as ‘who will guard the guards themselves?’ or, as the saying is more commonly understood today, “who watches the watchers?”
It’s a good question, so we decided to try and answer it.
Who Can View CCTV Footage?
Aside from a nominated data controller, nobody should be able to view footage captured via CCTV. In fact, part of the data controller’s job is to ensure that this remains the case. Only in exceptional circumstances (such as instances whereby footage is used as evidence of a crime) can it be viewed by a third party.
Under the terms of the Data Protection Act 2018, anyone captured on camera who is recognisable in the footage also has a legal right to view that footage, even if other people are visible in the video.
However, there is a legal procedure in place for doing this. The person must follow a specific protocol, first notifying the data controller that they wish to review the footage, then waiting for the controller to respond (they must do so within one month). Following this, the footage must be made available to them.
Any business wishing to use CCTV must formally register with the Information Commissioner’s Office (ICO) before doing so. They must also pay a data protection fee.
There are also a number of legal conditions that must be adhered to. For example, the use of CCTV has to be accompanied by some sort of notification that people are being filmed (a sign is the method most commonly used).
Other conditions of using CCTV include only employing it for the use for which it is registered (e.g., capturing illegal activities) and nothing else. Users must not place any cameras in private areas (such as toilets or changing rooms – this would be seen as a human rights violation) and, as previously mentioned, access to all footage is limited solely to a data controller.
As additional security measures, CCTV systems that use wireless signals must always encrypt their data to a high standard. Also, every system that operates via the Internet has to either be password protected, or else must require some other form of authentication at the point of use.
These are not mere guidelines, but strict demands of the law. Therefore, they must be adhered to, lest the business or organisation lose the ability to legally operate a CCTV system.
How Long is CCTV Footage Kept?
The length of time for which footage can be kept partly depends on why the footage was captured in the first place.
For example, if the CCTV system was put in place in order to capture evidence of crimes being committed, then there is no reason whatsoever to retain footage that does not contain any evidence of crime.
Every company will have a specific policy in place that dictates how long footage will be kept after being taken. This should be reasonable and considered.
Footage that is being examined as evidence can be kept for longer periods and is subject to a different set of laws. Equally, footage that may be connected to a crime (e.g., if it shows criminals or their accomplices possibly performing reconnaissance prior to a crime being committed), might also be kept for longer periods and/or examined as evidence.
Normal, everyday footage, on the other hand, should be deleted regularly. For the majority of companies, this occurs approximately once every 30 days or so.
This ’30-day rule’ dates back to the days of VHS surveillance systems, where cameras were set up to record for 24 hours at a time, after which an operator would need to replace the tape.
These tapes were kept in storage lockers that typically held 30 or 31 tapes. Therefore, for each tape to be used and then overwritten would take 30 or 31 days. To delete footage every 30 or 31 days has since become standard security industry practice.
In many cases, companies will trim this time down to 14 days. This is as much for the footage unnecessarily taking up storage space and serving no obvious purpose as it is for reasons of data protection and privacy.
Some companies, however, have been known to store footage for 3 months or more, based on certain recurring customer issues that take longer to develop.
Essentially, it varies from company-to-company as to how long footage is kept. So, while CCTV footage is subject to the terms of the Data Protection Act 2018, there are no specific laws governing how long it can be kept.
However, keeping CCTV footage for too long without good reason is impractical, as well as potentially hazardous from a legal standpoint (because, in such cases, footage may not be serving the purpose for which it was originally assigned).
If you have any concerns regarding data storage, you may recommend to your company that they conduct a Data Protection Impact Assessment (DPIA). This is a series of tests designed to identify and minimize risks that could arise due to the way your company processes data. This procedure is highly recommended, as it removes ambiguity and at the same time acts as a legal safeguard.
How long is Street CCTV footage kept
In terms of public footage, the rules governing CCTV usage are a little bit tighter. For example, police officially recommend that private security firms delete or overwrite any non-incriminating footage after 31 days – and most companies choose to comply with this formal guideline.
It is not required by law, but it is seen as generally sensible business practice to abide by police recommendations in areas of security and/or public safety.
Footage captured by the Metropolitan Police is kept for 31 days unless it forms part of an investigation. In such cases, it becomes subject to the ‘Management of Police Information’ (MoPI) guidelines. Police footage (such as dashcam footage from police cars) is subject to numerous legislative requirements, including those outlined by both the 1998 and 2018 versions of the Data Protection Act.
Video that explicitly shows a person’s face (including footage that uses facial recognition software) is considered to be personal data and is therefore subject to the same data protection laws that govern any other personal data.
How long do Supermarket shops keep CCTV footage
Most, if not all supermarkets in the UK employ CCTV cameras as a security measure, mainly as a defensive measure against theft and antisocial behaviour. This means that when you enter a supermarket, you are likely to be captured on camera at least a couple of times.
Supermarkets are private companies and, although they sometimes retain the services of independent security firms to operate and monitor their CCTV, how long they keep the footage for is more-or-less up to them. It is therefore conceivable, if unlikely, that some supermarkets may keep security footage for longer than the standard 31 days.
However, supermarkets are, of course, subject to the same data protection laws as any other business. As a result, even if a supermarket did opt to keep CCTV for longer than 31 days, it still couldn’t do a lot with it. Remember, only the data controller can access the footage.
Today, many self-service checkouts also contain CCTV cameras. These often face the customers directly, rather than being focussed on their shopping. The exact reasons for this are unclear, but it is probably intended simply to deter theft. Supermarkets lose roughly £3.2Bn a year from goods stolen by customers using self-service checkouts. Perhaps the idea that the customer is on camera is meant to discourage them from stealing smaller items?
When asked by customers as to why self-service checkouts have CCTV that records people’s faces, major supermarkets simply affirm that it is a “security measure” and, according to one Sainsbury’s spokesperson, the cameras “facilitate a better customer journey” (whatever that means).
In any instance, footage captured by a self-service checkout counts as personal data because it clearly displays the person’s face. It is therefore protected by law, so, once again, there isn’t much that a supermarket chain can legally do with the footage.
Statements from Sainsbury’s have confirmed that the footage taken is kept for no more than 31 days before being overwritten. We can probably assume that this is standard practice for most other UK-based supermarket chains as well.
Supermarkets can be somewhat underhanded in their sales methods and have developed many sneaky tactics for making shoppers spend more money. They also already have access to what their customers buy, as well as when they buy it and how often. This is especially true in the case of loyalty card holders.
The biggest privacy issue in supermarkets, then, is not the presence of CCTV, but the many other subtle data gathering techniques and cunning sales ploys at work whenever you grab some groceries or pick up a weekly shop.
How long do pubs keep CCTV Footage
Pubs, clubs and venues are also privately owned spaces. The use and storage of CCTV remains at the discretion of the owners.
However, many premises now have it stipulated as a condition of being granted a license that they operate some form of CCTV. In such cases, these premises are obliged by the terms of their license to store any images or video for 28 – 30 days in case it needs to be reviewed by the police at any point. In such cases, a clear limit is placed upon how long footage may be kept. There would presumably be serious repercussions in cases whereby these rules were broken or ignored.
Venues serving alcohol that operate as part of the night-time economy are potentially more likely to capture incriminating footage, so insisting that CCTV be employed makes at least some sense.
Even in cases where the pub, club or venue is not mandated by the terms of their license to employ CCTV, many still opt to do so. This is done partly as a way of avoiding legal challenges and partly to protect vulnerable areas of their business (cameras may be placed over the bar, in the storerooms, at delivery points and so on).
Many door supervisors working in such environments also wear body cameras. In most cases, security firms follow the example set by the police, meaning that non-incriminating footage is deleted after 31 days. Some body cams, however, have only a limited ability to store data, meaning that this is either uploaded regularly, or simply deleted automatically by the camera itself.
Again, there are no specific laws governing this, but it seems unlikely that a pub, club or venue would consider keeping footage for longer than 31 days to be a viable or cost-effective option. Data storage can be expensive, after all and, in most cases, the data is worthless, only becoming useful in instances of crime or perhaps recording the last-known location of a missing person.
Beyond that, keeping footage for extended periods just seems costly and ultimately pointless. It seems likely that the majority of venue owners and pub landlords would see it the same way.
We hope you have found this investigation interesting (and perhaps even somewhat eye-opening). Privacy is one of the most hotly debated issues of our time. How you relate to the information presented here will, in large part, inform which side you take in the great privacy debate of the 21st century.
In summary, and to answer Juvenal’s original question, no one seems to be watching the watchers beyond a certain point, but that’s OK, because they’re all too preoccupied with watching one another.