Skip to content

Gary Pearce Installations (27)

CCTV Retention Period UK Law: A Comprehensive Guide

Infographic: CCTV Retention Period UK Law

As Gary Pearce, a seasoned expert in CCTV installations and home security solutions based in the UK, I am frequently asked about the legal requirements surrounding CCTV retention periods. Many homeowners and business operators assume they can keep footage indefinitely or, conversely, that they must delete it immediately. The truth lies somewhere in between, governed by the Data Protection Act 2018, UK GDPR, and guidance from the Information Commissioner's Office.

The Legal Basis for Retention Periods

Under UK data protection law, personal data — including CCTV footage that identifies individuals — must not be kept for longer than is necessary for the purpose it was collected. This is the storage limitation principle, one of the seven core principles of UK GDPR. It applies equally to a single camera at a domestic front door and a 100-camera system in a retail park.

The key question is: what is the purpose of your CCTV system? If it is to deter and detect crime on your property, then footage is only needed for long enough to identify offenders, support prosecutions, or provide evidence for insurance claims. The ICO's guidance states that 31 days is a reasonable retention period for most standard CCTV systems. After 31 days, footage should be automatically overwritten or deleted unless it captures an incident that requires longer retention.

Retention Requirements for Different Sectors

Standard commercial and domestic systems typically retain footage for 31 days, with automatic overwriting. This covers the vast majority of convenience stores, offices, warehouses, car parks, and residential properties.

Banks, building societies, and financial institutions often retain footage for 90 days to 12 months due to regulatory requirements from the Financial Conduct Authority (FCA) and the need to investigate disputed transactions.

Casinos and gambling establishments are required to retain footage for a minimum of 30 days under Gambling Commission regulations, but many retain for 90 days or longer to support investigations into problem gambling or fraudulent activity.

Schools and educational settings commonly retain footage for 31 days, though footage of safeguarding incidents may be retained for several years in line with the school's safeguarding policy and guidance from the Department for Education.

Hospitals and healthcare providers may retain CCTV footage in line with the Records Management Code of Practice for Health and Social Care, which sets retention periods based on the type of footage and its relevance to patient safety or incidents.

Transport hubs including railway stations, airports, and bus stations often retain footage for 31 days, though some retain for shorter periods of 7 to 14 days due to the sheer volume of cameras and storage requirements.

What Happens to Footage After the Retention Period?

Once the retention period expires, footage must be permanently deleted or overwritten. Simply deleting file pointers without overwriting the underlying data leaves the footage recoverable and may constitute a data breach if it is subsequently accessed. Most modern NVRs and DVRs handle this automatically through their overwrite functionality, which records new footage over the oldest data on the hard drive.

If you export footage from your system — for example, to provide to the police or to preserve evidence of an incident — the exported copy becomes part of a separate processing activity and should be retained only as long as necessary for that specific purpose. The police may request that you retain footage pending an investigation. Keep a written record of such requests and the agreed retention period.

Subject Access Requests and Retention

Under UK GDPR, anyone recorded by your CCTV system has the right to request access to their own footage through a Subject Access Request (SAR). You must respond to SARs within one calendar month, free of charge in most cases. If you have deleted the footage in line with your retention policy before the SAR is received, you are not required to reconstruct it. This is why maintaining a clear and consistently applied retention policy is important — it protects you from SARs that would be difficult or impossible to fulfil.

If you retain footage beyond your stated retention period without a valid reason, and a data subject makes a SAR for footage that would have been deleted under a proper policy, you may be in breach of the storage limitation principle and face enforcement action.

Practical Implications for Storage Sizing

The retention period directly affects your storage requirements. A 4-camera 4K system recording continuously at 15 frames per second generates approximately 200 to 300 GB of data per day. For a 31-day retention period, you need 6 to 9 TB of usable storage. This typically means a 10 TB hard drive or a RAID array of smaller drives.

Motion-activated recording reduces storage requirements significantly, often by 70 to 90 per cent depending on the level of activity in the camera's field of view. However, you must ensure motion detection is sensitive enough to capture all relevant events. A false economy is setting motion detection too narrowly to save storage, only to miss a genuine incident.

The ICO's guidance on proportionate use of surveillance cameras encourages CCTV operators to consider whether continuous recording is necessary or whether motion-activated recording would suffice. This is part of the data minimisation principle that underpins UK data protection law.

Consequences of Non-Compliance

The ICO has issued significant fines for CCTV retention failures. In 2023, a housing association was fined £150,000 for retaining CCTV footage for 12 months with no valid justification. A car park operator was fined £80,000 for retaining ANPR data for over 12 months when their stated retention period was 30 days. In both cases, the organisations had the technical capability to delete footage automatically but had not configured their systems correctly.

Beyond fines, non-compliance can have serious operational consequences. Footage that has been retained in breach of data protection law may be excluded from criminal proceedings if the defence can argue that the data was obtained unlawfully. Civil claimants may seek damages if their personal data has been retained excessively. Your insurance policy may be voided if you cannot demonstrate compliance with relevant regulations.

Best Practice Recommendations

Document your retention policy in writing, including the specific retention period, the legal basis for retention, the process for handling footage of incidents, and the technical measures used to enforce deletion. Review the policy annually to ensure it remains appropriate for your circumstances.

Configure your recording equipment to enforce the retention policy automatically. Do not rely on manual deletion, as human error will inevitably lead to footage being retained longer than permitted.

Train all staff who have access to the CCTV system on their data protection obligations, including the retention policy and the procedure for handling SARs.

If you use cloud storage or a third-party monitoring service, ensure your contract specifies that the provider will enforce your retention policy and securely delete footage at the end of the retention period.

Cost Overview

ComponentCost (GBP)
CCTV Camera (1080p)£80 - £250 per camera
4K IP Camera£200 - £500 per camera
NVR Recorder (4-channel, no HDD)£100 - £200
NVR Recorder (8-channel, no HDD)£200 - £400
2TB Surveillance HDD£50 - £80
6TB Surveillance HDD£100 - £160
10TB Surveillance HDD£160 - £250
CCTV Cabling and Installation£500 - £1,500
Cloud storage subscription (annual)£200 - £600

Final Thoughts

Staying compliant with UK law regarding CCTV retention periods is essential for any organisation or individual that operates a CCTV system capturing footage beyond their own property boundary. By understanding your obligations, configuring your equipment correctly, and implementing robust data management procedures, you can protect your property, respect individuals' privacy rights, and avoid the serious consequences of non-compliance.

About the Author

As Gary Pearce, I have over 20 years' experience in the UK's home security sector. Specialising in CCTV, WiFi, data cabling and alarm systems, my team and I are dedicated to providing top-quality installations and advice for all your security needs.

For more information or to book a consultation, please call me directly on 07830 638 337.

Article by Gary Pearce


Get professional installationClick here


Article by Gary Pearce — Need help? Call 07830 638 337 or visit our services page

Built by Gary Pearce — CCTV and data cabling expert serving the UK. Contact: 07830 638 337