How to Respond to a DSAR Involving CCTV Footage

Every UK organization operating CCTV is legally obligated to respond to Data Subject Access Requests that include video footage. That includes nurseries, schools, hospitals, retailers, housing associations, leisure centers, and offices. Most of them have no formal process for it.

When a DSAR lands on the desk of a DPO or IT manager, the work looks the same whether the organization has five cameras or five hundred. Find the footage. Confirm the data subject is in it. Redact everyone else. Deliver it within the deadline. Document every decision.

This guide walks through what the law actually requires, where organizations most often get it wrong, and what a compliant, scalable response process looks like.

What a DSAR Is and When CCTV Falls in Scope

A Data Subject Access Request is a formal request from an individual to receive a copy of the personal data an organization holds about them. Under UK GDPR, anyone can make one. No fee is required in most cases, and the request does not need to be in writing or use any specific format.

CCTV footage is personal data whenever an individual is identifiable in it. A recognizable face counts. A distinguishing feature, a name badge, a vehicle number plate, or contextual detail that identifies someone can also count. If your cameras captured the requester at a time and location they can specify, you almost certainly have personal data in scope of their request.

The scope covers the recording itself, plus any associated metadata: timestamps, camera location, retention information, and the basis on which you are holding it.

What UK GDPR Article 15 Actually Requires

Article 15 of UK GDPR gives the data subject the right to obtain confirmation that their personal data is being processed, a copy of that data, and information about how it is being handled. For CCTV, that means providing the footage itself in an intelligible format, along with context on why it was recorded and how long it will be retained.

The law does not allow you to refuse simply because the footage contains other people. It requires you to balance the requester's right of access against the rights and freedoms of third parties who also appear in the recording. In practice, that balance is almost always struck by redacting the footage rather than withholding it.

Withholding is only appropriate in narrow circumstances, such as an active criminal investigation where disclosure would prejudice the case, and even then you typically need to document the reasoning and notify the requester of the reason. For a deeper look at how GDPR video redaction requirements work across different disclosure scenarios, the obligations are consistent regardless of sector.

The 30-Day Deadline

The response clock starts the day you receive the request. UK GDPR requires organizations to respond within one calendar month. The clock does not pause while you locate the footage, retrieve it from storage, or figure out which cameras were running. It starts the moment the request arrives, regardless of who in the organization receives it first.

Extensions of up to two additional months are permitted when the request is complex or when multiple requests are involved, but you must notify the requester within the original month and explain why the extension is necessary. Routine CCTV retrieval does not qualify as complexity. Volume, multi-site coordination, and internal process friction are operational problems, not legal extensions.

For organizations with manual redaction processes, the deadline is where most DSAR responses break down. A single hour of CCTV footage can take a human reviewer four to eight hours to redact properly. Multiply that by multiple camera angles, multi-hour recordings, or multi-site incidents, and a month disappears quickly.

The Third-Party Redaction Obligation

When a DSAR involving CCTV lands, the organization does not simply hand over the raw recording. Everyone else in the frame — employees, other customers, delivery drivers, visitors, children, and anyone passing through the view of the camera — also has rights under UK GDPR. Their faces, badges, license plates, and other identifying features must be obscured before the footage is disclosed.

This is not optional. Releasing unredacted footage that identifies third parties is itself a breach of UK GDPR, because you have disclosed their personal data to a recipient with no lawful basis to receive it. Organizations have been fined for doing exactly this in response to DSARs they thought they were handling properly.

The redaction obligation covers faces, distinguishing physical features, name badges, license plates, screens showing personal data, and any visible documents or identifiers. In audio-enabled CCTV, it also covers voices and spoken personal information.

Special Categories: Children, Patients, and Other Sensitive Subjects

Some DSARs arrive with an additional layer of sensitivity. Nurseries and schools receive requests that include other children. Hospitals receive requests that include other patients. Housing associations and social services often receive requests involving minors, vulnerable adults, or people whose presence in a particular location is itself sensitive information.

These cases require extra care because the footage may reveal special category data under UK GDPR Article 9: health information, data concerning vulnerable groups, or biometric data. Redaction for healthcare environments follows the same principle applied to any setting where sensitive personal data appears in video — the coverage must extend beyond faces to contextual identifiers and environmental details that could reveal someone's presence at a clinic, care facility, or school.

Face blurring alone is sometimes insufficient here. If a child is identifiable by clothing, a distinctive walk, or their interaction with the requester's child, deeper redaction or fuller person silhouetting may be required.

What Good Practice Looks Like

UK regulatory guidance on CCTV disclosure is clear on the core principle: third parties in footage must be protected before disclosure, and the default approach is redaction rather than refusal. Good practice means treating third-party redaction as a standard step in every DSAR response, not a case-by-case judgment call.

It also means keeping the original recording intact. The redacted copy is what gets disclosed; the original stays in your evidence chain. If the requester challenges the redaction, or if a regulator later audits your response, you need to be able to show both the original footage and the redaction decisions you made against it.

Audit trails matter. Every redaction decision should be logged with timestamps, the user who performed it, and the basis for the decision. This is what makes a DSAR response defensible if it is ever challenged.

Why Face Blurring Alone May Not Be Enough

Simple face blurring applied in a video editor is a common first attempt. It breaks down in predictable ways.

Moving subjects can move in and out of detection between frames, leaving intermittent unblurred images. Bystanders may turn away from the camera briefly, and a basic blur tool will lose them. Voices in audio tracks are ignored entirely. License plates, name badges, and documents on screens require separate detection. Reflections in windows and mirrors often contain unredacted third parties that manual reviewers miss.

Defensible CCTV redaction requires persistent tracking across frames, coverage across object types (faces, persons, vehicles, plates, screens), and audio redaction where the camera captured sound. A patchwork of manual steps in different tools is where most mistakes happen. For a broader view of how leading redaction platforms compare on these capabilities, this review of video redaction software covers the key differentiators to evaluate.

The Operational Reality

For a single-site retailer with one or two DSARs a year, manual redaction is survivable, even if time-consuming. For organizations with multiple sites, high footfall, or regulated populations, the volume makes manual processes unsustainable.

A multi-site retailer pulling footage from 40 stores for a slip-and-fall DSAR is working against the clock from the moment the request arrives. A hospital handling a patient DSAR across three wards has multiple feeds to process. A housing association responding to a complaint about a communal area has to extract, redact, and deliver, all while other compliance work continues. The retail surveillance redaction challenge illustrates how DSAR volume scales with footfall and site count, a pattern that applies equally across sectors.

The organizations that do this well have moved to automated redaction with human review — not replaced reviewers with software. The AI does the heavy lifting on detection and tracking across footage volumes that a human reviewer cannot scan in time. The reviewer makes the final call on edge cases and signs off on the release.

Sectors Most Exposed

Nurseries and schools face DSARs from parents reviewing interactions involving their own child. Healthcare providers receive requests from patients, families of patients, and, in some cases, litigation-adjacent requests. Retailers face DSARs around incidents, disputes, and claims. Housing associations handle requests tied to neighbor disputes, antisocial behavior reports, and tenancy matters. Government bodies face similar pressure under both UK GDPR and FOIA frameworks.

What unites them is the combination of high camera density, diverse data subjects in frame, and no dedicated CCTV redaction capability. The deadline is the same for all of them.

How Automated Redaction Makes This Repeatable

VIDIZMO Redactor automates the operational steps of CCTV redaction so the compliance process becomes predictable.

The platform auto-detects faces, persons, license plates, vehicles, and screens across video. Detections are tracked persistently across frames, so a bystander turning their head does not break the redaction. Output styles (blur, pixelate, or black box) are configurable, and audio tracks can be redacted alongside the video to cover spoken personal data.

Proprietary CCTV auto-rewrapping handles the H.264 files that come out of most camera systems, converting them to standard playable formats automatically. Bulk processing handles volume without manual intervention, and the platform has been tested against 1.1 million recordings in deployment.

Every redaction action is logged with user ID, timestamp, and decision metadata, stored in tamper-proof audit logs. The original footage is preserved; the redacted copy is the one disclosed to the requester. For UK data residency, Redactor can be deployed on Azure UK South with support for UK NCSC 14 Cloud Security Principles, and the platform holds ISO 27001:2022 certification.