Redaction of CCTV footage for Subject Access Requests: feel the pain?

When someone submits a subject access request for CCTV footage that shows them, your legal obligation is clear. You must provide a copy of their personal data within one month, free of charge in most circumstances. What complicates matters is that CCTV rarely captures just one person. The moment other individuals appear in the frame, you face a balancing act between the requester’s right to access and third parties’ right to privacy.

Getting this wrong risks regulatory action from the Information Commissioner’s Office. Getting it right requires understanding what redaction actually means in practice, when you need to do it, and which tools can help you comply efficiently.

Why Redaction Matters for CCTV SARs

CCTV footage containing other people will probably need to be redacted so they cannot be identified. That “probably” reflects the fact that each request requires case-by-case assessment. You must consider the level of harm that could arise if you release un-redacted footage showing third parties, particularly where the footage captures sensitive contexts such as healthcare settings, domestic incidents or workplace disputes.

The ICO’s position is straightforward. Your obligations under UK GDPR are to provide a copy of information about the requester rather than a complete version of footage, whilst ensuring doing so does not adversely affect the rights and freedoms of others. This means redaction is not about refusing the request; it is about fulfilling it whilst protecting others.

The consequence of failing to redact appropriately is not merely theoretical. In one case involving a leisure centre worker who requested CCTV footage of a car park incident, the centre initially refused to disclose footage because it contained images of other people and claimed it could not redact them. The ICO advised the centre to provide stills of the footage with other identities redacted. The practical lesson here is that claiming technical inability to redact will not excuse non-compliance.

What You Actually Need to Redact

Redaction is not limited to blurring faces. Available techniques include blurring, masking, or using a solid fill to completely obscure parts of the footage. What requires redaction depends on what could identify a third party in context. This includes faces, vehicle registration plates, distinctive tattoos, name badges visible on clothing, and even audio where conversations identify individuals.

The nature and context of the footage matters when determining the level of redaction required. Body-worn video captured during a domestic incident will contain far more identifying and sensitive information than CCTV footage from a retail car park. You need to assess each request individually rather than applying a blanket approach.

One common misunderstanding concerns the use of still images. Providing an individual with a transcript of either audio or visual information contained in footage is not enough to comply in most circumstances, because a transcript or still photograph is unlikely to fully communicate all contextual information within the footage that could be considered the data subject’s personal data. In other words, cherry-picking frames to avoid redaction work will not satisfy your obligations.

The Balancing Act: When Consent Is Not Practical

You have three routes when footage contains third parties. First, you can seek their consent to disclosure. Second, if consent is not obtained or practical, you can redact their identities. Third, you can decide it is reasonable to disclose without consent after weighing the requester’s rights against the third party’s privacy rights.

You are not obliged to ask for consent from third parties, but where you choose not to, you must be able to justify that decision. For instance, where footage shows a minor incident in a staff car park, and third parties are merely passing through the frame, seeking individual consent from dozens of people would be disproportionate. Redaction becomes the practical solution.

What you must not do is use the presence of third parties as a blanket excuse for refusal. You should look to disclose personal data if you can, but it is a balancing act, and you must document the reasons for your decision.

See ICO guidance below.

Choosing Redaction Tools That Work

Manual redaction using basic video editing software is slow, expensive and error-prone. A 10-minute CCTV clip can take hours to redact frame by frame. The good news is that AI-powered redaction software has become both more accurate and more accessible in recent years.

When evaluating redaction tools, you should look for greater than 95% detection rates with manual override options, and ensure the solution aligns with GDPR, FOI Act requirements and evidential rules.

The ICO recognises that it may be necessary to contract out the redaction process to a specialist organisation, and in this context the third party is likely to become a processor, so you would need a written data processing agreement (DPA) specifying exactly how the information is to be used and providing explicit guarantees in terms of quality and security. This is what we ‘do for a living’, so we will ensure you have an appropriate DPA before any data is processed.

Cloud vs On-Premise Solutions

iCompli uses an on-premises solution ensuring your personal data remain secure in the UK. Transfer of files between you and us will employ either encrypted email or, if you request, via Microsoft or Google cloud services (SharePoint, Google Workspace).

One practical consideration is format compatibility. Your CCTV system may output footage in proprietary formats that not all redaction tools support. Before committing to any solution, you will need to verify we can handle your specific file types, currently .mp4 and .avi files.

Building a Defensible Process

The ICO’s updated guidance, following the Data (Use and Access) Act 2025, emphasises that when installing CCTV, you should ensure you choose a system that allows you to easily locate and extract personal information in response to subject access requests, and that allows for redaction of third-party information where necessary. This is a forward-looking obligation. If you are procuring new CCTV systems, redaction capability should be part of your specification.

For existing systems without built-in redaction functionality, you still need to endeavour to comply with your obligations. This means investing in standalone redaction software or engaging specialist providers.

Whatever approach you adopt, document your decisions. When you decide not to redact certain footage, when you determine that consent from third parties is impractical, or when you assess that disclosure without consent is reasonable, record your reasoning. The ICO can require you to justify these decisions, and proper documentation demonstrates you approached the request seriously rather than arbitrarily.

Practical Steps for Your SAR Process

When a SAR for CCTV footage arrives, your process should look something like this.

• First, locate and preserve and/or extract the relevant footage covering the period and location specified.
• Second, review the footage to identify whether third parties appear and, if so, whether their presence is incidental or material to the context.
• Third, decide whether to seek consent, redact, or disclose without redaction based on your balancing exercise.
• Fourth, apply redaction using appropriate software or services.
• Fifth, provide the redacted footage to the requester with any necessary explanations about why certain portions have been obscured. This process needs to happen within one month. Automated redaction tools that can process a 10-minute clip in the same amount of time represent a significant advantage over manual methods that might take an entire working day.
• Finally, ensure whoever operates your CCTV systems understands they may receive SARs. Staff who operate surveillance systems should be able to recognise a request to access, erase or restrict personal data, and help progress these requests efficiently. Training and documented procedures prevent requests from languishing unrecognised in the wrong department.

The Bottom Line

Redacting CCTV footage for subject access requests is not optional. It is a legal requirement designed to balance competing privacy rights. The practical challenge is doing it efficiently and accurately without creating unreasonable delays for the requester or disproportionate costs for your organisation.

Investing in automated redaction tools is a smart choice for organisations that have CCTV installations. The technology has matured to the point where accuracy exceeds 95%, processing times have collapsed, and costs have become manageable even for smaller organisations.

If you currently rely on manual redaction or have been refusing CCTV SARs because you lack redaction capability, now is the time to address that gap. The ICO’s enforcement approach assumes organisations will adopt reasonable technical measures to comply, and those measures are now widely available. iCompli’s Managed Video Redaction Service could be the answer you are looking for.

Resources

ICO Right of Access Guidance

• URL: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/

ICO CCTV and Video Surveillance Guidance

• URL: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cctv-and-video-surveillance/guidance-on-video-surveillance-including-cctv/

ICO Third Party Information Exemption

• URL: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/exemptions-can-we-refuse-a-sar-if-it-involves-information-about-other-people/