Body-Worn Video Policy
A written policy under the UK GDPR setting out how body-worn cameras are used by door staff or security personnel at a venue.
Body-worn video (BWV) is now standard at many UK licensed venues. Cameras worn by door supervisors record interactions, support incident investigation, and provide evidence for prosecutions. They also create data protection responsibilities under the UK GDPR. A written body-worn video policy is the document that explains how the venue uses BWV, when recording starts, how subjects are notified, retention periods, subject access procedures, and storage security. The Information Commissioner's Office expects venues using BWV to have a documented policy.
Key Points
- Body-worn video creates UK GDPR responsibilities; a written policy is expected.
- Policy must cover lawful basis, recording start/stop, notification, retention, SAR handling, storage.
- Subjects can request copies of BWV footage as personal data.
- Recording should generally not be "always on"; start when an interaction needs it.
- Storage should be encrypted with logged access and automatic retention.
What a BWV policy needs to cover
At minimum: lawful basis for recording (typically legitimate interest under the UK GDPR), when recording starts and stops (the "always-on" approach is generally inappropriate; recording typically starts when the door supervisor judges an interaction needs recording), how subjects are notified (usually a clear sign at the door), retention period (commonly 30 days unless tied to an incident), how subject access requests are handled, who has access to footage, where footage is stored and how it is secured, and how it is shared with police or other authorities.
Subject access requests
Under the UK GDPR, individuals have the right to access personal data held about them, including BWV footage. Requests must normally be responded to within one calendar month. The venue must locate the footage, redact other identifiable individuals where appropriate (typically using video redaction software), and supply a copy. Most venues delegate redaction to the security firm or to a specialist provider; either way, the venue (as data controller) is ultimately responsible.
Storage and access
BWV footage is sensitive personal data. Storage should be encrypted at rest, access should be logged and limited to named individuals, retention should be automatic (footage deleted on schedule unless flagged for an incident), and any sharing with police should be evidenced (a written request, a brief description of the footage shared, the date). Most venues use a dedicated video evidence platform rather than ad-hoc storage on USB drives.
Frequently Asked Questions
Is a body-worn video policy a legal requirement?
A specific BWV policy is not a statutory requirement, but the UK GDPR and Data Protection Act 2018 require data controllers to have appropriate technical and organisational measures. The ICO's guidance on overt surveillance treats a documented BWV policy as a clear expectation. Many premises licences also explicitly require it.
Do customers have to consent to being recorded?
Under the UK GDPR, the lawful basis for BWV is typically "legitimate interests" rather than consent. The venue must demonstrate that recording is necessary for crime prevention or public safety and that individuals are notified (typically through clear signage at the entrance).
How long should BWV footage be kept?
Common practice: 30 days unless flagged for an incident, then retained for the life of any investigation, prosecution, or appeal. Excessive retention beyond what is necessary breaches the UK GDPR's storage limitation principle.
Can I share BWV with the police?
Yes, where the police have a lawful basis to receive it (typically a Section 29 disclosure under the Data Protection Act 2018). Document the request, the footage shared, and the date. Sharing without a documented basis can breach UK GDPR.
Ready to simplify your compliance?
Start your free 14-day trial and see how Paddl makes food safety management effortless.