How Long is
CCTV Footage Kept UK

UK CCTV retention periods explained by use case

UK CCTV retention periods vary widely by use case and risk level. The fundamental UK GDPR principle is data minimisation: footage kept only as long as necessary. ICO guidance provides typical periods but operators must justify their specific retention period in writing.

Domestic CCTV retention (UK 2026):

• Typical retention. 14-30 days. ICO guidance suggests 30 days as upper limit.
• Justification. Crime prevention and security. Minimal data needed for typical purposes.
• Common UK domestic systems. Hikvision NVR, Dahua, Reolink with 1-2TB drives commonly retain 14-30 days continuous.
• Cloud (Ring, Nest, Eufy). Subscription tier dependent. Ring Protect Basic 30 days.
• Longer than 30 days. Requires specific written justification (e.g. recent burglary, ongoing investigation).

Small business CCTV retention:

• Typical retention. 30 days standard. Most small UK businesses settle here.
• Justification. Crime prevention plus incident investigation needs.
• Up to 60 days. Justifiable if business handles cash, high-value goods or has higher theft risk.
• Up to 90 days. Possible with documented risk assessment and Data Protection Impact Assessment.
• Office environments. Often shorter retention (14-30 days) - lower risk.

Retail and high-risk business:

• Retail shops. 30-90 days typical. Shoplifting investigations may take time.
• Supermarkets. 30-90 days. Some chains retain 90 days for refund disputes.
• Pubs and clubs. 30-90 days. Incident investigations and licensing requirements.
• Hotels. 30-90 days. Guest incident investigations.
• Petrol stations. 30-90 days. Drive-off and theft investigations.
• Documented risk assessment. Justifies extended retention beyond domestic norms.

Banks, ATMs and financial services:

• ATM CCTV. 31-90 days standard. Some banks retain up to 6 months.
• Branch CCTV. 31-90 days. Internal investigations of fraud or incidents.
• Mortgage and loan offices. 31-90 days for KYC verification disputes.
• Justification. Financial crime prevention and FCA regulatory compliance.
• Specific incidents. Indefinite while fraud or crime under investigation.

Council and public space CCTV:

• Town centre CCTV. 31 days typical. Standard UK council practice.
• Council estate CCTV. 31 days typical. Anti-social behaviour evidence.
• Traffic cameras. 28-31 days. Road incident evidence.
• School CCTV. 30-31 days standard. Safeguarding investigations.
• Library and public buildings. 30-31 days standard.

Workplace and HR-related CCTV:

• Office workplace. 30-90 days. Investigations of misconduct or incidents.
• Industrial sites. 30-90 days. Safety incident investigations.
• Warehouses. 60-90 days. Theft and damage investigations.
• Construction sites. 30-90 days. Safety and theft monitoring.
• Workplace audio CCTV. Stricter rules. Shorter retention typical.

Specialist environments:

• Care homes. 30-90 days. Safeguarding investigations. CQC may require specific retention.
• Hospitals. 30-90 days general areas. Specific clinical areas have separate rules.
• Prisons. 31 days standard. Longer for specific incidents.
• Police custody. Variable. PACE 1984 governs.
• Court buildings. 30-90 days standard. Longer for specific cases.

How retention is enforced in UK CCTV systems:

• FIFO storage rotation. Hard drive fills, oldest footage overwritten. Capacity-based deletion.
• Time-based retention. System set to delete after specific number of days. Calendar-based.
• Cloud subscription rules. Ring, Nest, Eufy delete based on tier. End of subscription deletes all.
• Manual deletion. Possible but rare in practice.
• Export before deletion. Specific incidents preserved separately.

UK GDPR data minimisation requirements:

• Article 5(1)(e). Personal data kept in form permitting identification only as long as necessary.
• Stated purpose. Retention tied directly to documented purpose.
• Written justification. Required for retention longer than typical industry norms.
• Regular review. Operators should review retention periods annually.
• Data Protection Impact Assessment. May be needed for high-risk processing including extended retention.

What happens if retention is too long:

• UK GDPR breach. ICO can investigate following complaint.
• Enforcement notice may require deletion of excessive footage.
• Fines possible: up to £17.5 million or 4% turnover for severe corporate breaches.
• Domestic fines typically much smaller.
• Reputational impact and Subject Access Request burden increases.

What happens if retention is too short:

• Footage of legitimate incidents may be lost before action can be taken.
• Subject Access Requests may return 'no footage' if request comes after deletion.
• Insurance claims may fail without supporting CCTV evidence.
• Police investigations limited if footage already deleted.
• Balance retention against UK GDPR data minimisation principle.

How to set retention on UK CCTV systems:

• Hikvision. Storage > Schedule > Overwrite + retention days.
• Dahua. Storage Manager > HDD Settings > Recording duration.
• Reolink. Settings > Storage > Recording > Retention Days.
• Ring. No manual setting - subscription tier rules.
• Nest. Subscription tier rules apply.
• Eufy. Storage Settings > Retention Period.

Knowing UK CCTV retention rules helps homes and businesses comply with UK GDPR easily. Our full CCTV Help hub covers CCTV laws, footage retention, audio recording rules and broader CCTV guidance for UK homes and businesses.