« Back to Glossary Index
The ICO is the independent UK body responsible for enforcing data protection law. For fleet operators, the ICO is relevant because in-vehicle cameras that record drivers are classified as processing personal data, which means the operator must comply with UK GDPR rules and, in some cases, pay a data protection registration fee.
The ICO publishes guidance on vehicle surveillance that covers lawful basis, data retention, subject access handling, and employee notification requirements. All of this guidance is under formal review following the Data (Use and Access) Act 2025. Key obligations the ICO enforces for fleet camera operators:
- Lawful basis – must have a documented lawful reason for recording drivers (usually legitimate interests)
- Driver notification – drivers must be informed in writing and by signage in the vehicle
- Data retention – footage must be deleted after a defined period; keeping it indefinitely is non-compliant
- Access controls – footage must only be accessible to authorised personnel for defined purposes
- Subject access requests – drivers can request footage of themselves and must receive a response within 30 days