Requests from employees and subcontractors for access to CCTV recordings arise more often than many organizations expect. They usually relate to a disputed incident, an accident, a situation in a locker room or at an entry point, a workplace conflict, or a parking-lot incident. The challenge is that the same frame almost always shows bystanders as well—and sometimes license plates, ID badges, screens, or documents. This is exactly where the risk of excessive disclosure begins.

The most practical safeguard when preparing a copy of the material is visual data anonymization—i.e., transforming a photo or video so that people and vehicles are not identifiable. In practice, this primarily means blurring faces and masking license plates. This allows the organization to respond to the request while keeping exposure of other individuals’ data to an absolute minimum.

Where Does Excessive Disclosure Come From—and Why Is It a Real Problem?

Workplace cameras typically cover shared areas: entrances, corridors, production floors, reception areas, loading bays, and parking lots. Even a short clip can reveal:

• the identity and movements of co-workers,
• sensitive context (e.g., a medical event, a conflict, emotional reactions),
• license plates of bystanders’ vehicles,
• indirectly identifying elements such as name badges, distinctive clothing, or reflections in glass.

When responding to access requests, organizations should avoid sharing data that is not necessary for the stated purpose. In real HR and security processes, visual redaction (blurring faces and plates) is most often what makes it possible to balance the requester’s interests with the rights of other individuals.

What to Prepare Before You Export Anything

An efficient process starts with getting the basics in order. These steps reduce handling time and minimize the risk of mistakes:

• Confirm identity and the scope of authorization. Make sure the request is submitted by the correct person or their authorized representative.
• Narrow the timeframe and location. Ask for an approximate time of the event and select only the necessary cameras. Instead of 30 minutes, 60–180 seconds is often sufficient.
• Define the purpose of disclosure. The approach will differ for incident clarification, an employment dispute, or an insurance claim.
• Choose the response format. Sometimes on-site viewing or a few still frames are enough instead of a full video. This is often the safest way to limit scope.

A Repeatable Workflow That Minimizes Data Exposure

The following process works well in organizations that want to handle requests consistently, regardless of whether the case is led by HR, security, or legal:

1. Select the minimum necessary excerpt. Cut exactly the segment that answers the requester’s question.
2. Blur faces of bystanders. If other people appear in the frame besides the requester, they create the greatest risk of excessive disclosure.
3. Mask license plates of bystanders’ vehicles. In a parking lot, a single readable frame can be enough to identify a vehicle.
4. Add manual redaction for additional elements. Name badges, documents on a desk, on-screen content, and other sensitive items may require manual masking.
5. Run quick QA. Check high-risk points: fast motion, reflective surfaces, scene transitions, and frames where subjects enter or leave the shot.
6. Deliver the file securely. Use an expiring link, an encrypted channel, and access control. Avoid emailing raw files.
7. Set retention for working copies. Keep editing copies only as long as necessary to close the case.

If an organization wants to run this process locally without sending recordings to the cloud, on-premise tools are worth considering. In practice, this often makes security approval easier and reduces transfer risk. In this model, Gallio PRO can be used. To test the workflow on your own files, you can download a free demo.

What to Anonymize First

Faces

A face is the most obvious identifier in video. In responses to employee requests, there is rarely a need to disclose the identities of third parties. Blurring bystanders’ faces is a practical data-minimization safeguard and reduces the risk of complaints or escalation.

License plates

Whether license plates are treated as personal data depends on context and on whether they can be linked to a specific person. In workplace environments, such linkage is often realistic because the parking area, work schedules, and internal knowledge can facilitate identification. That’s why masking plates of bystanders’ vehicles is a reasonable risk-reduction practice—especially when sharing a copy of a recording outside the security team.

Why On-Premise Processing Makes Requests Easier to Handle

Access requests typically involve sensitive material. Local (on-premise) processing helps maintain control over files, limit the number of people with access, and avoid creating additional copies outside the organization. This is particularly important when footage relates to:

• incidents involving third parties,
• sensitive events (an accident, an intervention, a conflict),
• parking lots and entry areas where plates and traffic flows are often visible.

The scope of automation matters. Gallio PRO automatically blurs faces and license plates in photos and video files. It does not anonymize full silhouettes and does not operate in real time or on video streams. Elements such as logos, tattoos, ID badges, documents, or on-screen content are not detected automatically and may require manual redaction in the editor.

In practice, organizations also look for solutions that do not introduce additional risk through metadata. Gallio PRO states that it does not collect logs containing face or license-plate detection events, nor logs containing personal or sensitive data, which supports a data-minimization approach in internal processes.

Quick Tips That Reduce Mistakes

• Start with the smallest excerpt, then decide whether broader context is truly necessary.
• Check the first and last second of every export—faces most often “escape” during transitions.
• Don’t rely solely on automation for screens, badges, and documents in frame.
• Set a single standard (presets) for typical requests so different teams don’t produce inconsistent versions.

FAQ — Sharing CCTV Recordings With Employees and Subcontractors

Can I provide raw footage to an employee if it shows other people?
In practice, that is risky. If bystanders appear, a safer approach is to narrow the scope and redact the image so you do not disclose other individuals’ data more than necessary.

Is face blurring always sufficient?
Not always. Identification can also come from context, badges, screens, or unique clothing. That’s why it’s worth adding quality control and—if needed—manual masks after automatic blurring.

Should license plates be masked when responding to requests?
It depends on the context and the risk of linking a plate to a person. In practice, many companies mask plates of bystanders’ vehicles as a risk-reduction measure, especially for parking-lot footage.

Does anonymization remove the material from GDPR scope?
Only if identification is not possible using methods that are reasonably likely. This is a contextual assessment and should be supported with quality control and process documentation.

Can such material be processed in the cloud?
It can, but security and processor requirements must be addressed. In many organizations, an on-premise model is more convenient because it reduces transfers and simplifies access control.

How can a repeatable process be implemented quickly?
The easiest start is presets (faces, plates), a short QA checklist, and clear retention rules. If a local tool is needed, you can download a Gallio PRO demo and test typical cases on your own recordings.

References

• Regulation (EU) 2016/679 (GDPR) — in particular Article 5, Articles 12–15, and Recital 26
• EDPB — Guidelines 3/2019 on processing personal data through video devices
• ICO (UK) — CCTV and video surveillance guidance