business7 min read·

Your ADI dashcam may make you an unlawful data controller - £52 fix

A dashcam in an instructor's car is no longer unusual. After a wave of false accusations from pupils and parents, rising insurance premiums, and a general feeling that "if it happens, I want it on record," more and more ADIs have installed forward-facing or cabin-facing dash cameras in their tuition vehicles. Insurers encourage it. Most instructor insurance policies now ask if you have one and sometimes offer a small discount if you do.

Nobody tells you the legal bit: the moment your dashcam records pupils inside the car, you become a data controller under UK GDPR. That triggers ICO registration, a privacy notice obligation, data retention rules, and a range of other compliance steps that most ADIs haven't realised apply to them.

This guide walks through exactly when a dashcam makes you a data controller, what you need to do to stay compliant, and the specific fixes that take the whole thing from "quietly illegal" to "sorted" in 15 minutes.

When a dashcam triggers GDPR

A dashcam that only ever records the external road and never captures identifiable people (because cars don't have drivers' faces visible at the angle you use, or because you only ever record for insurance claims and delete otherwise) may fall outside GDPR's scope. In practice this is very rare for an ADI.

A dashcam that captures the inside of the car - even as a secondary effect of the main forward-facing view - records identifiable people. Your pupils. Sometimes their family members in the back seat. Sometimes children. The moment it records identifiable individuals for any purpose other than the purely personal (which doesn't apply because you're running a business), you are a data controller processing personal data.

Most instructor dashcams sit between these extremes. A forward-facing camera picks up the road plus your pupil's hand on the wheel and occasionally their face when they turn to look at you. A dual-facing camera (increasingly common) captures the pupil continuously. Either way, if you can identify individuals from the footage, you're in GDPR territory.

The ICO's guidance (published and updated through 2025 and 2026) is clear: if you're using a dashcam for business purposes and it records individuals, you're the data controller for that footage, and the full GDPR framework applies.

What that means in practice

Being a data controller for dashcam footage requires you to:

  1. Register with the ICO and pay the annual data protection fee (£40 for most ADIs; £52 for those who run the dashcam through a vehicle covered under a separate business registration, hence the "£52" in the title of this post).
  2. Have a lawful basis for recording and storing the footage.
  3. Provide notice to the people being recorded (the pupils) before or at the point of recording.
  4. Minimise the data you capture - only what's actually needed for the stated purpose.
  5. Set a retention period and delete footage after it.
  6. Keep the data secure from unauthorised access.
  7. Respond to data subject rights requests - if a pupil asks for a copy of footage of them, you're obliged to provide it (with exceptions for other people visible in the recording).
  8. Report breaches if something goes wrong.

Each of these has a short answer for a typical ADI running a dashcam. Below is how to do each.

Step 1: ICO registration

Pay the annual data protection fee at ico.org.uk. The base rate for sole traders and small businesses is £40/year. If you're already registered for other data processing (as you should be - all ADIs are data controllers, as covered in our GDPR for driving instructors post), your dashcam use is covered by the same registration. You don't need to register twice.

The £52 figure comes up because some dashcam use cases (specifically, where a dashcam is sold and configured as part of a vehicle fleet or commercial business rather than a sole trader) push you into the Tier 2 fee band at £60. For virtually all solo ADIs, Tier 1 at £40 applies.

Action: If you haven't registered, register. 10 minutes, £40.

Step 2: Lawful basis

You need a "lawful basis" under GDPR Article 6 to process personal data. For dashcam recording by a driving instructor, the most appropriate bases are:

  • Legitimate interest - you have a business interest in recording for insurance and safeguarding purposes, this interest is not overridden by the pupil's rights, and the pupil can reasonably expect the recording given the context.
  • Contract performance - recording is part of the service you're providing (though this is a weaker basis and only applies if recording is clearly part of the contract from the start).

Legitimate interest is the normal route. You don't need explicit consent from pupils to record them in the tuition car if your purpose is genuine and proportionate, but you do need to be able to explain why the interest is legitimate and why it outweighs the pupil's privacy interest.

The legitimate interest test has three parts:

  1. Purpose test - is there a legitimate interest? Yes: insurance claims protection, safeguarding, resolving disputes.
  2. Necessity test - is the processing necessary for the purpose? Yes: alternative methods (witnesses, written statements) are less reliable.
  3. Balancing test - does the individual's rights override the interest? In most ADI dashcam cases, no, because the pupil can reasonably expect to be recorded in a tuition vehicle where the instructor has commercial and safety responsibilities.

Action: Document your legitimate interest assessment in writing. It doesn't need to be long - half a page covering the three tests above is fine. Keep it with your business records in case you ever need to demonstrate it.

Step 3: Privacy notice for pupils

Under GDPR, you must tell pupils they're being recorded and why, before the recording starts. In practice, this means:

  • A visible sign inside the car (a small window sticker or a note on the dashboard) confirming that the dashcam is recording for insurance and safeguarding purposes
  • A written notice in your pupil intake documentation or T&Cs explaining the recording, how long it's kept, who might see it, and the pupil's right to request access or object
  • A verbal mention at the first lesson confirming the recording and inviting questions

The written notice should include, at minimum:

  • What is being recorded (video, audio if applicable, both)
  • The purpose of recording
  • The legal basis (legitimate interest)
  • How long footage is retained before deletion
  • Who has access to the footage
  • How a pupil can request a copy of footage featuring them
  • How a pupil can object to the recording and what that means for their lessons (in most cases, they can continue lessons but you'll note their objection)

Action: Write the notice once, add it to your pupil intake pack, and make a permanent sticker for the car windscreen.

Step 4: Audio recording - a specific warning

Many dashcams have the capability to record audio as well as video. A surprising number of ADIs have this turned on by default without realising the legal implications.

Recording audio inside a car is much more intrusive than recording video. It captures everything said - personal conversations, health disclosures, complaints about other road users, jokes, anything. The GDPR threshold for audio recording is higher than for video recording, and the pupil's reasonable expectation of privacy over their spoken conversation with you is stronger.

The ICO's general guidance on CCTV (which applies by analogy to dashcams) recommends not recording audio unless there is a specific justified reason. For most ADIs, there isn't one. The insurance and safeguarding use cases are satisfied by video alone.

Action: Go into your dashcam settings right now and turn audio recording off. If you later discover a specific reason you need audio, you can turn it back on and document the justification. Until then, leave it off.

Step 5: Retention period

GDPR requires you to delete personal data when you no longer need it for the purpose you collected it. For dashcam footage, the typical ADI retention period should be short.

A reasonable default: footage is retained for 7-14 days on a rolling loop (most modern dashcams overwrite automatically), and any footage that's flagged for a specific reason (an incident, a dispute, an insurance claim) is saved separately and kept until the relevant issue is resolved.

Avoid:

  • Permanent archives of all footage "just in case"
  • Mixing saved footage with your personal files
  • Sharing footage with social media, friends, or other instructors without the pupils' explicit consent

The rolling loop is your friend here. Most dashcams are configured to overwrite old footage automatically as the SD card fills up. This is compliant by default because you're not actively retaining anything beyond the immediate term. The moment you copy footage off the card for "safekeeping," you're now actively retaining personal data and your obligations increase.

Action: Check your dashcam settings. Confirm the loop is set to something between 1 and 14 days. If you've been copying footage off and saving it, review what's on your phone/laptop/cloud storage and delete anything you don't specifically need for an active reason.

Step 6: Security

GDPR requires you to keep personal data secure. For dashcam footage, this means:

  • The SD card is not accessible to unauthorised people (don't leave the car with the SD card loose or the dashcam's settings menu unlocked)
  • Any footage you copy off the card is stored securely (encrypted laptop, cloud storage with strong password and 2FA)
  • The dashcam itself is password-protected if it has a management app

Most modern ADI dashcams have WiFi-enabled management apps. Make sure those apps are password-protected - leaving the default password means anyone who guesses it could pull footage off your camera.

Action: Change the default password on your dashcam app. Enable 2FA on any cloud storage where you keep saved footage. Don't leave the car with the SD card exposed.

Step 7: Subject access requests

If a pupil asks for a copy of any footage that features them, you're obliged to provide it. This is a "subject access request" under GDPR, and you have one month to respond.

The complication: dashcam footage often features other people too - other pupils, passing members of the public, other road users. You can't just hand over the raw footage because that would reveal others' personal data. The ICO's guidance is to either redact or blur the other individuals before handing over the footage.

For most solo ADIs, the simplest approach is to only hold short-term rolling footage (which avoids most requests because the footage is already gone by the time someone asks) and to negotiate with the pupil about what they actually want - often, a verbal explanation of what the footage would have shown is enough.

Action: If you receive a subject access request, respond promptly. If you don't have the technical capability to redact other individuals, tell the pupil honestly and offer a written summary of the relevant events instead. Keep a log of requests received and how you responded.

Step 8: Breach reporting

If footage is stolen, accidentally disclosed, or otherwise compromised, it's a personal data breach. You should assess the risk and report to the ICO if the risk is meaningful (see the full GDPR breach procedure post).

Realistic breach scenarios for dashcam:

  • Your SD card is stolen from the car
  • You upload footage to social media without redaction
  • You lend your car (with the dashcam fitted) to someone else without securing the data
  • You lose your phone and the dashcam app on it exposes footage

Action: Have a brief breach plan - what to do if your car is stolen, how to remotely wipe or disable the dashcam, who to notify. For most ADIs this is a paragraph in their business notes, not a 30-page document.

The 15-minute checklist

If you run a dashcam and want to get to compliance quickly, here's the full checklist.

  1. Register with the ICO (£40/year) if you haven't already - 10 minutes
  2. Turn audio recording OFF on your dashcam - 2 minutes
  3. Set the rolling loop to 7-14 days and confirm nothing longer is being saved - 1 minute
  4. Add a visible notice in the car (sticker or note) - 1 minute (do this immediately; order a proper printed one later)
  5. Add a written notice to your pupil intake pack - 15 minutes (one-time)
  6. Change the default password on your dashcam app - 1 minute
  7. Document your legitimate interest in a half-page note - 5 minutes
  8. Delete any saved footage you no longer need from your phone/laptop - variable

Total active time: 15-30 minutes depending on how much old footage you have to clean up. Total ongoing burden: close to zero, because the dashcam handles most of the compliance automatically once configured properly.

What insurers actually want

A common misconception: insurers want you to keep all footage forever in case a claim comes in later. This isn't true. Insurers want footage when a specific incident happens, and they want it quickly after the event. If your dashcam is overwriting footage on a 7-14 day loop, an incident-specific save will still be captured if you act within that window.

The moment you know an incident has happened (e.g., a near-miss, a complaint, a minor collision), save the relevant footage off the loop and into a secure folder. That footage is then "actively retained for an insurance claim" which is a separate legitimate interest and a different retention period (until the claim is resolved, potentially years).

The rolling loop is the default; the save-on-event workflow is the exception. Done this way, you can satisfy both the ICO (minimum retention) and your insurer (footage available when actually needed).

The bigger picture

The GDPR obligations around dashcam use sound onerous when you list them all out, but the practical effect for a typical ADI is small. Pay the ICO fee, turn audio off, use a rolling loop, have a notice, change the default password, document your legitimate interest. That's it.

Most of the instructors getting caught out aren't doing anything malicious. They've just installed a dashcam because it seemed sensible and never considered the data protection implications. Fixing the baseline takes half an hour and makes you bulletproof against the usual complaints.

If you're using DrivePro, the platform doesn't touch dashcam footage - that sits entirely on your local hardware - but the broader GDPR compliance pieces (privacy notices, ICO registration documentation, pupil data handling) are all in the same compliance package. Handling both at once is efficient.

Don't wait for a complaint before you fix the dashcam side. It's cheaper, faster, and easier to do it now.

For Driving Instructors

Are you a driving instructor?

Manage your diary, accept online bookings, and grow your business with DrivePro’s all-in-one platform for ADIs.

Learn more

Already qualified? Start your free trial

Related articles

business

Motability-funded driving lessons: how ADIs qualify and get paid

9 min readbusiness

Driving lesson refunds: the one clause every instructor contract must have

8 min readbusiness

Is your driving lesson cancellation fee actually enforceable? A CRA 2015 check

8 min read