UK surveillance law is strict, specific and carries criminal penalties for non-compliance

Surveillance in the United Kingdom is governed by multiple overlapping statutes: the Regulation of Investigatory Powers Act 2000 (RIPA), the Investigatory Powers Act 2016, the Data Protection Act 2018 (UK GDPR), the Human Rights Act 1998, and the Protection of Freedoms Act 2012. For businesses and private investigators, understanding where the legal boundaries sit is not optional. Evidence gathered unlawfully is inadmissible and the person who gathered it may face prosecution.

This guide explains what surveillance methods are lawful in the UK, who can use them, and the conditions under which they are permitted. It reflects the law as of 2026, including recent ICO enforcement guidance on workplace monitoring.

Types of surveillance and their legal status

Physical surveillance (following and observation)

Observing a person in a public place is not illegal. A private investigator can follow a subject along public streets, sit in a parked car on a public road, and take photographs of what can be seen from a public vantage point. This is because there is no reasonable expectation of privacy in public spaces under English law.

The limits are practical and legal. Surveillance must not amount to harassment under the Protection from Harassment Act 1997. Following someone repeatedly, approaching them, or conducting surveillance in a way that causes alarm or distress crosses the line from lawful observation to unlawful harassment. The test is whether a reasonable person would consider the conduct to amount to harassment.

Surveillance of a person’s home from outside is lawful provided the investigator is positioned on public land and is only recording what is visible to any member of the public. Entering private property, using equipment to see through walls or curtains, or positioning cameras to capture areas that would not normally be visible from a public location is unlawful.

Photographic and video evidence

Taking photographs and video of a person in public places is lawful. There is no law in the UK that prohibits photography in public. The resulting images and footage are personal data under UK GDPR and must be processed lawfully, but the act of capture itself is not restricted.

Recording inside private premises without consent raises different issues. An employer can install CCTV in the workplace, but must comply with ICO guidance: employees must be informed, the monitoring must be proportionate to a legitimate aim, and the footage must be handled as personal data. Covert workplace CCTV is only justifiable where there is a specific suspicion of criminal activity and overt monitoring would not achieve the objective.

Audio recording

Recording a conversation you are part of is lawful under UK law. You do not need the other party’s consent. This is why a complainant can legitimately record a meeting with their employer or a client can record a phone call with a contractor.

Recording a conversation between two other people, where you are not a participant, is a different matter. Under RIPA, the interception of communications in the course of their transmission is a criminal offence unless authorised by a warrant. A private citizen or business cannot obtain such a warrant. This means bugging a room, tapping a phone line, or intercepting emails are all criminal offences when done by private parties.

GPS tracking

Placing a GPS tracker on a vehicle you own is lawful. An employer can track company vehicles, and a person can track their own car. Placing a tracker on someone else’s vehicle without their knowledge or consent is likely to constitute harassment and may amount to stalking under the Protection of Freedoms Act 2012.

The ICO has stated that tracking company vehicles is a form of monitoring that requires a data protection impact assessment and employee notification. Covert tracking of company vehicles is only justifiable where there is a specific suspicion of misconduct and other methods of investigation have been considered and rejected as insufficient.

Social media and open source investigation

Reviewing a person’s publicly available social media posts is lawful. The information has been published by the data subject and is available to any member of the public. This includes posts, photographs, check-ins, connections, and any other information the person has made public.

Creating fake profiles to connect with a subject and access private content is a grey area. While not specifically prohibited by statute, it may constitute fraud by false representation under the Fraud Act 2006 if the fake identity is used to obtain information for financial advantage or to cause loss. Many professional investigator associations, including the IAAR, prohibit this practice in their codes of conduct.

Computer and phone monitoring

An employer can monitor company-owned devices provided the employee has been informed, the monitoring is proportionate, and it complies with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. This permits monitoring for quality control, crime prevention, and ensuring compliance with company policy.

Accessing a person’s personal devices, accounts, or passwords without authorisation is a criminal offence under the Computer Misuse Act 1990. This applies even if the person is your spouse, employee, or family member. We regularly encounter situations where a client has accessed their partner’s phone and found evidence of infidelity, but that evidence may be inadmissible and the client may have committed a criminal offence in obtaining it.

The legal rules in detail

Regulation of Investigatory Powers Act 2000 (RIPA)

RIPA governs the use of covert surveillance by public authorities, not by private citizens or businesses. However, it sets the standard against which private surveillance is often judged. RIPA distinguishes between directed surveillance (covert observation of a specific person), intrusive surveillance (surveillance inside residential premises or a private vehicle), and the use of covert human intelligence sources (informants).

Only public authorities can authorise intrusive surveillance, and only with senior approval. Private investigators and businesses cannot conduct intrusive surveillance under any circumstances. This prohibition is absolute: no amount of justification makes it lawful for a private party to place a covert camera inside someone’s home.

UK GDPR and the Data Protection Act 2018

All surveillance by private parties that captures personal data must comply with the UK GDPR. The lawful basis for processing will usually be legitimate interest (Article 6(1)(f)). The data controller must demonstrate that the surveillance is necessary for a legitimate purpose, that it is proportionate, and that the data subject’s interests do not override the controller’s legitimate interest.

In practice, this means documenting the justification for surveillance before it begins, minimising the amount of data captured, retaining it only as long as necessary, and securing it against unauthorised access. A data protection impact assessment is required for any systematic monitoring.

Human Rights Act 1998

Article 8 of the European Convention on Human Rights, as incorporated by the Human Rights Act, protects the right to respect for private and family life. This right is not absolute; it can be interfered with where the interference is lawful, necessary, and proportionate to a legitimate aim. Courts balance the subject’s Article 8 rights against the investigator’s purpose when determining whether surveillance was lawful.

In family proceedings, courts have consistently held that surveillance evidence obtained in public places is admissible, even where the subject was unaware of being observed. The subject’s Article 8 rights were not infringed because they had no reasonable expectation of privacy in a public place.

What private investigators can and cannot do

Private investigators in the UK have no special legal powers. They have the same rights as any member of the public. What distinguishes a professional investigator is not additional authority but skill in gathering evidence within legal boundaries and presenting it in a form that courts accept.

Lawful activities:

- Physical observation in public places.
- Photography and videography in public.
- Reviewing publicly available information, including social media, Companies House records, Land Registry data, court records, and electoral registers.
- Conducting interviews with willing participants.
- Receiving information from whistleblowers.
- Analysing financial documents provided by the client.

Unlawful activities:

- Intercepting communications (phone tapping, email interception).
- Accessing computer systems without authorisation.
- Placing tracking devices on vehicles they do not own.
- Trespassing on private property.
- Impersonating police officers or other officials.
- Bribing public officials for information.
- Obtaining personal data from confidential databases through deception (known as blagging).

Surveillance in the workplace

Workplace surveillance is a growing area of law, particularly with the increase in remote and hybrid working. The ICO published updated employment practices guidance in 2023 that addresses monitoring of remote workers.

Key principles for lawful workplace surveillance:

- Inform employees in advance through policies and employment contracts.
- Use the least intrusive method available.
- Conduct a data protection impact assessment before implementing monitoring.
- Review the monitoring periodically to ensure it remains proportionate.
- Do not monitor areas where employees have a heightened expectation of privacy (toilets, changing rooms, break rooms used exclusively for personal time).

Covert monitoring is only permissible where there is a reasonable suspicion of criminal activity, open monitoring would prejudice the investigation, and a senior manager has approved the surveillance with documented justification. Even then, the monitoring should be time-limited, targeted at specific individuals or activities, and reviewed by someone not involved in the investigation.

Admissibility of surveillance evidence in UK courts

Evidence gathered through surveillance is admissible in UK courts provided it was obtained lawfully. The court has discretion under section 78 of the Police and Criminal Evidence Act 1984 to exclude evidence if admitting it would have such an adverse effect on the fairness of proceedings that it ought not to be admitted.

In civil cases, including family proceedings, the court applies a broader test. Evidence obtained in breach of privacy rights may still be admitted if it is relevant and its probative value outweighs the prejudice caused by the manner of its collection. However, evidence obtained through criminal conduct (phone hacking, computer intrusion) is almost always excluded.

The quality of surveillance evidence matters as much as its legality. Photographs must be clear enough to identify the subject. Video must have timestamps. Observation logs must be contemporaneous and detailed. A professional investigator’s evidence is given more weight than amateur surveillance precisely because it follows established protocols for evidence handling.

Common mistakes that compromise surveillance evidence

Conducting surveillance without a clear objective. “See what they are doing” is not a sufficient basis for surveillance under data protection law. The objective should be specific: “Determine whether the employee is working during the hours they claim to be working” or “Establish whether the claimant’s reported disability prevents them from performing physical activities.”

Continuing surveillance beyond the point at which the objective has been achieved. Once you have the evidence you need, continuing to monitor the person is disproportionate and may amount to harassment.

Failing to maintain proper records. Every surveillance operation should produce a written log that records the date, time, location, observations, and the identity of the operative. Without this log, the evidence lacks context and credibility.

Sharing surveillance evidence unnecessarily. The footage or photographs should be seen only by those who need to see them for the purposes of the investigation or legal proceedings. Circulating surveillance footage of an employee to their colleagues would be a serious data protection breach.

Getting surveillance right

UKPI has conducted surveillance operations across the UK for over 29 years. Every operation we conduct has a documented justification, a defined objective, and a proportionality assessment before the first operative is deployed. Our operatives are accredited, insured, and trained to gather evidence that meets the standards required by UK courts.

If you need surveillance for a legal case, workplace investigation, or personal matter, we can advise on what is lawful, what is proportionate, and what evidence is likely to be admissible. Call us on 0800 043 1754 for a confidential conversation.