
Meet Butlr
Discover what spatial intelligence can do for you.
Thank you! Your submission has been received!
Occupancy sensors are increasingly used in UK workplaces, retail, transport hubs and smart buildings to improve space utilisation, energy efficiency and safety. This guide explains how to select, deploy and manage occupancy sensors in a way that aligns with UK data protection law (UK GDPR and the Data Protection Act 2018) and good privacy practice in 2026. It is practical, vendor-agnostic and includes procurement and deployment checklists you can use today.
What is an occupancy sensor — and what are the privacy risks?
An occupancy sensor detects whether people are present in a space. Sensors use different technologies:
- Passive infrared (PIR) detects motion or heat changes.
- Thermal sensing detects heat signatures without producing visual images.
- Radar, ultrasonic and CO2 sensors infer presence via movement or air quality.
- Camera-based systems use video or images to detect and count people.
Personal data: any information relating to an identifiable person. If sensor outputs can identify or be linked to a person, they are personal data under UK GDPR.
Common privacy risks:
- Identifiability: camera imagery or connected metadata that can identify individuals.
- Unnecessary retention: storing raw sensor data longer than needed.
- Sensitive inferences: deriving health or behaviour insights that are special category data.
- Insufficient transparency: failing to inform people that sensing is happening.
- Weak vendor controls: processors lacking contractual and technical safeguards.
UK legal framework in brief
Key points to know:
- UK GDPR (post‑Brexit) and the Data Protection Act 2018 govern personal data processing in the UK.
- The Information Commissioner’s Office (ICO) provides guidance on privacy-preserving technologies and DPIAs (Data Protection Impact Assessments).
- Lawful basis: identify a lawful basis for processing personal data (e.g., legitimate interests, contract, legal obligation, or consent where appropriate).
- Special category data: health and biometric data require additional safeguards and lawful conditions.
DPIA: a Data Protection Impact Assessment is a risk assessment required when processing is likely to result in high risk to individuals’ rights and freedoms (for example, systematic monitoring of public areas).