Caught on Camera: Getting CCTV Right in Schools

DPIAs are a process required under UK GDPR when an organisation is planning any activity that is likely to pose a high risk to individuals’ privacy. CCTV is classed as high-risk processing because it is intrusive and continuous.

New CCTV: You must do a DPIA before installation.

Current CCTV: If your CCTV has been in operation for several years and is ready to be upgraded, you should do a DPIA, as it's considered new technology with more risk. A common question we get is, ‘What should I do if our CCTV system was implemented pre-2018?’ A DPIA won't be automatically required, but if the purpose has changed or you have concerns, it's strongly recommended to carry out a review of an existing DPIA or do a new one. 

CCTV LOG

• Keep a record of any previous requests, who they came from and why
• Monitor who can view the footage, when and how often

Every school setting will be different, so consider the appropriateness of who has access to CCTV footage and why it is necessary.

Data requests

This can often be requested by the police.

This can be an uncertain area for most schools, as providing that footage means you’re sharing the data of all individuals caught within the video.  

Consider before providing the footage: 

• Whether the request is specific enough – have they filled in a data request form or simply phoned into school to request this without giving a valid reason?  

• Are individuals identifiable 

• Does your CCTV have the capability to blur / crop 

• Is there a different method you can use outside of providing the footage? 

• This is considered to be a subject access request, so schools must follow the ICO guidance when releasing the footage. 

What Steps to Take to Minimise Data Protection Risk

How Long Should You Keep CCTV Footage?  

There is no legal time frame for how long to maintain footage. Essentially, the guidance is that you should only keep footage for as long as necessary. Practically speaking, most footage should be kept for no longer than 30 days, and your retention limit should be outlined in your Data Retention Policy and CCTV Policy.  

The only time you may hold footage for longer is when there is a concern, such as when someone has made a data request.   

Is It Okay to Fit CCTV Cameras in Any Location? 

Externally: To the best of your ability, these should not cover people's houses or public footpaths. This is not always possible when cameras are facing the front/back gate. Some overspill is okay, just as long as it is not facing into another property.  

Internally: Avoid CCTV in sensitive areas such as bathrooms, toilets, and changing rooms, which are places where pupils and staff have a high expectation of privacy.   

As part of improving our CCTV governance, we’ve been working closely and openly with the ICO, especially when looking at higher‑risk areas, such as spaces near bathroom facilities. 

We carried out a series of DPIAs, and instead of avoiding the difficult questions, we actively brought the grey areas to the ICO’s attention. The aim was to understand the risks properly and make sure they were addressed in the right way. 

Through those conversations, the ICO advised us to pause submitting further DPIAs while they undertook a wider review of CCTV use in and around bathroom environments. 

Our engagement helped highlight this as an area that needs broader regulatory guidance, and it reflects our commitment to taking a responsible, leading role in shaping good practice in a space where the rules are still evolving. 

How Can We Cover the Data Protection Principle of Transparency?  

Make sure staff, parents and pupils are aware that CCTV is in operation. This can be done through appropriate signage in areas where CCTV is located and recording. Appropriate signage should be clear that CCTV is in operation, there should be a named contact and a method to contact that individual, e.g. a phone number. Where CCTV is yet to be implemented – informing the various stakeholders in the school, either via letters, briefings sessions, or consultations, is a great way to field any concerns early.

If your school has a lot of CCTV,  you do not need signage for every camera. However, there should be sufficient and clear signage in areas with high presence of CCTV throughout the school premises.

Key takeaways

1. Consult your DPO before installing/upgrading CCTV. 
2. Review whether a DPIA is necessary. 
3. Consider camera placement and awareness.
4. Have a specific CCTV policy.
5. Speak to your DPO when handling data requests.

Don't Miss our next DPO Digest on CCTV in School Settings 

Tuesday 21st April | 10-10:45am 

Register Here

How Judicium can help...

You can find information regarding our School Data Protection Officer (DPO) service here.

Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, Governors and other SLT to monitor GDPR compliance; and to assist you in managing your data protection.

If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.

If you require any support in any of these steps or would like to talk to someone about some support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.

 Follow us on Twitter: @DPOforSchools and @JudiciumEDU.

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you from accessing our sessions and/or follow-up content.