CCTV in Schools and UK GDPR: What Your Data Protection Policy Actually Needs to Cover

Installing CCTV in a school is not complicated. Ensuring it is operated in a way that is legally compliant, documented well enough to survive an ICO inquiry, and consistent with the school's safeguarding policy is considerably more involved. We see a lot of school CCTV systems that are technically sound — good camera placement, solid recording infrastructure, reliable remote access — and paperwork that would not withstand scrutiny.

This matters for two reasons. First, the ICO has the power to issue enforcement notices and financial penalties to schools that operate CCTV in breach of data protection law. Second, Ofsted's updated inspection framework assesses whether schools can evidence that their safeguarding arrangements are properly documented and governed — and CCTV is part of that picture. Cameras without a proper policy are not a neutral asset. They are a liability.

The legal framework schools are working within

UK GDPR and the Data Protection Act 2018 are the primary legislation. CCTV footage is personal data because individuals — staff, pupils, visitors — can be identified from it. Processing personal data requires a lawful basis. For schools, the relevant bases are typically legitimate interests (security and safeguarding of the site) or legal obligation (where a specific legal duty requires the processing). Schools must document which basis applies and be able to explain it.

The ICO's CCTV guidance sets out the key operational requirements: a written policy, a data protection impact assessment (DPIA) before installing or significantly changing the system, appropriate signage, defined retention periods, a process for handling subject access requests, and controls on who can access footage and for what purpose.

Relevant authorities — which includes local authority maintained schools — must also have regard to the Surveillance Camera Code of Practice issued under the Protection of Freedoms Act 2012. The Code sets out twelve guiding principles for the operation of surveillance cameras in public spaces. It is not binding on academies and independent schools in the same way, but following it is good practice and provides a defensible framework.

What a DPIA for school CCTV should cover

A Data Protection Impact Assessment is required before installing CCTV in a new area or making significant changes to an existing system — adding cameras, changing retention periods, introducing remote access. It is not a form to be filled in after the work is done. It is a structured assessment of the privacy impact of the proposed processing, carried out before implementation.

For school CCTV, a DPIA should address: why CCTV is needed in each specific area and what it is intended to achieve; whether less intrusive means could achieve the same purpose; who will have access to live and recorded footage; how long footage will be retained and why that period is proportionate; what the risks are to the privacy of pupils, staff and visitors; and what controls are in place to mitigate those risks.

Pupil areas require particular care. There is a strong argument for CCTV coverage of corridors, entrances, outdoor spaces, and communal areas — these are the areas where safeguarding incidents are most likely to be captured on camera, and the legitimate interests justification is clear. CCTV in classrooms or other enclosed learning spaces is considerably harder to justify and should only be considered where a specific, documented risk requires it.

Retention periods for schools

The standard 31-day retention period that is commonly recommended for general commercial CCTV is often too short for a school context. Safeguarding investigations — particularly allegations against staff — may not surface until weeks after the relevant events. A pupil or parent may make a complaint about an incident that took place a month ago. If the footage has already been overwritten, the school has lost potentially important evidence.

Many schools operate a 90-day retention period for this reason. This is longer than the ICO's general guidance would suggest as a default, but it is defensible given the safeguarding context provided the policy documents the reasoning. The ICO's approach is proportionality, not a fixed number — a 90-day period that is properly justified is more legally sound than a 31-day period that was chosen because someone read it online.

Where footage is retained in connection with a specific incident, investigation, or subject access request, it should be preserved separately from the rolling overwrite and kept until the matter is resolved. Most NVR systems allow footage to be locked or exported for this purpose. This should be part of your procedure — not an afterthought when an incident actually arises.

Signage requirements

Every area covered by CCTV must have signage that is visible at the point of entry to that area. Signage should identify the data controller — the school — provide a contact point for enquiries and subject access requests, and explain the general purpose of the cameras. The ICO provides a template, and there are GDPR-compliant signs available from various suppliers.

A single sign at the main entrance to the school site is not sufficient if cameras also cover areas accessible from other entrances. Car parks, sports facilities, external areas, and secondary entrances all need their own signage if they are covered. This is one of the most commonly missed requirements in school CCTV installations we review.

Access controls and the audit trail

The CCTV policy should specify who is authorised to access live footage and who can access recordings, under what circumstances, and with what authorisation process. Typically, this means the headteacher, the designated safeguarding lead, and the business manager — with access by other staff only under specific authorisation from one of those three.

Access to CCTV footage by police, local authority officers, or other third parties should be recorded. The school's data protection officer should be informed of any third-party access request, and the request and response should be documented. This creates the audit trail that the ICO would expect to see if a complaint were ever made about the school's CCTV operation.

Where CCTV is installed and maintained by a third-party contractor — which is common — the school must have a data processing agreement in place with that contractor. This is a specific requirement of UK GDPR where a data processor handles personal data on behalf of a controller. If the installer retains remote access to your system, they are a processor. If they have not been issued a data processing agreement, that is a compliance gap that needs addressing.

Putting it together

A school with a well-operated CCTV system should have: a written CCTV policy reviewed annually; a DPIA on file for each phase of the system; compliant signage at every monitored area; a defined retention period with documented reasoning; a clear access control policy specifying who can view footage and when; a data processing agreement with the installation contractor; and a procedure for handling subject access requests and third-party access requests.

If your school's CCTV system was installed more than three years ago and the paperwork has not been reviewed since, it is unlikely to meet current ICO expectations. A survey from us will identify technical gaps in the system. For the data protection documentation, your DPO or data protection adviser should lead — but we can flag what we commonly find missing, and can confirm what your system actually does in terms of retention, access and remote connectivity.