Under surveillance: Why your organisation's CCTV might not be compliant
Following the popularity of our recent CCTV webinar, we've published some pointers for headteachers, governance professionals, head of operations and estates managers about CCTV compliance.
We discuss the legal obligations and common pitfalls of CCTV surveillance under the UK GDPR and Data Protection law.
Legal Foundations for Organisations
To operate CCTV lawfully, organisations must move beyond just installing camera.
- Lawful basis - every camera must have a lawful basis.
- DPIA - is mandatory and should be completed before installation to prove the system is necessary and proportionate/
- Special category data - CCTV cameras capture sensitive information (i.e. race, health/disability), which requires a specific article 9 condition for processing.
High Risk Locations: Toilets & Changing Rooms
Placing cameras in or near private areas carries extreme legal risk under the Human Rights Act 1998.
- Expectation of Privacy: pupils and staff have a high expectation of privacy in toilets.
- Proportionality Test: you must prove that less intrusive methods failed before installing CCTV. This might include increased supervision, better lighting, vaping sensors for example.
- Criminal Liability: capturing intimate footage of minors can lead to criminal changes.
Top 10 CCTV Compliance Essentials
Mistake |
Fix |
|
No DPIA
|
Conduct an assessment for existing systems immediately. |
|
Wrong Lawful Basis
|
Update policies appropriately. |
|
Outdated Policy
|
Review CCTV policies annually; include 2025 Act updates. Conduct a DPIA for new CCTV systems. |
|
Poor Signage or No Signage
|
Ensure signs list the operator, purpose, and contact details at appropriate locations. Someone should know they are being filmed! |
|
Excessive Retention
|
Stick to 14–28 days; set up auto-overwrite. Ensure your ACTUAL retention period meets your DOCUMENTED retention period in your retention/CCTV policy. Review our article: The importance of knowing how to access your CCTV footage! Ensure your footage is long enough to cover a holiday period in the event of a SAR receipt. Deleting footage relating to a SAR could be a criminal offence (Section 173 Data Protection Act 2018). |
|
Audio Recording
|
Disable it. Audio capture is rarely justifiable in schools. |
|
No Access Log
|
Record every time footage is viewed, by whom, and why. |
|
SAR Mishandling
|
Respond within one month; redact third parties in footage. You will likely need specialised redaction software. Contact DPE for more advice on CCTV redaction. |
|
Neighbour Privacy
|
Use digital masking to avoid filming residential properties. Ensure you know what your camera is recording. |
|
Late DPO Involvement |
Consult your DPO before making system changes. |
Summary Checklist
-
Appoint/Consult a DPO for all CCTV decisions.
-
Layer your notices: Short signs at entrances, full policy on the website.
-
Be transparent: Tell parents and staff why and where cameras are used.
-
Report Breaches: If footage is lost or misused, you must notify the ICO within 72 hours.
Contact for Support: Data Protection Education provides DPO services, DPIA templates, and redaction support. Email:
This email address is being protected from spambots. You need JavaScript enabled to view it. | Phone: 0800 0862018
DPE Customers Resources
DPE customers have access to the CCTV Best Practice Area which includes signs, template policies and guidance. We can also do a review of the CCTV when visiting during our data walks (Making the Rounds) or we can come and do a full CCTV Audit. Customers may also choose to complete the CCTV Checklist as part of their compliance documentation.