Best Practice Update

AI-manipulated images of smiling children, symbolizing the urgent online safety risks for schools

This article combines guidance from the Guardians of Privacy series, produced by Data Protection Education in collaboration with Litus Digital, with urgent new advice issued in May 2026 following confirmed blackmail attempts against UK schools using AI-manipulated images of children. Key sources include the UK Safer Internet Centre (8 May 2026) and the Internet Watch Foundation.

A security camera representing CCTV compliance, UK GDPR, and data protection legal obligations.

Following the popularity of our recent CCTV webinar, we've published some pointers for headteachers, governance professionals, head of operations and estates managers about CCTV compliance.


We discuss the legal obligations and common pitfalls of CCTV surveillance under the UK GDPR and Data Protection law.

Legal Foundations for Organisations

To operate CCTV lawfully, organisations must move beyond just installing camera.

  • Lawful basis - every camera must have a lawful basis.
  • DPIA - is mandatory and should be completed before installation to prove the system is necessary and proportionate/
  • Special category data - CCTV cameras capture sensitive information (i.e. race, health/disability), which requires a specific article 9 condition for processing.

High Risk Locations: Toilets & Changing Rooms

Placing cameras in or near private areas carries extreme legal risk under the Human Rights Act 1998.

  • Expectation of Privacy: pupils and staff have a high expectation of privacy in toilets.
  • Proportionality Test: you must prove that less intrusive methods failed before installing CCTV. This might include increased supervision, better lighting, vaping sensors for example.
  • Criminal Liability: capturing intimate footage of minors can lead to criminal changes.

Top 10 CCTV Compliance Essentials

Mistake

Fix

No DPIA

Conduct an assessment for existing systems immediately.

Wrong Lawful Basis

Update policies appropriately.

Outdated Policy

Review CCTV policies annually; include 2025 Act updates.

Conduct a DPIA for new CCTV systems.

Poor Signage or No Signage

Ensure signs list the operator, purpose, and contact details at appropriate locations. Someone should know they are being filmed!

Excessive Retention

Stick to 14–28 days; set up auto-overwrite.  Ensure your ACTUAL retention period meets your DOCUMENTED retention period in  your retention/CCTV policy. Review our article: The importance of knowing how to access your CCTV footage!

Ensure your footage is long enough to cover a holiday period in the event of a SAR receipt.  Deleting footage relating to a SAR could be a criminal offence (Section 173 Data Protection Act 2018).

Audio Recording

Disable it. Audio capture is rarely justifiable in schools.

No Access Log

Record every time footage is viewed, by whom, and why.

SAR Mishandling

Respond within one month; redact third parties in footage. You will likely need specialised redaction software.

Contact DPE for more advice on CCTV redaction.

Neighbour Privacy

Use digital masking to avoid filming residential properties. Ensure you know what your camera is recording.

Late DPO

 Involvement

Consult your DPO before making system changes.

Summary Checklist

  1. Appoint/Consult a DPO for all CCTV decisions.

  2. Layer your notices: Short signs at entrances, full policy on the website.

  3. Be transparent: Tell parents and staff why and where cameras are used.

  4. Report Breaches: If footage is lost or misused, you must notify the ICO within 72 hours.

Contact for Support: Data Protection Education provides DPO services, DPIA templates, and redaction support. Email: This email address is being protected from spambots. You need JavaScript enabled to view it. | Phone: 0800 0862018

DPE Customers Resources

DPE customers have access to the CCTV Best Practice Area which includes signs, template policies and guidance. We can also do a review of the CCTV when visiting during our data walks (Making the Rounds) or we can come and do a full CCTV Audit.  Customers may also choose to complete the CCTV Checklist as part of their compliance documentation.

DfE Digital Standards guidance for Wi-Fi networks, highlighting new Wi-Fi 7 and Wi

The DfE Wireless Networks is part of the DfE Digital Standards guidance and has recently been updated to include references to Wi-Fi7. You must check with this standard before you plan any Wi-Fi upgrades!


What's New?

There is a now clear guidance that specifies that any new wireless solution or upgrade must, at a minimum, meet the Wi-Fi 8 standard.

What is Wi-Fi 7?

Wi-Fi 7 provides significantly higher throughput and lower latency. In a classroom where 30 students might simultaneously stream high-definition educational videos or engage in augmented reality (AR) lessons, Wi-Fi 7 ensures the connection remains stable and fast.

What is the DfE Wireless Network Standard?

Icon representing the DfE Digital Core Standards for Cyber Security updates in Schools and Colleges. The Wireless Network Standard is part of the set of DfE Digital Standards and one of the main core six which the DfE require schools to be meeting by 2030.

The core sections are:

🛜Wireless Standard

  • A high performance solution is needed to make sure that the speed of the connection does not slow down as more devices connect to the wireless network.

🛜Wireless Signal

  • A good wireless connection relies on signal strength. It's important to make sure there is strong signal coverage in all areas of your school or college where mobile devices are to be used.

🛜Central Management

  • A wireless network will be made up of many wireless access points. A central management solution will allow your support team to monitor and configure your network and identify and resolve issues.

🛜Security Features

  • Your school or college IT networks should prevent access by unauthorised users while providing access to regular and guest users.

Wireless Checklist:

Feature Standard Requirement
Minimum Standard Wi-Fi 7 (802.11be)
Authentication WPA3 / Certificate-based / MFA for admins
Coverage 100% of learning and admin areas (verified by heat maps)
Management Centralized, manufacturer-approved management tool
Resilience Manufacturer warranty and 24/7 support arrangements

When do I need do this?

Whenever you upgrade or change your current Wireless Network, review the latest guidance in the DfE Wireless Network Standards to ensure you are meeting the standard. 

You should upgrade or change your network if it is no longer meeting your device requirements.

DPE Tracker Update

  • Replaced Wi-Fi 6 with Wi-Fi 7 reference and question.
  • Added clear statement about the DfE Cyber Security Standards being one of the six core standards.
  • Additional links to the Cyber Security Standard as a dependency.

Where do I start?

If you're unclear about where to start with this, we would advise initially assigning an SLT digital lead in your organisation and work from there. The responsibility of meeting the standard lies with the school, it is up to you to ask your IT provider if you are meeting the standard and how to meet the standard.  The DfE Digital Standards are a series of standards in document form that help you work towards being cyber resilient in all aspects of the organisation.

Making the Rounds: we will ask some of these questions when we come and visit your school or trust as part of our Making the Rounds or data walk.  We will then provide feedback via a report.

Redaction guide for PEX panels, illustrating how schools manage sensitive information for permanent exclusion

Schools are increasingly required to manage sensitive information in ways that balance transparency, fairness, and data protection. One area that frequently creates confusion is the difference between redaction undertaken for a Subject Access Request (SAR) and redaction applied when preparing documentation for a Permanent Exclusion (PEX) Review Panel. The Redaction Guide for PEX Panels has been introduced to address this issue and provide clear, practical guidance for staff.

  1. Records Management Toolkit: Where do I start with records management?
  2. What type of request have you received? SAR? Educational Record? Or FOI?
  3. SAR Extension Template
  4. Leavers' Memorabilia
  5. Sharing photos on World Book Day: Privacy considerations
  6. Make sure DPE is your registered DPO with the ICO
  7. Supplier Due Diligence Step by Step: Are you sharing personal data with a third party organisation?
  8. Time to kick-start your Clear Desk and Screen policy?
  9. Are Governors the Frontline of Cyber Security? (February 12th is Governors Awareness Day)
  10. DPE Webinar Schedule
  11. The Danger of the 'Data Dump': Why more information isn't always better!
  12. Introducing our new Recording and Transcription Policy
  13. Parents and students covertly recording conversations
  14. New DfE AI Standards
  15. Shareable Snippet: Office Security Best Practices for the Holidays
  16. CCTV Policy update: retention
  17. Shareable Snippet: Confidential waste
  18. Sharing information to safeguard children and young people in the education sector in the UK
  19. Fraud awareness from the DfE
  20. Complaints vs. Data Rights: A Guide
  21. Data Breach: School sends out names and contact details in a spreadsheet.
  22. September 2025 Policy and Document Updates
  23. KCSIE 2025: Data Protection, AI, and Cyber Security
  24. The Online SCR Data Breach: What You Need to Know
  25. Back to School Basics for Data Protection and Cyber Security Compliance
  26. Building a Secure School: Using the ICO Accountability Framework to Meet DfE Digital Standards
  27. Why Physical and Data Security Must Go Hand-In-Hand
  28. Digital Safeguarding: DfE announces statutory DfE Digital Standards
  29. The Data Protection Lead/Champion Role
  30. Changes to the Academy Trust Handbook 2025
  31. Social Media Day 2025
  32. How Ofsted looks at AI during inspection and regulation
  33. Preschool Employment tribunal for the use of WhatsApp
  34. Data Breaches 2025 Report Highlights
  35. Not everyone needs access: The Key to Protecting Sensitive Data
  36. West Lothian Schools in Cyber Attack
  37. National Honesty Day: Transparency
  38. FOI Request - BBC News
  39. Social Media and Marketing Guidelines and Training
  40. New Governor Resources
  41. Does stress lead to more data breaches?
  42. Are teachers using AI? 83% say its a time-saver
  43. DfE Digital Standards - narrowing the digital divide
  44. Arbor AI - On By Default
  45. DfE Guidance: Choosing a new MIS
  46. HCRG Care Group data breach
  47. The Importance of AI literacy and training staff
  48. Short Guide to AI Video
  49. Safer Internet Day, Cyber Security & Data Protection
  50. The Cyber Resilience Championship
  51. The Multiple Dimensions of Supplier Due Diligence
  52. School shares sensitive pupil information as part of an FOI response
  53. AI (Artificial Intelligence) Best Practice Area & Policy
  54. Blacon High School Cyber Attack
  55. WhatsApp and FOI's: ICO Warnings
  56. New AI Guidance from the DfE
  57. What the proposed Government legislative proposal around cyber crime means
  58. ICO report on AI tools in recruitment
  59. DfE update to record keeping and management
  60. Update to data sharing for school immunisation programmes
  61. Early Years Settings and Cyber Security
  62. SLT Digital Lead Profile
  63. The role of governors in cyber security and data protection
  64. Navigating Privacy at the End of Term , Special Occasions and End of Year
  65. Contracts Register
  66. DfE Digital Standards Autumn Update
  67. The importance of knowing how to access your CCTV footage!
  68. Cyber Attack on a Special School
  69. Stealing children's data
  70. What is dark data? (and why does it matter?)
  71. Ofqual highlights the value of cyber security training in schools
  72. Searching for data when you receive a Subject Access Request
  73. Fylde Coast Academy Trust Cyber Attack This Week
  74. Calling all IT leads in schools and mult academy trusts!
  75. Ransomware cyber attack on a school in Bromley
  76. Join Our Social Media Family!
  77. School hit by Cyber Attack
  78. Cyber Security Best Practice Area
  79. DfE Digital Standards for Schools and Colleges Tracker
  80. New Policies, Documents, Letters and Posters page
  81. Schools and Trusts Best Practice Area
  82. The DPE Retention Schedule
  83. Making the Rounds Update (now includes reporting)
  84. ESFA Cyber Essentials Requirement for Colleges from 2024/2025
  85. ICO Reprimands a School
  86. Out of date technology
  87. Data Retention and the Pupil File
  88. Have you assigned your SLT Digital Lead yet?
  89. Getting Started with AI (Artificial Intelligence)
  90. Cyber attack on a school during half term
  91. The rise of cyber attacks in schools are causing pupils to miss classes
  92. ICO: Learning from the mistakes of others report
  93. Cyber attack on a Trust; the aftermath
  94. School Focus: The Vale Federation | Aylesbury
  95. DfE Dealing with Subject Access Requests (SARs) Guidance
  96. Update to the Guidance on Information Sharing from the DfE
  97. FOI Requests generated by Artificial Intelligence
  98. Social Media Best Practice Area
  99. Lettings Best Practice Area
  100. MFA Bombing - What is it?
  101. Protecting your Social Media Accounts
  102. Checklists - Are They Your Most Powerful Compliance Tool?
  103. Product Focus on Checklists : Initial Trust Plan
  104. Product Focus on Checklists : End of Term Checklist
  105. Product Focus on Checklists : Information and Cyber Security
  106. Product Focus on Checklists : Social Media
  107. Product Focus on Checklists : Lettings
  108. Product Focus on Checklists : Record of Processing
  109. Milk Island: The secret location that allows children to view restricted content on Google Maps
  110. Why Data Should Stay Put: Benefits of Keeping Data in Its Original System
  111. Product Focus on Checklists : Data Retention and Destruction
  112. Product Focus on Checklists : Data Migration
  113. Product Focus on Checklists : Biometrics
  114. Product Focus on Checklists : Supplier Due Diligence
  115. Free Cyber help, advice and training with the Cyber Resilience Centres
  116. The Perils of Paper: The Printing Vulnerability
  117. Product Focus on Checklists : FOI
  118. Product Focus on Checklists : Governors and Data
  119. Product Focus on Checklists : DPIA
  120. Product Focus on Checklists : Site Moves
  121. Product Focus on Checklists : Data Breaches
  122. Product Focus on Checklists : Subject Access Requests
  123. Product Focus on Checklists : Bring your own device
  124. Product Focus on Checklists : Working out of school/offsite
  125. Cyber Attack on a School
  126. Product Focus on Checklists : Redaction
  127. Why Due Diligence is Important: Fake apps
  128. Product Focus on Checklists : CCTV
  129. Product Focus on Checklists : Clear desk
  130. Product Focus on Checklists : Commitment to compliance
  131. Product Focus on Checklists : Photos and video
  132. Product Focus on Checklists : Passwords
  133. Product Focus on Checklists : Information Classification
  134. Free cyber training for staff
  135. DfE Digital Standards Update
  136. The Mother of all Breaches
  137. International Data Transfers (part 1): Navigating Cross-Border Data Transfers: Understanding EU SCCs, UK Addendum, and UK IDTA
  138. ClassCharts Possible Data Breach
  139. Where is your data stored?
  140. IAPP looks at AI privacy risks
  141. If you suspect a financial scam .....
  142. School Focus: St Bernadette's Catholic Primary School | Brighton
  143. Guardians of Privacy: 16. Social Media Checklist
  144. Guardians of Privacy: 15. Navigating Social Media in Educational Settings Summary
  145. Guardians of Privacy: 14. Social Media and Cyber Bullying
  146. Guardians of Privacy: 13. Social Media, Copyright and Intellectual Property
  147. Guardians of Privacy: 12. Social Media and Going Viral
  148. Guardians of Privacy: 11. Staff Social Media Accounts
  149. Guardians of Privacy: 10. Social Media and Cookies
  150. Guardians of Privacy: 9. Social Media and Morality
  151. New Resources for Schools from the ICO
  152. Guardians of Privacy: 8. Social Media Policies
  153. Guardians of Privacy: 7. Social Media Data Retention
  154. Guardians of Privacy: 6. Posting Safely
  155. Guardians of Privacy: 5. Social Media and Consent
  156. Guardians of Privacy: 4. Social Media Access Control
  157. Guardians of Privacy: 3. Social Media Channels
  158. Guardians of Privacy: 2. Law and Regulations
  159. The ICO reprimands a Multi Academy Trust
  160. Guidance for the use of school email and applying email retention in schools
  161. Data Protection Tips for Early Years Settings
  162. Children's Privacy around the world is a puzzle
  163. Trust Initial Plan Checklist Update
  164. Records Management Best Practice Update
  165. What do I need to redact?
  166. Trust Initial Plan for Data Protection Compliance (for Multi Academy Trusts)
  167. Google for Education Resources: Helping IT Admins meet DfE digital and technology standards
  168. Lettings Best Practice and Guidance
  169. Considerations when migrating to a new MIS
  170. Public bodies and sensitive data
  171. Get a DPE Badge for your website!
  172. ICO: 10 Step guide to sharing information to safeguard children
  173. Help after a Cyber Attack/Incident
  174. Data Protection and Cyber Security (Inset Day) Training Ideas
  175. How KCSIE is linked to Cyber Strategy
  176. Handling Freedom of Information Requests the right way
  177. Where's Harry the Hacker?
  178. The ICO Reprimands a school
  179. Redaction Guidelines Updated
  180. Using WhatsApp in Schools
  181. How to contact us for support, subject access requests, data breaches and FOI's
  182. FOI: Reinforced Autoclaved Aerated Concrete
  183. FOI: Henry Jackson Society
  184. FOI: Vaccination Justifications
  185. How the Record of Processing Can Help You
  186. What does a Data Protection Officer Do?
  187. Carrying out Supplier Due Diligence
  188. How Long Should You Keep Personal Data For?
  189. B&H FoI: Racist/religious incidents/bullying
  190. Protocol for Setting Up and Delivery of Online Teaching and Learning
  191. Class Dojo International Data Sharing
  192. Model Publication Scheme: Amendments, Improvements and Updates
  193. Transparency
  194. Research projects and GDPR
  195. Secure file transfer of files using Royal Mail
  196. Emergency contacts and consent
  197. Key elements of a successful DPIA
  198. FOI Publication Schemes
  199. Best Practice for Managing Photos and Video
  200. New Drip Feeds: Recognise and Respond to Subject Access Request
  201. When to contact the Data Protection Officer?
  202. National child measurement programme
  203. Headteacher fined for breach of data protection legislation
  204. Acceptable Use Policy

Search