CCTV Policy for Schools: UK Compliance Guide for Education Settings

Schools install CCTV for the same reasons businesses do — security, theft prevention, safeguarding. But recording children introduces additional obligations that a generic CCTV policy doesn't cover. Governors, headteachers, and school business managers who treat school CCTV as "the same as any other building" are missing critical requirements.

This guide covers what a UK school CCTV policy must include, where education settings differ from commercial premises, and the specific pitfalls that catch schools out.

Why Schools Need a Specific CCTV Policy

A general CCTV data protection policy covers the core obligations: lawful basis, retention, access controls, subject access requests. A school policy needs all of that plus:

Children's data protections — UK GDPR Recital 38 states that children "merit specific protection" regarding their personal data. The ICO weighs children's privacy interests more heavily than adults' in any proportionality assessment.
Parental awareness — parents and carers must be informed that children are recorded, what the footage is used for, and how they can exercise rights on behalf of their children.
Safeguarding integration — CCTV footage may become evidence in safeguarding investigations. Your policy needs to address how this intersects with your safeguarding procedures.
Staff monitoring considerations — teachers and support staff are employees whose rights under employment law interact with CCTV monitoring. Union consultation may be expected.
Governor oversight — the governing body (or academy trust board) is typically the data controller and must approve the policy.

What Your School CCTV Policy Must Include

1. Data Controller Identity

State who is responsible for the CCTV system. For maintained schools, this is usually the governing body. For academies, it's the academy trust. Name the organisation, provide a contact address, and identify the Data Protection Officer (DPO) if one is appointed.

Schools with more than 250 employees, or any school that is a public authority (which includes maintained schools and most academies), are required to have a DPO under UK GDPR Article 37. The DPO should be named in the policy.

2. Purpose of CCTV

Be specific about why cameras are installed. Generic "security" is insufficient. Typical lawful purposes for school CCTV:

Safeguarding pupils — monitoring entrances and exits, perimeter security, preventing unauthorised access to the site
Deterring and detecting crime — theft, vandalism, trespass
Staff and pupil safety — monitoring corridors, car parks, and drop-off areas
Supporting disciplinary investigations — where incidents are captured on camera

Critical distinction: You cannot use CCTV to generally monitor pupil behaviour or teacher performance. If your cameras exist for "security," reviewing footage to check whether a teacher followed the lesson plan is purpose creep — and a data protection violation.

3. Camera Locations and Coverage

Document every camera location and what it covers. Your policy should include a camera schedule (a table or appendix listing each camera) and be consistent with your DPIA.

Areas where cameras are typically proportionate:

External building entrances and exits
Car parks and drop-off zones
Perimeter fencing and gates
Main corridors and stairwells
Bike storage areas

Areas where cameras are difficult to justify:

Classrooms — recording lessons raises significant proportionality issues. The ICO would expect strong justification (specific documented incidents, no less intrusive alternative) and union/staff consultation before classroom cameras are installed.
Staff rooms and offices — high privacy expectation. Almost never proportionate.
Toilets and changing rooms — never lawful to place cameras in these areas, regardless of safeguarding concerns.
Playgrounds — depends on context. Perimeter-facing cameras for security are easier to justify than cameras systematically monitoring children's behaviour during break times.

4. Lawful Basis

Most schools rely on legitimate interests (UK GDPR Article 6(1)(f)) or public task (Article 6(1)(e)) as their lawful basis.

Public task is often the stronger basis for maintained schools and academies: the school has a statutory duty to safeguard pupils (under the Education Act 2002, Section 175 for maintained schools, Section 157 for academies), and CCTV can be a proportionate measure to fulfil that duty.

Legitimate interests works where the public task basis doesn't clearly apply — for example, protecting school property from vandalism.

Whichever basis you choose, document the reasoning in your DPIA and reference it in the policy.

5. Retention Periods

The same storage limitation principle applies: keep footage only as long as necessary. For schools, the ICO's general CCTV guidance applies — there is no education-specific retention period.

Typical school CCTV retention:

Purpose	Recommended Retention
General security (entrances, corridors, perimeter)	30 days
Car park and drop-off monitoring	14–30 days
Incident-related (safeguarding, disciplinary, criminal)	Duration of investigation plus any appeals period

Safeguarding footage: If footage is relevant to a safeguarding concern, preserve it immediately and flag it to your Designated Safeguarding Lead (DSL). Do not allow it to be overwritten by normal retention cycles. Document the reason for preservation and the date it was flagged.

Use our retention calculator to determine appropriate periods for each camera group.

6. Access Controls

Restrict access to footage to named individuals with specific roles:

Headteacher / Principal — overall access for incident review and DSL-related matters
Site manager / facilities — technical access for system maintenance and camera positioning
DPO — oversight access for compliance monitoring

Access should be via individual credentials, not a shared password. Log who accessed footage, when, and why. This is an accountability requirement — if the ICO investigates, they'll ask for access logs.

Who should NOT have routine access: Class teachers, teaching assistants, governors (unless specifically authorised for a particular investigation), parents, pupils.

7. Subject Access Requests

Parents and carers can submit a subject access request for footage of their child. Pupils aged 13 and over can submit their own SAR, provided they have sufficient understanding — though in practice most will come via parents.

Key differences from business DSARs:

Third-party redaction is more complex. School footage almost always shows multiple children. Before releasing footage of one child, you must redact or blur other identifiable children. This is the same obligation businesses face with third-party data, but schools have more of it in every frame.
Safeguarding override. If releasing footage could put a child at risk — for example, revealing the location of a child in a safeguarding situation — you may need to refuse the request under the safeguarding exemption. Seek DPO or legal advice before refusing.
Staff in footage. Footage will likely show staff. Teachers' personal data rights apply — you cannot release footage that identifies a teacher to a parent without either the teacher's consent or another lawful basis for disclosure.

The one-month deadline applies from receipt of a valid request. For the full process, see our DSAR guide.

8. Signage

The same signage requirements apply to schools as to any other premises. Signs must be displayed before entry to surveilled areas and must include the data controller's name, purpose, and contact details.

Additional consideration: Signs should be understandable to parents and older pupils — avoid dense legal language that only a DPO would read.

9. Staff Consultation

Before installing or changing CCTV that monitors areas where staff work, consult with staff and their union representatives. This isn't just good practice — your DPIA requires evidence of consultation with affected individuals.

Document the consultation: when it happened, who was involved, what concerns were raised, and how they were addressed. If a union raised objections and you proceeded anyway, document why.

10. Review and Governance

Annual review — the policy should be reviewed at least annually, typically by the governing body or trust board
DPIA review — whenever cameras are added, moved, or upgraded
Incident-triggered review — after any data breach, ICO complaint, or safeguarding investigation that involved CCTV footage

Common Mistakes in School CCTV Policies

Using a business template unchanged. A school is not a shop. Children's data, safeguarding duties, governor responsibilities, and DPO requirements all need specific treatment. A generic policy that mentions "customers" instead of "pupils" will not satisfy the ICO.

No DPIA. Schools are particularly likely to need a DPIA because they systematically monitor a public-access area (the school is accessible to pupils, parents, staff, and visitors) involving children's data. If you don't have a DPIA, this is your highest-priority gap.

Cameras in classrooms without justification. "We want to be able to review incidents" is not sufficient justification for recording every lesson. The ICO would expect evidence of specific, documented incidents that cannot be addressed by less intrusive means (such as additional staff presence, behaviour policies, or corridor cameras).

Not informing parents. Parents must know that their children are recorded at school, what the footage is used for, and how to exercise their rights. Include CCTV information in your privacy notice (which you should already provide to parents), reference it in admission documents, and display signage at every entrance.

Footage shared informally. Showing footage to a parent in the headteacher's office to "prove" what happened in a bullying incident is a data disclosure. If other children are visible and identifiable in the footage, you've just disclosed their personal data without a lawful basis. Redact first, or describe what the footage shows without displaying it.

Connecting the Policy to Your Broader Compliance

Your CCTV policy doesn't exist in isolation:

Privacy notice — your school privacy notice (provided to parents and staff) must reference CCTV
DPIA — your DPIA must be consistent with the policy on purposes, retention, and access
Data protection fee — schools processing personal data must pay the ICO data protection fee
Safeguarding policy — cross-reference how CCTV footage is handled in safeguarding investigations
Staff acceptable use policy — if applicable, reference CCTV in relation to staff monitoring

For a complete view of CCTV obligations, read our UK CCTV regulations guide. To check your school's compliance position against all requirements, use our free compliance checker.

This guide covers CCTV policy requirements for UK schools under UK GDPR, the Data Protection Act 2018, and relevant education legislation as of March 2026. Schools with complex deployments (facial recognition for attendance, body-worn cameras, multi-site trusts) should seek specialist data protection advice. This is not legal advice.