Public Sector May 2025 6 min read

CCTV and Data Protection: The ICO Requirements Every Organisation Must Meet

Operating CCTV means operating a data processing system. The moment a camera captures an image of an identifiable individual, you are processing personal data, and UK GDPR applies. For schools and public sector organisations — which often operate CCTV across multiple sites, in complex environments, and with multiple categories of data subjects — the compliance obligations are real and the consequences of getting them wrong are significant. This guide sets out what the ICO expects and what you need to have in place.

Before You Turn the Camera On: Purpose and Lawful Basis

The ICO's starting point is straightforward: you need a specific, documented purpose for operating CCTV, and you need a lawful basis under UK GDPR for processing the personal data it captures. For schools and public sector bodies, the most common lawful basis is legitimate interests — the organisation has a legitimate interest in protecting its premises, its people, and its assets that justifies the processing.

This means conducting and documenting a Legitimate Interests Assessment before the system is commissioned. The assessment must show that the purpose is genuine, that CCTV is a proportionate means of achieving it, and that the interests of the people being filmed do not override the organisation's legitimate interest. This is not a formality — it is the document you would need to produce if the ICO came knocking.

Purpose limitation follows directly: CCTV footage collected for site security cannot be used for performance management, disciplinary purposes unrelated to the security function, or any other use not covered by the original purpose statement.

Transparency: Signage and Policy

Individuals have a right to know they are being filmed. This does not mean obtaining consent from every person who enters your premises — it means making the fact of surveillance sufficiently clear that someone exercising reasonable attention would be aware of it before entering the monitored area.

ICO guidance requires signs to be visible at the point of entry to monitored areas, to identify the organisation operating the system, and to direct individuals to a full privacy notice. A sign that simply says "CCTV in operation" without the organisation's identity or a contact point does not meet the standard.

Your CCTV policy should be publicly accessible — for schools, on the school website. It should cover the purpose of the system, the lawful basis, which areas are monitored, how long footage is retained, who can access it and on what basis, and how individuals can make a Subject Access Request.

Retention: The 30-Day Rule and Its Exceptions

The ICO recommends that most organisations retain CCTV footage for no longer than 30 days, and that the retention period is automatically enforced by the recording system rather than relying on manual deletion. Footage accumulating indefinitely is a data protection liability — data held beyond its purpose, creating a larger exposure in the event of a system breach.

There are legitimate reasons to retain footage beyond 30 days — a live investigation, a pending insurance claim, footage relevant to legal proceedings. In these cases, the decision to retain beyond the standard period should be documented, identifying the specific footage, the reason for extended retention, the anticipated duration, and who has authorised the decision.

Access Controls and Audit Trails

Access to CCTV footage must be restricted to named, authorised individuals with a documented business need. The ICO expects organisations to be able to demonstrate that access is controlled and that every access to footage is logged, including who accessed it, when, and for what purpose.

Physical security of recording equipment matters as much as logical access controls. An NVR in an unlocked cupboard accessible to multiple staff is not a secure system regardless of how robust the software controls are.

Subject Access Requests

Any individual whose image has been captured by your CCTV system has the right to request footage in which they appear. Subject Access Requests must be responded to within one calendar month. Footage provided must be limited to images of the requesting individual — images of other people must be redacted before disclosure.

A Compliance Checklist

Concerned about your organisation's CCTV compliance position?

We design and install CCTV systems with data protection compliance built in from the start — retention configuration, access controls, signage, and policy documentation. We can also review existing installations for compliance gaps.
