Taking and using photos and videos, and using CCTV in schools

Data protection considerations when taking and using photos and videos, or when using CCTV.

Schools routinely take and use photos, videos and CCTV to support learning and help keep pupils, staff and visitors safe.

Images of individuals who can be identified count as personal data. That means schools must handle them in line with data protection legislation. They must follow the same principles that apply to all personal information they collect and use. This section explains what schools need to consider when taking, storing and sharing images.

Taking and using photos and videos in schools

Schools may take and use photos and videos for a variety of purposes, such as:

  • educational activities
  • record-keeping
  • marketing
  • newsletters
  • social media
  • school trips
  • sports events
  • performances
  • classroom displays
  • identity (ID) systems

This guidance provides suggestions to help schools comply with data protection laws when taking and using photos and videos of pupils, staff and other individuals.

It covers how schools can:

  • identify a lawful basis for using photos and videos
  • manage consent and opt-outs
  • use images responsibly
  • store and share images securely
  • ensure their actions are transparent

The Information Commissioner’s Office (ICO) provides guidance on taking and using photos and videos in schools.

The Department for Education provides guidance on CCTV in schools and on protecting children’s biometric information.

Download a template for a letter to parents and carers about record-checking and consent. This includes a section about taking and using photos and videos of pupils in school.

Considering which lawful basis to use

Photos and videos of individuals who can be identified are classed as personal data under data protection law. This means you must have a valid lawful basis before taking, using or sharing them.

There are different lawful bases that you could consider. These include:

  • public task, if you need to take or use a photo or video to allow you to carry out your official duties
  • consent, if the pupil or their parent or carer has agreed that you can take and use a photo or video
  • legitimate interests, if you need to take or use a photo or video because you or a third party has legitimate interests

The ICO provides guidance on the lawful basis for processing personal data.

Using public task as a lawful basis

Photos may be required for school administration, such as:

  • ID cards
  • registers
  • classroom seating plans
  • PE peg labels
  • personal drawer labels

You may therefore rely on public task as a lawful basis because these images are needed to carry out your school’s official duties.

Example: using public task to display a photo of a pupil

There are pupils with allergies and particular dietary requirements. The kitchen staff have access to photos of these pupils to help identify them to ensure they only access food that meets their needs.

Even when processing under public task, pupils, parents or carers can opt out of having their images used. You must consider each opt-out request carefully in line with the right to object in data protection law.

Schools can continue using a photo if they can demonstrate compelling legitimate interests that override the individual’s own interests, rights or freedoms. This means that, even if a parent or carer objects, the school may lawfully continue using the photo if it is necessary and proportionate for a public task such as safeguarding or identification (for example, ID cards or MISs).

You should explain this clearly in your school’s privacy notice and respond to objections in a fair and transparent way. It is also important to have guidance on how to process these requests to ensure they are managed correctly and in accordance with the rights of the data subject under UK General Data Protection Regulation (UK GDPR).

Example: right to object

A parent requests that their child’s photo not be used on a school ID card or PE peg label for privacy or safeguarding reasons. The school considers the request and offers an alternative, such as a coded card or a label without a photo.

The ICO’s right to object guidance provides more information on handling these requests.

If you rely on consent as a lawful basis, it must meet all of the following criteria. It must be:

  • freely given
  • specific
  • informed
  • unambiguous

Consent gives individuals control over how their data is used. It can be withdrawn at any time. Once consent is withdrawn, you must stop using the individual’s data and delete it, unless you have a separate lawful basis to keep or use it.

In most cases, withdrawal of consent means you no longer have a valid reason to process the data. If a photo or video is essential to perform a task, you need to consider if this is the most appropriate lawful basis to use.

Many schools choose to review and refresh consent regularly – for example, every academic year – to make sure records are up to date. Modern MISs can make this easier.

When pupils reach an age where they can understand how their images may be used (often at around the age of 13), it is good practice to ask them directly for consent in addition to or instead of parental or carer consent.

Schools should also consider safeguarding factors when deciding whether a pupil can give valid consent, as some risks may not be fully understood by the pupil.

You must keep clear records of consent, including who gave it, when, how it was given, and what they were told.

Many schools collect parental consent at the start of the school year to record preferences for photo and video use. This helps record individual preferences, but does not always mean you can rely on that consent for all future processing.

If you plan to use images for a new or different purpose, check whether the original consent applies. If it does not, you may need to rely on a different lawful basis or obtain new, valid consent for this particular purpose.

A school collects consent (from pupil, parent or carer) for classroom photos at the start of the year. Later, they plan to create a video montage for a school performance. The original consent may not cover this purpose, so the school checks and obtains new consent.

Consent gives individuals full control over their personal data, which means they have the rights to withdraw this.

A parent withdraws consent for their child’s photo to be used in a project that will be on display to the wider community at an event. The school removes the image and confirms it will not be used in future displays or materials.

Withdrawal requests often happen because of a change in circumstances, such as a safeguarding concern or family situation. Schools should handle these sensitively and in line with safeguarding policies.

If you are unsure which lawful basis is appropriate, use the ICO’s lawful basis checker.

Using legitimate interests as a lawful basis

This lawful basis can be used for a wide variety of purposes related to processing to which the individual has not given consent. You must balance your legitimate interests and the necessity of the processing against the interests, rights and freedoms of the individual.

If using legitimate interests as your lawful basis, you should:

  • carry out a legitimate interests assessment to decide whether the planned use is reasonable
  • seek permission from pupils, parents or carers before using any photos or videos

Permission is different from consent under data protection law, but helps maintain trust and transparency.

If you rely on legitimate interests as your lawful basis, you must give pupils, parents or carers a clear way to opt out of appearing in photos or videos. Explain how they can:

  • opt out when the photo is taken
  • change their mind later

Offering an opt-out doesn’t mean you’re relying on ‘consent’ as a lawful basis under data protection law – you should consider this to be the same as pupils, parents or carers giving you their permission.

Example: offering an opt-out when using legitimate interests

A school uses legitimate interests as its lawful basis to create a sports day noticeboard that includes pupils’ photos.

Although consent is not required, the school asks for permission at the start of the year and provides an option to opt out. This helps build trust and allows families to express their preferences.

When relying on legitimate interests, you must give pupils, parents or carers a clear way to opt out of photos or videos. Explain how they can opt out at the time the photo is taken and how they can change their mind later.

Offering an opt‑out does not mean the school is relying on consent. It simply means families can choose not to take part.

Examples of opting out

A parent initially agrees to their child’s photo being used on the school website, but later opts out. The school must remove the image from the website, social media and future materials. Group photos may need editing or replacing.

If a pupil withdraws permission after a printed prospectus has already been distributed, the school cannot re-call the copies, but must stop using the photo in future versions.

Do not confuse permission with consent under data protection law. Consent must be:

  • clear
  • specific
  • informed
  • freely given

Pupils, parents or carers must:

  • take a clear action to agree
  • be able to withdraw their consent at any time

You can request permission even if relying on a different lawful basis, such as legitimate interests. This helps maintain trust, but does not replace the need for a lawful basis.

Your privacy notices must clearly explain how to opt out and what lawful basis you are using, so it is clear and transparent.

Using photos and videos responsibly

Before taking or publishing an image, check whether any pupils, parents or carers have set restrictions. You do not always need permission from a pupil, parent or carer to take a photo or video, but you should check permissions before using, storing or sharing it.

Do not publish photos or videos of pupils who should not be publicly identified, such as those with safeguarding concerns or under court orders. If you are unsure, consult your school’s safeguarding or data protection lead.

Example: a photo features a pupil with a safeguarding concern

A pupil with a safeguarding concern is in a group photo on a school trip. Before publishing the image online, the school checks with the safeguarding lead and removes the pupil from any images that could identify them.

Being transparent

It is recommended that you publish a clear photo and video policy alongside your privacy notice. This should explain:

  • how your school uses photos and videos
  • where they will be published
  • how long they will be kept

The policy can also set out expectations for pupils, parents, carers and visitors about using personal recording devices on school premises, including how to respect others’ privacy.

Photos must be stored securely and disposed of in line with your data retention policy. If you rely on consent, keep records of who gave it, when, how and what they were told. If a pupil appears in a video, consider whether you can re-edit the footage or need to withdraw it entirely

The ICO provides further guidance on taking and using photos and videos in schools.

Using photos and videos for marketing, school trips, social media and events

Schools may choose to use images for newsletters, websites, prospectuses, social media, school trips, performances, sports days, or classroom displays. The lawful basis of legitimate interests may be appropriate in some cases, but it is recommended that you consider whether the use is necessary, fair and respects the rights of pupils and staff.

Social media often requires extra care. Many schools choose to collect specific consent for posting on platforms such as Facebook, Instagram or X. You should make pupils and parents or carers aware that social media involves wider sharing and may carry higher privacy risks.

Access to school social media accounts should be limited to trained staff who understand your data protection and safeguarding policies. You should avoid relying on a single person to manage these accounts, in case of absence.

Using photos and videos for school administration and internal systems

Photos and videos may be required for school administration, such as ID cards, registers, classroom seating plans, PE peg labels or personal drawers. You may rely on public task as a lawful basis because these images are needed to carry out your school’s official duties.

Taking, storing and sharing photos and videos safely

All images must be stored securely and deleted or disposed of in line with your data retention policy. This applies to photos and videos on memory cards, school cameras, school devices, shared drives or cloud platforms.

Photos and videos taken on a school camera should be transferred to a secure school server as soon as possible. Memory cards should not leave the school unsafely.

If you use an external photographer, ensure the contract clearly defines who is responsible for data protection.

Personal devices such as phones or tablets can automatically back up images to personal cloud accounts. Staff should avoid using personal devices to take or store school photos unless explicitly authorised under your school’s policy and should ensure any images are transferred securely and deleted promptly.

If images are shared with third-party platforms, such as parent apps, social media or cloud services, check that the lawful basis and privacy settings comply with data protection law.

Future-proofing your photo and video use

Technology changes quickly. Schools should review their photo and video practices regularly to ensure they remain lawful, fair and transparent.

You should also train staff, including new starters, to ensure they are aware of their responsibilities and who they should speak to in their school for further advice.

Check that permissions and consent cover new ways of taking or sharing images, including digital learning platforms, social media, tools based on artificial intelligence (AI), or apps used by pupils to submit work.

Example: using new technology

A school introduces an online platform where pupils upload videos of their work. The school updates its photo and video policy and its privacy notice to explain:

  • how images will be used
  • who can access them
  • how consent is managed

If you introduce new systems or platforms, carry out a data protection impact assessment (DPIA) to identify and reduce privacy risks.

Ensure staff are trained and aware of your policies for handling photos and videos responsibly.

Taking personal photos and videos at school events

Even with robust school policies in place, you should also consider how parents and carers, pupils and visitors use their own cameras and devices at events. They often want to take photos or videos during school events such as plays, sports days or trips.

Data protection law does not usually apply when people take and use photos for personal use – for example, to keep in a family album or share privately with friends.

However, you can still set rules to make sure photography does not:

  • disrupt the event
  • include pupils who should not be identified
  • cause safeguarding or welfare concerns

You should explain these rules in your school’s photo and video policy, and remind parents and carers before key events.

If parents or carers share photos or videos of other pupils publicly, such as on social media or websites, this may fall under data protection law. You can ask them to remove the image if it raises privacy or safeguarding concerns.

Volunteers or contractors taking and using photos

Volunteers or contractors helping at events are not taking photos for personal use. They are acting on behalf of the school, so any photos or videos they take must follow your school’s data protection and safeguarding policies. This includes:

  • using school equipment where possible
  • not storing photos on personal devices or personal cloud accounts
  • transferring images securely to the school’s systems as soon as possible

If a volunteer wishes to take a personal photo during an event, they should only do so when not acting for the school and when it does not include identifiable pupils.

Pupils taking and using photos

Pupils may also take and use photos or videos as part of lessons, clubs or trips. If the activity is organised by the school, the same data protection rules apply.

If pupils take photos for personal reasons, such as with friends at a school disco, this is usually personal use and not covered by data protection law. You may still set clear boundaries to prevent disruption or inappropriate sharing.

CCTV

Many schools already use CCTV to enhance the safety and security of their site and protect pupils, staff and visitors. Schools may consider using CCTV to:

  • assist in emergency situations
  • manage lockdowns
  • support the application of internal policies
  • support the safeguarding of pupils
  • provide a sense of security for pupils and staff in school

The use of CCTV in schools must comply with data protection law because it captures images of people, which count as personal data.  This guidance supports you in understanding your responsibilities in line with data protection laws when implementing CCTV.

In addition to data protection law, your use of CCTV must comply with other relevant legislation including the:

  • Freedom of Information Act 2000
  • Protection of Freedoms Act 2012
  • Human Rights Act 1998
  • Surveillance Camera Code of Practice

Considering which lawful basis to use

There are different lawful bases that you could consider. These include:

  • public task, if you need to use CCTV to allow you to carry out your official duties
  • legitimate interests, if you need to take or use CCTV because you or a third party has legitimate interests

If you use the lawful basis of legitimate interests, you need to complete a legitimate interests assessment.

Unlike for photos, consent is not appropriate as a lawful basis for CCTV because:

  • it is unlikely that a school will be able to obtain consent from every person who may be captured on CCTV
  • it is very difficult for people to opt out of

The ICO provides guidance on the lawful basis for processing personal data. It includes an interactive tool to help you determine which lawful basis applies.

Installing, expanding or updating your CCTV

Before considering using CCTV in your school, you need to think about why you want to use it. CCTV can be intrusive and you need to demonstrate that this is the most appropriate method to achieve the outcomes you are looking for.

You must clearly define the purpose for its use to ensure that it is only used to achieve your aims and not for any other reason. While you are defining your purpose, you need to:

  • assess whether CCTV is the most effective option for your school’s needs
  • explore less intrusive alternatives

The use of CCTV should be a proportionate response to the issue you are addressing. If there are other options available, you should carefully consider whether CCTV is truly necessary.

Carrying out a data protection impact assessment

Before installing CCTV, you should also consider if you need to complete a data protection impact assessment (DPIA).

This will help you:

  • assess the risks involved in using CCTV to safeguard the privacy of pupils, staff and visitors
  • explore risks and mitigations to minimise the impact to the rights and freedoms of individuals

You should regularly review and update your DPIA as standard when there are changes to your CCTV technology in particular and your data processing practices in general. 

Example: considering alternative options first

The canteen can get crowded during busy times and you are concerned about overcrowding. You consider all options available to you, including installing further CCTV cameras to monitor crowd levels. You conclude that CCTV is not proportionate to the problem. Instead, you decide to implement a clearer queuing system, change the layout of the canteen to spread out pupils and avoid congestion, and stagger lunch breaks.

Example: using CCTV appropriately for pupil safety

The main stairwell can become very busy at times, with children using it to move around the school for PE, lunch breaks and assemblies. There have been incidents where a child has slipped and fallen off a step. Staff are aware that pupils congregate to have conversations on the stairs and are concerned there may be further accidents.

You have already implemented several measures, including staggered break times. You install CCTV covering the stairwell to monitor safety and be able to provide prompt support if a pupil has an accident or injury.

Example: using CCTV appropriately for school security

Staff have reported incidents where unknown individuals have attempted to access the main entrance. The receptionist felt unsafe when she was approached by these individuals. You escalated the incidents in line with your internal policies and determined that it was proportionate to the problem to implement additional security measures. To protect pupils, staff, visitors and property, the school placed CCTV on the main entrance doors and gates.

Being transparent

Consult your school’s data protection officer before deciding where to place cameras. They can help ensure your plans meet your data protection and safeguarding responsibilities.

 If you decide to install CCTV you must:

  • consult with pupils, parents or carers and staff
  • explain where the cameras will be
  • explain what the footage will be used for

You must be open and honest about your use of CCTV.

This means:

  • placing signs where CCTV is in use
  • updating your privacy notices
  • telling staff:
    • for what purposes you are using CCTV
    • for how long the footage will be kept
    • with whom it may be shared

You must ensure there are clearly visible signs in place to inform people that CCTV is in use and explain its purpose. This ensures transparency and helps build trust with pupils, parents or carers and staff about the use of CCTV.

Any guidance you create must be regularly reviewed to ensure it reflects the changes to the use of CCTV, including any modern advancements.

Considering types of CCTV

When choosing the type of CCTV that you will use, you should ensure it:

  • achieves the purpose for which you are intending to use it
  • will not collect additional unnecessary personal data

It must be:

  • of good quality
  • adequate
  • relevant
  • limited to what is necessary  

You should think carefully about the types of technology your CCTV system will use. Avoid CCTV with live facial-recognition technology. It uses sensitive biometric data that poses a high risk to the rights and freedoms of pupils, staff and visitors. You would need a very strong justification for using it, which is unlikely to apply in most schools. If the system you choose contains this feature, switch it off by default and ensure this type of data is not processed.

You should not use CCTV to record conversations. This is highly intrusive and unlikely to be justifiable. In most situations, the use of audio recording, particularly where it is continuous, is considered more privacy-intrusive than purely visual recording. You should switch off by default any capability to record audio if the system you choose has this as standard, ensuring it is not collected.

You should position cameras where there is a clear need, ensuring their use is:

  • justified
  • proportionate
  • respects the privacy of pupils, staff and visitors

If the cameras have a wider surveillance range than the area you are required to monitor, this should be restricted to capture only the relevant area.

The Department for Education provides guidance on the technical requirements for digital technology in schools as part of its estate management information.

Installing updates

CCTV is not a new technology, but as technology develops and CCTV systems are maintained, it may be that updates are required. You should cover this in your DPIA to ensure that any risks are identified, particularly if the processing might include personal data that a pupil, staff member, parent or carer would not expect.

When updates are installed, you must check the system and settings to ensure no further personal data will be captured by the changes. This includes checking that any features you switched off, such as facial recognition or audio, remain switch off by default.

Using automatic number-plate recognition (ANPR)

You may consider the use of ANPR systems in car parks. These can collect and analyse large quantities of personal data in real time. You should consider their use carefully.

ANPR systems generally capture information about a vehicle, including the registration mark displayed on its number plate and the time, date and location of the vehicle. This information is classed as personal data because, by simply processing it for that particular purpose, you can link it to an identifiable individual.

When using an ANPR system, you need to complete a DPIA to ensure your use of it is proportionate and necessary. You will need to document how you will only capture the relevant information to achieve your purpose. You will also need to install prominent signs that explain how car park users can contact you if they have a query.

Record-keeping

You must have clear, documented processes for reviewing and managing CCTV footage. Only staff who are trained and authorised should be able to access it, and it must be deleted securely, in line with your retention policy.

Your subject access request policy should cover CCTV, as people can ask to see any footage you have recorded of them. You must respond to such a request within one calendar month of receiving it.

Retaining CCTV footage

Data protection laws do not prescribe any specific minimum or maximum retention periods for CCTV footage. It is the purpose of your processing that should determine for how long you retain it. If it is held for too long, it will become unnecessary and you will be unlikely to have a valid lawful basis for keeping it.

The retention period should be set for the shortest period that meets your purpose and the footage should be deleted when no longer required. This should not be determined by the storage capacity or the manufacturer’s settings for the system you use. Just because the data can be stored and might be useful in the future is not a valid reason for retaining it.

Managing who has access and security

You should store recorded information securely to maintain its:

  • confidentiality
  • integrity
  • availability

Only approved members of staff should have access to view and manage CCTV footage. This is to ensure you protect the rights of pupils, staff and visitors.  It is important to regularly check you can access the CCTV to ensure that, as staff move roles or leave the school, those access rights remain appropriate.

You also need to ensure that the information is secure and, where necessary, encrypted, to help prevent unauthorised access to personal data. If encryption is not possible, there are other technical methods you can implement. Those include ensuring:

  • only specific staff have access
  • there are safeguards in place
  • the rooms that host the CCTV are secure
  • software updates are applied
  • the staff who use the system are:
    • trained in its use
    • understand your policies on protecting personal data

The ICO provides guidance and a checklist of data protection requirements for CCTV.