CCTV in schools in 2026 — security, safeguarding, and privacy can (and should) coexist


Schools have always had to think about site security: keeping pupils safe, keeping the premises secure, and keeping the day moving without turning reception into passport control. What’s changed is the threat landscape and the scrutiny.

It’s no longer just “will CCTV deter vandalism?” It’s also “what happens when a camera system is offline?”, “who can access footage remotely?”, “are we accidentally filming private spaces?”, and “can we evidence that our surveillance is lawful, proportionate, and well-governed if a parent, the ICO, governors, or the police ask tomorrow?”

A physical security review that includes CCTV/surveillance should now do three things at once:

  1. Reduce real-world risk (intrusion, violence, vandalism, theft, safeguarding incidents).
  2. Protect privacy and meet UK data protection requirements.
  3. Build resilience and reassurance for stakeholders: parents, governors, staff, insurers, and (in some settings) local authorities and partners.

CCTV is not “just cameras”. It’s a safety system… and a data system.

CCTV footage is usually personal data because people can be identified. That means UK GDPR and the Data Protection Act 2018 apply.

The ICO’s guidance is blunt in the best way: you need a clear lawful basis, clear purpose, transparency (signage and privacy information), and a system that’s operated in a controlled way.

And there’s a second governance layer for many education settings in England and Wales: the Surveillance Camera Code of Practice under the Protection of Freedoms Act 2012, which relevant authorities must “have regard” to when using surveillance camera systems.

In plain English: if you can’t explain why the cameras exist, what they’re for, how long you keep footage, who can view it, and how you stop misuse, you’re carrying avoidable risk.

Stakeholder reassurance: the awkward questions you should be able to answer

Governors, parents and senior leaders tend to ask variations of the same questions (sometimes politely, sometimes at speed, sometimes after an incident):

  • “What problem does CCTV solve here, specifically?”
  • “Are we monitoring pupils or staff in a way that feels excessive?”
  • “What’s our lawful basis — and can we evidence it?”
  • “How do we prevent CCTV being used for ‘mission creep’ (discipline, performance management, curiosity-viewing)?”
  • “If there’s an incident, can we actually retrieve the footage quickly and securely?”
  • “Could our cameras be accessed remotely by the wrong people?”

A decent review turns those into documented answers, with evidence.

Security: what good looks like on a school site

The Department for Education’s site security guidance still holds up as a practical baseline: controlled entry, locked secondary entrances, sensible perimeter measures, and design choices that support safe working.

The National Protective Security Authority (NPSA) goes further on how CCTV supports detection and verification as part of an overall system, rather than being a shiny bolt-on.

A review should test whether CCTV is positioned and configured to support real operational decisions, for example:

  • Reception and main entry: verification before granting access.
  • Perimeter and car parks: coverage that supports detection, not just “pretty footage”.
  • Key internal routes: proportionate coverage where it supports safeguarding and safety.
  • Storage and retention: long enough to investigate, not “forever because storage is cheap”.

Privacy and data protection: where schools most often trip up

These are the common failure points we see across organisations (schools included), because they’re easy to overlook until someone complains.

Lawful basis confusion. Consent is rarely the right answer for CCTV in public spaces; the ICO notes it’s difficult to obtain genuine consent in those contexts, so organisations typically rely on public task (where applicable) or legitimate interests.

No DPIA (or a “thin” one). If surveillance is likely to be high risk, you’re expected to carry out a Data Protection Impact Assessment (DPIA), and the ICO explicitly flags surveillance as an area where DPIAs are often required.

Poor transparency. Signs that are hidden, unclear, or missing entirely; privacy information that doesn’t explain what’s happening in practice. The ICO provides CCTV checklists that are genuinely usable.

Over-collection. Cameras covering private areas (or near-private areas) by accident. Audio recording is a classic high-intrusion pitfall.

Access control and misuse. Too many users, shared logins, no audit trail, or ad-hoc exporting of clips. A school environment makes this more sensitive because footage may involve children.

The cyber twist: CCTV systems are now part of your attack surface

Most modern CCTV is network-connected. That’s operationally useful, but it means your physical security stack has cyber risk baked in.

The NCSC has long warned that “smart” cameras need secure setup and ongoing management to reduce common attacks.
NPSA guidance on network-connected security technologies also emphasises secure configuration (“hardening”), limiting unnecessary interfaces, and building resilience into how these systems are deployed.

Procurement matters here. The UK’s consumer connectable product security regime came into effect on 29 April 2024, pushing baseline security requirements (for in-scope consumer products) such as unique passwords, a vulnerability reporting route, and transparency on security update periods. Even where school CCTV is “commercial” rather than consumer, that direction of travel is helpful: buy kit with credible security commitments, not mystery firmware and indefinite cloud dependencies.

A strong review will ask:

  • Are cameras/NVRs on a segmented network (not the same place as admin systems)?
  • Are remote access features tightly controlled and logged?
  • Are default settings removed and credentials managed properly?
  • Is patching realistic, contracted, and evidenced?
  • Do you know where footage is stored (on-site, cloud, which country, which supplier chain)?
  • If the internet dies, do you still record locally?

That last line is the resilience piece. Security that fails “open” during disruption is theatre.
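One way to turn the review questions above into a repeatable check, as an added example that is not from the original article. The inventory, subnets and field names are constructed assumptions, to be replaced with the school's own asset register.

```python
import ipaddress
from datetime import date

# Constructed inventory for illustration; field names are assumptions.
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")   # school admin systems
CCTV_NET = ipaddress.ip_network("10.50.0.0/24")    # dedicated CCTV segment
DEVICES = [
    {"name": "nvr-main", "ip": "10.50.0.10", "default_creds": False,
     "remote_access": True, "remote_logged": True,
     "patch_support_ends": date(2028, 3, 31), "storage": "on-site",
     "records_offline": True},
    {"name": "cam-carpark", "ip": "10.10.0.77", "default_creds": True,
     "remote_access": True, "remote_logged": False,
     "patch_support_ends": date(2025, 6, 30), "storage": None,
     "records_offline": False},
]

def review(device, today, cctv_net=CCTV_NET, admin_net=ADMIN_NET):
    """Return the list of review findings for one camera or NVR."""
    findings = []
    ip = ipaddress.ip_address(device["ip"])
    if ip in admin_net:
        findings.append("on admin network")
    elif ip not in cctv_net:
        findings.append("outside CCTV segment")
    if device["default_creds"]:
        findings.append("default credentials")
    if device["remote_access"] and not device["remote_logged"]:
        findings.append("remote access not logged")
    if device["patch_support_ends"] < today:
        findings.append("patch support lapsed")
    if not device["storage"]:
        findings.append("footage location unknown")
    if not device["records_offline"]:
        findings.append("no local recording when offline")
    return findings

def review_all(devices, today):
    """Map device name -> findings, omitting devices with none."""
    report = {d["name"]: review(d, today) for d in devices}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in review_all(DEVICES, date(2026, 1, 15)).items():
        print(f"{name}: {', '.join(findings)}")
```

Each finding maps to one bullet in the list, so the output can be filed as evidence alongside the review.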

Biometrics and facial recognition: treat as a separate (higher-risk) conversation

Some camera platforms now “offer” facial recognition and behavioural analytics as an upgrade. In schools, this is where governance needs to be especially adult-in-the-room.

The ICO is clear that facial recognition in schools involves children’s biometric data, and it’s not something to drift into because a vendor demo looked slick.
The DfE has separate guidance on biometric data in schools and colleges, including expectations around consent/objection handling and security of biometric data.

If a school is even considering biometric surveillance, it should be ringfenced into its own formal assessment, with senior accountability and specialist advice. It’s not “CCTV, but smarter”; it’s a different class of risk.

A quick “what to include” in a school CCTV / physical security review

A review worth paying attention to usually covers:

  • Threat-led risk assessment (your context, your site, your local issues, your safeguarding realities).
  • CCTV purpose statement and governance: who owns it, who approves changes, who audits use.
  • Coverage mapping: what’s filmed, what isn’t, and why.
  • Data protection pack: lawful basis, DPIA, signage, privacy notice wording, retention rules, access controls, subject access request handling.
  • Security architecture: network segmentation, remote access controls, patching, supplier support model, resilience testing.
  • Incident readiness: how footage is exported, to whom, how you preserve evidential integrity, and how you prevent “helpful sharing” becoming a breach.

Verified research and facts you can cite internally (clearly labelled)

  • The ICO provides detailed guidance and checklists for operating CCTV in line with UK GDPR expectations, including lawful basis, transparency, and operational controls.
  • The ICO states consent is often difficult to rely on for surveillance in public spaces; organisations typically need to use an appropriate lawful basis such as public task (where applicable) or legitimate interests.
  • The UK’s consumer connectable product security regime took effect on 29 April 2024, setting baseline security requirements for in-scope consumer smart devices.
  • NPSA provides guidance on CCTV and on network-connected security technologies, including secure configuration and resilience considerations.
  • Insurer survey insight (use as “sector intelligence”, not official crime stats): Ecclesiastical reported that, on average, crime over the past 12 months cost schools more than £26,000 (article summarising their findings).
  • ONS headline crime reporting highlights fraud at scale (millions of incidents annually in the Crime Survey for England and Wales), reinforcing that the modern threat isn’t only physical. This is useful context when explaining why network-connected systems need hardening.

A school that gets CCTV right isn’t the one with the most cameras. It’s the one that can calmly evidence: “This is why we have it, this is how we prevent misuse, this is how we keep it secure, and this is how it continues to work when things go wrong.”

That’s safeguarding, governance, and resilience pulling in the same direction instead of fighting in the car park.

Luckily, Advent IM can cover governance requirements with security expertise in physical, cyber and information security, as well as data protection expertise and training.

Get in touch today: 0121 559 699 | bestpractice@advent-im.co.uk
