Tackling video DSARs in schools: Protect children’s data

Schools are busy places where teachers, visitors, inspectors, parents, and other members of the public move in and out of the building. This can be hard to track, especially if schools are understaffed. 

CCTV is used in schools across the country as a way to help maintain and track the safety of students and staff. For example, CCTV is used in nurseries to help keep children safe or ANPR is used in school car parks/roads to help keep track of school visitors. This includes covering incidents such as:

• A child or member of staff has been involved in a physical/verbal altercation on school grounds,

• A child has been a victim of abuse on school grounds, 

• Theft or vandalism of student or staff property,

• Bullying or harassment, 

• Improper behaviour, 

• Classroom/playground accidents, 

• Incidents in the school car park, 

• Unauthorised access - monitoring entrances and exits.

There are limits to this surveillance and some recent uses have received concern and criticism - e.g. use of CCTV in school bathrooms. 

Schools are particularly vulnerable environments. Protecting all students of all ages and needs - from a safeguarding perspective and when considering personal data captured - is vital. This includes personal and medical records, and visual data from video - all of which, in the context of children, are considered extremely sensitive and need to be kept secure and private. 

What happens when CCTV footage is requested from a school?

CCTV footage may be requested from an incident - whether this be an internal request or a way to aid a public incident that a school’s CCTV may have captured. This could come in the form of a data subject access request (DSAR). 

Data subject access requests give people the right to a copy of their personal data - this includes video footage of them. Individuals can also ask a third party to submit a DSAR on their behalf, provided there is sufficient proof of this request and the identities of the requesting parties are verified. In an education setting, DSARs could be sent on behalf of a child by parents, guardians, social services, legal professionals, and the police - provided the child consents to the requests or is not competent to make the request on their own. 

Once this DSAR is received, the data controller/processor is legally obligated to respond within 30 days of the request, or be reprimanded by the Information Commissioner’s Office (ICO).

How can video DSARs in schools go wrong?

There can sometimes be confusion about the correct practice for handling video footage when DSARs are received. Often, schools may invite parents or the relevant authority to the premises and show them the footage in-house, believing that’s good enough. Others may simply send a cut-down clip of an incident without editing it any further and leaving the faces of other parties in the video.

This is incorrect and is a breach of the data of other parties in the video. 

This has clearly been an issue - according to an ICO review into subject access request handling within educational establishments, the most common data protection complaint received by the ICO about schools was regarding DSARs.

It is essential that those working in schools know how to handle DSARs, what the correct protocols are, and how to responsibly share that video footage. 

What does the law say about children’s data?

The sensitivity of children’s data is recognised in the different requirements for processing their data in different settings. Under UK GDPR, when relying on consent as a lawful basis for processing and marketing to children, only those 13 and older can consent. Decisions based solely on automated processing (e.g. profiling) about children should not be made if there is a chance of a significant effect on them. 

When completing DSARs in schools, it is very important that the data of other students are not compromised. Redaction is a way to remove any third-party information to prevent other pupils or staff from being identified. 

Redaction is usually a case-by-case process, and the context of the video should always be taken into account. In an educational setting, sometimes simply redacting faces is not enough, and you may need also to redact clothing, scars, or any other identifiable features in the video that could be traced back to an individual. 

The difference between DSARs and right of access requests

It is important to differentiate between a DSAR and a right of access to education records. There are two rights of access regarding information schools hold on students: 

• Right of access under Article 15 of UK GDPR

• The parent’s right of access to their child’s “educational record”

Parents are only entitled to access their children’s educational records, and these must be answered within 15 days. With DSARs, parents may only send requests with the consent of the child or if they are not competent to do it themselves.

Having a good idea of how the personal data of students and staff is collected and stored will help deal with these requests in a timely manner. Usually, your DPO should be in charge of handling DSARs but it is important that all staff members know the process for handling them. 

Step-by-step guide when tackling a video DSAR in schools