The aim of the guidance (and its accompanying policy) is to ensure that there is a full sharing of information between schools and their staff about the purpose of CCTV, and the extent of its usage. Only by a clear, open exchange of information will the current climate of potential mistrust on this issue be eased.
There are a number of legal requirements with which every school installing CCTV has to comply. Firstly, schools have a statutory requirement to notify the Information Commissioner that they are installing CCTV and also to state clearly and precisely the purposes for which it is being employed, including the dissemination and distribution of all data collected. The Information Commissioner's Office is the UK's independent authority overseeing protection of personal information. Schools have to renew the notification annually as well as inform the Information Commissioner within 28 days if any changes are made to the use of CCTV.
The Information Commissioner must be informed of the identity of the data controller. The data controller is likely to be either the school (preferably a named employee) or the local authority - whoever is responsible for the CCTV systems. If there are two or more parties involved, as will often be the case, then all parties should be fully aware of their responsibilities and obligations.
The actual use of CCTV can be affected by statutory legislation, including the Data Protection Act 1998, the Human Rights Act 1998 and, on occasion, the Regulation of Investigatory Powers Act 2000. Schools must ensure that they not in possible breach of these regulations.
Assessing the impact of CCTV
When schools decide to use CCTV or are reviewing its continued use, they should take into account the benefits of using surveillance cameras. They must also consider whether better solutions exist, as well as the effect it may have on individuals within the school. The latter should form part of an assessment to determine whether CCTV is justified and its impact.
ATL has produced a model impact assessment form, which members should consider putting forward for the school to use. It is extremely important that schools seek the views of all those who are subject to surveillance - teachers, pupils and, significantly, their parents - and respond to these views accordingly. Without this communication, is it highly likely that staff and pupils may become suspicious. In short, CCTV should not be introduced without extensive consultation.
Installation and placement of CCTV
When installing CCTV, management should state precisely and publicly the objective of the installation. For different locations the objectives may vary, some being common (eg security and protection of property) and others specific (eg monitoring movement and behaviour in a communal area).
ATL has serious reservations about the use of CCTV in classrooms, especially for performance management purposes or in capability procedures, where any use should be resisted. If the intended use includes streaming to any external agency, members should seek further advice from ATL.
A school's management needs to have clear procedures to determine how the CCTV system operates. An authorised person (the data controlling officer) has to be responsible for ensuring that the procedures are followed. ATL recommends that the data controlling officer conducts a full consultation with all school staff on the usage of CCTV.
The consultation should include an explanation of all the purposes for which the CCTV cameras are being, or have been, installed and confirmation that they comply with the law. As an outcome of the consultation, the school should implement a policy on its use of CCTV, which is made available to all staff and, preferably, provide a briefing on the policy for all staff.
When a CCTV system is installed in the school, signs must be put up to state its purposes. The signs must be placed in prominent positions to inform the public that they are entering a place where CCTV is in operation. The sign must identify the data controller, which may be the school or local authority, and give a contact number where further information can be obtained. ATL recommends that every school should have a data controlling officer on site, appointed from the senior management team.
The siting of cameras must also be carefully planned and justified. The school should state where the cameras have been installed and whether they are fixed or dome cameras. In areas where staff and pupils have a heightened expectancy of privacy, eg changing rooms or toilet areas, cameras should not be used unless there are exceptional circumstances such as if schools have very serious concerns that make it necessary for them to be fitted. Such an exceptional circumstance might be when vandalism has occurred in the entrance areas to changing rooms or if it is suspected that bullying has taken place. However, even in those circumstances, this should be time limited, and all staff and pupils should be informed of the reason the cameras are there.
In no circumstances should CCTV be placed such that it could capture images of pupils changing. Cameras should not be fitted in staff rooms unless required for security reasons when the rooms are not occupied. In this case, it should only be switched on during those periods. Schools must be careful not to include captured images of surrounding properties, as this will contravene data protection regulations.
The initial viewing of live and recorded images of CCTV should be restricted to the data controlling officer only. It may be necessary to appoint and train a deputy controlling officer to cover any absence, or if the chief controlling officer is not normally on site or otherwise not readily available. Special arrangements should be in place, and published, if for any reason the installation and control of the CCTV and images collected are under ultimate control of an outside agency, eg under a PFI arrangement.
ATL, in general, considers that the outsourcing of any monitoring of surveillance CCTV could have serious implications. Members should contact ATL in such circumstances so the arrangements can be scrutinised and suitable advice given. The school's policy should contain clear information about the security of such images and access to them. Requests for access to images should be dealt with under the policy and decisions on such requests made by the data controlling officer, who should have been fully trained in the use of the school's policy, and the Data Protection Act and its subsequent code of practice.
Any recorded images should be viewed in a restricted area such as an office, where content cannot be seen from the outside. If a school has more than one person authorised to operate the CCTV system, it is imperative a mechanism is in place to allow for communication and transfer of information, ensuring that there is a consistent approach to managing access to the CCTV images.
Storage and retention of CCTV images
The school's policy should also cover the retention of images taken by the CCTV cameras. The policy on retention of images should align with the school's purposes in recording them. For example, if the objective of the CCTV is as a deterrent to vandalism, the policy should state that once images are viewed, and with no reports of vandalism, the images should be destroyed as soon as possible.
In essence, schools should strive to keep images for the shortest period possible. It is absolutely paramount that images taken and stored before they are destroyed are secure and that nobody other than the data controlling officer has access to them.
If the CCTV system uses video or DVD recordings, the tapes/discs should be indexed, stored for the appropriate amount of time and wiped clean after that time expires, ready for reuse. If using hard drive technology, the data controlling officer should be fully trained in its use and how to index, store and wipe clean, as well as ensure that security measures are in place to prevent external sources accessing the footage. Where dissemination of data is possible, particularly with (hard drive) digital systems, it must be clear who is authorised to carry out such processing, the restrictions under which they operate and the limitations of what they are authorised to do.
For all data that is stored for possible future viewing, a register must be maintained, detailing relevant information such as date, time and length of the original recording, as well as the locations covered and groups or individuals recorded. Reviews of stored images should be regularly conducted, so that obsolete stored material can be deleted securely.
Requests for CCTV images
The data controlling officer should also be trained in issues such as what to do if a request for the images is received from an outside source, eg the police, who are able to make such an application for purposes of preventing or detecting crime. The procedure for dealing with such requests should be outlined in the school's policy and made clear for all staff to see. In particular, the details of any data released to a third party should be formally recorded, to also include the date of the disclosure, to whom, reasons for the request and any other relevant information, such as a crime incident number.
Review of CCTV systems
All school CCTV systems should be constantly reviewed to monitor their effectiveness and impact on the school community. It is not acceptable for a school simply to install CCTV cameras and forget about the impact they may be having.
A policy of constant review is one way of demonstrating that the use of CCTV is only for specific purposes. Should cameras be present in classrooms, staff must remain confident that the system's use has not been extended, even inadvertently or casually, into any formal or informal process of performance management or capability procedures.
Complaints about non-compliance with the Data Protection Act can be made to the UK Information Commissioner (some areas, such as Scotland, have their own Information Commissioner but it is the UK-wide IC who deals with non-compliance). The UK Information Commissioner has the power to serve on a data controller either:
an information notice, requiring the data controller to provide details as to that data and the process taking place, or
an enforcement notice, requiring the data controller to take specific steps, such as to stop processing or to rectify, erase or destroy the data.
Needless to say, failure to comply may lead to a criminal prosecution.
Ultimately, compliance with this guidance will result in schools being protected from claims that they are breaching the law around surveillance and the use of CCTV cameras. It will also serve to dispel many of the justifiable fears and concerns that school staff and parents have about the increasing use of surveillance in their schools.
By sharing information, school leaders are likely to find that their comments, observations and opinions can be used to integrate into a school-wide policy that makes the use of CCTV cameras specific and purposeful.
There is a balance to be made between the intrusion into privacy that CCTV cameras clearly can make, and the security and protection of anyone who uses a school. As technology continues to advance at a rapid rate, maintaining that balance is a challenge that schools will need to continue to be aware of and address over coming years.