Use of CCTV in Nursery Settings

Ten Things to Consider

CCTV has played a decisive role in recent investigations, helping to protect children, staff and settings alike. Its use in nursery settings has also been talked about in parliament lately, with the Department for Education bringing together a group of experts to shape new guidance.

We know many of you already have CCTV in place. So to support you, we’ve put together this practical guide with Stephensons Solicitors, one of our trusted legal partners. Our thanks go to them for sharing their expertise.

Below, we cover ten things to think about when using CCTV in your setting.

1. Lawful basis for use

The data your CCTV cameras collect identifies both staff and children, so it counts as personal data under UK GDPR. That means you need a lawful basis to use it. Article 6 of the GDPR sets out the following principles, and at least one must apply for you to have a lawful basis to install CCTV in your setting:

  • The data subject has given consent for one or more specific purposes
  • It’s necessary to process the information as part of a contract that the data subject is a party to
  • Processing is necessary to comply with a legal obligation you as controller are subject to
  • Processing is necessary to protect the vital interests of the data subject or another person
  • Processing is necessary to perform a task carried out in the public interest, or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of a legitimate interest, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject

It may well be the case that in the near future you’ll be able to rely on a legal obligation for CCTV being in place within nursery settings, but at this stage you’ll most likely be relying on the legitimate interests of your company to safeguard the children in your care, and on CCTV protecting their vital interests.

While that may be enough to have the cameras in place, to avoid any future issues around using CCTV in the workplace to monitor staff, it’s worth getting their specific consent too, for example through a policy they sign to confirm they’re happy with its use.

2. Consent

When installing cameras in the workplace, it’s best practice to get consent from everyone whose data will be captured. Updating your employee handbook and data use policies, and having staff agree to CCTV being in use, is a good way to do this. Be clear about why the data is being collected. If you don’t state that CCTV is being used to monitor staff, you may not be able to rely on it later in a performance or disciplinary matter without risking a GDPR breach.

Remember, data subjects aren’t just your team, they include the children too, through their parents or guardians. So it’s important to update your customer terms and conditions and data use policies, so families understand CCTV is in use, what it’s used for, and have accepted this as part of their child’s time with you.

3. Transparency

UK GDPR requires you to be open about how and why personal data is processed. Staff and parents need to know what’s collected and how it’s used. In practice, that means clear CCTV signage, sharing your privacy policy, and communicating in language that’s concise, clear and easy to understand. It’s also worth preparing in advance for how you’ll respond to queries, subject access requests, or any data breach correspondence.

4. Data minimisation

Article 5(1)(c) of UK GDPR says you should collect no more data than you need. CCTV should be limited to working areas where staff performance is monitored, and never used in sensitive spaces like toilets or changing rooms.

5. Audio recordings

If you’re thinking about adding audio, the bar is higher. You’d need to show that video alone can’t achieve your safeguarding and monitoring purposes, and that audio is genuinely necessary. You’ll also need clear consent from staff and parents, and a clear, lawful reason for it.

6. Data retention

Only keep footage for as long as you need it. There’s no fixed time limit in UK GDPR, but ICO guidance is clear that retention shouldn’t be driven by system storage or “it might be useful one day.” Set a defined retention period linked to your lawful purpose, and keep it as short as possible.

7. Maintaining security

CCTV data is sensitive, so it needs to be properly protected against hacking and unauthorised access. Work closely with your IT support, limit who can access footage, and keep that list tight. A breach involving CCTV could lead to serious reputational and legal consequences.

8. Subject access requests (SARs)

If someone makes a SAR, you have to provide the information you hold on them. With CCTV, that’s tricky, because footage will usually include other staff and children. You’ll need tools and processes in place to anonymise others, such as blurring faces, before sharing. This is another good reason not to hold more footage than you need.

9. Third party agreements

If you use a third party to install or monitor your CCTV, they’ll be processing personal data on your behalf. Make sure your contract clearly sets out their GDPR responsibilities, and gives you proper recourse if something goes wrong.

10. Using CCTV in disciplinary proceedings

CCTV footage can be used in disciplinary cases, but only if it’s been used fairly and transparently. Staff must be made aware that CCTV is in place, ideally before installation, and know where the cameras are. Without that, you risk the evidence being challenged.

Need to talk it through?

If you’d like to chat about how any of this applies to your setting, the dot2dot team is here to help. Give us a call on 01204 570390.

Our greatest of thanks to Aaron O’Brien and the team at Stephensons Solicitors for their expertise in putting this guide together.