Video cameras in schools and education settings: Responding to requests for video footage under privacy law
Video cameras in schools and education settings: Responding to requests for video footage under privacy law
Under data protection and privacy laws, people can request access to videos captured by CCTV and surveillance cameras. This can be a difficult legal area for schools, which must respond in a way that complies with the law, respects parents’ rights, and protects student privacy.
This article explores some of the most common questions from schools about sharing video monitoring footage with parents. We’ll look at what the law says in the EU, the UK, and the US, including whether you have to use software for blurring faces in videos before sharing them with parents.
CCTV recordings and the right of access under the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) applies across the European Economic Area (EEA), which covers the EU’s 27 member states plus Iceland, Liechtenstein, and Norway. The UK also has a version of the GDPR that is near-identical to the original.
The GDPR is the most relevant law for educational institutions when dealing with CCTV access requests.
Schools and other public bodies also have obligations under the European Convention on Human Rights (ECHR), freedom of information legislation, and national education laws, but we’ll focus on the GDPR.
Are CCTV recordings covered by the GDPR’s ‘right of access’?
Yes, CCTV recordings are covered by the GDPR’s right of access if they contain personal data.
Here are the basic principles regarding the right of access and video monitoring in schools and other educational institutions:
- With some limited exceptions, the GDPR requires data controllers (including educational institutions) to give people access to a copy of their personal data on request.
- This process is sometimes called a Data Subject Access Request (DSAR), and it’s covered under Article 15 of the GDPR.
- “Personal data” means information relating to an identifiable individual. Personal data includes a video featuring schoolchildren or other individuals if you can tell who is in the video.
- A controller can refuse a request that is “manifestly unfounded or excessive.” This exception sets a high bar and rarely applies to a request for a specific piece of CCTV footage.
- Controllers must respond to a DSAR within one month of receiving a request. Under certain conditions, a controller can extend this period by a further two months.
- When providing someone with a copy of a security camera video, you must not infringe the rights of other people. This means you should generally avoid providing videos that depict other people.
- To avoid violating the GDPR, schools and universities can blur the faces of anyone who is not the subject of an access request before providing access to the video.
Can parents request CCTV footage of their child?
Generally, parents can make access requests on behalf of their children. However, this is a complex area that is not covered directly in the GDPR and is often dealt with under national data protection laws or regulations.
Controllers should generally only give parents access to their children’s personal data if doing so would be in the child's best interests. But schools should check local laws and regulatory guidance to ensure they get this right (we’ll look at how the UK handles this below).
What happens if CCTV footage includes shows more than one child?
Article 15(4) of the GDPR says that you must not “adversely affect the rights and freedoms of others” when responding to a DSAR.
“Adversely affecting the rights of others” can include revealing personal data about people other than the person making the request (the “data subject”).
This rule is particularly important in schools, as the GDPR emphasizes that “children merit specific protection with regard to their personal data.”
So, what should you do if a parent or student requests a video featuring other children or other identifiers in general? For example, footage of a school corridor showing other students’ faces or a video of a university parking facility revealing other people’s license plates.
How schools can respond to a GDPR request for video footage
To avoid violating the GDPR when responding to requests for video footage, controllers can use anonymization software to blur images of other people.
This approach is endorsed in some official guidance from the European Data Protection Board (EDPB), which represents every data protection regulator in the EEA.
The EDPB says that to avoid violating people’s rights, a controller should generally not provide video footage that includes other data subjects in response to a DSAR.
However, the EDPB says that this is not “an excuse” to reject a valid request. Instead, the controller should use “technical measures” to remove other people’s personal data from the video.
Here’s a quote from the EDPB’s guidelines on video recording:
“…the controller should not in some cases hand out video footage where other data subjects can be identified. The protection of the rights of third parties should however not be used as an excuse to prevent legitimate claims of access by individuals, the controller should in those cases implement technical measures to fulfil the access request (for example, image editing such as masking or scrambling)...”
Technical measures to protect other people’s rights can include blurring the video footage using anonymization software.
The EDPB refers to this blurring method in a hypothetical example of a DSAR involving CCTV footage:
“If other data subjects can be identified… the material should be anonymised (for example by blurring the copy or parts thereof) before giving the copy to the data subject that filed the request.
The EDPB states that blurring identifiers in a video effectively erases the personal data:
For video surveillance it is worth noticing that by for instance blurring the picture with no retroactive
ability to recover the personal data that the picture previously contained, the personal data are
considered erased in accordance with GDPR.
The GDPR does not cover anonymous data, so once other people’s faces—and other identifiers, such as license plates—have been blurred in a video, it’s safe to share (at least as far as data protection law is concerned).
Schools can meet the EDPB’s recommendations by using video editing software for blurring faces before providing access to the video as part of a DSAR.
Schools and access to video footage under the UK GDPR
The UK’s version of the GDPR, the UK GDPR, is substantially the same as the original EU version. The Data Protection Act 2018 (DPA 2018) supplements the UK GDPR and relates part of it to other UK laws.
UK law provides two routes for parents to access personal data about their children:
- A DSAR under the UK GDPR
- A request for access to a student’s education record under education regulations
The UK GDPR is almost certainly the most relevant process for requesting video monitoring footage recorded by a school.
The Information Commissioner’s Office’s (ICO) guidance on CCTV and video surveillance explains how controllers should handle DSARs when video footage depicts other people.
The ICO says that organizations should be able to redact video footage, including by “blurring (or) masking” it, where necessary.
You should ensure that your systems have the capability to redact footage if third parties need to be blurred or obscured… Available techniques include blurring, masking, or using a solid fill to completely obscure parts of the footage.”
As such, the rules are effectively the same in the UK as in EEA countries. The UK GDPR provides the same DSAR process and imposes the same obligations on schools and other controllers to protect personal data about third parties in response to a DSAR.
United States: Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal US law that allows parents and eligible students to access education records (among other provisions).
Here’s how the rules on accessing education records under FERPA relate to video surveillance cameras in schools, universities, and other educational institutions across the US.
Can a security camera recording be an “education record” under FERPA?
Under FERPA, any information that is “directly related to a student” and maintained by an educational institution (or a third party acting on its behalf) counts as an “education record”.
Educational records can include security camera videos, meaning that parents often have the right to demand recordings of their children.
Whether a video is “directly related to a student”—and therefore an education record—depends on the context. The US Department of Education says videos are likely FERPA education records if they, for example:
- Focus on a specific student
- Show a student breaking the law
- Show a student being attacked, victimized, or having a health incident
- Otherwise contain personally identifiable information (PII) contained in an education record
A video used for disciplinary purposes will usually be part of an education record and could be the education record of both the perpetrator and the victim of the incident, depending on who the video features.
Schools are not generally required to distribute copies of videos to parents, but parents have the right to inspect or review the videos that form part of their child’s education record. A school can securely share a copy of the video or invite the parents to view the video in person.
Video recordings featuring multiple students under FERPA
If a video recording features multiple students, it might constitute multiple students’ education records. School districts and other FERPA-covered entities should avoid disclosing a student’s education record to another student or another student’s parents.
According to the Department of Education, FERPA means that an educational institution must redact the video if it can reasonably do so:
“If the educational agency or institution can reasonably redact or segregate out the portions of the video directly related to other students, without destroying the meaning of the record, then the educational agency or institution would be required to do so prior to providing the parent or eligible student with access.”
So, if it is “reasonable” to redact a video to protect other students’ rights under FERPA, a school must do so before showing the video to parents. If the educational institution cannot reasonably redact the video without destroying it, the parents still have the right to view the unredacted video.
Is ‘redacting or segregating’ a video ‘reasonable’ under FERPA?
In the past, manual video redaction processes were costly and time-consuming, and redacting CCTV footage might not have been deemed “reasonable” under FERPA.
This came up in 2017 correspondence between the Department of Education and a Pennsylvania school about a request to view a video involving multiple students. The school argued that it lacked the resources required to blur other students’ faces in a video requested by parents.
However, anonymization software has significantly advanced since that 2017 correspondence. Schools can access apps to auto blur faces in video much more efficiently and at a much lower cost.
Now that schools have access to an easy way to blur faces in videos, redacting videos by blurring other students’ faces is increasingly likely to be seen as “reasonable” and thus required under FERPA.
United States: State Laws
As a federal law, FERPA applies to school districts and educational institutions across the US. States cannot limit the rights of parents or students provided by FERPA.
However, some states have introduced laws requiring video cameras in classrooms providing special education services. These laws aim to tackle the possible abuse of children with special educational needs.
Such laws have been enacted in the following states:
- Alabama: SB 56, which passed in 2023
- Florida, Broward County: A pilot program to this effect runs from July 2021 to June 2024
- West Virginia: Section 18-20-11 of the West Virginia Code, enacted in 2019.
Under each of these laws, school districts must provide access to video recordings to employees, parents, and other parties involved in investigations into allegations of abuse and other inappropriate behavior.
Crucially, each of these laws requires school districts to take “necessary precautions to conceal the identity of any student who appears in a video or audio recording who is not personally involved,” including “blurring the face of any uninvolved student.”
These laws provide a similar rule as under FERPA, but are more explicit: When responding to requests for surveillance camera footage under these new laws, schools must conceal the identity of any uninvolved students, including by blurring their faces.
How schools should respond to requests to access CCTV and surveillance camera footage
While the GDPR and FERPA are very different laws, they provide some similar general principles for educational institutions when providing recordings from surveillance cameras:
- Schools and other educational institutions should generally respect requests from parents to access CCTV footage relating to their children. Students may also be eligible to make such a request.
- Schools should consider all relevant laws when responding to a request. This includes education regulations as well as data protection or privacy laws.
- Video footage provided to a parent or student should generally not feature other identifiable students.
- Where possible, schools and other educational institutions should use anonymization software to blur the faces of people who are not the subject of the request.
Installing security cameras in a school requires extremely careful consideration. We’ve looked at how to handle requests to access camera footage, but remember that data protection and privacy law applies to the entire process.
If people request access to recordings depicting them, schools need a way to ensure video clips do not violate other people’s privacy. Now that there’s a simple way to blur faces in videos, there’s no reason to neglect this crucial step.