Picture the scene: you’re juggling emails, safeguarding logs, and the eternal mystery of the staffroom milk, when someone appears at reception. It’s not Ofsted. It’s not a parent. It’s a police officer with a calm but direct request:
“We’d like to see the CCTV from Tuesday afternoon. Also, we need some information about one of your students.”
At that moment, your brain does a quick GDPR shuffle. Because as helpful as we all want to be when the police get in touch, you can’t simply hand over personal data and hope for the best.
You’re a data controller in a regulated environment, and every decision you make needs to balance cooperation with lawful, proportionate processing.
CCTV Footage: Press Play, With Care
Take a common example: there’s been an incident in the playground, and the police believe the CCTV might help with their investigation.
Reasonable? Yes. Automatic? No.
Always check the request is specific, proportionate, and targeted to the incident. Ideally, it should come with a formal written request and a defined time and location.
If the footage contains unrelated students or staff, redaction (such as blurring faces, cropping, or extracting only the relevant clip) should be considered. If redaction isn’t practical, you’ll need to weigh public interest against privacy rights and, if necessary, consult your Data Protection Officer (DPO).
Student Information: Proceed on a Solid Legal Basis
For personal details like a student’s home address, attendance records, or behaviour history, you must confirm a valid lawful basis before disclosure. Common examples include:
- Legal obligation – where a statutory duty requires it.
- Vital interests – where there’s a risk to life or serious harm.
- Law enforcement purposes – typically for crime detection or prevention.
- Recognised legitimate interests – a formal ground that can apply where sharing supports safeguarding or crime prevention, provided it’s necessary and proportionate.
Regardless of basis, ensure the request is relevant, proportionate, and justified. It’s fine to pause while you confirm details, request a formal form, or check with your DPO. This isn’t obstruction, it’s responsible compliance.
Redaction: Not Just for Government Files
Whether it’s a behaviour log, email exchange, or video clip, remove personal data not relevant to the investigation.
This is data minimisation in practice, sharing only what’s needed for the stated purpose. Other students’ or staff members’ details should be excluded unless their involvement is directly relevant.
Verification: Trust, But Verify
Uniforms don’t replace process. Before releasing data:
- Confirm the officer’s identity.
- Request a written, signed request.
- Confirm the lawful basis for access.
- Decide whether immediate disclosure is necessary or if a short delay is appropriate to clarify scope or seek advice.
Your role is not to default to “yes” or “no”. It’s to say “yes, where lawful and appropriate; no, where it’s not.”
Handling Requests Efficiently and Defensibly
Current standards also emphasise the importance of:
- Keeping searches reasonable and proportionate – you are not obliged to trawl through every system if it’s not necessary.
- Being able to pause the process while clarifying unclear or overly broad requests.
- Maintaining clear, accessible channels for anyone to raise concerns about data handling and responding promptly and transparently.
These aren’t just compliance points. They also protect staff time, reduce errors, and ensure decisions are fully defensible.
Working with the police is an important part of keeping school communities safe. That cooperation must be balanced with the rights of individuals and the principles of lawful data handling.
When a request comes in:
- Stay calm.
- Clarify what’s needed.
- Ensure a lawful basis.
- Redact where necessary.
- Document decisions.
- Consult your DPO when in doubt.
Data protection isn’t about blocking cooperation. It’s about enabling it to happen the right way, every time.
