Video, Photography and Audio Protocol

| Version | Author | Next Review Date | Notes |
| --- | --- | --- | --- |
| V1 (February 2025) | Emma Kitcher, Data Protection Officer | February 2026 | New Draft |
| V2 (October 2025) | Emma Kitcher, Data Protection Officer | October 2026 | Annual review – no changes. |
| V3 (March 2026) | Caroline Oliver | October 2026 | Added Holiday Club Reference |

Contents

    INTRODUCTION
    QUICK REFERENCE POINTS
    KEY DEFINITIONS
    SCOPE
    KEY LEGISLATION / FRAMEWORK
    APPROVAL OF SOFTWARE AND HARDWARE
    VIRTUAL MEETINGS WITH STAFF MEMBERS OR OTHER PROFESSIONALS
    CCTV AND TELEPHONE RECORDING
    COVERT RECORDING
    ACCURACY
    RETENTION
    SECURITY
    RIGHTS
    APPLICATION AND AUDIT
    APPENDIX A: COMPLIANT RECORDING CHECKLIST

INTRODUCTION

This protocol supports staff to manage recording practice so that Hopscotch Nurseries and Holiday Clubs complies with the requirements of privacy law and observes the rights and freedoms of data subjects.
Whatever the purpose of the recording, it is essential that there is a systematic consideration of the rights of individuals and the security of the recording as personal data.

QUICK REFERENCE POINTS

  • Recordings may be used for telephone calls for training and monitoring purposes or for marketing reasons.
  • Whatever the purposes, data protection and security must be considered
  • Privacy law deems recordings more intrusive than photographs, which are in turn more intrusive than written notes
  • Approved software must be used
  • Recording and images should only be captured in limited circumstances and should be based on a particular consideration
  • Be aware of your surroundings when discussing sensitive topics via video or telephone call
  • Even when carrying out staff meetings, recordings should be used in limited circumstances because employees are deemed ‘vulnerable’ under data protection law
  • Recordings and images should be stored securely, for limited periods and should only be attached to a person’s record as an exception

KEY DEFINITIONS

Personal Confidential Information

This term is intended to cover information captured by the Data Protection Act 2018 / GDPR (identifiable information about the living), information covered by the Common Law Duty of Confidence / Tort of Misuse of Private Information and, finally, information covered by Article 8 of the European Convention on Human Rights.

Recordings

Originals or copies of audio recordings, photographs, and other visual images of individuals that may be made using any recording device, including mobile phones and CCTV.

SCOPE

See Information Governance Policy for key roles.
All staff, whether management or administrative, who create, receive and use Personal Confidential Information have responsibilities to ensure effective reporting and management of information risk for Hopscotch Nurseries and Holiday Clubs. Employees have a contractual and legal obligation to read and comply with all company policies and to attend mandatory training to support the appropriate management of information.

KEY LEGISLATION / FRAMEWORK

  • UK GDPR / Data Protection Act 2018
  • Human Rights Act 1998
  • Various ICO Codes of Practice

APPROVAL OF SOFTWARE AND HARDWARE

  • Photography or video recording should only be undertaken using software that has been issued by your IT provider
  • Use of personal devices, in exceptional circumstances, must be approved by the Data Protection Officer
  • CCTV Providers must be notified to and approved by the Data Protection Officer

VIRTUAL MEETINGS WITH STAFF MEMBERS OR OTHER PROFESSIONALS

  • Where there is a need for a virtual meeting with other professionals to discuss confidential matters such as HR issues, only approved software should be used and advice should be sought from your Data Protection Officer
  • In any circumstances, video is more intrusive than audio recording, which in turn is more intrusive than written notes and there is greater risk of misuse or harm.
  • To comply with data protection law, data collected must be limited to 'what is necessary': if there is a less intrusive alternative that meets business needs, that option should be used. If written notes would have been sufficient for a face-to-face meeting, then that method should suffice for remote working.
  • But there may be exceptions. For example, recording might be justified if:
      • there is a particular need for a verbatim account;
      • there are considerations of language difficulties or an attendee’s disability.
  • Regardless, there may be a less intrusive alternative, such as audio recording or a nominated note taker
  • Even where an employee agrees, the imbalance of power between employers and employees should be considered and less intrusive routes pursued where possible
  • Confidential meetings therefore should only be recorded in very limited circumstances and the chair should undertake a brief risk-benefit evaluation to determine whether the risk of any future distress is outweighed by the need to make the recording
  • Explain why the meeting is being recorded
  • Provide various options available such as switching off cameras or exiting and requesting a copy of the recorded meeting to review later
  • You cannot record without the agreement of those present
  • Explain who will see the recording
  • Explain how the images will be used and whether they are being stored
  • Refer to the privacy policy
  • Remind parties of the confidential nature of the content
  • Before the meeting starts you should ensure you are in a room where you cannot be overheard and that your equipment is working correctly.
  • Once the meeting begins you should introduce yourself and ask each of the other participants to do the same.
  • If you do not recognise any of the participants and nor do other participants, ask them to identify themselves in an appropriate way
  • Do not start discussing confidential matters until you are satisfied everyone within the meeting is intended to be there
  • Recordings must be stored securely for a defined, limited time and destroyed in accordance with documented protocol

CCTV AND TELEPHONE RECORDING

  • The appropriate lawful basis for CCTV or telephone recordings is likely to be “legitimate interests” since the activity is routine for many businesses and social care organisations.
  • Hopscotch Nurseries and Holiday Clubs has carried out a ‘legitimate interests’ assessment for these activities that is held by the Data Protection Officer.
  • It is essential that the purpose for processing is specified and that any further uses are compatible with the original purpose.
  • All recording activities must be notified to the Data Protection Officer and logged in the Processing Activities Log.
  • It is important to minimise the personal data and the privacy intrusion when recording. The ICO CCTV guidance, for example, indicates that using audio on CCTV is often not necessary for the desired purpose and the same principle should be applied to all recording.
  • Consider the length of recording, the information captured and the placement of recording devices (e.g. do we need CCTV only in the waiting room or also in the corridor?) so that you are capturing only what is necessary for the purpose
  • All reasonable steps should be taken to ensure that data subjects are aware that both outbound and inbound calls are being recorded
  • Some providers allow granular options to switch off recording – find out what these are and use them as appropriate

ACCURACY

  • Every reasonable step must be taken to ensure that all recordings are accurate and of good quality
  • You should regularly check that the date and time stamps recorded on images and audio recordings are accurate (for example, when the UK switches between summer and winter time)
  • You should ensure that recordings are appropriately labelled to avoid mismatches with the other records
  • Old hardware resulting in poor recordings should be replaced to avoid issues with data quality

RETENTION

  • Recordings should be kept for no longer than necessary for their intended purposes
  • Consideration around transcription into hard copy (such that it represents a reduced privacy intrusion) should be made
  • CCTV is usually wiped over 28 days to 3 months after recording; retention periods beyond this should be discussed with the Data Protection Officer
  • Call recordings can be kept up to 7 years to support a negligence claim
  • Fair Processing / transparency materials should include information about how long the recordings are retained

SECURITY

  • Recording activities must be added to the Processing Activities Log and have a risk score attributed
  • All physical assets capable of making audio or visual recordings should be added to an asset log so that they can be tracked and returned when required
  • All physical assets capable of making audio or visual recordings should have a nominated owner that can monitor associated risk
  • All physical assets capable of making audio or visual recordings should be destroyed in line with the Information Lifecycle and Data Quality Protocol
  • All physical assets capable of making audio or visual recordings should not be removed from the premises without being signed out on the asset log
  • Where audio or video recordings are made, this should be recorded within the main record along with the consent form (barring CCTV and general telephone recording)
  • Disclosure of audio or video recordings to third parties must be subject to an Information Sharing Agreement or discussed with the Data Protection Officer
  • Audio or video recording software that is supported by a third-party provider must be subject to a compliant contract that has been reviewed by the Data Protection Officer
  • Transfer of recordings must be through encrypted methods in the first instance. Alternative routes must be discussed with the Data Protection Officer
  • Recordings, including still images, must not be obtained using personal devices such as mobile phones.
  • Recordings must be stored securely in the shared drive and must not be stored in email accounts, personal drives or on personal devices such as mobile phones

RIGHTS

  • Individuals being recorded must be informed of their rights:
      • The right to object to being recorded
      • The right to withdraw their consent to being recorded
      • The right to rectify inaccurate information that has been recorded
      • The right to have their recorded information sent to another Controller
      • The right to restrict the use of the recording
      • The right to request a copy of the information and confirmation that it is held
      • The right to be informed about the use, disclosure and retention of the recording
      • The right to make complaints
These rights are described in more detail in the Information Rights and Access Protocol.

APPLICATION AND AUDIT

Compliance with this protocol will be audited and the results fed into the Plan, Do, Check, Act Cycle described in the Information Risk and Audit Protocol.
  • All staff, visitors and service users should have access to the Data Protection Officer’s contact details to support with rights
  • Staff must confirm that they have read and understood this protocol
  • This protocol will be reviewed annually or sooner in the event of significant learning or change
  • This protocol should be read in conjunction with the other protocols in the Data Protection and Security policy suite
  • Subject Access Requests are covered in the Disclosures and Access Protocol

APPENDIX A: COMPLIANT RECORDING CHECKLIST

I have identified all the recording that happens at our organisation, added it to the Processing Activities Log and shared with our Data Protection Officer
The entries related to recordings in our Processing Activities Log include a retention period for recordings
All relevant staff are aware of the requirements about minimisation of data captured as part of recordings
All physical assets capable of making recordings have been added to an asset log so that they can be tracked and returned when required
All physical assets capable of making recordings have a nominated owner that can monitor associated risk and usage
The nominated owner will regularly check that the date and time stamps recorded on images and audio recordings are accurate (for example, when the UK switches between summer and winter time)
All physical assets capable of making recordings will be destroyed in line with the Information Lifecycle and Data Quality Protocol
All staff involved with making recordings are aware that these assets should not be removed from the premises without being signed out on the asset log
Where recordings are made, this is recorded within the main record along with the consent form (barring CCTV and general telephone recording)
Disclosure of recordings to third parties is subject to an Information Sharing Agreement or discussed with the Data Protection Officer
Audio or video recording software that is supported by a third-party provider is subject to a compliant contract that has been reviewed by the Data Protection Officer
Transfer of recordings is through encrypted methods in the first instance. Alternative routes will be discussed with the Data Protection Officer
Staff involved with making recordings, including still images, are aware that they must not be obtained using personal devices such as mobile phones.
Recordings are stored securely in the shared drive and will not be stored in email accounts, personal drives or on personal devices such as mobile phones
We are not using old hardware that compromises the accuracy or quality of recordings