Contents of this article:
- Do I need to update my privacy notice?
- Do I need consent/permission to record the class?
- Do I need to tell the pupils that I'm recording?
- Who can see my recording? / Can the admins see everyone's recording?
- If I have a concern about any content on the platform what should I do?
- Who owns my videos?
- What should I think about from a GDPR and safeguarding point of view before recording?
- What should I do if I have a pupil who may not be recorded?
- Can I take my videos/account with me when moving schools?
- Can I show recordings to pupils for behaviour conversations etc?
- Are there any data security concerns about using my own device to record?
- Are there any concerns or considerations for recording pupils in their own homes when using screen capture?
- Are parents able to view recordings to reference their child's behaviour/reports?
- Am I really in control of my own recordings?
- What do I need to do as a customer of IRIS Connect to ensure we are GDPR compliant?
- Who can I share with?
- What are the considerations for sharing recordings between organisations?
- Am I able to download my recordings?
- Is it legal for a teacher to have a camera in the classroom?
- How to ensure the privacy of pupils is not being overlooked for the the benefits to CPD when using IRIS Connect?
Do I need to update my privacy notice?
See the updating privacy notice article.
Do I need consent/permission to record the class?
Please see this article on selecting a lawful basis.
Do I need to tell the pupils that I'm recording?
Yes, it's important to inform anyone that you are likely to capture in your recording that the recording is taking place and the purpose of the recording. The IRIS Connect end user licence agreement (EULA) covers this in the Code of Conduct (Clause 3.1.1.3).
Who can see my recording? / Can the admins see everyone's recording?
Administrators do not have access to your recordings unless you share with them. Only users who you specifically select to share your recordings with have access to your recordings. This access is controlled by you, the user, and can be revoked at any time.
By default, administrators of your organisation are able to view a thumbnail view of any recording to enable them to ensure the appropriateness of any uploaded recordings. These previews have no audio and only show one frame every few minutes, to ensure that the feature can not be used for other purposes.
We developed this tool as we believe it provides the right balance for administrators to achieve GDPR compliance and provide safeguarding needs as required in their role as administrators, whilst maintaining the privacy of the users' recordings.
More information about the media preview safeguarding feature can be found here.
If I have a concern about any content on the platform what should I do?
You are able to flag any concerns by contacting your IRIS Connect administrator.
If the content was shared via a group then you can also use the 'Message the administrator' function which can be found on the menu panel of each group.
Who owns the videos?
The organisation is the Data Controller for the data who has delegated day-to-day control to the users. This is explained in point 4 of the EULA:
4.1 The copyright of material generated in your organisation remains the property of your organisation - unless otherwise stated in your terms of employment or in the terms your organisation agrees to as part of their engagement with a 3rd party provider.
Users can decide:
- what to record (with the parameters of the agreed use for the system that the organisation has decided)
- whether to delete or upload the recording
- who to share the video with (within the organisation approved sharing network)
- when to delete any recording (within the parameters of the organisations data retention policy
What should I think about from a GDPR and safeguarding point of view before recording?
Your organisation should have updated any necessary policies and communicated to you any organisation specific advice they have with regard to data security and safeguarding.
IRIS Connect recommends prior to recording to:
a) Make sure your recording purpose is in line with the purpose the organisation has set. (IRIS Connect’s agreement with your organisation sets that the purpose of use must be for professional development, educational research and learning development; not used for surveillance of staff or learners).
b) Consider who you are likely to record in the video and if there are any individuals who should not be recorded.
What should I do if I have a pupil who may not be recorded?
There are several options you can consider:
1) Position the camera to ensure the pupil is not recorded
2) Use the editing tool to edit any section of the video if they are captured
3) Use the anonymisation feature
4) Do not record that class
Also, be mindful that audio data can also be considered personal data so consider if their voice has been recorded or if their name/full name has been said within the recording.
We always recommend you check with your organisation’s Data Protection Officer if unsure before making any recordings.
This article looks at these approaches in more detail
Can I take my videos/account with me when moving schools?
As data would be moving between organisations this would need to be approved by both your old and new organisation. Providing this is approved, this is very easy for us to do, however, you would not have access to any recordings that have been shared with you, unless you are in the same sharing 'network' with them in the new organisation. e.g. if you can still share with them in the new organisation then the shared content will still be available to you.
Can I show recordings to pupils for behaviour conversations etc?
This would be dependent on the policies of your organisation and the discretion of the teacher. If the recording doesn’t include any other pupils and the recording was made for that purpose then it is more likely that it would be permitted. Please refer to your organisation's Data Protection Officer if you are unsure.
Are there any data security concerns about using my own device to record?
Are there any concerns or considerations for recording pupils in their own homes when using screen capture?
We would recommend that you consult with your organisation to confirm this is ok, if in doubt you can set the screen capture to record just your webcam and/ or presentation rather than the pupils.
Are parents able to view recordings to reference their child's behaviour/reports?
This would be up to the policies of your organisation and the discretion of the teacher. If the recording doesn’t include any other pupils and the recording was made for that purpose then it is more likely that they would agree, however viewings would need to be done through a teacher's IRIS Connect access with them present.
Am I really in control of my own recordings?
Yes, in the normal course of use, the user is in control of the data that they capture and upload. The IRIS Connect EULA and Organisation Administrator Agreement outline the controls users have:
4.5 Management of Privacy and Disclosures:
The IRIS Connect system incorporates a privacy by design philosophy which on a day-to-day basis gives Users control of the following:
4.5.1 When reflections are made and deleted
4.5.2 Who has access to reflections and how long for
4.5.3 Your participation in live reflections
4.5.4 The creation of groups and the content thereof
However, ultimate ownership and control must reside with their organisation to ensure responsible data management structures.
What do I need to do as a customer of IRIS Connect to ensure we are GDPR compliant?
Please see this article on GDPR compliance.
Who can I share with?
By default, you will be able to share with anyone in your organisation. This ‘network’ is able to be expanded to sharing with individuals at other organisations either via the use of community groups or trust/collaboration networks, which both require administrator approval.
If you are working on a project or as part of a Trust, then this sharing network might already have been set up.
More information on Networks can be found here.
What are the considerations for sharing recordings between organisations?
For more information on sharing between organisations see this article.
Am I able to download my recordings?
Whilst downloading isn’t by default permitted, the downloading feature can be enabled by request by your IRIS Connect administrator for your organisation. This is a restricted feature to ensure data security is maintained, as any data downloaded from the platform is at a much greater risk of being compromised. More information can be found here.
Is it legal for a teacher to have a camera in the classroom?
Yes, provided you are adherent to your organisation's policies, have taken into account any safeguarding concerns and meet the appropriate GDPR requirements. The following resources will assist you with your GDPR requirements for recording:
1) Select and document your lawful basis
Using IRIS Connect ensures the data you collect is captured, stored and shared securely, meeting the GDPR requirements for the data, whilst enabling you to achieve the highest level of professional development through the use of the features, guides and analytical tools available on our system.
How to ensure the privacy of pupils is not being overlooked for the benefits to CPD when using IRIS Connect?
Schools have a legal and ethical responsibility to ensure that pupil privacy is fully protected when collecting any data. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, schools are the data controller for any personal data they process, including identifiable pupil information captured in classroom recordings.
The below points sets out the steps schools should follow to ensure pupil privacy:
Selecting a lawful basis
This means they must ensure all processing is lawful, fair, transparent, and limited to what is necessary for its intended purpose. In the context of CPD, the lawful basis for processing will usually be the school’s “public task” — that is, activities carried out in the public interest or as part of the school’s statutory functions — though in some instances, schools may also rely on “legitimate interests” or, where appropriate, parental consent.
Whichever lawful basis is chosen, it must be clearly documented and communicated to staff, parents, and pupils through an updated privacy notice that explains what data is recorded, why it is being processed, who will have access, how long it will be kept, and how individuals can exercise their data rights.
Data Minimisation
To ensure privacy is not overlooked in favour of staff development benefits, schools should adopt a principle of data minimisation. Only the minimum amount of pupil information necessary for the CPD purpose should be captured. Only authorised staff — such as the teacher, their coach, or a designated mentor — should be able to view the footage.
Retention and deletion policies are equally important. Schools should set clear time limits for how long recordings are kept — typically only as long as they are needed for the CPD cycle — after which they should be securely deleted or anonymised. These retention periods must be documented in the school’s data protection or records management policy and supported by IRIS Connect’s secure deletion tools. Regular audits should be carried out to confirm that access permissions, retention schedules, and deletion processes are being properly followed.
Using a secure system
IRIS Connect’s platform supports these controls by providing secure, encrypted storage, role-based permissions, and a closed sharing environment that prevents unauthorised downloads or external distribution. This ensures that data cannot be shared beyond the agreed professional learning context without the school’s explicit approval.
IRIS Connect acts as a data processor on the school’s behalf, operating under strict contractual and technical safeguards in line with UK GDPR. The platform’s data is stored securely within the UK and EU, with encryption both at rest and in transit, and access restricted to authorised users only.
Controlling data sharing
Data sharing is another critical consideration. If recordings are to be accessed by external mentors, advisers, or partner schools, a Data Sharing Agreement or Data Processing Agreement must be in place to ensure all parties uphold the same data protection standards. The school remain the data controller, meaning it retains responsibility for how data is used, stored, and deleted.
Conducting a DPIA
Schools should also complete a Data Protection Impact Assessment (DPIA) before introducing or expanding their use of IRIS Connect. The DPIA allows the school to identify any risks to pupils’ privacy and set out mitigations, such as ensuring recordings are stored securely, that only authorised individuals can access them, and that no data is used beyond the stated CPD purpose. The DPIA should be reviewed regularly and whenever the use of recordings changes, for example if they are shared externally.
Training
Users of the system should be trained in data protection principles and the school’s policy for recording lessons. A culture of privacy awareness should be embedded within the CPD process, making it clear that recordings exist to enhance professional learning — not for performance management of pupils or public sharing — and that the rights and dignity of learners must always come first.
Summary
The privacy of pupils can be robustly safeguarded by aligning the use of IRIS Connect with UK GDPR principles: establishing a clear lawful basis, maintaining transparency with pupils and parents, minimising data collection, applying strict access and sharing controls, enforcing retention and deletion limits, and embedding security and accountability through governance and staff training. By doing so, schools can ensure that professional development benefits are achieved without compromising the privacy or rights of their pupils.