Data protection: A watchful eye

Is a practice CCTV surveillance system the best way to monitor staff or address safety concerns? MDDUS senior risk adviser Liz Price advises careful consideration

FIGURES suggest there could be as many as one CCTV camera for every 11 people in the UK, making ours among the most monitored societies in the world.

Electronic surveillance has proved an invaluable tool for law enforcement organisations in recent years – but is it a solution medical and dental practices should consider?

Advice calls to MDDUS on the use of CCTV have been increasing. Typical queries from practices considering installing a system include: “We think a staff member is stealing from our petty cash – can we install CCTV to catch them in the act?” or “We have a number of known violent patients registered with the practice and we would like to install CCTV in the waiting room to deter them”.

Practices that have systems already installed most commonly contact us for advice on whether or not to disclose information captured on film. For example: “There’s been a bump in the practice car park – can we share CCTV footage with the affected party and/or police?” or “The police are investigating a rumour that a patient is dealing drugs in our waiting area and want to see our footage for last Wednesday”.

The decision to install electronic surveillance within your practice premises requires careful consideration. Is it necessary and proportionate to resolve the identified need? How will the data be stored, accessed, processed and by whom? What footage must or should be shared? These are all important points to consider before installation to avoid breaching data protection legislation.

The Information Commissioners Office (ICO) recently updated their guidance in this area (http://tinyurl.com/n3r38k2) in light of technical developments and to ensure that those who use surveillance cameras to collect personal data stay within data protection and privacy legislation. Practices who have or are considering CCTV should ensure they comply fully with the requirements.

Have you identified a need for surveillance?

It is important to consider whether use of CCTV is justified. What is the purpose and is it a necessary and proportionate measure to meet that need? Could there be other more appropriate measures? For example:

  • installing enhanced lighting in an area prone to vandalism
  • repositioning a receptionist so patient areas can be monitored
  • purchasing a secure cabinet for important documents and items
  • limiting access to certain areas of the premises.

Before installing a CCTV system practices must also take into consideration GMC/GDC guidance on patient confidentiality – and also your responsibilities as an employer, particularly where you plan to use CCTV in staff areas. Just because you have information doesn’t mean that you will be able to share it.

Ensure that any planned systems and procedures comply with your legal obligations. Is the CCTV sited to only collect the necessary information required? It should not cover areas that are not of interest, as this breaches the principle that the information collected should only be that which is necessary for the identified purpose.

Is there a policy for securely storing and handling the information? How long do you keep the information? Retention times should be reasonable, based on the purpose for which it is being used.

Access to data should be limited and authorised staff should be made aware that it is a criminal offence to misuse the information. They also must be competent to access and edit or extract information where disclosure is appropriate, as there may be a requirement to obscure the identity of individuals.

Patients and staff must be made aware of their right of access to footage which contains their images – so the practice will have to inform individuals that the CCTV is in place and for what purpose. Notices and social media can be used for this and signage should include details of who to contact for more information, for example the practice manager. A maximum of £10 can be charged in response to a subject access request.

Clear policies should be in place for responding to requests for access to footage, including when it is likely to be appropriate to make a disclosure and when it is not. When deciding to disclose footage that shows others, consider the expectations of those individuals involved, regulatory responsibilities and legitimate public interest in the information. As above, you may have to take steps to disguise the identity of third parties captured in any footage, for example through the use of pixelation technology.

When a disclosure is made you should record the date of the disclosure along with details of who the information has been provided to (the name of the person and the organisation they represent) and why they required it.

Do you already have CCTV already in place?

Practices should ensure they have notified the ICO that this type of data is being collected, and you should regularly review whether use of CCTV is still necessary and proportionate. Check that policies and procedures are in place as above and that proactive checks are ongoing to ensure compliance with procedures around security and processing.

Liz Price is a senior risk adviser at MDDUS