Watching the watchers

MDDUS receives regular calls from members in relation to the use of video surveillance within their premises. Requests for advice range from members wishing to monitor the waiting room or staff areas – because they have a specific suspicion about bad (or even criminal) behaviour or simply as a precaution – to requests for third-party access to CCTV or video surveillance footage after an incident has occurred.

The Information Commissioner’s Office (ICO) has significantly revised its CCTV code of practice in recent years and these changes must be considered in addition to data protection requirements and developments in the technologies by which CCTV can be delivered.

The underlying principles of data protection legislation in relation to video surveillance remain the same – for example the need for transparency about camera position/use, security and rights of access. However, practices will need to demonstrate that they comply with:

•  more prescriptive transparency requirements
• security protocols in the light of more stringent obligations, particularly around breach notification.

The ICO advises that a data protection impact assessment (DPIA) will be required before implementing video surveillance within your practice. Developing a DPIA in relation to installing video surveillance is the most effective way to comply with obligations and also to demonstrate that appropriate measures have been undertaken to ensure compliance.

Practices already using video surveillance tools should also consider undertaking a DPIA now. Normally these will be conducted before implementing any new method of processing personal data, but they should be treated as a continual process and updated throughout the lifecycle of a project, especially if there are any significant changes to procedures.

What is required in a DPIA?

• A description of the method of video surveillance and its purpose. This should include what the project aims to achieve and what the benefits will be to the practice, patients and staff. This will identify the ‘legitimate interests’ of the practice in implementing this form of data processing (a legitimate interest is a business interest which has been balanced against the interest of the individual(s) concerned).
• An assessment of the necessity and proportionality of the processing (e.g. video surveillance) in relation to the stated purpose. The views of individuals should be taken into consideration (e.g. a patient participation group/employees as relevant), including expectations about how their data will be used and whether it will have unjustified effects on them.
• An assessment of the risks to individuals.
• The measures in place to address these risks. Measures are likely to include information to patients and staff, and security safeguards, storage, access and reasonable retention protocols which are directly aligned to their purpose.

For further assistance, see the ICO’s code of practice on data protection impactassessments.

In relation to mitigating the risk of a security breach, it is also important to update your practice on the notification requirements in relation to data breaches. Under the DPA 2018, practices are required to report a personal data breach of sensitive patient information to the ICO no later than 72 hours after having become aware of it. If in doubt, contact the ICO and/or MDDUS for advice if a breach occurs.

As digital cameras become more prevalent, more information will be sent and received via the internet. Backups can be located in local or cloud storage and can be available to users over the web. Whilst many systems provide opportunities for enhanced and often automatic protocols – including autodeletion after specific periods, audit trails of individual access, and encryption and pseudo-anonymisation techniques – the associated risks must be documented and mitigated. Risks include unauthorised access, the ability to disable cameras remotely and failure to ensure appropriate security updates are installed. If a third-party organisation is contracted to manage your system, a robust data-sharing agreement should also be in place. Guidance on this is also available from the ICO.

Practices will need to be transparent about the uses of video surveillance. It should be clear to individuals – in this case mainly patients or employees – where, when, how and by whom their data will be processed. This can be achieved with the use of clear signage and privacy notices, which will need to include details such as:

What information is being collected?

Who is collecting it along with contact details?

How and why it is being collected?

How will it be used?

Who will it be shared with?

How long will it be retained?

Whether the data will be transferred outside the E.U. (e.g. for cloud hosting).

Individual rights to access personal information/raise a complaint about how information is handled – and how to do so.

Liz Price is senior risk adviser at MDDUS