Use of CCTV in healthcare premises

CALLS from MDDUS members for advice on the use of CCTV in general medical and dental practices have been increasing. Typical queries from practices considering the installation of CCTV include: “We think a staff member is stealing from our petty cash – can we install CCTV to catch them in the act?” or “We have a number of known violent patients registered with the practice and we would like to install CCTV in the waiting room to deter them”.

Practices that have systems already installed most commonly contact us for advice on whether or not to disclose information captured on film. For example: “There’s been a bump in the practice car park – can we share CCTV footage with the affected party and/or police?” or “The police are investigating a rumour that a patient is dealing drugs in our waiting area and want to see our footage for last Wednesday”.

The decision to install electronic surveillance within your practice premises requires careful consideration. Is it necessary and proportionate to resolve the identified need? How will the data be stored, accessed, processed and by whom? What footage must or should be shared? These are all important points to consider before installing a CCTV system or you could find yourself in breach of data protection legislation.

The Information Commissioners Office (ICO) recently updated their guidance in this area in light of technical developments and to ensure that those who use surveillance cameras to collect personal data stay within data protection and privacy legislation. Any MDDUS members considering the need for CCTV should ensure they are familiar with this guidance, and those practices who already have surveillance in place should review it to ensure they comply fully with the requirements.

Have you identified a need for surveillance?

It is important to consider whether use of CCTV is justified. What is the purpose and is it a necessary and proportionate measure to meet that need? Could there be other more appropriate measures?

For example:

• installing enhanced lighting in an area prone to vandalism

• re-positioning a receptionist so patient areas can be closely monitored

• purchasing a secure cabinet for important documents and items

• limiting access to certain areas of the premises.

Before installing a CCTV system practices must also take into consideration GMC/GDC guidance on patient confidentiality – and also your responsibilities as an employer, particularly where you plan to use CCTV in staff areas. Just because you have information doesn’t mean that you will be able to share it.

Ensure that any planned systems and procedures comply with your legal obligations. Is the CCTV sited to only collect the necessary information required? It should not cover areas that are not of interest, as this breaches the principle that the information collected should only be that which is necessary for the identified purpose.

Is there a policy for securely storing and handling the information? How long do you keep the information? Retention times should be reasonable based on the purpose for which it is being used.

Access to data should be limited and authorised staff should be made aware that it is a criminal offence to misuse the information. They also must be competent to access and edit or extract information where disclosure is appropriate as there may be a requirement to obscure the identity of individuals.

Patients and staff must be made aware of their right of access to footage which contains their images – so the practice will have to inform individuals that the CCTV is in place and for what purpose. Notices and social media can be used for this and signage should include details of who to contact for more information, for example the practice manager. A maximum of £10 can be charged in response to a subject access request.

Clear policies should be in place for responding to requests for access to footage, including when it is likely to be appropriate to make a disclosure and when it is not.

When deciding to disclose footage that shows others, consider the expectations of those individuals involved, regulatory responsibilities and legitimate public interest in the information. As above, you may have to take steps to disguise the identity of third parties captured in any footage, for example through the use of pixelation technology When a disclosure is made you should record the date of the disclosure along with details of who the information has been provided to (the name of the person and the organisation they represent) and why they required it.

Do you already have CCTV already in place?

Practices should ensure they have notified the ICO that this type of data is being collected and being updated annually. You should regularly review whether use of surveillance is still necessary and proportionate. Check that policies and procedures are in place as above and that proactive checks are ongoing to ensure compliance with procedures around security and processing.

ACTION: Consider carefully the genuine need for electronic surveillance in a practice and ensure compliance with data protection requirements in either existing or planned CCTV installation.