Watching the watchers

MDDUS receives regular calls from members in relation to the use of video surveillance within their premises. Requests for advice range from members wishing to monitor the waiting room or staff areas – because they have a specific suspicion about bad (or even criminal) behaviour or simply as a precaution – to requests for third-party access to CCTV or video surveillance footage after an incident has occurred.

The Information Commissioner’s Office (ICO) has significantly revised their CCTV code of practice in recent years and these changes must be considered in addition to requirements from the new General Data Protection Regulation (GDPR) (via a new UK Data Protection Bill) and developments in the technologies by which CCTV can be delivered.

The underlying principles of data protection legislation in relation to video surveillance remain the same – for example the need for transparency about camera position/use, security and rights of access. However, practices will need to demonstrate that they comply with:

• more prescriptive transparency requirements
• security protocols in the light of more stringent obligations, particularly around breach notification.

In the future, it is very likely that a privacy impact assessment (PIA) will be required before implementing video surveillance within your practice. Developing a PIA in relation to installing video surveillance is the most effective way to comply with obligations and also demonstrate that appropriate measures have been undertaken to ensure compliance.

Practices already using video surveillance tools should consider undertaking a PIA now. Normally these will be conducted before implementing any new method of processing personal data, but they should be treated as a continual process and updated throughout the lifecycle of a project, especially if there are any significant changes to procedures. Taking action now will mean you are prepared and will have evidence in place to demonstrate accountability when the GDPR comes into force in May 2018.

What is required in a PIA?

• A description of the method of video surveillance and its purpose. This should include what the project aims to achieve and what the benefits will be to the practice, patients and staff. This will identify the ‘legitimate interests’ of the practice in implementing this form of data processing (a legitimate interest is a business interest which has been balanced against the interest of the individual(s) concerned).
• An assessment of the necessity and proportionality of the processing (e.g. video surveillance) in relation to the stated purpose. The views of the individuals should be taken into consideration (e.g. a patient participation group/employees as relevant), including expectations about how their data will be used and whether it will have unjustified effects on them.
• An assessment of the risks to individuals.
• The measures in place to address these risks. Measures are likely to include information to patients and staff, and security safeguards, storage, access and reasonable retention protocols.

For further assistance, see the ICO’s code of practice on privacy impact assessments.

In relation to mitigating the risk of a security breach, it is also important to update your practice on the notification requirements in relation to data breaches. Under the GDPR it is likely that practices will be required to report a personal data breach of sensitive patient information to the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of it. Practices should update their processes now, and information is available on the ICO website. If in doubt, contact the ICO and/or MDDUS for advice if a breach occurs.

Advancing surveillance technology

As digital cameras become more prevalent, more information will be sent and received via the internet. Backups can be located in local or cloud storage and can be available to users over the web. Whilst many systems provide opportunities for enhanced and often automatic protocols – including auto-deletion after specific periods, audit trails of individual access, and encryption and pseudo-anonymisation techniques – the associated risks must be documented and mitigated. Risks include unauthorised access, the ability to disable cameras remotely and failure to ensure appropriate security updates are installed. If a third-party organisation is contracted to manage your system, a robust data-sharing agreement should also be in place. Guidance on this is also available from the ICO here.

Transparency

Practices will need to expand the information available about the use of video surveillance. It should be clear to individuals – in this case mainly patients or employees – where, when, how and by whom their data will be processed. This can be achieved with the use of clear signage and privacy notices, which will need to include details such as:

• What information is being collected?
• Who is collecting it along with contact details?
• How is it being collected?
• Why is it being collected?
• How will it be used?
• Who will it be shared with?
• How long you intend to keep it?
• Whether the data will be transferred outside the E.U. (e.g. for cloud hosting).
• Individual rights to access personal information/raise a complaint about how information is handled – and how to do so.

ACTIONS

• Give further consideration to whether you have a legitimate reason for using video surveillance.
• Undertake a privacy impact assessment to ensure you are able to demonstrate compliance with good information governance.
• Consider security risks and create a plan to mitigate these.
• Ensure information about your use of video surveillance is transparent and visible via signage and the use of privacy notices.

Liz Price is senior risk adviser at MDDUS