CCTV in healthcare

The use of surveillance in healthcare settings can be problematic because of the need to protect patients' confidentiality.

CCTV cameras in hospitals and GP practices can be useful in helping to deter or monitor crime in public areas, but it's important to understand the confidentiality implications of having a surveillance system in place, as well as the legal obligations.

National guidance

The government's Surveillance camera code of practice was published in 2013 and applies to local authorities and the police. Other operators and users of surveillance camera systems in England and Wales - including healthcare settings - are encouraged to make a public commitment to adopt it voluntarily.

The 12 guiding principles of the code include the requirement to:

  • be clear about the purpose of the surveillance system
  • be as transparent as possible in the use of CCTV
  • have clearly communicated rules, policies and procedures in place.

The Government's Code is intended to be used in conjunction with the CCTV code of practice, which contains detailed information on what CCTV operators must do to comply with data protection law. The document has not yet been updated since the Data Protection Act 2018 came into effect, but until it is revised the same principles can be seen to apply to the new regulations.

Among these:

  • CCTV should be installed for a specific purpose, such as the prevention or detection of a crime
  • signs should be displayed warning patients and staff surveillance equipment has been installed
  • images should not be retained for longer than strictly necessary
  • recorded images should only be disclosed in limited and prescribed instances and must comply with the purpose for which the practice or hospital can process images; for example, the prevention and detection of crime
  • only relevant parts of any footage should be disclosed and people unrelated to the incident should be blurred out.

Ethical guidance

The GMC has not published specific guidance on the use of CCTV, but it's clear that any disclosure of CCTV footage must comply with its guidance on confidentiality.

This states that personal information may be disclosed in the public interest, without consent, 'if the benefits to an individual or society outweigh both the public and the patient's interest in keeping information confidential'.

You should generally seek consent unless it is not practicable to do so because it would 'undermine the purpose of the disclosure - for example, by prejudicing the prevention, detection or prosecution of a serious crime'.

If, for example, a patient had been identified on a CCTV image following a serious assault in the practice waiting room, a doctor is unlikely to be criticised for disclosing to the police that they had attended the practice (but the doctor should not provide details of their medical history or reason for their attendance).

However, each disclosure decision should be considered on its own merits, and it's a good idea to check with the MDU.

MDU CCTV checklist

If you are planning to install CCTV, consider the following learning points.

  • Record your reasons for installing CCTV and ensure they are proportionate and legitimate, such as crime prevention. The ICO says the use of CCTV should be reviewed each year. Seek advice from your local Caldicott Guardian or data protection officer (DPO), if necessary.
  • Ask one person within the practice, ideally the data controller, to be responsible for ensuring your CCTV system complies with the law and your ethical duty to protect patients.
  • Seek professional advice about the most appropriate surveillance technology, the location of cameras, facial recognition, time/date stamps, etc. As with any third party supplier, put in place a contract which includes guarantees about issues such as security and patient confidentiality when processing images.
  • Install clearly visible signs which state CCTV cameras have been installed.
  • Restrict access to stored CCTV images and only view them in a secure area. Do not retain images for longer than necessary, unless they are needed as evidence.
  • Do not disclose images of patients without consent, except in exceptional circumstances when this can be justified in the public interest. Where other people are recorded on the same footage, their image should be blurred to protect their confidentiality.
  • Your practice privacy policy should cover the installation of cameras, the safe storage of images, retention periods, disclosure to the police and subject access requests.

This page was correct at publication on 30/08/2018. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

You may also be interested in

Guide

Confidentiality issues in insurance and other reports

A wide range of doctors provide reports about patients to third parties in the course of their work.

Read more
Guide

Avoiding email dangers

Security and protection of personal data is a key concern when emailing clinical information.

Read more
Guide

Confidentiality and disclosing information after death

Your duty of confidentiality to a patient continues after their death.

Read more