CCTV cameras in hospitals and GP practices can be useful in helping to deter or monitor crime in public areas, but it's important to understand the confidentiality implications of having a surveillance system in place, as well as the legal obligations.

National guidance

The government's Surveillance camera code of practice, which contains detailed information on what CCTV operators must do to comply with data protection law. The amended code came into effect on 12 January 2022 and applies to local authorities and the police.

Other operators and users of surveillance camera systems in England and Wales - including healthcare settings - are encouraged to make a public commitment to adopt it voluntarily. The government's code is intended to be used in conjunction with the guidance provided by the Information Commissioner's Office (ICO).

The National Strategy for Public Space CCTV in Scotland does not impose requirements on organisations although adopting the standards in chapter two of the strategy is encouraged, and there is significant crossover with the above Surveillance camera code of practice.

However, the ICO guidance referred to in this guide applies across the UK.

The 12 guiding principles of the code include the requirement to:

be clear about the purpose of the surveillance system
be as transparent as possible in the use of CCTV
conduct regular reviews to ensure CCTV use remains justified
images and information should be stored only if required and deleted once no longer needed
access to secured images and information must be limited, including for law enforcement purposes
have clearly communicated rules, policies and procedures in place.

Ethical guidance

The GMC has not published specific guidance on the use of CCTV, but it's clear that any disclosure of CCTV footage must comply with its guidance on confidentiality.

This states that personal information may be disclosed in the public interest, without consent, "if the benefits to an individual or society outweigh both the public and the patient's interest in keeping information confidential".

You should generally seek consent unless it is not practicable to do so because it would "undermine the purpose of the disclosure - for example, by prejudicing the prevention, detection or prosecution of a serious crime".

If, for example, a patient had been identified on a CCTV image following a serious assault in the practice waiting room, a doctor is unlikely to be criticised for disclosing to the police that the patient had attended the practice (but the doctor should not normally provide details of their medical history or reason for their attendance).

However, each disclosure decision should be considered on its own merits, and it's a good idea to check with us.

MDU CCTV checklist

If you're planning to install CCTV, consider the following learning points.

Record your reasons for installing CCTV and ensure they are proportionate and legitimate, such as crime prevention. The ICO says the use of CCTV should be reviewed each year. Seek advice from your local Caldicott Guardian or data protection officer (DPO), if necessary.
Ask one person within the practice, ideally the data controller, to be responsible for ensuring your CCTV system complies with the law and your ethical duty to protect patients.
Seek professional advice about the most appropriate surveillance technology, the location of cameras, facial recognition, time/date stamps, etc. As with any third-party supplier, put in place a contract which includes guarantees about issues such as security and patient confidentiality when processing images.
Install clearly visible signs that state CCTV cameras have been installed.
Restrict access to stored CCTV images and only view them in a secure area. Do not retain images for longer than necessary, unless they are needed as evidence.
Do not disclose images of patients without consent, except in exceptional circumstances when this can be justified in the public interest. Where other people are recorded on the same footage, their image should be blurred to protect their confidentiality.
Your practice privacy policy should cover the installation of cameras, the safe storage of images, retention periods, disclosure to the police and subject access requests.

CCTV in healthcare

Related articles

Membership in your pocket