CCTV Policy
The practice operates CCTV within the premises to offer additional security for patients, staff and visitors.
Our data controller is Dr Arshad Khan.
Introduction
Policy statement
The safety and security of staff, patients, contractors and visitors at Central Medical Centre is of paramount importance. To support the management team in maintaining a safe and secure environment, a closed-circuit television (CCTV) system is used within the organisation.
This system has been installed and is used in accordance with extant legislation:
- Data Protection Act 2018 including Chapter 2 titled ‘The GDPR’
- Surveillance Camera Code of Practice 2013
This document has been produced to provide all staff at Central Medical Centre with the necessary level of information regarding the rationale for the use of CCTV systems in general practice. It also explains how to respond to patients who make enquiries about the use of such systems and how to respond to access requests for data generated by CCTV systems.
Status
The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact that this policy might have regarding the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation. Other individuals performing functions in relation to the organisation, such as agency workers, locums and contractors, are encouraged to use it.
Legislation
Data Protection Act 2018
GDPR gives member states limited opportunities to make provisions for how it applies in their country. Following Brexit, GDPR became UK GDPR and was incorporated as Chapter 2 of DPA 2018.
It is therefore important that the GDPR and the DPA 2018 are read side-by-side.
GDPR
Central Medical Centre has a legal requirement to ensure compliance with the GDPR and that personal data will be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Further reading can be found in the UK GDPR Policy.
Surveillance Camera Code of Practice 2013
The code was released in June 2013 and then updated in both November 2021 and March 2022. It continues to detail 12 guiding principles which strike a balance between protecting the public and upholding civil liberties.
These are:
- Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
- The use of a surveillance camera system must consider its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
- There must be as much transparency regarding the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
- There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
- Clear rules, policies and procedures must be in place before a surveillance camera system is used and these must be communicated to all who need to comply with them.
- No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system and such images and information should be deleted once their purposes have been discharged.
- Access to retained images and information should be restricted and there must be clearly defined rules regarding who can gain access and for what purpose such access is granted. The disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
- Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
- Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
- There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with within the organisation, with regular reports being published.
- When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
- Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
Use of CCTV
Purpose
The purpose of CCTV at Central Medical Centre is to:
- Protect the safety, security and wellbeing of staff, patients, visitors and contractors
- Prevent and detect crime within the organisation; footage may be used to support the prosecution of offenders
- Facilitate learning through reflection on incidents occurring within the monitored areas
CCTV will not be used for any purpose other than those specified above.
Data Protection Impact Assessment (DPIA)
Under Article 30 of the UK GDPR, organisations are required to maintain a record of the processing activities taking place. This applies to both controllers and processors using surveillance systems. The records the organisation keeps should cover areas such as the purpose(s) for the lawful use of surveillance, any data sharing agreements that are in place and the retention periods of any personal data.
For surveillance systems, the organisation must take a data protection by design and default approach and perform a Data Protection Impact Assessment (DPIA) for any processing that is likely to result in a high risk to individuals.
This includes:
- Processing special category data
- Monitoring publicly accessible places on a large scale
- Monitoring individuals at a workplace
The organisation should assess whether the use of surveillance is appropriate in the circumstances. As part of the assessment, the organisation should consider the reasonable expectations of the individuals whose personal data is processed and the potential impact on their rights and freedoms. Central Medical Centre should record its considerations and mitigations in a DPIA prior to any deployment of a surveillance system that is likely to result in a high risk to individuals.
If high risks cannot be mitigated, prior consultation with the Information Commissioner’s Office (ICO) is required and the organisation cannot proceed with the processing until guidance has been received from the ICO.
An example DPIA can be found in the UK GDPR Policy.
Location
CCTV cameras are positioned in the following locations:
- Reception
- Waiting rooms
- Practice Manager’s office
- Kitchen
- Corridor next to reception
- Corridor next to the staff toilets
- Outside the consultation rooms on the left side of the surgery
- Fire exit alley outside the property
- Back of the property
- Entrance lobby
Cameras are all overtly positioned and do not impede upon any clinical areas within the organisation. Appropriate signage is positioned throughout the organisation in the following locations:
- Reception noticeboard
- Entrance
In accordance with Article 13 of the UK GDPR, it is important to ensure that the areas of surveillance are identified. The signs should be placed prominently before the entrance to the system’s field of vision and reinforced with further signs within the area. They should be positioned at a reasonable distance from the places monitored and in such a way that individuals can easily recognise the circumstances of the surveillance before entering the monitored area.
It is also important to ensure that the organisation makes people other than workers, such as visitors who may inadvertently be caught by monitoring, aware of its operation and why the organisation is carrying this out.
A poster to identify that this organisation has CCTV cameras can be found here.
Retention of images and information
Principle 6 of the Surveillance Camera Code of Practice states that images and information obtained from a surveillance camera system should not be retained for longer than necessary to fulfil the purpose for which they were obtained in the first place.
The retention period for different surveillance camera systems will vary due to the purpose for the system and how long images and other information need to be retained to serve its intended purpose. It is not, therefore, possible to be prescriptive about maximum or minimum periods. Initial retention periods should be reviewed by the Practice Manager, Farah Sultana, and reset in the light of experience. A proportionate approach should always be used to inform retention periods and these should not be based upon infrequent exceptional cases.
Although images and other information should not be kept for longer than necessary to meet the purposes for recording them, on occasions a system operator may need to retain images for a longer period, for example where a law enforcement body is investigating a crime to give them the opportunity to view the images as part of an active investigation.
Accessing retained images and information
Principle 7 of the Surveillance Camera Code of Practice advises that access to retained images is restricted. At Central Medical Centre, access is restricted to the data controller, Dr Arshad Khan, GP Principal. In their absence, Farah Sultana, Practice Manager, is authorised to access the retained images and information.
There may be, on occasion, requests by data subjects (individuals) to access images and information that are held about them. In accordance with the GDPR, all data subjects have a right to access their data and any supplementary information held by Central Medical Centre.
Data subjects have a right to receive:
- Confirmation that their data is being processed
- Access to their personal data
- Access to any other supplementary information held about them
The purpose for granting data subjects access is to enable them to verify the lawfulness of the processing of data held about them.
When a request to access images and information is received, the data subject is to be advised to complete the organisation’s CCTV subject access request form as detailed at Annex A. Providing an individual with a transcript of the visual information contained in the footage is not enough to comply in most circumstances.
Data controllers must respond to all data subject access requests as per the Access to Medical Records Policy.
Whilst it is an unusual route to obtain CCTV images, requests for information may also be made under the Freedom of Information Act 2000. Further reading on FOI requests can be found in the Freedom of Information Policy.
As with GDPR, no fee can be charged for processing such requests.
Third party requests for access to images and information
Requests may be received from third parties to access images and information. Such instances may include requests from solicitors to support either a claimant or defendant where a crime has been alleged or, for example, a person’s property has been damaged within the car park.
The data controller must be able to satisfy themselves that the person requesting the data has the authority of the data subject. The responsibility for providing the required authority rests with the third party and is usually in the form of a written statement or consent form, signed by the data subject. It should be noted that such requests for images or information should be approached with care and in accordance with the data protection legislation, as a wide disclosure may be an unfair intrusion into the privacy of the individuals concerned.
Disposal of images and information
As stated in Section 3.4, the images and information are stored for the minimum time period necessary to fulfil the purpose and therefore, at Central Medical Centre, they will be routinely deleted after 6 months.
The deletion process is automatic.
Complaints
Should a patient, visitor or contractor have cause to complain about the organisation’s CCTV system, the data controller should be contacted.
Patients, visitors and contractors are to be advised that complaints will be processed in accordance with the complaints policy.
- Complaints Procedure (England)
- Complaints Procedure (Scotland)
- Complaints Procedure (Wales)
- Complaints Procedure (Northern Ireland)
Access register
The template at Annex B is to be used to record all access to the CCTV system.
Audit
The template at Annex C is to be used to audit the CCTV system at Central Medical Centre.
Summary
CCTV systems are valuable tools that enhance the safety, security and wellbeing of services, staff and patients at Central Medical Centre and are an increasingly common sight in GP practices.
In line with the relevant legislation and code of practice referenced in this policy, it is essential that such systems, and the staff who use them, are compliant and that all guidelines and processes are followed.
Annex A – Application for access to personal/CCTV records (SAR)
APPLICATION FOR ACCESS TO PERSONAL/ CCTV RECORDS (SAR)
In accordance with the Data Protection Act 2018
Section 1: Personal details
- Surname:
- Title:
- Forename:
- Date of birth:
- Address:
- Tel no.:
- Email:
Section 2: Record(s) requested
Please tick the relevant box below. The more specific you can be, the easier it is for us to quickly provide you with the records requested.
□ I am applying for access to view my records only
□ I am applying for an electronic copy of my records
□ I am applying for a printed copy of my records
□ I am applying for CCTV records
Please specify what information you are requesting:
□ Records between specific dates only (please give dates below)
□ Records with regard to a specific incident (please give details below)
□ Other (please give details below)
Declaration
I declare that the information given by me is correct to the best of my knowledge and that I am entitled to apply for access to the records referred to above under the terms of the UK Data Protection Act 2018.
You are advised that the making of false or misleading statements to obtain personal information to which you are not entitled is a criminal offence which could lead to prosecution.
- Signature:
- Date:
Section 3: Proof of identity
Under the Data Protection Act 2018, you do not have to give a reason for applying for access to your records. You will, however, be asked to provide two forms of identification, one of which must be photographic identification.
ADDITIONAL NOTES:
Before returning this form, please ensure that you:
- Have signed and dated the form
- Are able to provide proof of your identity
- Have enclosed documentation to support your request (if applicable)
Incomplete applications will be returned; therefore, please ensure you have the correct documentation before returning the form.
For office use only:
Identity must be verified through two forms of ID, one of which must contain a photo, e.g., passport or photo driving licence, and, for example, a bank statement.
- Request received:
- Request refused:
- Reviewed by:
- Request completed:
- Fee:
- Date sent:
- Comments:
- Identity verified by:
- Date:
- Method:
□ Photo ID or proof of residence – Type ………………………………..
□ Photo ID or proof of residence – Type ………………………………..
Annex B – Access register
Central Medical Centre
Data controller: Farah Sultana
CCTV System Access Register
Date: January
Date | Time | Reason for access | Outcome | Individual
Annex C – CCTV system audit
Central Medical Centre
Data controller: Farah Sultana
CCTV system audit
Date: 03/09/2024
Requirement | Yes | No
- Is the appropriate signage displayed throughout the organisation advising individuals that CCTV surveillance is taking place?
- Do the signs include who is responsible for operating the system and who to contact for further information?
- Is the system fit for purpose, i.e., does it capture quality images?
- Are all clinical areas excluded from CCTV surveillance?
- Does the system require regular maintenance or calibration? If so, is there an appropriate contract in place to facilitate this?
- Are images stored using encryption?
- Is access restricted to the images and information which are collected?
- Is there a CCTV subject access request form available for individuals and third parties to use to request access to images and information?
- Who can access images and information? Dr Khan, Farah Sultana
- What is the retention period? 6 months
- What is the disposal process? Automatically deleted by the camera app.
- Does the organisation have a CCTV or surveillance policy?
- Does the policy reflect the GDPR?
- Are staff aware of the organisation’s policy and how to deal with requests and complaints?
- Is the CCTV system included on the organisation’s asset register?
- Is there a log to record access and disposal?
- What training have staff received in relation to the use of the CCTV surveillance system? Staff do not have access; they are informed of the locations of all CCTV cameras.
Additional comments:
Signed:
Name: