Many GP practices now have CCTV installed to help detect or monitor crime, and for those facing an increase in abuse since the pandemic began it may feel like a useful tool. Medical Protection is seeing increasing numbers of queries from practices faced with requests for CCTV footage to be disclosed as part of subject access requests.
What are the rules around CCTV use?
Healthcare settings in England and Wales are encouraged to comply, on a voluntary basis, with the Government’s Surveillance Camera Code of Practice [1]. The Information Commissioner’s Office (ICO) has also published guidance [2], which was updated in 2008.
The code of practice advises that operators should adopt 12 principles in order to be compliant. These include:
- CCTV should be installed for a specific purpose, including the prevention and detection of crime.
- There must be transparency in the use of CCTV: signs should be displayed warning patients and staff that surveillance equipment has been installed, and the complaints procedure should be visible.
- Recorded images should not be retained for longer than strictly necessary.
- Recorded images should only be disclosed in limited instances and must comply with the purpose for which the practice or hospital can process images; for example, the prevention and detection of crime. Access should also be restricted to specific persons for a specified purpose.
As CCTV images can contain information about individuals, they are governed by the Data Protection Act 2018. Under the Act, individuals, or someone acting on their behalf, have a right to request copies of their personal information, including CCTV footage, through a subject access request (SAR).
GP practices also need to ensure they consider the ethical principles of confidentiality.
The GMC has not published any specific guidance in relation to CCTV. However, its principles of confidentiality [3] apply to any request for disclosure of personal information. Practices need to consider the following criteria:
- The patient has provided consent.
- The disclosure is of overall benefit to a patient lacking capacity.
- The disclosure is required by law.
- The disclosure can be justified in the public interest.
In most situations, if a patient is requesting disclosure of their own CCTV footage, they are consenting to disclosure. Therefore, it is the potential disclosure of information relating to others which needs to be considered.
If practical, you could consider seeking consent from those individuals who may be identifiable in the footage by using practice records of who attended on the day. Realistically a busy waiting room may not allow identification, but it may be possible.
In this circumstance, consent would be needed from those third parties identified in the footage. This then raises the issue of whether seeking consent would disclose personal data of the requester to the third party, or whether it would be inappropriate for the third party to know that the requester has made a SAR.
Because of this, the person requesting the disclosure would also need to consent to their information being shared with other patients in the CCTV image.
As the setting of a waiting room means that most people there are seeking medical advice, doctors need to consider their duty of confidentiality including whether disclosure could harm the doctor-patient relationship and how the request would be handled if a third party were to refuse.
Redaction of third-party information
If others in the footage cannot be identified, or do not consent to disclosure of their images, redaction may be required. This would involve using technology to allow the footage to be altered to obscure the images of other people, which may also apply to car registration plates and other identifiable information.
In some situations, disclosure may be required in the public interest. This could include the prevention or detection of serious crime, but also in circumstances where the benefits of disclosure outweigh the patient’s interest in keeping the information confidential.
Practices should be aware that ‘serious crime’ is not clearly defined in law. The NHS Code of Practice on confidentiality [4] considers disclosures in the public interest in greater detail.
Refusal of disclosure
There may be circumstances when disclosure is not possible. This is likely to arise in the context of potentially releasing third-party information or if a request is considered manifestly excessive or unfounded.
A SAR is not necessarily excessive just because a large amount of data is requested. It should be considered in terms of workload involved, previous requests and available resources.
Manifestly unfounded requests could include when the request is malicious in intent.
It may be difficult to have a single policy covering these circumstances; each request should therefore be considered on its own merit and in the context in which it is made.
Where a practice feels they cannot comply with a SAR, they should ensure that the person making the request is aware of the reason why it cannot be complied with. They should also be made aware of their right to complain to the ICO and their ability to enforce their right through the court.
Practices that have CCTV installed should ensure they have a clear policy to comply with the ICO code of practice.
When a request for information is received which may involve disclosure of CCTV imaging and there are concerns, GP practices could seek support from their medical defence organisation, Caldicott guardian or local data protection officer.
A patient, recently removed from a practice list for aggression, was appealing to the CCG to be reinstated on the list. The patient wished for a copy of her CCTV footage from two incidents that the practice had cited in the letter removing her from their practice list. A partner at the practice wanted to know whether the practice had an obligation to comply with the request.
The doctor was initially unaware that this should be managed as a subject access request. Third-party information was contained in the CCTV footage and, as no serious crime had been committed, there was no obvious public interest in disclosure without consent.
The practice was able to successfully anonymise the third-party information through obscuring the other patients and complied with the request. The outcome from the appeal to the CCG is still awaited.
- Dr Emma Green is medicolegal consultant at Medical Protection
1. Surveillance camera code of practice. Home Office. 2013
2. In the picture: A data protection code of practice for surveillance cameras and personal information. Information Commissioner’s Office. Version 1.2
3. Confidentiality. General Medical Council
4. Confidentiality: NHS Code of Practice. Department of Health. November 2010