How we check the use of surveillance

Page last updated: 12 May 2022


How we check that surveillance is being used in a safe and appropriate way.

We are committed to embedding human rights into our regulatory approach. Assessing the safe and appropriate use of CCTV supports our ability to comment on equality and human rights in health and social care.

If you are using CCTV in your service, you must be registered/licensed with the Information Commissioner's Office (ICO).

Your reasons for using CCTV should be covered in your data protection impact assessment (DPIA).

Both the ICO and the Surveillance Camera Commissioner (SCC) provide guidance on how to complete the DPIA.

You must carry out a DPIA where CCTV is likely to result in a high risk to people's rights and freedoms.

We would expect to see a completed DPIA for services using CCTV as many services are people’s homes, and/or provide diagnosis and treatment.

The 7 principles

If a provider is using CCTV or other forms of surveillance, we will check them against these 7 principles:

  1. Safeguarded: Recording equipment has appropriate safeguards (Reg 12 and 13 of HSCA 2014 Regs)
  2. Secured: Recording equipment is housed securely and is appropriate to the purpose for which it is used (Reg 15 of HSCA 2014 Regs)
  3. Privacy: Privacy and dignity of people is at the heart of any considerations when deploying recording equipment (Reg 10 of HSCA 2014 Regs)
  4. Involved: People must be involved in decisions when using recording equipment in private rooms (Reg 9 & 11 of HSCA 2014 Regs: i.e. have appropriate consent and follow the MCA 2005 principles)
  5. Lawful: Recording equipment has a specific legal basis for its use and complies with all relevant legislation and codes of practice (Reg 17 of HSCA 2014 Regs: i.e. GDPR, HRA 1998, ICO, SCC)
  6. Trained: Staff are trained on the use of the recording equipment (Reg 18 of HSCA 2014 Regs)
  7. Transparent: Recording equipment is used in a transparent manner (GDPR article 5 principles)

Taking each of the 7 principles outlined above in turn, a provider can:

Demonstrate people are safeguarded by showing:

  • Policy on disclosure of recordings to appropriate bodies: safeguarding, CQC, Police, Coroner.
  • Equipment is secured in a way which reduces risk of recordings being shared in an unauthorised way by staff.
  • Equipment is used in a way which promotes safe care and treatment.
  • Appropriate authorisation, where applicable, of deprivation of liberty (e.g. DoLS) if used in private areas, and notifications made to CQC.
  • Consultation with ICO on DPIA where there is a high risk (recording in private rooms).

Demonstrate recordings and information are secured by showing:

  • Policy on security of recording equipment.
  • Access to the system by login and password, with a full audit trail and need-to-know access.
  • Equipment is kept in a private area not accessible to public.
  • Encryption of recordings.
  • Ability to restore the availability and access to personal data in case of data loss.
  • Appropriate security if there is remote access to the system.

Demonstrate people’s privacy is protected by showing:

  • Data Protection Impact Assessment – Documenting purpose, necessity and assessment of risks.
  • Privacy by design – Evidence showing the consideration of privacy from the outset, considering less intrusive methods.
  • Discussions with people who use services and their families about the implementation of recording equipment.
  • Documented consent making it clear no one will be disadvantaged if they refuse consent.
  • Documented best interests’ decisions where individuals lack mental capacity to consent.

Demonstrate people are involved by showing:

  • Discussions with people who use services and their families about the implementation of recording equipment and the impact it could have.
  • Documented consent making it clear no one will be disadvantaged if they refuse consent. Consent is regularly reviewed.
  • Documented best interests’ decisions where individuals lack the mental capacity to consent.
  • Consultation with third parties (other care professionals, Information Commissioner's Office, visitors to the service). Note: there is a requirement to consult with the ICO on high-risk processing as part of the DPIA process.

Demonstrate the use of surveillance is lawful by showing:

  • Documented lawful basis within DPIA.
  • Regular evaluation of whether it is necessary and proportionate to continue using it.
  • Where a third-party processor is used, this should be governed by a contract.
  • Data Protection Policy with specific reference to the use of recording equipment.
  • Appropriate privacy notice provided to all persons liable to be recorded (staff, people, visitors) including on website.
  • Compliance with rights of data subjects (access, restriction, erasure).
  • ICO registration.

Demonstrate that staff using the system are trained by showing:

  • Staff should have annual information governance training according to Data Protection Statutory Training (DPST).
  • Staff should receive specific training on the use of the equipment.
  • HR policies should explain the disciplinary actions for misuse of the system.

Demonstrate it is a transparent use of CCTV by showing:

  • Discussions with people who use the service and their families about the implementation of recording equipment and the impact it could have.
  • Appropriate signage warning of the use of recording equipment.
  • Appropriate privacy notice provided to all persons liable to be recorded (staff, people, visitors) including on website.
  • Publication of the DPIA.