We installed CCTV in our car park following a review of security arrangements. A patient has asked the practice for a copy of video footage showing him parking his car and entering the building. The patient says that another driver is contesting an insurance claim and he requires the CCTV footage to show that his car was undamaged when he entered our car park. Are we obliged to facilitate his request?
The Information Commissioner’s Office (ICO) has issued a code of practice that provides advice for organisations involved in operating CCTV systems.1
It highlights that recognisable recordings and images captured by CCTV systems are considered to be “personal data” and as such, are subject to the provisions of data protection legislation. Therefore, any person whose image is recorded on a CCTV system has a right to request a copy of their own personal data from the footage.
With respect to disclosing information, the ICO code of practice states:
“Judgements about disclosure should be made by the organisation operating the CCTV system. They have discretion to refuse any request of information unless there is an overriding legal obligation such as a court order or information access rights.”
However, unlike CCTV footage of public roads, a practice car park will identify those individuals who visit the practice and, as the data controller for the CCTV footage, you need to consider the confidentiality of other patients when determining whether or not to disclose the information to a third party.
The ICO advises:
“When disclosing surveillance images of individuals, particularly when responding to subject access requests, you need to consider whether the identifying features of any of the other individuals in the image need to be obscured.”
The doctors at the practice need to be mindful of GMC guidance on confidentiality. The guidance outlines that to disclose personal information, one of 4 situations must apply:
- The patient has provided consent.
- The disclosure is of overall benefit to a patient lacking capacity.
- The disclosure is required by law.
- The disclosure can be justified in the public interest.2
In this scenario, none of the above would apply. Therefore consideration should be given as to whether the patient can be provided with his image without identifying other patients, either by providing a dated and timed still image of his car, or by obscuring the identity of other patients.
In obscuring images of other patients, the onus lies on the practice to arrange this. If you are considering outsourcing the redaction to another organisation, you will need to have a written contract with the processor that specifies exactly how the information is to be used and provides you with explicit security guarantees.
If a situation occurred where you felt you had to refuse a request to disclose footage – for example if it wasn’t practical or possible to redact third party identities – the General Data Protection Regulation states that subject access requests may be refused if a request is “manifestly unfounded or excessive”, although you would have to be able to justify this decision.3
If you have concerns about a request for CCTV footage from a patient, you could either discuss this with the ICO, or alternatively, you can contact the Medical Protection advice line and discuss the case in more detail with an expert from our medicolegal team.
- ICO. CCTV. Available from https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/scenarios/cctv/
- GMC. Confidentiality: good practice in handling patient information (Updated 2018). Available from https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality
- ICO. Right of access. Available from https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/