Medical Protection is seeing increasing numbers of queries from GP practices faced with requests for CCTV footage to be disclosed as part of subject access requests. Dr Emma Green, Medicolegal Consultant at Medical Protection, looks at the relevant law and offers some practical steps for handling these requests
Many GP practices now have CCTV installed to help detect or monitor crime, and for those facing an increase in abuse since the pandemic began it may feel like a useful tool.
CCTV use in healthcare settings in England and Wales is encouraged to be compliant with the Government’s Surveillance Camera Code of Practice (2013)1 on a voluntary basis. The Information Commissioner’s Office (ICO) also published guidance2 for organisations in 2000 which was updated in 2008. Although it has not been updated since the Data Protection Act (DPA) (2018) came into force, the principles remain the same.
The code of practice advises that operators should adopt 12 principles in order to be compliant. These include:
- CCTV should be installed for a specific purpose. This might include the prevention and detection of crime.
- There must be transparency in use of CCTV - signs should be displayed warning patients and staff that surveillance equipment has been installed, and the complaints procedure should be visible.
- Recorded images should not be retained for longer than strictly necessary.
- Recorded images should only be disclosed in limited and prescribed instances and must comply with the purpose for which the practice or hospital can process images; for example, the prevention and detection of crime. Access should also be restricted to specific persons for a specified purpose.
As CCTV images can contain information about individuals, they are governed by the Data Protection Act 2018. Under the Act, individuals or someone acting on their behalf, have a right to request copies of their personal information as a subject access request (SAR). The ICO advises that disclosure of CCTV needs to be done in an appropriate format with appropriate security. The ICO advice applies to all organisations, however GP practices need to ensure they consider the ethical principles of confidentiality.
The GMC has not published any specific guidance in relation to CCTV. However, it’s principles of confidentiality3 apply to any potential request for disclosure of personal information. In order to justify disclosure of confidential information, practices with CCTV need to consider the following criteria:
- The patient has provided consent.
- The disclosure is of overall benefit to a patient lacking capacity.
- The disclosure is required by law.
- The disclosure can be justified in the public interest.
In most situations, if a patient is requesting disclosure of their own CCTV footage, they are consenting to disclosure. Therefore, it is the potential disclosure of information relating to others which needs to be considered.
If practical you could consider seeking consent from those individuals who may be identifiable in the footage by using practice records of who attended on the day. Realistically a busy waiting room may not allow identification, but if there are small numbers of patients it may be possible.
In this circumstance, consent would be needed from those third parties identified in the footage. In itself, this then raises the issue of whether it would potentially disclose personal data of the requester to the third party that they were not already aware of; or it would be inappropriate for the third party to know that the requester has made a SAR.
In order to fulfil the above obligation, the person requesting the disclosure would also need to consent to their information being shared with other patients in the CCTV image.
As the setting of a waiting room means that most people there are seeking medical advice, doctors need to consider their duty of confidentiality including whether disclosure could harm the doctor-patient relationship and how the request would be handled if a third party were to refuse.
Redaction of third party information
If others in the footage cannot be identified, or do not consent to disclosure of their images, redaction may be required. In CCTV terms, this would involve using technology to allow the footage to be altered in order to obscure the images of other people identifiable in the recording. This may also apply to car registration plates and other potentially identifiable information.
In some situations, disclosure may be required in the public interest. This could include the prevention or detection of serious crime but also in circumstances where the benefits of disclosure to an individual or society outweigh the patient’s interest in keeping the information confidential. Practices should be aware that “serious crime” is not clearly defined in law and the bar for this may be high however it will almost certainly include murder, manslaughter, rape and child abuse. Along with other crimes that have a high impact on the victim. The NHS Code of Practice on confidentiality4 considers disclosures in the public interest in greater detail.
Refusal of disclosure
The DPA (2018) and UK GDPR recognises that there may be circumstances when disclosure is not possible. In practice these circumstances are likely to arise in the context of potentially releasing third party information (as covered above) or if a request is considered to be manifestly excessive or manifestly unfounded, although other exemptions are covered in detail by the ICO.
Manifestly excessive requests need to be considered in the context of the balance of the burden or costs involved in dealing with the request along with other factors such as previous requests, available resources and whether it overlaps with other requests. A SAR is not necessarily excessive just because a large amount of data is requested.
Manifestly unfounded requests should be considered in relation to those situations where an individual has no intention to exercise their right of access, or when the request is malicious in intent.
These circumstances may be difficult to have a single policy on, therefore each request should be considered on its own merit and in the context in which it is made.
Where a practice feels they cannot comply with a SAR in relation to disclosure of CCTV, they should ensure that the person making the request is aware of the reason why it cannot be complied with. They should also be made aware of their right to complain to the ICO regarding the decision and their ability to enforce their right through the court.
Practices should ensure that if they have CCTV installed that they have a clear policy to comply with the ICO code of practice.
A SAR should be recognised and responded to within the time frame dictated in the DPA (2018) and CCTV may need to be considered when responding to a request.
When a request for information is received which may involve disclosure of CCTV imaging and there are concerns, members in GP practices can seek support from Medical Protection, their Caldicott guardian or the local data protection officer.
Dr T, a GP partner, recently contacted Medical Protection to request advice relating to a request for a copy of CCTV footage. A patient, recently removed from the practice list for aggression, was appealing to the CCG to be reinstated on the list. The patient wished for a copy of her CCTV footage from two incidents that the practice had cited in the letter removing her from their practice list. Dr T wished to know whether the practice had an obligation to comply with the request.
The doctor was initially unaware that this should be managed as a subject access request. After discussion with the Medicolegal team the issues were narrowed down to the fact that third-party information was contained within the CCTV footage and as no serious crime had been committed there was no obvious public interest in disclosure without consent.
The practice was able to successfully anonymise the third-party information through obscuring the other patients and complied with the request. The outcome from the appeal to the CCG is still awaited.
- Surveillance camera code of practice. Home Office. 2013
- In the picture: A data protection code of practice for surveillance cameras and personal information. Information Commissioner’s Office. Version 1.2
- Confidentiality. General Medical Council
- Confidentiality: NHS Code of Practice. Department of Health. November 2010