Back

Blogs

Why cyber security matters this Black Friday

View All

Case Studies

Supporting BrainDrip LLC's Entry into the Hydrogen Market

View All

Upcoming Events

Utility Week Awards 2024

View All

Webinars

The Future of Security: Convergence of Physical and Cyber Domain 3/3

View All

Thoughts

Balancing the increased use of surveillance in healthcare with individuals’ privacy rights

6th Oct, 2022

The use of surveillance and monitoring technology within a healthcare setting is becoming increasingly utilised to help keep people safe or monitor their wellbeing as well as facilitating the detection and prevention of crime. Given the large number of individuals who attend the healthcare environment, CCTV is deemed to be a cost-effective tool for increasing security and controlling costs along with the benefits of providing continuous real-time monitoring, increasing overall security and safety, preventing dishonest claims and long-term digital archiving.

There are certainly benefits for using surveillance and monitoring tools, particularly in terms of observing areas in real time or as a crime deterrent; however, it is essential to consider the intrusive effect of monitoring individuals using tools that track behaviour. This could mean that individuals could adapt their behaviour due to the surveillance curtailing someone’s right to privacy, which is a human rights issue. Therefore, it is imperative that installation of such technologies must be approached with an element of caution to determine whether the same outcome can be achieved by other means which would protect people’s privacy and human rights.

It’s also important to understand the confidentiality implications of having a surveillance system in place as well as the legal obligations and guidance set out by the Care Quality Commission, the Surveillance Camera Commissioner, the Biometrics Commissioner and the Information Commissioner’s Office, all of which regulate activities relevant to surveillance.

If surveillance technologies are being used to help keep people safe or monitor their wellbeing, the activity would normally be treated as part of their care. However, there may be exceptions where some public authorities will wish to exercise the powers specified in the Regulation of Investigatory Powers (RIPA) Act 2000  in relation to a specific incident or allegation. Most surveillance and monitoring activities undertaken by organisations in relation to care must meet the regulations set out under the Health and Social Care Act. Any recordings also count as information about individuals, and organisations would need to ensure those recordings are reasonable, lawful and appropriate.

When is surveillance and monitoring helpful within a healthcare environment?

Surveillance technology can help:

  • Protect people’s safety, from the risk of unsafe care or treatment – Can be used to assist with incidents or investigations
  • Keep premises secure – Can be used to monitor movement and behaviours of individuals who enter/exit buildings
  • To help individuals/patients to stay safe – Can be used within areas such Accident & Emergency to protect patients from potential aggressive behaviours from others.

Covert surveillance within healthcare

Most organisations are likely to use open surveillance, which means not using hidden cameras, to monitor individuals/patients as covert intrusive surveillance will only be justified in very exceptional circumstances.

Covert surveillance can only be used where the healthcare provider has genuine suspicions of criminal abuse, neglect or serious malpractice affecting safety, and where open use of surveillance might prejudice detection.  Its use must be authorised by a ‘Responsible Person’ as set out in RIPA. Surveillance must be strictly targeted and proportionate to the activity; it cannot go wider than what is necessary and relevant for the investigation. If during a surveillance exercise the cameras capture images of wrongdoing unrelated to the original purpose, they can only be used if the actions are sufficiently serious to make this reasonable and necessary e.g., an act of gross misconduct as opposed to minor misconduct. For example, if cameras were installed to detect suspected abuse of patients, incidental footage can’t be used as the basis for disciplining an employee for being late. Any individuals who are not the target of the investigation should be obscured or deleted in these cases.

What are the most common risks?

  • Lack of overall control of the personal data being processed. For example, who decides what is to be recorded, how it should be used and to whom it may be disclosed if needed, which could lead to information being used beyond the purpose it was intended for. This can be a common problem if responsibilities and purpose is not clearly defined, understood and communicated.
  • Written contracts do not clearly define the responsibility relating to the processing, which can lead to data being used beyond the purpose intended or inadequately secured. Third party data processors should only act on instruction from the data controllers.
  • Inadequate technical design or antiquated surveillance systems that don’t allow organisations to easily locate and extract personal data in response to individuals exercising their rights, which means footage could contain imagery of other unrelated individuals. For example, in response to disclosures to authorised third parties such as law enforcement. In essence a surveillance system must be compliant with the Data Protection Act to be admissible in court and therefore must have the functionality for third parties to be obscured and extracted.
  • Surveillance systems selected may not provide good quality imaging which means it cannot achieve its purpose. This raises questions as to why it is being used and it is therefore likely that the organisation will be unable to demonstrate compliance with data protection principles.

 

What can a healthcare provider do to meet its data protection obligations relating to surveillance?

In order to avoid potential risks, it is essential that privacy intrusive technologies comply with the principles of data protection and human rights, particularly if the main focus historically has been on technical capability rather than the type of personal data being processed.

The accountability principle requires a provider to take responsibility for what it does with personal data and how it complies with the other principles.

Appropriate measures and records must be in place along with maintaining accountability obligations to be able to demonstrate compliance. These could include:

  • Think about whether the purpose can be achieved by less privacy intrusive means to achieve the same outcome
  • Ensuring the technology allows your organisation to meet its data protection obligations, such as extracting information for disclosure, and is fit for purpose
  • Being clear about the purpose of the surveillance system
  • Seeking professional advice about the most appropriate surveillance technology: the location of cameras, facial recognition, time/date stamps, etc. As with any third-party supplier, put in place a contract which includes guarantees about issues such as security and patient confidentiality when processing images
  • Be as transparent as possible in the use of surveillance technologies
  • Conduct regular reviews to ensure surveillance remains justified
  • Images and information should be stored only if required and deleted once no longer needed
  • Access to secured images and information must be limited, including for law enforcement purposes
  • Have clearly communicated rules, policies and procedures in place
  • Install clearly visible signs that state surveillance technologies have been installed and provide required privacy information

Authors

Llinos Bradley

Principal Consultant - Data Privacy

Read Bio