The use of CCTV in care homes — The legal issues
Is the use of surveillance cameras in care homes an acceptable practice? We look at the legal issues to be considered in making an informed decision.
This question has been subject to regular debate in the care home sector and the media, often in the context of cases where care homes have been seen to have failed their residents.
Some supporters of the use of CCTV have welcomed it as a way of providing additional protection to vulnerable residents, but opponents have expressed concerns about the adverse implications for the privacy and dignity of residents, particularly if filming is proposed to include bedroom areas.
The debate has included discussion on whether covert filming can ever be appropriate in care homes, but this briefing focuses on the use of non-covert cameras in care homes.
Care Quality Commission (CQC)
The CQC has recognised that the use of CCTV cameras may be the best way to ensure safety or quality of care but highlights the need to consider whether less intrusive steps can be taken by providers to ensure the same aims are achieved.
The CQC emphasises the need to consult with the people who use the care service, including residents, families and other visitors to care homes and also staff when deciding about whether and how to use surveillance.
Where a decision has been made to use surveillance, the relevant consideration should be carefully documented as it is a matter that may be subject to scrutiny in the context of a CQC inspection.
General Data Protection Regulation (GDPR)
GDPR came into effect in the UK in May 2018, replacing the Data Protection Act 2018. Given that CCTV recordings in the care home environment will almost certainly contain information that identifies individuals and the recordings are also likely to include information about the health of residents, it is very important that those considering whether to place cameras in care homes consider the relevant legal provisions relating to data protection to ensure compliance with the law. The Information Commissioners Office (ICO) regulates matters relevant to surveillance and will therefore be likely to raise concerns if he use of cameras is not compliant with GDPR.
If a care home provider has given proper consideration to the legal issues under the previous data protection legislation, namely the Data Protection Act 1998, this will be a positive step towards legal compliance but there are likely to be additional complexities in ensuring that the rights of data subjects are dealt with in a lawful manner under GDPR.
The GDPR requires compliance with various data protection principles that are broadly similar to those within the previous Data Protection Act 1998.
A new accountability principle specifically requires those processing data to take responsibility for complying with the principles and to have appropriate processes and records in place to demonstrate compliance.
The principles impose obligations on data controllers to ensure that personal data is collected for “specified, explicit and legitimate purposes”. This article does not propose to discuss processing conditions in any degree of detail.
It is important for care homes to recognise that as data controllers it is incumbent on them to identify the relevant lawful bases for processing for both personal and special category data; this should be reflected in the organisation’s privacy notice.
Transparency is at the heart of the GDPR and care homes that propose to use CCTV, particularly in bedroom areas, should review how to ensure transparency and deal with objections. It is important to note that if consent is relied upon as the lawful ground for processing, it must be express and not inferred and that there must be simple ways by which the data subject can withdraw consent.
Obtaining consent in the care home setting will often be impracticable given that some residents will suffer from dementia or other conditions affecting their ability to comprehend information relevant to the consent process.
The Mental Capacity Act and the MCA Code of Practice will be important in such situations. Controllers will typically seek to avoid reliance on consent for GDPR purposes and thus will need to identify at least one appropriate ground in Article 6 and Article 9(2).
Central to whether the use of CCTV is justified will be how it will support the needs and interests of the residents of the home.
Particular thought will need to be given to whether CCTV can be used in bedroom areas having regard to the legal requirements on sensitive personal data, including data concerning a person’s health.
Under the GDPR, the processing of such data will only be lawful if the data subject (in this case the resident) has given explicit consent to the processing of that data for one or more specified purposes or one of the other exemptions in Article 9(2) applies.
Where reliance is placed on the “legitimate interest” ground in Article 6 GDPR, the care home will need to give consideration to whether there is a legitimate interest (such as the protection of a resident in a suspected case of ill-treatment by a member of the home’s staff), whether the processing of the data is necessary for that purpose and whether the legitimate interest is overridden by the individual’s interests, rights or freedoms.
The risks that the use of CCTV may create should be considered and appropriate mitigation should be implemented.
Care home operators are advised to undertake an assessment to determine whether the use of CCTV is justified, taking into account the benefits of filming in the care home against any disadvantages, including the impact on residents’ dignity.
Care home operators need to address whether the use of cameras is proportionate to specific concerns that may have arisen in the home or whether a less privacy intrusive solution could achieve the same objectives.
If cameras are to be used, the care home operator will have to make decisions about various matters relevant to the GDPR, including who has access to the CCTV and for what reasons.
If a policy is not already in place addressing the relevant issues and providing guidance to staff, it is advisable for the care home operator to make sure a policy is put in place.
A home operator will also need to consider where best to place monitors for viewing CCTV so that only appropriate and authorised people are able to access recordings. It will be important for security measures to be put in place to prevent unauthorised access.
Where cameras are placed in residents’ bedrooms, this will require an additional level of security. As with the previous data protection legislation, residents have a qualified right of access under the GDPR to their own personal data and this will include access to recordings of them made by the CCTV.
Storage and use of footage
There is an express requirement under the GDPR that personal data is to be processed for only as long as its purpose requires it to be. The care home operator will therefore need to consider for what period footage should be stored by the home and any policy on CCTV should reflect this.
In determining the storage period, the care home operator will need to have regard to whether an incident has occurred that will result in an investigation not only internally by the care home operator but by any external body such as the police.
As with other forms of data processing, care home operators will need to consider the specific arrangements which they make for processing the CCTV images and the implications of using third party processors, such as cloud storage services.
Where a resident lacks capacity
Given that the use of CCTV in the bedroom area will usually give rise to “continuous supervision” of a resident, if the purpose of the CCTV is to prevent the resident from leaving the premises of the home and the resident lacks capacity to consent to those arrangements there is a risk that this may amount to a “deprivation of liberty” such that the care home may need to consider applying for relevant authorisation in respect of any such resident affected.
This briefing highlights only some of the large number of legal complexities of introducing CCTV into care homes. Care home operators will need to undertake a careful review of their policies, to ensure they reflect the GDPR and are advised to seek legal input where CCTV is to be used in care homes.
Operators should also have regard to the Code of Practice issued by the Surveillance Camera Code of Practice.
For further advice on CQC investigations and how care home providers can prepare, visit our CQC investigations advice page.