Closed circuit television (CCTV) is installed at the Practice premises for the purposes of staff training, improving quality, staff, patient and premises security. Cameras are located at various places on the premises, which include Waiting Area’s, Corridor’s, Decontamination Room, Reception, Front External Area of the Premises and in our four surgeries.
The use of CCTV falls within the scope of the Data Protection Act 1998 (“the 1998 Act”). This code of practice follows the recommendations issued by the Data Protection Commissioner in accordance with powers under Section 51 (3)(b) of the 1998 Act.
In order to comply with the requirements of the 1998 Act, data must be:
1) CCTV is in place in the Waiting Area’s, Decontamination Room, Reception, Front External of the Building and in our four surgeries.
2) CCTV has been installed solely for the Safety and Security of our Patients, Staff, Premises and Training purposes.
3) Images are captured 24 hours a day, seven days a week and are processed via our CCTV capturing devices. These devices are securely protected and only the manager and owners of the practice have access to the equipment. The manager regularly checks that the CCTV devices are working as intended.
4) The CCTV only captures images and does not record audio.
5) All specific CCTV recordings are stored on our recording devices’ hard-drives for a maximum of 60 days before being wiped.
6) Signs informing visitors that CCTV is in place can be found at Reception, Waiting Area’s and in the surgeries.
7) Patients are explicitly made aware of CCTV being in place in the surgeries and consent is gained in their Medical History forms. We also inform visitors to our website that CCTV will be in operation.
8) The recording devices have the capability of transferring data to an external drive for cooperation with the relevant authorities. We only ever do this where there is cause to believe the safety and security of patients/staff has been compromised. We do not ever share images with other third parties.
9) Visitors to the practice have the right to request to see images of themselves on CCTV as part of a Data Protection request. Like all Data Protection requests, this request must be made in writing and the same exceptions apply. We charge an administration fee of £10 for this. We will also require information that will allow us to identify the visitor and the date/time of the visit.
10) We have followed the CCTV guidelines produced by the Information Commissioners’ Office, https://www.ico.org.uk/for_organisations/data_protection throughout.
1. Mr Taufeeq Rauf is the Data Controller under Section 4(4) of the Act and is one of the partners of SimplyOne Dental.
2. CCTV is installed for the purpose of staff, patient and premises security.
3. Images are NOT stored, however Access to hardware will be controlled on a restricted basis within the Practice.
4. Use of images, including the provision of images to a third party, will be in accordance with the Practice’s Data Protection registration.
5. Signage is displayed throughout the premises and on the Practice website stating of the presence of CCTV, and indicating the names of the Data Controllers and a contact number during office hours for enquiries.
Images from cameras are NOT recorded on disc/computer system (“the recordings”). Where specific recordings are made and retained for the purposes of Staff training, security of staff, patient and premises, these will be held in secure storage, and access controlled. Recordings which are not required for the purposes of security of staff, patient and premises, will not be retained for longer than is necessary.
It is important that access to, and disclosure of, images recorded by CCTV and similar surveillance equipment is restricted and carefully controlled, not only to ensure that the rights of individuals are preserved, but also to ensure that the chain of evidence remains intact should the images be required for evidential purposes.
Access to recorded images is restricted to the partners of SimplyOne Dental who will decide whether to allow requests for access by Data Subjects and/or third parties (see below).
Viewing of images must be documented as follows:
In cases where recordings are removed from secure storage for use in legal proceedings, the following must be documented:
Requests for access to images will be made using the ‘Application to access to CCTV images’ form (which is at Appendix 1), accompanied by a £10 fee (which is non-refundable if the request is declined).
The Data Controllers of SimplyOne Dental will assess applications and decide whether the requested access will be permitted. Disclosure of recorded images to third parties will only be made in limited and prescribed circumstances. For example, in cases of the prevention and detection of crime, disclosure to third parties will be limited to the following:
All requests for access or for disclosure should be recorded. If access or disclosure is denied, the reason should be documented as above.
If it is decided that images will be disclosed to the media (other than in the circumstances outlined above), the images of other individuals must be disguised or blurred so that they are not readily identifiable.
If the CCTV system does not have the facilities to carry out that type of editing, an editing company may need to be used to carry it out.
If an editing company is used, then the Data Controllers must ensure that there is a contractual relationship between them and the editing company, and;
This is a right of access, which is provided by section 7 of the 1998 Act. Requests for access to images will be made using the ‘Application to access to CCTV images’ form (which is at Appendix 1), accompanied by a £10 fee (non-refundable if the request is declined).
Individuals should also be provided with the CCTV Policy and Code of Practice which describes the type of images which are recorded and retained, the purposes for which those images are recorded and retained, and information about the disclosure policy in relation to those images.
All requests for access by Data Subjects will be dealt with by the Practice Manager.
The Data Controllers will locate the images requested. The Data Controllers will determine whether disclosure to the Data Subject would entail disclosing images of third parties.
The Data Controllers will need to determine whether the images of third parties are held under a duty of confidence. In all circumstances the Practice’s indemnity insurers will be asked to advise on the desirability of releasing any information.
If third party images are not to be disclosed, the Data Controllers will arrange for the third party images to be disguised or blurred. If the CCTV system does not have the facilities to carry out that type of editing, an editing company may need to be used to carry it out. If an editing company is used, then the Data Controllers must ensure that there is a contractual relationship between them and the editing company, and;
The Practice Manager will provide a written response to the Data Subject within 21 days of receiving the request setting out the Data Controllers’ decision on the request.
A copy of the request and response should be retained.
Complaints must be in writing, and addressed to the Practice Manager. Where the complainant is a third party, and the complaint or enquiry relates to someone else, the written consent of the patient or Data Subject is required. All complaints will be acknowledged within 7 days, and a written response issued within 21 days.