In recent times, and following on from incidents such as Winterbourne View, there has been an increase in the use of audio and video surveillance in relation to staff and service users in care settings. In recognition of this and following consultation with providers and families last year, England’s health and social care regulator, the Care Quality Commission (CQC) has recently published two pieces of guidance on the appropriate use of surveillance systems in care settings. The Using Surveillance guidance, December 2014 (the Provider Guidance) is aimed at providers of health and social care services and a second, complementary pamphlet released in February 2015, provides guidance to families and carers of service users who are thinking of installing hidden recording devices to monitor someone’s care (the User Guidance).

Provider Guidance – Key Considerations

By their very nature, surveillance systems intrude into a person’s privacy. Surveillance of individuals therefore engages the Data Protection Act 1998 (DPA) as it involves the processing of personal data about the individuals captured in audio and video recordings. The Information Commissioner’s Office (ICO) has been involved in advising the CQC on the data protection issues in using surveillance systems and the guidance contains useful signposts to relevant ICO guidance and advice.

The CQC considers the surveillance of service users to be an aspect of their care. The guidance therefore makes it clear that providers must ensure when operating surveillance systems that they comply with the Health and Social Care Act 2008 (Regulated Activities) Regulations 2010 and provides references to the relevant parts of the Regulations. In addition, the guidance advises that the use of surveillance systems must be lawful under the DPA, and where provider is a public authority, the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000 (in certain circumstances).

The guidance sets out the key points the CQC expects providers to take into account when installing and operating surveillance systems. It also recommends that where providers are already operating surveillance, they review its continued use to ensure that it takes into account the considerations raised in the CQC’s guidance. Some of the key points which providers will need to consider - which include steps required to comply with the DPA - include:

  • Identifying what the legitimate purpose(s) of the surveillance is and whether the surveillance is necessary, proportionate and fair to meet an identified and pressing need.
  • Identifying whether the planned surveillance is likely to meet one of the lawful conditions for processing set out in Schedule 2 of the DPA. Where sensitive personal data is obtained, such as health information, an additional condition under Schedule 3 of the DPA must also be met.
  • Consulting with service users, their families, regular visitors, trade unions and staff where possible prior to a decision being taken or in respect of continued use. The privacy issues identified must then be addressed by providers. The CQC warns that inspectors may wish to see records of what steps providers have taken to consult appropriately and how they have addressed privacy concerns raised.
  • Considering consent. The guidance notes that consent must be freely given and where surveillance involves health information, explicit. Where consent is relied on, individuals must also have a right to withdraw or refuse to consent. For these reasons the CQC suggests that consent may not always be well suited to surveillance, including where a service user lacks capacity to consent, but that other lawful conditions for using surveillance may apply. However the guidance states that more intrusive surveillance such as the observation of medical treatment, intimate care or someone’s private religious practices is unlikely to be lawful without the explicit consent of the individuals concerned.
  • Informing people about surveillance. The CQC advises that wherever possible providers must ensure that staff, service users and visitors are informed about the use of surveillance and suggests that this can be achieved by use of appropriate privacy notices and signs.
  • Operating systems appropriately and securely, for instance ensuring that there are clear policies on access to the information recorded and for the secure retention and destruction of the information. The guidance identified that security measures must also be  in place to safeguard against unauthorised access and staff who have access to the information should be trained on it use.

Where to start?

The CQC recommends that providers document the steps that have taken when deciding to use surveillance, as evidence of these steps may be required by a CQC inspector. The guidance suggests that carrying out a Privacy Impact Assessment (PIA) may help providers to consider and address privacy issues in a structured way. A PIA is a process by which an organisation can identify privacy risks at an early stage of a project and identify how these risks can be minimised whilst still achieving the project’s intended aims.

The ICO has published a detailed PIA Code of Practice which guides organisations through the process of conducting a PIA and provides a useful template report for recording the findings. The approach can be tailored to the size of an organisation and the degree of formality required.

Service User Guidance

This related publication is aimed at concerned relatives and friends of service users in care settings who are thinking of installing hidden cameras in bedrooms. Key points for providers to be aware of are that:

  • the CQC does not prohibit the use of videoing by service users or relatives (covert or overt).
  • it is not aware of any instances (yet) where recording equipment used by family members has been legally challenged.
  • relatives and friends must ensure that installing recording equipment does not breach any contract of service with the provider, or any house rules set by the provider.
  • the CQC considers that an individual’s consent must be gained where possible before installing surveillance.

The two pieces of guidance have been published in response to the consultation held by the CQC last year in which the public and providers said they wanted more information from the regulator. The guidance goes some way towards meeting this – but they place the decision-making responsibility firmly in the hands of providers. The message from the CQC on using surveillance is clear – this is a complex area and it expects providers to carefully consider all of the issues in striking the right balance in each case between the right to privacy and protecting people. In particular circumstances it also strongly recommends that providers seek specialist legal advice. Providers may therefore feel that the guidance does not go far enough.

If you are a provider who already uses surveillance, or are considering doing so, we strongly recommend that you familiarise yourself with the CQC guidance, and review your use or intended use of surveillance against the key points highlighted by the CQC. We have a specialist data protection team who can provide you with support or further advice if required.