In October The Guardian reported how the family of an 88-year old resident with dementia at Reigate Grange in Surrey (part of the Signature Senior Lifestyle chain) installed a hidden camera which uncovered shocking abuse of their mother by care staff. The home has described conduct of its staff and the agency worker captured in the footage as “reprehensible”, adding that they were “rogue individuals” while issuing an apology to the family.
Anyone concerned about someone receiving care should raise issues in the first instance with the care provider, or alternatively with the Care Inspectorate here in Scotland, while any suspected unlawful abuse can be reported directly to Police Scotland. Using hidden cameras risks breaching the privacy rights of those who are recorded, who could potentially take legal action against whoever is responsible for the covert surveillance.
Video surveillance and monitoring raise issues which are of concern to the UK Information Commissioner’s Office (ICO) which last month published its action plan setting out its priorities for the coming three years. One of those is safeguarding and empowering the public, particularly the most vulnerable groups. Increasingly sophisticated technology makes it very easy for organisations to gather personal data about staff and those receiving care. Clearly the ICO is alert to the privacy implications, given this will inevitably capture ‘special category’ personal data relating to health, for instance.
Back in February 2022, the regulator updated its online guidance on video surveillance – which is often routinely used by care homes to monitor care provision and ensure security. In addition, the ICO has now also published draft guidance for employers on monitoring staff, with organisations invited to submit views as part of a consultation available until 11th January 2023. Its guidance reminds organisations it must be done in a way which is compliant with data protection laws.
Third sector leaders should ensure an organisation’s video surveillance and staff monitoring are lawful
Video surveillance requires having a lawful basis, as required by the UK GDPR for any processing of personal data. In relation to monitoring staff, draft ICO guidance says it is hard to envisage scenarios where monitoring is necessary for an employer to fulfil their contract with workers, so that particular lawful basis will be available in limited situations only. It adds that consent is not usually an appropriate lawful basis to rely upon in an employment context, because of the power imbalance (since workers are likely to feel that they have no choice but to give consent).
In practice, surveillance is more often carried out for business purposes. This makes it likely organisations will need to rely on one of the other six lawful bases available – such as necessary for a specific legitimate interest or, alternatively, because it is necessary to comply with a legal obligation. Those are the lawful bases often relied upon by care homes for surveillance to ensure safety and security of residents.
Care homes are required to inform residents and their families, and also staff, if the organisation uses video surveillance. Standard practice is to have a ‘privacy policy’ or ‘privacy statement’ made available, tailored to each group or category of individuals whose personal data is used in this way. It is expected this will explain to people the nature, extent and reasons for any surveillance. ICO guidance advises ensuring that information is accessible, and in addition ensuring those under surveillance are made aware that they are being recorded. An effective way to is to place signs prominently before the entrance to a surveillance system’s field of vision and reinforce this with further signs inside the area.
What are Data Protection Impact Assessments (DPIA)?
Organisations are legally required to carry out a DPIA for any activity that is likely to result in a high risk to individual’s rights.
The ICO’s position is that video surveillance involves processing special category data, as well as in many cases monitoring publicly accessible places on a large scale, and monitoring in a workplace – any one of which is likely to require completing a DPIA.
Even where not a requirement, the ICO recommend completing a DPIA as good practice, since it helps assess risk and identify whether less intrusive methods could achieve the same purpose, and demonstrates compliance with obligations in data protection law. A template form is available on the ICO website, along with general guidance on how to complete it.
Many care sector organisations cite security as the reason for surveillance, and they are expected to consider the least privacy-invasive means possible to achieve this. The UK GDPR general principles include data minimisation, which in practice means organisations should not collect more data than needed to achieve the purpose or purposes identified. It should not be used more than necessary or kept for any longer than necessary. Appropriate security arrangements should also be made: organisations are also expected to ensure restrictions on viewing and disclosing personal data are in place for those with access to footage from any video surveillance.
ICO guidance on video surveillance is available here and public consultation on the regulator’s new draft guidance for employers on monitoring closes on 11th January 2023.