• Mon - Thur 8:45 am to 5:30 pm, Friday - 8:45 am to 5:00 pm, Weekends - By Appointment Only

CCTV Policy

CCTV Policy

Contents

Introduction

This CCTV system and the images produced by this practice are controlled by:Mere Dentistry (the Data Controller) who is responsible for how the system is used under the UK GDPR and Data Protection Act 2018.

Purpose

This policy outlines the use of CCTV within Mere Dentistry.

We have considered the need for using CCTV and decided that it is necessary to:

  • Promote the safety and security of the patients, staff and visitors
  • Protect practice property and assets
  • Assist in the prevention, detection and investigation of crime, vandalism and anti-social behaviour
  • Support clinical governance and the management of complaints (only where audio or video is lawfully captured)

We have completed a Data Protection Impact Assessment (DPIA) to make sure our use of CCTV is necessary, proportionate, and respectful of people's privacy.

We will not use the system for any incompatible purposes, and we conduct regular reviews of our use of CCTV to ensure that it is still necessary and proportionate.

The practice recognises that CCTV constitute the processing of personal data and will ensure all usage complies with the UK GDPR and the Data Protection Act 2018, and the ICO’s Guide to Video Surveillance.

Scope

This policy applies to:

  • All CCTV operated by the practice.
  • All staff, contractors, patients and visitors to the premises.
  • All areas under surveillance, including both visual and (where applicable) audio capture zones.

Types of Recording

Overt recording :

This is done with obvious cameras. Public areas that could be under surveillance include the waiting room, reception area or car park. Cameras must not record personal areas such as toilets or changing rooms.

Private areas would be the dental treatment room. Equipment should not be used to record private conversations in the dental treatment room.

It must be clear to patients when they enter a public area under surveillance that recording is taking place. Signage must:

  • be clear and prominent
  • explain, the purpose of recording
  • include the name and contact details of those operating the surveillance scheme.

Covert recording :

This is where recording is done without the explicit knowledge of the subjects. This would not normally be undertaken in a dental practice.

CCTV will only be used in appropriate areas and for legitimate purposes. No covert or secret recording will take place.

Areas covered by CCTV

  • Public and communal areas: Reception, waiting areas, corridors, staff entrances and the exterior of the building.
  • Clinical areas: Visual recording may be used for safety or security reasons only, and never for the recording of treatment without explicit patient consent.

Audio Recording

(As referenced in policy – included under lawful capture conditions where applicable.)

Signage and Notification

Clear signage is displayed throughout the building to ensure all individuals are aware that CCTV is in operation.

Signs include the following information:

  • The purpose of recording.
  • The Data Controllers Name.
  • Contact details for further information.

Our Privacy Notice for Patients also includes information on CCTV usage within the practice.

Data Controller and Practice Responsibilities

The Data Controller for the CCTV and audio system is:

Mere Dentistry
Address: Duchy Manor, Springfield Road, Mere BA12 6EW
Email: contact@meredentistry.co.uk

The Practice Manager is responsible for:

  • Ensuring CCTV systems are operated in compliance with data protection law.
  • Managing data access requests (with support from the data controller where appropriate).
  • Maintaining a log of maintenance, access and data sharing.

Data Storage, Retention and Security

  • Recorded footage is securely stored using encrypted systems.
  • Access is restricted to authorised personnel only.
  • Footage is retained for no longer than 30 days unless required for ongoing investigations, legal proceedings, or as evidence.
  • All deletions or data extractions are logged and auditable.

Access to Recorded Data

It is important that access to, and disclosure of, images recorded by CCTV is restricted and carefully controlled, not only to ensure that the rights of individuals are preserved, but also to ensure that the chain of evidence remains intact should the images be required for evidential purposes.

Access to recordings is strictly limited to authorised individuals and only for legitimate reasons such as:

  • Investigating security incidents
  • Responding to data subject access requests
  • Providing evidence to the police or insurers

Requests for disclosure of recordings should be addressed to the practice manager or data controller but must be approved by the data controller. If a data subject makes a request to access images, the ‘Application to access CCTV images’ form should be completed (Compliance Suite > GDPR > CCTV > Subject Access Request for CCTV Images).

Disclosure to third parties will only occur where there is a lawful basis under the UK GDPR.

We will ensure that any disclosure of information to third parties from our surveillance system is controlled and that the disclosure itself is consistent with the purpose(s) for which the system is set up.

For example, in most cases it is appropriate to disclose video surveillance information to law enforcement when the purpose of the system is to contribute to the prevention and detection of crime. Unless a court order applies, this is not a legal requirement and is often voluntary.

You should note that even if your surveillance system was not established to prevent and detect crime, it is still acceptable to disclose information to law enforcement agencies, if relevant. Failure to do so could prejudice an ongoing investigation.

Data Subject Rights

Individuals recorded by CCTV or audio systems have the following rights:

  • To request access to their personal data (subject access request)
  • To request rectification or deletion of data (where appropriate)
  • To object to processing in certain circumstances

Requests should be made in writing and addressed to the practice manager or data controller but must be approved by the data controller.

Staff Training and Conduct

All staff involved in operating, maintaining, or reviewing CCTV or audio recordings must receive training on:

  • Data protection principles
  • Appropriate and lawful usage of recording equipment
  • Confidentiality and handling of recorded data

Unauthorised access, misuse, or disclosure of recordings will be treated as a disciplinary offence.

System Maintenance and Review

  • Equipment will be regularly inspected and maintained to ensure quality and reliability.
  • This policy will be reviewed annually, or following any significant changes to guidance, legislation or technology.
  • A Data Protection Impact Assessment (DPIA) will be completed prior to installation or modification of any recording system.
  • We will regularly complete/review the CCTV compliance audit checklist to ensure we remain compliant. A copy can be found on the DCME portal (Compliance Suite > GDPR > CCTV > CCTV Audit), alternatively this can be completed through the ICO website: CCTV checklist ICO

Complaints

Complaints relating to the use of CCTV should be sent to Jyothsna Mekala, these should then be forwarded to the Data Controller where appropriate. If unresolved, individuals may raise concerns with the ICO at: www.ico.org.uk

Book Appointment