CCTV SURVEILLANCE IN MEDICAL PRACTICES

Posted 04 July 2023

Hanneke Verwey

Medical practitioners might consider the installation of closed-circuit television (CCTV) surveillance cameras in their practices as part of a strategy to prevent and detect crime and manage their security risks. These risks could include theft of medicines (in particular in the case of dispensing practices), theft of expensive medical equipment or cash and even incidents with abusive patients. Although the conservative use of CCTV cameras in a medical practice is likely to be permissible, medical practitioners should be aware of the possible implications, both for patient confidentiality and for their legal obligations.

In terms of section 14 of the Constitution of the Republic of South Africa, 1996, everyone has the right to privacy, which includes the right to protection against the unlawful collection, retention, dissemination and use of personal information. Section 36 provides that this right to privacy may only be limited to the extent that such limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom. So, medical practitioners who plan to install CCTV cameras in and around their practices should carefully consider whether this form of surveillance constitutes a justifiable limitation of their patients’ constitutional rights to privacy.

In addition, they should ensure that their use of surveillance complies with the provisions of the Protection of Personal Information Act, 2013 (“POPIA”). POPIA gives effect to the constitutional right to privacy and, amongst other matters, protects personal information which is processed by public and private bodies. It applies to the processing of all personal information and introduces certain minimum requirements for the processing thereof. POPIA defines personal information as “information relating to an identifiable, living, natural person”, including biometric information. “Processing” is defined broadly and essentially includes any handling of personal information, including its recordal or storage. The recordal and storage of CCTV footage will thus qualify as the processing of personal information.

This implies that medical practitioners who choose to have CCTV surveillance cameras installed in and around their practices are subject to POPIA. A medical practitioner will be considered a “responsible party” under POPIA to the extent that they, alone or in conjunction with others, determine the purpose of and means for the processing of personal information collected via CCTV surveillance. As a responsible party, the medical practitioner will be held accountable and must comply with the conditions for the lawful processing of personal information outlined in POPIA. The conditions for lawful processing include: (a) “accountability” in terms of section 8; (b) “processing limitation” in terms of sections 9 to 12; (c) “purpose specification” in terms of sections 13 and 14; (d) “further processing limitation” in terms of section 15; (e) “information quality” in terms of section 16; (f) “openness” in terms of sections 17 and 18; (g) “security safeguards” in terms of sections 19 to 22; and (h) “data subject participation” in terms of sections 23 to 25.

Insofar as the conditions listed above relate to the use of CCTV cameras in a medical practice, the following may be particularly relevant and merit further discussion:

“Processing limitation”

The principle of “minimality” outlined in POPIA is of particular significance. This principle requires that personal information may only be processed to the extent that is adequate, relevant and not excessive given the purpose for which it is being processed. Personal information must be processed lawfully, and in a reasonable manner that does not infringe on privacy rights. The use of CCTV cameras may arguably be considered a legitimate limitation of the right to privacy, provided that the surveillance is reasonable, proportionate to its purpose and necessary. In general, individuals do not expect privacy in public spaces, which may include entrance doors, reception, parking bays and other areas in plain view in and around the practice. Surveillance should, however, be limited to potential problem areas such as storage rooms and dispensing areas. Cameras should ideally not be directly focussed on areas where patients may be sitting, such as waiting rooms. The use of CCTV cameras in consultation rooms or other private areas such as bathrooms will be unlawful, as patients have a reasonable expectation that these areas are private. Surveillance measures should furthermore only be used if the purpose for which the footage is being collected cannot reasonably be achieved by less invasive means.

There must always be a recognised legal basis for the processing of personal information. Such a legal basis could include the data subject’s consent or one of the grounds of justification outlined in POPIA. In the case of CCTV surveillance, it may be difficult to procure consent for the processing of personal information from every individual entering the practice. It is more likely that a medical practitioner will have to prove that he or she has a legitimate interest in the collection of personal information by way of CCTV cameras, to the extent that the practitioner has a right to implement reasonable measures to maintain security at the practice.

“Purpose specification”

Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the medical practitioner. Whether the collection of personal information via CCTV footage for security purposes could be described as “related to a function or activity” of the medical practitioner remains to be seen, and the Information Regulator may have to issue clear guidelines in this regard. However, the conservative and conspicuous use of CCTV cameras in and around the practice (excluding private areas) would probably be reasonable to the extent that such security measures are intended to keep patients and personnel safe.

Generally, records of personal information may not be retained any longer than is necessary to achieve the purpose for which the information was collected or subsequently processed. The CCTV footage should be destroyed once it has served its purpose. Given the limited purpose of the surveillance (prevention and detection of crime within the practice), medical practitioners would probably only be permitted to retain CCTV footage for relatively short periods. Footage should only be retained for longer periods if a crime has been committed and the footage is required as evidence. The Act provides that records must be destroyed or deidentified as soon as practicably possible after the responsible party is no longer authorised to retain them. The destruction must be done in a manner that prevents the reconstruction of the information in an intelligible form.

“Further processing limitation”

Any further processing of information must furthermore be in accordance or compatible with the initial purpose of the collection. For example, footage collected for security purposes may not subsequently be processed for some other purpose unrelated to the prevention or detection of crime. 

So, while it would be reasonable to disclose CCTV footage to police if a crime was committed and captured on CCTV camera, practitioners should nevertheless be careful when disclosing footage to third parties should other patients be recorded on the same film. A patient’s visit to the doctor’s office could potentially be considered confidential and so the disclosure of such footage will have to comply with the Health Professions Council of South Africa’s rules on confidentiality. As such, material should generally not be disclosed to police without the consent of other patients recorded on the footage, unless the disclosure is justified in the public interest or otherwise required by law. Medical practitioners may have to consider blurring innocent bystanders and patients’ images to protect their confidentiality.

“Information quality”

A responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which the information is being collected. This requirement may be interpreted as requiring medical practitioners to ensure that they use a surveillance system capable of producing footage of a suitable quality, having regard to the purpose of the surveillance. Where the purpose of the surveillance is the detection and prevention of crime, the CCTV cameras should be capable of recording clear footage that can be used to identify potential offenders.

“Openness”

A responsible party must maintain the documentation of all processing operations under its responsibility as required by section 51 of the Promotion of Access to Information Act 2 of 2000. Section 51 refers to a so-called PAIA manual, which must be maintained by private bodies. There are a number of template manuals available online. Medical practitioners could also consider contracting an attorney to prepare a PAIA manual for their practice. The manual should inform members of the public of the categories of information held by the practice, which may, subject to the grounds of refusal listed in the Act, be disclosed after evaluation of an access application being made in terms of the Act. This information would include CCTV footage captured on the practice premises.  

Data subjects (in this context, patients and other individuals who enter the practice) must be notified of the processing of their personal information. Surveillance should not be covert and cameras should be installed in plain sight. Medical practitioners must take reasonable steps to ensure that data subjects are aware that information is being collected and the purpose thereof. In addition, the data subject must be informed of the name and address of the responsible party, whether or not the supply of the information by that data subject is voluntary or mandatory, the consequences of failure to provide the information and the particular law authorising or requiring the collection of the information. There are certain exceptions to this obligation, including where compliance is not reasonably practical. While it is probably not practical to directly inform every person entering the practice of the presence of CCTV cameras, it would be compulsory to at least display prominent signage at the entrance to the practice and other strategic points, advising members of the public that the area is monitored by CCTV cameras for purposes of crime prevention. Medical practitioners could also consider including such a notice in the visitors’ register. 

“Security safeguards”

CCTV footage must be securely stored to prevent unauthorized access. Medical practitioners have a duty to take appropriate and reasonable technical and organizational measures to prevent loss, damage, unauthorized destruction and unlawful access to surveillance footage. To do so, medical practitioners have to take reasonable measures to (a) identify reasonably foreseeable internal and external risks to the personal information in their possession or under their control; (b) establish and maintain appropriate safeguards against the risks identified; (c) regularly verify that the safeguards are effectively implemented; and (d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. POPIA does not define “reasonable measures” and merely provides that, when considering what are acceptable security measures, due regard should be had to the generally accepted information security practices and procedures which apply to the industry. This could, for example, include encryption or other appropriate technical methods to ensure the safety and security of the footage.

Medical practitioners must inform their patients, the data subjects, if there are reasonable grounds to believe that their personal information has been accessed or acquired by an unauthorized person, for example, if CCTV footage is lost or stolen. The Information Regulator must also be informed. The notification must be in writing and must be communicated to the data subject in at least one of the following ways: (a) mailed to their last known address; (b) e-mailed; (c) placed in a prominent position on the medical practitioner’s website; (d) published in the news media; or (e) as directed by the Regulator. The content of the notification is prescribed in section 22 of the Act and includes, among others, a description of the possible consequences of the security breach; the measures taken to address the security compromise; what measures the data subject can take to mitigate the adverse effects of the security compromise; and, if known, the identity of the unauthorized party who may have accessed the information. It may, of course, not be practically possible to identify or notify the affected individuals in the event of CCTV footage being lost or stolen, in which case a general notice at the practice or on the practice website would suffice.

“Data subject participation”

Data subjects are entitled to request access to CCTV footage of themselves from the practice. Data subjects will also be entitled to request that such footage be deleted to the extent that the medical practitioner is no longer authorised to retain it, or the footage is irrelevant, excessive etc.

In summary, the limited use of CCTV surveillance in a medical practice is probably lawful. However, there are potential ethical and legal pitfalls. Until the Information Regulator or the Health Professions Council issues detailed guidance, medical practitioners should adopt a conservative approach and remain mindful of the following guidelines:

  • Limit the surveillance to the minimum necessary.
  • The surveillance should be conducted for a specific, lawful and clearly defined purpose such as maintaining safety and security at the practice.
  • Notify the public of the surveillance.
  • Safely store any CCTV footage.
  • Destroy footage once its purpose has been served.
  • Limit and control access to footage.