An individual was employed at a medical practice, which used CCTV footage ofthe waiting room to assess patient waiting times. When the medical practice was reviewing the CCTV footage, in the presence of the employee, the employee realised that their image had been recorded by the CCTV system throughout their employment without being aware of it. The individual tried to resolve the issue with the medical practice but was ultimately dissatisfied with the response they received and contacted the DPC to make a complaint. 

The DPC contacted the medical practice to enquire about its legal basis for processing personal data in this manner. The medical practice advised that it had a CCTV policy in place prior to the individual commencing employment with it and that the purpose of the CCTV system was to ensure the health and safety of staff and clients of the medical practice. Having requested a copy of the CCTV policy,  upon review the DPC noted that it was drafted prior to the introduction of the GDPR and had not been updated since. 

Having engaged with the individual, the DPC established that they had not been made aware that CCTV was in operation constantly, including the areas where they worked, when they first joined the practice. There was one small sign on the entrance door of the practice that stated CCTV was in operation but the sign did not specify that the CCTV cameras were recording within the practice building. 

During the course of the DPC’s examination of the complaint the medical practice adopted measures to restrict the recording by the system so that it would no longer be in operation during business hours.

In this instance, the DPC found that the medical practice did not provide a  valid lawful basis under Article 6 of the GDPR for this type of monitoring. Furthermore, the medical practice did not fulfil its transparency obligations  under Article 13 of the GDPR, as it did not inform individuals at any point that  the CCTV system would process their personal data, by recording their image, whilst in the practice. 

In light of the medical practice’s voluntary restriction of the CCTV cameras to operate outside of business hours only, the DPC engaged with the medical practice providing recommendations and guidance around the use of CCTV. On foot of this engagement, the medical practice increased the size, and the number of signs informing staff and patients of the use of CCTV and the  contact details of the data controller in compliance with its obligations.