Grandma, what big cameras you have

Not a phrase that works well within a nursery rhyme, but is this something that could soon become part and parcel of the Care Home experience?

In September a north-east care home group announced plans to install CCTV cameras in all of its homes after an initial trial proved to be successful. Following a consultation with the residents, staff and family members of Glenholme House in Sunderland, Wellburn Care Homes installed surveillance cameras in communal areas and bedrooms in an attempt to demonstrate 'openness' and 'transparency'.

From the press statements released it would appear that this drive is in response to the suspicion in the care sector that carers abuse or do not deliver a good standard of care to those within their care. Families where they have suspected such abuse have often resorted to placing CCTV (covertly) in the room of their loved ones in order to catch the 'culprit' red handed and show it to the care home for action. Such cases have appeared in the press a number of times, as recently at July of this year. Including, back in May 2019, BBC's Panorama did a big expose on Whorlton Hall after their secret recording (and that of family members) revealed patients with learning difficulties being mistreated. Other cases included;

The group’s chairman (to which Glenholme Hose belongs), Rachel Beckett, said;

“With the introduction of the duty of candour we feel this is a positive move, to show transparency within the industry and to regain confidence of the public. We feel this will show potential new residents and their families that they have that extra element of safety."

The Wellburn Care Home Group also went on to outline how the cameras can also be used for less invasive observation of sleep patterns (which means fewer disturbances overnight). So without seeing the DPIA (because one hasn't been published and there is nothing on their website about it) it would appear the purposes of the cameras are as such;

  • Health & Safety of the Resident
  • Prevention & Detection of Crime
  • Staff discplinary & Performance Management
  • Support the medical diagnosis and monitoring of the resident

The question is, is it ever acceptable to put such invasive technolgy in the homes and private spaces of those that may lack capacity just because a care home want's to cut costs?

Now that is quite a powerful question and I have written it like that for a reason. One of themes that comes across in the various articles about care homes and CCTV use is that on almost every occasion and investigation found that due to a lack of staff that particular staff member was not properly supervised and/or had not been correctly trained. So is the use of CCTV here simply a hammer to crack a nut and a cheaper way of getting out of adequate training needs? Call me synical, but I can perfectly well see a situation were abuse has been captured by the CCTV, the care home has dealt with the staff member, but the family are never informed. Currently, if a family member installs CCTV and they find something they will hold the care home to account. Under this programme however, that is entirely down to the care home's discretion.

According to the article the home has consulted with residents, families and staff before looking to proceed. Given the public 'willingness' to lean towards having CCTV in care homes and even a Change.org petition to make it a requirement to install CCTV in care homes, is this something that will become the norm in the future?

Lets put it through a very basic DPIA shall we?

Now I could spend hours pickng through the rights and wrongs of our care system, and personally I do think this is a plaster to get around the issues facing our care system, but for the purposes of this article I want to focus on the GDPR and Survelliance aspects. So come with me as we explore the aspects of this idea through the lense of a DPIA (Data Protection Impact Assessment). NOTE, this is done with the publically available information therefore may not be 100% what they are doing. However the points, standards and guidance to follow for each section is still relevant as as the issues this proposed setup will throw up.

For this purpose I'm going to use the ICO template DPIA as everyone has seen that and it's basic enough to cover our needs. 

Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?

 The CCTV images will pick up pretty much everything that goes on in the bedrooms and communal areas. Treatements, social actions, privacy conversations, intimate moments, family discussions, anything really. The information will not only be on the resident but also the staff member, the resident's family or indeed any visitor to the resident in question. This would definately be Personal Data with a very high likelyhood of it also capturing special category data as well.

Based on the above purposes, it is highly likely that the data will be shared with third parties although access and storage have both been restricted according to the public statements made to date. What is missing from the public statements are the processes around monitoring the images and what happens when one of the triggers for the purposes above occurs. Who is responsible for that process? How does that process work? How long are the images retained either on the system or as evidence?

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

Phsyically these cameras will only cover care home premises so that should mean that no where 'public' is being captured. However this will be for all residents across their numerous locations (20 or so) therefore the number of individuals concerned will be in the 1000s. Depending on how the system is technically setup, if each home has it's own system then it is unlikely to be any more than a 100 individuals (residents, visitors, staff etc) on each database. 

This is where it is important to ensure your scope of technical setup and use of CCTV follows the CCTV Code of Practice from the Home Office. The 12 principles will cover these aspects off and give you a clear set of specific questions/areas of focus.

Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

Each resident (and or the resident's family) have agreed a contract for the provision of the care. Where a resident has agreed the contract this would be in line with their capacity to do so for which the care home should have processes and standards in place for. However, where a family member has signed the agreement under a Power of Attorney (POA) or similar then while this is legally permissable the question of CCTV use is an 'add on' concern to the ethics of a family member placing someone in care. Is it then ethical for them to also agree to the use of survelliance therefore signing away that residents free will and privacy too? 

The use of CCTV in Care Homes is a growing trend, but more for use by resident's families etc to catch care homes not delivering a decent level of care. Wide scale monitoring like this is few and far between. However the technology of CCTV is well advanced now, capable of capturing high quality video and audio data.

As above, while the public are very supportive of initiatives that improve the quality of care homes and indeed on CCTV usage to catch abuse, the specific topic of wide spread and constant use of CCTV within a care home has not been a specific area of public debate. Therefore any DPIA would not only need to consider the DPA/GDPR aspects of this, but also the Surveillance and ethical elements of this.

Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for  you, and more broadly?

The specific list of reasons/outcomes has not been published as yet, however the statements made by the care home imply that the purposes are the following;

    • Health & Safety of the Resident
    • Prevention & Detection of Crime
    • Staff discplinary & Performance Management
    • Support the medical diagnosis and monitoring of the resident

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?

The care home has outlined that they have consulted with residents, family members and staff and to date there has been enough support to give the programme the go-ahead. They have not said if the original scope has changed since its initial proposal based on stakeholder concerns. Or, if the scope has indeed been widened based on stakeholder feedback. While this is conjecture on my part, where the Chairman states that the CCTV is about transparency and security where did the idea of sleep and health monitoring come from?

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?

All the purposes above are 'legitimate', in that you could find a grounds for processing under Article 6 & 9 of the GDPR (and no, I'm not listing them as that's borderline consultancy work right there - work it out for yourself). But does that make them fair? Can a care home legitimately say that it is being fair to a resident that lack capacity to monitor them 24 hours a day video and audio? As established with the CCTV in Taxi's debate a few years ago, is it reasonable to have both turned on all the time? Or is it better to have images on and audio on turned on when required? Therefore giving the resident some degree of privacy and not absolute intrusion?

That list of purposes is quite exhaustive, therefore if it is accurate then they have thought of most possible uses and want to use the data for those reasons. But just because I have a shopping list of reasons up front, does that make my use of such data for those purposes any more ethical? Or is each one on a sliding scale, therefore putting them all through the same technical setup and standards could then mean one purpose is more 'instrusive' than the others?

So what do we think?

Is it fair to monitor residents visual and audio actions 24 hours a day in order to catch the odd incident of abuse in the context of a series of care homes that as recently as this year have won awards for the standards of their care?

It is fair to record all residents to only physically check on a handful for their sleeping patterns because they have sleeping issues?

Is it fair to record all residents and play back the images to improve staff training and standards?

Is it fair to record all residents movements and actions to ensure if they start to become distressed (for example) we can respond to them?

Is it fair to monitor all actions that a staff member takes with a resident in the communal and bedroom areas where, again, there are no current accusations or other suspicious circumstances. Does this just send a message to staff (that have helped win that award) you cannot be trusted?

Or, is it actually better to find ways of using but limiting the use of this technology. For example, is there a need for audio recording to be on all the time? Can this either be off or only switched on when needed? Could limit the use for staff performance only where there are serious allegations of gross misconduct. And not "we've had complaints about the standards of your cleaning" which can easily be corrected with adequate supervision?

I can see the argument both ways here which is why it is messy, emotional and not something that can be resolved overnight. If you are considering such a programme, or even indeed for any UK Government that is considering it, avoid 'in for a penny, in for a pound' and seriously think about the outcomes you want to achieve. As we have seem time and again, the road to hell is paved with good intentions so ensure your DPIA looks at everything. Have a in depth debate with key stakeholders and agree something that puts the resident and their needs and reservations first and all other priorities second.

Leave a Comment

Your email address will not be published. Required fields are marked *