In this third blog in our five-part series on surveillance in healthcare, we consider best practices for surveillance in healthcare settings.
Implementing lawful, appropriate surveillance demands careful planning, robust governance, and ongoing management. The stakes are high: surveillance systems can play a vital role in safeguarding patients, staff, and organisational assets, but if not managed correctly, they can also introduce significant legal, ethical, and reputational risks. For healthcare leaders, the challenge is to harness the benefits of surveillance while upholding the highest standards of privacy, data protection, and professional integrity.
The first step in establishing effective surveillance practices is to ensure that the technologies chosen are genuinely fit for purpose. This means selecting systems that address specific operational needs, such as securing emergency departments or investigating incidents, while minimising unnecessary data collection.
Surveillance should never be implemented as a blanket measure; rather, it should be targeted, proportionate, and justified by a clear business or safety rationale. By focusing on areas of genuine risk, healthcare organisations can reduce the volume of personal data collected, thereby limiting potential privacy intrusions and simplifying compliance obligations.
Practical implementation requires careful consideration of how and where surveillance devices are positioned. Cameras and recording devices should be installed in a way that avoids capturing unnecessary or sensitive areas, such as staff rest rooms, patient consultation spaces, or private offices. Regular reviews of system quality and accuracy are essential; this includes checking that cameras are functioning correctly, timestamps are accurate, and footage is clear and fit for purpose.
Healthcare organisations must also avoid the temptation to retain surveillance footage or records “just in case” they might be useful in the future. Instead, retention periods should be determined by the specific purpose for which the data was collected, and these periods must be clearly documented in organisational policies. For example, footage from a CCTV system in a hospital corridor might only need to be retained for a few days unless an incident has occurred, whereas records relating to a misconduct investigation may require far longer retention. Regular audits should be conducted to ensure that data is deleted promptly and securely once it is no longer needed, reducing the risk of unauthorised access or data breaches.
Securing access to surveillance data is another cornerstone of best practice. Only authorised personnel should be able to view or retrieve footage, and robust technical and organisational measures must be in place to prevent unauthorised access, loss, or misuse. This includes the use of strong passwords, encryption, and secure transfer protocols, as well as clear policies outlining who can access data and under what circumstances. Maintaining detailed audit trails is essential - not only for accountability but also for demonstrating compliance in the event of a regulatory investigation or subject access request. Staff who operate or manage surveillance systems should receive regular training on data protection, security procedures, and the organisation’s surveillance policies.
Taking a thoughtful and well-governed approach to surveillance fosters trust among staff and patients, reinforces organisational integrity, and ensures that surveillance serves as a tool for good rather than a source of risk.
You can read our first blog on balancing safety and privacy here and our second blog on what staff need to know about monitoring here.