CCTV and Telephone Systems
Both systems can be easy to install and very useful to operate but practices must be aware that they also come with responsibilities around data protection. Both system process personal data and as such must be covered by a policy that sets out how they will be operated. Both would be in scope for a Subject Access Request from an individual for a copy of their data. In both systems it would be reasonable to require the requester to identify a time period for their request, so it may be for a phone call or the images from a visit to the practice between 9am and 10 am on a given date. A wider request for all the phone calls and images of me taken during the month of June could be exempted on the basis of cost. You then need to consider how the data would be presented back to the requester, would a transcript of the phone call be acceptable or a sound file? For the CCTV would still images be accepted or is the actual footage required, and you need to consider how to block out the images of any other patients who may be visible.
One of the main issues you must address is the retention period for the data. Phone and CCTV systems may well be able to retain data for significant periods, 2 or 3 years is not uncommon. But do you actually need this, and should you set a time that better reflects the actual requirement you have at the practice. There is no set time defined for this type of data retention and as Data Controllers you must decide. It could be anywhere from days to months or even a year, its for your assessment. Remember that you can always download specific calls or images for additional retention. This retention period must then be recorded in the system policy. It could be that you set the standard retention at 7 days with the exception that anything deemed necessary could be retained further for up to 6 months. In this way specific calls could be downloaded from the system for further actions if needed but all routine ones are deleted after the 7 days.
Finally, you must ensure you system provider is actually following your requirements. And of course add this to your practice Privacy Notice and for CCTV ensure you have sufficient signs around to inform the public.