{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}

---

Use of CCTV and Surveillance in Care Homes Policy

1. Purpose

The purpose of this policy is to ensure that the use of Closed-Circuit Television (CCTV) and surveillance systems at {{org_field_name}} is conducted ethically, lawfully, and in line with best practice. This policy outlines how CCTV is used to enhance safety, protect service users and staff, and comply with legal requirements while ensuring privacy, dignity, and data protection.

This policy aligns with:

• The Regulation and Inspection of Social Care (Wales) Act 2016.
• The Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, as amended.
• Welsh Government statutory guidance for providers and responsible individuals of care home services, including the requirement to have a written policy on the use of CCTV by the service and by individuals, families and staff.
• Care Inspectorate Wales requirements relating to safe care, dignity, privacy, safeguarding, records, notifications and quality assurance.
• The UK General Data Protection Regulation, the Data Protection Act 2018 and current Information Commissioner’s Office guidance on CCTV and video surveillance.
• The Data (Use and Access) Act 2025, insofar as it amends or affects data protection requirements and future ICO guidance.
• The Human Rights Act 1998, including Article 8, the right to respect for private and family life.
• The Equality Act 2010.
• The Mental Capacity Act 2005 and Deprivation of Liberty Safeguards, where surveillance affects a person who may lack capacity to consent to or understand the arrangements.
• The Protection of Freedoms Act 2012 and the Surveillance Camera Code of Practice, where applicable, and as good practice where not directly applicable.

2. Scope

This policy applies to:

• All staff members, including care workers, management, and administrative staff.
• Service users and their families, ensuring they understand their rights regarding CCTV use.
• Visitors and contractors, ensuring compliance with our surveillance procedures.
• Third-party service providers, such as CCTV installation and monitoring services.

• Individuals living at the home who request or use personal surveillance equipment, including cameras, smart doorbells, audio/video devices, monitoring devices or recording equipment.
• Families, representatives, attorneys, deputies or advocates who request, install, access or use any surveillance or monitoring equipment.
• Staff, volunteers, agency workers, contractors and visitors who may request or use recording equipment while at the home.
• Any CCTV, video, audio, smart camera, body-worn camera, doorbell camera, remote monitoring, motion-activated recording, facial recognition or other surveillance technology used at, near or in connection with the care home.

The policy covers:

• The purpose and justification for using CCTV.
• Legal considerations and compliance with GDPR.
• Where CCTV cameras are located and how footage is used.
• Rights of service users, staff, and visitors.
• Access, storage, and security of recorded footage.

This policy applies to all surveillance and monitoring activity at {{org_field_name}}, whether operated by the service, by a third-party processor on behalf of the service, or by an individual, family member, representative, staff member, contractor or visitor. No person may install, use or access surveillance or recording equipment within the home without prior written authorisation from the Registered Manager and, where required, the Responsible Individual and Data Protection Officer.

3. Principles for CCTV and Surveillance Use

3.1 Justification, Necessity and Proportionality

CCTV and surveillance systems are used only where {{org_field_name}} has identified a clear, lawful, necessary and proportionate purpose. CCTV is not used as a substitute for safe staffing, supervision, person-centred care, safeguarding procedures or good management oversight.

CCTV may be used for the following purposes:

• To support the security of the premises, including entrances, exits, external areas and car parks.
• To help prevent, detect and investigate unauthorised access, theft, vandalism, aggression, violence or other security incidents.
• To support safeguarding where there is a clearly identified and documented risk.
• To assist with the investigation of serious accidents, incidents, complaints, allegations of abuse, neglect, misconduct or criminal activity.
• To support health and safety where this cannot reasonably be achieved by less intrusive means.

Before CCTV is installed or extended, {{org_field_name}} will consider whether the purpose can be achieved by less intrusive measures, such as improved lighting, staffing, access control, environmental changes, supervision, risk assessment or changes to practice.

CCTV will not be used for general performance management, routine staff supervision, constant monitoring of individuals, or monitoring private life unless this has been specifically assessed as lawful, necessary and proportionate.

3.2 Data Protection, Lawful Basis and Accountability

CCTV images and recordings are personal data where an individual can be identified. {{org_field_name}} will process CCTV data in accordance with the UK GDPR, the Data Protection Act 2018 and current ICO guidance.

For routine CCTV used for security, safety and safeguarding purposes, {{org_field_name}} will not normally rely on consent as the lawful basis for processing. The usual lawful basis will be:

• Legitimate interests, where {{org_field_name}} is a private or voluntary sector provider and the processing is necessary for a legitimate security, safety or safeguarding purpose and does not override the rights and freedoms of individuals; or
• Public task, where the provider is a public authority or is carrying out a task in the public interest or under official authority.

Where CCTV captures special category data, including information about health, disability, care needs, religious observance or other sensitive matters, {{org_field_name}} will identify and document both a lawful basis under Article 6 UK GDPR and a special category condition under Article 9 UK GDPR.

{{org_field_name}} will maintain the following records:

• A CCTV Data Protection Impact Assessment.
• A lawful basis assessment or legitimate interests assessment, where applicable.
• A record of processing activity for CCTV.
• A camera location schedule.
• A retention and deletion schedule.
• A log of access to CCTV footage.
• A disclosure log for any footage shared with police, safeguarding bodies, CIW, commissioners, insurers, legal advisers or other third parties.
• Records of reviews, audits and decisions about the continued use of CCTV.

A Data Protection Impact Assessment must be completed before any new CCTV or surveillance system is installed, before cameras are moved to new areas, before audio recording is enabled, before remote access is introduced, before facial recognition or analytics are used, and before surveillance is used in any area where individuals have a heightened expectation of privacy.

3.3 Camera Locations and Privacy Controls

CCTV cameras may only be located where there is a documented need and where the level of monitoring is proportionate to the risk being addressed.

CCTV may be used in:

• External areas, including entrances, exits, paths, gates, external doors, delivery areas and car parks.
• Reception areas and access points where this is necessary for security.
• Corridors or circulation areas where there is a specific security, safety or safeguarding reason.
• Communal areas only where the need has been assessed and the privacy impact is proportionate.
• Medication storage access points only where the camera is positioned to monitor access and security, and not to capture medication labels, MAR charts, personal records, clinical information or private care.

CCTV must not normally be used in:

• Bedrooms.
• Bathrooms, toilets, shower rooms or assisted bathing areas.
• Changing areas.
• Staff rest rooms.
• Rooms used for private visits, confidential meetings, consultation or personal care.
• Any area where intimate care is provided.

CCTV must not be positioned in a way that unnecessarily captures neighbouring properties, public areas, private gardens, bedroom windows, confidential records, medication records, computer screens or sensitive personal information.

Where surveillance may affect an individual’s privacy, dignity or confidentiality, the decision must be reflected in the relevant risk assessment and, where appropriate, in the individual’s personal plan.

3.4 Exceptional Use of Surveillance in Bedrooms or Private Areas

CCTV or surveillance in bedrooms, bathrooms, toilets, rooms used for personal care, or other private areas is not permitted as routine practice.

Surveillance in a bedroom or private area may only be considered in exceptional circumstances where all of the following apply:

• There is a specific, serious and documented risk to the individual or others.
• Less intrusive options have been considered and found insufficient.
• The surveillance is necessary, proportionate, time-limited and targeted.
• A Data Protection Impact Assessment has been completed.
• The individual has been consulted and their views, wishes and feelings have been recorded.
• Where the individual lacks capacity to make the decision, a mental capacity assessment and best-interest decision have been completed under the Mental Capacity Act 2005.
• The individual’s representative, attorney, deputy, advocate, commissioner or placing authority has been consulted where appropriate.
• The decision is recorded in the individual’s personal plan and risk assessment.
• The Responsible Individual and Data Protection Officer have approved the arrangement.
• The arrangement is reviewed at least monthly, or sooner if the risk changes.

Surveillance in private areas must never be used for staff convenience, routine observation, general reassurance, disciplinary fishing exercises, or as an alternative to safe staffing and direct care.

Audio recording in private areas is prohibited unless there is a separate, documented, lawful and exceptional justification.

3.5 Information, Individual Rights and Objections

{{org_field_name}} will provide privacy information through:

• Clear CCTV signage before a person enters a monitored area.
• The written guide to the service.
• The privacy notice for individuals, staff and visitors.
• Admission information and service agreements where relevant.
• Staff induction and employment privacy information.
• Additional accessible formats where needed, including large print, easy read, Welsh language or other communication support.

Individuals have the right to:

• Be told where CCTV is used and why.
• Be told the lawful basis for processing.
• Request access to CCTV footage that contains their personal data.
• Object to CCTV processing.
• Request erasure or restriction where the legal conditions apply.
• Complain to {{org_field_name}} and to the ICO about the use of CCTV.
• Raise concerns through safeguarding, complaints or advocacy routes where the use of CCTV affects their dignity, privacy, rights or well-being.

Staff have the right to be informed about workplace monitoring. CCTV will not be used for covert monitoring, routine performance management or disciplinary purposes unless the use is lawful, necessary, proportionate and connected to a legitimate investigation.

A person’s objection to CCTV will be considered by the Registered Manager and Data Protection Officer. The outcome and reasons will be recorded. Where CCTV is necessary for safety, security or safeguarding, the objection may not automatically result in CCTV being stopped, but reasonable steps will be taken to reduce the impact on the person’s privacy.

3.6 CCTV or Recording Equipment Used by Individuals, Families, Staff or Visitors

No individual, family member, representative, attorney, deputy, advocate, staff member, contractor or visitor may install, operate, conceal or access CCTV, audio recording, video recording, smart cameras, doorbell cameras, monitoring devices or other surveillance equipment within the home without prior written approval.

Requests to install or use personal surveillance equipment must be submitted to the Registered Manager. The request will be considered on a case-by-case basis and must include:

• The reason for the request.
• The area to be monitored.
• Whether audio, video or remote access is proposed.
• Who will view or access recordings.
• How recordings will be stored, secured and deleted.
• The likely impact on the individual, other individuals, staff, visitors and the running of the service.
• Whether the request relates to a safeguarding concern, complaint, care concern or family concern.

Before approving any request, {{org_field_name}} will consider:

• The individual’s views, wishes and feelings.
• The individual’s capacity to understand and agree to the proposed monitoring.
• Any best-interest decision required under the Mental Capacity Act 2005.
• The rights and privacy of other individuals, staff and visitors.
• Whether the request can be met by less intrusive means.
• Whether the proposed equipment creates safety, dignity, confidentiality, cybersecurity or data protection risks.
• Whether the arrangement must be included in the individual’s personal plan or risk assessment.
• Whether a safeguarding referral, complaint investigation, commissioner discussion or CIW notification is required.

Personal surveillance equipment must not record other individuals, staff or visitors without a lawful basis and suitable safeguards. Hidden recording devices are not permitted unless required by law enforcement or another lawful authority.

Where a request is refused, the reasons will be recorded and explained to the requester. Where a request is approved, the approval will be time-limited, reviewed regularly and documented in the individual’s records.

3.7 Access, Storage, Retention and Deletion

CCTV footage will be stored securely and protected against unauthorised access, loss, alteration, disclosure or misuse.

Access to CCTV footage is restricted to:

• The Registered Manager.
• The Responsible Individual, where required.
• The Data Protection Officer or person responsible for data protection.
• Other specifically authorised senior staff where access is necessary and approved.
• External parties only where disclosure is lawful and recorded.

CCTV footage must not be viewed casually or used for curiosity, entertainment, informal monitoring or general staff supervision.

The standard retention period for CCTV footage is 30 days, unless a shorter period is appropriate or unless footage must be retained for a specific lawful purpose, such as:

• A safeguarding concern.
• A complaint.
• A serious accident or incident.
• A police investigation.
• A CIW notification or regulatory investigation.
• An insurance, legal or employment investigation.

Where footage is retained beyond the standard retention period, the reason, authorising person, retention period and deletion date must be recorded.

CCTV footage must be stored in encrypted or otherwise secure systems. Passwords must be unique, access must be role-based, and remote access must only be permitted where necessary, secure and approved by the Data Protection Officer.

All viewing, copying, downloading, exporting, sharing or deletion of CCTV footage must be recorded in the CCTV access and disclosure log.

3.8 Requests to Access CCTV Footage

Individuals, staff and visitors may request access to CCTV footage that contains their personal data. Such requests will be treated as subject access requests under data protection law.

Requests should be passed immediately to the Registered Manager and Data Protection Officer. {{org_field_name}} will respond without undue delay and normally within one month of receipt.

Before footage is disclosed, {{org_field_name}} will:

• Verify the identity and authority of the requester.
• Identify the relevant date, time and location.
• Check whether the footage still exists within the retention period.
• Consider whether the footage contains personal data of other individuals, staff, visitors or vulnerable people.
• Redact, blur, obscure or withhold third-party information where required.
• Consider safeguarding, legal privilege, crime prevention, regulatory or confidentiality issues.
• Record the decision and any disclosure made.

Footage must be supplied securely. Staff must not provide CCTV images or recordings informally, by personal phone, by personal email or through unauthorised messaging platforms.

3.9 Use and Disclosure of Footage for Investigations

CCTV footage may be reviewed where there is a specific and documented reason, including:

• A safeguarding concern, allegation of abuse, neglect or improper treatment.
• A serious accident, injury, fall, medication security incident or health and safety incident.
• A security incident, theft, vandalism, violence or unauthorised access.
• A complaint or concern about care, treatment or conduct.
• A police request or criminal investigation.
• An allegation of staff misconduct.

The review must be authorised by the Registered Manager, Responsible Individual or Data Protection Officer, unless urgent action is required to protect a person from immediate risk.

Where footage indicates abuse, neglect, improper treatment, criminal activity, serious injury, staff misconduct or a notifiable event, {{org_field_name}} will follow the Safeguarding Policy, Complaints Policy, Disciplinary Policy, Duty of Candour Policy and CIW notification procedures.

Footage may be shared with CIW, the local authority safeguarding team, police, commissioners, placing authorities, insurers, legal advisers or professional regulators only where there is a lawful basis to do so. Any disclosure must be limited to what is necessary and recorded in the CCTV disclosure log.

Where CCTV footage is used as part of a staff investigation, staff will be treated fairly and in line with employment law, data protection law and the organisation’s disciplinary procedures.

3.10 Data Breaches and Unauthorised Access

A CCTV data breach includes any loss, theft, unauthorised viewing, unauthorised disclosure, accidental deletion, cyber incident, inappropriate sharing, unauthorised download, unauthorised screenshot, failure to redact third-party information, or access to footage by a person who is not authorised.

If a CCTV data breach occurs, {{org_field_name}} will:

1. Report it immediately to the Data Protection Officer: {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}.
2. Take immediate action to contain the breach and protect individuals.
3. Record the breach in the data breach log.
4. Assess the risk to individuals’ rights, privacy, dignity, safety and well-being.
5. Notify the Information Commissioner’s Office within 72 hours where legally required.
6. Notify affected individuals where legally required.
7. Consider whether safeguarding, police, commissioner, placing authority, professional regulator or CIW notification is required.
8. Investigate the cause and implement corrective actions.
9. Review whether staff training, technical controls or policy changes are required.

All unauthorised access attempts must be logged and reviewed as part of governance, quality assurance and information security audits.

3.11 Covert Surveillance

{{org_field_name}} does not use covert surveillance as part of routine care, monitoring, supervision, staffing, quality assurance or security.

Covert surveillance may only be considered in exceptional circumstances where there is a serious concern such as suspected abuse, neglect, criminal activity or serious misconduct, and where overt methods would be insufficient or would prejudice the investigation.

Covert surveillance must not be used unless:

• It has been authorised by the Responsible Individual and senior management.
• The Data Protection Officer has been consulted.
• A Data Protection Impact Assessment has been completed.
• The purpose is specific, lawful, necessary and proportionate.
• The surveillance is time-limited and targeted.
• Less intrusive methods have been considered.
• The rights and safety of individuals, staff and visitors have been assessed.
• Relevant safeguarding, police, legal or regulatory advice has been obtained where appropriate.
• The decision and rationale have been fully recorded.

Covert surveillance must never be used for general monitoring, staff convenience, routine performance management or to replace safeguarding procedures.

3.12 Audio Recording, Facial Recognition and Advanced Surveillance

Audio recording is more intrusive than video-only CCTV and is not used routinely at {{org_field_name}}.

Audio recording, facial recognition, biometric identification, behavioural analytics, automated monitoring, remote live viewing or artificial intelligence-enabled surveillance must not be introduced unless:

• There is a specific and documented lawful purpose.
• The Data Protection Officer has reviewed the proposal.
• A Data Protection Impact Assessment has been completed.
• The arrangement has been approved by the Responsible Individual.
• Individuals, representatives, staff and visitors have been informed where required.
• The system is necessary and proportionate.
• Less intrusive options have been considered and found insufficient.
• The processing complies with UK GDPR, the Data Protection Act 2018, human rights requirements and ICO guidance.

Facial recognition or biometric surveillance must not be used unless there is a compelling lawful justification and explicit senior approval.

4. Managing CCTV and Surveillance Efficiently

4.1. Leadership and Accountability

The Registered Manager is responsible for the day-to-day operation of CCTV and for ensuring that CCTV is used in accordance with this policy.

The Responsible Individual is responsible for oversight of governance, quality assurance, regulatory compliance and ensuring that CCTV use is consistent with the service’s statement of purpose, CIW requirements, safeguarding duties and the rights and well-being of individuals.

The Data Protection Officer, or person responsible for data protection, is responsible for advising on UK GDPR, Data Protection Act 2018, DPIAs, lawful basis assessments, subject access requests, breaches, retention, disclosure and information security.

The Maintenance Team or authorised contractor is responsible for ensuring that CCTV equipment is maintained, secure and functioning correctly. Maintenance staff and contractors must not access or view footage unless specifically authorised.

The service provider will ensure CCTV arrangements are reviewed as part of quality assurance, health and safety, safeguarding, information governance and premises management.

4.2. Staff Training and Awareness

All staff will receive training appropriate to their role on:

• Why CCTV is used in the home.
• Where CCTV is located.
• Privacy, dignity and confidentiality.
• UK GDPR and data protection responsibilities.
• Recognising and escalating subject access requests.
• Recognising and reporting data breaches.
• Safeguarding and the use of CCTV footage in safeguarding concerns.
• Restrictions on viewing, recording, copying, downloading or sharing footage.
• The prohibition on unauthorised personal recording or hidden recording.
• The process for family or individual requests to use surveillance equipment.
• How CCTV links to complaints, incident reporting, duty of candour and CIW notifications.

Staff must not use personal phones, cameras, smart devices or personal accounts to record individuals, staff, visitors, care delivery, incidents or CCTV screens unless this has been specifically authorised in line with policy and is necessary for a lawful purpose.

Training will be provided at induction, refreshed annually, and repeated where there are changes to legislation, ICO guidance, CIW expectations, technology or internal procedures.

4.3 Monitoring, Audit and Continuous Improvement

The use of CCTV will be reviewed at least annually and sooner where there is a change in risk, technology, premises, law, guidance, complaints, safeguarding concerns or CIW feedback.

The review will consider:

• Whether each camera remains necessary and proportionate.
• Whether camera locations remain appropriate.
• Whether signage and privacy information remain clear and accessible.
• Whether retention periods remain appropriate.
• Whether access controls remain effective.
• Whether subject access requests have been handled properly.
• Whether disclosures have been lawful and recorded.
• Whether any breaches, complaints or concerns have occurred.
• Whether CCTV has affected individuals’ privacy, dignity, independence or well-being.
• Whether any surveillance is recorded in personal plans where required.
• Whether staff, individuals and representatives understand the policy.
• Whether any changes are required to the statement of purpose, written guide or privacy notices.

The outcome of CCTV reviews will be recorded and reported through the service’s governance and quality assurance arrangements.

4.4 Written Guide, Privacy Notices and Signage

Information about CCTV will be included in the written guide to the service and in privacy information provided to individuals, representatives, staff and visitors.

CCTV signage will be displayed before a person enters a monitored area and will include, as a minimum:

• That CCTV is in operation.
• The purpose of the CCTV.
• The identity of the organisation responsible for the CCTV.
• Contact details for queries.
• Where further privacy information can be obtained.

Information will be provided in accessible formats where required, including easy read, large print, Welsh language or other communication formats suited to the person’s needs.

5. Related Policies

This policy is supported by:

• CHW11 – Safe Care and Treatment Policy
• CHW16 – Health and Safety at Work Policy
• CHW18 – Risk Management and Assessment Policy
• CHW19 – Emergency and Business Continuity Plan
• CHW34 – Confidentiality and Data Protection (GDPR) Policy
• CHW41 – Managing Service User Finances Policy

6. Policy Review

This policy will be reviewed at least annually, or sooner if:

• There is a change in legislation, Welsh Government guidance, CIW expectations or ICO guidance.
• CCTV equipment, camera locations, access arrangements or retention periods change.
• Audio recording, remote access, facial recognition, analytics or other new surveillance technology is proposed.
• A safeguarding concern, complaint, data breach, subject access issue or CIW inspection identifies a concern about CCTV.
• An individual, representative, staff member or visitor raises a significant concern about privacy, dignity, rights or surveillance.
• The statement of purpose, written guide or privacy notices are updated in a way that affects CCTV use.

Staff, individuals and representatives will be informed of relevant changes, and additional training or accessible information will be provided where required.

---

Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.