{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}

---

Use of CCTV and Surveillance in Service Users’ Homes Policy

1. Purpose

The purpose of this policy is to provide clear guidance on the lawful, ethical, necessary and proportionate use of CCTV, cameras, microphones, audio recording, monitoring devices, doorbell cameras, body-worn cameras, sensor-based monitoring and any other surveillance or recording technology in the homes of people we support. This policy supports compliance with the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, CQC Fundamental Standards, CQC guidance on using surveillance in care services, the UK General Data Protection Regulation, the Data Protection Act 2018, the Human Rights Act 1998, the Mental Capacity Act 2005, the Care Act 2014 safeguarding duties, and relevant Information Commissioner’s Office guidance. The policy aims to protect people’s safety while respecting their right to privacy, dignity, autonomy, family life, confidentiality, tenancy rights and freedom from unnecessary restriction.

2. Scope

This policy applies to all staff, service users, families, visitors, and external agencies involved in the installation, monitoring, and use of CCTV and surveillance within supported living environments managed by {{org_field_name}}.

In supported living, the person’s accommodation is their own home. {{org_field_name}} will not install, operate, access, monitor or rely on surveillance in a person’s home unless there is a clearly documented lawful basis, the person’s rights and tenancy arrangements have been considered, the least restrictive and least intrusive option has been chosen, and all people who may be affected have been consulted wherever practicable. This includes other tenants, housemates, family members, visitors, advocates, staff, contractors and professionals who may be recorded or monitored.

This policy covers:

• Overt and covert surveillance
• Audio and visual recording
• Data protection, retention, and security
• Service user rights and consent

For the purpose of this policy, “surveillance” includes CCTV, fixed cameras, portable cameras, hidden cameras, doorbell cameras, body-worn cameras, webcams, microphones, audio recording, video recording, sensor-based monitoring, movement monitoring, remote monitoring, smart speakers or smart home devices capable of recording, and any other technology that captures, records, monitors or transmits information about a person, their home, their care, staff activity or visitors.

3. Related Policies

• Confidentiality and Data Protection (GDPR) Policy (SL34)
• Dignity and Respect Policy (SL08)
• Safeguarding Adults from Abuse and Improper Treatment Policy (SL13)
• Mental Capacity and Deprivation of Liberty Safeguards Policy (SL39)
• Health and Safety at Work Policy (SL16)
• Good Governance Policy (SL04)
• Complaints Policy (SL14)
• Duty of Candour Policy
• Incident Reporting and Notifications Policy
• Whistleblowing Policy
• Records Management Policy
• Information Governance Policy
• Consent to Care and Treatment Policy
• Equality, Diversity and Human Rights Policy
• Staff Code of Conduct / Disciplinary Policy
• Tenancy, Housing and Visitors Policy, where applicable
• Positive Behaviour Support / Restrictive Practice Policy, where applicable

4. Policy Statement

{{org_field_name}} recognises the potential benefits of CCTV and surveillance systems in enhancing security, preventing harm, and protecting individuals from abuse. However, the use of such systems must be lawful, ethical, necessary, and proportionate. The dignity, privacy, and autonomy of individuals must always be prioritised.

{{org_field_name}} will not use surveillance as a routine, blanket or convenience-based measure. Surveillance must never be used to replace safe staffing, person-centred care, supervision, meaningful engagement, safeguarding practice, positive behaviour support, or appropriate risk management. Surveillance will only be considered where there is a specific, evidenced and current risk or legitimate purpose that cannot be managed effectively by less intrusive means.

5. Principles Governing the Use of CCTV and Surveillance

• Legal Compliance: All surveillance must comply with the Health and Social Care Act 2008 regulatory framework, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, CQC Fundamental Standards, CQC surveillance guidance, the UK GDPR, the Data Protection Act 2018, the Human Rights Act 1998, the Mental Capacity Act 2005, safeguarding law and relevant ICO guidance.
• Necessity and Proportionality: CCTV should only be used where other measures are insufficient to address risks.
• Transparency, Lawful Basis and Consent: People must be told clearly what surveillance is proposed, why it is proposed, what will be recorded, who will have access, how long information will be kept, and how they can object or raise concerns. Consent must be sought where consent is required, but {{org_field_name}} must also identify and document an appropriate lawful basis under the UK GDPR and Data Protection Act 2018 before any surveillance begins. Where a person lacks capacity, decisions must follow the Mental Capacity Act 2005 and must not be made by family members or others unless they have lawful authority to act on the person’s behalf.
• Safeguarding and Dignity: CCTV should never be used in a way that undermines dignity or independence.
• Security and Data Protection: All recordings must be stored securely, with access limited to authorised personnel only.
• Data Protection by Design and Default: Surveillance must be designed and configured to collect the minimum information necessary for the specified purpose.
• Accountability: The decision-making process, risk assessment, consultation, lawful basis, DPIA, privacy impact, review dates and management approval must be recorded.
• Least Restrictive Practice: Surveillance must be the least restrictive and least intrusive option available and must be reviewed regularly to confirm it remains necessary.
• Equality and Human Rights: Decisions must consider the person’s protected characteristics, communication needs, trauma history, cultural and religious needs, relationships, family life and Article 8 right to private and family life.
• No Intimate Monitoring Except in Exceptional Circumstances: Surveillance must not record intimate care, personal care, toileting, bathing, dressing, sexual activity, private conversations, religious observance or other highly private activity unless there is an exceptional, evidenced, lawful and time-limited safeguarding reason and senior approval has been obtained.

5.1 Lawful Basis, ICO Registration and Data Protection Impact Assessment

Before any surveillance is installed, activated, accessed or monitored by {{org_field_name}}, the Registered Manager and Data Protection Officer must ensure that:

• {{org_field_name}} is registered with, or has confirmed its registration requirement with, the Information Commissioner’s Office.
• A Data Protection Impact Assessment has been completed where surveillance is likely to result in a high risk to people’s rights and freedoms.
• The purpose of the surveillance has been clearly defined and recorded.
• The lawful basis under Article 6 UK GDPR has been identified and documented.
• Where special category data may be captured, an Article 9 condition and Data Protection Act 2018 Schedule 1 condition have been identified and documented.
• Less intrusive alternatives have been considered and recorded.
• The expected benefit is proportionate to the impact on privacy and human rights.
• The proposed surveillance is consistent with the person’s care plan, risk assessment, mental capacity assessment, best interests decision, tenancy arrangements and safeguarding plan.
• The provider has decided who is the data controller for the system and whether any third party is a processor, joint controller or separate controller.
• A privacy notice has been given to affected people in an accessible format.
• A review date has been set before surveillance starts.

6. Implementation Procedures

6.1 Assessing the Need for CCTV or Surveillance

Before installing, activating, accessing or monitoring CCTV or any surveillance system in a person’s home, communal area or any area connected with supported living, the Registered Manager must ensure that the following questions are answered and recorded:

• What specific risk, safeguarding concern, security concern or care-related purpose is the surveillance intended to address?
• Is the purpose legitimate, current, evidenced and specific?
• What less intrusive options have been tried or considered, and why are they insufficient?
• What is the expected benefit to the person or others?
• What are the risks to privacy, dignity, autonomy, family life, relationships, staff rights and visitors’ rights?
• Will the surveillance capture personal care, intimate care, bedrooms, bathrooms, private conversations, religious observance, visitors, other tenants, staff breaks or confidential professional discussions?
• Who may be recorded or monitored, including housemates, staff, family members, visitors, advocates, contractors and professionals?
• Has each affected person been consulted unless there is a clear, documented reason why consultation is not possible or would increase risk?
• Has the person’s tenancy agreement, landlord permission and housing status been considered?
• Has a mental capacity assessment been completed if there is any doubt about the person’s capacity to consent to the specific surveillance decision?
• Has a best interests decision been completed where the person lacks capacity, involving the person, family, advocate, relevant professionals and any attorney or deputy where appropriate?
• Has the lawful basis under UK GDPR and any special category data condition been recorded?
• Has a Data Protection Impact Assessment been completed where required?
• Has the ICO registration/licensing position been checked?
• Has a privacy notice/signage/accessibility plan been prepared?
• Who will own, operate, access, monitor and maintain the equipment?
• How will footage be stored, protected, accessed, shared, retained and deleted?
• What is the start date, review date and end date?
• How will the system be reviewed to confirm it remains necessary, proportionate and the least restrictive option?

A formal risk assessment, privacy assessment and written rationale must be completed before any surveillance is approved. The decision must be signed off by the Registered Manager and Data Protection Officer and must be reviewed at the agreed review date or sooner if the person’s needs, wishes, risks, capacity, tenancy arrangements or safeguarding circumstances change.

6.2 Obtaining Consent

The person’s informed consent must be sought before any overt surveillance is installed, activated, accessed or monitored, unless there is a clearly documented lawful reason why consent is not the appropriate legal basis and the use of surveillance is otherwise lawful, necessary and proportionate.

Consent must be specific, informed, voluntary, recorded, time-limited and reviewable. The person must be told what will be recorded, where, why, when, by whom, who will see it, how long it will be kept, their right to refuse or withdraw consent, and how refusal or withdrawal will be managed.

Where the person lacks capacity to make the specific decision about surveillance, a mental capacity assessment must be completed under the Mental Capacity Act 2005. Any best interests decision must involve the person as far as possible, and must consult relevant others, which may include family, advocates, commissioners, professionals and any person with lawful authority such as a health and welfare attorney or Court of Protection deputy. Family members must not be treated as having authority to consent unless they have lawful authority for that decision.

If consent is refused or withdrawn, the surveillance must stop unless there is a separate, clearly documented lawful basis and an urgent, necessary and proportionate safeguarding reason to continue temporarily while advice is sought. Any decision to continue without consent must be approved by the Registered Manager, Data Protection Officer and, where relevant, the local authority safeguarding team, commissioner, Court of Protection or legal adviser.

6.3 Location and Type of Surveillance

Cameras, microphones or monitoring devices must only be placed in locations that have been risk assessed, agreed and documented. The field of view and recording capability must be limited to the minimum necessary for the approved purpose.

Surveillance must not normally be used in bedrooms, bathrooms, toilets, areas where intimate or personal care is provided, areas used for private religious observance, private visiting spaces or any place where people reasonably expect a high level of privacy. Any exceptional use in such areas must be supported by a serious and evidenced safeguarding rationale, a DPIA, senior approval, legal advice where required, and a clear time-limited review plan.

Audio recording is more intrusive than visual-only monitoring and must not be used unless there is an evidenced and justified need, no less intrusive option is sufficient, and the reason has been specifically approved and documented. Audio recording must not be enabled by default.

Where cameras may capture other tenants, staff, visitors, neighbours, public areas or communal areas, {{org_field_name}} must consider whether the surveillance is lawful and proportionate, consult affected people where possible, provide appropriate privacy information, and use masking, restricted angles, restricted recording times or other technical measures to reduce privacy intrusion.

6.4 Data Security, Access, Retention and Information Rights

All surveillance images, recordings, logs and metadata are personal data where a person can be identified directly or indirectly. They must be managed in line with the UK GDPR, Data Protection Act 2018, {{org_field_name}}’s information governance policies and ICO guidance.

{{org_field_name}} must ensure that:

• the data controller and, where relevant, processor arrangements are identified and documented;
• recordings are stored securely using encrypted systems where available;
• default passwords are changed before use;
• access is restricted to named authorised persons only;
• access permissions are reviewed regularly;
• an access log is maintained showing who viewed, downloaded, copied, deleted or shared footage, when and why;
• remote access is disabled unless necessary, secure and approved;
• cloud storage or third-party monitoring arrangements are covered by a written contract and data protection assessment;
• footage is not viewed for curiosity, convenience, staff monitoring or any purpose outside the approved rationale;
• footage is not shared externally unless there is a lawful basis, such as safeguarding, police investigation, legal obligation, court order, regulatory requirement, serious incident investigation, complaint investigation or the person’s valid consent;
• people are informed how to make a subject access request or raise an objection;
• requests for footage from service users, staff, visitors, family members, police, commissioners, safeguarding teams or CQC are handled by the Registered Manager and Data Protection Officer;
• any personal data breach is reported internally immediately and assessed for ICO notification and affected-person notification where required.

The standard retention period for routine footage is 30 days unless a shorter period is sufficient or a longer period is necessary for a safeguarding enquiry, complaint, incident investigation, police investigation, legal claim, regulatory request or disciplinary process. Retention must be justified, documented and reviewed. Footage must be securely deleted when no longer required.

6.5 Covert Surveillance

Covert surveillance means surveillance that is hidden or carried out without the knowledge of one or more people who may be recorded or monitored. Covert surveillance is highly intrusive and will only be considered in exceptional circumstances where there is a serious and evidenced safeguarding, criminal, abuse, neglect or serious safety concern, and where telling the person or others about the surveillance would be likely to defeat the purpose or increase the risk of harm.

Covert surveillance must never be used for general staff performance management, routine monitoring, convenience, curiosity, speculative concerns or as a substitute for safe staffing, supervision, safeguarding procedures or proper investigation.

Before covert surveillance is used, the Registered Manager must ensure that:

• the concern is serious, specific, current and evidenced;
• less intrusive options have been considered and found insufficient;
• a safeguarding referral has been made where appropriate;
• advice has been sought from the local authority safeguarding team, commissioner, police or legal adviser where appropriate;
• the Data Protection Officer has completed or reviewed the DPIA;
• the lawful basis and any special category data condition have been documented;
• the privacy impact on the person, other tenants, visitors and staff has been assessed;
• senior approval has been obtained from the nominated responsible individual or provider representative;
• the surveillance is time limited, with a clear start date, end date and review date;
• the areas monitored are strictly limited;
• audio recording is not used unless specifically justified and approved;
• arrangements are in place for secure storage, restricted access, review, deletion and escalation of concerns.

Covert surveillance must be stopped as soon as the purpose has been achieved, the risk changes, the surveillance is no longer necessary or proportionate, or a review concludes that it should not continue. The decision-making record must be retained securely.

6.6 Staff Responsibilities

Registered Manager: Responsible for ensuring this policy is implemented, surveillance decisions are lawful and proportionate, care plans and risk assessments are updated, consultation is completed, safeguarding concerns are escalated, reviews take place, and staff are trained.

Data Protection Officer / Information Governance Lead: Responsible for advising on lawful basis, DPIAs, privacy notices, data security, retention, subject access requests, data sharing, processor arrangements, data breaches and ICO matters.

Nominated Individual / Provider Representative: Responsible for approving any high-risk, intrusive or covert surveillance and ensuring provider-level oversight.

Care Staff and Support Workers: Must respect privacy and dignity, follow care plans and risk assessments, report any concerns or misuse, and must not install, access, move, disable, view, copy, share or delete footage unless authorised.

Maintenance / IT Personnel: Must only access equipment or systems where authorised and must maintain confidentiality and security at all times.

All Staff: Must complete required training and report immediately any unauthorised surveillance, suspected misuse, data breach, safeguarding concern, equipment fault or privacy concern.

6.7 Consultation and Accessible Information

Before overt surveillance is introduced, {{org_field_name}} will consult people who may be affected, unless there is a documented reason why consultation is not possible or would increase risk. This may include the person, other tenants, family members, advocates, staff, visitors, commissioners, the landlord or housing provider, and relevant professionals.

Information must be provided in a format the person can understand, including easy read, large print, translated information, communication aids, pictures, objects of reference, or support from an advocate or interpreter where required.

The consultation record must include who was consulted, what information was provided, what views were expressed, how objections were considered, what adjustments were made, and the final decision.

6.8 Privacy Notices and Signage

Where overt surveillance is used, clear privacy information must be available to people who may be recorded. This may include signs, privacy notices, easy-read notices, tenant information, staff information and visitor information. The information must explain:

• who is operating the surveillance;
• why it is being used;
• what areas are covered;
• whether audio is recorded;
• when recording takes place;
• who can access recordings;
• how long recordings are kept;
• who recordings may be shared with;
• how people can raise a concern, object or request access to their personal data.

Signs and notices must not disclose confidential information about the person or the reason for surveillance.

6.9 Surveillance by People We Support, Families or Visitors

People we support, relatives or visitors may sometimes wish to use cameras, recording devices, smart doorbells or other monitoring equipment. {{org_field_name}} will respond proportionately and will not automatically remove, damage, delete or interfere with such equipment.

Where such equipment is identified or proposed, the Registered Manager must consider:

• who owns the equipment;
• whether the person has capacity to decide to use it;
• whether any attorney or deputy has lawful authority;
• whether the equipment records staff, visitors, other tenants or communal areas;
• whether the use affects the privacy, dignity, rights or safety of others;
• whether there are safeguarding concerns;
• whether the landlord or housing provider needs to be involved;
• whether the person, family or visitor needs information about privacy and data protection responsibilities.

{{org_field_name}} will seek to resolve concerns through discussion, risk assessment, consent, safeguarding procedures and legal advice where required.

6.10 Staff Monitoring and Employment Issues

Surveillance must not be used for routine staff monitoring, performance management or disciplinary investigation unless this purpose has been clearly identified, assessed as lawful and proportionate, communicated where appropriate, and handled in line with employment law, data protection law, staff privacy rights and {{org_field_name}}’s HR policies.

Staff must be told where overt surveillance is in use, what it records, why it is used, who may access recordings, and how concerns can be raised. Staff must not be asked to work in environments where surveillance is used unlawfully, excessively or without proper safeguards.

6.11 Review, Audit and Removal of Surveillance

All surveillance arrangements must be reviewed at least monthly for the first three months and then at a frequency proportionate to the risk, but no less than every six months. Reviews must also take place after any incident, complaint, safeguarding concern, change in capacity, change in care needs, change in tenancy/household arrangements, equipment change, data breach or objection.

The review must consider whether:

• the original purpose remains valid;
• the surveillance is still necessary and proportionate;
• less intrusive alternatives are now available;
• the person continues to consent, where consent is relied on;
• the surveillance is affecting dignity, privacy, wellbeing or relationships;
• footage access, sharing, retention and deletion records are complete;
• any complaints or concerns have been addressed;
• equipment remains secure and fit for purpose.

Surveillance must be removed or deactivated when it is no longer necessary, proportionate or lawful.

7. Safeguarding Considerations

• Service users must feel safe and respected, with CCTV used only as a last resort.
• CCTV must not replace human care and supervision.
• If surveillance identifies abuse, it must be reported immediately under the Safeguarding Policy (SL13).
• Any footage or information suggesting abuse, neglect, exploitation, criminal conduct, unsafe care, unlawful restriction, staff misconduct or a serious incident must be escalated immediately under the Safeguarding Adults from Abuse and Improper Treatment Policy, Incident Reporting Policy, Duty of Candour Policy and CQC notification procedures where applicable.
• Surveillance evidence must be preserved securely where it may be needed for safeguarding, police, disciplinary, regulatory or legal processes.
• Surveillance must not be used to delay immediate action to protect a person from harm.
• Families, advocates and representatives should be consulted where appropriate and where this is lawful and in the person’s interests. However, family members must not be treated as having authority to consent to surveillance unless they hold relevant legal authority, such as a health and welfare lasting power of attorney or Court of Protection deputyship covering the decision.

8. CQC Compliance

This policy supports compliance with the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and CQC Fundamental Standards, including:

• Regulation 9 – Person-centred care: Surveillance decisions must be based on the person’s individual needs, preferences, risks, rights, communication needs and care plan.
• Regulation 10 – Dignity and respect: Surveillance must protect privacy, dignity, autonomy and family life and must not be excessive, degrading or unnecessarily intrusive.
• Regulation 11 – Need for consent: Consent must be obtained where required, and where the person lacks capacity the Mental Capacity Act 2005 must be followed.
• Regulation 12 – Safe care and treatment: Surveillance may only be used where it contributes to safe care and treatment and does not create additional avoidable risk.
• Regulation 13 – Safeguarding service users from abuse and improper treatment: Surveillance must not amount to abuse, improper treatment, unlawful restraint, unnecessary restriction or neglect, and must be used only to protect people where necessary and proportionate.
• Regulation 16 – Receiving and acting on complaints: Concerns or complaints about surveillance must be investigated, recorded, responded to and used to improve practice.
• Regulation 17 – Good governance: Decisions, risk assessments, DPIAs, reviews, audits, access logs, retention records and improvement actions must be maintained.
• Regulation 18 – Staffing: Staff must receive training appropriate to their role on privacy, dignity, consent, safeguarding, information governance and this policy.
• Regulation 19 – Fit and proper persons employed: Misuse of surveillance, unauthorised recording, unauthorised access or inappropriate sharing may raise conduct, disciplinary and fitness concerns.
• Regulation 20 – Duty of candour: Where surveillance identifies or relates to a notifiable safety incident, {{org_field_name}} will act in an open and transparent way in line with the Duty of Candour Policy.

{{org_field_name}} will also follow CQC guidance on using surveillance in care services, including setting out reasons, consulting people, protecting privacy, ensuring equipment and staff training are appropriate, and maintaining records.

9. Handling Complaints, Concerns and Misuse

Any person we support, family member, advocate, visitor, staff member, professional or other affected person may raise a concern about surveillance. Concerns may relate to privacy, dignity, consent, data protection, staff conduct, safeguarding, equipment placement, footage access, recording of visitors or other tenants, or the continued need for surveillance.

Concerns should be reported to {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}, Registered Manager, or to the Data Protection Officer / Information Governance Lead where the concern relates to personal data. Complaints will be investigated in line with {{org_field_name}}’s Complaints Policy (SL14).

Where a concern indicates possible abuse, neglect, unlawful restriction, criminal conduct, staff misconduct or a serious incident, it must be escalated immediately under safeguarding, whistleblowing, incident reporting, duty of candour and CQC notification procedures as applicable.

Unauthorised installation, access, viewing, downloading, copying, sharing, deletion, tampering with or misuse of surveillance equipment or footage may result in disciplinary action, safeguarding referral, police referral, regulatory notification or legal action.

People must be informed of their right to complain to the Information Commissioner’s Office where their concern relates to the handling of personal data.

10. Policy Review

This policy will be reviewed annually, or sooner if there are legislative changes, regulatory updates, or operational needs. Individual surveillance arrangements must be reviewed at the frequency recorded in the person’s care plan, risk assessment and DPIA. High-risk or intrusive surveillance, including any surveillance in private areas or any covert surveillance, must be reviewed more frequently and must stop as soon as it is no longer necessary, proportionate and lawful.

---

Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.