CCTV in healthcare facilities and GDPR refers to the set of legal, organisational, and technical requirements governing video recording in hospitals, clinics, outpatient centres, and other healthcare providers in a way that complies with personal data protection laws. In practice, this means determining when and under what conditions images of patients, staff, visitors, and other individuals on the premises may be recorded, as well as how such footage must be secured and its use restricted.
In healthcare settings, video surveillance involves a heightened privacy risk. A person’s facial image is personal data if it allows that person to be identified, in line with Article 4(1) GDPR: “personal data means any information relating to an identified or identifiable natural person.” In healthcare facilities, footage may also indirectly reveal information about a person’s health condition, use of medical services, place of hospitalisation, or relationship with a specific clinic. This creates a risk of processing special category data within the meaning of Article 9(1) GDPR, as well as a risk of breaching medical confidentiality, referred to, among others, in Article 13 of the Polish Act of 6 November 2008 on Patient Rights and the Patient Rights Ombudsman.
In the context of photos and video, GDPR compliance does not mean a ban on cameras. It means limiting the purpose, field of view, retention period, list of recipients, and scope of identification. If footage is to be shared, used for training, transferred to a contractor, or used outside its original security purpose, video anonymisation or at least pseudonymisation often becomes necessary. In practice, this usually means blurring faces and licence plates, while other elements such as documents, ID badges, or information visible on screens typically require manual redaction.
Legal Basis for CCTV in Healthcare Facilities
The legality of CCTV in healthcare facilities is not assessed under a single provision, but under several parallel legal frameworks. For a Data Protection Officer, it is crucial to distinguish the security purpose from the medical purpose and from the training purpose. The legal basis, data scope, and storage period will differ in each case.
The most important legal acts and reference documents are:
- GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- The Polish Act of 15 April 2011 on Medical Activity.
- The Polish Act of 6 November 2008 on Patient Rights and the Patient Rights Ombudsman.
- The Labour Code - Articles 22(2) and 22(3), where employee monitoring is involved.
- EDPB Guidelines 3/2019 on processing personal data through video devices, version adopted on 29 January 2020.
- Case law of the CJEU and national administrative courts concerning the scope of personal data and the principle of proportionality.
EDPB Guidelines 3/2019 stress that video surveillance requires a demonstrable need and proportionality. In healthcare facilities, this means in particular avoiding cameras in areas where patient privacy deserves the highest level of protection, such as examination rooms, treatment rooms, changing rooms, or toilets, unless there is a very specific legal basis and additional safeguards have been implemented.
The Importance of Medical Confidentiality and Sensitive Data in Recordings
In a hospital or clinic, simply entering a specific area may reveal health-related information. Footage of a person waiting outside an oncology, psychiatry, addiction treatment, or infectious disease clinic may allow conclusions to be drawn about their health. For this reason, a risk assessment for medical CCTV should take into account not only facial identification, but also the context of place, time, and interactions.
The most common sources of risk in video footage include:
- the facial image of the patient and staff,
- vehicle licence plates in the car park or outside the emergency department,
- signs on consulting room doors and ward names,
- patient wristbands, staff ID badges, and information notices,
- monitor screens displaying medical data that may appear in the frame,
- audio recordings, if the system also records sound.
In practice, medical confidentiality is not limited to medical records alone. It may also be breached through the disclosure or improper protection of footage showing a patient in circumstances that reveal treatment, hospitalisation, or the type of medical service received.
Anonymisation of CCTV Footage and Photos in Healthcare
If footage from a healthcare facility is to be used outside its original security purpose, it should be assessed whether video anonymisation is required. In practice, this most often concerns footage intended for incident audits, staff training, internal proceedings, publication of illustrative material, or sharing with an external party.
In video material, anonymisation usually means permanently and irreversibly limiting the ability to identify individuals. For faces and licence plates, automatic detection and blurring are commonly used. This process may rely on AI models based on deep learning, because detection must work across different face angles, partial occlusions, changing lighting, motion, reflections, and low image quality. The model is first trained on large datasets and then used for inference, meaning the detection of objects in specific footage and the application of a blur or pixelation mask.
However, automatic blurring of faces and licence plates must be distinguished from full visual redaction. Gallio PRO automatically blurs only faces and licence plates. It does not automatically detect company logos, tattoos, nameplates, documents, or information shown on screens. These elements can be blurred manually in the editor. This matters in healthcare settings, where patient data often appears on wristbands, displays, and printed documents visible in the frame.
Key Parameters for Evaluating a Video Anonymisation System
When assessing a tool, it is not enough to rely on a statement such as “it blurs faces.” In healthcare environments, parameters are needed to evaluate the risk of missed detections or excessive masking. These parameters should be verified using your own test footage, because effectiveness depends on camera quality and scene conditions.
Parameter | Practical meaning | Notes for healthcare facilities
|
|---|---|---|
Detection recall | The percentage of faces or licence plates detected by the model | Crucial for minimising undetected patients in the footage |
Detection precision | The percentage of correct detections among all detections | Affects the number of false masks and the readability of the anonymised footage |
FN rate | The percentage of missed objects | The most important metric from a data breach risk perspective |
Processing time | The time needed to anonymise the footage | Gallio PRO does not anonymise footage in real time or on a live video stream |
Deployment model | On-premises or cloud | On-premises deployment limits the transfer of medical recordings outside the organisation |
Logging scope | What events the system records | Important to ensure logs do not contain personal data or special category data |
For risk assessment, a simple anonymisation coverage indicator can be used: effectiveness = 1 - FN rate. If, in a sample of 1,000 faces, the system missed 8, then the FN rate = 0.008 and the coverage effectiveness is 99.2%. Even so, this result still requires a qualitative assessment, because what matters is which faces were missed and in what clinical context they appear.
How to Organise a GDPR-Compliant Process
In a healthcare facility, compliance does not depend on the algorithm alone. Rules on access, retention, disclosure, and documentation of processing activities are equally important. A high risk to patient rights may justify carrying out a DPIA, that is, a Data Protection Impact Assessment, in accordance with Article 35 GDPR.
A minimum security process should include:
- defining the purpose of monitoring and its legal basis,
- analysing camera-covered areas and excluding particularly sensitive zones,
- setting footage retention periods and overwrite rules,
- implementing role-based access control,
- a procedure for exporting footage and anonymising it before further use,
- a register of recipients and cases where footage is disclosed,
- verification of data processing agreements where an external provider is involved.
In an on-premises model, footage remains within the organisation’s infrastructure, which usually makes data transfer control easier. This is particularly important for recordings from hospitals and clinics, where every additional copy of the material increases the risk of a confidentiality breach.
Practical Uses of CCTV and Anonymisation in Healthcare Facilities
The most common lawful uses of CCTV in healthcare facilities concern the safety of people and property, access control to restricted areas, incident investigation, and infrastructure protection. However, if footage is to be used in training materials, presentations, external audits, or shared with a software provider, the scope of personal identification should be limited.
Practical examples of anonymisation include:
- preparing training material from an emergency department with patients’ faces and vehicle licence plates blurred,
- sharing corridor footage with a company investigating a security incident after prior redaction of personal data visible in the frame,
- providing a clip for an internal quality audit without revealing the identity of bystanders,
- preserving evidence from a hospital car park with licence plates anonymised for further recipients who are not authorised to have full identification access.
It is worth noting that in Poland the status of licence plates as personal data is sometimes assessed contextually. On the one hand, guidance from the Polish DPA, the EDPB, and part of EU case law supports a cautious approach and masking them. On the other hand, administrative court judgments have held that licence plates alone do not always constitute personal data. In practice, for healthcare facilities, a conservative approach is safer, especially where footage is shared further.
Normative References and Sources
The following sources are fundamental for interpreting requirements relating to surveillance in healthcare providers and the anonymisation of recordings:
- GDPR - Regulation (EU) 2016/679, OJ EU L 119 of 4.05.2016.
- EDPB, Guidelines 3/2019 on processing personal data through video devices, adopted on 29.01.2020.
- The Polish Act of 6.11.2008 on Patient Rights and the Patient Rights Ombudsman.
- The Polish Act of 15.04.2011 on Medical Activity.
- The Labour Code, Articles 22(2) and 22(3).
- ISO/IEC 27001:2022 - information security management system, as a reference point for organisational and technical controls.
- ISO/IEC 27701:2019 - privacy information management extension, useful when designing data protection processes.