Handling NHS video DSARs: a quick and easy guide to protecting patient and practitioner data

Across NHS hospitals and trusts, video data is recorded and collected from CCTV cameras, body-worn camera footage, ANPR cameras, telehealth video footage, and more. Hospitals have an important duty of care towards patient privacy, and there are strict guidelines regarding how video recording and sharing is carried out.

As data processors and controllers, NHS Trusts have a responsibility under the GDPR and the Data Protection Act 2018 to provide people with their personal data within 30 days of it being requested.

Data subject access requests can cover video footage of people, whether within medical consultations or simply walking in and out of hospitals or medical facilities. In both contexts, personal data is extremely sensitive and needs to be protected and anonymised. This data can also be released to third parties and public bodies who can prove a legitimate reason for access, provided their identity can be verified.


What kind of DSARs can health providers get?

The types of DSARs differ depending on what sector of healthcare is involved. 

NHS requests are usually incident-based, such as issues of staff or patient abuse or traffic incidents.

Smaller NHS trusts may receive roughly 2-10 requests per year, while larger NHS hospitals can receive anywhere between 10 and 50 (or more) within a year.


To whom it may concern,

I am making a data subject access request pursuant to the UK GDPR and the Data Protection Act 2018 which allows me access to my personal data.

My name is Sandra Wright. I am requesting CCTV video footage of an incident that occurred between me and another patient on January 15th 2023 at Royal Free Hospital, London. This happened in the A&E between roughly the hours of 18:00 and 19:00. This is required for legal proceedings.

I am roughly 5’5 with long brown hair and was wearing a brown jumper, black jeans, and white trainers.

Please provide me with any footage of this incident within the prescribed month’s time limit. I would prefer this as a downloadable mp4 file.

Please find attached a copy of my ID and address for verification purposes.

Regards,
Sandra Wright
— What a typical request may look like

Can we refuse a DSAR?

The short answer is yes. There will, of course, be times when fulfilling a DSAR is not possible. This is the case if:

  • It is a vexatious request, e.g. someone making the same request every day for a month. 

  • You do not have the information requested on your system. 

  • You have not received sufficient evidence of identification/proof that the requester is acting legitimately on behalf of the data subject. 

  • There is no proof of consent if the requester is acting on behalf of the data subject.

  • A similar DSAR by the same person has been completed. 

Whatever the reason for denying a request, it is important to communicate it to the applicant, explaining your duties under the GDPR and why the request cannot be fulfilled in that circumstance.


How can video DSARs go wrong?

Hospitals and NHS surgeries are particularly sensitive environments where adults and children are receiving care, and extra care needs to be taken with how video data is handled.

The GDPR prevents you from releasing the personal information of third parties without their consent. This can often be a roadblock for NHS Trusts as requested footage may include the personal information of numerous other data subjects. 

This is where video redaction is fundamental. 


NHS hospitals and trusts often don’t fulfil DSAR requests because they don’t know how to redact or how to submit a video in compliance with data protection law.
— NHS CCTV Manager

Secure Redact is a quick and efficient tool to handle all your video redaction needs, as our video privacy platform automatically picks up faces and number plates and blurs them. You are able to use intelligent object tracking to blur out any other personal or identifying information - such as documents or computer screens. 


Quick step-by-step guide when tackling a video DSAR 

Step 1: Once you receive the request, log it in your internal systems and inform HR about the request.

Step 2: Verify the identity of the applicant.

Requests can be made on behalf of the data subject by a third party, e.g. a parent on behalf of a child or someone applying on behalf of someone who has died. In these cases, proof will need to be provided that they are permitted to act on behalf of the data subject, and this proof should be verified.


Step 3: Locate the video from the incident/time period being requested.  

Step 4: Upload the video to Secure Redact to redact any third-party personal data.

The system will automatically detect faces and number plates ready for redaction. Once finished, you can save and download the full redacted video. 


Step 5: Often the data provided will have to be reviewed by the relevant authority in the Trust, e.g. an Information Governance Manager, before it is sent off.

Step 6: Respond to the applicant with the final video within the 30-day window.

Inform the applicant of what they requested, and what has been provided. If the information cannot be released or is not available, ensure you inform the applicant of this.


 

Step 7: Log and close the request.

 

Note: many NHS networks have several internet domains blocked. Before using Secure Redact, make sure to speak to your IT team - all they need to do to enable access to Secure Redact is whitelist the domain.


We already work with lots of NHS trusts, and our redaction solution has proven to pass NHS compliance and legal hurdles. Get in touch to find out more. 
