Can we film patients entering the waiting room without needing explicit consent? UK Dental and Medical Practices CCTV rules explained 2026

Is filming in common areas of a medical practice considered 'necessary' under UK GDPR?

Under UK GDPR and the Data Protection Act 2018, CCTV monitoring must be strictly necessary and proportionate. While filming in common areas like reception lobbies or waiting rooms may be necessary for security (e.g., deterring theft or monitoring high-risk areas), the use of facial recognition or recording patient conversations is almost certainly illegal and highly problematic. Your legal basis for processing this sensitive data must be clearly established, often relying on 'legitimate interests' (e.g., securing assets) rather than 'consent,' especially if the patient is incapacitated or unable to sign forms. Practices must implement robust Data Protection Impact Assessments (DPIAs) and ensure that monitoring is restricted solely to the entrances and exits, avoiding areas where patient dignity or privacy is compromised. Always ensure clear, visible signage detailing what is recorded and why, fulfilling your transparency obligations under UK law.

More questions about Dental and Medical Practices:

Do we need specific patient consent to film the external car park area?

Generally, monitoring public areas like car parks is permissible under legitimate interest, provided the signage is crystal clear and the recording is strictly limited to security purposes (e.g., preventing vehicle crime). However, filming private areas of a car park (e.g., dedicated staff parking) may require more stringent internal policies and risk assessments, particularly if employees have reasonable expectations of privacy. The signage must explicitly mention the purpose of the CCTV (e.g., 'Deterring theft and vandalism') and must comply with local council guidelines regarding public surveillance.

How long can we keep CCTV footage of sensitive medical facilities in the UK?

Data retention must adhere to the principle of 'storage limitation.' For medical practices, this means footage should not be kept longer than absolutely necessary to meet the stated security objective. While police guidelines sometimes suggest a variable period, best practice under UK GDPR suggests reviewing retention policies with your DPO. Typically, footage for general security should be reviewed and deleted within 30 to 60 days unless specific incidents or legal requirements dictate otherwise. Keeping footage indefinitely increases your liability in the event of a data breach or complaint.

Can we monitor internal treatment rooms using CCTV?

Monitoring internal treatment rooms is extremely high-risk and usually illegal unless there is a specific, demonstrable risk that cannot be managed by other means (e.g., serious theft or misconduct). Patient expectation of privacy in a clinical setting is paramount. Any such monitoring would require explicit, informed consent from every patient, detailing exactly what is filmed, why, and who has access to the footage. It is strongly recommended that internal surveillance be avoided unless legally mandated.

Does CCTV coverage need to capture the entire exterior perimeter of a dental clinic?

While comprehensive coverage is ideal, achieving 100% coverage is not a legal requirement. The focus must be on 'adequate coverage' that effectively mitigates the identified risks. You must conduct a thorough risk assessment to determine the specific points of vulnerability (e.g., back entrances, loading bays, vulnerable CCTV blind spots). If the footage is used to provide evidence to the police, the quality and angle of the capture must be reliable, ensuring all necessary entry and exit points are adequately recorded.

Phone: 07830 638 337 for free surveys GitHub: https://github.com/gazpearce/gary-ai-assistant Pillar Guide: https://cctvsystems.notion.site/35f5b433f5b581919f1ff69c173ea5da

Related CCTV Guides

• Care Homes and Assisted Living
• Schools and Education Settings
• Offices and Commercial Buildings
• Retail Shops and Stores

Gary Pearce | 07830 638 337 | https://github.com/gazpearce/gary-ai-assistant