Video Surveillance

Procedure

Category: Privacy
Subject: Video Surveillance
Division: Human Resources and Corporate Services
Procedure Number: CA.58.02.106
Effective Date: August 1, 2015

PROCEDURE

This procedure will apply to all types of camera surveillance systems, monitors and recording devices utilized at all Wellington-Dufferin-Guelph Public Health (WDGPH) owned and leased properties. 

Utilizing Video Surveillance Equipment

When utilizing the video surveillance system, the following must be considered: 

  • Operators’ ability to adjust cameras shall be restricted, so that Operators cannot adjust or manipulate cameras to overlook spaces that are not intended to be covered by the video surveillance program.
  • Equipment must never monitor the inside of areas where the public and employees have a higher expectation of privacy (e.g. change rooms and washrooms).
  • Recording equipment must be located in a strictly controlled access area. Only designated staff, or those properly authorized by the Chief Privacy Officer (CPO), shall have access to the controlled access area and the recording equipment.
  • Every reasonable attempt should be made to ensure video monitors are not in a position that enables the public and/or unauthorized staff to view the monitors. 
Notice of Use of Video Systems

In order to provide notice to individuals that video is in use: 

  • WDGPH shall post signs, visible to members of the public, at all entrances and should be prominently displayed on the perimeter of the grounds under video surveillance.
  • The notification requirements of the sign informs the principal purpose for the use of the equipment and a method of accessing further information.
Personnel Authorized to Operate Video Equipment
  • Only employees (Operators) and contractors designated by the CPO shall be permitted to operate video surveillance systems.     
Types of Recording Devices
  • WDGPH will use digital video recorders (DVR) in its video systems. Facilities using video recorders will retain these records for a period of seven calendar days.
  • A record of an incident will only be stored longer than the seven calendar days where it may be required as part of a criminal, safety, and security investigation or for evidentiary purposes.                                                                                                                                                    
Record Identification                                                                                                                      
  • Each Operator shall maintain a logbook to record all activities related to video devices and records.  The activities include all information regarding the use, maintenance and storage of records, and all instances of access to, and use of, recorded material.
  • All logbook entries will detail authorized staff, date, time and activity. This logbook must remain in a safe and secure location with the video recording equipment. 
  • Only the CPO or designate is authorized to remove this logbook from the secure location.
  • Access to the video surveillance records, e.g. logbook entries, CD, etc., shall be restricted to authorized personnel only in order to comply with their roles and responsibilities as outlined in policy CA.58.01.100 Privacy Governance.
Storage
  • All DVDs or other storage devices that are not in use must be stored securely in a locked receptacle located in an access-controlled area. 
Access: Law Enforcement
  • If access to a video surveillance record is required for the purpose of a law enforcement investigation, the requesting police officer must complete the WDGPH Law Enforcement Officer Request Form (See Appendix 1) and forward this form to the CPO or designate. The CPO or designate will provide the recording for the specified date and time of the incident as requested by the police officer. The CPO or designate will record the following information in the facility’s video logbook:
    • The date and time of the original, recorded incident including the designated name/number of the applicable camera and DVR;
    • The time and date the copy of the original record was sealed;
    • The time and date the sealed record was provided to the requesting police officer; and
    • If the record will be returned or destroyed after use by the law enforcement agency.
Formal Access Requests Process
  • See procedure CA.58.02.104 Access and Release of Information.
Viewing Images
  • When recorded images from the cameras must be viewed for law enforcement or investigative reasons, this must only be completed by an individual(s) authorized by the CPO or designate in a private, controlled area that is not accessible to other staff and/or visitors. 
Custody, Control, Retention and Disposal of Video Records / Recordings
  • WDGPH must retain custody and control of all original video records not provided to law enforcement. Video records are subject to the access and privacy requirements of the MFIPPA, which includes, but is not limited to, the prohibition of all staff from access or use of information from the video surveillance system, its components, files, or database for personal reasons. 
  • With the exception of records retained for criminal, safety, or security investigations or evidentiary purposes, WDGPH should not maintain a copy of recordings for longer than the recording systems seven-day time frame. 
  • WDGPH should take all reasonable efforts to ensure the security of records in its control/custody and ensure their safe and secure disposal. Old storage devices must be disposed of in accordance with an applicable technology asset disposal process ensuring personal information is erased prior to disposal, and cannot be retrieved or reconstructed. Disposal methods may include shredding, burning, or erasing depending on the type of storage device. 
Unauthorized Access and/or Disclosure (Privacy Breach)
  • Any employee that becomes aware of any unauthorized disclosure of a video record in contravention of this policy and/or a potential privacy breach must immediately notify the CPO.
  • After an unauthorized disclosure or potential privacy breach is reported, the employee shall follow procedure CA.58.02.103 Privacy Breach Protocol.
  • Intentional wrongful disclosure, or disclosure caused by negligence by employees may result in disciplinary action up to and including dismissal. Intentional wrongful disclosure or disclosure caused by negligence, by service providers (contractors) to WDGPH may result in termination of their contract.  

RESPONSIBILITIES

Directors will:
  • Monitor adherence to policy CA.58.01.100 Privacy Governance; and
  • Be accountable for completion of all procedures regarding video surveillance.
Manager/Supervisor will:
  • Ensure employees adhere to policy CA.58.01.100 Privacy Governance; and
  • Ensure Directors and the CPO is immediately notified of any breach of video surveillance procedure.
Chief Privacy Officer will:
  • Ensure video surveillance procedure is administered as written/intended; and
  • Provide guidance and direction, if required.
Employees will:
  • Adhere to policies and procedures regarding a video surveillance.

DEFINITIONS

Breach – Any unauthorized collection, use, retention, or disclosure of personal or personal health and business information. A breach also encompasses the loss of custody or control over confidential, personal or personal health information intentional or unintentional.

Confidentiality – The duty to protect, respect and maintain privacy of confidential, personal and personal health information. As an Agency, WDGPH is obligated to refrain from disclosing personal health information outside to others not involved in the use of the information in their authorized work.

Direct notification – Refers to notifying individuals who have been affected by a privacy breach through direct means, including telephone, letter or in person.

Indirect notification – Refers to notifying individuals who have been affected by a privacy breach through indirect means including website information, posted notices or the media.

Third party contractor – Individual, institution, organization or government agency that is not directly employed by WDGPH, but is or may be contracted to provide specific services over a specified period of time. 

REFERENCES AND RELATED FORMS, POLICIES AND PROCEDURES

Corresponding Policy: N/A
CA.30.01.806  Reporting Form: Information Breach or Complaint
CA.58.01.100 and CA.58.02.100 Privacy Governance
CA.58.02.103 Privacy Breach Protocol

What to do when faced with a privacy breach? Guidelines for Health Sector (Information and Privacy Commissioner/Ontario) http://www.ipc.on.ca/images/Resources/hprivbreach-e.pdf
Privacy Breach Protocol- Guidelines for Government Organizations (IPC) http://www.ipc.on.ca/images/Resources/Privacy%20Breach-e.pdf
Hospital Privacy toolkit- Guide to Ontario Personal Health Information Protection Act http://www.oha.com/KnowledgeCentre/Library/Toolkits/PublishingImages/Hos…
IPC Breach Notification Assessment Tool  

CONTACT FOR INQUIRIES

Director, Human Resources and Corporate Services

APPROVED BY

Director, Human Resources and Corporate Services