Video retention: Does security trump privacy?
Jennifer BrownNews Data Security
In a busy urban hospital surveillance cameras capture the comings and goings of staff and the public. For the most part, human eyes won’t view much of the video captured. But when it’s needed, video can serve as the ultimate deciding witness.
“Our video has exonerated our security officers more times than it has shown them doing anything wrong,” says Paul Greenwood, Manager of Security and Safety at St. Michael’s Hospital in Toronto. “We’ve had blatant lies told against them and when we review the video we find nothing of the sort happened. It’s a nice feeling to know that video is there.”
St. Mike’s security department receives a lot of requests from individuals, lawyers and the police for video captured on the grounds of the facility which is located at Queen and Yonge Street. Due to the nature of the diverse clientele and neighbourhood it serves, there are typically two or three police cars at the hospital at any given time. If there is an allegation of abuse by police, or, if there is alleged abuse against police officers, the video is captured and stored in anticipation that it may be needed in the future.
“It’s not something formal we have in our retention policy now, but we do grab the video whether someone has a court order or not, just in case,” says Greenwood. “We had one incident where we dealt with an individual who had claimed he was injured by a security guard and escorted off our property. Luckily he came to us within our 31-day retention period so we were able to show him being spoken to and escorted out and there was no chance had been injured.”
The individual later admitted to other incidents where he had made similar claims against transit companies and taxis. His last words to Greenwood and his team was that he needed money.
“He made multiple calls to our claims department. That’s an ideal example of why we need to retain video. Slip and falls in the winter are a given and will happen in a building and we’re trying to protect against those. We also deal with mental health clients and others who don’t want to tell the truth. I’m all for keeping video for as long as we can,” says Greenwood.
At St. Joseph’s Health Centre in Toronto, any time an incident occurs the first step Noreen Jivraj takes is to advise her staff to capture the video in the event it is needed to help demonstrate the actual events.
“We specialize in mental health and have these types of allegations all the time. What I’ve told my security officers is they need to let me know whenever there’s a potential claim against them and we need to keep the video. This is what we do to try and protect ourselves,” says Jivraj, Manager of Emergency Planning and Security Services at St. Joseph’s.
So how long is long enough when it comes to retaining video surveillance footage at a hospital? What about the Ontario Privacy Commissioner’s guideline issued in 2007 that suggests retaining video for between 48 and 72 hours? Most security managers say that period is too short. So should privacy trump the need to retain video longer to protect a facility in the event of a lawsuit?
These are questions managers of security at four large Toronto hospitals have been debating with themselves and their legal and privacy teams since the Ontario Privacy Commissioner issued the guideline back in 2007.
“For me, this started in 2008 when the privacy office of the hospital contacted me to let me know my CCTV policy had to comply with the guideline issued by the privacy commissioner,” says Andrew Aris, Manager of Security Services at the Centre for Addiction Services and Mental Health (CAMH) in Toronto. “Do we need to comply with the guideline?”
Aris revised his policy to meet most of the issues in the guideline document but had some concerns about some of the items in the document — the main one being that the recommended retention period of 48 hours to 72 hours be the maximum for retention unless the information is specific to an incident or on-going investigation.
“I went to our privacy office and said I just don’t feel comfortable doing that,” says Aris.
“The industry standard is 30 days. I feel we are putting the hospital at risk if we only keep it for the 72-hour period. If an incident happens on the Friday of a long weekend the images are gone by Tuesday of the following week.”
Aris consulted with the hospital’s lawyers but they were inclined to agree with the guideline, and suggested 14 days should be the policy. Aris still felt it wasn’t long enough. So he started to reach out to his colleagues in other hospitals to see how they were handling the retention policy.
“We looked at an average of when request for video came in and it was typically at the four-to-five day period. Requests were generally coming in to request to view video in that time frame. If we went with a 72-hour policy then this information would be lost and we wouldn’t be able to provide the information,” he says.
What struck Aris was that while most organizations were looking to increase the amount of video being stored, the hospital wanted to reduce theirs. Cost wasn’t a factor; rather it was a concern that retaining video any longer would be a violation of a privacy guideline. His policy is still under review and has been in the works since last June.
But some experts question whether the guideline should be the primary factor. Shouldn’t protection of a facility against a lawsuit be the lead determination?
Aris wasn’t alone in his quest to nail down a video retention policy that covered a longer time period. Paul Greenwood at St. Michael’s Hospital was making phone calls outside the health care industry and was surprised by how many companies and educational institutions didn’t have a policy in place that addressed retention time as well as issues such as who can watch video surveillance and how access is gained.
“I was surprised at how many institutions that document everything else to death don’t have something around video,” says Greenwood. “We started from scratch and used the exact same guideline as Andrew referenced but used it only as a guideline and used things only that made sense for St. Mike’s.”
University Health Network in Toronto is also working on its retention policy.
“They have pretty much left that scope open,” says Todd Milne, Manager of Security for UHN which includes Toronto Western, Toronto General and Princess Margaret Hospitals. “Our legal team hasn’t pushed us to any one direction. Our policy is pretty much complete and we are looking at 31 days retention.”
For Noreen Jivraj of St Joseph’s hospital, it’s still early days.
“We’re currently moving to an IP-based solution and currently our analogue system is only capable of retaining a certain amount. I’m in the process of creating a policy and mine would be based on best practices. I’m waiting to see what everyone else is doing and what is best for us,” she says.
Greenwood’s retention policy is still under review a year-and-a-half after he first started the discussion with the hospital’s lawyers and privacy office, but he hopes to stick with a 31-day retention policy for non-incident related recording and two years for incident-related recordings. St. Mike’s shares some similarities with the CAMH property in that it has a large mental health clientele.
“We knew the guideline of 72 hours was not going to work,” says Greenwood. “We have mental health patients who will say something happened to them a month after an incident. We’ve also had cases where it’s two or three months after the fact.”
The other challenge Greenwood, Aris and his peers have is that hospital personnel often think video footage is kept indefinitely. Education of hospital staff on issues related to video surveillance is badly needed, he says.
“We’ve had cases where they are surprised that we don’t have the video going back three or six months. If there’s no incident it gets written over after 31 days,” says Greenwood.
Milne has had similar experiences at UHN where the policy currently is to retain images recorded on storage devices for no less than a period of 10 days, at which time they are automatically recorded over if there have been no reports of possible law enforcement or public safety incidents.
“I prefer 10 days because not all of my recording devices have capacity for longer than that. Some are 60 or 21 days depending on motion,” says Milne.
Images are not accessed for viewing unless an incident has been reported or to investigate a potential crime. If personal information recorded on storage devices is to be used for law enforcement or public safety purposes, the images are copied and retained for two years.
“Right now we’ll get calls from the legal department saying: ‘We had a slip and fall incident that happened two years ago. Do you have the video footage? And no, we don’t, unless it’s from a known incident.”
Greenwood would like to have a policy that allows him to retain video from more high-risk areas for a longer time.
“We’re going in the opposite route some privacy people would like us to go in that we’re trying to increase our storage in key areas where we have problems, like our emergency department and mental health areas,” he says. “I’m sure lots of lawyers who like to litigate against us know if you want to launch a lawsuit after us do it 60 days in or later because they know we don’t have the video anymore,” says Greenwood.
Legal expert Elliott Goldstein who writes the column CCTV & The Law in Canadian Security magazine, says security officials should look at the privacy commissioner’s guideline as just that — a guideline and not the law.
“I think the recommendation is there as a guideline to prevent the abuse of using the recordings to embarrass, humiliate or ridicule people. As long as the video is secure and others can’t access it to put it on YouTube. Do what’s best for your organization,” he says.
What’s really important he and others suggest is that security departments have strict guidelines for disclosure and use of video information when requested by both outside parties and in-house personnel.
“I don’t think retention should be the issue; I think disclosure and use should be the focus. Having that video sit there on your system — whether it’s 72 hours or 72 days, doesn’t make a difference unless it’s accessed. It’s about when you first view the image — that’s when the clock should start ticking,” says Goldstein.
Improved storage technology is also making it less costly for large organizations to increase the quantity of video they are storing, says George Tomlinson, president of Protocol Computers in Brampton, Ont. The company has designed storage systems for the likes of the Art Gallery of Ontario, Queens University and Queen Elizabeth II Health Science Centre in Halifax, N.S. Some of the systems Tomlinson has worked on have up to 1,500 cameras. Many of his clients are moving to a year or more of storage.
“We do a lot of work with a large pharmaceutical company and they retain 365 days of footage,” says Tomlinson. “We just finished a project late last year at a large government data centre and they’re retaining video for two years plus an additional year of taped back up.”
“What we usually see is the client wants to retain the video for as long as possible — a minimum of 30 days. But we have run into problems where the client wants to retain video for 90 days and then cost becomes a problem. At the Queen Elizabeth II they wanted to maintain the video for 45 days, however they were required to use a platform specified by their IT department that was going to cost them $10,000 a terabyte. It was a fairly small system of 65 cameras and they had to go with a retention period of 15 days of storage,” he says.
The reality is whether it’s an altercation with a guard or a slip and fall claim made well after the fact, hospitals should protect themselves the best they can with a solid video retention policy.
“I had two clients that received claims past the threshold of 90 days almost simultaneously. That struck a chord with me — why would a lawyer wait past 90 days to write a statement of claim against someone?” says Paul Carson of ASG Security in Markham, Ont. “They may be very busy lawyers it becomes a risk management issue and we have to let our clients know that there is risk based on the guidelines we have from the privacy commissioner.”
Carson says that from his past experiences working with financial institutions and government facilities the retention guideline is not being observed by other industries.
“Financial institutions are looking at 90 days retention. Governments are getting savvy about slip and falls and theft because they can be in the millions of dollars,” he says.
“The privacy laws are designed to protect individuals not organizations and that’s the problem,” says Goldstein. “I would advise people to take a common sense approach and not worry about privacy as long as you can prove you did not use or disclose it in a way that is improper.”
Print this page