CCTV in Medical Practices and Clinics: a Practical GDPR Guide for Front Desk and Administrative Staff

Łukasz Bonczol
Published: 5/3/2026
Updated: 5/19/2026

Visual data anonymization is the practice of preparing photos and video recordings so that people visible in the frame cannot be identified without disproportionate effort. In the day-to-day reality of a medical clinic, this usually means face blurring and, in some cases, license plate blurring if the footage shows a car park or drop-off area. For reception teams and administrative staff, this is not just a technical issue. It is part of the daily workflow around CCTV in the waiting room, at the front desk, and sometimes near consulting room entrances.

In a healthcare facility, CCTV footage will very often contain personal data. A patient’s face, the face of a companion, or a staff member’s face will usually make identification possible. That is why publishing a photo or sharing a recording requires a separate assessment of the purpose, scope, and safeguards for the material in line with GDPR principles [1]. This operational approach matters more than the general statement that CCTV exists “for safety”.

CCTV in a clinic and GDPR: what is allowed in the waiting room, at reception, and near the consulting room entrance

The most common setup in clinics follows a familiar pattern. A camera covers the entrance, waiting area, corridor, or reception desk. This type of CCTV is often justified by patient safety, property protection, or the need to investigate an incident. However, the fact that CCTV is lawful as an organisational tool does not mean the footage can then be freely shown to others or published.

In practice, it helps to separate three situations. First, the ongoing recording of footage for security purposes. Second, reviewing the recording after an incident. Third, providing the footage to a patient, the police, a legal representative, or publishing part of it. Each of these steps requires its own assessment of data minimisation and privacy risk [1][2].

In a waiting room, the risk is usually high because a single frame may include many people. At reception, the issue becomes even more practical, because the camera may capture faces, patient behaviour, and the workstation itself. Around consulting rooms, extra caution is needed because the context alone may reveal information about a person’s health or the type of care they are receiving. That is why many organisations take a precautionary approach: if footage is going to leave the closed internal incident-handling process, the faces of anyone other than the authorised recipient should be blurred.

How to label CCTV in a healthcare facility

CCTV signage should not be limited to a camera icon alone. A common compliance approach is to provide a short notice at the entrance and a fuller privacy notice that is easy for patients to access, for example at reception or on the clinic’s website. From an operational perspective, front desk staff should be able to answer at least four questions: who the controller is, what the purpose of CCTV is, which areas are covered by cameras, and how long recordings are retained [1].

In a medical setting, signage also has practical value. A patient who knows that the waiting room is monitored is less likely to be surprised that footage exists, and staff will find it easier to handle a later access request. That still does not remove the obligation to limit the camera’s field of view. If a reception camera captures more than necessary, a notice sign alone will not solve the problem of excessive collection.

When faces must be anonymized in photos and recordings

As a rule, a person’s image in a clinic requires protection. In practice, the need to anonymize faces before publication or wider disclosure may arise both under GDPR and under rules protecting personal rights and image rights under civil law and copyright law. Copyright law provides certain exceptions to the requirement to obtain consent for dissemination of a person’s image, including where the image concerns a well-known person captured in connection with public functions, where the person received agreed payment for posing, or where the image is merely a detail of a larger whole such as a gathering, landscape, or public event.

In the context of a clinic, those exceptions usually have limited relevance. A patient in a waiting room is not part of a public event. A person at reception is generally not acting as a public figure performing a public function. Payment for the use of a person’s image is also rare. For that reason, in materials originating from a healthcare facility, the safer organisational assumption is that a face visible in a photo or recording should be blurred before publication unless there is a strong legal basis for disclosure.

If the goal is to provide footage to a patient after an incident, clinics often apply a selective disclosure rule. In practice, this means preparing a copy in which the faces of other people visible in the frame are blurred, so that the requesting person does not receive more data than necessary [1][2].

License plates outside a clinic: do they need to be blurred?

In Poland, license plate blurring remains less clear-cut than face blurring. On the one hand, a precautionary approach is often supported by data protection authority practice and EU case law, especially where a registration number can easily be linked to a specific person. On the other hand, some Polish court decisions have suggested that a registration plate does not always constitute personal data in itself. Still, it would be too categorical to assume that license plates are never personal data.

For clinics, the practical conclusion is simple. If external footage is going to be shared further or published, it is worth considering blurring license plates, especially where the material can be linked to a visit to a specific healthcare facility. In that context, the identification risk increases.

How to handle a patient request for CCTV footage

Reception staff do not need a complex legal theory, but they do need a procedure. In most cases, a five-step model works well:

  • establish the date, time, and location of the incident,
  • confirm whether the footage still exists within the retention period,
  • assess whether other people are visible in the material,
  • prepare a working copy with the faces of those people anonymized,
  • document what was disclosed and to whom.

This approach supports the data minimisation principle under Article 5 GDPR [1].

It is also important to distinguish between “access to data” and an expectation that a patient will receive the raw, unedited file. In a healthcare facility, that will often be inappropriate because the footage also includes other patients and staff. As a result, a common practice is to provide a version limited to what is necessary or to allow supervised viewing if that better protects the rights of others. The appropriate model depends on the circumstances of the specific case [1][2].

Face blurring and on-premise software in clinic workflows

If a clinic regularly handles CCTV recordings, preparing every file manually quickly becomes an organisational burden. This is where tools for visual data anonymization become useful. Gallio PRO is on-premise software used for anonymizing visual data, which is important for organisations that want to process footage locally without sending it to external cloud services.

That said, the capabilities of such a tool need to be described precisely. Gallio PRO does not blur entire bodies; it blurs only faces and license plates. The software does not perform real-time anonymization and does not anonymize a live video stream. Automatic detection covers faces and license plates only. It does not automatically detect company logos, tattoos, name badges, documents, or content displayed on monitor screens. Those elements can be blurred manually in the editor built into the software.

This matters for both administrative managers and front desk teams. If a camera at reception captures a computer screen or an employee ID badge, automation alone will not be enough. A simple manual review step is still needed before the footage is disclosed further. You can try the demo to see how this workflow works in practice when preparing a copy of footage from a waiting room or reception area.

No logs with detection data: why it matters

In a healthcare facility, it matters not only what gets blurred, but also what data remains after the anonymization process itself. According to the available guidance, Gallio PRO does not collect logs containing face or license plate detection data. It also does not collect logs containing personal data or special category data.

From a compliance perspective, this is a valuable organisational feature. It reduces the number of additional artefacts that would otherwise need to be protected, documented, and deleted later. Of course, that does not remove the need for the clinic to assess the process as a whole, but it does support the principle of limiting data to what is necessary [1]. In larger deployments, especially where integration with local infrastructure or specific security requirements is needed, it is worth getting in touch to discuss the right on-premise deployment model.

Table: what to do with recordings in typical clinic areas

| Location | Typical risk | Is publication usually allowed? | Anonymization practice |
|---|---|---|---|
| Waiting room | Many faces in one frame, possible disclosure that someone is using medical services | Usually only in exceptional cases and after assessing the purpose | Face blurring for everyone visible in the material |
| Reception | Faces of patients and staff, possible view of the workstation or screen | High risk; publication is usually inadvisable without careful editing | Face blurring, plus manual masking of screens, badges, or documents if visible |
| Consulting room entrance | The context may reveal information about treatment or medical specialty | Requires particular caution | Face blurring and limiting the frame to the minimum necessary |
| Car park or drop-off area | Faces and vehicles, possible visible license plates | Possible only after assessing purpose and risk | Face blurring and often license plate blurring as a precautionary measure |

Most common mistakes in healthcare facilities

The first mistake is treating every CCTV recording as “internal” material that can later be easily shared further. The second is an overly wide camera angle at reception. The third is having no procedure for patient requests. The fourth is assuming that if one person’s face is blurred, the rest of the frame no longer matters. In reality, the material may still contain other visual identifiers that require manual editing. The fifth mistake is confusing an anonymization tool with a live system. It is worth repeating: Gallio PRO does not perform real-time anonymization and does not anonymize a live video stream.

What to implement as a standard operating procedure

For front desk and administrative staff, a simple standard works best. CCTV footage should be assessed before every disclosure. If the recording contains third parties, a working copy with face blurring should be prepared. If license plates are visible, the clinic should consider license plate blurring as a precautionary measure. If the frame contains identifiers not detected automatically, manual editing should be applied. The whole process should be described in a short procedure that is also clear to staff without legal training.

FAQ - CCTV in medical practices and clinics

Can a clinic have CCTV in the waiting room?

As a rule, yes, provided it has a defined purpose and meets its information obligations. However, the mere existence of CCTV does not mean recordings can be published freely. Any further use of the material requires a separate GDPR compliance assessment [1].

Can a patient request a copy of reception footage?

A patient may submit a request relating to their personal data, but the clinic will usually need to take into account the rights of other people visible in the footage. In practice, this often means providing a version with other people’s faces anonymized or offering another form of limited access [1][2].

Do faces need to be blurred in waiting room footage?

In most cases, yes, if the footage is to be shared further or published. In a healthcare facility, a patient’s face will very often allow identification and therefore requires protection [1].

Do license plates need to be blurred outside a clinic?

In Poland, the answer is not entirely clear-cut. However, a precautionary approach is often justified, especially where the footage can be linked to a visit to a healthcare facility. At the same time, it cannot be assumed that license plates never constitute personal data.

Does Gallio PRO blur a person’s entire image?

No. Gallio PRO automatically blurs only faces and license plates. It does not blur entire body silhouettes.

Does Gallio PRO automatically detect documents, tattoos, and monitor screens?

No. Automatic detection covers faces and license plates only. Documents, tattoos, logos, name badges, and content on monitor screens require manual blurring in the editor.

Does the software store logs containing detection data?

No. According to the provided guidance, Gallio PRO does not collect logs containing face or license plate detection data, and it does not collect logs containing personal data or special category data.

References list

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
  2. European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices.
  3. Polish Personal Data Protection Office (UODO), materials and guidance on video surveillance and information obligations.