What "privacy by design" actually means
Privacy by design is widely cited and widely misunderstood. Many organisations treat it as a compliance checkbox: "We encrypted the data, so we have privacy by design." Encryption protects data you already hold; it says nothing about whether you should be holding it at all. That is not what GDPR Article 25 requires.
Article 25 (headed "Data protection by design and by default") requires the controller to implement "appropriate technical and organisational measures" to ensure that, by default, only the personal data necessary for each specific purpose is processed. That obligation applies to the amount of data collected, the extent of the processing, the period of storage, and who can access it.
In plain language: before you collect any data, ask whether you actually need it. If you can achieve your objective with less data, or with anonymous data instead of personal data, you are legally required to do so.
This is not aspirational guidance. It is a binding obligation. The ICO, the BfDI, the CNIL, and other supervisory authorities across Europe can and do assess whether organisations have genuinely embedded privacy by design into their systems and processes.
Applied to elderly monitoring: what data do you actually need?
When a care provider decides to monitor a client or resident, the underlying objective is almost always one of these:
- Detect falls quickly to reduce time on the floor and improve outcomes
- Identify changes in daily activity patterns that may indicate health decline
- Confirm the person is moving around their home (proof of life/wellness)
- Alert carers to emergencies (prolonged inactivity, leaving the home at unusual hours)
None of these objectives require knowing what the person looks like, what they are wearing, what they are saying, or what their facial expression is. None require video. None require audio.
Put simply: you need to know IF someone fell, not WHAT they look like when they fell.
The data hierarchy
Think of monitoring data on a hierarchy from most intrusive to least intrusive:
- Video with audio -- captures identity, appearance, speech, behaviour (highest intrusion)
- Video without audio -- captures identity and appearance
- Location tracking -- captures movement patterns linked to a specific individual
- Biometric wearable data -- captures health metrics linked to a specific individual
- Named motion data -- captures movement patterns linked to a room but associated with a named individual
- Anonymous motion and presence data -- captures movement patterns with no link to any individual (lowest intrusion)
Privacy by design means starting at the bottom of this hierarchy and only moving up if the lower level genuinely cannot meet your safety objective, and documenting why. For fall detection and activity monitoring, anonymous motion data is normally sufficient. Where radar achieves the same safety result, collecting video is very hard to justify under the data minimisation principle: you would be processing far more personal data than the purpose needs.
Radar vs cameras: data minimisation in practice
Comparing radar-based monitoring to camera monitoring makes data minimisation concrete.
| Aspect | Camera system | Radar system (e.g., 60GHz) |
|---|---|---|
| Data collected | Identifiable video (faces, bodies, behaviour) | Anonymous motion patterns, presence, fall events |
| Personal data? | Yes, always | Not on its own; becomes personal data if events are stored against a named resident |
| Detects falls? | Only if someone watches the feed or video analytics are added | Yes, automatically with alerts |
| Covers bedrooms/bathrooms? | Rarely justifiable: surveillance of private spaces is treated as exceptional and highly intrusive | Yes, no imagery is captured |
| Data storage requirement | Typically 10–15 GB per camera per day, depending on resolution and bitrate | Kilobytes of event data per day |
| Subject access request risk | High: must locate, review and redact footage | Low: only event records, if any are linked to the resident |
| Data breach severity | High: leaked footage of vulnerable adults | Low: leaked events reveal at most that a fall or inactivity occurred in a given room |
| DPIA complexity | High: extensive risk assessment required | Low: minimal data protection risk |
From a data minimisation standpoint, radar monitoring achieves comparable or better safety outcomes (automatic fall detection, round-the-clock coverage including bathrooms) while collecting far less data, none of which can reproduce a person's image, voice or behaviour. Keep the event records themselves minimal and you stay at the bottom of the hierarchy. This is what regulators mean by privacy by design.
How regulators evaluate monitoring systems
When the ICO, CQC, or an EU supervisory authority reviews a care provider's monitoring arrangements, they typically assess:
Necessity
Is monitoring genuinely necessary for the stated purpose? A care home that installs CCTV "just in case" without a documented safety rationale is on weak ground. Monitoring should be a response to an identified risk, not a default position.
Proportionality
Is the monitoring proportionate to the risk? If the concern is undetected falls, a system that detects falls using anonymous motion data is proportionate. A camera system that records continuous identifiable video to detect falls is disproportionate because it collects vastly more data than the objective requires.
Alternatives considered
Did the provider evaluate less intrusive alternatives? This is increasingly important. A DPIA that does not document consideration of non-camera options may be found deficient. Regulators expect care providers to demonstrate that they chose the least intrusive technology capable of meeting their safety needs.
Resident impact
What is the actual impact on residents' rights and dignity? This goes beyond data protection into care quality. The CQC assesses whether monitoring respects residents' dignity and autonomy, which falls under the "Caring" and "Responsive" key questions in its assessment framework.
Ongoing review
Is the monitoring arrangement reviewed periodically? Regulators expect care providers to reassess whether monitoring is still necessary, proportionate, and using the least intrusive means available. Technology evolves; what was the best available option three years ago may no longer be.
Benefits beyond compliance
Choosing a privacy-first monitoring approach does more than satisfy regulators. There are practical operational benefits too.
Resident acceptance
Whether a monitoring system actually works depends heavily on whether the person being monitored accepts it. Research from the University of Sheffield's School of Nursing found that elderly people overwhelmingly reject camera monitoring in their private spaces but accept passive, non-camera systems at rates above 90%. A system that residents resist is a system that gets switched off.
Family trust
Families choosing a care provider increasingly ask about monitoring. Being able to say "we use privacy-first monitoring that works in every room without cameras" is a genuine advantage. It shows you take both safety and dignity seriously.
Staff relations
Staff working under constant camera surveillance report lower job satisfaction and higher turnover. In a sector already struggling with recruitment and retention, removing cameras while maintaining monitoring through non-identifiable means can improve the working environment without compromising safety.
Lower data breach risk
If your monitoring system does not collect personal data, a breach involving monitoring data is close to a non-event: there is no footage to leak and nothing that could expose a resident's image or voice. Check that this actually holds for your deployment. If the alerting system stores fall events against named residents, those records are still personal data and a leak still has to be assessed, although the potential harm is far lower than leaked footage. For care providers who have experienced the operational disruption of a data breach, this alone justifies the switch.
Reduced operational overhead
You do not need to store footage, fulfil video SARs, perform redaction, or enforce retention schedules for video data. The operational savings from moving away from camera-based monitoring add up, particularly for organisations managing multiple sites.
Making the shift
For care providers currently using cameras, the transition to privacy-first monitoring does not have to be immediate or total. A practical approach:
- Start with the highest-risk gap. Cameras cannot reasonably cover bedrooms and bathrooms, which are among the rooms where falls are most common. Deploy radar-based sensors in these rooms first. You are not replacing cameras; you are filling a coverage gap.
- Evaluate outcomes. Compare fall detection rates, false-alarm rates and response times between camera-monitored areas and radar-monitored areas. In most cases, the radar system outperforms cameras because it detects falls automatically rather than relying on someone watching a feed; track false alarms too, because a system that fires too often gets ignored.
- Extend to communal areas. Once you have evidence that radar monitoring is effective, you can begin replacing cameras in common areas, reducing your GDPR compliance burden with each camera removed.
- Document the transition. Update your DPIA to reflect the reduced privacy risk. This strengthens your compliance position and demonstrates to regulators that you are actively improving your data protection practices.
The regulatory direction across the UK and EU is clear: privacy-first monitoring is becoming the expected standard. Care providers who move now will be in a stronger position than those forced to change after an enforcement action.
What to read next
- GDPR-Compliant Elderly Monitoring: A Care Provider's Guide -- the full compliance framework
- Why Cameras Are Becoming a Liability in Residential Care -- the problems with camera monitoring in detail