CCTV Laws In Australia: Privacy, Regulations, And Compliance

Installing CCTV can help deter theft, support safety, and give you peace of mind. But once you point a camera at customers, employees or visitors, you’re handling personal information subject to strict Australian laws.

The good news? With the right setup, signage and policies, most businesses can use CCTV lawfully and responsibly.

In this guide, we’ll walk through the key rules for CCTV in Australia, how workplace surveillance works, your privacy obligations when storing footage, and practical steps to stay compliant from day one.

What Are The CCTV Laws In Australia?

There’s no single “CCTV law” that applies nationwide. Instead, a few legal frameworks work together:

• State and territory surveillance laws regulate how you can record people (especially audio) and when notice or consent is required.
• Workplace surveillance laws (in some states/territories) set rules for monitoring staff, including CCTV in offices, warehouses and retail floors.
• Federal privacy law (the Privacy Act 1988 (Cth)) governs how eligible businesses collect, store, use, and disclose personal information, which can include identifiable video footage.
• Other rules (like strata bylaws, tenancy agreements and local council conditions) can set additional, site-specific requirements.

As a starting point, most businesses can lawfully install CCTV to protect people and property, provided you’re transparent about it and avoid “private” areas like bathrooms and change rooms.

It’s also important to understand the difference between video and audio. Audio recording is usually much more restricted and, in many cases, unlawful without consent. If your cameras have built-in microphones, consider disabling audio by default. For a broader view of the legal landscape, have a look at recording laws in Australia and how they apply to businesses.

CCTV In The Workplace: Notice, Consent And Employee Rights

Using CCTV at work is common, but the rules tighten when employees are involved. Across Australia, you generally need to tell staff that surveillance is happening, where cameras are located, and why you’re using them.

Some jurisdictions go further. For example, New South Wales’ Workplace Surveillance Act requires employers to provide prior written notice and visible signage, and restricts covert surveillance except in very limited circumstances. Other states rely on their Surveillance Devices Acts and general employment law principles to guide what’s reasonable.

Practical tips for compliance include:

• Give clear, written notice to staff before surveillance starts (and when it changes).
• Use conspicuous signage at entrances and in monitored areas.
• Limit cameras to areas where there’s a legitimate business purpose (like stock rooms, entry points and shop floors).
• Avoid private spaces (bathrooms, change rooms, prayer rooms) and be cautious around break areas.
• Set rules on who can view footage and when (e.g. for security incidents or investigations).

If you also monitor business calls or have devices that capture sound, remember that audio is highly regulated. Before enabling mics or recording calls, check your obligations around cameras in the workplace and consider whether you need separate consent and processes under business call recording laws.

Privacy Act And Data Protection: Using CCTV Footage Lawfully

Even if your cameras are installed correctly under surveillance laws, your obligations don’t end there. CCTV footage that can identify a person is personal information. If your business is covered by the Privacy Act (for example, certain health providers, many franchises, and most companies with annual turnover of $3 million or more), you need to meet the Australian Privacy Principles (APPs).

In plain English, that means you should:

• Collect footage only when it’s reasonably necessary for your functions (e.g. safety and security) and in a lawful, fair and transparent way.
• Tell people about the collection through signage and your privacy notices.
• Securely store footage, restrict access, and delete it when you no longer need it.
• Only use or disclose footage for the reason you collected it (or a directly related purpose the person would reasonably expect), unless an exception applies (e.g. law enforcement request).
• Be prepared to handle access or correction requests in line with the APPs.

Having a clear, up-to-date Privacy Policy that covers CCTV is a practical way to show you’re collecting and handling footage transparently. It should explain why you capture video, how long you retain it, who you share it with (such as a cloud vendor or security company), and how someone can contact you with questions.

Security matters too. If your CCTV system is compromised and footage is accessed or leaked, it may trigger obligations under the Notifiable Data Breaches scheme. It’s wise to implement a Data Breach Response Plan so your team knows what to do if something goes wrong.

Where You Can Install Cameras (And Where You Can’t)

The law focuses on reasonableness and privacy expectations. As a rule of thumb, cameras can be used in areas where people would reasonably expect to be observed, and avoided in places where privacy is expected.

Typical “Okay” Areas (With Notice)

• Entrances, exits and reception areas.
• Retail floors and public-facing counters.
• Warehouses, loading docks and stock rooms.
• Car parks and building exteriors (be mindful of neighbouring properties).

Areas To Avoid

• Bathrooms and showers.
• Change rooms and locker rooms.
• Prayer rooms and first aid rooms.
• Any area where a person would reasonably expect privacy (context matters).

What about staff rooms and kitchens? Many businesses do monitor general staff areas to protect property or manage safety risks, but you should justify the need, keep coverage as unobtrusive as possible, and make sure your workplace notices are crystal clear.

Finally, be considerate about where cameras point. Don’t inadvertently capture neighbouring premises, private homes or sensitive sites if you can avoid it. Adjust fields of view and masking settings to reduce over-collection.

Managing Footage: Storage, Access And Sharing

Installing cameras is only half the story. Day-to-day compliance turns on how you manage the footage.

Retention And Deletion

• Keep footage only as long as you need it for your stated purpose (e.g. 30-90 days for incident review, unless it’s needed for an investigation or legal claim).
• Automatically purge old footage on a rolling basis, with exceptions documented for active matters.

Security And Access Controls

• Restrict access to authorised personnel only and log access or downloads.
• Use strong passwords, multi-factor authentication and encryption (at rest and in transit) where available.
• Define when footage can be reviewed (e.g. suspected incident, safety concern, lawful request).
• Establish vendor due diligence if your system uses cloud storage or a third-party monitoring service.

For many organisations, an internal Information Security Policy is a practical way to bring these controls to life and train staff on their responsibilities.

Disclosing Footage

• Only share footage in line with your Privacy Policy and stated purpose (e.g. providing an incident clip to police on request).
• If someone requests a copy of footage that includes other people, consider blurring faces or providing a still image where appropriate.
• Avoid posting footage online; it can breach privacy and damage trust, even if well-intentioned.

Working With Vendors

If a security company or cloud platform processes your footage, check the contract terms. Ensure they will only use the footage to provide your service, keep it secure, and delete it when you ask. A tailored Data Processing Agreement (sometimes called a data handling addendum) helps lock in those obligations.

What Legal Documents Should You Have?

The right paperwork will make your CCTV program clear and defensible if it’s ever questioned. Consider the following documents and policies:

• Privacy Policy: Explains why you collect CCTV footage, how you store it, who you share it with, and how someone can contact you; a well-drafted Privacy Policy is essential if you collect personal information.
• Workplace Surveillance/Monitoring Policy: Sets expectations for staff, clarifies where cameras are used, and explains when footage may be reviewed; this can sit within a broader Workplace Policy suite.
• Employee Privacy Guidance: Helps employees understand how their data (including CCTV) is handled; an Employee Privacy Handbook is a practical way to educate teams.
• Information Security Policy: Outlines access controls, storage, retention and deletion for systems holding CCTV footage; see the Information Security Policy above.
• Data Breach Response Plan: Sets a clear process for containing and reporting incidents if footage is accessed improperly; a structured Data Breach Response Plan reduces confusion under pressure.
• Third-Party Data Processing Terms: If you use a security contractor or cloud provider, a Data Processing Agreement helps manage privacy and security obligations.
• Consent Processes (If Needed): Some activities (like recording audio or creating marketing content from footage) require express consent; align your forms with Australia’s photography consent laws if you plan to publish identifiable images or video for promotional purposes.

Not every business needs every document on day one, but having the right core set-tailored to your operations-will keep your CCTV program compliant and proportionate to your risk.

Key Takeaways

• CCTV is lawful in Australia when used transparently and for a legitimate purpose-focus on signage, notice and avoiding private areas.
• Workplace surveillance carries extra obligations: tell staff in writing, place clear signs, and limit monitoring to what is reasonable for safety and security.
• Video that identifies a person is personal information; if the Privacy Act applies to your business, you’ll need clear notices, secure storage, limited use, and timely deletion.
• Audio recording is far more restricted-disable mics unless you have a solid, lawful basis and the right consents in place.
• Strong internal controls matter: access logs, retention schedules, and vendor agreements help you manage footage responsibly.
• Core paperwork-such as a Privacy Policy, workplace surveillance rules, an Information Security Policy and a Data Breach Response Plan-keeps your CCTV program aligned with the law.

If you’d like help setting up compliant CCTV, policies and privacy processes for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.