Security Camera Laws In Australia: What Businesses Must Know

Installing security cameras can help reduce theft, protect your team and customers, and provide useful evidence when incidents occur. But in Australia, how you install, use and manage CCTV is governed by several laws – including state and territory surveillance device laws, workplace monitoring rules, and privacy obligations.

If you’re considering CCTV for your business (or reviewing what you already have), this guide breaks down the essentials in plain English so you can stay compliant and confident.

Are Security Cameras Legal For Businesses In Australia?

Yes, security cameras are generally legal for businesses across Australia. The key is how you use them. Your obligations come from a mix of federal and state/territory laws. Broadly, most businesses can install CCTV to protect people and property, provided you:

• Use cameras for a legitimate business purpose (safety, security, loss prevention) and in a way that’s reasonable and proportionate.
• Avoid filming in places where people reasonably expect privacy (for example, bathrooms and change rooms).
• Give clear notice that surveillance is happening (typically signage at entry points and in monitored areas).
• Handle footage responsibly – secure it, restrict access, and only keep it for as long as you genuinely need it.

It’s also useful to understand the broader framework of CCTV laws in Australia and how those rules apply in different states and territories.

If cameras will capture staff at work, extra rules can apply. Some jurisdictions have dedicated workplace surveillance laws (for example, NSW and the ACT) that set out notice requirements and limits. For a closer look at those obligations, see our explainer on cameras in the workplace.

Where Can You Place Cameras (And Where Is Off‑Limits)?

Location is one of the most important decisions you’ll make. The law draws a line around spaces where privacy is expected, and you should design your system around those boundaries.

Generally Appropriate Locations

• Public-facing areas of your premises, such as shop floors, reception areas, building entrances and exits, and car parks.
• Back-of-house areas used for safety and loss prevention (for example, loading docks or stock rooms), as long as staff have been properly notified.
• Perimeter and access points to record who is entering or leaving your site.

Areas To Avoid (Or Treat With Extreme Caution)

• Bathrooms, showers and change rooms (these are typically off-limits).
• Spaces where a person reasonably expects privacy, such as prayer rooms or first aid rooms.
• Private offices or meeting rooms if audio or sensitive conversations could be captured, unless you have a clear lawful basis and meet any notice/consent requirements.

What about staff break rooms? There isn’t a blanket nationwide “ban”, but these areas can raise privacy and workplace relations concerns. In some jurisdictions, monitoring staff in non-public areas requires specific written notice and may be restricted to defined purposes. If you believe you have a genuine security need, get tailored advice before you proceed and make sure you satisfy any local requirements.

What About Audio Recording?

Audio is far more restricted than video, and rules differ between states and territories.

In some jurisdictions, recording a “private conversation” without consent may be unlawful unless a specific exception applies. Elsewhere, one-party consent may be enough, but the definition of a private conversation and available exceptions still matter a lot.

Because these rules vary, the safest approach is to disable microphones unless you have a clear legal basis and a robust consent process. If you are considering audio capture (for example, body‑worn cameras or devices with built‑in mics), review the recording laws in Australia and get advice for your state or territory before switching audio on.

Do You Need Consent, Signage Or Written Notice?

“Consent” and “notice” mean different things depending on context – customers in a public‑facing area, employees in back‑of‑house spaces, or audio capture all raise different requirements.

Customers and Visitors (Video Only)

• Clear signage is typically sufficient notice when you’re operating video‑only CCTV in public‑facing areas of your premises.
• Place signs at entry points and in monitored zones, and state the purpose (for example, “CCTV in operation for safety and security”).
• Avoid pointing cameras outside your property boundary where possible; capturing neighbouring premises or private homes can raise privacy and nuisance concerns.

Employees and Contractors

Some states and territories (for example, NSW and the ACT) have specific workplace surveillance laws that require written notice to employees before surveillance starts, mandate signage in certain circumstances, and limit where and how workplace monitoring can occur.

Even where a dedicated workplace surveillance law doesn’t apply, it’s best practice to give staff clear written notice and set out expectations in a documented policy. Many businesses cover this in a broader workplace policy or staff handbook during onboarding.

• Explain what areas are monitored (and confirm that private areas are not recorded).
• State your purpose (security, safety, loss prevention) and who can access footage.
• Outline how long footage is kept and how staff can request access to footage that involves them, where appropriate.

Audio, Phone Calls and “All‑Party Consent”

Audio recording often requires specific consent depending on your location and the circumstances. Don’t assume that “all‑party consent” applies everywhere, or that “one‑party consent” always makes it lawful. It turns on whether the conversation is “private”, the device used, and the relevant state/territory law.

If you record customer calls for training or quality, separate rules apply to call recording. Make sure your phone system announcements and processes align with business call recording laws.

Privacy Notices and Policies

When your cameras capture people who can be reasonably identified, that footage will often be “personal information”. If the Privacy Act 1988 (Cth) applies to your business (for example, you have an annual turnover of $3 million or more, or you fall into certain small‑business categories such as health services or trading in personal information), you’ll need to meet the Australian Privacy Principles.

In practice, it’s smart risk management for most businesses to explain CCTV practices in their Privacy Policy, including what you collect, why you collect it, how long you keep it and who you may disclose it to.

How Should You Handle, Store And Share CCTV Footage?

Footage isn’t just “security footage” – it’s data. If it can identify a person, handle it like any other personal information and build practical controls around it.

Security and Retention

• Secure storage: Use encryption where available, restrict access to a strict need‑to‑know basis, and keep your systems patched.
• Retention limits: Set a clear retention period based on your legitimate business needs (for example, a defined number of days unless a specific incident requires longer retention).
• Access logs: Record who accessed footage, when and why.
• Vendors and cloud: If a third party installs, monitors or stores your footage, include strong confidentiality, security and breach‑notification clauses in your contract.

Your retention approach should align with your broader information governance. A quick refresher on data retention laws can help you set sensible timeframes and deletion processes.

Access Requests From Individuals

People may request access to footage that includes them. How you handle this will depend on whether the Privacy Act applies and whether disclosing the footage would impact the privacy of others or an ongoing investigation.

Common options include providing a copy, arranging a view‑only session, or refusing with reasons where lawful (for example, if disclosure would unreasonably affect someone else’s privacy). Build a simple process and train staff so requests are handled consistently.

Requests From Police or Regulators

Law enforcement requests need a lawful basis. You can disclose footage where required by law (for example, under a warrant, subpoena or statutory notice) and, in some cases, where permitted by law for the purposes of reporting or assisting an investigation.

Don’t hand over footage “just because it was asked for”. Confirm the requester’s authority, check the scope of the request, and keep a record of what you provide and when. If in doubt, seek legal advice before disclosing.

Practical Setup Tips And Common Pitfalls

Good compliance is mostly about good design and habits. A few practical steps go a long way.

Design Your System Thoughtfully

• Map your premises: Plan camera locations and fields of view to avoid private spaces and minimise capture outside your property boundary.
• Disable unnecessary features: Many systems enable audio, analytics or remote access by default. Turn off functions you don’t need and document your configuration.
• Standardise signage: Use clear, consistent signage at entry points and in monitored areas. Walk your premises like a customer to check visibility.
• Adopt least‑privilege access: Limit who can view live feeds or retrieve footage, and log all access.

Train Your Team

• Provide short, practical training on when cameras can be used, how to respond to footage requests, and what to do if something goes wrong.
• Include surveillance disclosure as part of onboarding, supported by a written policy that staff acknowledge.

Set Up The Right Documents

• Privacy Policy: Explain how you collect, use, disclose and secure personal information, including CCTV footage. Publishing a current Privacy Policy and making it available on request builds trust.
• Workplace Surveillance/Technology Policy: Document where monitoring occurs, why, retention periods and access rules. This can form part of your broader workplace policy framework.
• Data Breach Response Plan: Outline your steps if footage is accessed without authorisation or lost, including escalation and notification processes.
• Vendor Contracts: If you use security or cloud providers, ensure confidentiality, security controls and breach notification obligations are clearly set out.
• Call Recording Scripts: If you also record calls, align your announcements and processes with call recording laws.

Avoid These Common Mistakes

• No signage or weak signage: This is one of the easiest issues to fix – ensure signs are visible and consistent.
• Audio recording without a legal basis: Treat audio as high‑risk. Confirm the rules in your state or territory before enabling microphones.
• Keeping footage “just in case”: Long, undefined retention periods increase risk. Set a reasonable timeframe and implement auto‑deletion.
• Monitoring staff without proper notice: In some jurisdictions, written notice is mandatory. Build notice into your onboarding and policy processes.
• Publishing images without consent: If you post footage or photos that feature customers or staff, be mindful of image rights. If in doubt, consult your process for consent and review the basics of photography consent laws.

Industry Scenarios (Extra Tips)

While the core rules are the same, different settings raise different practical issues:

• Retail and hospitality: Focus on entrances, points of sale and public areas; avoid angles that capture private spaces. If you monitor staff‑only areas (for example, stock rooms), ensure clear staff notice and internal policy coverage.
• Gyms and studios: Never record bathrooms or change rooms. Use prominent signage in member areas, and if classes are filmed, have a simple consent process.
• Clinics and professional offices: Entrances and reception are usually fine; avoid audio in consultation spaces. Health services should treat footage as highly sensitive and limit access/retention accordingly.
• Body‑worn cameras, dashcams and mobile devices: Audio and “private conversation” issues are common here. Set clear rules on when these devices can be used and the notice staff must give.

For a broader overview you can also refer to our guide to recording laws in Australia to understand how audio and image capture intersect in real‑world workflows.

Key Takeaways

• Security cameras are lawful in Australia when used reasonably for legitimate business purposes, with clear notice and respect for private spaces.
• Rules differ between states and territories, especially for audio and workplace monitoring, so don’t assume the same consent rules apply everywhere.
• Give customers and staff clear notice; in some jurisdictions, employees must receive written notice before workplace surveillance begins.
• Treat footage as personal information: secure it, restrict access, set retention limits and document a simple access‑request process.
• Only disclose footage to police or regulators where required or permitted by law, and keep records of the basis and scope of any disclosure.
• Support day‑to‑day compliance with clear signage, staff training, internal policies and a current Privacy Policy; use contracts to lock in vendor security obligations.

If you’d like a consultation on setting up security cameras lawfully for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.