Lights, camera, privacy!

New video surveillance technology present privacy issues for Australian retailers

Retailers have long used CCTV as a security measure to reduce shoplifting and employee theft. Today, with advances in technology and greater competition in the retail market, CCTV is used for promoting workplace safety, improving productivity and as a business intelligence tool. 

429444511 data security.jpg

Typically, surveillance systems comprise two elements – the physical in-store hardware and its link to a cloud solution, which enables data analytics, unlimited storage and remote monitoring through desktop and mobile apps.

This improved technology, increased use and broader adoption means that privacy issues are becoming obvious and more acute.

Australian private sector retailers broadly have to comply with three levels of regulation – State and territory surveillance legislation, State and territory workplace regulation, and the Privacy Act 1988 (Cth) (Privacy Act).

The State and territory laws can generally be complied with through providing appropriate notifications. Surveillance legislation prohibits a person from installing, maintaining or using CCTV cameras to monitor or record private activities without the express or implied consent of the parties to that activity. Consent can generally be implied from the fact that an individual stays in their premises even after seeing signs that state that CCTV cameras are in use.  Workplace legislation typically requires employees to be notified about what electronic surveillance is used in their workplace. 

By contrast, the requirements of the Australian Privacy Principles (APPs) under the Privacy Act, are more problematic.

For retailers, the Privacy Act and the APPs generally only apply to large retailers with a turnover of more than $3 million.

While the Privacy Act does not specifically deal with the use of CCTV cameras, the definition of ‘personal information’ is broad enough to include images and video recordings of individuals. This means a retailer does not need to know an individual’s name or details – it is enough that the individual is capable of being identified from the images or video recordings.

In practical terms, this means that recording CCTV footage involves the collection of significant amounts of personal information, and this triggers specific obligations under the Privacy Act around collection, use and disclosure of that information.

The most critical issues for retailers to consider in ensuring they are operating their CCTV solutions in compliance with the APPs are:

  • having a clear and current privacy policy that explains how you use CCTV cameras and what you do with the footage;
  • having in-store signs telling people about the CCTV cameras, perhaps even with information about your privacy policy and practices;
  • ensuring contracts with the surveillance software provider ensures compliance with the Privacy Act (including as to where the data is stored, the security in place and rights of access/updating); and
  • if you store recorded footage, ensure you take all reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and manage the lifecycle of information.

With the recent passing of mandatory data breach notification laws, these issues become even more important. A larger pool of personal information increases the risk of a data breach and certain breaches must be reported to the regulator and affected individuals. The financial and reputational issues for retailers who fail to comply are now greater than ever before. 

For further information about your obligations under the Privacy Act, visit or contact Alex Hutchens on 02 8241 5609 or


About the authors

Alex Hutchens, Partner, McCullough Robertson
Alex heads up McCullough Robertson’s Technology, Media and Telecommunications group. He is a leading lawyer in emerging areas such as cloud computing, M2M technology and provides specialist regulatory advice around privacy, data protection, and e-commerce.

Jeremy Perier, Lawyer, McCullough Robertson
Jeremy has extensive experience in providing advice to large corporations in relation to privacy, surveillance, data protection and information technology contracts.



MST Marquee – The impact of migration on retail

Retail businesses setting budgets and forecasting are understandably finding it difficult to navigate the uncertain economic conditions. Our research can help educate retailers about industry profitability benchmarks, wage growth and inventory levels, so that businesses can better prepare for the future.

Now more than ever

If business, and retail especially, must reflect the zeitgeist in order to remain relevant, then in this unique inflection point in history, the rights of Indigenous people must be incorporated

Retail Voice CEO Message: 8 May 2024

Achieving a unified voice for retail has been a compelling focus for our industry for many years. It is in the spirit of this endeavour that we are delighted to

Retail Voice CEO Message: 1 May 2024

Yesterday, the Australian Bureau of Statistics released retail trade data for March, with a modest increase of just 0.8% compared to the same month last year, despite being bolstered by