Lights, camera, privacy!

New video surveillance technology present privacy issues for Australian retailers

Retailers have long used CCTV as a security measure to reduce shoplifting and employee theft. Today, with advances in technology and greater competition in the retail market, CCTV is used for promoting workplace safety, improving productivity and as a business intelligence tool. 

429444511 data security.jpg

Typically, surveillance systems comprise two elements – the physical in-store hardware and its link to a cloud solution, which enables data analytics, unlimited storage and remote monitoring through desktop and mobile apps.

This improved technology, increased use and broader adoption means that privacy issues are becoming obvious and more acute.

Australian private sector retailers broadly have to comply with three levels of regulation – State and territory surveillance legislation, State and territory workplace regulation, and the Privacy Act 1988 (Cth) (Privacy Act).

The State and territory laws can generally be complied with through providing appropriate notifications. Surveillance legislation prohibits a person from installing, maintaining or using CCTV cameras to monitor or record private activities without the express or implied consent of the parties to that activity. Consent can generally be implied from the fact that an individual stays in their premises even after seeing signs that state that CCTV cameras are in use.  Workplace legislation typically requires employees to be notified about what electronic surveillance is used in their workplace. 

By contrast, the requirements of the Australian Privacy Principles (APPs) under the Privacy Act, are more problematic.

For retailers, the Privacy Act and the APPs generally only apply to large retailers with a turnover of more than $3 million.

While the Privacy Act does not specifically deal with the use of CCTV cameras, the definition of ‘personal information’ is broad enough to include images and video recordings of individuals. This means a retailer does not need to know an individual’s name or details – it is enough that the individual is capable of being identified from the images or video recordings.

In practical terms, this means that recording CCTV footage involves the collection of significant amounts of personal information, and this triggers specific obligations under the Privacy Act around collection, use and disclosure of that information.

The most critical issues for retailers to consider in ensuring they are operating their CCTV solutions in compliance with the APPs are:

  • having a clear and current privacy policy that explains how you use CCTV cameras and what you do with the footage;
  • having in-store signs telling people about the CCTV cameras, perhaps even with information about your privacy policy and practices;
  • ensuring contracts with the surveillance software provider ensures compliance with the Privacy Act (including as to where the data is stored, the security in place and rights of access/updating); and
  • if you store recorded footage, ensure you take all reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and manage the lifecycle of information.

With the recent passing of mandatory data breach notification laws, these issues become even more important. A larger pool of personal information increases the risk of a data breach and certain breaches must be reported to the regulator and affected individuals. The financial and reputational issues for retailers who fail to comply are now greater than ever before. 

For further information about your obligations under the Privacy Act, visit or contact Alex Hutchens on 02 8241 5609 or


About the authors

Alex Hutchens, Partner, McCullough Robertson
Alex heads up McCullough Robertson’s Technology, Media and Telecommunications group. He is a leading lawyer in emerging areas such as cloud computing, M2M technology and provides specialist regulatory advice around privacy, data protection, and e-commerce.

Jeremy Perier, Lawyer, McCullough Robertson
Jeremy has extensive experience in providing advice to large corporations in relation to privacy, surveillance, data protection and information technology contracts.



Retail Voice CEO Message: 20 September 2023

Last week, the ARA convened our inaugural Retail Crime Symposium, bringing together representatives from the nation’s top major retailers face-to-face to address this pressing issue. Distinguished speakers at the symposium

The importance of R U OK? Day

September 14 is R U OK? Day in Australia, where millions of people around Australia will take the time to check in with family, friends and peers to ask if