Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business uses CCTV, a vague sign on the wall is not enough. Many New Zealand businesses install cameras for security, then make the same mistakes: they record more than they need to, fail to tell people clearly what is happening, or keep footage for too long without a clear reason. Others copy a generic privacy policy that says almost nothing about surveillance in practice.
The problem is that CCTV collects personal information, and that brings your business into Privacy Act territory. Customers, staff, contractors and visitors may all be affected. If your cameras cover entrances, counters, stockrooms, shared work areas or outdoor areas, your policy needs to match what your business is actually doing.
This guide explains what a CCTV privacy policy should cover in New Zealand, when you need one, the practical steps to take before you spend money on setup, and the common traps that catch founders and SME owners.
Overview
A CCTV privacy policy should tell people, in plain language, that your business uses surveillance, why you use it, what areas are covered, who can access footage, how long it is kept, and how someone can request access or raise a concern. In New Zealand, that policy should line up with the Privacy Act 2020 and the way your cameras actually operate day to day.
A good policy is only one part of the job. Your signs, internal procedures, staff training and storage settings all need to match.
- State why CCTV is being used, such as site security, staff safety, loss prevention or incident investigation.
- Describe the locations or types of areas monitored.
- Explain what personal information is collected, including images, video, date and time stamps, and whether audio is captured.
- Set out who can view, use and disclose footage.
- Say how long footage is retained and when it is deleted.
- Explain how people can request access to footage that relates to them.
- Address how footage is stored and protected from misuse.
- Make sure signs and notices at the premises match the policy.
- Review whether camera placement is proportionate and reasonably necessary.
- Cover staff-facing issues if workers are monitored in the workplace.
What CCTV Privacy Policies Mean For New Zealand Businesses
CCTV is not just a security purchase; it is a privacy issue that needs active management. If your business records identifiable people, you should treat that footage as personal information and document how you collect, use and protect it.
Under the Privacy Act 2020, New Zealand businesses generally need a lawful and fair reason to collect personal information. They should also be open about the collection, avoid collecting more than necessary, keep information secure, and not hold it longer than needed for the purpose it was collected.
That matters for CCTV because cameras can be easy to install and easy to forget. A founder might put cameras in place after a theft, then months later discover they are filming a neighbouring entrance, a staff break area, or a public footpath more than intended. This is where businesses often get caught. The camera setup expands beyond the original purpose, but the paperwork and internal rules never catch up.
Why a written CCTV privacy policy matters
A written policy helps your business show that it has thought through why surveillance is necessary and how it will be managed. It also gives staff a clear internal reference point, which matters when someone asks for footage or complains about a camera angle.
For many SMEs, the real value is consistency. Without a policy, one manager may share footage too freely, another may refuse an access request without checking, and another may leave recordings stored indefinitely.
What the policy should actually say
Your CCTV privacy policy should be specific to your premises and operations. A short but clear policy is far better than a long generic document that does not reflect reality.
Most businesses should include:
- The name of the business collecting the footage.
- The purpose of surveillance.
- The sites, rooms, entrances or operational areas under CCTV.
- Whether cameras record continuously or only at certain times.
- Whether audio is captured. If it is, this needs careful review because audio recording is more intrusive.
- Who can access footage internally, such as an owner, operations manager or security lead.
- When footage may be shared externally, such as with Police, insurers, legal advisers or service providers.
- The retention period and the reason for that period.
- The security measures used to protect recordings.
- How an individual can request access to footage of themselves or seek correction where relevant.
- Who to contact about privacy concerns.
Signs are not the same thing as a policy
A sign at the door helps with transparency, but it does not replace a policy. Signage should give a clear heads-up that CCTV is in use and identify the business operating the cameras. Your full policy does the deeper work by explaining the purpose, handling rules and access process.
Think of it this way: the sign tells people they are being recorded, the policy tells them what that means.
Workplace monitoring needs extra care
If you have cameras in a workplace, staff privacy should be considered separately from customer-facing surveillance. Employers may have legitimate reasons to monitor entrances, tills, stock areas or health and safety risks. But covert or excessive monitoring can create serious issues, especially if employees were never told what was happening.
Your CCTV policy should line up with employment contracts and internal workplace policies. If cameras could be used in disciplinary investigations, that should not come as a surprise to staff. Before you sign off on installation, check that the camera placement and purpose make sense for your workplace, not just for general security.
When This Issue Comes Up
The need for a CCTV privacy policy usually appears at the exact moment a business is focused on something else, such as a break-in, a new lease, a shop fit-out or a staff incident. That is why it helps to deal with privacy settings before you spend money on setup.
When opening a new site
Many retail, hospitality, warehouse, childcare, health, fitness and office-based businesses include CCTV in a new premises fit-out. If cameras are part of your opening plan, privacy should be part of the setup checklist alongside commercial leases, supplier contracts, insurance and health and safety processes.
This is the best time to decide:
- What exact problem the cameras are solving.
- Which areas need coverage and which do not.
- Who in the business will control access.
- What signage is needed at entrances and monitored areas.
- How long recordings will be stored.
After a theft, complaint or safety incident
Businesses often install cameras quickly after something goes wrong. That response is understandable, but urgency can lead to poor decisions. A rushed installation might cover more space than needed, record staff continuously without a clear rationale, or rely on a cloud platform with weak access controls.
When CCTV is added after an incident, pause long enough to document the purpose and operating rules. If not, the system may solve one problem while creating a privacy one.
When staff are being monitored
The issue becomes more sensitive when surveillance is aimed at internal conduct, performance concerns or suspected misconduct. Cameras should not become a substitute for proper management processes. They also should not be installed in places where privacy expectations are higher, such as bathrooms, changing rooms or other clearly private spaces.
If your business is considering monitoring in staff areas, this is where founders should take particular care before rollout. The question is not only whether surveillance is useful, but whether it is proportionate and properly disclosed.
When a customer asks for footage
A privacy policy matters the moment someone asks to see footage of themselves. This might happen after a slip, a lost item, an altercation, or a complaint about service. If your business has no process, staff can panic and either hand over too much or refuse without proper grounds.
A clear policy should support a practical procedure for handling requests, verifying identity, reviewing whether other people appear in the footage, and deciding whether editing or withholding is needed.
When using third party providers
Many CCTV systems are now hosted, monitored or maintained by external technology providers. If your footage sits on a cloud platform, your business still needs to know where the data is stored, who can access it, and what contractual protections apply.
This is especially relevant before you sign a service agreement with an installer or software provider. The supplier agreement should match your privacy promises.
Practical Steps And Common Mistakes
The safest approach is to build your CCTV policy around how your business actually uses surveillance, then make sure the hardware, staff practices and documents all match. Most privacy problems come from the gap between what a business says and what it does.
1. Define the purpose before installation
Start with the business reason. You may need CCTV for after-hours security, customer and staff safety, asset protection, or investigating incidents. Write the purpose down in clear language.
If your reason is too broad, your collection may become excessive. “General monitoring” is weak. “Monitoring entrance points, till areas and stock exits for security incidents and loss prevention” is much clearer.
2. Limit camera coverage to what is reasonably needed
Camera placement should reflect the stated purpose. If your concern is theft at the front counter, that does not justify filming a staff lunch area. If your concern is access control, you may not need wide-angle coverage of public space well beyond your boundary.
Review camera placement for:
- Private or sensitive areas that should never be filmed.
- Areas where staff may reasonably expect more privacy.
- Neighbouring businesses, homes or public areas captured unintentionally.
- Zoom, tilt or motion settings that collect more than you intended.
3. Use clear signage and layered notice
People should know they are entering a monitored area before or at the point footage is collected. Entrance signage is usually the starting point. The notice should be easy to spot and easy to understand.
Good signage commonly includes:
- A statement that CCTV is in operation.
- The business name.
- A short purpose statement, such as security or safety.
- Contact details or a reference to where further privacy information can be obtained.
Your written policy can then provide the fuller explanation.
4. Set a realistic retention period
Do not keep footage forever just because storage is cheap. Retention should be tied to the reason for collection. Some businesses only need a short period unless footage is required for an active investigation, insurance issue or safety review.
The right period depends on your operations, risks and incident patterns. What matters is that you can explain why you keep recordings for that long and that deletion happens in practice, not just on paper, ideally as part of a data retention policy.
5. Control access tightly
Only authorised people should be able to view, download or share footage. Access logs, passwords, role-based permissions and internal approval steps all help reduce misuse.
This is where small businesses can slip. Everyone knows the shared password, footage is checked casually on a phone app, and clips are sent around without a record. That creates unnecessary risk and can undermine trust with staff and customers.
6. Plan for access requests and complaints
Your business should have a simple process for handling privacy requests. A person may ask whether you hold footage of them and, if so, request access. You may need to confirm identity, locate the relevant time period, review whether others are visible, and decide how access can be given appropriately.
You should also have a contact point for complaints about surveillance. If no one owns the process, issues tend to bounce between managers and get worse.
7. Align your policy with employment documents and internal procedures
If employees are affected, your workplace documents should not contradict your CCTV policy. Staff should understand where cameras are located, the reasons for monitoring, and who can use footage internally. This should sit consistently with onboarding materials, workplace policies and disciplinary processes.
If your business has contractors, franchise-style arrangements, shared premises or multiple managers, consistency matters even more.
8. Check your technology and supplier contracts
Your privacy obligations do not disappear because a third party hosts the platform. Before you sign, understand how the system works and what your provider can access.
Check matters such as:
- Whether footage is stored in New Zealand or overseas.
- What security features are available.
- Who owns the data.
- Whether the provider can access footage for maintenance or support.
- How footage is deleted on termination.
- What happens if there is a data breach or service outage.
Common mistakes businesses make
The most common legal and operational mistakes are surprisingly ordinary. They usually come from assumptions, not bad intent.
- Installing cameras first and writing a policy later.
- Using generic signage that does not identify the business or purpose.
- Recording audio without careful thought.
- Keeping footage indefinitely.
- Allowing too many staff to access clips.
- Using footage for a new purpose that was never explained.
- Failing to account for employee monitoring issues.
- Ignoring the privacy impact of cloud storage and vendor access.
- Not having a clear process for access requests.
If any of those sound familiar, the fix is usually practical. Update the policy, review your settings, tighten access, and make sure your notices and internal processes are accurate.
FAQs
Do all New Zealand businesses with CCTV need a privacy policy?
If your cameras collect identifiable images of people, having a clear CCTV privacy policy is strongly recommended and, in practice, often necessary to meet transparency and privacy obligations. The policy should reflect your actual use of surveillance.
Can my business record audio as well as video?
It can be much harder to justify audio recording because it is more intrusive. If your system captures sound, review that feature carefully and make sure your notices and policy clearly explain it.
How long can CCTV footage be kept?
There is no single retention period that suits every business. You should keep footage only for as long as reasonably necessary for the purpose you collected it, then delete it securely.
Can an employee or customer ask to see CCTV footage of themselves?
Often, yes. Requests need to be assessed properly because footage may also show other people or raise other privacy issues. Your business should have a process for reviewing and responding to these requests.
Is a sign at the entrance enough?
No. Signage is important, but it is only part of the picture. Your business should also have a written policy and internal procedures covering access, retention, security and complaint handling.
Key Takeaways
- CCTV footage usually counts as personal information, so New Zealand privacy rules can apply to how your business collects, stores, uses and shares it.
- A proper CCTV privacy policy should explain the purpose of surveillance, what areas are monitored, who can access footage, how long it is kept, and how people can make requests or complaints.
- Signage helps with transparency, but it does not replace a written policy or clear internal procedures.
- Workplace monitoring needs extra care, especially where employees may be affected by camera use or footage may be used in investigations.
- Most business risks come from over-collection, poor camera placement, weak access controls, and keeping footage longer than necessary.
- Supplier contracts, cloud storage arrangements and internal workplace documents should all line up with your CCTV policy before you sign and before you rely on the system.
If your business is dealing with CCTV privacy policies and wants help with privacy policies, workplace monitoring rules, supplier contracts or data handling procedures, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.







