Commercial CCTV Requirements in NZ: Compliance, Privacy & Best Practice

Introduction

Installing CCTV in your Auckland business seems straightforward—put cameras everywhere, monitor everything, protect your assets. But New Zealand’s Privacy Act and employment law create real legal requirements that many business owners don’t fully understand.

Install CCTV without proper compliance, and you could face:

• Privacy Commission investigations
• Employee lawsuits
• Regulatory fines
• Damaged business reputation
• Inadmissible evidence in criminal proceedings

At Garrison Alarms, we’ve worked with hundreds of Auckland businesses to design compliant systems. In this guide, we’ll walk through exactly what NZ law requires, where cameras can legally go, and how to protect your business while respecting privacy.

The Legal Framework

Key NZ Legislation

1. Privacy Act 2020

The primary law governing CCTV in NZ:

Core principle: Personal information collection must be:

• Necessary for business purposes
• Proportionate to the risks
• Transparent (employees and visitors must be informed)
• Properly secured and retained only as long as necessary

For CCTV: You can collect video footage IF:

• You have a legitimate business reason (security, asset protection, safety)
• You’ve informed employees and visitors that recording occurs
• You store footage securely
• You limit access to authorized personnel
• You have documented retention schedules

What you can’t do:

• Record in bathrooms, changing rooms, or private areas
• Record audio without explicit consent (extremely restricted)
• Retain footage longer than necessary
• Collect CCTV without informing stakeholders
• Use CCTV for employee surveillance (very restricted)

2. Health and Safety at Work Act 2015

Requires employers to:

• Maintain safe workplaces
• Consider CCTV as a safety tool (e.g., monitoring hazardous areas)
• Inform employees of monitoring
• Not use monitoring to intimidate or create unsafe conditions through surveillance stress

CCTV as safety tool: Legal if used appropriately CCTV as oppressive monitoring: Illegal and creates liability

3. Employment Relations Authority Act 2000

Governs employer-employee relationships:

• Employees have reasonable expectation of privacy
• Monitoring must have legitimate business purpose
• Excessive monitoring can constitute personal grievance (unlawful conduct claim)
• Covert monitoring is generally illegal

4. Crimes Act 1961 (Audio Recording)

Recording audio in private conversations:

• Illegal without consent of all parties
• “Private” includes office conversations, phone calls, break rooms
• Video without audio is legal; audio without video consent is illegal

Practical implication: Most commercial CCTV systems disable audio recording or operate video-only to avoid legal issues.

Privacy Act Compliance: The Key Principles

Principle 1: Legitimate Purpose

You need a documented business reason for CCTV:

Legitimate purposes:

• Security against theft/burglary
• Asset protection (stock, equipment, vehicles)
• Workplace safety monitoring (hazardous areas, emergency exits)
• Reception area monitoring (track visitors, identify unauthorized entry)
• Perimeter monitoring (deter criminal activity)

Questionable purposes:

• “Monitor what employees are doing all day” (vague, potentially oppressive)
• “Make employees work harder” (coercive, may create liability)
• “Catch employees doing wrong” (should be handled through management, not surveillance)

Best practice: Document specific security risks CCTV addresses (e.g., “Retail theft $50,000 annually; office break-ins targeting equipment”)

Principle 2: Transparency

Employees and visitors must know they’re being recorded:

Required notification:

• Visible signage: “CCTV in operation” or “24/7 monitoring”
• Information provided to employees in writing
• Employee handbook inclusion
• Staff training on monitoring policies
• Visitor signage at entry points

Best practice:

• Large, clear signage at building entry
• Statement in employment contracts
• Privacy notice in reception area
• Regular staff reminders

Principle 3: Proportionality

The surveillance level must match the actual risk:

Example 1: Retail shop

• Risk: Stock theft, robbery
• Appropriate: 6–8 cameras covering sales floor, entry, exits, storage
• Excessive: 20 cameras tracking every employee movement
• Inappropriate: Cameras in staff bathroom or break room

Example 2: Office building

• Risk: After-hours break-ins, equipment theft
• Appropriate: Perimeter cameras, entry points, reception
• Excessive: Cameras in hallways tracking employee movement
• Inappropriate: Cameras in bathrooms, private offices

Principle 4: Data Security

Footage must be protected as personal information:

Requirements:

• Secure storage (not accessible to random staff)
• Limited access (only authorized personnel)
• Encryption (if cloud storage used)
• Backup procedures (if data critical)
• Secure deletion (when retention period expires)

Best practice:

• NVR/DVR stored in locked, climate-controlled room
• Access restricted to manager + security personnel
• Cloud footage password-protected
• Automatic deletion after retention period

Principle 5: Retention Limits

You can’t keep footage indefinitely:

Typical retention periods:

• General security: 30–90 days (enough for incident investigation)
• Incident-specific: Keep only if incident documented
• Regulatory requirements: Longer if legally mandated (e.g., retail/hospitality)
• Maximum: Most legal advice suggests 12 months maximum

Never record “just in case”—retain only what’s necessary.

Where You CAN Install Commercial CCTV

Entry Points: Always Appropriate

Examples:

• Main building entrance
• Loading dock
• Back door/emergency exits
• Delivery area
• Parking lot entry

Why: Protects against external criminal activity, not employee surveillance

Best practice: Angle cameras to capture people approaching, not interior hallways immediately inside

Perimeter Areas: Generally Appropriate

Examples:

• Building exterior
• Fence lines and gates
• Parking areas
• Loading zones
• Roof access points

Why: Protects assets and deters criminal approach; not employee surveillance

Compliance note: Ensure perimeter cameras don’t inadvertently capture neighboring properties or public areas unnecessarily

Common Work Areas: Carefully Regulated

Examples:

• Retail sales floor
• Warehouse working area
• Reception desk
• Manufacturing floor

Can install: Yes, if:

• Necessary for specific security purpose (e.g., retail theft prevention)
• Employees informed
• Purpose documented
• Not used to intimidate or coerce

Cannot install: Video that:

• Specifically targets individual employees
• Attempts to monitor work pace/productivity
• Creates oppressive surveillance environment

High-Risk Areas: Generally Appropriate

Examples:

• Hazardous equipment areas (workplace safety)
• Chemical storage
• IT server rooms
• Cash handling areas
• High-value asset storage

Why: Legitimate safety and security purpose

Compliance: Still requires notification and appropriate access controls

Where You CANNOT Install Commercial CCTV

Private Areas: Absolutely Prohibited

Examples:

• Bathrooms and toilets
• Changing/locker rooms
• Shower facilities
• Private offices (with expectation of privacy)
• Medical/first aid rooms
• Staff break rooms (generally—some exceptions for security-critical break rooms)

Legal consequence: Criminal and civil liability; significant penalties

Audio Recording: Extremely Restricted

General rule: Audio recording without all parties’ consent is illegal

Exceptions:

• Recording your own phone conversations (with your consent)
• Recorded announcements (music, hold messages)
• Clear notice that meetings/calls are recorded

Practical application: Commercial CCTV should disable audio or use video-only to avoid legal issues

Employee Monitoring: Special Considerations

Legal Limits on Employee CCTV

Employment law restricts using CCTV to monitor employee performance:

Prohibited uses:

• “Making sure employees are working” (oppressive surveillance)
• Tracking bathroom/break room visits
• Monitoring productivity (time-based surveillance)
• Recording private conversations
• Creating intimidating workplace through constant monitoring

Legal uses:

• Security against theft or external break-ins
• Workplace safety in hazardous areas
• Reception/entry monitoring (legitimate security)
• Incident investigation (after-the-fact review for specific events)

The “Reasonable Expectation of Privacy” Test

NZ law recognizes employees have reasonable expectation of privacy even at work:

Employees CAN expect privacy:

• In bathrooms
• In private offices (if door closes)
• In break rooms
• During private conversations
• For personal information (health, financial, family matters)

Employees CANNOT expect privacy:

• In general work areas during work hours
• On company equipment/systems
• In areas where security monitoring is disclosed

Best Practice: Employee Engagement

Rather than covert monitoring:

1. Discuss plans with employees before installation
2. Explain security purpose (“Protect company assets, not monitor work pace”)
3. Include in employment contracts (“CCTV operates in common areas for security”)
4. Get consent where possible
5. Review policies with employees regularly

Advantage: Transparency reduces legal risk and builds employee trust

Retail-Specific CCTV Compliance

Retail Is Different

Retail businesses have specific compliance considerations:

Customers present: Can’t be monitored with same restrictions as employees Stock theft: Legitimate CCTV purpose Financial transactions: May need higher-quality cameras for evidence

Retail CCTV Best Practices

Entry/exit: Clear signage required Sales floor: Monitor stock areas; minimize employee-specific monitoring Change rooms/fitting areas: Prohibited—only entrance/exit monitoring Checkout: Can monitor transactions; inform customers Staff areas: Restricted; only for security purposes, not productivity Audio: Disable; video-only recommended

Retention for Retail

Retail often needs longer retention:

• Incident disputes: 30–90 days typical
• Holiday sales period: May need 4–5 months (peak theft season)
• Maximum recommended: 12 months

Hospitality & Venue-Specific CCTV Compliance

Bars, Restaurants, Hotels

Higher CCTV justification:

• Larger public areas
• Regular incidents (theft, violence, disputes)
• Cash handling
• Patron safety

Appropriate monitoring:

• Entry/exit
• Bar areas
• Dining areas
• Outdoor/patio areas
• Parking

Prohibited areas:

• Bathrooms
• Private rooms
• Patron bedrooms (hotels)
• Staff break areas

Venue-Specific Compliance

• Signage must be prominent and clear
• Include in terms & conditions if applicable
• Privacy notice at entry
• Staff must be informed
• Retention: Typically 30–90 days unless incident

Document Your CCTV Compliance

Required Documentation

Maintain a CCTV policy document including:

1. Purpose statement

• Why CCTV is necessary
• Specific security risks addressed
• Business justification

2. Scope

• Which areas are monitored
• Which areas are NOT monitored
• Specific camera locations

3. Notification plan

• How employees are informed
• How customers are informed
• Signage used

4. Access controls

• Who can access footage
• Approval required for access
• Audit trail for access

5. Retention schedule

• How long footage retained
• Deletion procedures
• Exceptions to retention (incidents, legal holds)

6. Data security

• How footage stored/protected
• Encryption if applicable
• Backup procedures

7. Incident procedures

• How incidents investigated
• Footage preservation
• Chain of custody
• Police coordination

Template Availability

Privacy Commission provides guidance; Garrison Alarms can help develop compliant policies

CCTV and Police/Legal Proceedings

Evidence Admissibility

CCTV footage is admissible as evidence IF:

• Chain of custody documented
• Storage security demonstrated
• No evidence of tampering
• Retention policy documented
• Installation/operation documented

Implication: Maintain detailed records of CCTV system operation, not just the footage itself

Police Requests

NZ Police can request footage:

• With warrant (for serious crimes)
• With your consent (for theft, vandalism, etc.)
• In emergency situations (active crime in progress)

Best practice:

• Have documented procedure for police requests
• Require written request/warrant
• Maintain chain of custody
• Keep access log of who accessed footage when

FAQ: Commercial CCTV Compliance

Can I record audio in my retail store to catch shoplifters?

Not legally. Audio recording in areas where customers expect privacy is problematic. Video-only is fully acceptable for theft prevention.

Do I need Privacy Commission approval for my CCTV system?

No. But the Privacy Commission expects businesses to self-regulate. If complaint filed, Commission can investigate. Compliance reduces investigation risk.

What if an employee doesn’t like the monitoring?

Provided monitoring is transparent, proportionate, and disclosed in employment contract, it’s generally legal. If employee claims oppressive monitoring, they may file personal grievance claim. Documentation of legitimate business purpose is your defense.

Can I use CCTV to monitor suspected employee theft?

Yes, IF you:

1. Don’t conduct covert monitoring Better approach: Direct investigation through HR/management rather than secret surveillance.
2. Have reasonable suspicion
3. Document the suspicion
4. Conduct monitoring transparently
5. Limit monitoring to relevant areas

How long must I keep footage if there’s a criminal complaint?

Once criminal complaint filed, retain footage indefinitely until case resolved (could be 1–3 years). Communicate with police about their retention requirements.

Can CCTV be networked to my phone for remote access?

Yes, technically. But ensure:

• Security of your personal phone
• Access is password-protected
• Access is logged
• Only appropriate personnel have access
• Footage is encrypted in transit

What if someone complains to the Privacy Commission?

Commission investigates. If they find non-compliance, they may:

• Potentially levy penalties (up to $3,000 for individuals; higher for organizations) Prevention through proper compliance is far easier than remediation.
• Issue compliance order
• Recommend remedial action

Do I need to inform customers that footage is cloud-backed up?

Yes. Any footage storage method must be disclosed. If using cloud, state “CCTV footage stored in cloud” on signage or privacy notice.

Can I share CCTV footage with my insurance company?

Yes, if necessary for claim. Inform employees/customers: “Footage may be shared with insurers and police for security purposes.”

Garrison Alarms’ Commercial Compliance Approach

When installing commercial CCTV, we help you:

1. Assess compliance requirements specific to your business type
2. Design system that meets security needs AND legal requirements
3. Create documentation (policy, signage, employee notifications)
4. Install professionally with proper security and access controls
5. Provide staff training on CCTV policies and procedures
6. Support incident response with proper chain of custody

Our approach: Security AND compliance—not one or the other.

Internal Linking Notes

Link to these related Garrison Alarms resources:

• “CCTV Installation Cost Auckland: Complete 2026 Pricing Guide” (system costs)
• “How Many CCTV Cameras Do I Need?” (system design)
• “Best CCTV Cameras for Homes in New Zealand 2026” (camera selection)
• “Home Security Checklist NZ” (residential version for comparison)
• “Access Control Systems Auckland: A Complete Guide for Homes & Businesses” (integrated security)

Summary

Commercial CCTV in New Zealand must comply with Privacy Act 2020, employment law, and health and safety regulations. Key requirements:

1. Legitimate purpose—document why CCTV is necessary
2. Transparency—employees and customers must be informed
3. Proportionality—monitoring level matches actual risk
4. Data security—footage protected as personal information
5. Retention limits—keep only as long as necessary

You CAN monitor entry points, perimeter areas, and common work areas. You CANNOT monitor bathrooms, private areas, or record audio without consent.

Proper documentation protects your business legally while ensuring legitimate security needs are met.

For compliant commercial CCTV systems, contact Garrison Alarms—0800-427747.

About Garrison Alarms

Since 1989, Garrison Alarms has installed compliant commercial CCTV and security systems for Auckland businesses. We specialize in systems that meet both security needs and legal requirements. Our COC-certified installers help design systems with proper documentation, signage, and employee procedures. We represent Hikvision, Bosch, DSC, Paradox, Micron, Risco, and Panasonic.

Last updated: February 2026