Australia’s privacy regulator is starting 2026 with a targeted compliance check of how businesses explain their information handling. That might sound like paperwork, but it has a practical edge for sites that record people as they enter, browse, or work. Treat the OAIC’s privacy sweep as a timely nudge to check whether your CCTV setup matches what you tell customers and staff, and what you actually do with the footage.
What the OAIC is sweeping and why it matters
The Office of the Australian Information Commissioner (OAIC) says it will review the privacy policies of around 60 businesses across several sectors where personal information is often collected in person. The focus is on transparency, including whether policies contain the information required by Australian Privacy Principle (APP) 1.4.
The OAIC has also pointed to enforcement options where privacy policies don’t meet the required standard, including infringement notices with penalties up to $66,000 for certain breaches.
What CCTV privacy compliance means in Australia
CCTV often captures faces, movements, timestamps, and context that can identify someone. When that happens, it can be personal information.
For organisations covered by the Privacy Act, the OAIC expects three basics: tell people before you record them, keep footage secure, and destroy or de-identify it when you no longer need it.
The expectation itself is simple. The hard part is proving you actually follow it across camera placement, system settings, access rights, and day-to-day habits.
Notice is more than a sign on the wall
A sign at the entrance is a good start, but it rarely answers the questions people reasonably have.
Under APP 5, organisations must take reasonable steps to notify people (or make sure they’re aware) of key collection details, including why the information is collected, usual disclosures, and whether overseas disclosure is likely.
Many businesses handle this with layered notice: a short sign plus a link or QR code to a longer explanation. Keep it readable.
If your notice says “security only” but footage is also used to review staff performance or customer disputes, the words and the practice are out of step.
Footage handling that stands up to scrutiny
Compliance gaps usually show up after installation, not during it. A few habits make the biggest difference:
- Access control: Decide who can view footage, when, and how access is recorded. Shared logins and “everyone can see everything” are common weak points.
- Retention: Set a timeframe that suits your risk profile and incident reporting, then automate deletion where you can. Keeping footage “just in case” invites avoidable risk.
- Secure storage: Check where footage is stored, who can export it, and whether remote viewing is locked down with strong authentication.
If you rely on a managed provider, ask what your CCTV service covers beyond the cameras themselves. The most useful support is often the unglamorous stuff: secure configuration, account management, and documentation that matches your real practices.
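One way to automate the retention habit above and keep evidence that deletion happens, shown as an added example rather than code from the OAIC or any CCTV vendor. It assumes footage is stored as ordinary files whose modification time is the recording time; the 30-day period, directory layout and log file name are hypothetical.

```python
import json
import os
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 30  # assumed value; use the period your own policy states


def _utc(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def purge_expired(footage_dir, audit_log, retention_days=RETENTION_DAYS,
                  now=None, dry_run=False):
    """Delete recordings older than the retention period and log each one."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    root, removed = Path(footage_dir), []
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks so a link cannot redirect a deletion.
        if path.is_symlink() or not path.is_file():
            continue
        mtime = path.stat().st_mtime  # assumption: mtime is the recording time
        if mtime >= cutoff:
            continue
        if not dry_run:
            path.unlink()
        removed.append({"file": path.relative_to(root).as_posix(),
                        "recorded": _utc(mtime), "deleted": _utc(now),
                        "retention_days": retention_days, "dry_run": dry_run})
    # Append-only JSON lines: the record that shows deletion actually happens.
    with open(audit_log, "a", encoding="utf-8") as log:
        for entry in removed:
            log.write(json.dumps(entry) + "\n")
    return removed


def demo():
    """Constructed sample: one 45-day-old clip and one 2-day-old clip."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        footage = Path(tmp, "footage", "cam1")
        footage.mkdir(parents=True)
        for name, age_days in (("old.mp4", 45), ("recent.mp4", 2)):
            clip = footage / name
            clip.write_bytes(b"constructed sample")
            os.utime(clip, (now - age_days * 86400,) * 2)
        log = Path(tmp, "deletions.jsonl")
        removed = purge_expired(Path(tmp, "footage"), log, now=now)
        kept = sorted(p.name for p in footage.iterdir())
        return [e["file"] for e in removed], kept, len(log.read_text().splitlines())
```

Run it with `dry_run=True` first to see what would be removed, and keep the audit log outside the footage directory so the purge never touches it.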

Workplace CCTV has extra moving parts
The Privacy Act doesn’t specifically regulate surveillance in the workplace in a neat, one-stop way. The OAIC notes that employers still need to follow relevant state and territory surveillance and workplace laws, which can differ across jurisdictions.
That’s where many businesses trip. They focus on customer-facing signage and forget staff notice, consultation expectations, or restrictions on certain locations. It’s also worth checking whether audio recording is enabled on any device, even accidentally, because separate rules can apply.
A quick self-audit you can do this week
You don’t need a full legal review to spot obvious issues. Walk through your premises and ask:
- Are signs visible before someone enters camera coverage?
- Does your privacy policy mention CCTV, the purpose, and how people can ask questions or request access?
- Do you know your retention period, and can you prove deletion happens?
- Can you list who has access today (including contractors) and how access is revoked?
- If footage is stored offshore or accessed by an overseas vendor, is that disclosed in your notice where practicable?
If any answer is vague, that’s the place to tighten up first.
Want a quick, practical check of your camera setup, notices and retention settings in light of the OAIC sweep? Smart WiFi can review your CCTV configuration and help you line up signage, access controls and footage handling.
Frequently Asked Questions:
1) Does the OAIC sweep mean my business is being investigated?
Not necessarily. The OAIC has said it is reviewing a set of selected businesses as part of its first compliance sweep, with attention on whether privacy policies meet APP 1.4 requirements. Even if you aren’t in the sweep, it signals closer scrutiny of privacy documentation and whether real practices match published statements.
2) Does CCTV footage count as personal information?
It can. If footage shows a person in a way that makes them identifiable, especially when combined with time, place, or other details, it may be personal information for Privacy Act purposes. The OAIC treats recorded images as something organisations must handle carefully, including keeping them secure and deleting them when no longer needed.
3) What should my CCTV signage and privacy wording include?
CCTV signage should notify individuals before recording begins, state the purpose of collection, and direct them to a full privacy notice. That notice must explain uses, usual disclosures, access to the privacy policy, and any overseas disclosures, including countries if practicable, ensuring compliance with APP 5 transparency requirements.
4) How long should we keep CCTV recordings?
There’s no single number that fits every site. The better approach is to choose a retention period based on your security needs and the time it usually takes for incidents to be reported, then delete footage when it’s no longer required. The OAIC says recorded personal information should be destroyed or de-identified when no longer needed.
5) Can someone request access to footage showing them?
Requests can come from customers, visitors, or staff. Privacy obligations around access depend on context and any applicable exceptions, and footage may include other individuals. What helps most is having a process: confirm identity, locate the relevant time window, assess third-party privacy impacts, and respond within a clear timeframe. Your APP 5 notice should also explain how people can contact you about their information.