Legislation current as at 2 May 2026. Check legislation.govt.nz for any amendments.

CCTV in NZ Workplaces: Your Compliance Guide (Privacy Act 2020 & ERA)

If you operate CCTV in a New Zealand workplace, you must comply with the Privacy Act 2020 and the Employment Relations Act 2000 (ERA). This guide explains exactly what is permitted, what you must tell employees, and how to handle footage. It is written in plain English for NZ business owners, HR managers, and staff.

Key rule: You must notify employees and visitors that CCTV is in use before they enter the monitored area. This is a legal requirement under IPP 3 of the Privacy Act 2020.

1. What the Privacy Act 2020 says about workplace CCTV

The Privacy Act 2020 sets out 13 Information Privacy Principles (IPPs). The most relevant for CCTV are:

IPP 1 – Purpose: Only collect personal information (video footage) for a lawful purpose connected with your business. Common purposes: security, safety, theft prevention, monitoring of hazardous areas.
IPP 3 – Collection from the individual: You must take reasonable steps to make employees and visitors aware that CCTV is operating, why, and who will see the footage. This is usually done via signs.
IPP 4 – Manner of collection: Collection must not be intrusive or unfair. Hidden cameras are almost never lawful in workplaces except in very limited circumstances (e.g., specific criminal investigation with police approval).
IPP 5 – Storage and security: Footage must be stored securely, access restricted, and retained only as long as necessary.
IPP 6 – Access: Employees have the right to request footage of themselves (subject to some exceptions).

Warning: Covert (hidden) CCTV in NZ workplaces is almost always a breach of the Privacy Act. The Privacy Commissioner has stated that hidden cameras are only justified in exceptional circumstances, such as a genuine and documented suspicion of serious criminal activity, and only after considering less intrusive options. Even then, legal advice is essential.

2. Employment Relations Act 2000 – notification and good faith

The ERA requires employers to act in good faith. Installing CCTV without consulting employees or their representatives can breach this duty. The Employment Court has held that failure to notify and consult about CCTV can make subsequent disciplinary action based on footage unfair.

You must consult with employees (or their union) before installing or expanding CCTV.
You must notify in writing what areas are monitored, why, and how footage will be used.
Monitoring of break rooms, toilets, or changing rooms is almost always unlawful and a serious breach of privacy and good faith.

Key rule: Always consult employees before installing CCTV. Document the consultation. Provide a written policy that explains the purpose, locations, retention period, and access rights. This protects you if you ever need to use footage for disciplinary purposes.

3. What is permitted? – Acceptable uses of workplace CCTV

You may use CCTV in NZ workplaces for the following purposes, provided you have notified and consulted:

Security of premises and assets – e.g., entrances, car parks, storage areas.
Health and safety monitoring – e.g., hazardous machinery areas, warehouse traffic.
Theft or fraud prevention – e.g., cash handling areas, stock rooms.
Monitoring of public-facing areas – e.g., retail floors, reception (but not private conversations).

Not permitted: Monitoring employee performance or behaviour in non-public areas (e.g., desks, offices) unless there is a specific, documented reason (e.g., safety risk) and you have consulted. Continuous performance monitoring via CCTV is likely a breach of privacy and good faith.

4. Signage requirements

Signs must be:

Clearly visible at every entrance to a monitored area.
Legible and in plain English (consider other languages if relevant).
Include: “CCTV in use”, the purpose (e.g., “for security and safety”), and contact details of the person responsible (e.g., “Contact the HR manager for more information”).

Key rule: Signs must be in place before anyone enters the monitored zone. A small sticker on a door is not enough – use A4 or larger signs at eye level.

5. Data retention – how long can you keep footage?

The Privacy Act 2020 (IPP 9) says you must not keep personal information longer than necessary. For workplace CCTV:

General rule: 30–90 days is standard, unless an incident has occurred.
If an incident occurs: Retain footage until the matter is resolved (e.g., investigation, police involvement, disciplinary process). Then delete.
Do not keep footage indefinitely “just in case”. Set an automatic deletion schedule.

Document your retention policy in your CCTV policy and ensure your system enforces it.

6. Employee access to footage

Under IPP 6 of the Privacy Act, an employee can request access to footage that contains their personal information. You must respond within 20 working days.

You may withhold footage if it would involve unwarranted disclosure of another person’s affairs (e.g., other employees in the frame). In that case, you can blur or redact others.
You may also withhold if disclosure would prejudice the maintenance of the law (e.g., a police investigation).
If you refuse access, you must give reasons and inform the employee of their right to complain to the Privacy Commissioner.

Warning: Do not destroy footage once an employee has requested it. Doing so can result in a complaint to the Privacy Commissioner and a finding of interference with privacy, which can lead to damages of up to $10,000.

7. Practical steps for compliance

Conduct a privacy impact assessment before installing or expanding CCTV.
Consult employees and their representatives. Document the consultation.
Create a written CCTV policy covering purpose, locations, retention, access, and complaints process.
Install clear signs at all entrances to monitored areas.
Set automatic deletion (e.g., 30 days) unless an incident is recorded.
Restrict access to footage to authorised personnel only (e.g., HR manager, security manager).
Respond to access requests within 20 working days.

For a full template CCTV policy and employee notification letter, visit the ShiftScript portal.

Need a compliant CCTV policy fast?

ShiftScript’s portal includes ready-to-use templates for NZ workplace CCTV policies, employee consultation letters, and signage guides – all updated for the Privacy Act 2020 and ERA. Access the portal now.

Frequently asked questions

Do I need to tell employees about CCTV in the workplace?

Yes. Under IPP 3 of the Privacy Act 2020, you must take reasonable steps to notify employees and visitors that CCTV is operating, why, and who will see the footage. This is usually done via signs at entrances and a written policy. Failure to notify can make any footage inadmissible in disciplinary proceedings.

Can I use hidden cameras in my NZ workplace?

Almost never. Covert surveillance is a serious breach of the Privacy Act unless there is a genuine, documented suspicion of serious criminal activity (e.g., theft or fraud) and you have considered less intrusive options. Even then, you should seek legal advice and, if possible, involve the police. Hidden cameras in toilets, changing rooms, or break rooms are always unlawful.

How long can I keep CCTV footage?

Only as long as necessary for the purpose it was collected. For general security, 30–90 days is standard. If an incident occurs, keep the footage until the matter is resolved, then delete. Set an automatic deletion schedule in your system. Indefinite retention is a breach of IPP 9 of the Privacy Act.

Can an employee request to see CCTV footage of themselves?

Yes. Under IPP 6 of the Privacy Act, an employee can request access to footage that contains their personal information. You must respond within 20 working days. You may blur or redact other people in the footage to protect their privacy. If you refuse, you must give reasons and inform them of their right to complain to the Privacy Commissioner.

Can I use CCTV to monitor employee performance?

Generally no. Continuous monitoring of employee performance via CCTV in non-public areas (e.g., desks, offices) is likely a breach of privacy and the duty of good faith under the ERA. You may monitor specific areas for health and safety or security reasons, but you must consult employees first and have a clear, documented purpose.