Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

4 Things to Know When Installing CCTVs Legally

4 Things to Know When Installing CCTVs Legally

Installing CCTVs Legally requires compliance to personal data protection laws
Installing CCTVs Legally requires compliance to personal data protection laws

In the advent of technology era, security has been one of the most improved aspect of business organizations. The use of closed-circuit television (CCTV) cameras has become undeniably popular in recent years. Nowadays, you rarely find business premises without these. However, could you just install security cameras that easy? Not so fast! Here are the basic things you need to know when installing CCTVs legally.

1. Laws on installing CCTVs legally

Unlike home installations, setting up security cameras for your business can be quite complicated. The main reason is that, in contrast to private individuals, companies are considered as juridical entities and are subject to more stringent compliance with laws.

While different countries enforces different legalities, the rules on CCTV installation are primarily governed by personal data protection laws. An example of which is the Personal Data Protection of Singapore. In a nutshell, the PDPA imposes these 3 obligations (among others), on business organizations:

  • Consent Obligation: your business must not collect, use, or disclose personal data without the consent of the private individual
  • Reasonable Purpose Obligation: your business must only limit the collection, use, or disclosure of personal data for purposes a reasonable person would consider appropriate
  • Notification Obligation: your business must notify the private individual of the purposes of collection, usage, and disclosure of the data

Revolving around these three precepts, installing CCTVs legally entails several responsibilites.

Operating in Singapore? Also Read: Personal Data Protection Act Singapore: Is Your Business Compliant?

2. CCTV cameras in public and non-public premises

There are certain rules to observe in installing CCTV cameras inside or outside your business premises. Generally, national security laws exempts businesses from complying with certain obligations when it comes to publicly available personal data. That’s why you see most CCTV cameras whenever you withdraw from an ATM machine, pass by company gates, or even on several streetlights.

Below is a table summarizing the aforementioned obligations to be complied with, relative to the nature of the premises:

Consent ObligationReasonable Purposes ObligationNotification Obligation
Publicly accessible premisesNo need to obtain consent from customers (but it is good practice to do so)Need to ensure that personal data collected by the CCTV footage is used for reasonable purposes onlyNo need to notify customers that they are being monitored by CCTV cameras (but it is good practice to do so)
Non-publicly accessible premisesNeed to obtain consent from customers and should do so by putting up notices or signsNeed to ensure that personal data collected by the CCTV footage is used for reasonable purposes onlyNeed to notify customers and should do so by putting up notices or signs
There are rules when installing CCTVs legally in public and non-public premises

3. Installing CCTVs legally requires consent and notification

From what you can deduce from the table above, if you would like to install security cameras outside of your business premises in an area that is non-publicly accessible, you have to comply with the consent and notification obligation.

The law requires that you let the general public know that they are being recorded. This is generally important for most stores or offices in public. To comply, you can put up signs. You can make one yourself, but it is more practical to buy pre-printed ones because these are more durable and can withstand rain and heat.

One thing to note is that the notice should not just contain an image of a CCTV camera but should likewise state the purpose of the footage collection, i.e., it should at least be written that the camera is “installed for security purposes”.

4. Retention and deletion of CCTV camera footage

Your business must ensure to discontinue retaining CCTV footage when the purpose for which it was collected is no longer valid. Although most security laws do no stipulate a particularly fixed duration, footages should be erased when it is no longer required for security purposes. Thus, your organization is recommended to regularly review CCTV camera footage every quarter of the year.

You should likewise be guided that a private individual has the right to withdraw his consent to the collection, use, or disclosure of his personal data. As such, with a given reasonable notice, he/she may request for the discontinuation of the use of a CCTV footage that features him. However, your organization is not obliged to delete or destroy this footage, hence you may still retain it as long as it serves its legal or business purpose.

These are fundamental things to know when installing CCTVs legally. You should ensure that you are compliant with your country’s security laws in order to avoid hefty penalties and certain damage to your company’s reputation.

In both cyberworld and real-life, security and data protection should be of paramount importance. Laws can be quite strict and tedious to follow, but should be complied with, nonetheless. As your business expands and make advances on improving your company’s security features, you should consider hiring a Data Protection Officer. Today!

Also Read: Data Protection Officer Singapore | 10 FAQs

Protecting personal data that the organisation manages is the primary duty that must be upheld, or else risk the financial penalty imposed by the PDPC in case of a breach. To help organisations with their PDPA compliance, they can outsource a DPO, which is an officer responsible for ensuring that all data protection provisions are complied with at all times. 

DPOs can ensure that upon installing a CCTV, it still follows the standard that the PDPA establishes when it comes to personal data collection, use, and disclosure.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us