compliance | 7 min read | 20 May 2026

CCTV and Video Surveillance at Work: PDPA Rules for Singapore Businesses

Practical guide to PDPA compliance for CCTV at your Singapore business. Covers signage rules, retention limits, employee footage, breach obligations and penalties.

ComplyHQ Team

If you run a retail shop, F&B outlet, office, or warehouse in Singapore, chances are you have CCTV cameras installed. They are cheap, easy to set up, and give you peace of mind about security and theft prevention. What many business owners do not realise is that the moment those cameras start recording people, you are collecting personal data under the Personal Data Protection Act 2012 (PDPA), and a specific set of legal obligations kicks in.

This guide explains exactly what Singapore's PDPA requires of your business when it comes to CCTV and video surveillance, in plain English and with practical steps you can act on today.

Why CCTV Footage Counts as Personal Data

Under the PDPA, "personal data" is any data that can identify an individual, whether on its own or combined with other information the organisation has access to. CCTV footage almost always meets this definition. A camera recording a customer walking into your shop captures their face, body, clothing, and sometimes their car licence plate. That is enough to identify a specific person.

The Personal Data Protection Commission (PDPC) has confirmed this in its Advisory Guidelines on Selected Topics (revised May 2024): video and audio recordings of individuals constitute personal data, and the use of CCTV therefore constitutes the collection of personal data.

This means your CCTV system is not just a security tool. It is a personal data collection system, and your business is the data controller responsible for complying with the PDPA.

Your Five Core Obligations

1. Purpose Limitation: Know Why You Are Recording

Before you install a single camera, you need a clear, documented purpose. The PDPA requires that personal data be collected only for purposes that a reasonable person would consider appropriate in the circumstances.

For most Singapore SMEs, legitimate purposes include:

  • Security and theft prevention in retail or warehouse environments
  • Workplace safety monitoring in factories, kitchens, or construction sites
  • Access control at building entrances and restricted areas
  • Dispute resolution for customer-facing businesses like F&B or service counters

What you cannot do is install cameras for one stated purpose and then use the footage for something else entirely. If your signs say the cameras are for security, you should not be reviewing footage to check if staff are taking long breaks. That would breach the purpose limitation obligation.

2. Notification: Tell People They Are Being Recorded

The PDPC's advisory guidelines are clear: organisations must place notices at locations that give individuals sufficient awareness that CCTV is in operation. This is not optional. It is a core part of your notification obligation under Section 20 of the PDPA.

What your signage must include:

  • A clear statement that CCTV recording is in operation
  • The purpose of the surveillance (e.g., "for security and safety purposes")
  • If audio is also being recorded, this must be explicitly stated
  • Contact details of your Data Protection Officer (DPO) so individuals know who to reach

Where to place signs:

  • At every entrance to the monitored area
  • At eye level and in a size that is easily readable (the PDPC recommends signage of approximately 90cm by 60cm at main entrances)
  • Inside the monitored area if the entrance signage might be missed

A common mistake among Singapore SMEs is installing cameras first and putting up signs months later, or not at all. PDPC audits have found that roughly 63% of retail stores needed signage upgrades, so this is a widespread gap.

3. Consent

Here is where things get slightly nuanced. The PDPA operates on a consent model, but there are practical exceptions that apply to CCTV.

Public-facing areas (shop floor, restaurant dining area, lobby): Signage and the concept of "deemed consent" typically apply. Under Section 15 of the PDPA, an individual who enters your premises after being notified by clear signage that CCTV is in operation is generally deemed to have consented to the collection of their footage. The individual's continued presence after seeing the notice constitutes voluntary provision of their personal data.

Non-public work areas (staff rooms, stockrooms, back offices): For employees being monitored in areas that are not open to the public, you should obtain explicit written consent. This is typically handled through your employment contract or a separate CCTV policy acknowledgement form. The "reasonable purpose" test applies: you need a strong business justification for cameras in break rooms or changing areas.

Legitimate interests exception: The 2021 amendments to the PDPA introduced a legitimate interests exception under the First Schedule. This allows organisations to collect and use personal data without consent where the organisation's legitimate interest outweighs any adverse effect on the individual. Security surveillance in business premises generally qualifies, but you should still document your assessment.

Areas where cameras should never be placed: Toilets, changing rooms, prayer rooms, and other areas where individuals have a reasonable expectation of privacy. Placing cameras in these locations would almost certainly be deemed unreasonable and could trigger enforcement action.

4. Retention: Do Not Keep Footage Longer Than Necessary

The PDPA's retention limitation obligation (Section 25) requires organisations to stop retaining personal data when it is no longer needed for the purpose it was collected, or for legal or business purposes.

Practical benchmarks:

  • General business CCTV: 30 days is the commonly accepted standard. The PDPC considers this reasonable for most security purposes
  • Workplace safety incidents: If your business falls under the Workplace Safety and Health Act, footage related to incidents must be retained for at least 180 days
  • Financial institutions and high-security facilities: Regulatory requirements may mandate 90 days or longer
  • Footage subject to an ongoing investigation or legal dispute: Retain until the matter is resolved, but document the reason for extended retention

Your CCTV system should be configured to automatically overwrite or delete footage after your stated retention period. Many modern systems do this by default with loop recording, but you need to verify the settings match your stated policy.

5. Protection: Secure the Footage

Under the protection obligation (Section 24), you must make reasonable security arrangements to protect the personal data you hold. For CCTV, this means:

  • Access controls: Only authorised personnel should be able to view, download, or export footage. Maintain a log of who accesses the system
  • Password protection: Default passwords on CCTV systems are a common vulnerability. Change them immediately after installation
  • Encryption: Where possible, use encrypted storage for recorded footage
  • Physical security: DVR/NVR units should be kept in locked rooms or cabinets, not sitting on a shelf behind the counter
  • Network security: If your CCTV system is connected to the internet for remote viewing, ensure it uses secure connections. Unsecured IP cameras are frequently found in public search engines like Shodan

The PDPC enforcement case against MCST 3593 and New-E Security illustrates what happens when protection falls short. The organisations were fined S$5,000 for failing to implement reasonable security arrangements for CCTV footage and not appointing a Data Protection Officer.

Employees vs Visitors: Different Rules Apply

The PDPA applies to footage of both employees and visitors, but the practical obligations differ.

For visitors and customers:

  • Clear signage at entry points is generally sufficient
  • Deemed consent applies when they enter after seeing the notice
  • Access requests from visitors must be handled (they have the right to request footage of themselves)

For employees:

  • Notification through signage alone may not be enough for non-public areas
  • Include CCTV monitoring details in employment contracts or staff handbooks
  • Employees have the right to request access to footage of themselves
  • When providing access, you must mask or redact footage of other individuals to protect their data
  • Covert surveillance of employees is restricted unless investigating suspected criminal activity, and even then should be time-limited and proportionate

Data Breach Obligations: What If Your Footage Is Compromised

Since 1 February 2021, the PDPA includes mandatory data breach notification requirements. If your CCTV footage is compromised through a hack, theft of the recording device, or unauthorised access, you may be required to notify the PDPC.

A data breach involving CCTV footage is notifiable if:

  1. Significant harm threshold: The breach is likely to result in significant harm to affected individuals (e.g., footage could be used for blackmail, identity theft, or cause reputational damage), OR
  2. Scale threshold: The breach affects 500 or more individuals, regardless of the type of harm

Notification timeline: You must notify the PDPC within three calendar days of determining that the breach is notifiable. If significant harm is likely, you must also notify the affected individuals.

For a busy retail shop or restaurant, a single day of stolen footage could easily contain recordings of 500 or more people, triggering the scale threshold. This is why securing your CCTV system is not just good practice; it is a legal necessity.

Penalties: What Non-Compliance Costs

The financial penalties under the PDPA are significant and have been strengthened through recent amendments:

  • Organisations with annual local turnover of S$10 million or less: Financial penalties of up to S$1 million
  • Organisations with annual turnover exceeding S$10 million: Penalties of up to 10% of annual turnover in Singapore

Beyond financial penalties, the PDPC can issue directions requiring organisations to stop collecting data, destroy data, or implement specific compliance measures. Enforcement decisions are published, which means reputational damage on top of the fine.

Recent enforcement actions demonstrate that the PDPC takes these obligations seriously. In 2025, Marina Bay Sands was penalised for a data breach, and multiple SMEs have faced fines ranging from S$5,000 to S$20,000 for failures in their protection and accountability obligations. These are not theoretical risks.

Appointing a Data Protection Officer

Every organisation covered by the PDPA must designate at least one Data Protection Officer (DPO). For CCTV compliance, your DPO is responsible for:

  • Handling access requests from individuals who want to see their footage
  • Managing retention schedules and ensuring old footage is deleted on time
  • Responding to data breach incidents involving footage
  • Conducting periodic reviews of your CCTV practices
  • Training staff who interact with the surveillance system

For SMEs, the DPO does not need to be a dedicated full-time role. It can be an existing manager or director, but they need to be properly identified and their contact details included on your CCTV signage. Tools like ComplyHQ can help you set up and manage your DPO obligations with AI-powered compliance workflows, handling the documentation and process requirements in minutes rather than weeks.

Handling Access Requests

Under the PDPA, individuals have the right to request access to their personal data, including CCTV footage of themselves. When you receive such a request:

  1. Verify identity: Confirm the requestor is who they claim to be
  2. Respond within 30 days: This is the statutory timeline for access requests
  3. Mask other individuals: If the requested footage contains other people, you must redact or mask their images before providing access
  4. Document the request: Keep a record of all access requests and how they were handled
  5. You may charge a reasonable fee: The PDPA allows organisations to charge a reasonable fee for providing access, but it must not be excessive

The PDPC enforcement case involving MCST 4599 (The Scotts Tower) is a cautionary tale. A resident's access request for CCTV footage was denied, and the footage was later overwritten before it could be provided. The PDPC found the MCST in breach of its accountability obligation for failing to have procedures in place.

Practical Compliance Checklist for Singapore SMEs

Use this checklist to assess your current CCTV compliance:

Signage and Notification

  • Prominent signs at all entrances to monitored areas
  • Signs state that CCTV is in operation and the purpose of recording
  • Signs include DPO contact information
  • Audio recording is disclosed separately if applicable

Documentation

  • Written CCTV policy documenting purpose, scope, and retention period
  • Data Protection Officer formally designated
  • Employee acknowledgement forms for non-public area monitoring
  • Legitimate interests assessment documented (if relying on this exception)

Technical Controls

  • Default passwords changed on all CCTV equipment
  • Footage access restricted to authorised personnel only
  • Access log maintained for the CCTV system
  • Automatic deletion or overwriting after the stated retention period
  • DVR/NVR physically secured in a locked location
  • Internet-connected cameras use encrypted connections

Processes

  • Procedure for handling individual access requests within 30 days
  • Data breach response plan covering CCTV footage scenarios
  • Regular review of camera placement and purpose (at least annually)
  • Staff training on CCTV data handling responsibilities

If you are unsure where your business stands, ComplyHQ's AI-powered compliance platform can walk you through a guided PDPA assessment covering CCTV and all other data protection obligations, so you can close gaps before the PDPC finds them.

The Bottom Line

CCTV cameras are a practical tool for Singapore businesses, but they come with real legal obligations under the PDPA. The good news is that compliance is straightforward once you understand the rules: be transparent about what you are recording and why, keep footage only as long as you need it, secure it properly, and have a plan for when someone asks to see their data or something goes wrong.

The cost of getting it right is minimal. The cost of getting it wrong can be up to S$1 million or 10% of your annual turnover, plus the reputational damage of a published PDPC enforcement decision. For any Singapore SME, that is a risk not worth taking.

Frequently Asked Questions

Do I need to register my CCTV system with the PDPC before installing it?

No. The PDPA does not require you to register or obtain prior approval from the PDPC to install CCTV. However, because CCTV footage of identifiable individuals counts as personal data, your business must comply with the PDPA's data protection obligations from the moment the cameras are switched on. This includes putting up proper signage, limiting the purpose of collection, and securing the footage.

Can I use CCTV footage captured for security purposes to monitor employee performance?

Generally, no. The PDPA's purpose limitation obligation means you can only use the footage for the purpose you stated when collecting it. If your signage says cameras are installed for security and safety, using that footage to track employee productivity or discipline staff for non-security reasons would likely breach the purpose limitation obligation. If you want to use footage for performance monitoring, you need to state that purpose clearly in your signage and employee notifications.

How long can I keep CCTV recordings before I must delete them?

The PDPA does not prescribe a fixed retention period, but it requires that personal data must not be kept longer than necessary for the purpose it was collected. For most Singapore SMEs using CCTV for security, the PDPC considers 30 days a reasonable benchmark. If your industry has specific regulatory requirements, such as financial services or workplace safety incidents requiring 180-day retention, those override the general guideline. Document your chosen retention period and the business reason behind it.

Tags: PDPA, Singapore compliance, SME, data protection, PDPC