As a business, you may consider installing video surveillance on your premises to discourage theft or ensure the safety of your customers and personnel. However, your business may suffer significant legal implications if you do not adhere to legal requirements around filming or recording customers that enter your store.
This article explains the legal requirements around the use of optical surveillance devices. Additionally, it considers the potential consequences of breaching customers’ privacy, as demonstrated by the 7-Eleven case.
Is it Legal to Record Customers Who Enter My Business?
There are certain situations where it is not illegal to collect the personal information of individuals. This includes collecting their images or identity information. Installing optical surveillance devices, such as CCTV, which collect videos or images of customers that enter your business is legal. However, if you elect to record customers through these devices, you must comply with certain laws.
The Privacy Act 1998 (‘Privacy Act’) applies to personal information and governs how businesses can handle their customers’ personal information. The Act will apply to a business if the business:
- has an annual turnover of over $3 million;
- provides a health service, or holds health information;
- is a contractor for the Commonwealth government; or
- trades in personal information (e.g. sells personal information to other parties).
Such businesses will be ‘APP entities’ that must comply with the provisions of the Privacy Act.
Suppose your business is covered under the law. Then any personal information that you collect through your surveillance devices must comply with the Australian Privacy Principles under the Act, which require you to:
- inform customers that you may capture their images before recording takes place. For example, you may post clear signage at the entrance of and throughout your premises, and install cameras in clearly visible locations on your premises to ensure adequate notification to customers that they may be under surveillance;
- ensure that any personal information recorded is stored securely, and either destroyed or de-identified when you no longer require the information. For example, you may delete CCTV footage of customers every month; and
- only use or disclose the information recorded for the primary collection purpose, for example, to seek action against a person who committed theft on your premises (or for a secondary purpose if an exemption applies).