Note: This article provides general information about CCTV practices in the context of Singapore's Personal Data Protection Act. It is not legal advice. For specific compliance questions, consult the Personal Data Protection Commission or a qualified legal adviser.
- Installing CCTV in Singapore is perfectly legal; the compliance obligations arise from how the footage is managed afterwards, not from the installation itself.
- CCTV footage that captures identifiable individuals is generally considered personal data under the PDPA, which means organisations operating CCTV systems have data protection obligations.
- Signage notifying people that they are entering a monitored area is typically required, and should be visible before entry, not after.
- The PDPA does not specify an exact retention period, but 30 days is widely applied as a reasonable baseline consistent with industry practice.
- Access to footage should be restricted to authorised personnel with a defined and documented process for retrieval and sharing.
- Most compliance problems arise from poor management practices (casual sharing, no retention policy, unchanged default passwords), not from the CCTV technology itself.
Can I Install CCTV Legally?
Installing CCTV in Singapore is perfectly legal. The question I hear most often, whether installing cameras creates PDPA liability, reflects a common misunderstanding of where the obligations actually arise. The installation itself is not the issue. The issue is whether the footage captured by those cameras is managed in accordance with the PDPA's requirements for personal data.
If cameras capture identifiable individuals (their faces, their vehicles, their movements through a space), that footage is generally considered personal data under Singapore's Personal Data Protection Act. Organisations that collect, use, or disclose personal data in the course of their activities have obligations under the Act. For a commercial building, a condominium, a retail operation, or an office, operating CCTV for security purposes falls squarely within this framework. The good news is that compliance is usually straightforward when it is considered during system design rather than discovered as an oversight after installation.
KEY POINT
The PDPA does not prohibit CCTV. It requires organisations that collect personal data, including surveillance footage, to manage it responsibly. The compliance obligations are procedural, not technical.
Do Homeowners Need to Worry About PDPA?
This is an important distinction that many people overlook. The PDPA generally does not apply to CCTV used solely for personal or domestic purposes. A homeowner monitoring their own front gate, watching their driveway, or recording activity at their own property boundary is in a materially different position from an organisation collecting footage of members of the public or employees.
The obligations become relevant once the context shifts to a commercial or organisational setting: condominiums managing common area surveillance, office buildings monitoring staff and visitor areas, retail shops recording customer activity, factories covering production floors and perimeter areas. In these contexts, the organisation operating the cameras is collecting personal data in the course of its activities, and the PDPA's requirements apply. For MCST councils and managing agents, property managers, and business owners in Singapore, understanding those requirements and ensuring the systems are managed accordingly is part of responsible operations.
KEY POINT
The personal/domestic use exception is meaningful for homeowners with residential security cameras. For any organisation, including condominium MCSTs, operating cameras that capture identifiable individuals in the course of managing the property, PDPA obligations apply.
Signage: the Most Overlooked Requirement
Of all the practical PDPA requirements for CCTV systems, signage is the one I encounter as a gap most frequently during site assessments. The principle is straightforward: people should generally be informed that they are entering an area under CCTV surveillance before they enter it, not after they are already inside. This notification function is typically served by a visible sign at or near the entrance to the monitored area.
The sign does not need to be elaborate. A clear statement that CCTV is in operation in the area, together with an indication of the purpose (security, safety, or property protection), is typically sufficient. What matters is that it is legible, positioned where someone approaching the monitored area will see it, and not obscured by other signage or vegetation. A sign mounted inside a carpark after the barrier is not providing notice before entry. A sign at the entrance to a building lobby that is partially obscured by a planter is not providing adequate notice.
For condominiums and commercial buildings with multiple entry points, signage should cover each entry point where cameras are active. A single sign at the main entrance does not address side entrances, carpark entries, or service access points that are also under surveillance. This is one of the easiest compliance gaps to address (physical signage costs almost nothing) and one of the most commonly found in estates that have never formally reviewed their CCTV compliance posture.
KEY POINT
Place signage at every entry point to a monitored area, at a height and position where it will be seen before entry. Review signage placement periodically; vegetation grows, new entry points are created, and signs become obscured over time.
Retention: How Long Should Footage Be Kept?
The PDPA requires organisations not to retain personal data longer than is necessary for the purpose for which it was collected. For CCTV footage, the purpose is typically security monitoring: identifying incidents, supporting investigations, and providing evidence when required. The Act does not prescribe a specific number of days; instead, it requires that a rational basis exists for the retention period chosen and that footage is not kept indefinitely without reason.
In practice, 30 days has become the widely adopted baseline across Singapore's commercial and residential property sector. This period is long enough to cover the typical discovery window for incidents: most security events that are going to be reported are reported within days of occurring, but property damage or access incidents may not be discovered immediately. It is also consistent with guidance from the Singapore Police Force on footage preservation following incidents. Thirty days is not a legal requirement, but it represents a defensible position that aligns with industry practice and the PDPC's general expectation of proportionality.
Organisations with specific operational reasons to retain footage longer (a long-running investigation, a contractual obligation, a regulatory requirement) can do so, but the reason should be documented. What creates compliance risk is the absence of any policy at all: systems where footage is retained until the hard disk fills up and then overwritten, with no deliberate decision made about the appropriate retention period. The policy itself is the compliance point, not the specific number of days chosen.
KEY POINT
Establish a documented retention policy; 30 days is a sound and widely applied baseline. Configure the NVR to overwrite footage automatically at the end of the retention period. Document any exceptions and their justification.
Access: Who Should Be Able to View Footage?
Access to CCTV footage should be restricted to personnel who have a legitimate operational reason to view it. This sounds obvious, but in practice it is one of the areas where procedures break down most visibly. Footage is downloaded to a personal device for convenience. Screenshots are taken and shared in messaging groups. A manager shows footage to a colleague who was not involved in the incident under review. Each of these actions represents a disclosure of personal data that may not be justified by the original purpose of collection.
A properly managed access framework means that the NVR or VMS has individual login credentials for each authorised user rather than a single shared password. Access levels should reflect roles: a security guard may need live monitoring access but not the ability to export footage, while a security manager may need export capability for incident reporting. Changes to access rights should be processed when staff roles change or when someone leaves the organisation, following the same discipline that applies to any access credential system.
The retrieval and sharing procedure for footage requests also deserves a documented process. When an incident occurs and footage needs to be provided to police, to an insurer, or for an internal investigation, there should be a clear process for who authorises the retrieval, how the footage is transferred, and what record is kept of the disclosure. Ad hoc arrangements (whoever happens to be on duty copies footage to a USB drive and hands it over) create both a compliance gap and an evidentiary risk if the footage is later required in formal proceedings.
KEY POINT
Individual login credentials, role-based access levels, and a documented retrieval procedure are the three components of adequate access management. None of these requires additional hardware; they are configuration and process decisions.
Camera Placement: Capturing What You Need, Not Everything You Can
A camera positioned to monitor an entrance or carpark will inevitably capture some public space: the pavement beyond the gate, the road in front of the barrier, passers-by on the street. This is generally unavoidable and generally accepted, provided the primary purpose of the camera is legitimate security monitoring of the property rather than surveillance of the public area.
The compliance issue arises when cameras are positioned or angled in ways that capture significantly more than is necessary for the stated purpose. A camera monitoring the front of a shophouse that also captures the interiors of neighbouring units across the street. A residential camera aimed to cover the car porch that also records detailed footage of a neighbour's property. A lobby camera that is angled to capture faces of passers-by on the public footpath rather than visitors entering the building.
Modern cameras offer privacy masking, the ability to apply a digital block to a defined area of the frame, permanently excluding it from recording. This is a practical tool for situations where the camera's field of view inevitably includes areas that should not be captured: a neighbouring property, a public area beyond the property boundary, or a sensitive internal area within the premises. Privacy masking does not reduce the camera's usefulness for its intended purpose; it simply ensures the footage is limited to what is actually needed. The principle is to capture what the security purpose requires and not what happens to be visible.
KEY POINT
Review camera angles during commissioning to confirm they cover the intended security areas and are not capturing beyond what the purpose requires. Use privacy masking where the field of view unavoidably includes areas that should be excluded from recording.
The Five Most Common Compliance Gaps
After many years of CCTV installations and reviews across Singapore, the same issues appear with regularity. None of them is a technology problem. All of them are process and procedure gaps that can be addressed without replacing any equipment.
The absence of CCTV signage at entry points is the most common single gap: cameras recording people who have received no notification that they are entering a monitored area. Default passwords left unchanged from the factory setting are the second most frequent finding: a security vulnerability that is also a data protection risk, since an NVR with an unchanged factory password is accessible to anyone who knows the default credentials for that model. The absence of any documented retention policy is the third: footage accumulating on the hard disk until it is overwritten without any deliberate decision having been made about the appropriate period.
Casual sharing of footage is the fourth and perhaps the highest-risk gap in terms of PDPA exposure. Screenshots and video clips distributed via messaging applications, shared with people not involved in the incident under review, or sent to third parties without a clear legal basis for the disclosure all represent potential PDPA contraventions. The fifth gap is poor camera placement: cameras capturing far more than the stated security purpose requires, without privacy masking applied to exclude the unnecessary coverage. Every one of these gaps is straightforward to address once identified.
KEY POINT
A compliance review of an existing CCTV installation typically takes a few hours and addresses all five gaps. Most of the fixes are procedural or configuration changes rather than hardware replacements.
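The gaps above that live in configuration (unchanged default passwords, shared logins, export rights beyond role, accounts of departed staff, footage held past the retention period with no documented reason) can be checked from an export of the recorder's accounts and recordings. The Python audit below is an added example, not part of the original article or any vendor's tool; the field names, roles and sample records are constructed assumptions.

```python
from datetime import date, datetime, timedelta

RETENTION_DAYS = 30                            # the article's baseline; use your documented policy
EXPORT_ROLES = {"admin", "security_manager"}   # assumption: roles permitted to export footage

# Constructed sample data standing in for an NVR/VMS export (all names hypothetical).
ACCOUNTS = [
    {"user": "admin", "role": "admin", "named_person": None,
     "password_changed": False, "can_export": True, "active_staff": True},
    {"user": "guard1", "role": "guard", "named_person": "Guard A",
     "password_changed": True, "can_export": True, "active_staff": True},
    {"user": "mgr1", "role": "security_manager", "named_person": "Manager B",
     "password_changed": True, "can_export": True, "active_staff": True},
    {"user": "guard_old", "role": "guard", "named_person": "Guard C",
     "password_changed": True, "can_export": False, "active_staff": False},
]
RECORDINGS = [
    {"clip": "cam1-a", "recorded": "2024-01-02", "hold_reason": None},
    {"clip": "cam1-b", "recorded": "2024-01-05", "hold_reason": "police request, record on file"},
    {"clip": "cam2-a", "recorded": "2024-02-20", "hold_reason": None},
]

def audit_accounts(accounts, export_roles=EXPORT_ROLES):
    """Return (user, issue) pairs for the access-management gaps."""
    findings = []
    for a in accounts:
        if not a["password_changed"]:
            findings.append((a["user"], "factory default password unchanged"))
        if a["named_person"] is None:
            findings.append((a["user"], "shared login, not tied to one person"))
        if a["can_export"] and a["role"] not in export_roles:
            findings.append((a["user"], "export right exceeds role"))
        if not a["active_staff"]:
            findings.append((a["user"], "account of departed staff still enabled"))
    return findings

def audit_retention(recordings, today, days=RETENTION_DAYS):
    """Return (clip, issue) pairs for footage kept past policy with no documented exception."""
    cutoff = today - timedelta(days=days)
    findings = []
    for r in recordings:
        recorded = datetime.strptime(r["recorded"], "%Y-%m-%d").date()
        if recorded < cutoff and not r["hold_reason"]:
            findings.append((r["clip"], "past retention with no documented exception"))
    return findings

if __name__ == "__main__":
    # Fixed audit date so the constructed sample gives a repeatable result.
    for item, issue in audit_accounts(ACCOUNTS) + audit_retention(RECORDINGS, date(2024, 3, 1)):
        print(f"{item}: {issue}")
```

Signage and camera placement still need a physical walk-through; they cannot be verified from a configuration export.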
The Right Question to Ask About Compliance
The question many property owners ask is whether their camera is PDPA compliant. That framing locates the compliance question in the wrong place. The camera itself (the hardware, the brand, the resolution) has no direct bearing on PDPA compliance. A high-specification camera with no signage, no retention policy, and shared login credentials is not compliant. A basic camera with proper signage, a documented 30-day retention policy, individual access credentials, and a defined footage retrieval process is.
The more useful question is whether the CCTV procedures are compliant: how footage is stored, who can access it, how long it is kept, how it is shared, and whether people entering monitored areas are adequately notified. Those are the questions that the PDPC's enforcement actions have centred on, and they are the questions that a compliance review should address.
Securevision Verdict
Most PDPA issues involving CCTV are not caused by the technology. They are caused by poor management practices: the absence of signage, unchanged default passwords, no retention policy, casual footage sharing, and cameras capturing more than the security purpose requires. These are not difficult problems to fix. They are easy to overlook when nobody has specifically reviewed the CCTV system through a compliance lens.
A properly managed CCTV system provides security for the property and confidence that the footage is being handled responsibly. That protects the individuals being recorded and it protects the organisation operating the system. The two objectives, effective security and responsible data management, are entirely compatible, and addressing both during installation and commissioning is significantly easier than addressing a compliance gap after something has gone wrong.
In Short
CCTV compliance in Singapore is not primarily about the cameras; it is about the management practices around the footage. Most of the organisations we work with are not doing anything deliberately wrong. They simply have not thought through retention periods, access controls, or what happens when someone makes a data access request. These gaps are straightforward to address once they are identified. We include a compliance review as part of every CCTV assessment we conduct, because a system that works technically but creates legal exposure is not a fully functional security system.
Frequently asked questions
Is it legal to install CCTV in Singapore?
Yes. Installing CCTV in Singapore is legal for legitimate security purposes. The Personal Data Protection Act governs how footage that contains identifiable images of individuals is managed after capture; it does not prohibit installation. Organisations that install CCTV must comply with PDPA obligations relating to purpose, retention, access, and notification.
Do homeowners need to comply with PDPA for home CCTV?
The PDPA applies to organisations, not individuals acting in a personal or domestic capacity. A homeowner installing CCTV inside their own home for personal security is generally not subject to PDPA obligations. However, if cameras capture images of public areas or neighbouring properties, the position is less straightforward and advice from the Personal Data Protection Commission may be appropriate.
What signage is required for CCTV in Singapore?
There is no specific signage regulation under the PDPA that prescribes exact wording or format, but the Commission's guidelines recommend that organisations notify individuals that CCTV is in operation. A clearly visible sign stating that CCTV cameras are in use and identifying the purpose is considered good practice. Signs should be placed at entry points to areas under surveillance.
How long should CCTV footage be retained?
The PDPA requires that personal data should not be retained longer than is necessary for the purpose for which it was collected. For most commercial CCTV installations, a retention period of 14 to 30 days is common and generally considered proportionate. Footage should be deleted or overwritten systematically once the retention period expires.
Who is allowed to view CCTV footage in an organisation?
Access to CCTV footage should be restricted to personnel who have a legitimate operational need, typically security managers, nominated HR personnel investigating a specific incident, and senior management. There should be a clear internal policy specifying who can authorise access requests and under what circumstances.
Can employees request to see CCTV footage of themselves?
Under the PDPA, individuals have the right to request access to personal data about themselves. CCTV footage in which an individual is identifiable is personal data. An organisation receiving such a request must respond within 30 business days and provide access to the relevant footage unless an exemption applies.
What are the most common PDPA compliance gaps in CCTV systems?
The most common gaps we see are: no signage at entry points, undefined or excessively long retention periods, footage accessible to too many staff without authorisation controls, no documented process for handling data access requests, and cameras positioned to capture areas beyond what is necessary for the stated security purpose.
Do cameras in common areas of a condominium need PDPA compliance?
Yes. A management corporation (MCST) operating CCTV in common areas is an organisation for PDPA purposes and must comply with data protection obligations. This includes notifying residents that CCTV is in operation, restricting access to footage, and managing retention appropriately.
Can CCTV footage be shared with police or other authorities?
Yes. The PDPA contains a disclosure exception that allows organisations to share personal data, including CCTV footage, with law enforcement agencies when required by law or when disclosure is necessary for the investigation or prosecution of an offence. Internal records of the disclosure should be maintained.
What is the penalty for PDPA non-compliance involving CCTV?
The Personal Data Protection Commission can impose financial penalties for PDPA breaches. The maximum financial penalty under the revised PDPA is S$1 million or 10% of the organisation's annual turnover in Singapore, whichever is higher. Penalties vary depending on the nature and severity of the breach and the harm caused.
How do we check if our CCTV system is PDPA compliant?
A compliance review should assess four areas: whether signage is adequate, whether the retention period is defined and enforced, whether access to footage is appropriately restricted, and whether camera placement is proportionate to the stated security purpose. We include a compliance review as part of our standard CCTV assessment; contact us to arrange a site visit.