POPIA and CCTV: Workplace Surveillance Done Right
CCTV cameras are a practical reality for many South African businesses — whether you are protecting stock in a retail store, securing a warehouse, or monitoring access to a server room. But footage of identifiable employees and visitors is personal information under the Protection of Personal Information Act (POPIA), and that changes how you must think about your cameras.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including whether your monitoring practices comply with applicable labour law and POPIA — consult a qualified attorney.
---
Why CCTV footage counts as personal information
POPIA defines personal information broadly. Video footage that captures an identifiable person — their face, their gait, their vehicle, their behaviour at a particular time and place — falls squarely within that definition. The moment you record such footage, you become a responsible party processing personal information, and POPIA's eight conditions for lawful processing (section 8) apply.
---
The lawful basis question
Before you install a camera — or review existing ones — the first question is: what justifies the processing? POPIA section 11 sets out the permitted grounds. For most workplace CCTV, employers typically rely on one or more of the following:
- Legitimate interest (section 11): The employer has a genuine, proportionate interest in protecting property, preventing theft, or ensuring safety — provided that interest is not overridden by the employee's right to privacy.
- Legal obligation (section 11): Certain industries may have a regulatory requirement to maintain security footage (for example, under financial-sector or gaming-industry rules).
- Contract (section 11): Employment contracts sometimes reference monitoring, though reliance on this ground alone is not straightforward for covert or extensive surveillance.
The key word is proportionate. A camera covering the till in a cash-handling environment is more readily justifiable than a camera pointed at a bathroom entrance or a smoking area. The Information Regulator's published guidance emphasises that the least privacy-invasive means should be used to achieve a legitimate purpose.
---
Telling people the cameras are there (section 18)
POPIA section 18 requires that data subjects be notified when their personal information is collected. In a CCTV context, this has two practical dimensions:
- Signage. Visible, legible notices at entry points informing people that CCTV is in operation, who operates it, and for what purpose are the standard way to satisfy the notification requirement for members of the public and visitors.
- Employee notice. For employees, notification should also appear in employment contracts, workplace policies, or a dedicated CCTV policy. Employees should know where cameras are located (or at least which zones are covered), why footage is recorded, how long it is kept, and who may access it.
Covert surveillance of employees is a substantially more complex area — it may be permissible in limited, specific circumstances (for example, an active fraud investigation), but it carries significant legal and labour-relations risk. Legal advice is strongly recommended before any covert monitoring is deployed.
---
Purpose limitation and retention (sections 13 and 14)
POPIA section 13 requires that personal information be collected for a specific, explicitly defined purpose. Your CCTV policy should state the purpose clearly: security, asset protection, access control, and so on.
Section 14 addresses how long you may retain records. Footage should not be kept longer than necessary to fulfil that stated purpose. In practice, many businesses retain general surveillance footage for 30 to 90 days and overwrite it on a rolling basis — but where footage is relevant to an incident, disciplinary process, or legal matter, retention for the duration of that process is appropriate. Document your retention periods in writing.
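
The rolling-retention rule above, with its exception for footage tied to an incident, disciplinary process, or legal matter, can be expressed as a purge plan that is reviewed before anything is deleted. This is an added example, not part of the original article: the clip paths, camera names, and hold references are constructed, and the 30-day window is one value from the 30 to 90 day range mentioned above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Clip:
    camera: str
    start: datetime
    end: datetime
    path: str

@dataclass(frozen=True)
class Hold:
    reference: str          # incident, disciplinary or legal matter (constructed ids)
    camera: str
    start: datetime
    end: datetime
    released: bool = False  # set once the process the hold served has ended

def plan_purge(clips, holds, retention_days, now):
    """Return (purge, keep) for expired clips; nothing is deleted here."""
    cutoff = now - timedelta(days=retention_days)
    active = [h for h in holds if not h.released]
    purge, keep = [], {}
    for clip in clips:
        if clip.end >= cutoff:
            continue  # still inside the rolling retention window
        refs = [h.reference for h in active
                if h.camera == clip.camera and clip.start < h.end and h.start < clip.end]
        if refs:
            keep[clip.path] = refs  # record why this clip outlives the window
        else:
            purge.append(clip.path)
    return purge, keep

def _t(day, hour, month=5):
    return datetime(2024, month, day, hour, tzinfo=timezone.utc)

# Constructed sample data: hourly clips, one active hold and one released hold.
NOW = _t(30, 0, month=6)
CLIPS = [
    Clip("till-01", _t(1, 8), _t(1, 9), "till-01/0501-08.mp4"),
    Clip("till-01", _t(10, 14), _t(10, 15), "till-01/0510-14.mp4"),
    Clip("dock-02", _t(10, 14), _t(10, 15), "dock-02/0510-14.mp4"),
    Clip("dock-02", _t(12, 9), _t(12, 10), "dock-02/0512-09.mp4"),
    Clip("till-01", _t(20, 8, month=6), _t(20, 9, month=6), "till-01/0620-08.mp4"),
]
HOLDS = [
    Hold("INC-EXAMPLE-1", "till-01", _t(10, 14), _t(10, 15)),
    Hold("INC-EXAMPLE-2", "dock-02", _t(12, 9), _t(12, 10), released=True),
]
```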
---
Security of the footage (section 19)
POPIA section 19 requires that a responsible party take reasonable technical and organisational measures to secure personal information against loss, damage, or unauthorised access. For CCTV systems this means:
- Restricting access to live feeds and recorded footage to authorised staff only.
- Password-protecting DVR/NVR systems with strong, unique credentials.
- Storing footage on secure, access-controlled infrastructure (whether on-premises or cloud-based).
- Keeping a log of who accessed footage and when.
If footage is shared with a third party — a security company, an investigator, law enforcement — that transfer must itself be handled within POPIA's framework.
---
Employees' right to access their own footage (section 23)
POPIA section 23 gives data subjects the right to request access to personal information held about them. An employee could therefore request access to footage in which they appear. This right intersects with the Promotion of Access to Information Act (PAIA), which governs the mechanics of access requests to private bodies. Your PAIA manual (required for businesses with 50 or more employees, and advisable for smaller ones) should address how such requests are handled.
---
Breach notification (section 22)
If your CCTV system is compromised — footage is accessed without authorisation, a DVR is stolen, or a cloud account is breached — POPIA section 22 requires you to notify the Information Regulator and affected data subjects as soon as reasonably possible. Build this scenario into your incident-response plan.
---
Your Information Officer's role (section 55)
Every business that processes personal information must designate an Information Officer. Under POPIA section 55, that officer is responsible for ensuring the business complies with POPIA. Workplace CCTV should be an explicit item in your Information Officer's compliance register and reviewed periodically.
---
A practical checklist
Before you switch a camera on — or audit the ones already running — work through these questions:
- [ ] Have we identified a lawful basis for each camera location under section 11?
- [ ] Is there visible signage at all entry points?
- [ ] Have employees been notified in writing (policy, contract, or both)?
- [ ] Does our CCTV policy specify the purpose, retention period, and access controls?
- [ ] Are live feeds and recordings secured against unauthorised access?
- [ ] Do we have a process for handling data-subject access requests?
- [ ] Is CCTV included in our breach-response plan?
- [ ] Has our Information Officer reviewed and signed off on the arrangement?
---
Where to find primary guidance
- Information Regulator (South Africa): www.inforegulator.org.za — published guidance, complaint forms, and the POPIA Act itself.
- POPIA (Act 4 of 2013): Available via the Government Gazette and the Information Regulator's website.
- Labour matters: The Department of Employment and Labour and the Labour Court have addressed employee monitoring; specialist labour-law advice is recommended where employment relationships are involved.
---
> Reminder: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. Camera placement, monitoring practices, and data-retention decisions carry both POPIA and labour-law implications unique to your business. Consult a qualified attorney before making compliance decisions.