"How long do we need to keep the footage?" is one of the most common questions a Sydney commercial buyer asks after their CCTV system goes in. The honest answer is that it depends on the sector, the insurer, and what the footage is actually for. Here's the 2026 picture for NSW commercial sites, broken down so you can scope retention properly.
Why retention matters more than people realise
Retention isn't a hardware decision. It's a compliance, legal, and operational decision that drives the hardware. Get it wrong in either direction and you have a problem:
- Too short: A workplace incident happens on a Tuesday, gets reported the following Monday, and the footage is already gone. You can't respond to the SafeWork notice, the insurer's claim assessor, or the police request. Your CCTV system is effectively decorative for the events that matter most.
- Too long: You're storing months of footage you don't legally need, paying for the storage, and potentially breaching the Australian Privacy Principles around minimum-necessary data retention. Your exposure to a privacy complaint or notifiable data breach scales with the volume of footage held.
The right answer for your site is "the legal minimum, plus a buffer for how incidents actually surface". Below is what that looks like by sector.
Sector-by-sector retention requirements (NSW, 2026)
| Sector | Legal minimum | Common practice | What we recommend |
|---|---|---|---|
| Liquor and gaming venues (OLGR) | 30 days | 30 to 90 days | 60 days |
| Aged care (Commonwealth-funded) | No federal mandate; provider policy | 30 to 90 days | 60 to 90 days |
| Pharmaceutical distribution (TGA GDP) | No fixed period; "sufficient for traceability" | 90 days | 90 days |
| Healthcare and pathology | Variable by accreditation framework | 30 to 60 days | 60 days |
| Childcare (NQS) | No fixed period; provider risk policy | 14 to 30 days | 30 days |
| Warehousing and logistics | None | 30 days | 30 to 60 days |
| Corporate office | None | 14 to 30 days | 30 days |
| Retail and hospitality (non-licensed) | None | 14 to 30 days | 30 days |
| Critical infrastructure (SOCI Act) | Varies by sector designation | 90+ days | Per regulator guidance |
Where there's no legal mandate, the right number is set by your insurer, your incident-reporting cycle, and how long it typically takes incidents to surface. We almost always recommend 30 days as a floor for any commercial site, even where nothing requires it.
The sectors where retention is actually regulated
Liquor and gaming venues (OLGR)
NSW Liquor and Gaming licensing conditions for venues with gaming machines or full hotel licences require CCTV coverage of specific areas (gaming floors, cashier points, entrances) and retention of footage for a minimum of 30 days. The retention obligation is explicit in the licence conditions and is regularly checked at audit. Most venues we work with run 60 days as a buffer because the lag between an incident and a regulator query is often more than 30 days.
Pharmaceutical distribution and storage (TGA GDP)
The Therapeutic Goods Administration's Good Distribution Practice requirements don't name a number of days, but they do require "sufficient" coverage and retention to support product traceability and incident investigation. In practice the sites we install for under TGA GDP run 90 days minimum, often longer for cold-chain or controlled-substance handling areas. The auditor typically asks for evidence that retention is documented in your quality system and matches your stated retention period.
Aged care
There's no Commonwealth mandate for CCTV retention in residential aged care, but the Aged Care Quality Standards effectively require that you can investigate complaints and incidents. In a sector where a complaint can be lodged weeks after the event and the investigation can take months, 30 days of footage is often not enough. Most providers we work with run 60 to 90 days, with the policy formally documented in their incident-management procedure.
Critical infrastructure (SOCI Act)
Operators designated under the Security of Critical Infrastructure Act have sector-specific obligations that can include enhanced CCTV coverage and longer retention periods. The Cyber and Infrastructure Security Centre publishes sector guidance. If you're a designated operator, the answer comes from your sector's risk-management program rather than from this article.
Insurance often sets the floor
Even where there's no regulator requirement, your insurer frequently has expectations baked into the policy. Common patterns we see in commercial property and business-pack policies:
- Coverage of all entry points and cash-handling areas as a condition of theft cover
- Minimum 30 days of footage retention to support claims
- Evidence the system is professionally maintained (a documented annual service is often the minimum)
If you're scoping a new commercial CCTV install, ask your broker what the policy requires before you sign the install contract. It's much cheaper to size the storage right at install than to add capacity 18 months later when the insurer changes their mind.
What "30 days of footage" actually costs
Retention drives storage, and storage is one of the cost levers in a CCTV install. Rough numbers for a typical 16-camera commercial site running 4K at 15 fps with H.265 encoding:
| Retention period | Storage required (approx) | Hardware impact |
|---|---|---|
| 14 days | ~14 TB | Single NVR with 16 TB raw |
| 30 days | ~30 TB | Single NVR with 32 TB raw |
| 60 days | ~60 TB | NVR with expansion bay or larger drives |
| 90 days | ~90 TB | Multi-drive NVR or RAID array |
The numbers move significantly with camera count, resolution, frame rate, and motion-only vs continuous recording. Modern encoders make longer retention much cheaper than it was five years ago, but it still scales linearly with retention period. Get this wrong at design and you're either paying to retrofit storage later or running at a lower retention than you think you are because the system is overwriting earlier than expected.
Privacy obligations under the Australian Privacy Principles
CCTV footage of identifiable individuals is personal information under the Privacy Act 1988. For organisations covered by the APPs (most commercial businesses with annual turnover over $3 million, plus all health service providers regardless of size), this triggers a few obligations relevant to retention:
- APP 5: notification of collection. Visible CCTV signage at site entrances satisfies most of this.
- APP 11: security of personal information. Your footage needs reasonable protection from unauthorised access. In practice this means access-controlled NVR rooms, named user accounts on the management software, and audit logging of who pulled what footage when.
- APP 11.2: destruction or de-identification when no longer needed. This is the privacy-side argument against keeping footage longer than you can justify. If you're holding 12 months of footage on a site where 30 days satisfies every legal and operational need, you have exposure you don't need to have.
The pragmatic answer is to set a retention policy in writing, size the storage to match it, and let the system overwrite on schedule. Don't hoard footage you don't need.
Frequently asked questions
Can I keep footage longer than the recommended period?
Yes, where you have a documented reason (active investigation, legal hold, incident response). The expectation under APP 11.2 is that you don't hold personal information indefinitely without a purpose. A documented policy with a stated retention period and a process for putting specific footage on legal hold satisfies the principle in nearly all cases.
What if police request footage older than my retention period?
If the footage is gone, it's gone. There's no obligation to retain footage beyond your stated retention period in case it might be requested later. Document your retention policy and you're on solid ground.
Does retention apply to access control event logs too?
Different framework. Access control event logs (who badged where, when) are typically retained much longer than CCTV footage because the data volume is trivial. We usually configure 12 to 24 months of audit-log retention as standard, with longer retention for compliance-driven sectors.
Can footage be exported and provided to a third party?
Yes, where there's a lawful basis (police request, insurer claim, workplace investigation). The export should be documented (who requested it, what timeframe was exported, who it was provided to) and the integrity of the file should be preserved (most NVR platforms produce a watermarked, hash-verified export for evidentiary use).
What about cloud storage of CCTV footage?
Increasingly common, particularly for multi-site retailers. The retention question doesn't change, but you add Australian-region hosting and vendor SLA considerations. We'll cover that in a separate article.
The practical answer
For a typical Sydney commercial site in 2026, 30 days of footage retention is the right floor. Step it up to 60 or 90 days where sector regulation, insurer requirements, or incident-reporting cycles make the longer window worthwhile. Document the retention period in a one-page policy, size your storage to match, and review it annually. Don't over-retain footage you can't justify holding.
If you'd like a quote that prices a CCTV install around the right retention period for your sector, get in touch. We'll walk the site, ask the right compliance questions, and put a system in that's sized properly the first time.
