top of page

Your CCTV System is processing Personal Data - Here's what the NPC requires

Jun 10, 2026

A Plain-Language Guide to NPC Circular 2024-02 for Philippine Organizations

If your organization operates a CCTV system

Whether at your office, a client site, a retail floor, or a building lobby — you are processing personal data. And under Philippine law, that processing is now governed by a detailed regulatory framework.


NPC Circular No. 2024-02 on Closed-Circuit Television Systems took effect back in August 2024. Issued by the National Privacy Commission (NPC), it applies to all Personal Information Controllers (PICs) and Personal Information Processors (PIPs) that use CCTV to capture, store, or monitor images of individuals.


If your cameras record people, this Circular applies to you.


This article breaks down what the Circular requires, who it covers, and — critically — three issues that most organizations have not yet addressed.



What the NPC Circular 2024-02 Covers

The Circular establishes a compliance framework for CCTV systems centered on five principles drawn directly from the Data Privacy Act of 2012 (RA 10173):


Transparency. Individuals must be informed that they are being recorded. This means prominently placed signage at all surveillance areas — before a person enters the covered space, not after. The signage must identify who is operating the system and for what purpose.


Legitimate Purpose. CCTV may only be used for a clearly defined, lawful purpose — typically security, safety, or crime deterrence. Surveillance for purposes beyond what was originally declared (such as employee performance monitoring or customer behavior tracking) requires a separate lawful basis.


Proportionality and Data Minimization. Cameras must only cover areas necessary for the stated security purpose. The Circular explicitly prohibits monitoring of private spaces: restrooms, lactation rooms, fitting rooms, and similar areas are off-limits regardless of circumstances.


Secure Storage and Defined Retention. Footage must be stored securely, with access restricted to authorized personnel. Organizations must define — and enforce — a retention period. Footage that is no longer needed for its stated purpose must be deleted.


Data Subject Rights. Individuals captured in CCTV footage have the right to reasonable access to recordings in which they appear. Organizations must have a documented process for handling such

requests.



Who Is Most Exposed

The Circular applies broadly, but certain industries face heightened compliance obligations because of how deeply CCTV is embedded in their operations:


  • Private Security Agencies — whose guards monitor client-owned CCTV systems as part of their daily deployment

  • Retail and Commercial Establishments— operating multi-camera systems across floors, entrances, and stockrooms

  • Building Administrators and Property Managers — responsible for common area surveillance in condominiums, offices, and mixed-use developments

  • Financial Institutions — operating mandatory surveillance under both NPC and BSP requirements

  • Healthcare Facilities and Schools — managing sensitive environments where footage may capture especially vulnerable individuals


If your organization falls into any of these categories, the three issues below are not hypothetical — they are live compliance gaps that require action now.



Three Issues Organizations Must Address

Issue 1: Data Sharing Agreements for CCTV Access


The problem:

Many organizations allow third parties — contracted security agencies, IT service providers, maintenance personnel, or building administrators — to access or monitor their CCTV systems as part of a service arrangement. In the vast majority of these cases, no formal Data Sharing Agreement (DSA) exists.


Under NPC Circular 2024-02, when a third-party accesses CCTV footage owned by another organization, a formal legal arrangement must govern that access. The organization that owns the CCTV system is the Personal Information Controller. The third party accessing it is the PIP. The DPA requires a written contract between them — one that defines exactly what footage can be accessed, for what purpose, under what security controls, and for how long.

Without a DSA, the third party's access to footage constitutes unauthorized processing of personal data — regardless of how long the arrangement has been in place or how routine it feels.


Action items:

  • Audit which third parties currently have access to your CCTV systems — whether through direct monitoring, remote viewing, or footage retrieval.

  • For each such arrangement, confirm whether a DSA is in place.

  • Where no agreement exists, initiate drafting immediately. Prioritize active deployments and high-traffic surveillance environments.

  • Ensure DSA terms are incorporated into future service contracts before signing.



Issue 2: Staff Protocols for CCTV Access and Disclosure


The problem:

Personnel who monitor CCTV systems — whether employed directly or deployed by a service provider — routinely make decisions about footage without formal guidance: who can view it, when it can be shared, what happens when law enforcement requests it, and whether a guard can screenshot or forward an image via a messaging app.

The Circular is unambiguous: CCTV footage may only be disclosed for specific lawful purposes, including law enforcement requests supported by proper legal process, court orders, administrative investigations, or direct requests by the data subject. Informal sharing — even within the organization, even among colleagues, even with good intentions — does not meet this standard.

The practical risk is significant. A guard who takes a photo of a monitor and sends it to a supervisor via Viber has created an unauthorized copy of personal data, transmitted it outside of the controlled system, and stored it on a personal device with no security controls. This is a personal data breach under NPC Circular 16-03 — reportable to the NPC within 72 hours.


Action items:

  • Establish a written CCTV Access and Disclosure Policy. It must specify who is authorized to view footage, under what circumstances footage may be shared, the procedure for responding to law enforcement requests, and the prohibition on personal device capture of footage.

  • Incorporate CCTV access protocols into staff orientation and security briefings.

  • Brief supervisors and team leads specifically if they are the first point of contact when a disclosure request or incident occurs, and they must know the correct escalation path.

  • Treat any unauthorized sharing of CCTV footage as a security incident requiring DPO notification.



Issue 3: Compliance for Organization-Owned CCTV Installations


The problem:

Organizations that focus on their CCTV vendor contracts and third-party access arrangements often overlook compliance obligations for their own cameras — the systems in their lobby, office floor, parking area, or training facility. These installations are subject to the full requirements of the Circular, and most were set up before NPC 2024-02 took effect.

Common gaps in existing installations include: no visible signage at surveillance points, no defined or enforced retention period (footage accumulating indefinitely), no access log for who has retrieved or reviewed footage, and no process for responding to data subject access requests.


Action items:

  • Conduct a physical audit of all organization-operated CCTV installations. Document the location of each camera and what area it covers.

  • Confirm that signage meeting NPC requirements is posted at every surveillance point — before the area is entered, not inside it.

  • Establish and document a retention period for footage, depending on the security purpose and any applicable industry requirements. Configure your recording system to enforce automatic deletion at the retention period's end.

  • Implement an access log for footage retrieval. Every instance of footage being viewed, copied, or shared — for any purpose — should be recorded: date, time, person who accessed it, and the reason.

  • Draft a simple procedure for data subject access requests. If a visitor or employee asks to view footage in which they appear, your staff must know exactly what to do.



A Note on Private Security Agencies

NPC Circular 2024-02 has particular significance for the Private Security Agencies (PSAs). Security Guards are often the only personnel on-site with real-time access to client CCTV feeds — especially during overnight shifts, holidays, and emergency situations.


This means security agencies occupy a dual role: as Personal Information Processors under their clients' CCTV systems, and as Personal Information Controllers under their own installations. Both roles carry distinct obligations under the Circular, and both are active today — not contingent on a future system upgrade or contract renewal.


PSAs that have not yet addressed CCTV compliance should treat it as a priority item alongside their obligations under NPC Circular 2025-01 on Body-Worn Cameras and Alternative Recording Devices. The NPC's posture toward the security sector has become increasingly specific, and the expectation of compliance is no longer implied — it is explicit.



How Cosaint Consulting Inc. can help

Cosaint Consulting Inc. provides data privacy compliance advisory services to Philippine organizations navigating NPC regulatory requirements.


If you have questions about how NPC Circular 2024-02 applies to your organization, or if you would like to schedule a compliance review, you can send an email to info@cosaintconsulting.com.

bottom of page