CCTV Systems for Commercial Buildings in Australia: A Complete Design and Compliance Guide

Installing a CCTV system in a commercial building is no longer a matter of mounting a few cameras and running a coaxial cable to a recorder in the plant room. Modern IP-based systems are networked infrastructure. They have bandwidth requirements, storage calculations, cybersecurity considerations, and legal obligations under Australian privacy law. Get the design right and you have a reliable, scalable security asset. Get it wrong and you have cameras that drop frames, a recorder that fills up in a week, footage that is legally inadmissible, or worse, an attack vector that puts your entire building network at risk.

This guide is written for building managers, facilities managers, property developers, and commercial building owners who need to understand what a properly designed CCTV system looks like before they commission one.

IP Cameras vs Analogue: Why Every Modern Deployment Should Be IP

The first design decision is also the simplest. Any commercial CCTV system installed today should use IP cameras. Analogue camera systems — which transmit video over coaxial cable to a DVR (Digital Video Recorder) — are a legacy technology with hard limits that make them unsuitable for modern commercial buildings.

Why Analogue Is No Longer Fit for Purpose

Analogue cameras are constrained by the bandwidth of a coaxial cable. Resolution tops out at 1080p in the best analogue-HD formats, and even at that resolution, image quality degrades over longer cable runs. Remote access requires additional hardware and configuration that is both expensive and unreliable. Expanding the system typically means running new coaxial cable back to a centralised DVR location — a significant cabling exercise.

What IP Cameras Deliver

IP cameras are network devices. Each camera has its own IP address, connects to a standard network switch via Cat6 cabling, and communicates with an NVR (Network Video Recorder) or cloud VMS (Video Management System) over the building's data network. This architecture delivers several practical advantages:

• Resolution: IP cameras are available from 2MP (1080p) through to 8MP (4K) and beyond. 4K IP cameras deliver four times the pixel density of 1080p, which is significant for identifying individuals in wide-angle shots such as car parks and loading docks.
• Power over Ethernet (PoE): IP cameras draw power directly from the network cable. There is no requirement to run a separate power circuit to each camera location — the PoE switch provides both data and power over a single Cat6 run.
• Remote access: When properly configured, IP systems allow authorised personnel to view live and recorded footage from anywhere via a secure VPN connection.
• Scalability: Adding cameras means adding a network port, not running new coaxial cable to a central head-end.
• Analytics: IP cameras support on-camera processing for motion detection, object classification, line crossing, and facial recognition — functions that are not possible on analogue platforms.

Network Requirements for a Commercial IP CCTV System

Because IP cameras are networked devices, the quality of the network design directly determines the quality of the CCTV system. This is the area where most building CCTV installations fail — not in the choice of camera hardware, but in the network architecture that supports it.

Dedicated VLAN for CCTV Traffic

CCTV must operate on its own VLAN (Virtual Local Area Network), isolated from every other network in the building — resident Wi-Fi, office networks, the Building Management System (BMS), and guest access points. This is not optional. As we cover in detail in our article on why CCTV needs its own network, sharing a network with CCTV creates two categories of risk:

1. Security risk: If an IP camera is compromised — and cameras are a well-documented attack vector — an attacker on a flat network can move laterally to other building systems. An isolated VLAN contains any breach to the CCTV segment.
2. Performance risk: CCTV generates continuous high-bandwidth traffic. On a shared network, this traffic competes with other building services. The result is dropped frames, buffering, and degraded video quality that renders footage unusable.

VLAN segmentation is the foundation of any properly designed building network, not just for CCTV but for access control, intercoms, and BMS as well. A correctly segmented building network assigns each system to its own VLAN with firewall rules controlling exactly which inter-VLAN communication is permitted.

PoE Switches and Wattage Budgeting

CCTV switches must be PoE-capable. The key planning consideration is the PoE wattage budget per switch. Standard PoE (IEEE 802.3af) delivers up to 15.4W per port. PoE+ (IEEE 802.3at) delivers up to 30W per port. High-performance PTZ cameras and cameras with integrated heaters may require PoE+ or higher.

When specifying PoE switches, calculate the total wattage draw of all connected cameras and confirm the switch's total PoE power budget accommodates it — typically 30–50% headroom is prudent. A 24-port switch with a 370W total PoE budget, for example, can realistically power 16 cameras drawing 15W each (240W total) with adequate headroom.

Bandwidth Planning

Every camera generates continuous network traffic. Failing to plan for this traffic is one of the most common causes of CCTV system underperformance in commercial buildings.

Approximate continuous bandwidth requirements per camera:

For a 16-camera system at 1080p using H.265, total VLAN bandwidth consumption is approximately 24–40 Mbps. At 4K H.265, the same 16-camera system consumes 64–128 Mbps. The CCTV VLAN must have sufficient dedicated capacity to carry this traffic without affecting other building services — which reinforces the necessity of VLAN isolation.

Cable Runs: Cat6, Cat6A, and the 90-Metre Rule

Structured cabling for IP CCTV follows the same standards as any other data cabling. Cat6 or Cat6A is the correct specification. The maximum horizontal cable run is 90 metres per the TIA-568 standard (leaving 10 metres for patch leads at each end, for a 100-metre channel limit). This is a hard physical limit — exceeding it results in signal degradation and unreliable PoE delivery.

In a multi-storey commercial building, camera locations beyond 90 metres from the nearest telecommunications room require either:

• A fibre uplink to an intermediate switch located closer to the camera cluster, with PoE provided by that intermediate switch, or
• An active PoE extender at the 90-metre mark.

Proper structured cabling for cameras is planned at the design stage. Retrofitting cable paths in a completed commercial building is expensive and disruptive — camera locations and cable routes should be locked in during the design and construction phase.

NVR vs DVR vs Cloud VMS: Choosing Your Recording Platform

DVR (Digital Video Recorder) — Legacy Only

A DVR accepts input from analogue cameras over coaxial cable. It is not relevant to any IP-based CCTV design. If a supplier is recommending a DVR for a new installation, that is a signal to seek a second opinion.

NVR (Network Video Recorder) — On-Premises Recording

An NVR records video streams from IP cameras over the network. It is the standard recording platform for on-premises CCTV deployments. NVRs are available in rackmount form factors for installation in the building's telecommunications room, alongside the network switches and patch panels.

Key NVR specifications to confirm:

• Camera channel count: Must match or exceed the number of cameras in the design, with headroom for future expansion.
• Incoming bandwidth capacity: Must accommodate the total bandwidth of all connected cameras simultaneously.
• Storage interface: Confirm the number and type of internal drive bays; enterprise NAS-grade hard drives are recommended over consumer desktop drives for continuous write workloads.
• VMS software capabilities: Review the software interface for ease of footage retrieval, user access management, and export functions that produce footage in a legally usable format.

Cloud VMS (Video Management System) — Off-Premises Recording

A cloud VMS eliminates the on-premises NVR. Cameras send their video streams directly to cloud storage, which is then accessed via a web or mobile application. This architecture has genuine advantages — no single point of failure for the recording device, no on-premises hardware to maintain, and remote access is inherent rather than configured.

The trade-offs are material for commercial buildings:

• Bandwidth: All camera streams must traverse the building's internet uplink continuously. A 16-camera 1080p H.265 system uploading 40 Mbps continuously will saturate a modest internet connection. Cloud VMS deployments require a dedicated internet uplink with guaranteed upload capacity.
• Ongoing cost: Cloud storage is billed by storage volume or camera count on a recurring basis. Over a 5–10 year building lifecycle, this cost typically exceeds the capital cost of an on-premises NVR.
• Data sovereignty: Confirm where the cloud provider stores footage and whether the storage location meets the building's privacy and legal obligations.

Many commercial buildings use a hybrid model — on-premises NVR for primary storage with cloud backup for critical camera feeds or overflow.

Storage Planning: How Much Do You Actually Need?

Storage is the aspect of CCTV design most commonly under-planned. The consequences range from the system automatically overwriting footage before the required retention period to the NVR filling completely and stopping recording altogether.

The Storage Calculation

Storage requirement is a function of four variables: number of cameras, resolution (bitrate), retention period in days, and compression codec. The formula is:

Storage (TB) = Cameras x Bitrate (Mbps) x 86,400 (seconds/day) x Retention (days) / 8 / 1,000,000

The table below provides reference figures for common commercial deployment scenarios, using H.265 compression at continuous recording:

These figures assume continuous 24-hour recording. Motion-triggered recording can reduce storage consumption by 40–70% depending on scene activity, but it should not be relied upon as the primary storage management strategy in environments where continuous coverage is a legal or insurance requirement.

Retention Period Requirements

Retention period is not purely a technical decision. It is often determined by:

• General commercial use: 30 days is a widely adopted baseline.
• Regulated industries (financial services, healthcare, gaming): 90 days is common.
• High-security or government facilities: 12 months or longer may be required.
• Insurance requirements: Some commercial property insurers specify minimum retention periods in their policy terms.
• Incident response: The building's security policy should specify the minimum retention required to investigate foreseeable incident types. A theft that is not reported for three weeks, for example, requires more than 30 days of footage.

Always add 20–30% buffer above the calculated storage figure to account for variance in scene activity and bitrate fluctuations.

Camera Placement for Commercial Buildings

Camera placement must be documented in a formal camera placement plan before installation commences. This plan serves as the technical specification for the installer, the evidence base for privacy compliance, and the reference document for insurance and legal proceedings.

Required Coverage Areas

For a commercial building, the following locations are standard minimum coverage zones:

• Building entrances and exits: Every publicly accessible entry and exit point, including fire escape doors where practical.
• Reception and lobby areas: Captures visitor arrival and departure.
• Car park levels: Coverage of drive aisles, access ramps, and pedestrian paths. Wide-angle or fisheye cameras on ramp entries; fixed cameras in drive aisles.
• Lift lobbies and lift interiors: Lift interiors require vandal-resistant dome cameras with wide-angle lenses.
• Loading docks: Full coverage of dock bays and adjacent access routes.
• Plant rooms and server rooms: Access monitoring at entry points; motion-triggered recording is appropriate in low-traffic areas.
• Stairwells: Ground floor and roof access stairwells at minimum; full coverage in higher-security facilities.

Where Cameras Cannot Be Directed

Australian state surveillance device legislation and the Privacy Act place firm restrictions on camera placement. Cameras must not be positioned to record:

• Individual apartments, residential dwellings, or private balconies.
• Toilet facilities, change rooms, or shower areas (this applies to commercial tenancies as well as residential).
• Areas where an individual has a reasonable expectation of privacy.

The camera placement plan should explicitly document the field of view for each camera and confirm that no camera captures any restricted area — even incidentally. This documentation is your evidence of due diligence if a placement is ever challenged.

For information on integrating CCTV with building entry points, see our guide on access control integration.

Australian Privacy and Compliance Requirements

CCTV in Australian commercial buildings intersects with two layers of law: the Commonwealth Privacy Act 1988, and state-specific surveillance device legislation. Both must be satisfied.

Privacy Act 1988 (Cth)

The Privacy Act applies to any organisation with an annual turnover exceeding $3 million, as well as smaller organisations in specific categories (health service providers, businesses that trade in personal information, and others). Because CCTV footage constitutes personal information — it depicts identifiable individuals — organisations to whom the Act applies must meet the Australian Privacy Principles (APPs).

Practical obligations for commercial CCTV operators include:

• Privacy policy: The organisation's privacy policy must address CCTV — what footage is collected, why, how long it is retained, who can access it, and when it may be disclosed to third parties (including law enforcement).
• Purpose limitation: Footage may only be used for the purpose for which it was collected. CCTV installed for security cannot be repurposed for staff performance monitoring without separate disclosure.
• Access controls: Access to live and recorded footage must be restricted to authorised personnel. Login credentials, user access logs, and a defined access authorisation process are expected.
• Security: Footage must be protected against unauthorised access, modification, or disclosure. This includes network-level security (see Cybersecurity section below) and physical security of recording hardware.
• Retention and destruction: Footage must not be retained beyond the period necessary for the stated purpose. Automated overwrite cycles on the NVR satisfy this requirement for routine surveillance footage.

The Privacy and Other Legislation Amendment Act 2024, which received Royal Assent in December 2024, strengthened the OAIC's enforcement powers and introduced civil penalties for non-compliance with compliance notices. Organisations that have historically treated privacy obligations as a low priority should reassess their posture.

State Surveillance Device Legislation

Each Australian state and territory has its own surveillance devices legislation. The two most commonly relevant to commercial building operators are:

New South Wales — Surveillance Devices Act 2007 (NSW)

The NSW Act restricts the use of optical surveillance devices to record a private activity without the consent of the parties to that activity. In a commercial building context, CCTV in common areas — lobbies, car parks, corridors — is generally permissible because those areas are not private. The critical restrictions are:

• CCTV must not record private activities (including activities in apartments, offices used exclusively by one party, change rooms, or bathrooms).
• Audio recording is a separate and more restricted category. CCTV systems that capture audio (i.e., cameras with built-in microphones in active use) may engage the Act's provisions on listening devices. If audio is not required, disable microphone functionality on all cameras.
• In workplaces, covert surveillance of employees is prohibited except in specific, legally defined circumstances.

Victoria — Surveillance Devices Act 1999 (Vic)

The Victorian Act similarly prohibits the use of an optical surveillance device to record a private activity without consent. Installation of cameras in common areas of commercial buildings is permissible with adequate notice. Staff must be informed of surveillance, typically through employment contracts, workplace policies, and signage.

All Jurisdictions

Regardless of state, the following practices are required or strongly recommended:

• Signage: "CCTV in operation" signage must be displayed at every entrance to a surveilled area. Signage must be clearly visible and legible. This serves the dual purpose of satisfying notification requirements under state law and demonstrating compliance under the Privacy Act's notice obligations.
• Documented camera placement plan: As noted above.
• Access log for footage retrieval: Record who accessed footage, when, and for what purpose.

Cybersecurity for IP CCTV Systems

IP cameras are among the most frequently exploited devices on building networks. Compromised cameras have been used as entry points for ransomware attacks, as nodes in DDoS botnets, and as surveillance tools by unauthorised parties. The following controls are not optional in a commercial deployment.

Network Isolation

CCTV must be on an isolated VLAN with no direct route to the internet and no route to other building VLANs except where explicitly required by the firewall policy. A camera that can be accessed directly from the internet via a port-forwarding rule is a camera that will eventually be compromised. This is not a theoretical risk — it is a documented, routine occurrence. For a detailed treatment of this risk, see our guide on building cybersecurity.

Credential Management

Every IP camera ships with a factory-default username and password. These credentials are published publicly by manufacturers for setup purposes. Any camera connected to a network with factory-default credentials is effectively open to anyone who knows the manufacturer and model. Before any camera is commissioned:

• Change the admin password to a strong, unique credential.
• Disable any guest or anonymous access accounts.
• If the camera supports it, disable UPnP (Universal Plug and Play) and any cloud registration features not required by the design.

Firmware Maintenance

IP camera firmware receives periodic updates that patch security vulnerabilities. A camera running firmware from 2020 in 2026 likely has multiple known, publicly documented vulnerabilities. Establish a firmware update schedule — at minimum annually, and promptly following any manufacturer security advisory. Document the firmware version of every camera at the time of installation.

Remote Access via VPN Only

Authorised remote access to the NVR and camera feeds must be via a VPN connection to the building's managed network infrastructure. Direct port-forwarding of NVR management ports to the public internet is not an acceptable remote access solution — it exposes the management interface directly to attack. VPN-only access ensures that only authenticated users with a valid VPN credential can reach the CCTV system.

Maintenance and Ongoing Management

A CCTV system is not a set-and-forget installation. Commercial buildings should define maintenance responsibilities clearly.

Routine Maintenance Tasks

• Lens cleaning: Outdoor cameras accumulate dust, insects, and water marks. Quarterly cleaning maintains image quality.
• Firmware updates: As described above.
• Storage health monitoring: Hard drives in NVRs are operating 24 hours a day, 365 days a year. Drive failure is a when, not an if. The NVR should be configured to send alerts on drive health degradation (using S.M.A.R.T. monitoring). Drives should be replaced proactively, not after failure.
• Recording verification: Periodically confirm that all cameras are recording and that footage can be successfully retrieved and played back. A camera that appears live on a monitor but is not writing to storage is a common failure mode that is not caught until footage is needed.
• Access credential review: Annually audit who has access to the NVR and camera feeds. Remove access for staff who have left the organisation or changed roles.

Defining Responsibility in Commercial Buildings

In strata-titled or multi-tenancy commercial buildings, responsibility for the CCTV system must be explicitly allocated in the building's technology maintenance agreement or in the owners corporation / body corporate by-laws. Ambiguity about who is responsible for firmware updates, drive replacements, and incident response creates gaps that are only discovered after a security incident or a privacy complaint.

How Pickle Designs Commercial CCTV Systems

Pickle designs and installs IP CCTV systems for commercial buildings, office towers, apartment complexes, and mixed-use developments across Australia. Our approach is infrastructure-first: CCTV is designed as part of the building's overall network architecture, not bolted onto an existing shared network.

Every Pickle CCTV deployment includes:

• Dedicated CCTV VLAN with firewall-enforced isolation from all other building networks.
• PoE switch specification and wattage budgeting matched to the camera count and type.
• Storage calculation documented against the building's required retention period.
• Structured cabling design to camera locations with cable runs verified against the 90-metre limit.
• Camera placement plan documented and reviewed for privacy compliance prior to installation.
• NVR or hybrid cloud VMS configuration with VPN-only remote access.
• Handover documentation covering firmware versions, credentials management, and maintenance schedule.

If you are planning a new CCTV system or reviewing the adequacy of an existing installation, contact the Pickle team.

Phone: 1300 688 588 Email: [email protected]

Frequently Asked Questions

Q: Do I need planning approval to install CCTV cameras on a commercial building in Australia?

A: In most cases, no — CCTV installation on a commercial building does not require development or planning approval, as it is considered minor building work. However, if the building is heritage-listed, located within a heritage precinct, or subject to specific tenancy or owners corporation by-laws, restrictions may apply. Always check with the relevant local council and, in strata buildings, the owners corporation or body corporate before proceeding. The privacy and surveillance law obligations described in this guide apply regardless of whether planning approval is required.

Q: How long do I legally have to keep CCTV footage in Australia?

A: There is no single legislated minimum retention period that applies to all commercial CCTV operators in Australia. The Privacy Act 1988 requires that personal information — including CCTV footage — not be retained longer than necessary for the purpose for which it was collected, but it does not mandate a specific minimum. Thirty days is a widely adopted commercial baseline. Some regulated industries have specific requirements (financial services regulators, gaming regulators, and others may prescribe longer periods). Check your industry-specific obligations, your insurance policy terms, and your state's surveillance device legislation for any applicable requirements.

Q: Can I use Wi-Fi cameras instead of cabled IP cameras in a commercial building?

A: Wi-Fi cameras are not recommended for commercial building CCTV deployments. Commercial environments have high RF congestion from existing Wi-Fi networks, tenant devices, and neighbouring buildings — all of which can cause interference, dropped connections, and inconsistent recording. Wi-Fi cameras also complicate VLAN isolation and are generally more susceptible to physical security attacks (a camera that can be power-cycled by removing it from a mount loses its network credentials). Cabled PoE cameras on a dedicated VLAN are the correct solution for any deployment where reliability and compliance matter.

Q: What is the difference between an NVR and a DVR, and which should I use?

A: A DVR (Digital Video Recorder) is designed for analogue cameras connected via coaxial cable. An NVR (Network Video Recorder) is designed for IP cameras connected via a data network. Any new commercial CCTV installation should use an NVR. DVR-based systems are a legacy technology; they cannot support the resolution, analytics, or remote access capabilities of modern IP cameras, and they do not integrate with current network security practices.

Q: My building already has a CCTV system installed. How do I know if it is adequately designed?

A: Four questions identify the most common deficiencies in existing commercial CCTV installations. First, are the cameras on a dedicated VLAN isolated from other building networks? Second, have factory-default camera credentials been changed? Third, is remote access to the NVR via VPN, or is a port-forwarding rule exposing the management interface to the internet? Fourth, when were the cameras last updated with current firmware? If you cannot answer yes to all four, the system has known risk exposures that should be remediated. Pickle offers CCTV network and security audits for existing installations.