The National Privacy Commission (NPC) issued Circular No. 2024-02, dated August 9, 2024, to provide updated guidance on the use of closed-circuit television (CCTV) systems operating in public and semi-public areas. The circular responds to emerging privacy concerns and underscores the continuing need to balance public safety with the right to privacy.
Section 1 clarifies that the rules do not apply to CCTV systems used purely for personal, family, or household affairs—unless the cameras capture images beyond the private residence or non-commercial establishment. Also excluded are lawful surveillance activities conducted by law enforcement, intelligence, and investigative agencies.
Section 3 requires all Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to adhere strictly to the principles of data protection. First, individuals must be informed that CCTV cameras are in operation. Clear and visible notices or signage should be placed in strategic locations so that people are aware of the surveillance and can make informed decisions about their actions.
Second, the purpose of capturing images through CCTV must be legitimate, clearly defined, and properly disclosed to data subjects before the cameras are used. The purpose must never be contrary to law, morals, or public policy.
Third, CCTV systems should be designed and operated to capture only what is necessary. For example, they should not record audio or capture private details unrelated to security objectives. The NPC even encourages the use of motion-activated systems that record only when movement is detected, thereby limiting unnecessary data collection.
Equally important, the means and methods of capturing and processing images must not be manipulative, oppressive, or discriminatory. PICs must also implement contractual or other reasonable means to safeguard personal information—through clear policies, proper deployment, and careful operation of CCTVs. Monitoring must exclude private spaces such as fitting rooms, restrooms, toilets, and lactation rooms. Images must be of appropriate quality, stored securely, and retained only for as long as necessary to fulfill the stated purpose—not merely because storage capacity allows it.
Section 6 affirms that any person whose personal data is recorded has the right to reasonable access to the footage, provided identity is duly verified, the purpose of the request is lawful, and specific details such as date, approximate time, and location are supplied.
Third parties may also request access to footage relating to other persons—for example, to identify malefactors, protect lawful rights, establish legal claims, or aid in law enforcement. The circular lists acceptable grounds for processing personal data of others: law enforcement or criminal investigations, court orders, administrative investigations, or media requests not intended for amusement or entertainment (unless the data subject consents). Such requests, however, must be considered case-by-case and allowed only if the third party’s need outweighs the data subject’s right to privacy.
PICs and PIPs must preserve the relevant footage until the access request is fulfilled, abandoned, or denied and such denial is confirmed by the NPC. A request is deemed abandoned if the requester fails to complete requirements within thirty days from initially notifying the PIC of the intention to view or obtain a copy.
Requests may be denied—even after giving the requester an opportunity to amend—if information is incomplete, frivolous, or vexatious; if the stated purpose is unlawful; if the request is disproportionate to its purpose; if it imposes unreasonable burden or expense; if the footage has been deleted; or if disclosure could compromise an ongoing criminal investigation.
When access is granted, the PIC must ensure that viewing or copying is done securely and that the footage is delivered only to the requesting party. A reasonable fee may be charged to cover administrative costs.
This updated circular is a timely reminder that while CCTVs serve legitimate security functions, their deployment must be carefully balanced with the public’s right to privacy. For businesses and institutions, compliance is not just a legal obligation; it is an ethical imperative to protect personal data in an increasingly surveilled world.
