Childcare CCTV Compliance in Victoria (2025–2026): Legal Requirements, Privacy & Placement Rules

Introduction to Childcare Monitoring Reforms in Victoria (2025-2026)

Victoria’s childcare sector will undergo significant updates from August 2025 to strengthen child safety following misconduct concerns. A statewide pilot will test CCTV while balancing privacy, alongside tighter device controls and new workforce oversight.

Key updates for childcare centres in Victoria (2025–2026):

CCTV pilot (Oct–Nov 2025): Approximately 300 childcare centres will participate in a statewide trial of surveillance systems, supported by $189 million in federal funding, to assess effectiveness with appropriate privacy safeguards.
Personal device ban (from 1 Sept 2025): Personal electronic devices (e.g., cell phones) are prohibited. Victorian centres must comply by 26 Sept 2025. Only service-issued devices may be used for photos, video, or recordings.
Workforce registers: A Victorian register of childcare workers will track qualifications and conduct, with a national register in 2026 to support screening and improved training.
Independent regulation: Victoria has adopted 22 recommendations from a recent report, with an independent regulator to be established by year-end to improve oversight and enforcement.
What this means for owners/directors: Map operational policies to align federal pilot expectations with state mandates, update privacy and device policies, plan CCTV governance and data retention, and prepare staff training against the new registers and regulator requirements.

Generic, off-the-shelf approaches rarely meet these obligations. A modern, integrated compliance and safety strategy is essential.

Schedule your free site visit now!

Call +61 406 432 691 or complete the form and we will contact you.

2025 Compliance Update · VIC & AU

Childcare & Education CCTV — what changed and how we make you compliant

National pilot: CCTV trial in ~300 childcare centres (2025) — higher expectations for coverage, storage and access controls.

Victoria: personal mobile device restrictions apply in early learning settings from 26 Sep 2025 — update your centre policies.

Privacy & surveillance laws: align with APPs (Privacy Act) and Surveillance Devices Act (VIC); exclude private areas and control access to footage.

Compliance Guide Secure Design Policy Pack

Last updated: 22 Aug 2025 • By Sipko Security (Melbourne)

Implementation checklist

Zone audit: entrances, corridors, play areas — exclude toilets/changerooms/sleep rooms.
NVR hardening: VLAN, MFA, no open ports, encrypted storage, audit logs.
Retention & access: 14–30 days baseline, parent access workflow, incident export.
Policy refresh: CCTV use + personal device restrictions; staff training & notices.

📹 Key Regulatory Frameworks Governing CCTV in Victorian Childcare

CCTV in Victorian childcare must comply with both federal and state laws. Providers need clear policies that meet the Privacy Act 1988 (APPs), the Surveillance Devices Act 1999 (VIC), Victoria’s Child Safe Standards, and the National Quality Framework (NQF) updates commencing 1 September 2025.

Legal and compliance essentials for centres

Privacy Act 1988 & APPs (Federal): Treat CCTV footage as personal information. Notify families, staff, and visitors; explain purposes; limit use to safety/security; store securely with restricted access; set retention and deletion rules; and respond to access requests while preventing unauthorised disclosure or breaches.
Surveillance Devices Act 1999 (VIC): Prohibits recording of private activities without consent. Open, overt CCTV in common areas with low privacy expectations can be permissible; hidden/secret recording is restricted. Breaches can attract penalties including fines or imprisonment.
Child Safe Standards (Victoria): Embed safety in governance and daily practice. Use CCTV as part of risk management (e.g., monitoring interactions and access points) while ensuring equity and fairness in how surveillance is applied.
NQF updates from 1 Sept 2025: Services must implement policies for safe digital technologies—including CCTV—covering purpose, signage/notification, access controls, retention, complaints, and incident/breach response.
Risk assessments: Conduct and document assessments that map federal and state obligations to your premises layout and operations. Identify high-risk areas, justify camera placement, define who can view/export footage, and align staff training with policy.

Off-the-shelf setups are rarely sufficient. Documented policies, clear signage/notifications, and secure workflows are essential for lawful, child-safe CCTV.

📷 Camera Placement Rules: Allowed and Prohibited Zones in Childcare Settings

Strategic camera placement for Victorian childcare (mobile-first cards) — align with the Surveillance Devices Act (VIC), the Australian Privacy Principles, Child Safe Standards, and NQF updates (from 1 Sept 2025). Keep cameras overt, fixed, and purpose-limited.

Where cameras are prohibited vs permitted

Prohibited areas (high privacy)

Toilets and bathrooms
Changing rooms / nappy-change stations
Dressing rooms or showers
Bedrooms / sleep rooms / rest areas
Private staff spaces (e.g., locker rooms)

Recording intimate activity without consent may breach the Surveillance Devices Act 1999 (VIC) and APPs. Do not install or angle into these zones.

Surveillance Devices Act (VIC) APPs — Sensitive personal info

Permitted areas (public / low-privacy)

Entrances and exits for access control
Foyers and reception for visitor monitoring
Hallways and circulation spaces
Indoor learning areas and common rooms
Outdoor play yards and perimeter gates
Pantries and kitchens for safety/security

Use open systems with signage. Angle to avoid capturing private rooms or neighbouring property.

Child Safe Standards — risk management NQF digital tech policies

Placement & signage requirements

Overt, fixed cameras — no hidden or covert devices.
Mount at child-safe heights; set tight fields of view; mask or exclude private areas.
Clear signage at entries: purpose, operator, and contact details.
Disable audio unless a lawful, documented justification exists.
Retention limits, secure storage, and role-based access; log every export/view.

APPs require transparency, purpose limitation, access on request, and breach prevention.

2025 pilot & compliance audits

Test placements in line with state guidance during the 2025 CCTV pilot.
Document camera justifications (risk addressed, location, angle, masking).
Maintain a site plan, signage record, and retention schedule.
Run periodic audits against Child Safe Standards & NQF policies.
Use findings to remediate quickly and avoid penalties.

Keep an evidence trail: risk assessment → installation plan → approval → commissioning → review.

🔒 Transparency, Consent, and Data Handling Requirements

Transparency & Notifications are central to ethical surveillance under the APPs and NQF updates. Centres must explain why CCTV is used, how footage is handled, and how families and staff can exercise their rights.

APPs/NQF transparency checklist for Victorian childcare

Signage & written notice: Place clear signs at entrances and all monitored areas and provide written notification to parents, staff, and visitors. State the purpose (e.g., safety monitoring), who operates the system, and how footage is managed.
Consent model: For overt systems with signage, consent is generally implied. Maintain explicit policies describing who may access footage and how requests are handled. Parents may request footage of their child, subject to privacy/redaction of others.
Data minimisation (APP 3): Capture only what is necessary; avoid private spaces and excessive angles. Use privacy masking where possible.
Security (APP 11): Store footage on encrypted servers, protect access with roles/MFA, and keep audit logs of viewing/export. Have a documented data-breach response plan.
Retention limits: Keep footage only as long as needed—typically 14–30 days—and delete securely unless required for an investigation, incident, insurance, or legal hold.
Access & correction (APPs 12–13): Provide a process for individuals to request access to footage about them (or their child) and to request correction, balancing others’ privacy.
2025 pilot readiness: Update CCTV/digital-risk policies, train staff on breach prevention and lawful disclosure, and align federal (APPs) and state obligations to reduce liability.

Generic notices are not enough. Use clear signage, written policies, defined retention, and secure workflows to meet APPs and NQF transparency requirements.

Sipko Security - Transparency, Consent, and Data Handling Requirements in Melbourne

📋 Incident Procedures and Access Requests

Incident response & evidence management — Centres must meet NQF reporting timelines while complying with APPs for access, security, and lawful disclosure. Use clear procedures so CCTV supports safety without breaching privacy.

What centres must do (NQF + APPs)

NQF 24-hour reporting: For any allegation, complaint, or suspected/actual abuse, notify the Regulatory Authority within 24 hours. Record the event in the service’s incident register and trigger your child-safety escalation pathway.
Preserve relevant footage (legal hold): Immediately override normal retention when footage may be evidence. Mark the camera(s)/times affected, export to a secure repository, and retain until the investigation or legal matter is finalised. Keep a chain-of-custody log (who exported, hash/checksum, where stored).
Access requests under APPs (12–13): Fulfil requests within 30 days unless a permitted exception applies (e.g., to protect an active investigation or others’ privacy). Provide redacted copies or supervised viewing, and document reasons for any refusal/deferral.
Secure sharing & audit trail (APP 11): Share footage only on a need-to-know basis using encrypted transfer, expiring links, or on-site viewing. Maintain immutable logs of who accessed what, when, and why, including any copies provided to police, insurers, or regulators.
Retention & deletion rules: Routine retention is typically 14–30 days; apply secure deletion once the period ends. If footage is subject to an incident, complaint, insurance claim, or legal hold, retain it beyond the standard window until the matter closes.
Incident playbook (quick steps): (1) Make the area safe and escalate safeguarding, (2) isolate and preserve relevant footage, (3) complete incident report & notify within 24h, (4) assess privacy impacts and redact third-party images where feasible, (5) respond to any APP access requests, (6) review and improve controls.
Reforms 2025–2026 linkage: Update policies, staff training, and audits so these procedures align with Victoria’s Child Safe Standards and NQF digital-technology requirements—reducing liability and strengthening risk response.

Incident report form Legal hold notice Footage access request Chain-of-custody log

Effective practice combines timely reporting, evidence preservation, and privacy-safe access with clear audit trails and trained staff.

Get your Victorian childcare CCTV compliance-ready

Be audit-ready for the NQF updates (from 1 Sept 2025) and the 2025 CCTV pilot. We help centres align with the APPs, Surveillance Devices Act (VIC), and Child Safe Standards—from camera placement plans and signage to retention policies, access workflows, and breach prevention training.

Book a Free Compliance Assessment Call the Compliance Team: +61 406 432 691

APPs — Privacy Act 1988 Surveillance Devices Act (VIC) Child Safe Standards NQF digital tech policies

We Help People In Solving House Security

Our works

What Our Clients Say

Frequently Asked Questions (FAQ)

1. Is CCTV mandatory for Victorian childcare centres from September 2025?

The NQF updates (from 1 Sept 2025) require clear policies for safe digital technologies, including CCTV. Victoria will pilot CCTV across ~300 centres in late 2025. CCTV use must comply with the APPs, the Surveillance Devices Act (VIC), and Child Safe Standards.

2. Where can cameras be placed—and where are they prohibited?

Place cameras in low-privacy, public areas (entries/exits, foyers, halls, indoor learning rooms, outdoor play). Do not record high-privacy areas: toilets, bathrooms, showers, changing/nappy rooms, bedrooms/sleep rooms, or private staff spaces. Angle to avoid private elements and neighbouring properties.

3. What signage and notifications are required?

Use clear entrance signage stating purpose (safety/security), operator, contact details, and that CCTV is operating. Provide written notices to parents, staff, and visitors. Overt systems with signage generally rely on implied consent under the APPs, supported by explicit internal policies.

4. How long should we retain footage?

Adopt a 14–30 day default retention window with secure deletion thereafter. If footage is relevant to an incident, complaint, insurance, or investigation, immediately place a legal hold and retain until the matter is resolved (with auditable chain-of-custody).

5. Who can access footage and how quickly must we respond?

Parents may request footage of their child; respond within 30 days under the APPs, applying redaction or supervised viewing to protect others’ privacy. Maintain role-based access, MFA, encryption, and immutable access/export logs.

6. Can we record audio?

Avoid audio by default—covert or unnecessary audio can breach the Surveillance Devices Act (VIC) and APPs. Only enable where there is a lawful, documented justification and clear notice; otherwise keep audio disabled.

7. What are our duties during incidents or allegations?

Under the NQF, notify the Regulatory Authority within 24 hours. Preserve relevant footage immediately (override normal retention), document chain-of-custody, and share securely on a need-to-know basis. After closure, delete per policy and review controls and training.