Security June 23, 2026 12 min read

Guidelines for Video Surveillance in Commercial Settings

A practical walkthrough of IPC Ontario video surveillance guidelines for facility managers, IT managers, and security contractors planning compliant installations.

vella
Velocity Cabling — Toronto & GTA

Video surveillance in commercial and institutional settings is not just a technical deployment problem. In Ontario, it carries legal obligations under provincial privacy law, and getting the installation wrong, either technically or procedurally, creates real liability. The Information and Privacy Commissioner of Ontario published guidelines specifically addressing how organizations should plan, implement, and manage video surveillance systems. What follows is a practical walkthrough of those guidelines, structured for the people who actually design and operate these systems.

This guide follows the IPC Ontario’s published surveillance guidelines closely. The framing is technical and operational, aimed at facility managers, IT managers, and the cabling and security contractors working alongside them. Every major point traces back to that source document. Nothing here is invented.

Step 1: Establish a Legitimate Purpose Before Anything Is Installed

The IPC guidelines are explicit: the decision to deploy video surveillance must be justified by a clear, documented purpose. That purpose has to be specific. “General security” is not enough. You need to identify what threat or operational problem the cameras are meant to address, whether that is theft in a particular area, after-hours access control, or safety monitoring in a hazardous work zone.

The guidelines require that organizations ask whether the surveillance is actually necessary. This means considering whether less privacy-invasive alternatives could achieve the same result. If better lighting and access control would solve the problem, cameras may not be warranted. Document this analysis. If you are ever challenged, your written rationale is your first line of defense.

Key questions to answer in writing before any equipment is ordered:

  • What specific problem does this surveillance address?
  • What evidence exists that the problem is real and ongoing?
  • Have less intrusive measures been tried or evaluated?
  • Who has authorized this deployment, and at what organizational level?

Step 2: Limit Scope to What the Purpose Actually Requires

Once you have a legitimate purpose, camera placement and field of view must be limited strictly to what is needed to fulfill it. The IPC guidelines stress that surveillance should be no more extensive than necessary. Cameras should not be positioned to capture areas beyond the defined scope, and they should never be placed in areas where people have a heightened expectation of privacy, specifically washrooms, change rooms, and medical examination areas.

In practice, this means doing a proper site survey before finalizing any camera layout. Walk the space. Map the coverage zones. Identify where the field of view will reach. If a camera monitoring a warehouse loading dock also captures a portion of a staff lounge through a window, that is a problem that needs to be corrected at the design stage, not after installation.

The guidelines also note that covert surveillance is only justifiable in exceptional circumstances, and even then requires strong justification. The default is always overt, visible cameras. Covert installation without proper justification is not a grey area under Ontario privacy law.

Step 3: Develop a Written Privacy Policy for the System

A privacy policy for a surveillance system is not a corporate formality. It is an operational document. The IPC guidelines specify that organizations must have a written policy governing how the system works and how the recorded information is handled. This policy should cover:

  • The stated purpose of each camera or camera zone
  • Who is authorized to access live feeds and recorded footage
  • How long recordings are retained and on what media or platform
  • How recordings are securely deleted or destroyed at end of retention
  • The process for handling access requests from individuals who appear in footage
  • How security incidents or unauthorized access to footage are handled

Retention periods should be as short as possible. The IPC guidelines do not mandate a specific number of days, but they are clear that footage should not be kept longer than is necessary for the purpose it was collected for. Many organizations use 30 days as a default. If your purpose is to investigate incidents after the fact, consider what your actual incident detection lag is, then set retention accordingly and document the reasoning.

Step 4: Post Clear and Conspicuous Notice

People entering a surveilled space must know that surveillance is in operation. The IPC guidelines require that notice be posted at all entrances to areas where cameras are in use. The notice cannot be hidden, small, or ambiguous. It needs to be visible before a person enters the surveilled zone, not after.

Each notice should include:

  • A clear statement that video surveillance is in use
  • The name of the organization conducting the surveillance
  • The contact information for the person responsible for the system
  • The purpose of the surveillance

A sign that reads “24-Hour Video Surveillance in Operation” with a contact name and phone number satisfies the basic requirement. A small sticker on a door frame at shoulder height does not. Size, placement, and readability all matter. Post the sign at eye level, at or before the point of entry into the monitored area.

Step 5: Control and Audit Access to Footage

Who can watch the live feed? Who can review recorded footage? Who can export a clip? These are not casual decisions. The IPC guidelines require that access to surveillance footage be restricted to authorized individuals, and that access be tied to the legitimate purpose of the system. A manager who has no operational reason to review warehouse camera footage should not have login credentials to the NVR.

From a technical standpoint, this means configuring your VMS or NVR with role-based access controls. Do not share administrator credentials. Assign view-only roles to staff who need situational awareness but not playback. Log access events. Most enterprise-grade NVR and VMS platforms support access logging natively. Enable it, and review those logs periodically.
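The periodic log review described above can be scripted. The following is an added example, not taken from the IPC guidelines or any vendor's tooling; the CSV column layout, role names, and user names are assumptions, and the log lines are constructed.

```python
import csv
import io

# Assumed role model (hypothetical names): actions each role may perform.
ROLE_ACTIONS = {
    "viewer": {"login", "live_view"},
    "investigator": {"login", "live_view", "playback", "export"},
    "admin": {"login", "live_view", "playback", "export", "config_change"},
}
# Assumed authorization register taken from the written policy: user -> role.
AUTHORIZED = {"jchen": "viewer", "mpatel": "investigator", "sysadmin1": "admin"}
SHARED_ACCOUNTS = {"admin", "root", "operator"}  # generic logins with no single owner

# Constructed sample log; the column layout is an assumption, not a vendor format.
SAMPLE_LOG = """timestamp,user,action,camera
2026-06-01T09:02:11,jchen,live_view,dock-01
2026-06-01T09:40:37,jchen,export,dock-01
2026-06-02T14:15:02,mpatel,playback,dock-02
2026-06-03T23:51:48,admin,export,lobby-01
2026-06-04T08:30:00,tformer,login,
2026-06-04T10:05:19,mpatel,export,dock-02
"""

def review_access_log(text):
    """Return (findings, exports): policy violations and every export event."""
    findings, exports = [], []
    for row in csv.DictReader(io.StringIO(text)):
        user, action, ts = row["user"], row["action"], row["timestamp"]
        if action == "export":
            exports.append(row)  # footage leaving the system is always reviewed
        if user in SHARED_ACCOUNTS:
            findings.append((ts, user, "shared account in use"))
        elif user not in AUTHORIZED:
            findings.append((ts, user, "user not in authorization register"))
        elif action not in ROLE_ACTIONS[AUTHORIZED[user]]:
            findings.append((ts, user, f"{action} exceeds {AUTHORIZED[user]} role"))
    return findings, exports

if __name__ == "__main__":
    findings, exports = review_access_log(SAMPLE_LOG)
    for ts, user, reason in findings:
        print(f"FINDING {ts} {user}: {reason}")
    print(f"{len(exports)} export events to reconcile against documented requests")
```

A finding of the third kind means the platform's role configuration does not match the policy, since a correctly configured view-only role could not have produced the event.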

The guidelines also address third-party access. If law enforcement requests footage, or if footage is needed for a legal proceeding, that process should be defined in your policy before the request arrives. Know what your organization’s legal obligations are, and do not release footage informally.

Step 6: Secure the System Against Unauthorized Access

Physical and cybersecurity of the surveillance infrastructure is part of privacy compliance, not separate from it. The IPC guidelines state that organizations must protect personal information against unauthorized access, use, or disclosure. For a networked camera system, that is a meaningful technical obligation.

Baseline requirements for any commercial IP camera deployment:

  • Change default credentials on every camera and NVR before the system goes live
  • Isolate camera traffic on a dedicated VLAN, separate from general corporate LAN traffic
  • Restrict NVR and VMS management interfaces to specific internal IP ranges, not the open internet
  • Apply firmware updates on a regular schedule; cameras are an active attack surface
  • Encrypt footage in transit and at rest where the platform supports it
  • Lock the NVR cabinet or server room; physical access to the recorder is access to the footage
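
The baseline above can be checked against a device inventory before go-live and at each review. This is an added example, not part of the IPC guidelines; the inventory field names, VLAN ID, firmware review interval, and device records are assumptions and constructed sample data.

```python
import ipaddress
from datetime import date

CAMERA_VLAN = 40             # assumed dedicated surveillance VLAN ID
MAX_FIRMWARE_AGE_DAYS = 180  # assumed firmware review interval
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory; field names are hypothetical and filled from your own records.
# 203.0.113.0/24 is a documentation range standing in for a public address block.
INVENTORY = [
    {"name": "dock-01", "vlan": 40, "default_creds": False,
     "mgmt_allow": ["10.20.0.0/24"], "firmware_date": date(2026, 4, 2), "tls": True},
    {"name": "lobby-01", "vlan": 1, "default_creds": True,
     "mgmt_allow": ["0.0.0.0/0"], "firmware_date": date(2024, 11, 15), "tls": False},
    {"name": "nvr-01", "vlan": 40, "default_creds": False,
     "mgmt_allow": ["10.20.0.0/24", "203.0.113.0/24"],
     "firmware_date": date(2026, 5, 20), "tls": True},
]

def mgmt_source_is_internal(cidr):
    """True only if the whole allowed range sits inside a private network."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(parent) for parent in INTERNAL)

def audit_device(dev, today):
    issues = []
    if dev["default_creds"]:
        issues.append("default credentials still set")
    if dev["vlan"] != CAMERA_VLAN:
        issues.append(f"on VLAN {dev['vlan']}, expected {CAMERA_VLAN}")
    for cidr in dev["mgmt_allow"]:
        if not mgmt_source_is_internal(cidr):
            issues.append(f"management reachable from non-internal range {cidr}")
    if (today - dev["firmware_date"]).days > MAX_FIRMWARE_AGE_DAYS:
        issues.append("firmware older than review interval")
    if not dev["tls"]:
        issues.append("footage not encrypted in transit")
    return issues

def audit(inventory, today):
    return {dev["name"]: audit_device(dev, today) for dev in inventory}

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, date.today()).items():
        print(name, "OK" if not issues else "; ".join(issues))
```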

Cloud-managed camera systems introduce additional considerations around where footage is stored and which of the cloud provider’s staff can access it. Your privacy policy needs to address this, and your vendor agreement should specify what the provider can and cannot do with the data.

Step 7: Establish a Process for Individual Access Requests

Under Ontario’s Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the Freedom of Information and Protection of Privacy Act (FIPPA), individuals may have the right to request access to recordings in which they appear. For private sector organizations, the Personal Information Protection and Electronic Documents Act (PIPEDA) and Ontario’s private sector privacy legislation create similar obligations.

The IPC guidelines are clear that organizations need a defined process for responding to these requests. That process should include who receives the request, how identity is verified, how footage is located and reviewed, and how third-party privacy in the same footage is handled before disclosure. Often, footage that captures one person also captures others, and those individuals’ images may need to be obscured before releasing a clip to the requestor.

Designate a privacy officer or responsible individual before the system is operational. That person’s contact information should be on your public notice signs. They should know the applicable legislation and understand the response timelines.

Step 8: Review the System Periodically

Surveillance systems tend to expand over time. A camera added for a specific purpose gets repurposed. Retention periods set at deployment never get revisited. Staff turnover means credentials get shared. The IPC guidelines recommend periodic review of the entire surveillance program to confirm that it is still operating within its stated purpose and that privacy safeguards are holding.

A practical annual review should cover:

| Review Area | What to Check |
|---|---|
| Camera placement | Has anything changed that shifts a field of view into a private area? Have new cameras been added informally? |
| Access credentials | Are former employees still in the system? Have shared passwords been rotated? |
| Retention settings | Is the NVR actually overwriting on schedule, or is storage full and retention has silently failed? |
| Notice signage | Are signs still in place, legible, and current with the correct contact information? |
| Purpose alignment | Is the system still being used for the purposes it was authorized for, or has scope crept? |
| Firmware and software | Are cameras and NVR running current firmware? Are any known CVEs unpatched? |

Document the review. If issues are found, record what corrective action was taken and when. This documentation matters if a complaint is ever filed with the IPC or if the system becomes evidence in a legal matter.
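
The retention check in the review can be automated from a listing of recording segments. This is an added example, not from the IPC guidelines; the 30-day period, the thresholds, and the segment index are assumptions and constructed sample data.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)     # assumed; use the period in your written policy
GRACE = timedelta(days=1)          # overwrite jobs do not run to the exact second
MAX_SILENCE = timedelta(hours=24)  # assumed: no new footage for a day means recording stopped

# Constructed index of (camera, segment start); a real one would come from
# the recorder's own export or a listing of its storage volume.
SEGMENTS = [
    ("dock-01", datetime(2026, 5, 25, 0, 0)),
    ("dock-01", datetime(2026, 6, 23, 11, 0)),
    ("lobby-01", datetime(2026, 3, 1, 0, 0)),
    ("lobby-01", datetime(2026, 6, 23, 11, 30)),
    ("dock-02", datetime(2026, 5, 30, 0, 0)),
    ("dock-02", datetime(2026, 6, 10, 8, 0)),
]

def retention_findings(segments, now):
    """Flag cameras that keep footage too long or have stopped recording."""
    span = {}
    for cam, start in segments:
        oldest, newest = span.get(cam, (start, start))
        span[cam] = (min(oldest, start), max(newest, start))
    findings = {}
    for cam, (oldest, newest) in sorted(span.items()):
        problems = []
        if now - oldest > RETENTION + GRACE:
            age = (now - oldest).days
            problems.append(f"oldest footage is {age} days old; overwrite is not running")
        if now - newest > MAX_SILENCE:
            problems.append("no recent footage; recording has stopped")
        if problems:
            findings[cam] = problems
    return findings

if __name__ == "__main__":
    for cam, problems in retention_findings(SEGMENTS, datetime(2026, 6, 23, 12, 0)).items():
        print(cam, "->", "; ".join(problems))
```

Both conditions are checked because they fail in opposite directions: one keeps personal information longer than the policy allows, the other leaves the documented purpose unserved without anyone noticing.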

How These Steps Work Together

The guidelines are not a checklist to run through once at installation and then forget. They describe an ongoing governance posture. Purpose justification defines scope. Scope defines camera placement. Placement determines what your notice signs need to say. The privacy policy governs access, retention, and response to requests. Security controls protect the system. Periodic review keeps everything honest over time.

For contractors and integrators, the practical takeaway is that you should be raising these questions with clients before the design is finalized. A client who has not documented their purpose, has not designated a privacy officer, and has no policy for retention or access requests is not ready to deploy a compliant system. Flagging that early is part of doing the job properly.

Frequently Asked Questions

Can we install cameras in a staff break room if theft has been reported there?

This is exactly the kind of situation the IPC guidelines address. Employees have a heightened expectation of privacy in break rooms. You would need documented evidence that theft is occurring there, evidence that less intrusive measures have failed, and a clear limited purpose. Covert cameras in that space would require exceptional justification and carry significant legal risk.

How long should we retain footage if no incident has been flagged?

The IPC guidelines do not prescribe a fixed number of days, but they are clear that retention should be as short as the purpose allows. Thirty days is a common default in commercial deployments. Document the reasoning behind whatever period you choose, and verify that your NVR is actually overwriting footage on that schedule.

Does a private business in Ontario need to follow these IPC guidelines?

The IPC guidelines specifically address public sector bodies under MFIPPA and FIPPA, but the underlying privacy principles apply broadly. Private sector organizations handling personal information in Ontario are subject to PIPEDA at the federal level and should treat the IPC guidelines as best practice. The principles around purpose limitation, notice, access, and retention reflect obligations under multiple legislative frameworks.

What information must be on a surveillance notice sign at minimum?

The IPC guidelines specify that signs should state that video surveillance is in use, identify the organization responsible, provide a contact name or number for inquiries, and state the purpose of the surveillance. The sign must be visible before a person enters the monitored area, not after they are already inside it.

If police request our footage, are we required to hand it over without a warrant?

This depends on the legislative context, but the IPC guidelines recommend that organizations have a defined process for law enforcement requests before one arrives. Voluntary disclosure without a warrant is generally permissible but not required. Organizations should consult legal counsel and document any disclosure, regardless of how the request is made.

vella
Commercial cabling specialist at Velocity Cabling, serving Toronto and the Greater Toronto Area for over 20 years. TIA-568 certified, Fluke DSX tested on every project.