Last updated:
The Home Ministry ordered a nationwide CCTV audit after secret cameras were installed at Indian railway stations by a spy ring linked to Pakistan’s ISI. Know your rights, laws and penalties.
Delhi Police CCTV Surveillance System. (Image courtesy: moneycontrol)
After the Ghaziabad Police busted a Pakistan-linked espionage ring with direct ISI connections, the Home Ministry has ordered a pan-India audit of CCTV networks in major cities including Delhi and Mumbai. As reported news18The network secretly installed cameras at Delhi Cantonment railway station and Sonipat railway station, equipped with solar panels to ensure round-the-clock footage, relayed live to ISI-linked operators across the border.
A key accused was reportedly paid Rs 10,000 for handing over a video clip. Police departments have been instructed to conduct physical verification of each camera under their jurisdiction and flag any units that cannot be accounted for.
Here are 12 things every Indian should know
1. The Constitution is the foundation on which everything else rests
According to the CCTV Rulebook of India 2026, the Supreme Court KS Puttaswamy vs Union of India (2017) The judgment affirmed privacy as a fundamental right under Article 21. Any surveillance by the state must overcome four hurdles: it must be legally sanctioned, serve a legitimate state purpose, remain proportional to that purpose, and have procedural safeguards. Any surveillance that cannot satisfy all four is unconstitutional.
2. Police stations have their own Supreme Court order
In Paramveer Singh Saini vs Baljeet Singh (2020)The Supreme Court specifically issued binding directions for CCTV systems inside all police stations and central investigating agencies. As recorded in India’s CCTV Rulebook 2026, the cameras must have night vision and audio recording capabilities, cover all lock-ups, entry and exit points and corridors and retain recordings for at least 18 months. Independent monitoring bodies, an inspection committee at the district level and a state level inspection committee should be established to enforce compliance.
3. April 1, 2026 is a tough deadline for camera vendors
According to the office memorandum dated January 16, 2026, from April 1, 2026, only CCTV cameras that conform to the essential requirements of MeitY, are certified by STQC, and are registered under the BIS Compulsory Registration Order, can be legally sold in India. STQC, the Directorate of Standardization Testing and Quality Certification under MeitY, conducts physical testing of devices against a control set that mandates secure boot, digitally signed firmware, disabled physical debug interfaces, no default credentials, encrypted data in transit and at rest and a published software bill of contents detailing the origin of critical components. The STQC certificate is valid for three years, after which recertification is mandatory.
4. Camera operators are data fiduciaries under the law
As established under the Digital Personal Data Protection Act, 2023, any entity operating CCTV is a data fiduciary, with video footage legally treated as personal data. Operators must display physical signage at entry points and publish a detailed notice specifying what is collected, why and who handles complaints. High-risk activities such as large-scale public surveillance may trigger critical data fiduciary status, which requires a dedicated data protection officer and periodic data protection impact assessments.
5. Violations must be reported within six hours, logs must be kept for 180 days
According to CERT-In instructions issued on April 28, 2022, cyber security incidents, including unauthorized camera access, should be reported to CERT-In within six hours of detection, and a detailed follow-up report should be submitted to the Data Protection Board within 72 hours. All system logs covering VMS, access and network activity must be stored in Indian jurisdiction for a period of 180 days. Each DVR, NVR and server must synchronize its clock with the National Physical Laboratory’s NTP server for forensically valid timestamps.
6. Surveillance data cannot leave Indian soil
According to the Home Ministry’s office memorandum dated April 30, 2024, footage of CCTV installed at government establishments and public places should be stored within India, even on cloud platforms. International data residency is no longer legally acceptable for sensitive surveillance feeds.
7. What each state actually demands
State laws add additional obligations on top of the central rules. As documented in India’s CCTV Rulebook 2026, minimum retention and technical requirements vary by geography, and operators must adhere to whichever standard is strictest.
| State | minimum retention | major orders |
| Delhi | 90 days (local instructions) | Form-I Police Registration; ONVIF/PSIA standard |
| Andhra Pradesh | 30 day | Full HD, 24/7 recording, 0.01 lux sensitivity |
| Telangana | 30 day | 50-yard IR range; Form 15 Half Yearly Return |
| Maharashtra | 30 days (180 for ANPR) | 1080p, 2FA for remote access, city integration |
| Karnataka | 30 day | Applicable to premises with up to 100 persons at a time |
8. Sectors have their own monitoring floors
Beyond state law, regional regulators enforce independent mandates. As listed in India’s CCTV Rulebook 2026, the 30-day retention limit is repeated in almost every regulated industry.
| Sector | regulator | Main requirements |
| Banking and ATM | reserve Bank of India | Mandatory CCTV; Preserve investigation-relevant footage |
| airports | bcas | 30 day retention; DG-BCAS approval for footage sharing |
| Railway | RDSO | IP based CCTV in coaches; Retention approximately 30 days |
| hospital | sky | Restrictions on recording of intimate patient care areas |
| medical college | NMC | NVR storage minimum 30 days; Regulator access to live feed |
| education and examination | NTA, CBSE | Continuous recording; Local NVR; UPS backup required |
| hotel | State Tourism Act | No surveillance in guest rooms under any circumstances |
9. CCTV footage in court requires a specific certificate
As required under the Indian Evidence Act, secondary evidence such as a copy of footage on a USB or DVD is inadmissible in court without a Section 65B(4) certificate. If the original DVR or NVR is seized directly, the certificate is not required. To prevent tampering challenges, operators must maintain an unbroken chain of custody by preparing a seizure memo, generating SHA-256 cryptographic hashes of digital files at the point of copying, and maintaining detailed custody logs thereafter.
10. Facial recognition is high-risk and comes with legal stipulations
While no standalone FRT law exists in India, facial recognition is governed by the DPDP Act, which treats biometric data as sensitive personal data and the Puttaswamy proportionality test. As classified by NITI Aayog, FRT is a high-risk technology, with potential for inaccuracy, systemic bias and abuse of mass surveillance. The deployment requires mandatory data protection impact assessments, independent bias audits and public complaint mechanisms. Large-scale use of FRT triggers significant data fiduciary obligations under the DPDP Act, including a mandatory data protection officer.
11. The penalty matrix is ​​serious
As set out in India’s CCTV Rulebook 2026 under multiple legal regimes, non-compliance is a board-level financial and criminal risk.
| governing law | Violation | maximum penalty |
| DPDP Act, 2023 | Failure to implement security measures | Rs 250 crore |
| DPDP Act, 2023 | Failure to notify DPB about violation | Rs 200 crore |
| IT Act, Section 66E | unauthorized occupation of private areas | 3 years jail or Rs 2 lakh |
| IT Act, Section 72/72A | Unlawful disclosure of data | 3 years jail or Rs 1-5 lakh |
| bis act | Selling non-compliant equipment | Product License Cancellation |
12. The six-step compliance SOP every operator needs
As consolidated in India’s CCTV Rulebook 2026, operators will be required to purchase only ER-compliant, STQC-certified, BIS-registered devices. The default password should be changed immediately, encryption should be enabled at rest and in transit, and clocks should be synced with NTP. A written monitoring policy should be in place, with clear signage and local police registration where necessary. The 30 day minimum retention policy should be automated with scheduled deletion. Access should be role-based with immutable audit logs retained for 180 days. Each third-party vendor must sign a data processing agreement confirming India data residency.
March 26, 2026, 12:10 IST
read more
