How to Set Up Internet for a Strata Building So the CCTV Can Be Accessed: A Deep Dive
Putting cameras up is the easy part. The hard part is everything around them: getting an internet connection that's actually owned by the owners corporation, making the footage viewable from somewhere other than the basement, doing it without exposing the building to ransomware botnets, and making sure the whole thing complies with eight different surveillance laws plus the federal Privacy Act.
This article walks through the full picture: how the connection itself gets installed, what ISPs and connection types are realistic, how the network needs to be designed to be remotely accessible and safe, what it costs and who pays, the legal framework in every Australian state and territory, and the long list of pitfalls you only find out about when something has already gone wrong.
It's written for committees and building managers, not network engineers, but it doesn't shy away from the technical detail, because that's where most of the bad decisions get made.
The setup at a glance
A modern strata CCTV system that you can access remotely has five layers. Each one has decisions to make and ways to get it wrong.
- Cameras and cabling on common property. IP cameras (almost always Power-over-Ethernet) wired back to a central comms cupboard.
- The recorder. A Network Video Recorder (NVR) that stores footage on local hard drives, sometimes with a parallel cloud copy.
- The network. The switch and router gear that connects cameras to the NVR, and the NVR to the outside world.
- The internet connection. A service in the owners corporation's name, dedicated to common-area infrastructure.
- The remote access path. How committee members or the building manager actually view the footage when they're not on site.
Each layer is owned by the OC. Each layer requires a contract or a by-law or both. And each layer has a corresponding way to get hacked, get sued, or waste money, which is what the rest of this article is about.
Part 1: The internet connection itself
Why the OC needs its own connection
A common mistake is assuming the building's residential NBN setup covers the cameras. It doesn't. Residential NBN connections are for individual lots: each apartment has its own service, in the resident's name, paid for by them.
Common-area infrastructure (CCTV, intercoms, lift phones, access control, EV chargers, solar monitoring) needs its own internet service, in the owners corporation's name, paid for from levies. NBN treats this as a "common area service" and charges connection fees per service the same way it charges per apartment. Under the current full-fibre upgrade program, common area connections are billed at $275 (incl. GST) each.
If the OC doesn't have a connection of its own, the alternatives are all bad:
- Piggybacking off a resident's connection. Creates legal mess (whose contract? what happens when they move out?), poor reliability, and potential privacy issues if footage flows through a private household network.
- Piggybacking off the building manager's connection. Same issues, plus when the manager leaves, the cameras go dark.
- No remote access at all. The system becomes a "go to the basement to view the DVR" relic that gets used maybe once every two years.
What connection types are realistic
There are three viable options for OC-owned common-area internet in 2026.
1. NBN: the default choice.
NBN is the practical baseline. Fibre to the Premises (FTTP) is now available to most apartment buildings either originally or via the Multi-Dwelling Property full-fibre upgrade program. Fibre to the Building (FTTB) is common in older blocks where fibre runs to the comms room and existing copper distributes to apartments. For a single OC service in the comms room itself, this is fine.
For the OC's common-area service specifically, you don't need a residential plan. NBN sells business nbn as well, which gives you:
- Higher upload speeds (matters for cameras, since they're constantly uploading footage if you use cloud storage or remote viewing)
- Service Level Agreements (SLAs) with target restore times
- Static IPv4 addresses (useful for VPN setup and remote access)
- Priority technical support
For a single NVR with 8–16 cameras, a residential plan technically works. For 32+ cameras, especially in a large building, business NBN is worth the difference. A residential NBN 100/40 plan is typically around $90–$110/month; equivalent business NBN with SLAs and a static IP is around $140–$200/month. Aussie Broadband, Superloop, Telstra Business and Optus Business all sell business NBN; Aussie Broadband in particular is popular with smaller commercial customers because of its Australian support and per-service static IPs.
2. 4G or 5G fixed wireless: fallback or primary in some cases.
Telstra, Optus, and Vodafone all sell fixed wireless plans intended as either home internet or business backup. For a small or geographically isolated building where NBN install is complicated, 5G fixed wireless can work as the primary connection. Realistic 5G speeds in Australian cities are around 250–600 Mbps down and 30–80 Mbps up, but with significant variability based on tower distance, congestion, and obstructions. Concrete-cored apartment buildings are particularly bad for 5G signal.
The bigger use case is failover: a 4G/5G modem sitting alongside the NBN connection, kicking in within seconds if the fibre drops. For a CCTV system that the committee actually relies on, this is genuinely worth doing. NBN outages of 4–24 hours happen regularly enough that "the cameras went down at exactly the wrong moment" becomes a real problem.
A common architecture:
- Primary: business NBN FTTP, 100/40 or 250/100 plan
- Failover: a Cradlepoint, Peplink or similar dual-WAN router with a 4G SIM (Telstra Business or Optus Business; avoid prepaid plans, which often deactivate dormant SIMs)
- Failover triggers automatically when the primary fails health checks (typically pings to a known endpoint every few seconds)
3. Private fibre networks.
In some inner-city Sydney, Melbourne, Brisbane, Adelaide and Perth apartment buildings, private fibre operators (TPG, Opticomm, Lightning Broadband, Real Utilities) have struck exclusive or quasi-exclusive deals with the developer or the OC. If your building was built or renovated under such an arrangement, the OC may already have a connection option that bypasses NBN entirely. These are sometimes cheaper and faster, but read the contract carefully: they often have very long terms (10–25 years), restrictive exit clauses, and sometimes lock residents into specific retail providers.
What you actually need from the connection
For OC common-area internet supporting CCTV remote access, these are the realistic requirements:
- Upload speed. This matters more than download. Each camera streamed remotely needs 1–4 Mbps depending on resolution. A 16-camera system where all feeds are pulled remotely at once needs ~30–50 Mbps upload sustained. NBN 100/40 (40 Mbps up) is the practical floor; 100/100 or 250/100 is more comfortable.
- Static IP address. Strongly recommended if using VPN remote access. Without a static IP you need a dynamic DNS service (added complexity, another point of failure, and another credential to manage).
- Low jitter. For live viewing, smooth video matters more than peak speed. FTTP is best; HFC is fine; FTTN can be inconsistent.
- Decent SLA. The point of a business plan. A 4-hour or 8-hour business-day target restore time is reasonable for CCTV.
You almost certainly don't need ultra-high download speeds (500+ Mbps), gigabit, or anything exotic. CCTV is a low-bandwidth application; the tricky part is the direction of traffic.
The cabling and install side
Getting the connection into the building is straightforward when NBN is already there: a service is provisioned to a Network Termination Device (NTD) in the comms room, and from there your installer plugs in a router. The complications are physical:
- Where is the comms room? In older buildings, often a cupboard in a basement or ground-floor utility area, sometimes shared with electrical switchgear. If that's the case, you have a problem the day NBN tries to install fibre and finds it can't run cabling without trades coordination.
- Is there power? The NTD needs a permanent 240V outlet on a circuit that won't get switched off when someone re-organises the comms room. Ideally, the entire CCTV stack (NTD, router, switch, NVR) sits behind a small UPS so it survives short power cuts.
- Is there ventilation? A rack with a router, PoE switch, NVR, and possibly UPS can put out 200–400W of heat. Hot comms rooms kill electronics. In a north-facing concrete cupboard with no airflow, summer is a problem.
- Is the cabling structured properly? Cameras connect to the NVR using PoE: the same Cat6 Ethernet cable carries both data and power. PoE has a 100-metre limit per run; in larger buildings, you need PoE switches (not just the NVR's built-in ports) and possibly switch cabinets in multiple locations linked by fibre.
The legal trap with cabling. All cabling work in Australia (anything that connects to the telecoms network or carries communication signals) must be done by an Australian Cabling Provider Rules (ACRS) registered cabler. DIY runs to save money are not just unsafe; they're illegal, and they'll void building insurance the moment something goes wrong. This applies to running CCTV cable through common property too.
Part 2: The CCTV system that connects to it
Cameras
Modern strata installations are almost universally IP cameras over PoE. Analogue and HDCVI systems still exist and are cheaper for small installs, but they don't integrate cleanly with remote access and they're a dead-end technology.
Resolution-wise, 4MP (1440p) is the sensible default for general common-area coverage. 8MP (4K) is worth it for entry points where you actually need to read faces or licence plates. Higher resolution increases storage and bandwidth requirements: a 4MP camera on H.265 compression typically uses 4–8 GB of NVR storage per day; an 8MP camera, 8–15 GB.
On vendors: Hikvision and Dahua dominate the global market, including Australia, and you'll find them quoted by most installers. They're well-priced and feature-rich, but they come with significant baggage worth understanding.
In 2023, the Australian government announced it would remove around 900 Hikvision and Dahua cameras from defence and government sites following security reviews, mirroring earlier US government bans under the National Defense Authorization Act. The concerns are twofold: documented histories of severe security vulnerabilities (including a 2017 backdoor that allowed unauthenticated user impersonation, a 2021 Hikvision vulnerability rated by IPVM as the highest level of critical, and ongoing reports of cameras phoning home to servers in China), and broader supply-chain national security concerns given partial Chinese state ownership.
For private residential strata, none of this is illegal. The cameras are still legal to buy, install, and use, and the Australian Cyber Security Centre (ACSC) hasn't issued a general consumer ban. But the security history matters: it's a reminder that camera firmware must be kept up to date and the cameras must never, ever be exposed directly to the internet. (More on that in the security section.)
Alternatives include Axis (Swedish, premium, well-regarded for security and longevity but 3–5x the price of Hikvision/Dahua), Hanwha (Korean, NDAA-compliant, mid-range), Uniview (Chinese but typically considered better-managed than Hikvision/Dahua on security), Bosch (premium, expensive), and Ubiquiti UniFi Protect (popular with technical buyers, integrated with their network gear, but with periodic firmware quality issues).
The Network Video Recorder (NVR)
The NVR is where footage is stored. For a strata install, this is almost always a dedicated hardware appliance: a small server with hard drives sized for your retention period.
Storage sizing is a function of:
- Number of cameras
- Resolution and frame rate
- Compression (H.264 vs H.265; H.265 is roughly half the size for same quality)
- Retention period
A typical 16-camera system at 4MP/H.265/15fps with 30 days of retention needs roughly 6–10 TB of storage. Most NVRs ship with 2–4 drive bays and support up to 16TB drives.
Hard drives matter. Do not let an installer put consumer drives in an NVR. Surveillance-grade drives (WD Purple, Seagate SkyHawk) are designed for the constant-write workload of CCTV; consumer drives fail much faster under that load.
For redundancy, RAID-1 (mirroring) across two drives is basic resilience. A drive failure shouldn't lose footage. Consider whether you need RAID-5 or RAID-6 for larger systems.
Cloud-only systems
Some vendors (Verkada, Eagle Eye Networks, Reolink Cloud) sell cameras that record directly to the cloud with no on-premises NVR. These are simpler to install and remove a major attack surface, but:
- Monthly subscription costs add up (typically $15–$40 per camera per month)
- They depend on a stable, reasonable-bandwidth internet connection at all times; losing the internet means losing recording
- Footage is stored offshore (usually US), which has Privacy Act implications
- Vendor lock-in is severe; if you stop paying, you lose access to historical footage
For a strata committee specifically, the recurring cost is usually the deal-breaker. A $30/camera/month cloud plan on 16 cameras is $5,760/year forever: more than the entire upfront cost of an on-premises system in 2–3 years.
A sensible middle ground used by some installers: on-premises NVR with selective cloud backup, where only motion-triggered events or critical zones get pushed to cloud, full footage stays local.
Part 3: How remote access actually works (and how it goes wrong)
This is the single most important part of the article. Most strata CCTV security incidents don't come from sophisticated attacks; they come from someone setting up remote access the easy/wrong way.
There are three ways to make a CCTV system remotely accessible.
Method 1: Port forwarding (DO NOT DO THIS)
Port forwarding is the old-school approach. The router is configured to take incoming traffic on a specific port from anywhere on the internet and pass it through to the NVR. You then connect from your phone or laptop directly to the building's public IP address.
This is unambiguously the wrong approach. Every credible source (the Australian Cyber Security Centre, IPVM, security camera professionals, the Hikvision and Dahua security advisories themselves) warns against it.
Why it's bad:
- The NVR is now exposed directly to the entire internet, with only its username and password protecting it.
- Automated bots constantly scan the internet for exposed CCTV equipment. A new device on the public internet is typically found and probed within minutes.
- CCTV gear has a long, ugly history of authentication bypasses, hardcoded credentials and unpatched vulnerabilities. The Mirai botnet, which took down major chunks of the internet in 2016, was largely built from compromised IoT devices including CCTV recorders with default passwords.
- Even with strong passwords, exposed devices give attackers unlimited time to find new vulnerabilities. Once a vulnerability is published, exposed devices typically get exploited within days, sometimes hours.
If a CCTV installer suggests port forwarding to "make it easier", that's a red flag about the installer, not a viable approach.
Method 2: Manufacturer P2P / cloud apps
Most modern NVRs and cameras come with a smartphone app and a "P2P" or cloud-relay service: Hik-Connect (Hikvision), DMSS (Dahua), Reolink, EZVIZ, Lorex Home, etc. You scan a QR code on the NVR, log into the app, and the app brokers a connection between your phone and the NVR through the manufacturer's cloud servers.
This is dramatically safer than port forwarding because the NVR makes outbound connections only: there are no inbound ports open on the building's router. From a network-security perspective, this is acceptable.
The trade-offs:
- You're trusting the manufacturer's cloud infrastructure and its security. Hikvision's and Dahua's in particular have a chequered history.
- All metadata about your camera system flows through manufacturer servers, often based offshore. Some footage is cached there too.
- If the manufacturer's cloud goes down, remote access goes with it.
- Account compromise (someone phishing the building manager's Hik-Connect password) gives them full access to the camera system.
For a small residential building where the alternative is "no remote access at all", manufacturer P2P is a reasonable choice, with strong, unique passwords and two-factor authentication enabled.
Method 3: VPN, the right answer for any building that takes this seriously
A VPN (Virtual Private Network) is, in effect, a secure tunnel between an authorised remote user and the building's network. Once connected, the user's phone or laptop behaves as if it's on the building's local network: they can access the NVR using its internal IP address, just as if they were sitting in the comms room.
This is the approach used by every security professional and recommended by every reputable source. The cameras and NVR are never directly exposed to the internet. Only the VPN endpoint accepts connections, and modern VPN protocols (WireGuard, OpenVPN with current configuration) are designed specifically to be exposed to the internet.
The components:
- A router that supports VPN server functionality. Common options: Ubiquiti UniFi Cloud Gateway, Mikrotik, Peplink, Cisco/Meraki, or a small dedicated firewall like Firewalla, OPNsense, or pfSense. Consumer-grade routers sometimes include this but the implementations are often dated; a business-grade router is worth the difference.
- A static IP from the ISP (or a dynamic DNS service)
- A list of authorised users, each with their own credentials and individually revokable access
- WireGuard (preferred: fast, modern, well-regarded) or OpenVPN (older but very mature)
Setting this up properly requires someone competent. It's not a DIY job for a strata committee member who watched a YouTube tutorial. Budget $400–$1,200 for a one-off professional setup including the VPN router, plus the cost of testing with each authorised user's device.
What "authorised users" actually means
This is where governance meets technology. The VPN gives access to whoever has the credentials. You need:
- A documented list of who has VPN access (typically the building manager, the chair, the secretary, possibly the strata manager)
- Individual VPN profiles per person, not a shared account
- A process for revoking access when someone leaves the role (revoking VPN profiles is trivial if they're individual; impossible if they're shared)
- A documented process for accessing footage that includes who reviewed what and why
- Logs of access kept somewhere the person being logged can't delete them
This is the part that strata committees consistently underestimate. The technology can be perfect; the governance is what fails. The chair leaves, no one revokes their VPN access, two years later they're still able to view footage of their old building.
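One way to run the periodic access review described above, as an added example rather than code from any vendor or installer. It compares the peer list printed by `wg show <interface> dump` on the VPN router with the OC's register of authorised users. The register layout, names, keys, the 10.99.0.0/24 tunnel range and the 90-day dormancy threshold are all assumptions made for the illustration.

```python
"""VPN access review: WireGuard peers versus the OC's authorised-user register."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Holder:
    name: str
    role: str
    public_key: str                    # key from this person's own VPN profile
    role_ended: Optional[date] = None  # None means still in the role


def review_peers(dump_text, register, now, dormant_days=90):
    """Return (kind, public_key, detail) findings for a `wg show <if> dump`."""
    findings = []
    by_key = {}
    for holder in register:
        by_key.setdefault(holder.public_key, []).append(holder)
    for key, holders in by_key.items():
        if len(holders) > 1:  # one profile handed to several people
            names = ", ".join(h.name for h in holders)
            findings.append(("shared-profile", key, f"one key issued to: {names}"))
    # Line 1 of the dump describes the interface; each later line is one peer:
    # public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive
    for line in dump_text.strip().splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        key, _psk, _endpoint, allowed_ips, handshake = fields[:5]
        holders = by_key.get(key, [])
        if not holders:
            findings.append(("unregistered-peer", key, "not in the register"))
        for h in holders:
            if h.role_ended and h.role_ended <= now.date():
                findings.append(
                    ("revoke", key, f"{h.name} left the {h.role} role on {h.role_ended}"))
        for net in allowed_ips.split(","):
            if net != "(none)" and ip_network(net, strict=False).num_addresses > 1:
                findings.append(
                    ("broad-allowed-ips", key, f"{net} is wider than one tunnel address"))
        last = int(handshake)  # epoch seconds; 0 means the peer has never connected
        if last == 0:
            findings.append(("dormant", key, "never connected"))
        elif now - datetime.fromtimestamp(last, timezone.utc) > timedelta(days=dormant_days):
            findings.append(("dormant", key, f"no handshake for over {dormant_days} days"))
    return findings


# ---- Constructed sample data (placeholder keys, invented names) ----
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)


def _epoch(days_ago):
    return str(int((NOW - timedelta(days=days_ago)).timestamp()))


K_MGR = "PLACEHOLDER-KEY-MANAGER="
K_CHAIR = "PLACEHOLDER-KEY-FORMER-CHAIR="
K_SHARED = "PLACEHOLDER-KEY-SHARED="
K_UNKNOWN = "PLACEHOLDER-KEY-UNKNOWN="

REGISTER = [
    Holder("A. Nguyen", "building manager", K_MGR),
    Holder("B. Rossi", "chair", K_CHAIR, role_ended=date(2024, 3, 1)),
    Holder("C. Patel", "secretary", K_SHARED),
    Holder("D. Lee", "strata manager", K_SHARED),
]

WG_DUMP = "\n".join("\t".join(row) for row in [
    ["(hidden)", "PLACEHOLDER-KEY-SERVER=", "51820", "off"],
    [K_MGR, "(none)", "198.51.100.7:51000", "10.99.0.2/32", _epoch(1), "0", "0", "off"],
    [K_CHAIR, "(none)", "198.51.100.8:51000", "10.99.0.3/32", _epoch(2), "0", "0", "off"],
    [K_SHARED, "(none)", "198.51.100.9:51000", "10.99.0.4/32", _epoch(5), "0", "0", "off"],
    [K_UNKNOWN, "(none)", "(none)", "10.99.0.0/24", "0", "0", "0", "off"],
])

if __name__ == "__main__":
    for finding in review_peers(WG_DUMP, REGISTER, NOW):
        print(*finding, sep=" | ")
```

In the sample data the former chair's profile shows a handshake two days before the review, which is exactly the failure described above: the role ended, the profile did not.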
Network segmentation: keeping CCTV away from everything else
A final piece of network design worth mentioning: cameras and NVRs should be on a separate VLAN from everything else.
The reason: CCTV equipment historically has poor security. If someone compromises a camera (perhaps by exploiting an unpatched firmware vulnerability), you don't want them to then have free access to the building manager's PC, the access-control system, the EV charger management portal, and so on.
A properly designed setup has:
- A dedicated CCTV VLAN containing the cameras, the PoE switches, and the NVR
- A separate "common-property management" VLAN for the building manager's workstation, intercom system, access control, BMS
- Firewall rules between them allowing only what's strictly necessary (e.g. the building manager's PC can connect to the NVR's web interface, but the NVR cannot initiate connections back to the workstation)
- The CCTV VLAN typically blocked from the internet entirely except for the specific outbound connections required for time sync, firmware updates, and (if used) cloud access
This sounds like enterprise-grade overkill for a residential strata block. It isn't: it's actually how every reputable security install in 2026 is designed, and the gear to do it properly costs no more than a single mid-range camera.
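The segmentation rules listed above can be written down as data and checked against the flows that matter before the installer applies them to the router. This is an added example, not any product's configuration format: the VLAN ranges, host addresses, firmware host and rule layout are assumptions, and the model covers new connections only (a stateful firewall lets replies to an allowed connection back through).

```python
"""First-match model of the CCTV segmentation policy, with a port-forward lint."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the illustration.
CCTV = ip_network("10.20.0.0/24")   # cameras, PoE switches, NVR
MGMT = ip_network("10.30.0.0/24")   # building manager PC, intercom, access control
VPN = ip_network("10.99.0.0/24")    # remote users' tunnel addresses
INTERNAL = (CCTV, MGMT, VPN)
NVR = "10.20.0.10"
MANAGER_PC = "10.30.0.50"
ROUTER_NTP = "10.20.0.1"            # router acting as the time source
FIRMWARE_HOST = "203.0.113.25"      # placeholder for the vendor's update server


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR of the side that initiates the connection
    dst: str             # CIDR of the side being connected to
    proto: str = "any"
    port: int = 0        # 0 means any port
    note: str = ""

    def matches(self, src, dst, proto, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (0, port))


POLICY = [
    Rule("allow", MANAGER_PC + "/32", NVR + "/32", "tcp", 443, "manager PC to NVR web UI"),
    Rule("allow", str(VPN), NVR + "/32", "tcp", 443, "VPN users to NVR web UI"),
    Rule("allow", str(CCTV), ROUTER_NTP + "/32", "udp", 123, "time sync"),
    Rule("allow", NVR + "/32", FIRMWARE_HOST + "/32", "tcp", 443, "firmware updates"),
    Rule("deny", str(CCTV), "0.0.0.0/0", note="CCTV VLAN initiates nothing else"),
]

# What a "make it easier" port forward looks like once written as a rule.
PORT_FORWARD = Rule("allow", "0.0.0.0/0", NVR + "/32", "tcp", 443, "remote viewing")


def decide(policy, src, dst, proto, port):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule in policy:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


def exposure_findings(policy):
    """Flag allow rules that let a source outside the building reach the CCTV VLAN."""
    findings = []
    for rule in policy:
        src, dst = ip_network(rule.src), ip_network(rule.dst)
        src_is_internal = any(src.subnet_of(net) for net in INTERNAL)
        if rule.action == "allow" and dst.overlaps(CCTV) and not src_is_internal:
            findings.append(f"{rule.src} may reach {rule.dst} port {rule.port}: {rule.note}")
    return findings


if __name__ == "__main__":
    flows = [
        ("manager PC opens NVR web UI", MANAGER_PC, NVR, "tcp", 443),
        ("NVR connects back to manager PC", NVR, MANAGER_PC, "tcp", 445),
        ("camera calls an internet host", "10.20.0.21", "198.51.100.9", "tcp", 443),
        ("internet host connects to NVR", "198.51.100.9", NVR, "tcp", 443),
        ("VPN user opens a camera directly", "10.99.0.2", "10.20.0.21", "tcp", 80),
    ]
    for label, *flow in flows:
        print(f"{decide(POLICY, *flow):5}  {label}")
    print(exposure_findings(POLICY + [PORT_FORWARD]))
```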
Part 4: Cybersecurity, the things that go wrong
A summary checklist of what's caused real CCTV breaches in real Australian buildings:
Default credentials. The most common single cause. NVR ships with admin/12345 or admin/admin, the installer never changes it, the system goes online, the bots find it within hours. Always change defaults; always use unique strong passwords.
Reused credentials. The installer uses the same password across every system they install. One breach exposes hundreds of buildings. Insist on unique credentials per site.
No firmware updates. CCTV vendors release security patches regularly, sometimes very frequently. If no one is responsible for applying them, the system gradually accumulates known, exploitable vulnerabilities. Build firmware update responsibility into the building manager's role or the maintenance contract; quarterly is a reasonable cadence.
Exposed NVRs (port forwarding, UPnP). Covered above. Many cheap consumer routers have UPnP enabled by default, which lets the NVR automatically request port forwarding without anyone realising. Disable UPnP on the router unless you have a specific reason.
Cloud account compromise. Someone phishes the Hik-Connect or DMSS login. With no two-factor authentication, they're in. Always enable 2FA on any cloud surveillance account.
Insider misuse. The committee member with VPN access uses the cameras to track an estranged ex-partner who lives in the building. This is technically a Surveillance Devices Act / Privacy Act offence; in practice it happens, and it happens because access wasn't properly controlled or logged. Hence the importance of access logs, periodic access reviews, and a written by-law making consequences clear.
Stolen footage / extortion. Increasingly common in 2024–2026: ransomware groups specifically targeting NVRs, encrypting footage, and demanding payment. Mitigations: keep the NVR off the public internet, segment the network, maintain an offline or cloud backup of critical footage windows.
Hikvision and Dahua specifically. Beyond the geopolitical concerns, these are statistically the most-attacked brands because they're the most installed. If you have them, you must, non-negotiably, keep firmware current, change all default passwords, never expose them directly to the internet, and prefer VPN-only remote access.
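The insider-misuse item above, and the earlier requirement that access logs sit where the person being logged can't delete them, both depend on being able to tell when a log has been edited. The added example below (not part of any NVR's own software) chains each footage-access record to the previous one by hash, so an edited or removed entry shows up on verification. The record fields, names and the idea of sending the latest hash to a second party such as the strata manager are assumptions for the illustration.

```python
"""Hash-chained footage-access log: edits, deletions and truncation are detectable."""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the first entry


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log, viewer, camera, footage_from, footage_to, reason, accessed_at):
    """Append one access record and return the new head hash.

    The head hash should be copied to someone other than the viewer
    (for example emailed to the strata manager) each time it changes.
    """
    record = {
        "viewer": viewer,
        "camera": camera,
        "footage_from": footage_from,
        "footage_to": footage_to,
        "reason": reason,
        "accessed_at": accessed_at,
    }
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry["hash"]


def verify_log(log, witnessed_head=None):
    """Return a list of problems; an empty list means the log is intact."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            problems.append(f"entry {i}: chain broken, an earlier entry was removed or reordered")
        if _digest(entry["prev"], entry["record"]) != entry["hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        prev = entry["hash"]
    # A head hash held by a second party must still appear somewhere in the chain.
    # If it does not, the tail was cut off or the whole chain was rebuilt.
    if witnessed_head is not None and witnessed_head not in {e["hash"] for e in log}:
        problems.append("witnessed head hash not found: entries were removed or the log was rebuilt")
    return problems


def build_sample_log():
    """Three constructed access records; returns the log and its head hash."""
    log = []
    append_entry(log, "building manager", "CAM-03 car park",
                 "2026-02-01T22:00", "2026-02-01T23:30",
                 "police request, vehicle break-in", "2026-02-02T09:15")
    append_entry(log, "committee chair", "CAM-01 lobby",
                 "2026-02-10T18:00", "2026-02-10T18:20",
                 "no reason recorded", "2026-02-10T21:40")
    head = append_entry(log, "building manager", "CAM-07 bin room",
                        "2026-02-14T06:00", "2026-02-14T07:00",
                        "illegal dumping complaint", "2026-02-14T10:05")
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", verify_log(log, head))
    del log[1]  # someone removes the entry that has no stated reason
    print("after deletion:", verify_log(log, head))
```

The chain only proves tampering if the head hash is held by someone who cannot edit the log; kept on the same machine, a person with write access could rebuild the whole chain.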
Part 5: The legal layer in every jurisdiction
Australian CCTV law is split across federal, state and strata legislation. There's no single source of truth. Here's the framework, then each jurisdiction.
The federal layer: the Privacy Act 1988
The Privacy Act applies to organisations with annual turnover over $3 million, plus certain other categories. Most owners corporations are below this threshold and so the Australian Privacy Principles don't directly apply.
However, the Act applies if your building has on-site staff (a building manager, concierge, cleaning staff), because the Workplace Surveillance Act in some states (and good practice in all of them) brings employees within scope. And the Privacy Act applies if your strata managing agent's business is large enough to be covered, which means anything handed to them is governed by their privacy obligations.
In practice: assume Privacy Act-style obligations apply, even if you're technically exempt. It's better practice and it future-proofs you against legislative change.
The state surveillance device acts
Every state and territory has its own surveillance devices legislation. They differ in detail but have common themes:
| Jurisdiction | Primary Act | Visual recording on common property | Audio recording |
|---|---|---|---|
| NSW | Surveillance Devices Act 2007 (NSW) | Permitted with land owner's (OC's) consent under s.8 | Strictly prohibited without consent of all parties |
| VIC | Surveillance Devices Act 1999 (Vic) | Permitted unless capturing private activity | Restricted; consent of all parties for private conversations |
| QLD | No general surveillance act; governed by Criminal Code 1899 (Qld) s.227A and Invasion of Privacy Act 1971 (Qld) | Permitted; offence to record where reasonable expectation of privacy | Lawful if you're a party to the conversation |
| WA | Surveillance Devices Act 1998 (WA) | Permitted unless recording "private activity" | All-party consent required for private conversations |
| SA | Surveillance Devices Act 2016 (SA) | Permitted unless recording private activity without consent | All-party consent required |
| TAS | Listening Devices Act 1991 (Tas) + Police Offences Act 1935 | Visual largely covered by Police Offences Act privacy provisions | All-party consent for private conversations |
| ACT | Listening Devices Act 1992 (ACT) + Workplace Privacy Act 2011 (ACT) | Less heavily regulated for visual; workplace context covered | All-party consent for private conversations |
| NT | Surveillance Devices Act (NT) | Restrictions on recording private activity | One-party consent permitted (unusual; aligns with QLD) |
Three universals across all jurisdictions:
- Audio recording is the danger zone. Almost every Australian CCTV-related prosecution involves audio. In all-party-consent states (NSW, VIC, SA, WA, TAS, ACT) recording private conversations is a criminal offence regardless of whether you're part of the conversation. The simplest and safest approach: turn audio recording off on every camera, everywhere, and document this in the by-law. This dodges 90% of legal risk.
- "Private activity" is not the same as "private property". Common property areas are private property, but courts have repeatedly held that residents have a reasonable expectation of privacy in some common areas: change rooms by a pool, bathroom corridors, areas outside bedroom windows, balconies of individual lots visible from common areas. Camera placement matters more than camera ownership.
- Workplace surveillance acts apply if you have on-site staff. NSW (Workplace Surveillance Act 2005) and ACT (Workplace Privacy Act 2011) require notice (typically 14 days written notice before commencing surveillance), visible signage at every entrance, and consultation with the affected workers. This means if your building has a manager, concierge or regular cleaning staff, you can't just install cameras silently; you need formal notice and signage.
The state strata acts
On top of surveillance devices law, each state's strata legislation governs how the OC must approve and document the system.
NSW. Under the Strata Schemes Management Act 2015, the OC needs a special by-law (s.108) to install CCTV on common property. Two recent NCAT decisions have ruled against lot owners who installed cameras on common property without OC consent, requiring removal at the owner's expense. The Appeal Panel has also held (Benoit De Tarle v The Owners Corporation Strata Plan 576 [2022] NSWCATAP 77) that lot owners do not have an automatic right to inspect CCTV footage: access must follow a process the OC has established, and is reasonably limited to formal requests from the OC or police.
VIC. Under the Owners Corporations Act 2006, the OC can install CCTV on common property subject to passing a special resolution (75% majority). Owners corporations rules must address camera operation. Surveillance Devices Act 1999 (Vic) constraints apply to placement.
QLD. Under the Body Corporate and Community Management Act 1997 (BCCMA) and applicable regulation module, installing CCTV is an "improvement" to common property: it requires committee resolution or special resolution depending on cost thresholds. A 2025 decision (Calmwater Shores [2025] QBCCMCmr 330) created a wrinkle: in that case the adjudicator found CCTV footage was not a record of the body corporate, and the body corporate didn't have to retain or produce it. Earlier decisions had gone the other way; this is now a grey area requiring explicit by-laws to clarify.
WA. Under the Strata Titles Act 1985 (WA), the strata company can resolve to install CCTV. Surveillance Devices Act 1998 (WA) has stricter "private activity" definitions than other states; placement matters.
SA. Under the Strata Titles Act 1988 (SA) or Community Titles Act 1996 (SA) (depending on scheme type), the OC can install CCTV by resolution. Surveillance Devices Act 2016 (SA) applies; the 2016 Act substantially increased penalties (up to $75,000 for a body corporate for unlawful surveillance).
TAS. Under the Strata Titles Act 1998 (Tas), the body corporate can resolve to install CCTV. The Listening Devices Act 1991 (Tas) targets audio specifically; visual surveillance is mainly regulated by the Police Offences Act 1935 (Tas) where it captures private activity.
ACT. Under the Unit Titles (Management) Act 2011 (ACT), the OC can install CCTV. The Workplace Privacy Act 2011 (ACT) is among the strictest in Australia for any building with on-site staff.
NT. Under the Unit Titles Act 1975 (NT) or Unit Titles Schemes Act 2009 (NT), the body corporate can resolve to install CCTV. Surveillance Devices Act (NT) restricts recording of private activity.
What a CCTV by-law needs to cover
Whatever the jurisdiction, a properly drafted CCTV by-law should address:
- The purpose of the surveillance (security, deterrence, evidence), which matters for "lawful interest" defences
- Camera locations and what each camera covers (with explicit prohibition on capturing into private lots, bathrooms, change rooms, etc.)
- Confirmation that audio recording is disabled
- Mandatory signage at every common-area entrance ("CCTV in operation"; required in NSW workplace contexts, recommended everywhere)
- Footage retention period (30 days is the most common; standard NCAT view in NSW is that 30–60 days is reasonable; longer than 90 days creates privacy risk)
- Storage security requirements (encrypted at rest, password-protected, on a network-segmented system)
- Who has access to live footage and to recordings (typically: the building manager and 1–2 named committee members)
- The process for requesting footage (written request, log entry, fee for retrieval if applicable)
- Police access provisions (typically: cooperate with formal requests, advise on receipt of warrants)
- Lot owner access rights (NSW: limited; QLD: historically broad but now contested; document the process)
- Maintenance and firmware update responsibility
- Privacy breach response (what happens if footage leaks, how to notify affected parties)
This is not a DIY drafting exercise. Engaging a strata lawyer to draft or review the by-law is genuinely worth the $1,500–$3,000 it typically costs.
Part 6: Cost, contracts, and who pays
Indicative cost ranges
These are 2026 ballpark figures for an OC-funded common-property CCTV system in Australia, including network-grade install:
| Building size | Cameras | Upfront install (incl. VPN) | Ongoing annual |
|---|---|---|---|
| Small (2–20 lots) | 4–8 cameras | $6,000 – $14,000 | $1,500 – $3,000 |
| Medium (20–80 lots) | 12–24 cameras | $18,000 – $45,000 | $3,000 – $7,000 |
| Large (80+ lots) | 30–80 cameras | $50,000 – $180,000+ | $7,000 – $20,000+ |
Upfront covers cameras, NVR, PoE switches, business-grade router with VPN, structured cabling, comms-room rack and UPS, install labour, configuration, and initial commissioning. Ongoing covers internet service ($1,200–$2,400/year), maintenance contract ($600–$3,000/year for medium buildings), firmware update and review labour, and a sinking-fund allocation toward eventual replacement (cameras typically last 7–10 years; NVR drives 4–6 years).
These numbers exclude:
- Legal costs to draft the by-law ($1,500–$3,000 once)
- The NBN connection fee for OC common-area service ($275 incl. GST per common-area service if upgrading via the multi-dwelling fibre program)
- Any building works needed to make the comms room fit for purpose
- Cloud surveillance subscriptions if used (substantial; see Part 2)
Who pays: funding source
CCTV on common property is, almost universally, funded from the OC's administrative fund (or capital works fund for replacement cycles), paid for by all lot owners proportionally to their unit entitlements. This is true in all jurisdictions.
Exceptions:
- If a single lot owner wants CCTV for their lot's exclusive benefit (e.g. covering their front door specifically), they typically need to apply for a by-law granting exclusive use of the relevant common property and bear the cost personally. NCAT and equivalent tribunals have repeatedly held that owners cannot install cameras on common property without OC consent.
- Some buildings have negotiated cost-sharing where a particular tier of CCTV (e.g. a forensic-grade system at a building entrance) is part-funded by a commercial tenant.
- If the system is installed for the benefit of a specific commercial tenant (e.g. a pharmacy on the ground floor), exclusive-use cost allocations can be negotiated.
Contracts to be careful about
CCTV installs come with a stack of contracts. The ones to read carefully:
The installer's contract. Watch for: long-term monitoring contracts bundled in by default, ownership of footage (some installers reserve "rights to footage for system improvement"), warranties tied to using their proprietary cloud service, and exit clauses.
The maintenance contract. Watch for: response times, what's actually covered (firmware updates? hard drive replacement? camera failures?), whether the maintenance provider has remote access (and if so, how that's secured), and termination provisions.
The cloud surveillance subscription, if any. Watch for: data location (is footage stored offshore?), what happens to footage if the OC stops paying, whether the provider can use footage for training AI models or "service improvement", and notice periods for price changes.
Private fibre/internet supply contracts (if applicable). Watch for: exclusivity clauses, building access rights, term length, exit fees, and restrictions on supplementary services (e.g. preventing the OC from also having NBN as a backup).
The internet service plan. Standard business NBN plans are usually fine. The trap is plans that bundle in "free" hardware that's actually owned by the ISP. When you switch, the router goes with them, including the VPN configuration on it.
Part 7: The three starting scenarios
Scenario 1: Brand new building, designing from scratch
This is the easy one. The developer builds the cabling pathways, the comms room is purpose-designed, and the OC inherits a functional system on Day 1.
The traps:
- The developer's preferred installer may be using cheap kit and an exclusive cloud service
- The initial 12–24 months of operation are typically managed by the developer-controlled committee, so by the time owners take real control, the contracts and architecture are already locked in
- Common-area internet may have been signed over to a private fibre provider on a 25-year deal
Action items for owners taking control of a new building:
- Review every common-property service contract within the first 6 months
- Verify that the CCTV system has a documented architecture (network diagram, camera list, retention policy)
- Insist on a handover including all admin credentials, firmware versions, and a security review
- Get a CCTV by-law drafted and registered
Scenario 2: Existing building, retrofitting CCTV + internet
This is the most common starting scenario.
The order of operations:
- Resolve the legal layer first. Get a draft by-law from a strata lawyer covering camera policy, audio prohibition, retention, access. Pass it as a special resolution at general meeting.
- Get an OC-named internet service installed. This is independent of the CCTV system: it's just provisioning a service to the comms room in the OC's name. Business NBN with a static IP is the sensible default.
- Get 2–3 quotes from CCTV installers specifying:
  - PoE IP cameras, audio disabled
  - On-premises NVR with surveillance-grade drives
  - Network segmentation (separate VLAN for cameras)
  - VPN-based remote access (specify WireGuard or equivalent)
  - Documented camera coverage map showing what each camera sees
  - Initial firmware and password setup, with handover of credentials
  - Maintenance contract with quarterly firmware updates
- Insist on a security review before going live: confirm port forwarding is disabled, default passwords are changed, audio is off, retention is set correctly, and only authorised users have remote access.
- Document everything. Camera positions, who has VPN access, retention policy, the by-law itself: all in the strata records.
Scenario 3: Existing CCTV but no remote access, adding internet
Adding remote access to a legacy system is the trickiest of the three because the existing system may have been built around assumptions you don't want to inherit.
First, audit what you have:
- What brand and model are the cameras? (Critical: if they're old Hikvision or Dahua units with EOL firmware, the security position is genuinely concerning)
- What's the NVR? Is it patchable? Is there current firmware support?
- How is footage currently accessed? On-site only, or via some sketchy port-forwarding arrangement set up years ago?
- Is there even network cabling infrastructure capable of supporting modern remote access?
Then a decision: retrofit or replace?
Retrofit makes sense if the cameras are recent (≤5 years), the brand has current firmware, and the cabling is structured. You add a business-grade router with VPN capability, segment the network, ensure firmware is current and passwords are unique, disable any port forwarding, and bring an OC-owned internet service in. Cost: $2,000–$8,000 plus install labour.
Replace makes sense if the kit is end-of-life, the cabling is non-standard or non-compliant, or there's no realistic path to a secure architecture. You're effectively in Scenario 2 territory; budget accordingly.
A frequent pitfall: someone tries to get remote access working "quickly" by enabling the old NVR's manufacturer cloud service or port-forwarding it. This often results in the system being compromised within months. Don't shortcut this. If remote access is being added, do it properly with VPN.
Part 8: Common pitfalls
A consolidated list of things that go wrong:
Legal pitfalls
- Installing on common property without a special resolution / by-law
- Installing without registering the by-law (so it's not enforceable against future owners)
- Audio enabled by default: almost always illegal
- Cameras pointing at private lot windows, balconies, or capturing into bedrooms
- No signage where on-site workers are present
- Excessive retention periods creating privacy exposure
- No documented process for footage access: opens the OC to discrimination claims
- Using a draft by-law from a generic template rather than jurisdiction-specific drafting
Technical pitfalls
- Port forwarding the NVR to the internet
- Default passwords left in place
- No firmware update process
- Cameras and other building systems on a flat (unsegmented) network
- Consumer-grade hard drives in NVRs
- No UPS: system goes down whenever power flickers
- No 4G/5G failover: system goes down whenever NBN flickers
- Ethernet cable runs over the 100m PoE limit without proper planning
- NVR storage too small, retention silently shorter than the by-law specifies
- Cloud service subscriptions piled up over multiple years that the committee has lost track of
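The storage pitfall above is easy to check with arithmetic before anything is purchased. The following is an added example, not part of the original article; the camera counts, bitrates, recording fractions and drive capacities are constructed assumptions, and the 90-day ceiling is the privacy-risk figure from the by-law section.

```python
# Added sizing example; every camera figure and capacity here is constructed.
SECONDS_PER_DAY = 86_400
TB = 10**12  # drive capacities are quoted in decimal terabytes

# (label, count, bitrate in Mbit/s, fraction of the day actually recorded)
CAMERAS = [
    ("corridors, continuous", 12, 4.0, 1.0),
    ("carpark, motion-triggered", 4, 8.0, 0.25),
]

def daily_bytes(cameras):
    """Bytes written to the NVR per day across all camera groups."""
    total = 0.0
    for label, count, mbps, duty in cameras:
        if count < 1 or mbps <= 0 or not 0 < duty <= 1:
            raise ValueError(f"bad camera group: {label}")
        total += count * (mbps * 1_000_000 / 8) * SECONDS_PER_DAY * duty
    return total

def check_retention(usable_tb, cameras, bylaw_days, max_days=90):
    """Compare what the drives can hold with the by-law retention period."""
    per_day = daily_bytes(cameras)
    days = usable_tb * TB / per_day
    if days < bylaw_days:
        status = "SHORTFALL: oldest footage is overwritten before the by-law period"
    elif days > max_days:
        status = "CAP NEEDED: set the NVR to delete at the by-law period"
    else:
        status = "OK"
    return {
        "days_held": round(days, 1),
        "tb_needed": round(per_day * bylaw_days / TB, 1),
        "status": status,
    }

if __name__ == "__main__":
    for capacity_tb in (8, 24, 64):
        print(capacity_tb, "TB:", check_retention(capacity_tb, CAMERAS, bylaw_days=30))
```

With these constructed figures, 8 TB of usable storage holds about 13 days against a 30-day by-law, which is the kind of shortfall that goes unnoticed until footage is requested.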
Procurement pitfalls
- Going with the cheapest quote without specifying security requirements
- Letting the installer choose all gear without independent review
- Long-term monitoring or cloud contracts bundled into the install at quote time
- No documented architecture handed over: you can't manage what you don't understand
- No maintenance contract: system gradually decays over 3–5 years
- Single point of failure: one person on the committee knows how everything works, then leaves
Governance pitfalls
- Shared admin credentials passed around the committee verbally
- VPN access never revoked when committee members rotate
- No log of who accessed footage when and why
- Committee members using the system to monitor specific neighbours (this happens, and it's a serious legal risk)
- Strata manager has remote access but isn't covered by the by-law's access controls
- No periodic review (annual is reasonable) of who has access to what
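A periodic access review can be partly automated by comparing the peers configured on the VPN with the access list in the strata records. The following is an added example, not part of the original article: it assumes a WireGuard router whose `wg show wg0 dump` output can be exported, and the key names, register layout and 90-day staleness threshold are all constructed.

```python
# Added example: key names, register layout and the 90-day threshold are assumptions.
NOW = 1_770_000_000  # constructed "current time" (epoch seconds)
DAY = 86_400

# Constructed `wg show wg0 dump` output (tab-separated). Line 1 is the interface; each
# peer line is: public-key, preshared-key, endpoint, allowed-ips, latest-handshake
# (epoch seconds, 0 = never), rx bytes, tx bytes, persistent-keepalive.
SAMPLE_DUMP = "\n".join([
    "PRIVKEY-PLACEHOLDER\tPUB-ROUTER\t51820\toff",
    f"PUB-MANAGER\t(none)\t203.0.113.10:51000\t10.8.0.2/32\t{NOW - 2 * DAY}\t9000\t7000\toff",
    f"PUB-CHAIR\t(none)\t198.51.100.7:40000\t10.8.0.3/32\t{NOW - 200 * DAY}\t500\t400\toff",
    f"PUB-EX-TREASURER\t(none)\t198.51.100.9:40100\t10.8.0.4/32\t{NOW - 5 * DAY}\t800\t600\toff",
    "PUB-UNKNOWN\t(none)\t(none)\t10.8.0.9/32\t0\t0\t0\toff",
])

# Hypothetical access register kept in the strata records.
REGISTER = {
    "PUB-MANAGER": {"holder": "Building manager", "authorised": True},
    "PUB-CHAIR": {"holder": "Committee chair", "authorised": True},
    "PUB-EX-TREASURER": {"holder": "Former treasurer", "authorised": False},
}

def parse_peers(dump_text):
    """Return {public_key: latest_handshake_epoch} for every peer line."""
    peers = {}
    for line in dump_text.strip().splitlines()[1:]:  # skip the interface line
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers[fields[0]] = int(fields[4])
    return peers

def review_access(dump_text, register, now, stale_days=90):
    """Compare configured VPN peers with the register; return (key, finding) pairs."""
    findings = []
    for key, handshake in sorted(parse_peers(dump_text).items()):
        entry = register.get(key)
        if entry is None:
            findings.append((key, "not in access register: remove or document"))
        elif not entry["authorised"]:
            findings.append((key, f"{entry['holder']} no longer authorised: revoke"))
        elif handshake == 0 or now - handshake > stale_days * DAY:
            findings.append((key, f"{entry['holder']} unused {stale_days}+ days: confirm need"))
    return findings

if __name__ == "__main__":
    for key, finding in review_access(SAMPLE_DUMP, REGISTER, NOW):
        print(f"{key}: {finding}")
```

The findings list doubles as a record for the strata file that the review was carried out and what was revoked.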
Internet service pitfalls
- Service in a resident's name rather than the OC's
- Service in the building manager's personal name: when they leave, ownership is contested
- Cheap residential plan with no SLA when the system is genuinely safety-relevant
- Bundled ISP hardware with the VPN configuration locked to the ISP's gear: can't switch without rebuilding
- No static IP, so VPN access depends on dynamic DNS that periodically fails
Closing thought: the OC's actual job here
The temptation, looking at all of the above, is to defer to the installer. They're the experts; let them handle it. This is the single biggest mistake a strata committee can make with CCTV.
The installer's incentive is to install cameras quickly and move on. The OC's incentive is to have a system that works, is legal, doesn't expose the building to data breaches, and is still working properly in five years. These are not the same thing.
What the committee actually needs to do:
- Pass a proper by-law, drafted by a strata lawyer who knows the jurisdiction
- Procure an OC-owned internet service in the OC's name
- Specify security requirements in the install brief: VPN remote access, network segmentation, no port forwarding, no audio, surveillance-grade storage
- Get the install done by someone who can demonstrate they understand all of those
- Get a security review of the finished install before signing it off
- Document everything (architecture, access list, by-law, contracts) and keep it in the strata records
- Build firmware updates and access reviews into ongoing operations
- Review the whole arrangement every 2–3 years
None of this is hard individually. The skill is in not skipping any of the steps, even though every one of them is annoying and the system would technically work without it.
That, in essence, is the difference between a strata CCTV install that's still functioning, legal, and trusted in 2031, and one that's quietly become a botnet member, sitting on the building's roof, broadcasting footage of the basement carpark to whoever finds it.
