Article Summary
A recent Administrative Review Tribunal decision has clarified how Australian organisations can use facial recognition technology while remaining compliant with privacy law. The ruling reinforces that while facial recognition may be justified in limited circumstances such as crime prevention, businesses must ensure transparent practices, undertake proper risk assessments, and carefully balance safety objectives against individual privacy rights.
A recent decision by the Administrative Review Tribunal has affirmed the importance of responsible use of facial recognition technology (FRT), cementing key principles and protections within Australian privacy law.
Under the Australian Privacy Principles (APPs), organisations and agencies covered by the Privacy Act 1988 must comply with the stipulated regulations in certain areas of conduct, including dealings with or collection of unsolicited personal information and the security of personal information. These principles are outlined by the Office of the Australian Information Commissioner (OAIC) and emphasise open and transparent management of information.
Between November 2018 and November 2021, Bunnings Australia Limited trialled facial recognition CCTV throughout NSW and Victoria in order to identify repeat offenders of theft or violence against staff. The corporation has maintained that its intent was to protect the store, employees, and general public from “serious criminal conduct and organised retail crime”.
Under the trial system, facial scans of persons entering the stores were converted to a digital vector set and compared to a database of registered offenders. The images were immediately discarded if no correlation was found, but in the case of a match, staff would be notified to take appropriate action.
The Tribunal recently affirmed the OAIC’s finding that Bunnings contravened several of the APPs with its use of FRT, as the corporation failed to provide appropriate notice to individuals of its technological activity and should have completed a “formal, structured and documented” risk assessment, given that its FRT system compromised general civic privacy.
However, for the limited purpose of combatting retail crime and protecting individuals from theft and violence, the Tribunal found that Bunnings’ collection of solicited personal information was valid and the corporation was entitled to rely on exemptions to the requirement to obtain consent. This determination departed from that of the OAIC.
In reiterating the relevant factors to consider when judging whether an organisation is entitled to rely on exemptions to specific requirements, the Tribunal affirmed that, despite failing to notify consumers appropriately, Bunnings’ approach was suitable and effective insofar as it limited the impact on privacy “so as not to be disproportionate” when considered against the “benefits of providing a safer environment” for employees and the public.
It was also noted by the Tribunal that the company reasonably believed that collection of sensitive information could potentially assist in avoiding repeat offence of violence and theft.
The Tribunal emphasised the “strong protections for individual privacy” in the context of evolving technology, and that the significance and importance of APP entities in sustaining privacy governance cannot be overstated.
In light of this matter, it is essential that organisations or agencies covered by the Privacy Act comply with the stated principles and regulations, and maintain honest and transparent management of developing technologies in the workforce.
Following the previous determination of the OAIC, it was surmised initially that a crackdown on privacy breaches would ensue, particularly in the retail division; coincidentally, this decision was compounded with a similar interpretation of irresponsible FRT use by Kmart Australia Limited.
While safe and regulation-compliant use of FRT was certainly emphasised by the Tribunal in its recent judgment, it has also affirmed that, to some extent, collection of unsolicited personal information and the use of FRT is on occasion necessary to protect individuals and prevent crime. Following Kmart’s breach of privacy regulations, it was required to issue digital and physical public apologies.
If you have any questions regarding the APPs or need support to understand whether your workplace complies with the requirements of the Privacy Act, please contact our Intellectual Property + Technology team.
For further information contact Managing Director Ben Gouldson.