
Can You Lawfully Use Facial Recognition? Lessons from the Bunnings Case

Gina Tresidder, Macy Wight

Key takeaways

  • In a 2024 determination, the Privacy Commissioner (Commissioner) found that Bunnings Group Limited (Bunnings) had acted unlawfully in the way it implemented facial recognition technology (FRT) in its stores to identify people known to them as a safety risk (the Determination).
  • However, the Administrative Review Tribunal (Tribunal) has recently set aside the Determination, finding that Bunnings’ conduct fell within a statutory exception because Bunnings reasonably believed the use of FRT was necessary to address significant levels of violent and criminal conduct within its stores.
  • Although Bunnings succeeded on the use of FRT itself, the Tribunal found that it still fell short of key privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act): it did not clearly notify individuals that FRT was in use, did not properly explain its purpose, and lacked strong, documented privacy governance from the outset.
  • The Tribunal made clear that its findings were based on Bunnings’ specific operating environment and risk profile, and that similar circumstances will not exist for all retailers. Any organisation considering implementing FRT must assess its own risks, context and procedures before moving forward.

The background

In October 2024, following its own investigation, the Commissioner concluded that Bunnings’ use of FRT amounted to the unauthorised collection of “sensitive information” under section 6 of the Privacy Act. The Commissioner found that this conduct also breached several key privacy obligations including requirements to have adequate privacy governance in place, maintain an accurate and up‑to‑date privacy policy, and properly inform individuals when their personal information was collected.

The investigation focused on Bunnings’ use of FRT to manage risks associated with violent and criminal behaviour in its stores. Between November 2018 and November 2021, Bunnings used FRT in up to 62 stores. The Commissioner found that Bunnings interfered with individuals’ privacy by maintaining a database of people identified as potential risks and using FRT to compare images captured by in-store CCTV against the database to alert staff when a match occurred.

The technology

Bunnings’ facial recognition system used CCTV cameras at store entry points to capture facial images of people as they entered. Those images were converted by the system into an “Input Vector Set” (a numerical template of facial features) and compared against “Enrolled Vector Sets” stored in Bunnings’ watchlist database. If a match was detected, the system generated an alert to authorised staff, and if not, the Input Vector Set was deleted from the store server’s RAM once matching was complete – a matter of milliseconds.

The Tribunal agreed with the Commissioner that this amounted to collection. The facial images and Input Vector Sets were recorded and held in the local server’s RAM as a necessary step to run the matching process, and RAM qualifies as a “record” for Privacy Act purposes, so the information was gathered for inclusion in a record even if only momentarily. The Tribunal also found the material was sensitive information: the facial images were biometric information used for automated biometric identification and the vector sets were biometric templates, so the system collected sensitive biometric information from both enrolled and non-enrolled individuals.
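To make the capture, compare and discard loop described above concrete, the following Python sketch is an added, constructed illustration of a one-to-many biometric match. It is not Bunnings’ system or any vendor’s code; the four-dimensional vectors, the watchlist identifiers (WL-001, WL-002), the threshold values and the function names are all assumptions chosen for illustration. It shows two things the description leaves implicit: the only persistent artefacts are the enrolled templates and an alert record that references a watchlist entry rather than the probe, and the match threshold decides whether a non-enrolled shopper is wrongly flagged.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed, illustrative "Enrolled Vector Sets". Real face embeddings run to
# hundreds of dimensions; four is enough to show the mechanics. The entry IDs
# are hypothetical references into a separately held watchlist record.
WATCHLIST: Dict[str, List[float]] = {
    "WL-001": [1.0, 0.0, 0.0, 0.0],
    "WL-002": [0.0, 1.0, 0.0, 0.0],
}


@dataclass
class MatchResult:
    matched: bool
    entry_id: Optional[str]   # which enrolled template fired, if any
    score: float              # best similarity seen, reported even on no-match


def cosine(a: Sequence[float], b: Sequence[float]) -> float:
    """Cosine similarity between two templates; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


def match_probe(probe: Sequence[float], watchlist: Dict[str, List[float]],
                threshold: float) -> MatchResult:
    """One-to-many comparison: return the best enrolled template at or above threshold."""
    best_id: Optional[str] = None
    best_score = -1.0
    for entry_id, template in watchlist.items():
        score = cosine(probe, template)
        if score > best_score:
            best_id, best_score = entry_id, score
    if best_score >= threshold:
        return MatchResult(True, best_id, best_score)
    return MatchResult(False, None, best_score)


def scrub(vector: List[float]) -> None:
    """Overwrite the probe in place so this buffer no longer holds the template.
    Python cannot guarantee no other copy exists; a native implementation would
    zero a fixed buffer in the same way before releasing it."""
    for i in range(len(vector)):
        vector[i] = 0.0


def process_frame(probe: List[float], watchlist: Dict[str, List[float]],
                  threshold: float, audit_log: List[dict]) -> MatchResult:
    """The collect-compare-discard loop for one face captured at the entrance.

    Whatever the outcome, the probe is scrubbed before returning, and the audit
    record carries only an entry ID and a score, never the probe itself.
    """
    try:
        result = match_probe(probe, watchlist, threshold)
        if result.matched:
            audit_log.append({"event": "alert", "entry_id": result.entry_id,
                              "score": round(result.score, 3)})
        else:
            audit_log.append({"event": "no_match", "best_score": round(result.score, 3)})
        return result
    finally:
        scrub(probe)   # runs on both branches, and even if matching raises


if __name__ == "__main__":
    log: List[dict] = []
    enrolled_person = [0.98, 0.10, 0.10, 0.10]   # constructed: close to WL-001
    stranger = [0.75, 0.60, 0.20, 0.20]          # constructed: not enrolled
    print(process_frame(list(enrolled_person), WATCHLIST, 0.9, log))
    print(process_frame(list(stranger), WATCHLIST, 0.9, log))  # no match
    print(process_frame(list(stranger), WATCHLIST, 0.7, log))  # loose threshold: false match on WL-001
    print(log)
```

The third call is the point a practitioner should take away: the same non-enrolled vector is rejected at a threshold of 0.9 and wrongly matched to WL-001 at 0.7, so the retention and access controls only bound the harm if the threshold and the watchlist enrolment process are also governed.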

The decision

Even though the Tribunal found that Bunnings had collected sensitive biometric information without consent, it found that this did not of itself breach the Privacy Act because “a permitted general situation” existed, namely, that Bunnings:

  • had reason to suspect serious unlawful activity connected with its functions or activities; and
  • reasonably believed the collection was necessary to take appropriate action.

The relevant unlawful activity in this case was retail crime by repeat offenders, including theft, violence and abuse. The Tribunal noted that Bunnings had a reasonable basis for suspecting such activity and had implemented FRT to identify known repeat offenders and reduce further incidents.

It was reasonable for Bunnings to act in response to both violence (due to its impact on staff and customers) and theft (due to its significant financial impact).

The Tribunal accepted that FRT involved some intrusion into privacy but noted that the impact was limited because sensitive information was only briefly retained before deletion. The key issue was whether Bunnings reasonably believed the collection was necessary, and the Tribunal found that this belief was supported by the evidence.

Although Bunnings succeeded on the collection issue, the Tribunal upheld the Commissioner’s findings that Bunnings still breached core privacy obligations relating to privacy governance, privacy policy transparency, and front-end notification. In particular, the Tribunal noted that Bunnings had not undertaken a formal privacy impact assessment before deploying facial recognition and that its privacy policy did not clearly describe the collection and use of facial recognition data, despite the technology being used at scale.

On notification, the Tribunal accepted that Bunnings’ most explicit entry signage (introduced later in the rollout) stated: “Video surveillance, which may include facial recognition, is utilised.” However, the Tribunal still found this was not enough, because the use of the word “may” meant the signage did not clearly tell customers that facial recognition was in fact operating, and it also failed to communicate key basics, including why the information was being collected and the main consequences if it were not collected.

What it means for businesses 

The Tribunal was careful to emphasise that its decision turned on Bunnings’ particular circumstances, and should not be read as a general endorsement of facial recognition in retail. In reaching its conclusion, the Tribunal placed weight on:

  • the scale and layout of Bunnings stores (including multiple entry points and vehicle access);
  • the nature of the products sold (many of which could be used as weapons); and
  • extensive evidence of ongoing violent and criminal conduct by repeat offenders posing genuine safety risks to staff and customers.

The Tribunal also took into account the specific design and operation of Bunnings’ facial recognition system, including its narrow purpose, rapid deletion of non-matched data, restricted access, and low risk of misuse. Taken together, these factors meant the Tribunal’s reasoning was fact-specific, and it made clear that many retailers will not be able to point to the same combination of risks, operational context and technical safeguards.

Businesses using FRT should carefully assess their compliance with their obligations under the Privacy Act and particularly the Australian Privacy Principles (APPs). In particular:

  • Have you taken reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs when using FRT?
  • Does your privacy policy include all information required under the APPs?
  • Do you have consent for collecting biometric information, which is classed as “sensitive information” under the Privacy Act? If not, does an exception apply?
  • Do you notify individuals about your use of FRT, including through clear and sufficient signage or other appropriate notifications?

How we can help 

Russell Kennedy’s expert Privacy team can assist you by drafting and reviewing privacy policies, preparing compliant signage and updating practices, procedures and systems to ensure they align with the requirements of the Privacy Act.

If you’d like to stay up to date with Russell Kennedy Alerts and Events, you can subscribe to our mailing list here.

The information contained in this Insight is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the Russell Kennedy team.
