On 29 October 2024, the Australian Privacy Commissioner determined that the use of facial recognition technology (FRT) by Bunnings Group Limited (Bunnings) breached the privacy of individuals by collecting their personal and sensitive information.[1]
In her determination, the Privacy Commissioner noted that “There has been, and continues to be, significant public interest in the privacy aspects of FRT and its potential to increase surveillance and monitoring of individuals, as well as some of its limitations relating to bias and discrimination”.
What does this mean for businesses using (or considering using) FRT?
Background
Between November 2018 and November 2021, Bunnings, Australia’s largest hardware retailer, used an FRT system, which operated via Closed Circuit Television (CCTV), in 63 of its New South Wales and Victorian stores. The FRT system captured the faces of all shoppers entering the stores. Bunnings’ rationale for using the FRT was to identify individuals entering the stores who posed a risk to the safety and security of staff, other shoppers and/or stock, for example, due to previously behaving violently in a store. The majority of facial images were only captured for 4.17 milliseconds to compare against faces of individuals (previously involved in in-store incidents) which Bunnings had entered into a database. Bunnings considered that, while individuals posing a risk could be banned from stores, it was very difficult to enforce bans given stores had thousands of visitors each day. Using FRT made the process of removing identified individuals from stores easier.
The Privacy Commissioner’s determination sets out a detailed explanation regarding how the FRT system operated and was used by personnel.
What does the Privacy Act 1988 say?
The Australian Privacy Principles (APPs) are in Schedule 1 of the Privacy Act. The Office of the Australian Information Commissioner’s (OAIC) investigation considered whether Bunnings had complied with the following APPs:
- APP 3.3 – sensitive information can only be collected if an individual consents to the collection or an exception applies.
- APP 5.1 – reasonable steps must be taken to notify individuals about various matters concerning how their personal information is handled. Signs at the front of the stores stated initially “Video surveillance is utilised” and later “Video surveillance, which may include facial recognition, is utilised”.
- APP 1.2 – reasonable steps must be taken to implement practices, processes and procedures to ensure compliance with the Privacy Act.
- APP 1.3 – Privacy Policies must be clearly expressed and up-to-date.
Facial images captured by FRT are biometric information, which is “sensitive information” under the Privacy Act. Sensitive information has greater privacy protections under the Privacy Act than ordinary personal information, such as an individual’s name and address.
Privacy Commissioner’s Determination
The Privacy Commissioner determined that Bunnings had interfered with the privacy of individuals by failing to comply with the APPs. In particular, Bunnings did not:
- collect the facial images (ie sensitive biometric information) with the individuals’ consent and none of the exceptions which permit collection without consent were applicable.
- notify individuals about the purposes of the collection – the signs and privacy posters at the front of the stores were not sufficiently clear.
- take reasonable steps to implement practices, procedures and processes to comply with the APPs. Bunnings had not implemented written policies and procedures concerning the use of FRT before it commenced use – the policies and procedures could have addressed, for example, circumstances in which FRT can be used, staff access controls, the process for assessing positive matches and staff training.
- state in its Privacy Policy that the facial images were being collected and how that information was being collected and held.
The use of FRT in Bunnings’ stores indiscriminately collected individuals’ sensitive information without adequate notification and consent. The use of the FRT was not reasonable to stop actual or suspected unlawful activity given the very small number of individuals who posed risk.
Bunnings must by 20 December 2024 make a statement available on its homepage at www.bunnings.com.au (for at least 30 days) which sets out detailed information regarding its use of the FRT.
What does this mean for other businesses?
In determining that Bunnings had interfered with the privacy of individuals by its use of FRT, the Privacy Commissioner has noted that this determination was based on very specific facts and circumstances in a retail setting. While Bunnings had submitted that many other entities use FRT, the Privacy Commissioner noted that the use of FRT at entry points of retail stores is not comparable to the use of FRT in settings such as stadiums or airports “because those facilities have a different purpose and risk profile”. “Nor can the respondent’s use of the FRT system be compared to users of smart devices in situations where those users consent to and proactively enable a facial recognition function”.
Businesses already using (or wishing to use) FRT should be studying this decision closely and assessing whether the use of FRT is reasonable in all of the circumstances. Where FRT is used, adequate notice must be provided to individuals before any facial recognition images are collected; the use of FRT must also be addressed in the business’s Privacy Policy; and the business must ensure that it has adequate policies and procedures for the use of FRT in place and that staff training has been conducted.
What next for Bunnings?
Bunnings has stated that it will be seeking a review of the Privacy Commissioner’s determination on the basis that it considers that using the FRT balanced privacy appropriately with Bunnings’ need to protect staff from violence and organised crime.
We will be following closely any review of the Privacy Commissioner’s decision by the Administrative Review Tribunal while we await the outcome of the OAIC’s investigation into the use of FRT by Kmart.
[1] Commissioner Initiated Investigation into Bunnings Group Ltd (Privacy) [2024] AICmr 230 (29 October 2024), available at: https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmr/2024/230.html.