
You can read our article Key lessons from the Bunnings facial recognition decision for more insight.

What you need to know

The Guidance and Appeals Panel (GAP) of the Administrative Review Tribunal (ART) has handed down its decision in Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130 (4 February 2026), setting aside the Privacy Commissioner’s finding that Bunnings’ collection of biometric information (sensitive information) was not authorised under APP 3.3 and instead finding that it was authorised under APP 3.4.

The GAP also affirmed the Privacy Commissioner’s finding that Bunnings had failed to comply with its obligations:

  • under APP 5.1 by not adequately informing its customers about its collection of their sensitive information, the purpose for collecting it or the consequences of not collecting it. It also failed to inform its customers of the relevant facts at or before the time of collection or, if that was not practicable, as soon as practicable after the collection;

  • under APP 1.2 by not completing a formal privacy threshold assessment or privacy impact assessment prior to implementing its FRT system, and

  • under APP 1.3 because none of its privacy policies at the relevant time referred to its use of an FRT system, its collection of sensitive information or how this information was collected and held by Bunnings.

The OAIC’s statement on the GAP’s decision: OAIC statement on Administrative Review Tribunal’s Bunnings decision | OAIC

Background

A landmark determination was handed down by the Office of the Australian Information Commissioner (OAIC) on 29 October 2024, finding that Bunnings Group Limited (Bunnings) had interfered with the privacy of the individuals whose personal information and sensitive information it collected through its facial recognition technology (FRT) system (Commissioner Initiated Investigation into Bunnings Group Ltd (Privacy) [2024] AICmr 230).

Specifically, the Privacy Commissioner found that Bunnings breached:

  • APP 3.3 in relation to the collection of sensitive information (Issue 1);
  • APP 5.1 in relation to adequate notice (Issue 2); and
  • APP 1.2 and 1.3 in respect of transparency (Issue 3).

The case, already notable for its implications for digital privacy, took on added weight when it was referred to the ART’s GAP, a mechanism reserved for matters of broad public and administrative significance.

Issue 1 – Did Bunnings Collect Sensitive Information And If So, Was It Authorised?

Was personal information collected by Bunnings?

A threshold question in the Bunnings facial recognition case was whether the company collected personal information for the purposes of the Privacy Act 1988 (Cth) (Privacy Act). The GAP examined several arguments raised by Bunnings and ultimately rejected each of them.

The CCTV and FRT Systems Were Not Separate

Bunnings argued that its FRT system did not collect personal information of non-enrolled persons because the CCTV and FRT systems were two separate systems. The GAP disagreed. It found that the FRT system included the CCTV cameras as part of its operation, meaning the system did collect personal information in the form of facial images of everyone captured.

Creating Image Vectors Was Still ‘Collection’

Bunnings also claimed that creating vector sets and running the matching process were merely steps taken to decide whether to collect information, not a collection in itself. The GAP rejected this argument, finding that:

  • creating information (such as vector sets) is a recognised form of collection (i.e. collection by creation);
  • the vector sets were stored in the local server’s RAM, even if only for 4.7 milliseconds. RAM is a computer’s working memory, the primary location in which data is held while a program executes; and
  • the Privacy Act does not impose any minimum time threshold for collection.

Because the data was held in RAM to enable the matching process, it was considered to have been collected.

Excluding Unmatched Data Did Not Avoid Collection

Bunnings contended that because unmatched images and vector sets were immediately discarded and never written to a permanent record, they were not ‘collected’: the matching was performed in order to exclude them from, rather than include them in, a record. The GAP again disagreed. It found that:

  • facial images and vector sets were still input into the system;
  • they were held in RAM long enough to complete the matching process; and
  • this temporary storage constituted collection for inclusion in a record.

The GAP concluded that Bunnings collected the personal information of both enrolled and non-enrolled individuals. Even momentary storage in RAM was sufficient to constitute collection under the Privacy Act.

Is the information collected by Bunnings ‘sensitive information’ as defined under the Privacy Act?

The GAP found that the facial images collected by the CCTV component of Bunnings’ FRT system were sensitive information as defined in s 6(1) of the Privacy Act. The context of the collection was central to this conclusion.

The GAP emphasised that when an entity collects facial images for the purpose of biometric identification, those images fall within the definition of sensitive information even if they have not yet been processed, extracted or mathematically transformed into biometric templates. The act of collecting facial images for identification purposes using an FRT system is enough to bring them within the statutory definition.

This meant that the images captured by the CCTV cameras, when used as part of the FRT workflow, constituted sensitive information from the moment of capture.

Did a permitted general situation exist to authorise the collection of sensitive information?

Under APP 3.3, an APP entity may only collect sensitive information if the information is reasonably necessary for (or, in the case of an agency, directly related to) one or more of the entity’s functions or activities and the individual to whom the information relates consents to the collection, or an exception under APP 3.4 applies.

One such exception under APP 3.4 is where a permitted general situation (PGS) exists. The PGS are set out in s 16A of the Privacy Act, and if a PGS applies, the entity is not required to obtain consent to collect the sensitive information. In Bunnings’ case, that meant consent was not required for the collection of biometric information.

PGS Item 2 – Unlawful Activity

Item 2 in s 16A is a two limbed test:

  • (a) the entity has reason to suspect that unlawful activity of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and
  • (b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.

In relation to the first limb of the test, the GAP noted that Bunnings ‘faced a very real and serious problem of violence and theft in its stores’[1] and had invested significant resources into dealing with the issue. In finding that the first limb was met, the GAP relied on the evidence provided by Bunnings, which included examples of the unlawful activity experienced by Bunnings staff over a period of time and various witness statements, including one from Bunnings’ National Investigations and Security Manager, who stated that during his employment with Bunnings he had supervised hundreds of investigations into criminal and abusive activity committed in Bunnings stores against staff and customers.

In relation to the second limb, the GAP identified the following:

  • Bunnings must show that, on the balance of probabilities, it held a reasonable belief that the collection of sensitive information was necessary in order for it to take appropriate action in relation to the unlawful activity. It is Bunnings’ belief as to what action was appropriate to take that is relevant. The starting point is to consider the evidence as to what Bunnings believed was appropriate action, and then to consider whether the objective facts and circumstances were sufficient to induce that belief in a reasonable person.
  • Bunnings’ belief was expressed through the evidence of its National Investigations and Security Manager, who believed it was reasonable to use certain security measures because violent and abusive behaviour posed serious risks to staff and customers, and theft significantly affected Bunnings’ profits. This was supported by significant evidence. The APP Guidelines state that ‘appropriate action’ depends on the nature of the suspected unlawful activity and may include investigating or reporting misconduct where necessary.
  • Experts called as witnesses by Bunnings and the Commissioner provided a Joint Report to the GAP in which they agreed that, given the incidents experienced in Bunnings stores, it was reasonable for Bunnings to explore new security controls aimed at recidivist offenders. Although Bunnings recognised that FRT had limitations, particularly with first‑time offenders, it believed the system still delivered meaningful benefits.
  • The opinions of the experts were relevant to the reasonableness of the belief, and the benefits of the FRT system had to be weighed against the privacy intrusions inherent in it.
  • The GAP had to assess whether that belief was reasonable by weighing those benefits against the privacy impacts. Three factors guide that assessment:
    • Suitability: whether FRT was an effective response to repeat offending
    • Alternatives: whether less privacy‑intrusive options were available
    • Proportionality: whether the privacy intrusion was justified by the benefits gained

Suitability – Bunnings submitted that its FRT system generated a significant number (high hundreds) of alerts during the period it was in operation, and staff consistently found the system to be highly effective in identifying known offenders. Bunnings provided multiple examples where FRT successfully detected previous or repeat offenders, demonstrating practical value in addressing in-store crime.

Bunnings acknowledged that the system produced some false positives. However, the risk of acting on an incorrect match was mitigated through human intervention: every match was manually reviewed by a staff member before any action was taken. This oversight ensured that false positives did not lead to inappropriate responses.

The GAP ultimately concluded that FRT was a suitable and effective tool for addressing retail crime committed by repeat offenders in the circumstances. When used alongside Bunnings’ existing security measures, collecting sensitive information through FRT enabled the company to identify and, where necessary, monitor known offenders, reducing the likelihood of theft, violence or threatening behaviour in its stores.

Alternatives – Prior to implementing the FRT system, Bunnings had various measures in place for addressing retail crime, including CCTV, covert security guards, prohibition notices and a system of security alerts so that Bunnings team members and covert loss prevention officers could keep a lookout for offenders depicted in those alerts.

The GAP found that no other security measure could reliably and consistently identify repeat offenders in Bunnings’ large, complex retail environment. Expert evidence showed that options such as staff recognition, CCTV monitored by humans, covert or non-covert guards, and anti-theft devices were all less effective. While some experts suggested these measures could complement FRT, none could replace it. The GAP concluded that no less privacy-intrusive alternative could achieve the same outcome.

Proportionality – The GAP accepted that FRT involved a serious intrusion into privacy because it captured facial images of almost all customers. However, it also noted that the system held non-matched data only momentarily in RAM and deleted it almost instantly, reducing the risk of misuse.

When weighed against the serious safety risks posed by repeat offenders and the unique challenges of Bunnings’ stores, the Panel found that the privacy impact was not disproportionate to the benefits of improved safety and crime prevention.

Conclusion on reasonable belief

The GAP was satisfied that Bunnings faced a genuine and significant problem with repeat offenders and that FRT enabled the identification of known offenders in a way no other security measure could. On this basis, it was reasonable for Bunnings to believe that using FRT would help reduce further offending and improve safety for staff and customers.

Although the technology involved a notable intrusion into customer privacy, the system’s design minimised that intrusion by holding sensitive information only momentarily before permanently deleting it.

The legislation centres on whether Bunnings reasonably believed the collection was necessary. The GAP found that Bunnings did hold a reasonable belief, and that the belief was reasonable in light of the objective circumstances.

Issue 2 - Did Bunnings Adequately Notify Customers?

Having determined that Bunnings did collect sensitive information, the GAP assessed whether Bunnings had complied with APP 5.

Bunnings displayed several notices over time, including an initial entry notice (first entry notice), a later revised notice (second entry notice) and a privacy poster, displayed throughout the relevant stores.

Because the collection involved sensitive information and represented a serious intrusion into privacy, the GAP found it reasonable to expect Bunnings to clearly notify customers of the matters in APP 5.2(b), (d) and (e), namely, what was being collected, why, and the consequences of not collecting it.

Findings:

  • first entry notice: Non-compliant. It did not tell customers that Bunnings was collecting their sensitive information via an FRT system, the purpose of the collection or the consequences of not collecting it;
  • second entry notice: Non-compliant. It made no reference to FRT, and the privacy policies it directed customers to also failed to mention FRT or the collection of sensitive information; and
  • privacy poster: Non-compliant. Its use of the word ‘may’ failed to clearly communicate that FRT was actually in use, and the notice did not explain the purpose of the collection or the consequences of opting out, as required by APP 5.2.

The GAP emphasised that APP 5.1 requires notification at or before the time of collection or, if that is not practicable, as soon as practicable after the collection. Across all notices, Bunnings did not provide customers with the essential information needed to understand that FRT was operating in its stores.

Issue 3 – Governance and Privacy Management

The GAP found that Bunnings failed to comply with both APP 1.2 and 1.3 in relation to its governance of the FRT system.

APP 1.2

Because Bunnings was collecting sensitive information, and doing so in a way that constituted a serious privacy intrusion, the GAP held that reasonable steps required a formal, structured and documented privacy impact assessment from the outset. This assessment should have examined the privacy risks associated with implementing FRT and informed Bunnings’ decision-making.

Bunnings did not conduct such an assessment before deploying the system, and the GAP concluded that this omission meant it had not taken reasonable steps to ensure compliance with the APPs or to manage privacy risks appropriately.

APP 1.3

The GAP also found that Bunnings failed to comply with APP 1.3, which requires an entity to have a clearly expressed and up-to-date privacy policy containing the information specified in APP 1.4.

None of Bunnings’ privacy policies at the relevant time referred to:

  • its use of FRT;
  • its collection of sensitive information; and
  • how that information was collected, stored and handled.

These omissions meant the policies did not meet the content requirements under APP 1.4, and customers were not provided with the transparency required under the Privacy Act.

If you would like to discuss any of these key takeaways in more detail, please contact Partner and Privacy specialist, Kelly Matheson.


[1] Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130 (4 February 2026) at [97]
