For more insight, you can read our article "Bunnings use of facial recognition - Appeal Panel decision decided collection is authorised".

The Appeal Panel’s decision in Bunnings Group Limited and Privacy Commissioner offers important guidance for any organisation considering the use of facial recognition technology (FRT).

While the Panel ultimately found that Bunnings’ collection of biometric information was authorised under APP 3.4, it also highlighted the significant responsibilities that come with deploying such a system, finding that Bunnings had failed to comply with its obligations under APPs 1.2, 1.3 and 5.1.

Balancing Privacy Intrusion and Benefit

Implementing FRT inevitably involves collecting and handling sensitive information. Because this represents a substantial intrusion into individual privacy, organisations must be able to clearly demonstrate that the benefits of using FRT outweigh the intrusion. This begins with defining the problem the technology is intended to address and showing that FRT is a proportionate response to the risks/problems identified.

Establishing the need for FRT

A strong justification requires evidence that the issue cannot be effectively addressed through less privacy‑intrusive measures. In the Bunnings case, the company had extensive documentation of repeat offending, prior initiatives that had failed to resolve the problem, and due diligence showing that FRT was the only measure capable of reliably identifying recidivist offenders.

Testing and phased implementation

A pilot or phased rollout can help demonstrate the system’s effectiveness, identify technical issues early, and provide evidence that the technology meaningfully addresses the defined problem.

Maintaining human oversight

Human agency remains essential. Human oversight and intervention help mitigate risks associated with false positives or false negatives and ensure that decisions do not occur in isolation.

Embedding privacy by design

A privacy‑by‑design approach requires conducting a privacy impact assessment and other relevant risk assessments—such as cybersecurity assessments—before implementation.

Seeking privacy advice at the procurement stage helps ensure that contractual arrangements with third‑party providers uphold strong privacy and security standards.

Obtaining a comprehensive privacy assessment during the design phase will ensure appropriate policies and procedures are implemented (in compliance with APP 1.2). One example is a policy for your FRT system watchlist/Enrolled Person database that identifies when to enrol a person, when to remove a person, the reasons for enrolling a person, and escalation procedures.

Transparency and social licence

Clear communication builds trust. Privacy notices, policies, posters and signs must explain, clearly and in sufficient detail, what information is collected, why it is collected, how it is handled, and what happens if it is not provided. Transparency is central to maintaining community confidence in the use of FRT.

Documenting reliance on exceptions

Where an organisation relies on an exception that permits the collection of sensitive information without consent, the basis for that reliance must be thoroughly documented and supported by evidence. A privacy impact assessment is a key tool for doing so.

If you would like to discuss any of these key takeaways in more detail, please contact Partner and Privacy specialist, Kelly Matheson.
