The Administrative Review Tribunal (ART) has held that Bunnings Group Limited’s (Bunnings) use of facial recognition technology (FRT) to identify high-risk individuals entering its stores was permitted under the Privacy Act ([2026] ARTA 130).

This decision overturns a key part of an earlier finding by the Australian Privacy Commissioner, which, in short, held that Bunnings had breached the Privacy Act in using FRT ([2024] AICmr 230). The decision is instructive for businesses considering similar technologies.

Background

Between 2018 and 2021, Bunnings implemented FRT in several of its stores. The FRT analysed the CCTV footage of people entering Bunnings’ stores and compared their faces against a database of individuals considered high-risk. This database of high-risk individuals included people who had previously engaged in actual or threatened violence at Bunnings, organised retail crime and other inappropriate or criminal conduct.

When a match was detected with an individual on the database, the FRT system would send an alert to a Bunnings employee, who would then visually compare the CCTV footage with the image stored in the database. If confident of a match, further action would then be taken, such as notifying in-store security guards and store managers.

If no match was detected, then the information would be automatically deleted from the FRT system. This process occurred within an average of 4.17 milliseconds, from when the footage was entered into the FRT system to when it was deleted.

ART decision: key finding

The key finding of the ART is that Bunnings’ use of its FRT system (and associated collection and use of personal information and sensitive information) fell within a ‘permitted general situation’ (see Australian Privacy Principle (APP) 3.4(b) and section 16A of the Privacy Act).

This finding matters because where a permitted general situation applies, Bunnings is not required to obtain individuals’ consent before collecting and using their sensitive information through the FRT. Given the nature of Bunnings’ operations and interactions with customers, and the purpose of the FRT, it would be impossible for Bunnings to seek and obtain this kind of consent.  

Bunnings argued that two permitted general situations arose:

  • Bunnings reasonably believed the collection, use or disclosure was necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

  • Bunnings suspected unlawful activity or serious misconduct and reasonably believed that the collection, use or disclosure was necessary to take appropriate action.

In assessing what is a ‘reasonable belief’, the ART considered the objective facts and circumstances at the relevant time, and whether such facts and circumstances were sufficient to induce the belief in a reasonable person.

Here, the ART had regard to the seriousness of the conduct that Bunnings sought to address (that is, repeat offending including theft, violence and abuse), and assessed the reasonableness of Bunnings’ belief that FRT could address these issues by considering:

  • Whether the collection of sensitive information using FRT was a suitable and effective response to the problem of repeat offenders (suitability).

  • Whether less privacy-intrusive alternatives were available to address that problem (alternatives).

  • Whether the collection of sensitive information using FRT was proportionate, which involved balancing the privacy impacts resulting from the collection of sensitive information against the benefits gained by using FRT to collect sensitive information (proportionality).

The Privacy Commissioner considered these factors when assessing whether the collection, use or disclosure was “necessary” under section 16A, rather than whether Bunnings held a reasonable belief.   

The ART came to a different conclusion from the Privacy Commissioner in finding that Bunnings’ use of FRT was suitable, that there were no comparable alternatives to the FRT, and that the impact on privacy was not disproportionate to the benefits achieved in both relevant categories of permitted general situations. Evidence about the decision-making process that led to Bunnings’ deployment of FRT (including its assessment of alternative solutions), its assessment of the privacy risks with the FRT, as well as evidence of case studies of its use of FRT, formed a key part of the ART’s decision.

Collection can occur even if momentary

The ART agreed with the Privacy Commissioner on the issue of whether Bunnings collected personal information of both matched and unmatched individuals in the FRT, even though the relevant image was held for only 4.17 milliseconds, on average. As stated at [59], the ART accepted the Privacy Commissioner’s views (albeit also conceded by Bunnings) that there is “no minimum temporal threshold for collection”. 

In the end, Bunnings did not need to succeed on this point, as it succeeded on the permitted general situation issue. However, this issue highlights that even a momentary holding of personal information can amount to a collection “for inclusion in a record” under the APPs. 

Facial images can constitute biometric information

The ART also confirmed that a facial image collected by an entity for the purpose of biometric identification will constitute biometric information and, therefore, be sensitive information, under the Privacy Act. 

This matters because the standards that apply to the collection, use and disclosure of sensitive information under the Privacy Act are higher than those that apply to personal information that is not sensitive (although it should be noted that biometric information, as a category of sensitive information under the Privacy Act, does not also have to be personal information, as other categories of sensitive information do). Entities that are considering deploying FRT or other biometric identification systems will need to consider whether the relevant source data they are collecting is or will become biometric information when used with such systems.

Key takeaways

A central takeaway from this decision is that any assessment as to whether the use of FRT (or any other privacy-impacting technology) falls within a permitted general situation must be done within the specific facts and circumstances that apply to the relevant entity. 

Bunnings’ success on the key issue in the case turned on a very specific assessment of the FRT in question, as well as the particulars of Bunnings’ business. As such, the ‘green light’ for Bunnings’ use of FRT should not be seen as general approval of FRT, or of the use of FRT in different kinds of businesses or in different circumstances.

A further takeaway is the importance of ensuring that an appropriate privacy impact assessment is performed as part of the assessment and decision-making process for new privacy-impacting tools or systems. Although Bunnings succeeded on the main issue, the ART agreed with the Privacy Commissioner that Bunnings had failed to:

  • Give sufficient notice to its customers that FRT was being used in its stores (per APP 5.1).

  • Ensure its privacy policy appropriately documented its use of FRT (per APP 1.3).

  • Take reasonable steps in the circumstances to implement appropriate practices, procedures and systems relating to its deployment of FRT (per APP 1.2). While Bunnings had taken some steps to do so, the ART found that these were ad hoc and reactive and did not ensure that Bunnings’ use of FRT complied with the APPs.

In light of the inherent privacy risks entailed in the use of FRT, the ART states that it would have been reasonable in the circumstances for Bunnings to have conducted a formal, structured and documented risk assessment of the FRT system from the outset.  

Such a risk assessment would also likely have addressed the deficiencies identified under APPs 5.1 and 1.3.