Compliance Updates

Facial Recognition and Privacy: Updated OAIC Guidance (Post-Bunnings ART Decision)

A recent Privacy Commissioner determination against a major Australian retailer — and the subsequent updated OAIC guidance on facial recognition technology (FRT) — has significant implications for any organisation using CCTV systems with facial recognition or analytics capability. For facilities managers and strata committees who have deployed, or are considering, smart camera systems with FRT features, this determination is essential reading.

What happened

The Privacy Commissioner investigated a retailer’s use of FRT to capture facial images from in-store CCTV footage, convert them into “vector sets” representing facial features, and compare these against a database of individuals previously flagged for incidents such as theft or violent behaviour. Even where no match was found — with the image and vector set discarded in around 4.17 milliseconds — the Commissioner found this brief processing still constituted “collection” of sensitive information under the Privacy Act 1988 (Cth).

The determination found the retailer breached the Privacy Act on several fronts: it failed to obtain valid consent, its in-store signage did not clearly disclose that FRT (as opposed to generic “video surveillance”) was in use, it had not conducted a privacy impact assessment (PIA), and its privacy policy did not adequately describe the FRT system. The Commissioner ordered destruction of all information collected via the system within 12 months and one day of a public statement being published. The retailer has indicated it will seek review before the Administrative Review Tribunal, citing a reported 50 per cent increase in threatening incidents in its stores over the past year.

Operational implications for security integrators and site operators

This determination matters well beyond large retail chains. Many modern VMS platforms and edge cameras now ship with facial recognition, face-matching watchlists, or similar analytics enabled or available as an add-on module. Facilities managers, strata committees and club operators running these systems — even at a smaller scale than the retailer in question — should take note of several practical takeaways:

  • Generic “CCTV in operation” or “video surveillance” signage is very unlikely to satisfy notification obligations if any form of facial recognition or biometric matching is enabled. Signage needs to explicitly reference facial recognition and explain the purpose of collection.
  • Consent exceptions under the Privacy Act are narrow. Relying on the “serious threat” or “unlawful activity” permitted situations requires a genuine, reasonable, case-by-case belief — not a standing watchlist system used as a general deterrent.
  • Momentary processing (matching against a database in milliseconds before discarding) does not avoid the definition of “collection.” Any FRT-capable system, even one that only retains match hits, is likely to be caught by the Privacy Act.
  • A privacy impact assessment — or at minimum a documented privacy threshold assessment — is considered best practice before deploying or expanding any FRT capability.
  • Privacy policies need specific reference to facial recognition and biometric processing where these features are enabled, not just general references to “security cameras.”

The Mallen take

Most sites we work with in NSW are not running dedicated FRT watchlist systems, but an increasing number of VMS and camera platforms bundle facial recognition or face-matching as a licensed feature that can be switched on with a few clicks. That ease of activation is exactly the risk this determination highlights: enabling a feature because it’s available is not the same as having a lawful basis to use it.

Before any client enables facial recognition or biometric analytics on an existing camera estate, we’d recommend treating it as a genuinely new system deployment — with its own consent, signage, policy and impact assessment requirements — rather than a configuration toggle on an existing CCTV installation. This is a good moment for building owners and operations managers to check what analytics licences are actually enabled on their VMS, and whether site signage and privacy documentation match what the system is actually doing. This is exactly the kind of gap that shows up during the Mallen site audit process, alongside broader documentation of camera coverage and device registers.

For sites using CCTV and video analytics platforms such as Milestone or exacqVision, it’s worth confirming with your integrator exactly which analytics modules are licensed and active, and ensuring privacy documentation is updated accordingly — well before any regulator or reviewing tribunal asks the question for you.

Original source: Norton Rose Fulbright