NSW hotels and clubs with gaming machines have a new compliance obligation on the radar. On 18 March 2026, the NSW Government released the Code of Practice: Facial Recognition Technology in Hotels and Clubs under the Gaming Machines Act 2001. While the Code is currently voluntary, the Government has explicitly framed it as an interim step toward a future mandatory statewide facial recognition technology (FRT) exclusion register. For club operations managers and facilities teams, the message is clear: the infrastructure and policy groundwork you lay now will determine how smoothly you transition when mandatory requirements land.
What the Code Actually Requires
The Code addresses five distinct areas that venues must work through to demonstrate responsible FRT deployment. These are not abstract policy commitments — each area has direct operational and technical implications for the people responsible for running and maintaining venue systems:
- Hardware installation: The physical placement, field-of-view, and integration of cameras used for facial recognition are in scope. This is not a matter of repurposing an existing CCTV feed without review — FRT deployments require considered camera positioning to achieve reliable capture of patron faces at entry and gaming-floor access points.
- Data security and storage: Biometric data — which facial images and facial templates unambiguously are — carries the highest sensitivity classification under Australian privacy law. How that data is stored, who can access it, how long it is retained, and how it is disposed of must all be documented and enforced.
- Privacy protections: The Commonwealth Privacy Act 1988 applies to biometric information regardless of what a state Code does or does not require. Venues collecting facial images of patrons are handling sensitive information under the Act and must meet the Australian Privacy Principles accordingly.
- Signage display: Patrons must be informed that FRT is in use. The Code requires appropriate signage, which means venues need to consider placement at all relevant entry points — not just the gaming room door.
- Staff responses to FRT alerts: Technology alone does not enforce exclusions. When the system generates an alert for a self-excluded patron, staff need a documented, rehearsed response procedure. Without this, the FRT investment delivers limited harm-minimisation benefit and creates procedural liability.
The Privacy Act Dimension — Why This Matters Beyond Gaming Compliance
It is worth being precise about the legal context here. The NSW Gaming Machines Act 2001 provides the regulatory framework for the Code, but the Commonwealth Privacy Act 1988 operates independently and is not optional. Biometric data — including facial images used to identify individuals — constitutes sensitive information under the Act. Venues that deploy FRT without a lawful basis for collection, without adequate security measures, and without clear retention and disposal policies are exposed to regulatory action from the Office of the Australian Information Commissioner (OAIC), entirely separate from any gaming regulator inquiry.
This dual-regulator exposure is something facilities managers and club operations managers need to communicate clearly to their boards and ownership groups. The FRT Code is not just a gaming compliance checkbox — it sits at the intersection of gaming regulation and national privacy law.
Operational and Technical Implications for Your Venue
From a systems integration standpoint, deploying FRT in a hotel or club gaming environment involves more moving parts than a standard CCTV upgrade. Venues considering compliance with the Code — or preparing for when it becomes mandatory — should be thinking through the following:
- Camera specification and placement: FRT accuracy is heavily dependent on image quality, lighting consistency, and the angle at which patron faces are captured. Cameras used for general surveillance are often not positioned or specified for reliable facial recognition. A site assessment by a qualified integrator should be the starting point before any FRT software is selected or trialled.
- Network segmentation: Biometric data in transit and at rest needs to be protected. That means the network infrastructure carrying FRT data — from cameras to server or cloud endpoint — should be isolated from general venue Wi-Fi and POS networks. VLAN segmentation and appropriate firewall rules are baseline requirements, not optional extras.
- System integration with self-exclusion registers: The Code’s purpose is identifying patrons who have self-excluded. That requires the FRT system to be matched against a register of excluded patrons. Venues need to understand how that register is populated, who maintains it, and how the FRT platform interfaces with it — particularly as the NSW Government moves toward a statewide register.
- Audit logging and access controls: Any system handling sensitive biometric data should maintain tamper-evident logs of who accessed what data and when. Role-based access controls must ensure that only authorised staff can view FRT alert data or access stored facial templates.
- Data retention and disposal: Biometric data should not be retained beyond the period necessary for its purpose. Venues need a documented retention schedule and a verifiable disposal process — deletion from a server alone may not be sufficient if data has been replicated to backup systems.
Mallen Services Perspective
As an electronic security and BMS-network integrator working across NSW clubs, pubs, and entertainment venues, Mallen Services sees this Code as an inflection point for the sector. The venues that treat this voluntary period as preparation time will be in a materially better position when mandatory requirements are gazetted — both in terms of technical readiness and staff procedural confidence.
There are real risks in moving too quickly without proper groundwork. Deploying FRT hardware before the network infrastructure is ready to carry and protect biometric data, or before staff have documented response procedures, creates a system that generates alerts the venue is not equipped to act on — and that stores sensitive data without adequate controls. That combination is precisely the kind of scenario that draws regulatory attention.
If your venue is beginning to scope an FRT deployment, or if you have existing surveillance infrastructure you are considering adapting for this purpose, the starting point should be a structured site and systems assessment — not a camera purchase. Mallen Services can assist with camera placement review, network segmentation design, and integration planning for FRT environments in gaming venues. Speak with our team to understand what your current infrastructure can support and what gaps need to be addressed before any FRT system goes live.
Original source: https://truebluecompliance.com.au/blogs/news/nsw-hotels-and-clubs-new-facial-recognition-technology-code-what-you-need-to-know