Bunnings Facial Recognition Breach: Why Your Business Needs to Get Privacy Right
On 19 November 2024, Privacy Commissioner Carly Kind published her determination that Bunnings Group Limited breached the Privacy Act by collecting personal and sensitive information through the use of facial recognition technology.
Using this technology, operated via CCTV, Bunnings captured the faces of every person entering 63 Bunnings stores in Victoria and New South Wales between November 2018 and November 2021.
Commissioner Kind highlighted that facial recognition technology can help protect against serious issues like crime and violent behaviour, but stressed that its use must be balanced against privacy rights and societal/moral values. In this case, the technology was deemed the most intrusive option available to Bunnings, and it was found to have disproportionately interfered with the privacy of all individuals entering the stores, not just high-risk individuals. Further, alternative, less intrusive options were available to achieve the same objectives.
Key Findings
The Commissioner’s key findings can be summarised as follows:
- Bunnings collected the sensitive information of individuals without their consent (exceptions under the Privacy Act did not apply);
- Bunnings failed to take reasonable steps to notify individuals about the facts, circumstances and purposes for their information being collected, as well as the consequences if they declined for their information to be collected;
- Bunnings failed to take reasonable steps to implement practices, procedures and systems to ensure its use of the facial recognition technology complied with the Australian Privacy Principles; and
- Bunnings failed to include in its privacy policy information about the kinds of personal information it collected and held, and how it collected and held that information.
Whilst Bunnings has indicated that it will seek a review of the Privacy Commissioner’s decision, this decision serves as a reminder to all organisations to consider the impact of technology on privacy and ensure compliance with privacy obligations.
Here are some essential services we offer to ensure that your business stays compliant and avoids privacy law breaches:
- Data Protection & Privacy Compliance
We can guide your business through the ins and outs of Australian privacy regulations, helping you implement robust data protection strategies. With rising concerns over data collection methods, ensuring that your business adheres to the Privacy Act is essential for avoiding penalties.
- Technology and Compliance Consulting
As Bunnings’ case illustrates, using emerging technologies such as facial recognition comes with significant responsibility. We can help you ensure that your use of technology aligns with regulatory requirements and community expectations, mitigating potential legal risks.
- Privacy Policy Reviews & Updates
We’ll ensure that your privacy policies and procedures are clear, transparent, and in compliance with all relevant laws. If your business is collecting sensitive data, it’s essential to provide proper notice to customers and obtain their consent before doing so.
- Legal Risk Management & Strategy
We offer comprehensive legal risk assessments and help businesses implement proactive strategies to manage any potential liabilities related to data privacy and consumer protection.
Don’t let privacy issues put your business at risk. Contact Quest Legal today to ensure your business is protected against the evolving landscape of privacy regulations.