Biometric information under the Privacy Act — facial recognition and the OAIC's 2024 determination

How the Privacy Act treats biometric information including facial recognition, and the OAIC's 2024 Bunnings determination on FRT in retail.

Rules Mate Editorial · Published 1 June 2026 · 2 min read

Biometric information as sensitive information

Biometric information falls under the definition of 'sensitive information' as outlined in section 6 of the Privacy Act 1988 (Cth). This classification applies specifically to biometric information used for automated biometric verification or identification. Furthermore, biometric templates that are derived from this information are also considered sensitive information.

The designation as sensitive information means that biometric data receives a higher level of protection compared to ordinary personal information. This heightened protection reflects the increased potential for harm that can arise from misuse or compromise of this type of data.

Generally, Australian Privacy Principle 3.3 requires organisations to obtain consent before collecting sensitive information. However, this requirement is subject to exceptions, meaning consent is not always mandatory.

The Bunnings FRT determination

The Australian Information Commissioner made a determination on 19 November 2024 concerning Bunnings Group Limited’s use of facial recognition technology. The determination found that Bunnings had breached the Privacy Act between November 2018 and November 2021.

The Commissioner’s assessment identified specific breaches of the Act. Bunnings was found to have collected sensitive information without consent, contravening Australian Privacy Principle 3.3. Additionally, the organisation failed to take reasonable steps to notify individuals about the collection of their personal information (APP 5) and had inadequate content in its privacy policy (APP 1.3 / 1.4).

As a result of the determination, Bunnings is required to destroy personal information that is no longer needed and to publish a statement regarding the breaches.

When FRT can lawfully be used

Facial recognition technology (FRT) involving the collection of biometric information generally requires express, informed consent from individuals. This consent is typically needed when the FRT is used for verification or identification purposes.

However, there are limited exceptions to this requirement. These exceptions allow for the use of FRT without consent in circumstances involving serious threats to life, health or safety, and when undertaken by enforcement bodies for law-enforcement-related activities.

Regardless of whether consent is obtained or an exception applies, organisations deploying FRT should conduct Privacy Impact Assessments. Furthermore, all entities must adhere to the security requirements outlined in Australian Privacy Principle 11 when handling biometric templates.

What's coming next

The Privacy and Other Legislation Amendment Act 2024 introduces significant changes to privacy protections in Australia. Most notably, a statutory tort for serious invasions of privacy will commence on 10 June 2025. This gives individuals a new avenue for redress where their privacy has been seriously interfered with.

Misuse of biometric data is likely to be considered a potential basis for a claim under this new tort, meaning individuals may be able to seek compensation independently of any determination made by the Office of the Australian Information Commissioner (OAIC). This expands the avenues for accountability beyond existing privacy legislation.

The Government has indicated further reforms to the Privacy Act are planned, referred to as Tranche 2. These reforms may include specific requirements around consent and transparency, particularly concerning high-risk personal information like biometric data.

Frequently asked

Does CCTV that records faces collect biometric information?

Not automatically. CCTV that simply records video is a collection of personal information. Biometric information specifically arises where biometric processing, such as facial recognition matching, is applied to those images.

Is consent required for staff time-and-attendance FRT?

In most cases yes, and consent must be freely given. The Fair Work Commission has held that requiring biometric scanning as a condition of employment can be unreasonable in the absence of consultation and adequate alternatives.
