Using facial recognition technology in licensed venues

Following the Australian Privacy Commissioner's ruling and findings about Bunnings, the Office of Liquor and Gaming Regulation (OLGR) has considered the likely issues for licensees that use—or are considering using—facial recognition technology (FRT) to help identify patrons under a gaming exclusion who enter a licensed venue.

This information doesn't apply to FRT used as part of a mandatory networked identification (ID) scanning system to prohibit people under a banning order from entering.

Read more about privacy and ID scanning systems.

Note: This information is not legal advice. We encourage licensees who are concerned about the use of FRT or the legal implications of the Bunnings findings to seek their own legal advice.

Privacy laws

The Privacy Act 1988 (Cwlth) regulates privacy in Australia. It requires certain entities, including businesses that turn over more than $3M per year, to comply with Australian Privacy Principles (APPs). These are known as APP entities.

The APPs deal with matters such as the collection, use and disclosure of personal information and an organisation's governance and accountability in relation to privacy.

As an Australian law, the Privacy Act isn't administered by OLGR or the State of Queensland. Its interaction with Queensland's laws and regulations will often depend on the nature of the particular circumstances under consideration.

The Bunnings FRT determination

The Bunnings FRT system captured and processed facial features of every individual entering the store, without consent, and compared those images to a biometric database to identify customers they determined to be of interest from a security perspective.

Biometric data is considered 'sensitive information' under the Privacy Act and has a higher level of privacy protection than other personal information.

The Privacy Commissioner found:

  • Bunnings collected the sensitive information of individuals without their consent (exceptions under the Privacy Act did not apply).
  • Bunnings failed to take reasonable steps to notify individuals about the facts, circumstances and purposes of their personal information being collected, as well as the consequences for them if their personal information was not collected.
  • Bunnings failed to take reasonable steps to implement practices, procedures and systems to ensure it complied with the APPs.
  • Bunnings failed to include in its privacy policies information about the kinds of personal information it collected and held, and how it collected and held that personal information.

Read the Australian Privacy Commissioner's Bunnings determination factsheet.

Issues for licensed venues

Licensees who must use FRT under a licence condition

APPs require an APP entity to have the person's consent before collecting their sensitive information and that the information collected is reasonably necessary for 1 or more of the entity's functions or activities. This doesn't apply if collecting the sensitive information is authorised or required by an Australian law—including a Queensland law—or an instrument made under such a law.

As a result, when a licence condition requires you to collect information by FRT, the consent requirement—and any requirement to justify the reasonable need for using FRT for your functions or activities—may not apply.

However, other APPs continue to apply, including—but not limited to—some of the APPs that Bunnings is perceived to have breached.

We strongly recommend you seek legal advice to ensure you're meeting all of your obligations under the APPs, including—but not limited to—providing customers with appropriate information about the use of FRT at your venue.

Licensees without a licence condition requiring the use of FRT

If you don't have a licence condition requiring the use of FRT, without another applicable authorisation under an Australian law, you're not authorised or required to collect sensitive information. If you're using—or considering using—FRT, you should consider whether collecting sensitive information is reasonable and necessary to your functions and activities and be satisfied that the person has consented to the collection of their information.

It is also very important to note that the Privacy Commissioner has views on reasonable necessity and consent requirements and licensees should consider the Privacy Commissioner's published guidance on this matter as per the link below.

We advise you to seek legal advice on the use of FRT and on the other APPs you must also comply with.

Also consider…