The Administrative Review Tribunal (Tribunal) recently set aside the Privacy Commissioner's (Commissioner) 2024 determination that Bunnings Group Limited (Bunnings) had acted unlawfully in its use of facial recognition technology (FRT) in its stores, finding that Bunnings' conduct in scanning customer faces fell within a statutory exception under the Privacy Act 1988 (Cth) (Privacy Act).

Despite finding that, during the relevant period, Bunnings was permitted to use FRT for the limited purpose of combatting significant retail crime and protecting staff and customers from abuse, violence and intimidation within its stores, the Tribunal maintained that Bunnings was still in breach of key Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act, including the obligation to clearly notify individuals of the use of FRT (APP 5.1) and the obligation to properly manage personal information (APP 1.3).

The Tribunal emphasised that this case highlights an inherent conflict within the Privacy Act: that is, safeguarding individuals' personal information alongside the legitimate operational needs of organisations performing their functions and activities.

Background:

Between November 2018 and November 2021, Bunnings operated an FRT system in up to 62 of its stores. The FRT system involved Bunnings keeping a database of individuals considered to present a risk to its operations because of their criminal or violent conduct. CCTV cameras positioned in Bunnings' stores captured an image of each entrant's face as they entered the store, and those images were converted into biometric data and compared against the biometric data of known individuals held in a database maintained by Bunnings in search of a match. Where the FRT system identified a match between the facial image captured in store and its database, it generated a notification to authorised Bunnings team members, who could then respond as necessary, including by alerting staff, security guards or the relevant authorities. Once the matching process was complete, the biometric data (known as a vector set) derived from the captured image was automatically deleted – on average, within 4.17 milliseconds.

Bunnings' main motivation for implementing the FRT system was to combat the rate of organised retail crime and violent and aggressive behaviour within certain stores, with the goal of identifying and monitoring known offenders. The FRT system was initially trialled for two months in one store and was later extended to 62 stores deemed to be high risk.

In October 2024, following an investigation, the Commissioner determined that the use of the FRT system by Bunnings involved the collection of sensitive information within the meaning of the Privacy Act and that Bunnings had breached its obligations under the Australian Privacy Principles, specifically APPs 1.2, 1.3, 3.3 and 5.1, in relation to its use of the FRT system in 62 of its retail stores.

The Tribunal decision:

A key issue in review by the Tribunal was whether Bunnings had breached APP 3.3 by collecting sensitive information in circumstances where a permitted general situation did not exist, which required the Tribunal to consider:

(a) whether there was a 'collection' of personal information by Bunnings;

(b) if there was a 'collection', whether the collected information was 'sensitive information'; and

(c) if there was a 'collection' of 'sensitive information', whether a permitted general situation existed pursuant to section 16A of the Privacy Act.

Did Bunnings 'collect' personal information?

The Privacy Act provides that an entity 'collects' personal information only if the entity collects the personal information for inclusion in a record or generally available publication.

The Tribunal noted that there was no dispute that the personal information of persons enrolled in Bunnings' database, having been assessed as posing a risk to its operations because of their violent or criminal conduct, was 'collected' by Bunnings within the meaning of the Privacy Act.

However, Bunnings contended that its FRT system did not 'collect' the personal information of persons entering the store who were not enrolled in the database, because the information was collected by the CCTV system, not the FRT system, and all that occurred within the FRT system was that the information was momentarily analysed to determine whether to delete or retain it. Bunnings further contended that the FRT system lacked the necessary purpose, as it was designed with the intention of excluding unmatched images and all vector sets from any record.

The Tribunal found that the CCTV cameras were a necessary and integral component of Bunnings' FRT system, as the vector sets used by the FRT system were created from the images taken by the CCTV cameras, and therefore the information was collected by the FRT system.

The speed of the matching process did not mean that the information was not collected. The Tribunal found that the information was collected from persons entering the store and held in the local server's RAM, albeit momentarily, and that this was a necessary prerequisite to the matching process. This finding demonstrates that there is no minimum temporal threshold for collection: information held merely momentarily is still considered 'collected'.

Sensitive information?

The Tribunal considered whether the information collected by Bunnings was 'sensitive information' or 'personal information'. This is an important distinction as APP 3.3 sets out, for example, that an APP entity (as defined by the Privacy Act) must not collect 'sensitive information' about an individual unless a permitted general situation under APP 3.4 exists in relation to the collection of the information by the APP entity.

The term 'sensitive information' is defined in the Privacy Act and includes:

(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

(e) biometric templates.

The Tribunal found that the facial images captured by the CCTV cameras of the FRT system did constitute biometric information and therefore 'sensitive information' for the purposes of the Privacy Act.

Did a permitted general situation exist?

Permitted general situations are set out in section 16A of the Privacy Act. If a permitted general situation exists, the APP entity is not required to obtain the individual's consent in order to lawfully collect sensitive information. Bunnings claimed that a permitted general situation existed in relation to the collection of personal information based on item 2 of section 16A of the Privacy Act, which applies where:

(a) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity's functions or activities has been, is being or may be engaged in; and

(b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.

There was no dispute that retail crime committed by customers of Bunnings was unlawful activity that related to Bunnings' functions or activities. Bunnings established that it faced a problem of violence and theft in its stores and that there was a significant level of theft and violence by repeat offenders, including organised retail crime.

The Tribunal characterised the requirement to show a 'reason to suspect' unlawful activity as a "relatively low bar". Bunnings did not need to prove that unlawful activity had in fact occurred, only that it had reason to suspect it. The Tribunal agreed with the Commissioner's finding that Bunnings "could reasonably suspect that such activity was occurring and would continue to occur".

Bunnings held the reasonable belief that using the FRT system, and therefore collecting sensitive information, was necessary in order for it to take appropriate action against repeat offenders. The Tribunal found that "collecting sensitive information by the FRT in conjunction with the other security controls was effective and suitable to identify known offenders and if necessary to monitor them so as to reduce the likelihood of them engaging in theft or violent or threatening behaviour".

Accordingly, the Tribunal found that there was no breach of APP 3.3 by Bunnings as APP 3.4 applied and a permitted general situation existed in relation to the collection of personal information by the FRT system.

Findings the Tribunal Affirmed:

The Tribunal affirmed the Commissioner's findings that Bunnings had breached APP 1.2 (by failing to implement adequate practices and procedures), APP 1.3 (by failing to have an adequate privacy policy, as Bunnings' privacy policy made no mention of the FRT system) and APP 5.1 (as there was insufficient notification to individuals about the collection of their personal information through the use of the FRT system). Although Bunnings had a first entry notice stating that 'video surveillance is utilised', a second entry notice and a privacy poster, these notices were found to be insufficient. For example, the Tribunal held that the first entry notice failed to notify individuals that the FRT system was being used, the purpose of the collection, and the main consequences of the information not being collected through the FRT system.

Key Takeaways:

The Tribunal's decision highlights the tension between the objects of the Privacy Act to promote the protection of an individual's privacy and the interests of entities in carrying out their functions or activities.

It is important to remember that information collected and held, even momentarily, may still be considered to be 'collected' information for the purposes of the Privacy Act.

While the Tribunal found that a permitted general situation existed, which enabled Bunnings to collect sensitive information without consent, any organisation contemplating the adoption of FRT should first undertake a thorough evaluation of its specific risk profile, operational environment, and internal processes and procedures before proceeding.

Each APP Entity must carefully assess the purpose of collecting information and ensure that it complies with its obligations under the APPs including those relating to collection, notification and management of personal information.

Should you wish to discuss these issues further, or understand how they may relate to your business and privacy practices, please contact Michael Bishop, Felicity Cara-Carson and Jess Tomlinson.

