Facial recognition technology (FRT) is back in focus after the Administrative Review Tribunal’s decision in Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2026] ARTA 130. The case is a useful reminder that extra care is required when relying on a permitted general situation to implement video surveillance.
What happened?
After seeing an increase in violence against staff, Bunnings trialled FRT in stores between 2018 and 2021 to help prevent these incidents. The system captured faces at store entry and compared them against a watchlist to identify banned or high-risk individuals, with rapid deletion where there was no match. Bunnings argued a permitted general situation applied (e.g. to prevent a serious threat to safety), which allowed it to implement the FRT without consent.
The Privacy Commissioner initially found that Bunnings had breached multiple Australian Privacy Principles (APPs), including governance/transparency and notification requirements. It also found that Bunnings had unlawfully collected sensitive information without consent. The Privacy Commissioner placed particular emphasis on the FRT being the most intrusive option available, which disproportionately interfered with the privacy of everyone who entered the stores (not just high-risk individuals).
On review, the Tribunal:
- agreed with the Privacy Commissioner’s positions in relation to Bunnings’ lack of transparency (APP 1) and inadequate disclosures (APP 5); but
- departed from the Privacy Commissioner’s finding that Bunnings was not permitted to implement the FRT (APP 3.3) and decided Bunnings was entitled to do so to prevent serious crime and protect staff and customers.
The Privacy Commissioner may appeal the Tribunal’s decision.
Practical takeaways for businesses for now
1. Don’t assume a criminal, health or safety issue justifies the collection of sensitive information
The Privacy Commissioner and the Tribunal interpreted the permitted general situations differently, with the Privacy Commissioner having a narrower interpretation and considering proportionality a critical factor. Only collect sensitive information if it is essential for the specific purpose.
2. Document a privacy risk assessment with narrow purposes
Sensitive information requires a higher degree of protection. Businesses should document the risk being addressed and why less intrusive controls are insufficient. Keep the purpose narrow and evidence-based.
3. Clear and prominent notice still matters — even if consent isn’t required
Individuals should be clearly informed that their personal information is being collected, as well as how that information will be used and disclosed. Have prominent signage and notices in plain English.
Get in touch
If you’re considering FRT or other biometric tools, we can help assess whether you are likely to be compliant with the APPs and what risk mitigation controls should be implemented.