Bunnings Caught in the Spotlight over Facial Recognition Breach 

26/11/2024


The Office of the Australian Information Commissioner (OAIC) has found that the use of facial recognition technology by hardware giant Bunnings breached the privacy of “hundreds of thousands” of Australians between 2018 and 2021. The finding followed a lengthy Commissioner Initiated Investigation by Privacy Commissioner Carly Kind, after Bunnings’ use of the controversial technology was revealed in 2022. 

In simple terms, the facial recognition technology allowed Bunnings to create and maintain a database of individuals who it claims posed a risk to its operations and detect when those individuals entered a store. The technology was deployed via CCTV in at least 62 stores in Victoria and NSW, scanning the faces of every person who entered the stores, regardless of their age or other characteristics. This included customers, staff, visitors and contractors. The images on the live CCTV footage were then analysed by the facial recognition system to create a ‘real-time facial image,’ which was compared against a database of prohibited individuals. 

The OAIC found that the use of this technology breached several of the Australian Privacy Principles (APPs), including: 

  • APP 3.3, by collecting the sensitive information of individuals in circumstances where the individuals did not consent to the collection; 
  • APP 5.1.2, by failing to take reasonable steps to notify those individuals about the facts, circumstances and purposes of collection; 
  • APP 1.2, by failing to ensure that it complied with the APPs; 
  • APP 1.3, by failing to include in its privacy policies information about the kinds of personal information that it collected and held, and how it collected and held that personal information. 

Bunnings denied that it had breached the Privacy Act, claiming that it did not ‘collect’ personal information, because the information was not intended to be stored in a ‘record’. The OAIC rejected this claim, finding that “the concept of ‘collection’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means, including from biometric technology such as voice or facial recognition.” 

Bunnings also claimed that it took reasonable steps to notify individuals of the collection by posting notices at the entrances of stores. However, the OAIC found that those privacy notices did not contain sufficient information about the kinds of personal information that would be collected from customers. 

This is a timely reminder to APP entities that consent must be informed, voluntary, current and specific. It is important to take a proactive approach to privacy by establishing and maintaining internal practices, procedures and systems that ensure compliance with the APPs. The obligation is a constant one. 

Bunnings has claimed that it will be seeking a review of the decision. 

Please get in touch with our experienced privacy team to discuss what this finding means for you and your agency or business.  
