Nearly four years after first deploying facial recognition technology (FRT) in selected stores across NSW and Victoria, Bunnings has been granted permission to use the technology in their CCTV-linked system to screen customers entering their store against a database of individuals who had been banned from Bunnings stores.
In an Australian Privacy Commissioner's (APC) 2024 ruling it was found that Bunnings invaded the privacy of customers by scanning their faces on-premises using FRT between 2018 and 2021. In that ruling the Privacy Commissioner said, “just because a technology may be helpful or convenient, does not mean its use is justifiable,” advising that “Any possible benefits need to be weighed against the impact on privacy rights, as well as our collective values as a society.”
The APC found that Bunnings had breached three Australian Privacy Principles (APP). Principle 1 – open and transparent management of personal information, principle 3.3 – collection of solicited personal information, and principle 5 – notification of the collection of personal information. The APC ordered Bunnings to “not repeat or continue” the acts which “led to interference with individuals’ privacy”. Bunnings responded by releasing a CCTV montage of violent or intimidating incidents against its staff and appealed to the Administrative Review Tribunal (ART) for a review of the APC decision.
Last week the ART’s decision confirmed that Bunnings had contravened privacy principles in failing to provide appropriate notice to individuals of its use of FRT. However, the ART was satisfied that in the case of APP 3.3 Bunnings was entitled to rely on exemptions to the requirement to obtain consent, for the specific purpose of addressing retail crime and protecting staff and customers from violence, abuse and intimidation within their stores.
The 3-person ART Panel heard that Bunnings used the technology to maintain a database of people who posed a risk to its operations because of their prior violent or criminal conduct in its hardware stores. When detected a database-matched customer entering the store team members were alerted to act and inform relevant workers and police.
Whenever the FRT detected that a face didn't match any in the database, the data on that face was deleted.
In considering whether Bunnings collected relevant personal information, Deputy President Britten-Jones and Senior Members Murphy and Simon noted it was necessary to understand how FRT operated.
The ART members rejected Bunnings' submission that CCTV images of most people entering its stores weren't collected because they were deleted almost immediately, stating "The fact that the unmatched data and the matched data were treated differentially after collection does not alter the fact that a collection of both the unmatched data and the matched data took place," they said.
The ART members then turned to whether a permitted situation existed and allowed Bunnings to collect the information.
Bunnings contended that a permitted situation existed - i.e. many of its stores experienced theft and threatening behaviour towards workers, much of which was attributable to repeat offenders, and these incidents left workers visibly shaken and upset. The company submitted video footage of threatening incidents involving weapons in their stores.
The ART accepted that it was safer to proactively identify and confront high-risk individuals as they entered a store, than reactively "challenging an individual who is already handling stolen goods". They accepted that Bunnings "faces unique challenges" when attempting to prevent theft and violence. Its large stores have multiple entry and exit points, and they carry products can be used as weapons, such as axes, screwdrivers and drills.
The collection of sensitive customer information in this context constituted a genuine attempt to improve worker and customer safety, the ART found.