Facial Recognition and Australian Privacy Laws

This guide to facial recognition and Australian Privacy Laws was written by Shah Rusiti, Accredited Specialist – Business Law, Teece Hodgson & Ward Solicitors.

Shah was admitted to practice in 1983. He has been a NSW Law Society Accredited Specialist in Business Law since 1994 and has over 30 years' experience in business and commercial law. Shah works extensively with business owners and creators through the full spectrum of the business cycle, from establishment to development and growth and ultimately sale or business succession planning and implementation.

A Member of the NSW Law Society Business Law Specialist Accreditation Committee and regular speaker for Legal Education Conferences, including TVED, Legalwise and UNSW, Shah is also an editor of several chapters in LexisNexis Australian Encyclopedia of Forms and Precedents, including Agency and Distributorship Agreements.

Background

Biometric data is data derived from scans or images of an individual’s distinct features or identifiers which can be used to identify an individual.

These include fingerprints, palm prints, voice recordings, images of a person’s face, and facial structure (for example, shape of eyes, distance between eyes, size of jaw and other facial characteristics). Once obtained, biometric data can be matched against previously recorded data to verify the identity of the individual.

Facial recognition systems are becoming increasingly common, not only in commercial contexts but also in consumer products. For example, Apple introduced one of the first widely available consumer biometric identification systems when it introduced fingerprint technology known as ‘Touch ID’ in its iPhone 5S in 2013. Today, new iPhones ship with built-in facial recognition software, which indicates how quickly this technology can be adapted.

Automatic Facial Recognition Technology (AFRT)

AFRT involves the automated collection, digitisation and comparison of spatial and geometric facial features to identify unique facial characteristics. Using algorithms similar to those in fingerprint recognition, AFRT compares a new image of a face with images stored in a database. The accuracy of recognition improves if multiple images are taken and new images are matched against previously collected image data. According to the US Centre for Strategic International Studies:

In ideal conditions, facial recognition systems can have near-perfect accuracy. Verification algorithms used to match subjects to clear reference images (like a passport photo or mugshot) can achieve accuracy scores as high as 99.97% on standard assessments like NIST’s Facial Recognition Vendor Test. This is comparable to the best results of iris scanners. This kind of face verification has become so reliable that even banks feel comfortable relying on it to log users into their accounts.1

History

The use of biometric data for identification is not new. Biometric data has been used in passports by many countries. Fingerprint recognition as we know it dates back to the 1960’s, when the FBI began developing automated fingerprint recognition technology. By the 1990’s the FBI had developed sophisticated systems to enable fingerprint comparisons across a wide array of systems, in what became known as IAFIS (Integrated Automated Fingerprint Identification System). IAFIS enabled fingerprint data to be collected and searched across local, state and federal law enforcement agencies in the USA.

As computers developed and storage became affordable and reliable, new technologies developed, leading to automated border control systems (eGates) and facial recognition systems at airports. The availability of biometric identification systems in consumer products such as the iPhone has led to a degree of acceptance of the technology, and these developments might be seen as simply a natural progression as technology improves. There are nevertheless concerns about the potential for such data to be misused or to be collected without individuals being aware or without their consent (express or implied).

Privacy Compliance

Regulators, consumers and privacy advocates have become increasingly concerned about the nature and prevalence of biometric data being collected and the potential for misuse. This has led to many Western countries developing or enhancing their privacy laws to capture biometric data as ‘personal information’ which is subject to their privacy laws. However, if you consider Facebook, Twitter and other online social media platforms, where millions of people provide their personal information and multiple images of themselves, their family and friends, you would be forgiven for thinking that most people care very little about their privacy or their sensitive information being disclosed. Despite consumers seeming to be less concerned about posting personal information online, large companies such as Facebook and Twitter are aware of the need to meet privacy obligations and ensure that users have the opportunity to understand how their data is collected, stored and used.
Facebook has gone to significant lengths to provide detailed explanations and customisation options for users, partly to protect against suggestions that their policies and procedures may be hard to discern, but also to proactively enable users to understand and manage their own settings.

Of course, this is not purely a matter of ‘noblesse oblige’, as significant reputational damage has been done to these organisations when personal data has not been properly protected and organisations have been the subject of various actions arising out of very significant data breaches. The need to comply with GDPR privacy regulations in Europe has also meant that organisations like Facebook and others (for example Cambridge Analytica) have been forced to substantially improve their privacy compliance and communication.

Generally, an organisation or agency may only scan and use a person’s biometric information for the purposes of identifying the individual, or as part of an automated biometric verification system, if either:

  • the law authorises or requires them to collect it; or
  • it is necessary to prevent a serious threat to the life, health or safety of any individual; or
  • the organisation has obtained the individual’s consent. That consent may be express or implied (eg. clicking on the ‘I agree’ button on a website privacy statement).

Privacy Act Australia

The Australian Privacy Act states that an organisation must only collect sensitive information about an individual if:

  • the individual consents to the collection; and
  • the information is reasonably necessary for the organisation’s functions or activities.

Express or implied consent raises a question – what is the threshold for this consent? How can organisations ensure that their consent is ‘informed consent?’ Does the individual actually understand the implications of giving their consent to the collection of the information? The Privacy Commissioner sums this up as follows:

You give express consent if you give it openly and obviously, either verbally or in writing. For example, when you sign your name (by hand, or by an electronic or voice signature). An organisation or agency must get your express consent before handling your sensitive information. An organisation or agency doesn’t need your express consent to handle your non-sensitive personal information; but they need to reasonably believe that they have your implied consent. It’s not sufficient for an organisation or agency simply to tell you of their collection, use or disclosure of your personal information. Unless they presented you with an opt-out option they cannot assume your implied consent.2

In Australia, the definition of ‘sensitive information’ has been expanded to include biometric information that is to be used for the purpose of automated biometric verification or biometric identification or ‘biometric templates’. Biometric information is ‘sensitive information’ under the Privacy Act. This means that the organisation or agency collecting sensitive information must obtain consent from individuals and also make sure they maintain a high level of privacy protection for sensitive information.3

Certain Government Agencies, such as the Department of Immigration and Home Affairs, do not need to obtain consent and are entitled to require individuals to provide biometrics including photographs of face and digital finger/hand print scans. This is commonly used at border control and, in the case of photos, passport applications.

3. Sensitive information can sometimes be collected without consent – for example, for urgent medical treatment when the individual is unable to give consent.

Privacy compliance is an essential feature of all businesses today. In Australia, the Privacy Act and Privacy Principles lay out a clearly defined set of rules and obligations organisations must comply with when collecting, using and storing personal information. The main privacy concerns associated with AFRT relate to:
  • when consent needs to be obtained
  • the way in which personal information is obtained using AFRT products
  • the purposes for which the information is obtained and used
  • where the information is stored and for how long
  • who the information is shared with
  • when can it be disclosed
  • whether the information is ‘sensitive’ personal information

Key points for AFRT and other personal identification technology:
  • facial features, fingerprints and other biometric information are ‘sensitive personal information’. You must obtain consent in order to collect it.
  • for visitors to your business, the requirement for consent to be given should be explained clearly, in plain language.
Example for general visitors or customers:
"For security and safety purposes, your image or other personal identifiers may be collected and stored by us for safety, health and security purposes. By entering our premises you are consenting to us collecting and storing this information and agree to the use of our data collection technology for these purposes."

Example for staff policies and contracts:
"It is a condition of your employment that you agree to comply with our safety, health and security policies and procedures as varied from time to time. You acknowledge that we may use various technology from time to time for the purposes of identifying you, recording your time of entry or exit from our premises or giving or restricting your access to our premises or facilities or parts thereof, or for health and safety purposes. The information we collect can include: facial images, fingerprint scans and other biometric identifiers we use from time to time. We may collect this information for the purposes of recording your attendance, for security purposes and for health and safety purposes. This can include checks as well as information such as temperature checks."

Organisations should ensure that they tailor their privacy statements and consents to reflect the privacy requirements and obligations of the organisation and the way it collects and actually uses personal information.

Employment Contracts

Personal information about a person’s health is ‘sensitive information’. Biometric data, such as fingerprint scans and facial scans, is also sensitive information. An organisation must only collect an individual’s sensitive information if the individual consents to the collection and the information is reasonably necessary for the organisation’s functions or activities, or an exception applies (APP 3).4

If an employer does not obtain an employee’s consent to collect sensitive personal information as a condition in the employee’s original employment agreement, they may be prevented from adding that as a condition of employment later on, unless the employee gives consent.

4. APP 3: An organisation must not collect sensitive information (for example, details of a person’s race, religion, sexual preferences or health) unless the individual has consented and the collection is reasonably necessary for one or more of the organisation’s functions or activities.

Case Study: Jeremy Lee v Superior Wood

Consent required for collection and use of ‘sensitive’ personal information.

In late 2019 the Fair Work Commission heard a case in which an employee was dismissed when he refused to agree to use the company’s new fingerprint technology to sign in. He argued that he could not be compelled to use the technology because it was not a condition of his employment contract.
The employer’s decision to dismiss him because he refused to use the technology was found to be a wrongful termination because his employment contract did not include consent to provide fingerprint scans and the employee was not obliged to give his consent to the collection of his sensitive personal information.

The take away here is that, if an organisation is implementing the use of this technology, it should:

  • check that its employment contracts include an express consent to use of biometric identification technology such as AFRT or fingerprint scans.
  • if existing staff contracts do not include consents and AFRT technology is being introduced, consult with staff, explain the reasons for introducing the technology and seek their informed consent to the use of the technology. Provided the reasons for implementing the technology are explained and employee questions are answered, more employees are likely to consent if they are given the opportunity to understand why the technology is being introduced and what steps the organisation is taking to protect their information.

If an employee’s contract does not include either:

  • an existing consent to use the technology and collect sensitive personal information; or
  • a term which states that the employee agrees to abide by the employer’s privacy policy as amended from time to time (including collection of personal information and sensitive personal information), and that the employee agrees to such amendments being made from time to time;

then the employer should seek the employee’s consent to the collection of this sensitive personal information for access, attendance and security purposes connected with their employment.

  • how long you will keep the information – this may vary considerably depending on the circumstances. For example, a café or shop should not need to keep personal information of patrons for more than 14 days, whereas a hospital may need to keep records for much longer.
  • who it may be disclosed to (eg. government authorities, data storage providers, persons in the organisation who need to know or relatives, in the case of injury).


If an employee’s contract does not include consent to collect sensitive personal information and they have not otherwise given that consent, then they may need to be given an alternative method of clocking in and out, which could be a basic sign-in register, a swipe card or other technology used by the organisation, or else they may be required to manually sign in and out in a paper register.

COVID-19

Fair Work Australia recommends that employers require workers to report to their employer as soon as possible, even if they are working from home:

  • if they are experiencing symptoms of COVID-19
  • if they have been, or have potentially been, exposed to a person who has been diagnosed with COVID-19 or is suspected to have COVID-19 (even if the person who is suspected to have COVID-19 has not yet been tested), or
  • if they have undertaken, or are planning to undertake, any travel.5

Government Agencies

Government Agencies use personal information for a wide range of purposes, including for border control, passport verification, driver’s licence verification, policing and other government purposes. Recent legislation by State and Territory Governments empowers the sharing of facial recognition data.6

However, draft Federal legislation in the form of the proposed Identity Matching Services Bill, first introduced in 2019, has yet to be approved and is being rewritten. We can expect that identity matching by Government Agencies will become the norm in the near future.

The National Facial Biometric Matching Capability (NFBMC) service provided by the Commonwealth Attorney General’s Department (AGD) to manage the Interoperability Hub (‘the Hub’) facilitates secure exchange of biometric data between Commonwealth, State and Territory participating agencies. The Hub supports facial identification and verification services, which includes national access to driver’s licence databases for face matching purposes.

While the Privacy Commissioner is tasked with providing dedicated specialist assistance and support to the AGD and with being able to respond appropriately to relevant privacy issues in connection with the NFBMC, State legislation expressly authorises government agencies to collect, keep and use photographs and associated personal information from the NFBMC for any lawful purpose in connection with the exercise of their functions, and they can release any photographs and personal information they hold – ie. a very wide discretion.

6. The National Agreement for Facial Biometric Matching Capability is a service administered by the Commonwealth Government. States and territories have access to this Capability and have introduced legislation for that purpose. For example, the NSW Road Transport Amendment (National Facial Biometric Matching Capability) Act 2018, authorises Roads and Maritime Services and other government agencies to collect, keep, use and release identity information in accordance with the national arrangements for the sharing and matching of that information and for related purposes.

Organisations with an annual turnover of $3m or more must comply with the Privacy Act. All businesses other than ‘small businesses’ (under $3m annual turnover7) have specific and enforceable privacy obligations. These are set out in the Privacy Act and its associated Privacy Principles.

Privacy breaches can be a source of complaints and potential penalties for significant breaches, so there is an incentive for organisations to implement appropriate and business-relevant privacy policies, procedures and internal controls, or else face the risk of privacy complaints and potential action by the Privacy Commissioner.

It is important that businesses understand these obligations and develop privacy policies and internal privacy compliance strategies to meet their obligations.
The Privacy Act sets out certain rules and obligations for organisations when dealing with personal information. It is important that organisations have a clear and concise privacy policy which explains:

  • what personal information they collect and why
  • how they collect it
  • what they use it for
  • how they store personal information
  • how long they keep information
  • how individuals can seek to have their information corrected

Organisations (other than ‘small businesses’) obtaining, storing or using personal information must comply with the Privacy Act. They must obtain consent for the collection, storage and use of sensitive personal information. Consent can be obtained in a variety of ways, for example:

  • as a condition of entry, customers or visitors may be required to sign in and provide personal information such as name, address and contact number. QR code scanning devices have become the norm in cafes, restaurants, galleries and other public venues as a method of obtaining personal information in the event of a COVID-19 event, to assist in contact tracing.
  • as a condition of membership of clubs, organisations or other bodies, members and their guests may be required to give consent to the collection of personal information, including sensitive information, as a condition of entry to premises.
  • a hospital may collect patient information from the patient or a third party. Normally this information should be collected directly from the patient wherever possible. Any health information collected will usually be sensitive personal information, which should not be disclosed to third parties without the patient’s consent. Life threatening situations are an exception.

Key Privacy Obligations for Businesses

The following National Privacy Principles set out the key responsibilities and obligations for businesses which are required to comply with the Privacy Act.

APP 1 – Open and transparent management of personal information

An APP entity must:

  • take reasonable steps to implement practices, procedures and systems that will ensure it complies with the APPs.
  • manage personal information in an open and transparent way.
  • have a clearly expressed and up to date privacy policy which is available if requested.
  • take reasonable steps to implement practices, procedures and systems that will:
    – ensure it complies with the APPs;
    – enable it to deal with privacy enquiries or complaints
  • take proactive steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs.

APP 11 – Reasonable Steps

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. What are reasonable steps, depends on the circumstances, including:

  • the nature of the personal information and the amount and sensitivity of that information.
  • possible adverse consequences if an individual’s personal information is not handled as required by the APPs.
  • the nature of the APP entity – for example, a business which outsources management of its database of personal information may need to take more precautions to ensure security and prevent inappropriate access than an entity which controls and manages all information internally.
  • the practicability, including time and cost involved. What are ‘reasonable steps’ must be viewed in the context of the practical options available to the APP entity. However, an entity is not excused from implementing particular practices, procedures or systems by reason only that it would be inconvenient, time-consuming or impose some cost to do so.

APP 3 – Collection of solicited Personal Information other than ‘Sensitive Information’
  • An organisation may only solicit and collect personal information directly related to one or more of its functions.
  • A clear and direct connection must exist between the personal information being collected and an agency function or activity that is reasonably necessary for one or more of its functions or activities.
  • An organisation should not collect more personal information than is required for a function or activity, such as providing goods or services.

APP 11 – Security of Personal Information
  • An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.8 ‘Reasonable steps’ can vary depending on an APP entity’s size, resources, the complexity of its operations and its business model; the amount and sensitivity of the personal information held; and the possible adverse consequences for an individual in the case of a breach.
  • Where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified.
  • An APP entity ‘holds’ personal information if ‘the entity has possession or control of a record that contains the personal information’ – s.6(1) of the Act. This can be physical possession, or control of information held by a third party on its behalf (eg. a data centre).
  • An APP entity must ensure it has security systems for protecting personal information from misuse, interference and loss and from unauthorised access, modification or disclosure (such as IT systems, internal access controls and audit trails).
What constitutes a ‘record’ of personal information?
  • A ‘record’ is defined in s 6(1) and includes a document or an electronic or other device (with certain exceptions such as things in libraries or museums).

8. See OAIC APP Guidelines, Chapter 11: APP 11 – Security of personal information – for further details: https://www.oaic.gov.au/privacy

APP 3.3 Sensitive Information

‘Sensitive information’ is defined in s 6(1), and in more detail in Chapter B (Key concepts). ‘Consent’ is defined in s 6(1) as ‘express consent or implied consent’.

The four key concepts of consent are:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific, and
  • the individual has the capacity to understand and communicate their consent

Collecting Sensitive Information

APP 3 imposes strict additional requirements for collecting ‘sensitive information’ about an individual. Generally, an APP entity must not collect sensitive information about an individual unless:

  • the individual consents to the collection of the information; and
  • the information is reasonably necessary for one or more of the entity’s functions or activities; or
  • subclause 3.4 applies in relation to certain other information, such as information provided by another entity in response to a request, and information provided by the individual, such as business cards, job applications, membership applications, entries to competitions.


An APP entity should seek express consent from an individual before collecting and handling the individual’s sensitive information, given the greater privacy impact this could have, unless an exception applies, and may only solicit and collect sensitive information if the individual consents to the sensitive information being collected, unless an exception applies.

The concept of ‘collecting’ information – Chapter B – Key Concepts

The concept of ‘collection’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means, including from:

  • individuals
  • other entities
  • generally available publications
  • surveillance cameras, where an individual is identifiable or reasonably identifiable
  • information associated with web browsing, such as personal information collected by cookies
  • biometric technology, such as voice or facial recognition

Collection may also take place when an APP entity generates personal information from other data it holds, such as the generation of an audit log. An organisation may only collect this information where it is reasonably necessary for, or directly related to, the organisation’s functions or activities.

Consent is voluntary if an individual has a genuine opportunity to provide or withhold consent. Consent is not voluntary where there is duress, coercion or pressure that could overpower the person’s will.

Factors relevant to deciding whether consent is voluntary include:
  • the alternatives open to the individual, if they choose not to consent
  • the seriousness of any consequences if an individual refuses to consent
  • any adverse consequences for family members or associates of the individual if the individual refuses to consent

‘Health information’ Chapter B – Key Concepts – means information or an opinion, that is also Personal Information, about:
  • the health or a disability (at any time) of an individual;
  • an individual’s expressed wishes about the future provision of health services or information about an individual’s physical or mental health;
  • a health service provided, or to be provided, to an individual; or
  • other personal information collected to provide, or in providing, a health service
Unless an exception applies:
  • an APP entity must not collect personal information unless the information is reasonably necessary for one or more of the organisation’s functions or activities
  • an APP entity must only collect personal information from the individual, unless it is unreasonable or impracticable to do so
  • sensitive information must only be collected with an individual’s consent and if the collection is reasonably necessary for one or more of the organisation’s functions or activities
APP 3.4 lists exceptions to the requirements of APP 3:
  • where it is impracticable for the organisation to deal with an individual who has not identified themselves
  • where the law or a court/tribunal order requires or authorises the organisation to deal with individuals who have identified themselves

Sensitive information must only be collected if the individual consents to the collection and the information is reasonably necessary for the organisation’s functions or activities, or an exception applies. Sensitive information may be collected about an individual where:


  • the entity reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety, and it is unreasonable or impracticable to obtain the individual’s consent to the collection;
  • if required or authorised by or under an Australian law or a court/tribunal order;
  • the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in, and the entity reasonably believes that the collection is necessary for the entity to take appropriate action in relation to the matter;
  • the entity reasonably believes that the collection is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing;
  • the collection of the sensitive information is reasonably necessary for one or more of the entity’s functions or activities, and
  • the individual about whom the sensitive information relates must consent to the collection (APP 3.3(a))
  • APP 3.3 – an APP entity may only solicit and collect sensitive information if the individual consents to the sensitive information being collected, unless an exception applies.

APP 10 – Nature and Quality of Information


Personal information is irrelevant if it does not have a bearing upon or connection to the purpose for which the personal information is used or disclosed, so an APP entity should avoid collecting information which is not relevant to the purpose for which the information is needed. For example, information relating to an employee’s work attendance may be relevant, but their marital status or social activities may not be relevant.

  • An APP entity must take reasonable steps to ensure that the personal information it collects, uses and discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date and complete. Personal information is inaccurate if it contains an error or defect. Personal information is also inaccurate if it is misleading. Examples of incorrect factual information include information about a person’s name, date of birth, residential address – but this could also include personal identifiers.
  • An APP entity ‘holds’ personal information if ‘the entity has possession or control of a record that contains the personal information’ (eg. patient records, employee records, payroll records).
  • An APP entity must generally take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
  • However, a private sector employer’s handling of employee records in relation to current and former employment relationships is exempt from the Australian Privacy Principles in certain circumstances, but only if the practice is directly related to either:

    – a current or former employment relationship between the employer and the individual
    – an employee record held by the organisation relating to the individual
  • Where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified. This requirement applies except where:

    – the personal information is part of a Commonwealth record, or
    – the APP entity is required by law or a court/tribunal order to retain the personal information.
  • The quality of the information collected should be measured at several points:

    – first at the time of collection;

    – second at the time the information is used or disclosed; and

    – at other appropriate times (for example to ensure information is up to date).
  • In some circumstances it will be reasonable for an APP entity to take no steps to ensure the quality of personal information. For example, where an entity collects personal information directly from the individual concerned it may be reasonable to take no steps to ensure the quality of personal information. It is the responsibility of the entity to be able to justify that this is reasonable.
  • The following are given as examples of reasonable steps that an APP entity could consider:

    – implementing internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information (including training staff in these practices, procedures and systems). For example, if the entity commonly uses or discloses personal information in time-critical situations such that it may not be possible to take steps to ensure quality at the time of the use or disclosure, the entity might take steps to ensure the quality of personal information at regular intervals.

    – implementing protocols that ensure personal information is collected and recorded in a consistent format. For example, to help assess whether personal information is up-to-date, an entity might, where practicable, note on a record when the personal information was collected and the point in time to which it relates, and if it is an opinion, that fact.

    – ensuring updated or new personal information is promptly added to relevant existing records.

    – providing individuals with a simple means to review and update their personal information on an on-going basis, for example through an online portal.

    – reminding individuals to update their personal information each time the entity engages with the individual.

    – contacting the individual to verify the quality of personal information when it is used or disclosed, particularly if there has been a lengthy period since collection.

    – checking that a third party, from whom personal information is collected, has implemented appropriate practices, procedures and systems to ensure the quality of personal information.
APP 11 — Security of Personal Information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

Where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified. This requirement applies except where:

– the personal information is part of a Commonwealth record, or

– the APP entity is required by law or a court/tribunal order to retain the personal information.

APPs 12 and 13

APP 12 (access to personal information) and APP 13 (correction of personal information).

Providing an individual with access to their personal information under APP 12 will allow the individual to identify whether any personal information is inaccurate, out-of-date, incomplete or irrelevant.

Similarly, taking reasonable steps to correct incorrect personal information at the request of an individual under APP 13 can also enhance the quality of that information.

APP 13 requires an APP entity to take reasonable steps to correct personal information where an APP entity is satisfied, independently of any request, that personal information it holds, is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which the information is held.

The OAIC APP Guidelines [9] indicate that whether an individual is ‘reasonably identifiable’ from particular information will depend on considerations that include:

  • the nature and amount of information.
  • the circumstances of its receipt.
  • who will have access to the information.
  • other information either held by or available to the APP entity that holds the information.
  • whether it is possible for the individual or entity that holds the information to identify the individual, using available resources (including other information available to that individual or entity). Where it may be possible to identify an individual using available resources, the practicability, including the time and cost involved, will be relevant to deciding whether an individual is ‘reasonably identifiable’.
  • if the information is publicly released, whether a reasonable member of the public who accesses that information would be able to identify the individual.

Whether a person is ‘reasonably identifiable’ is an objective test that has practical regard to the context in which the issue arises. Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as ‘personal information’. An individual may not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly in all the circumstances.

What should you do?

Analyse your business – what information do you collect?

  • Personal information of employees
  • Personal information of customers
  • Personal information of visitors
Why do you want it?

Consider whether you really need the information and why, for example:

  • To monitor employee attendance:
    – ‘Clocking in’ – arrival time
    – Access to areas in building/office
    – Security
  • To automate access and access restrictions for visitors, guests or the public generally
  • To replace paper-based log in/log out
  • To augment or replace swipe cards or manual records
  • To monitor for health reasons

Privacy Compliance Summary – what you can and can’t do

Consider your Privacy compliance obligations and assess your needs against those obligations:

  • what are your obligations?
  • test your policy against what the Privacy Act requires.
  • only retain data for a reasonable time – identify what that is for your business – eg. for visitors – 14 days, for staff – a longer or shorter period?
  • key point: get informed consent.
  • make your consent explanation SIMPLE and CLEAR but do get legal advice to make sure you are compliant.
  • remember – who can give consent? Adults, not children or mentally incapacitated adults.
  • collecting sensitive information requires prior consent. This information should only be kept for as long as reasonably required. Once we are through COVID-19, will you still have a legitimate reason to keep that data?
  • if you are going to collect employee sensitive information, make sure they consent or that giving their consent is a condition of their employment contract.
  • privacy compliance can be managed well, but you need to have a person or team who are specifically responsible for ensuring you have adequate policies, procedures and safeguards in place to monitor your privacy compliance.

Conclusion

AFRT involves the collection of sensitive personal information, so the collection, use, retention and disclosure of that sensitive information requires consent from the individual.

In the case of employees, that consent may be contained in employment contracts or it may be obtained in other ways, such as employees consenting to updated policies and procedures.

The collection of sensitive personal information, such as images generated using facial recognition and other biometric data technology, requires express consent, either in employment terms or by way of separate consent.

Visitors, customers and other non-staff persons can be asked to give their consent as a condition of entry to an organisation’s premises, but their personal information may only be used for the purposes for which it was collected and should not be retained for longer than reasonably necessary.

A properly drafted privacy policy takes the time to explain, simply and clearly, an organisation’s reasons for collecting personal information, how it will be used, where it will be stored and for how long, and what safeguards will be taken to prevent inappropriate access to that information.

Introducing new technology offers an opportunity to review an organisation’s policies and procedures and enhance its privacy policies and compliance procedures. Doing so, and being able to give staff and customers comfort that appropriate measures are to be taken to ensure their information is secure and will only be used for legitimate purposes, will assist in obtaining the consents needed for the collection and use of biometric data.