This guide to facial recognition and Australian Privacy Laws was written by Shah Rusiti, Accredited Specialist – Business Law, Teece Hodgson & Ward Solicitors.
Shah was admitted to practice in 1983. He has been a NSW Law Society Accredited Specialist in Business Law since 1994 and has over 30 years’ experience in business and commercial law. Shah works extensively with business owners and creators through the full spectrum of the business cycle, from establishment to development and growth and ultimately sale or business succession planning and implementation.
A Member of the NSW Law Society Business Law Specialist Accreditation Committee and regular speaker for Legal Education Conferences, including TVED, Legalwise and UNSW, Shah is also an editor of several chapters in LexisNexis Australian Encyclopedia of Forms and Precedents, including Agency and Distributorship Agreements.
Biometric data is data derived from scans or images of an individual’s distinct features or identifiers which can be used to identify an individual.
These include fingerprints, palm prints, voice recordings, images of a person’s face, and facial structure (for example, shape of eyes, distance between eyes, size of jaw and other facial characteristics). Once obtained, biometric data can be matched against previously recorded data to verify the identity of the individual.
Facial recognition systems are becoming increasingly common, not only in commercial contexts but also in consumer products. For example, Apple introduced one of the first widely available consumer biometric identification systems when it introduced fingerprint technology known as ‘Touch ID’ in its iPhone 5S in 2013. Today, new iPhones ship with built-in facial recognition software, which indicates how quickly this technology can be adapted.
AFRT involves the automated collection, digitisation and comparison of spatial and geometric facial features to identify unique facial characteristics. Using algorithms similar to those in fingerprint recognition, AFRT compares a new image of a face with images stored in a database. The accuracy of recognition improves if multiple images are taken and new images are matched against previously collected image data. According to the US Centre for Strategic International Studies:
In ideal conditions, facial recognition systems can have near-perfect accuracy. Verification algorithms used to match subjects to clear reference images (like a passport photo or mugshot) can achieve accuracy scores as high as 99.97% on standard assessments like NIST’s Facial Recognition Vendor Test. This is comparable to the best results of iris scanners. This kind of face verification has become so reliable that even banks feel comfortable relying on it to log users into their accounts.1
The use of biometric data for identification is not new. Biometric data has been used in passports by many countries. Fingerprint recognition as we know it dates back to the 1960s, when the FBI began developing automated fingerprint recognition technology. By the 1990s the FBI had developed sophisticated systems to enable fingerprint comparisons across a wide array of systems, in what became known as IAFIS (Integrated Automated Fingerprint Identification System). IAFIS enabled fingerprint data to be collected and searched across local, state and federal law enforcement agencies in the USA.
As computers developed and storage became affordable and reliable, new technologies developed, leading to automated border control systems (eGates) and facial recognition systems at airports. While the availability of biometric identification systems in consumer products such as the iPhone has led to a degree of acceptance of the technology and these developments might be seen as simply a natural progression as technology improves, there are nevertheless concerns about the potential for such data to be misused or to be collected without individuals being aware or without their consent (express or implied).
Regulators, consumers and privacy advocates have become increasingly concerned about the nature and prevalence of biometric data being collected and the potential for misuse. This has led to many Western countries developing or enhancing their privacy laws to capture biometric data as ‘personal information’ which is subject to their privacy laws. However, if you consider Facebook, Twitter and other online social media platforms, where millions of people provide their personal information and multiple images of themselves, their family and friends, you would be forgiven for thinking that most people care very little about their privacy or their sensitive information being disclosed. Despite consumers seeming to be less concerned about posting personal information online, large companies such as Facebook and Twitter are aware of the need to meet privacy obligations and ensure that users have the opportunity to understand how their data is collected, stored and used.
Facebook has gone to significant lengths to provide detailed explanations and customisation options for users, partly to protect against suggestions that their policies and procedures may be hard to discern, but also to proactively enable users to understand and manage their own settings.
Of course, this is not purely a matter of ‘noblesse oblige’, as significant reputational damage has been done to these organisations when personal data has not been properly protected and organisations have been the subject of various actions arising out of very significant data breaches. The need to comply with GDPR privacy regulations in Europe has also meant that organisations like Facebook and others (for example Cambridge Analytica) have been forced to substantially improve their privacy compliance and communication.
Generally, an organisation or agency may only scan and use a person’s biometric information for the purposes of identifying the individual, or as part of an automated biometric verification system, if either:
The Australian Privacy Act states that an organisation must only collect sensitive information about an individual if:
Express or implied consent raises a question – what is the threshold for this consent? How can organisations ensure that their consent is ‘informed consent’? Does the individual actually understand the implications of giving their consent to the collection of the information? The Privacy Commissioner sums this up as follows:
You give express consent if you give it openly and obviously, either verbally or in writing. For example, when you sign your name (by hand, or by an electronic or voice signature). An organisation or agency must get your express consent before handling your sensitive information. An organisation or agency doesn’t need your express consent to handle your non-sensitive personal information; but they need to reasonably believe that they have your implied consent. It’s not sufficient for an organisation or agency simply to tell you of their collection, use or disclosure of your personal information. Unless they presented you with an opt-out option they cannot assume your implied consent.2
In Australia, the definition of ‘sensitive information’ has been expanded to include biometric information that is to be used for the purpose of automated biometric verification or biometric identification or ‘biometric templates’. Biometric information is ‘sensitive information’ under the Privacy Act. This means that the organisation or agency collecting sensitive information must obtain consent from individuals and also make sure they maintain a high level of privacy protection for sensitive information.3
Certain Government Agencies, such as the Department of Immigration and Home Affairs, do not need to obtain consent and are entitled to require individuals to provide biometrics including photographs of face and digital finger/hand print scans. This is commonly used at border control and, in the case of photos, passport applications.
3. Sensitive information can sometimes be collected without consent – for example, for urgent medical treatment when the individual is unable to give consent.
"For security and safety purposes, your image or other personal identifiers may be collected and stored by us for safety, health and security purposes. By entering our premises you are consenting to us collecting and storing this information and agree to the use of our data collection technology for these purposes."
"It is a condition of your employment that you agree to comply with our safety, health and security policies and procedures as varied from time to time. You acknowledge that we may use various technology from time to time for the purposes of identifying you, recording your time of entry or exit from our premises or giving or restricting your access to our premises or facilities or parts thereof, or for health and safety purposes. The information we collect can include: facial images, fingerprint scans and other biometric identifiers we use from time to time. We may collect this information for the purposes of recording your attendance, for security purposes and for health and safety purposes. This can include checks as well as information such as temperature checks."
Organisations should ensure that they tailor their privacy statements and consents to reflect the privacy requirements and obligations of the organisation and the way it collects and actually uses personal information.
Personal information about a person’s health is ‘sensitive information’. Biometric data, such as fingerprint scans and facial scans, is also sensitive information. An organisation must only collect an individual’s sensitive information if the individual consents to the collection and the information is reasonably necessary for the organisation’s functions or activities, or an exception applies (APP 3).4
If an employer does not obtain an employee’s consent to collect sensitive personal information as a condition in the employee’s original employment agreement, they may be prevented from adding that as a condition of employment later on, unless the employee gives consent.
4. APP 3: An organisation must not collect sensitive information (for example, details of a person’s race, religion, sexual preferences or health) unless the individual has consented and the collection is reasonably necessary for one or more of the organisation’s functions or activities.
Consent required for collection and use of ‘sensitive’ personal information.
In late 2019 the Fair Work Commission heard a case in which an employee was dismissed when he refused to agree to use the company’s new fingerprint technology to sign in. He argued that he could not be compelled to use the technology because it was not a condition of his employment contract.
The employer’s decision to dismiss him because he refused to use the technology was found to be a wrongful termination because his employment contract did not include consent to provide fingerprint scans and the employee was not obliged to give his consent to the collection of his sensitive personal information.
The takeaway here is that, if an organisation is implementing the use of this technology, it should:
If an employee’s contract does not include either:
then the employer should seek the employee’s consent to the collection of this sensitive personal information for access, attendance and security purposes connected with their employment.
If an employee’s contract does not include consent to collect sensitive personal information and they have not otherwise given that consent, then they may need to be given an alternative method of clocking in and out, which could be a basic sign-in register, a swipe card or other technology used by the organisation, or else they may be required to manually sign in and out in a paper register.
Fair Work Australia recommends that employers require workers to report to their employer as soon as possible, even if they are working from home:
Government Agencies use personal information for a wide range of purposes, including for border control, passport verification, driver’s licence verification, policing and other government purposes. Recent legislation by State and Territory Governments empowers the sharing of facial recognition data.6
However, draft Federal legislation in the form of the proposed Identity Matching Services Bill, first introduced in 2019, has yet to be approved and is being rewritten. We can expect that identity matching by Government Agencies will become the norm in the near future.
The National Facial Biometric Matching Capability (NFBMC) service provided by the Commonwealth Attorney General’s Department (AGD) to manage the Interoperability Hub (‘the Hub’) facilitates secure exchange of biometric data between Commonwealth, State and Territory participating agencies. The Hub supports facial identification and verification services, which includes national access to driver’s licence databases for face matching purposes.
While the Privacy Commissioner is tasked with providing dedicated specialist assistance and support to the AGD and to be able to appropriately respond to relevant privacy issues in connection with the NFBMC, State legislation expressly authorises government agencies to collect, keep and use photographs and associated personal information from the NFBMC for any lawful purpose in connection with the exercise of their functions and they can release any photographs and personal information they hold – i.e. a very wide discretion.
6. The National Agreement for Facial Biometric Matching Capability is a service administered by the Commonwealth Government. States and territories have access to this Capability and have introduced legislation for that purpose. For example, the NSW Road Transport Amendment (National Facial Biometric Matching Capability) Act 2018, authorises Roads and Maritime Services and other government agencies to collect, keep, use and release identity information in accordance with the national arrangements for the sharing and matching of that information and for related purposes.
Organisations with an annual turnover of $3m or more must comply with the Privacy Act. All businesses other than ‘small businesses’ (under $3m annual turnover7) have specific and enforceable privacy obligations. These are set out in the Privacy Act and its associated Privacy Principles.
Privacy breaches can be a source of complaints and potential penalties for significant breaches, so there is an incentive for organisations to implement appropriate and business-relevant privacy policies, procedures and internal controls, or else face the risk of privacy complaints and potential action by the Privacy Commissioner.
It is important that businesses understand these obligations and develop privacy policies and internal privacy compliance strategies to meet their obligations.
The Privacy Act sets out certain rules and obligations for organisations when dealing with personal information. It is important that organisations have a clear and concise privacy policy which explains:
Organisations (other than ‘small businesses’) obtaining, storing or using personal information must comply with the Privacy Act. They must obtain consent for the collection, storage and use of sensitive personal information. Consent can be obtained in a variety of ways, for example:
An APP entity must:
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. What are reasonable steps, depends on the circumstances, including:
8. See OAIC APP Guidelines, Chapter 11: APP 1 – Security of personal Information – for further details https://www.oaic.gov.au/privacy
‘Sensitive information’ is defined in s 6(1), and in more detail in Chapter B (Key concepts). ‘Consent’ is defined in s 6(1) as ‘express consent or implied consent’.
The four key concepts of consent are:
APP 3 imposes strict additional requirements for collecting ‘sensitive information’ about an individual. Generally, an APP entity must not collect sensitive information about an individual unless:
An APP entity should seek express consent from an individual before collecting and handling the individual’s sensitive information, given the greater privacy impact this could have, unless an exception applies, and may only solicit and collect sensitive information if the individual consents to the sensitive information being collected, unless an exception applies.
The concept of ‘collection’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means, including from:
Sensitive information must only be collected if the individual consents to the collection and the information is reasonably necessary for the organisation’s functions or activities, or an exception applies. Sensitive information may be collected about an individual where:
the entity reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety, and it is unreasonable or impracticable to obtain the individual’s consent to the collection;
Personal information is irrelevant if it does not have a bearing upon or connection to the purpose for which the personal information is used or disclosed, so an APP entity should avoid collecting information which is not relevant to the purpose for which the information is needed. For example, information relating to an employee’s work attendance may be relevant, but their marital status or social activities may not be relevant.
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
Where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified. This requirement applies except where:
– the personal information is part of a Commonwealth record, or
– the APP entity is required by law or a court/tribunal order to retain the personal information.
APPs 12 and 13: APP 12 (access to personal information) and APP 13 (correction of personal information).
Providing an individual with access to their personal information under APP 12 will allow the individual to identify whether any personal information is inaccurate, out-of-date, incomplete or irrelevant.
Similarly, taking reasonable steps to correct incorrect personal information at the request of an individual under APP 13 can also enhance the quality of that information.
APP 13 requires an APP entity to take reasonable steps to correct personal information where an APP entity is satisfied, independently of any request, that personal information it holds is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which the information is held.
The OAIC APP Guidelines9 indicate that whether an individual is ‘reasonably identifiable’ from particular information will depend on considerations that include:
Whether a person is ‘reasonably identifiable’ is an objective test that has practical regard to the context in which the issue arises. Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as ‘personal information’. An individual may not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly in all the circumstances.
Analyse your business – what information do you collect?
Consider whether you really need the information and why, for example:
Consider your Privacy compliance obligations and assess your needs against those obligations:
AFRT involves the collection of sensitive personal information, so the collection, use, retention and disclosure of that sensitive information requires consent from the individual.
In the case of employees, that consent may be contained in employment contracts or it may be obtained in other ways, such as employees consenting to updated policies and procedures.
The collection of sensitive personal information, such as images generated using facial recognition and other biometric data technology, requires express consent, either in employment terms or by way of separate consent.
Visitors, customers and other non-staff persons can be asked to give their consent as a condition of entry to an organisation’s premises, but their personal information may only be used for the purposes for which it was collected and should not be retained for longer than reasonably necessary.
Taking time to simply and clearly explain an organisation’s reasons for collecting personal information, how it will be used, where it will be stored and for how long and what safeguards will be taken to prevent inappropriate access to that information, are all elements of a properly drafted privacy policy.
Introducing new technology offers an opportunity to review an organisation’s policies and procedures and enhance its privacy policies and compliance procedures. Doing so, and being able to give staff and customers comfort that appropriate measures are to be taken to ensure their information is secure and will only be used for legitimate purposes, will assist in obtaining consents needed for the collection and use of biometric data.