Having the privacy conversation: a 5 step guide for system integrators

There is nothing new about collecting data in the workplace. From bundy cards to visitor logins and secure swipe access, businesses have always needed to know who is in their building to meet their compliance and governance obligations as well as protect staff, inventory, information, and assets.

Now our workforces need even more protection in COVID times, so it makes sense that we look to more advanced technology to help us do that. And technology such as facial recognition, or biometric data, has also migrated from the highest level of secured access facilities to an everyday presence on our computers, hand-held devices, and phones.

We are used to using facial recognition or thumbprints to unlock our smartphones, search our photos faster and play on social media. So why is it such a concern when it comes to business? When people use the technology in their personal life, they feel they are in control and that its use or storage is under their directive. While this
is not necessarily the case, installing a facial recognition technology can potentially concern some employees or visitors for privacy reasons.

This is an easy 5-Step Guide to having the privacy conversation with your clients that includes:

• explaining their obligations under the Privacy Act;

• how to remain compliant while meeting their business needs; and

• how to communicate to their workforces.

We have also created a whitepaper with legal expert Shah Rusiti who explains the privacy compliance topic in more detail. Facial Recognition Technology and Australian Privacy Law can be shared with your clients and is available here.

Step One: Analyse the business

The first step for you and your client is to identify and understand why they want to use this technology over different forms of security. By drilling down into their needs, they can review all possible options and know their choice is meeting their exact requirements.

Businesses all over the world are using facial recognition and COVID tracing technology to not only protect workplaces and workforces from exposure to the COVID virus and resulting impacts but also for the following reasons:

Easy identification

Identify employees and visitors automatically without needing to sign in.

Automated access restrictions

For visitors, guests, or the public generally.

Automated access control

Hands free entry into workplaces without having to touch a keypad.

Increased security

No alarm passcode to remember or protect.

Employee records

Easy tracking of arrival and departure times and entry to secure areas. Know who is on the premises at all time for workers compensation and insurance compliance.

Identification of health risks

Automatic temperature checks with alerts passed onto management.

Easy contact tracing

Know where a positive COVID person has been in your workplace so you can immediately notify contacts and shutdown the affected areas only.

Harm minimisation

Real time alerts on problem gamblers or barred individuals from clubs and hotels.

Step two: What information does your client need?

The key to increasing privacy and ensuring compliance under the Privacy Act is to keep information collected to a minimum. What information does your client really need? It’s much easier to collect only data that will be used and valuable, rather than store large amounts of unused data that could fall into a breach of the Act for unforeseen reasons.


It is important for your client to be clear about what information they collect and why they are doing so. This will be important when communicating with employees, visitors, and any stakeholders. There should be a good reason for you to collect this information.

To ensure compliance with privacy Laws, companies must understand what they can and cannot do in terms of collecting the information and how it is stored and used.

Privacy statements and policies need to be updated to include Automatic Facial Recognition Technology (AFRT), and then the policies must be tested by a legal professional against the Privacy Act requirements.

Step three: Understanding privacy obligations

Privacy compliance is an essential feature of all businesses today, regardless of whether they use AFRT or biometric technology or not. The Privacy Act and Principles lay out clearly defined rules and obligations which companies must comply with when collecting, using, and storing personal information.

In Australia, biometric information is ‘sensitive information’ under the Privacy Act. Organisations collecting biometric information must:

  • make people aware and obtain consent
  • ensure a high level of protection of sensitive information
  • be clear with consumers, employees and visitors
  • store information securely
  • delete information when no longer required

The main privacy concerns with AFRT include:

  • how information is obtained using AFRT – informed consent?
  • when is consent needed?
  • purposes for which the information is obtained and used
  • who the information is shared with?
  • where is it stored and for how long?
  • use of ‘sensitive’ personal information
  • individual’s right to have information images deleted

Step four: Preparing the business

Privacy Policy

A privacy policy is a statement explaining, in simple language, how companies handle personal information. Your client must have one. It should be clear in setting out how they comply with their obligations under the Privacy Act.

Introducing new technology offers an opportunity to review an organisation’s policies and procedures and enhance its privacy policies and compliance procedures. Doing so, and being able to give staff and customers comfort that appropriate measures are to be taken to ensure their information is secure and will only be used for legitimate purposes, will assist in obtaining consents need for the collection and use of biometric data.

The key to success is to ‘keep it simple’.

Consent

AFRT involves the collection of sensitive personal information, so the collection, use, retention, and disclosure of that sensitive information requires consent from
the individual.

In the case of employees, that consent may be contained in employment contracts or it may be obtained in other ways, such as employees consenting to
updated policies and procedures.

The collection of sensitive personal information, such as images generated using facial recognition and other biometric data technology require express consent, either in employment terms or by way of separate consent.

Visitors, customers and other non-staff persons can be asked to give their consent as a condition of entry to an organisation’s premises, but their personal information may only be used for the purposes for which it was collected and should not be retained for longer than
reasonably necessary.

Consent can be given in several ways including:

  • an ‘I agree’ link or button
  • consent in an employment contract
  • consent in membership terms and conditions

Communication

Taking time to simply and clearly explain an organisation’s reasons for collecting personal information, how it will be used, where it will be stored and for how long and what safeguards will be taken to prevent inappropriate access to that information, are all elements of a properly drafted privacy policy.

Step five: Privacy do's and don'ts

In summary, your clients need to consider their privacy compliance obligations and assess their needs against those obligations.
  • Know your obligations.
  • Test your policy against what the Privacy Act requires.
  • Only retain data for a reasonable time – identify what that is for your business – for example 14 days for visitors, but longer for staff?
  • Get informed consent.
  • Make your consent explanation SIMPLE and CLEAR but do get legal advice to make sure you are compliant.
  • Remember – who can give consent? Adults, not children or mentally incapacitated adults.
  • Collecting sensitive information requires prior consent. This information should only be kept for as long as reasonably required. Once we are through COVID-19, do you still have a legitimate reason to keep that data?
  • If you are going to collect employee sensitive information, make sure they consent or that giving their consent is a condition in their employment contract.
  • Have a person or team who are specifically responsible for ensuring you have adequate policies, procedures, and safeguards in place to monitor your privacy compliance.