Last week the Privacy Commissioner found that Bunnings’ widespread use of CCTV cameras (and the footage used within a facial recognition technology (FRT) system), amounted to a breach of the Privacy Act.
Whilst many reports have focused on Bunnings use of FRT, the reach of the decision is much more broad and is relevant for any organisations which use CCTV.
In her published decision, the Privacy Commissioner found that “Bunnings collected the personal information of all individuals who entered the relevant stores during the relevant period in the form of facial images”. When processed by the FRT system, the data was found to be sensitive personal information as it then contained biometric information.
The decision provides both a guide and a warning to most organisations about their data handling practices, including in relation to the collection of personal information through the use of cameras, video and other technology. Many organisations are already in the process of reviewing their privacy practices, given the impending Privacy Act reforms which are scheduled to commence in 2025.Bunnings have stated their displeasure with the decision and have indicated their intention to appeal. No doubt aimed at the court of popular opinion they took the bold step of releasing some of the footage which had been taken from their CCTV, showing their staff being abused, threatened and assaulted at work. Other footage shows people walking naked, wearing masks and carrying firearms in their stores, which they argued supported the need to implement the technology as a preventative measure and for security purposes.
The findings highlight the challenges businesses face in balancing the adoption of technology with their legal obligations to be transparent about their privacy practices and to protect customer privacy and underscores the necessity of embedding privacy compliance into all levels of operations.
What did Bunnings do?
Between November 2018 and November 2021, Bunnings used a FRTsystem in 63 stores across Victoria and New South Wales. For some years prior to that, Bunnings has utilised CCTV cameras within many of its stores. The FRT system analysed CCTV footage and captured and processed facial features of every person entering these stores – likely hundreds of thousands of individuals. Those images were compared against a database of individuals which Bunnings had itself created, based on the conduct of those individuals in Bunnings stores. The conduct which Bunnings assessed as relevant to include an individual on its database included actual or threatened violence to staff or the public, other inappropriate behaviour resulting in exclusion and repeated or serious cases of theft. That database used images collected from Bunnings in-store CCTV and also combined independent records such as from police/criminal databases.
The FRT system processed the images taken from CCTV and compared it with the database within a fraction of a second. The images were not retained if no ‘match’ was found within the database.
Under Australian privacy law, biometric data derived from facial recognition technology is considered to be highly sensitive and as such, requires consent from the individuals being scanned.
Bunnings Argument
Bunnings stated that the technology was intended to identify repeat offenders and enhance the safety of staff and customers. Bunnings argued that they were complying with the Privacy Act, because:
- The FRT did not ‘collect’ personal information about visitors because it was compared with the database and deleted in a fraction of a second.
- It fell within scope of two ‘permitted general situations’ (which meant that they did not have to comply) namely:
- Bunnings reasonably believed that the collection was necessary to lessen or prevent a serious threat to safety and it was unreasonable or impracticable to obtain consent from individuals; and
- Bunnings suspected that unlawful activity or misconduct of a serious nature was being engaged in, and it reasonably believed that the FRT was necessary to take appropriate action; and
- Notices were placed in store and individuals were appropriately informed of the use and collection of their images (and consented).
Findings
However, the Privacy Commissioner disagreed and found significant breaches of the Privacy Act and Australian Privacy Principles (APPs), including the collection of sensitive personal information without proper consent. The Commissioner found that:
- Customers were not adequately informed about the data collection, as in store notices stating that CCTV was being used were insufficient. For example, the notices did not make clear that the information was being used for FRT.
- Bunnings had not notified customers in other ways, such as through collection statements or their Privacy Policy.
Lessons for Organisations
This case serves as a wake-up call for all organisations to consider their privacy practices, including in relation to the information they collect and why. There is particular relevance for organisations who also use CCTV or who take/collect photographs, video and other potentially sensitive information.  To avoid similar breaches, organisations should prioritise privacy compliance by taking the following steps:
- Limit Data Collection: Only collect information essential to business operations.
- Be Transparent: Clearly communicate data practices to customers and outline their rights. Make sure they understand what data is being collected and how it will be used.
- Obtain Explicit Consent: Obtain consent from individuals in particular before collecting their sensitive personal information.
- Develop Robust Policies: Create clear, legally compliant policies outlining how personal data is collected, used, and stored (and train staff on those) which also assists with transparency.
- Train Employees: Additionally provide regular training on privacy best practices and cybersecurity awareness.
- Conduct Regular Audits: Review data handling practices periodically to ensure compliance.
A Reminder for Businesses
The Privacy Commissioner emphasised the need for organisations to address transparency, lawful data collection, and safeguarding customer information. Businesses must ensure their use of technology aligns with privacy laws and ethical standards. By proactively embedding privacy considerations into their operations, organisations can achieve compliance and maintain the confidence of their customers in an increasingly data-driven world.
If you have any questions about how this judgment may impact your business, please feel free to contact me on 07 3224 0261.