20 Jul The OAIC opens investigations into Bunnings and Kmart for using Biometric Data
Author: Helaine Leggat, ICTLC Australian Managing Partner
The Office of the Australian Information Commissioner (OAIC) has opened investigations into the personal information handling practices of Bunnings Group Limited and Kmart Australia Limited, focusing on the companies’ use of facial recognition technology.
The OAIC has commenced preliminary inquiries with Good Guys Discount Warehouses (Australia) Pty Ltd following public reports that the company has paused its use of facial recognition technology.
The investigations follow a report from the consumer advocacy group CHOICE about the retailers’ use of facial recognition technology, where images are held to have been collected without proper consent and at odds with consumer expectations.
Both Bunnings and Kmart have responded that customers “know the technology is in use” through store entrance signage and because such information is made available in the privacy policies published on their websites.
Not surprisingly, as Bunnings and Kmart are both owned by Wesfarmers, the policies are almost identical. From its origins in 1914, Wesfarmers has grown into one of Australia’s largest listed companies with diversified business operations covering home improvement and outdoor living; apparel and general merchandise; office supplies; health, beauty and wellbeing; chemicals, energy and fertilisers, and industrial and safety products. Wesfarmers is also one of Australia’s largest employers with some 107,000 employees.
These numbers and industry sectors give an idea of the scale and scope that collection, as well as the use and distribution of sensitive personal information which may have continuing and serious effects.
Without wishing to pre-empt any findings of the OAIC, it is interesting to see what the current policies of Bunnings and Kmart say in relation to biometric data. Some samples from the policies are provided below.
“The types of information that we collect about you could include:
- images from video surveillance, body cameras and other cameras used in and around our stores (including in car parks, pick up areas, store entrances and publicly accessible spaces)
- images from facial recognition software
- inferred information and characteristics as a result of undertaking data analysis
We may also collect deidentified data from (and share deidentified data with) Related Companies for data analysis purposes.”
Use and disclosure of personal information
“We use and disclose your personal information in connection with carrying on our business … for the businesses of the Wesfarmers group of companies.
The main ways we collect personal information are:
- through our security cameras, body cameras or other cameras used in our stores (including in car parks, pick up areas, store entrances and publicly accessible areas)
- from publicly available sources, including from Australian or New Zealand Government agencies, internet search platforms and social media platforms such as Facebook”
“We may use your personal information to:
- undertake database compilation and management, data processing, data analysis and matching, market research or trend analysis (including with information obtained from our Related Companies and Flybuys) to better understand our customers’ preferences, personalise websites/apps and (where you have consented to receiving offers or direct marketing) to offer products or provide services of greater interest to you or engage in direct marketing;
- in the case of images from facial recognition software and body cameras, for loss prevention or store safety purposes;
- in the case of inferred characteristics produced through data analysis, for improving products and service offerings.”
“We work with a number of third parties in carrying on our business and may disclose your personal information to:
- third parties who provide services to us… including data monitoring, data analysis and data matching activities, monitoring trends in customer preferences …”
Australian Community Attitudes to Privacy
A 2020 survey by the OAIC into Australian Community Attitudes (including biometrics, artificial intelligence and location data) confirmed that privacy is a major concern for 70% of Australians. 66% of Australians are reluctant to provide biometric information to a business, organisation or government, and Australians are much more likely to trust government than businesses to collect and use biometric information.
Comfort with providing Biometric Information for Different Purposes
Half of Australians are comfortable providing their biometric information to verify their identity to access government services, 49% to do banking or to get on a flight. The Federal Government and financial institutions are the most trusted organisations with regard to the way they protect or use Australians’ personal information.
On the other hand, the majority of Australians are uncomfortable with the collection of their biometric information to shop in a retail store or to verify their identity to access services provided by a business or private organisation. This correlates with a lower level of trust in retail, with 42% considering retail stores to be untrustworthy in the way they protect or use personal information.
Identification Versus Verification
There is a difference in how biometric systems are used – either for identification or for verification.
In verification, an image is matched to only one image in the database (1:1). For example, an image taken of a subject may be matched to an image in a business database to verify the subject is who they say they are.
If identification is the goal, then the image is compared to all images in the database resulting in a score for each potential match (1:N). In this instance, an image is compared to a database of many images to identify who the subject is.
With face recognition technologies, this means that for identification the business has a repository of many images. If an individual passes a camera the business can say, with a degree of confidence, “This is you”. With verification, the business can say, “This is you, and say with certainty that you are you.”
Some experts in AI and facial recognition do not believe that facial recognition technology should be banned outright, arguing that a key distinction needs to be made between face-scanning systems that are used to identify and/or verify an individual.
Others think that facial recognition technology should absolutely not be used in the workplace. “No one should have to give up their biometric data in order to get a paycheck”.
Proportionality and Purpose – Tracking in the Workplace
In Australia, under the Privacy Act, biometric data is treated as sensitive personal information (s6), which means:
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.
Australian Privacy Principle 6 on the use or disclosure of personal information provides for biometric information in relation to an “APP entity that is an agency”, and subsection 6.4, where the APP entity is an organisation. Subsection 16B(2) applies in relation to the collection of the personal information by the entity. Subsection 16B(2) provides for health situations, and requires, inter alia, that the entity takes reasonable steps to de-identified before disclosing it.
Interestingly, while “employee records” are excluded from protection under the Privacy Act, examples of an employee record include “health information” about the employee. “Biometric information”, however, is not defined as “health information” in the Privacy Act.
“Facial recognition technology should absolutely not be used in the workplace. Period. End of sentence. No one should have to give up their biometric data in order to get a paycheck,” Seeley George, campaign director for technology watchdog Fight for the Future said.
How does this translate in the Australian experience?
Employer – Employee relationships
In Jeremy Lee v Superior Wood Pty Ltd  FWCFB 2946, the Full Bench of the Fair Work Commission (the Full Bench) upheld an appeal from sawmill employee Jeremy Lee (Lee), determining that he was unfairly dismissed for refusing to use fingerprint scanners to sign in and out of work.
Lee’s claim was based on ownership of the biometric data contained within his fingerprint. Lee submitted that a direction from his employer, Superior Wood Pty Ltd (Superior Wood), to register fingerprints was captured by prohibitions under the Privacy Act 1988 (Cth) (the Privacy Act). The Full Bench accepted that the fingerprint data was subject to collection restrictions as “sensitive personal information” which, significantly, required consent from individual employees.
In November 2021, the Australian Information Commissioner and Privacy Commissioner found that Clearview AI, Inc. had breached Australians’ privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool. The determination followed a joint investigation by the OAIC and the UK’s Information Commissioner’s Office (ICO).
Commissioner found that Clearview AI breached the Australian Privacy Act 1988 by:
- collecting Australians’ sensitive information without consent;
- collecting personal information by unfair means;
- not taking reasonable steps to notify individuals of the collection of personal information;
- not taking reasonable steps to ensure that personal information it disclosed was accurate, having regard to the purpose of disclosure;
- not taking reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.
Clearview AI was ordered to cease collecting facial images and biometric templates from individuals in Australia, and to destroy existing images and templates collected from Australia.
The OAIC’s investigation into the use of biometric data by Bunnings and Kmart is happening at the same time as the Australian Government Attorney-General Department’s Review of the Privacy Act, and after the Department of Home Affairs amended the Security of Critical Infrastructure Act 2018 (Cth) (SOCI) which includes retail and logistics as a critical infrastructure sector which is subject to SOCI.
We look forward to seeing how these components will be resolved.
 The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of the Australian Privacy Principles under section 40(2) of the Privacy Act 1988 (Cth).