
Bunnings’ use of Facial Recognition Technology: Mixed result from the ART

In early February 2026, the Administrative Review Tribunal (ART) handed down its decision in its review of the OAIC’s Bunnings decision. In a mixed decision, the ART overturned the Privacy Commissioner’s finding that Bunnings’ collection of biometric information was not authorised, finding instead that it was authorised under APP 3.4. However, the ART confirmed breaches of APP 1 and APP 5 relating to transparency, notice and privacy management.

The decision contains some important findings for privacy practitioners that are worth reviewing.

We covered the OAIC’s original determination here

Management of Personal Information

The ART affirmed the Privacy Commissioner’s finding that Bunnings contravened APP 1.2, confirming that Bunnings should have completed a ‘formal, structured and documented’ risk assessment of its FRT system which considered the privacy implications.

In practice, this means that there should have been a detailed privacy impact assessment completed before the use of FRT to consider the privacy implications and any mitigations that could be implemented.

Notice of collection and transparency

Like the Privacy Commissioner, the ART also found that Bunnings had breached APP 5.1 by not adequately informing its customers about its collection of their sensitive information (their facial biometric), the purpose for collecting it or the consequences of not collecting it. This notice should have been given either at or before the time of collection or, if that is not practicable, as soon as practicable after.

This is an area where it will be interesting to see what might be required to provide the type of notice that the ART agreed was required. The standard “CCTV is in use” sign probably will not be enough, but what will constitute proper and timely notice may be a question for another day.

There was also a breach under APP 1.3 because none of Bunnings’ privacy policies at the time referred to its use of an FRT system, its collection of sensitive information or how this information was collected and held by Bunnings.

Collection

An important finding of the ART was that even the momentary collection of personal information (in this case for less than a second to compare images) constitutes a ‘collection’ under the Privacy Act. This was consistent with the OAIC’s view on the threshold issue of whether there had been a collection, which had been challenged by Bunnings in the initial determination.

Bunnings argued that its FRT system did not collect personal information of non-enrolled persons (i.e. anyone not on their watch list who entered their stores) because the CCTV and FRT systems are two separate systems (and Bunnings did not control the FRT system). The ART disagreed, finding that the FRT system included the CCTV cameras as part of its operation, meaning the system (in its entirety) did collect personal information in the form of facial images from everyone captured when entering Bunnings stores.

Again, this may be a very important finding for organisations using third party systems for separate functions.

The requirement for consent to the collection is the area where the ART disagreed with the OAIC, deciding that Bunnings was entitled to rely on an exemption for the limited purpose of combatting retail crime and protecting its staff and customers from violence, abuse and intimidation within its stores.

The Tribunal confirmed that, when considering whether Bunnings was entitled to rely on an exemption, it was important to consider whether the FRT was a suitable and effective response to the problem of repeat offenders, whether less privacy-intrusive alternatives were available, and whether the use of FRT was proportionate. This is again useful for privacy practitioners in setting out what should be considered when determining if any exemption is available.

What happens next?

In its statement on the decision, the OAIC said it “confirms the Privacy Act contains strong protections for individual privacy that are applicable in the context of emerging technologies. It underscored the importance of APP entities maintaining good privacy governance and complying with the Australian Privacy Principles in adopting new tech, and that limited exemptions are subject to robust criteria that must be assessed on a case-by-case basis”.

The OAIC is being upbeat about the finding – noting the importance of legal review, saying “We particularly welcome that the decision reaffirmed a range of key interpretive positions taken by the OAIC.”

However, the OAIC also confirmed that it is carefully considering the ART decision and its implications. An appeal period applies to the ART’s decision.

Will there be another chapter in the Bunnings FRT story?

References:

Bunnings Group Limited and Privacy Commissioner (Guidance and Appeals Panel) [2024] ARTA 42 (17 December 2024) 

OAIC Statement https://www.oaic.gov.au/news/media-centre/oaic-statement-on-administrative-review-tribunals-bunnings-decision

 

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.