Work health and safety or privacy – which obligations should a business prioritise?
A recent determination of the Australian Privacy Commissioner (Privacy Commissioner)[1] found that Bunnings Group Limited (Bunnings) breached its obligations under the Privacy Act 1988 (Cth) (Privacy Act) when it used facial recognition technology (FRT) in its retail stores.
With enforcement by the Privacy Commissioner set to intensify, businesses must consider how to balance obligations under work health and safety (WHS) laws and the Australian Privacy Principles (APPs) contained in the Privacy Act.
What happened?
Between November 2018 and November 2021, Bunnings operated an FRT system in around 60 stores across Victoria and New South Wales in response to concerns regarding the safety of Bunnings team members and customers, as well as in an attempt to reduce theft.
The FRT system captured the facial images of persons who entered its premises and matched these images to images of persons stored in its database of ‘enrolled individuals’, being those with a history of violence or criminal behaviour in store and against Bunnings workers.
The information was processed by the FRT system in around 4 milliseconds.
Where the FRT system returned a positive match to information in the database, an alert was generated and sent to Bunnings’ security team, who would review the image and determine what action to take. On the other hand, where the FRT system returned a negative match to information in the database, the information was immediately deleted.
Bunnings maintained that it never used the data for marketing purposes or to track customer behaviour (and the Privacy Commissioner did not suggest anything to the contrary).
Determination by the Privacy Commissioner
Biometric information, such as facial images, is a type of personal information protected by the Privacy Act. Relevantly, biometric information is considered ‘sensitive information’, which is afforded a higher level of protection.
If an entity covered by the Privacy Act (APP entity) is collecting sensitive information, it must ensure:
- the individual consents to the collection of their sensitive information; and
- collection of the sensitive information is reasonably necessary for one or more of the APP entity’s functions or activities.
The Privacy Act prohibits an APP entity from doing an act, or engaging in a practice that breaches an APP.[2]
In July 2022, the Privacy Commissioner commenced an investigation following a report from consumer advocacy group CHOICE, raising concerns about the use of the FRT system by Bunnings as well as a number of other large retailers.
The Privacy Commissioner found that the implementation and operation of the FRT system by Bunnings was in breach of various APPs under the Privacy Act, being:
- APP 1.2(a) – which requires APP entities to take reasonable steps to implement practices, procedures and systems to ensure that they comply with the APPs;
- APP 1.3 – which requires APP entities to have a privacy policy containing relevant information, including the kinds of personal information that are being collected and held, and how that information is collected and held;
- APP 3.3 – which requires APP entities to obtain valid consent from individuals if collecting sensitive information. The Privacy Commissioner stated that for consent to be valid, it must be informed, voluntary, current and specific and given by individuals who have the requisite capacity; and
- APP 5.1 – which requires APP entities to take reasonable steps to notify individuals about the facts, circumstances and purposes of collection of their personal information, and the consequences of not collecting that information.
Bunnings submitted, among other things, that it had not breached its obligations under the Privacy Act because its use of the FRT system fell within exceptions to the APPs, being that there is a ‘serious threat situation’ or an ‘unlawful activity or misconduct situation’ (permitted general situation).
Bunnings also submitted that:
- it took steps that were reasonable in the circumstances to notify those individuals of the collection as required by APP 5.1, including by way of entry notices displayed at entry points to stores and in-store privacy posters; and
- it implemented practices, procedures and systems to comply with the APPs which were reasonable in the circumstances (for example, it adopted a system which promoted privacy by design (immediate deletion of non-matched data), and limited access to the FRT system to a small number of staff).
Was there a permitted general situation?
In considering whether there was a ‘permitted general situation’, the Privacy Commissioner observed that it is relevant to consider the likelihood of a ‘serious threat to life, health and safety’ or unlawful activity occurring, as well as the gravity of the consequences if such an event occurs. The Privacy Commissioner further observed that there needs to be a causal link between the necessity of the collection of personal information and the action taken to lessen or prevent the serious threat or unlawful activity.
The Privacy Commissioner accepted that the FRT system was perhaps a more convenient, efficient and proactive means of detecting and responding to the presence of individuals who posed a risk of creating a serious threat situation or engaging in unlawful activity. However, the Privacy Commissioner was not satisfied that Bunnings could have reasonably believed that the collection of personal information via the FRT system was necessary to take action to lessen or prevent serious threat situations or unlawful activity.
The Privacy Commissioner also considered that the impact on the privacy of individuals outweighed the benefits that were, or could be, realised by the use of the FRT system, noting that Bunnings could only rely on the information collected by the FRT system to prevent or lessen a serious threat situation or unlawful activity on a relatively small number of occasions and in respect of a relatively small number of individuals.
While the Privacy Commissioner did not accept that a permitted general situation existed, she commented that:
I recognise and do not wish to trivialise the impact that serious threat situations have had and continue to have on the [Bunnings’] staff and other individuals who attend its stores. Many of the examples provided by [Bunnings], particularly those contained in the relevant CCTV footage and staff testimonies, were serious and confronting. I also accept that [Bunnings] was and is subject to competing obligations, including a legal duty to provide a safe environment for its staff and others who attend its stores and to mitigate risks to health and safety (our emphasis).
Bunnings has announced that it will seek review of the Privacy Commissioner’s determination, before the Administrative Review Tribunal.[3]
Balancing privacy and WHS obligations
WHS laws require that businesses ensure, so far as reasonably practicable, the health and safety of workers engaged in the workplace and others who attend the workplace. The Privacy Commissioner’s determination reinforces that in complying with WHS laws, businesses must also be cognisant of their privacy obligations.
While safety in the workplace is paramount, there are steps businesses can take to ensure their WHS practices are implemented in a way that complies with their obligations under other laws, including the Privacy Act:
Assess the necessity and proportionality of safety measures
Businesses should consider whether any current or proposed safety measures can impact individual privacy, such as the operation of FRT systems. If so, assess whether the implementation of the safety measure is necessary and proportionate to the risks it aims to mitigate.
Ask: can the same objectives be achieved with less invasive methods, such as enhanced staff training or additional security personnel?
Consider the type of information to be collected
If information is being, or will be, collected with a view to complying with WHS laws, businesses should understand whether the information is ‘personal information’ or ‘sensitive information’, as additional obligations may apply.
Ask: what type of information is being collected and are we complying with obligations under the Privacy Act by collecting and using the information?
Obtain informed consent
Businesses should, as far as practicable, implement procedures and systems to obtain and record consent (if necessary).
Ask: are impacted individuals either expressly or impliedly consenting to the collection of their personal information, and do we have a record of it?
Update privacy policies and procedures
Privacy policies should clearly outline the kinds of personal information that will be collected, how the information is collected and held, and the purpose for its collection, including to ensure an employer complies with its WHS obligations. Regular reviews and updates are beneficial, particularly as the law progresses or when implementing new technologies.
Ask: do we have a clearly expressed and up-to-date privacy policy that contains the requisite information per the APP requirements, including references to the methods by which we collect personal information and the primary purposes for which we propose to use that personal information?
Implement transparent notification practices
Among other things, businesses must notify individuals at the time of collection (or as soon as practicable afterwards) of relevant information, including the kinds of personal information that are being collected and held, and how that information is collected and held.
Ask: are we required to notify individuals that their personal information is being collected? How are we currently notifying individuals of this collection and do our current notification practices adequately address this requirement?
Key takeaways
Businesses should consider:
- balancing privacy obligations and WHS duties to provide a safe workplace. Neither obligation should be overlooked, and businesses should seek to comply with both; undertaking Privacy Impact Assessments when implementing new measures is critical;
- incorporating privacy considerations into the creation and implementation of WHS measures, for example by obtaining informed consent, providing clear notification when collecting personal information for a WHS purpose, and updating privacy policies to reflect intended data use; and
- proactively considering their nuanced obligations in order to avoid potential enforcement action and penalties. A proactive approach to compliance with both privacy and WHS laws can minimise legal risk and demonstrates a commitment to the rights of both employees and customers under privacy laws and WHS laws.
This article was written with the assistance of Jade Wunderle.
[1] Commissioner Initiated Investigation into Bunnings Group Ltd (Privacy) [2024] AICmr 230 (29 October 2024).
[2] S.15 of the Privacy Act 1988 (Cth).
[3] Bunnings to seek review of the Privacy Commissioner’s Determination