Bunnings "wins" appeal on Facial Recognition Technology: Key takeaways for businesses and privacy law
Bunnings' appeal against the Australian Privacy Commissioner's finding that its use of Facial Recognition Technology (FRT) breached privacy laws was successful in part. Although the Office of the Australian Information Commissioner (OAIC) had not ruled out appealing the decision, the decision will nevertheless be influential for businesses considering the use of FRT.
On 4 February 2026, the Administrative Review Tribunal set aside an earlier determination, made by the Privacy Commissioner, that Bunnings had contravened the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth).
Bunnings used FRT between 6 November 2018 and 30 November 2021 at a number of stores across Australia and New Zealand. The system maintained a database of individuals considered a risk based on prior criminal conduct or incidents involving staff or customers.
CCTV cameras captured facial images of all individuals entering stores and compared those images against the database. Where a match was identified, an alert was sent to staff. Facial data used in the matching process was deleted within milliseconds.
Following an OAIC investigation, the Privacy Commissioner determined on 29 October 2024 that Bunnings had breached APPs 1.2, 1.3, 3.3 and 5.1, relating to transparency, collection and notification obligations.
The Appeal and the Tribunal's Ruling
On 4 February 2026, the Tribunal affirmed the Commissioner’s findings that Bunnings contravened APP 1 and APP 5. However, it set aside the finding that Bunnings breached APP 3 by collecting sensitive information without consent.
The Tribunal found that:
Bunnings "collected" facial images captured by CCTV, which constituted "biometric information" and therefore "sensitive information" under the Privacy Act;
consent was not obtained, which would ordinarily breach APP 3.3; but
APP 3.4 applied, as a "permitted general situation" existed during the relevant period.
The relevant "permitted general situation" is set out in item 1 of section 16A of the Privacy Act, which permits the collection of sensitive information without consent where:
(a) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and
(b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
The Tribunal accepted that Bunnings’ use of FRT was a reasonable and proportionate response to legitimate business concerns, namely the prevention of retail crime and the protection of staff and customers from violence and abuse.
We discuss the key takeaways from the Tribunal's decision and reasoning below.
Key takeaway #1: Privacy won't necessarily trump business interests
The Privacy Commissioner initially found that Bunnings’ use of FRT was the most intrusive option and disproportionately interfered with the privacy of all store entrants, not just high-risk individuals.
However, the Tribunal overturned the Commissioner's decision, stating that Bunnings was entitled to use FRT for the limited purpose of combatting very significant retail crime and protecting its staff and customers from violence, abuse and intimidation within its stores. Whilst the Commissioner's decision prioritised the privacy of all store entrants, the Tribunal's decision recognised Bunnings' interest in combatting retail crime and protecting its staff and customers.
Although the Tribunal found that business interests prevailed over privacy interests in this case, the decision will not necessarily apply to all businesses using FRT or other technologies to collect personal information. The assessment will turn on the specific facts of your business.
Key takeaway #2: Collection
A central issue was whether Bunnings had "collected" personal information through its FRT system. Bunnings argued that facial vector sets were merely "created" during a real-time matching process and retained only briefly in Random Access Memory (RAM).
The Tribunal found that Bunnings collected personal information for inclusion in a "record", including both input facial images and the associated vector sets, regardless of the brief retention period or the fact the process occurred in RAM.
This aspect of the decision has broader ramifications for privacy compliance. It confirms that the threshold for "collection" under the Privacy Act is a low one, and that even fleeting or transient handling of personal information (in this case for 4.17 milliseconds per image) may constitute "collection". It must also follow that where there is a collection, there may be a "use". Hence, privacy issues arise in respect of non-matched data as well.
Organisations should therefore carefully review their systems and practices, including automated or real-time processes, as they may be collecting personal information in circumstances where they do not consider themselves to be doing so. Organisations should also be conscious that privacy obligations may arise in respect of data that is unmatched in data matching processes.
Key takeaway #3: Specificity in collection purposes
The Tribunal agreed with the Commissioner that Bunnings breached APP 5.1 and APP 1.3 by failing to take steps that were reasonable in the circumstances to notify individuals whose sensitive information was collected of such collection in its Privacy Collection notice and Privacy Policy.
Bunnings had displayed two entry notices at all entry points in each of their stores and a privacy information poster in various places within their stores. However, the Tribunal found that, given Bunnings’ size, the resources available to it, and the sensitive nature of the information collected, it was reasonable to expect Bunnings to take further steps to provide more specific information about its use of FRT, the purposes for which sensitive information was collected, and the consequences for customers if that information was not collected.
In light of this, the key takeaway for businesses is to consider providing detailed information about the exact type of personal information being collected, the method and technologies being used and the specific purposes for which the information is collected in their privacy collection statements and Privacy Policies.
Key takeaway #4: Privacy Risk Assessments
The Tribunal found that Bunnings failed to comply with APP 1.2, which requires entities to take "reasonable steps in the circumstances" to implement practices, procedures and systems to ensure compliance with the APPs in relation to their functions and activities.
In reaching that conclusion, the Tribunal placed significant weight on the fact that FRT involves the collection of sensitive information. The Tribunal observed that the collection of sensitive information "represents a serious intrusion of privacy" and considered that, in those circumstances, it would have been reasonable for Bunnings to conduct a formal, structured and documented privacy risk assessment of the FRT system from the outset of the relevant period.
Instead, the steps taken by Bunnings were described as "random enquiries and actions", which were insufficient to demonstrate the implementation of appropriate privacy governance.
The key takeaway is that privacy legislation requires organisations to specifically consider the privacy risks associated with their practices, particularly where sensitive information is collected. Proactive and documented privacy risk management is central to compliance with APP 1.2, even where sensitive information is not involved.