Don’t Be a Bunnings Sausage – Get Privacy Right
Bunnings is in the news (and breach) for using biometrics contrary to the nation’s privacy laws and principles. It’s topical and it’s relevant, even though biometrics have been around for decades and the subject of privacy, the source of much angst, has been hashed over and over. The Bunnings situation usefully addresses the core privacy issues around the use of biometrics.
Privacy Commissioner Kind found Bunnings collected individuals’ sensitive information without consent, failed to take reasonable steps to notify individuals that their personal information was being collected, and did not include required information in its privacy policy.
“Individuals who entered the relevant Bunnings stores at the time would not have been aware that facial recognition technology was in use and especially that their sensitive information was being collected, even if briefly,” said Commissioner Kind.

Specifically, according to the Office of the Australian Information Commissioner, Bunnings was guilty of:
- [interfering] with the privacy of the individuals whose personal information and sensitive information it collected through its facial recognition technology system.
- Bunnings collected the sensitive information of individuals without their consent. (Exceptions under the Privacy Act did not apply.)
- Bunnings failed to take reasonable steps to notify individuals about the facts, circumstances and purposes of their personal information being collected, as well as the consequences for them if their personal information was not collected.
- Bunnings failed to take reasonable steps to implement practices, procedures and systems to ensure it complied with the APPs.
- Bunnings failed to include in its privacy policies information about the kinds of personal information it collected and held, and how it collected and held that personal information.
Australia’s 13 Privacy Principles can be dry reading. You can find them here. But Bunnings has helpfully put some colour into them. The principles in breach, as outlined by the Commissioner, are:
- APP 3.3 says an entity must not collect sensitive information unless the individual consents or an exception applies.
- APP 5.1 requires an entity to take reasonable steps to notify an individual, or make sure they are aware, of certain matters around the handling of their personal information.
- APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems to ensure they comply with the APPs.
- APP 1.3 requires an entity to have a clearly expressed and up-to-date privacy policy.
What does all this mean for me? Simple really. If I am going to implement a biometric solution of any sort in my business, I need to get familiar with (and apply) the Privacy Principles. The good news is that they are quite straightforward and you do not need to be a lawyer to understand them.
Equally good news is the fact that some biometrics can only be used if you wittingly engage them – your biometric data cannot be covertly gained without your knowledge. Iris recognition is one of those biometrics. You cannot not know that your iris biometric is being captured or used. That does not mean a business using iris recognition is excused from complying with the 13 Privacy Principles. However, there is great assurance that your data is not being gathered without your knowledge.
Another assurance worth considering is the proposition that some biometrics are privacy enhancing technologies (PET), rather than privacy inhibiting (PIT). Twenty years ago, in 2004, the inaugural Australian Privacy Commissioner Malcolm Crompton borrowed this concept from Dutch and Canadian studies. He explored what a biometric PET might look like and went so far as to suggest iris recognition is a PET, perhaps even to the exclusion of other biometrics. The PET concept has stood the test of time and is a key consideration for law enforcement and healthcare institutions when designing biometric solutions.
What would a biometric PET look like? The key attributes would be that the biometric identifier carries no additional information. It would link a biometric template to a specific application. It would only authenticate what needed to be authenticated. Multiple identities would be allowed. Data is siloed.
Iris recognition goes a long way towards presenting as a Privacy Enhancing Technology. The templates and the databases in which they are stored are anonymous by design. That’s right – anonymous identification. Break into an encrypted iris template database (if you can) and all you have is a meaningless collection of ASCII code. One iris application template cannot be reverse engineered to be applied to another application – allowing multiple applications of the one identity. As we discussed elsewhere, there is no scope to discern health or other physiological attributes. A user has to knowingly be enrolled and can only derive services by knowingly engaging with an iris camera.
A PET biometric such as iris recognition technology, combined with the proper observance of the 13 Privacy Principles, can make the application of a biometric incredibly compelling in numerous business environments.



