On 19 November 2024, the Office of the Australian Information Commissioner (OAIC) issued guidance for private sector organisations using facial recognition technology (FRT) in commercial or retail settings. This guidance aims to ensure compliance with the Australian Privacy Principles (APP) set out in the Privacy Act 1988. It outlines the sensitive nature of biometric data and the need for robust protection against misuse, loss, and unauthorised access. The guidance emphasises adopting a “privacy by design” approach, including conducting Privacy Impact Assessments (PIAs) to identify and mitigate risks. It addresses the necessity and proportionality of data collection, requiring that biometric information be collected only when necessary and when no less privacy-intrusive means are available. It also covers obtaining informed, voluntary, current, and specific consent from individuals, alongside clear communication about data usage. It highlights the importance of ensuring data accuracy, addressing biases, and preventing discrimination. Additionally, it outlines the need for strong governance frameworks, including the appointment of privacy officers, regular audits, and the continuous review and updating of privacy policies and practices to align with technological advancements.