The Tribunal’s decision

On 4 February 2026, the Guidance and Appeals Panel (GAP) of the Administrative Review Tribunal (Tribunal) partially set aside a determination of the Privacy Commissioner which had found that Bunnings’ use of Facial Recognition Technology (FRT) contravened Australian Privacy Principles (APPs) 1.2, 1.3, 3.3 and 5.1.

The Tribunal affirmed the Commissioner’s decision that Bunnings breached APPs 1.2, 1.3 and 5.1, finding that Bunnings failed to:

• take reasonable steps in the circumstances to implement practices, procedures and systems to ensure compliance with the APPs in relation to its use of FRT (APP 1.2);

• maintain an APP privacy policy containing all information required by APP 1.4 during the relevant period (APP 1.3); and

• take reasonable steps in the circumstances to notify individuals of relevant matters relating to the collection of their personal information (APP 5.1).

The Tribunal set aside the decision under review in respect of APP 3.3, which prohibits the collection of sensitive information unless an individual consents or an exception in APP 3.4 applies. Importantly, the Tribunal was satisfied that:

• Bunnings’ collection of facial images involved the collection of sensitive information, as the images were collected for biometric identification purposes; and

• the Privacy Act 1988 (Cth) (Privacy Act) did not prevent that collection, as the permitted general situation in item 2 of s 16A of the Privacy Act applied, including because the collection was necessary.

Key takeaways for other APP entities

• The Tribunal found that the term “necessary” does not mean “essential”, as contended by the Privacy Commissioner. Rather, it means something more than merely helpful, desirable or convenient, but not essential or indispensable.

• Proportionality is important. The phrase “appropriate action in relation to the matter” requires consideration of whether the response to the unlawful activity was appropriate. The Tribunal observed that “using a sledgehammer to crack a nut” would be inappropriate.

• Alternatives should be considered where they are available, particularly where they are less privacy‑intrusive and more effective.

• Compliance with APP 5 requires specificity. Where FRT is deployed, privacy notices should specify that sensitive information is being collected through FRT, the purpose of the collection, and the main consequences if the information is not collected.

• Importantly, the Tribunal found that, given the serious intrusion into privacy associated with collecting sensitive information, it would have been reasonable for Bunnings to conduct a formal, structured and documented risk assessment of the FRT system from the outset, considering privacy implications.

Non‑judicial members of the Tribunal must have regard to GAP decisions that involve similar facts or raise similar issues – see s 110 of the Administrative Review Tribunal Act 2024 (Cth).

Background

Between 2018 and 2021, Bunnings used FRT across 62 of its stores to capture real‑time facial images of people entering the stores and to match those images against individuals in an internal database who had been identified as posing a risk due to violent or other criminal conduct.

In a 2024 determination, the Privacy Commissioner found that Bunnings’ use of FRT breached APPs 1.2, 1.3, 3.3 and 5.1.

In respect of APP 3.3, Bunnings argued that its collection of sensitive information was permitted under item 2 of s 16A of the Privacy Act, which permits an APP entity to collect, use or disclose personal information (including sensitive information) where:

• the entity has reason to suspect that unlawful activity, or serious misconduct, relating to its functions or activities has occurred, is occurring or may occur; and

• the entity reasonably believes that the collection, use or disclosure is necessary in order to take appropriate action in relation to the matter.

Contact us

If your agency or organisation requires assistance in understanding how this decision may affect you, including in relation to facial recognition or surveillance, please contact our information law experts:

James Pratt – james.pratt@adaptbl.com.au | 0423 368 823
Alex Gent – alex.gent@adaptbl.com.au
Geoff Adams – geoff.adams@adaptbl.com.au | 0404 608 231

With thanks to Sruthi Golla, Paralegal, Information Law Team, for her contribution to this article.