
Australia: OAIC issues guidance on privacy risks of FRT

On November 19, 2024, the Office of the Australian Information Commissioner (OAIC) published a guide to assessing the privacy risks of facial recognition technology (FRT). The guide sets out general considerations for private sector organizations that are considering using FRT to undertake facial identification in a commercial or retail setting. Further, the guide outlines the Australian Privacy Principles (APPs) that are relevant when considering the use of FRT.

What is facial recognition technology?

The guide explains that FRT involves the collection of a digital image of an individual's face and the extraction of their distinct features into a biometric template, which is then compared against one or more pre-extracted biometric templates for facial verification or identification. Notably, the guide distinguishes facial verification, which is defined as 'one-to-one' matching to determine whether a face matches a single biometric template, from facial identification, which refers to 'one-to-many' matching to determine whether a face matches any biometric template in a database.
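The verification/identification distinction matters for the accuracy principle discussed later: a one-to-many search performs many comparisons per probe, so the chance of a spurious match grows with the size of the database even when each individual comparison is reliable. The following is an added illustration, not code from the guide or the OAIC: it models templates as fixed-length feature vectors compared by cosine similarity (a constructed stand-in for real biometric templates), implements 1:1 and 1:N matching against a fixed threshold, and estimates how often an unenrolled person is wrongly matched in each mode. All function names, the dimension, the threshold and the seeds are assumptions for the example.

```python
import math
import random

# Constructed example: a "template" is an 8-dimensional unit vector, a stand-in
# for the biometric template a real FRT system extracts from a face image.
DIM = 8
THRESHOLD = 0.7  # assumed decision threshold on cosine similarity


def random_unit_vector(rng, dim=DIM):
    """A synthetic template for a previously unseen person."""
    v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def noisy_copy(rng, template, sigma=0.05):
    """A second capture of the same person: the enrolled template plus small noise."""
    return [x + rng.gauss(0.0, sigma) for x in template]


def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb)


def verify(probe, enrolled, threshold=THRESHOLD):
    """One-to-one (facial verification): does the probe match this single template?"""
    return cosine_similarity(probe, enrolled) >= threshold


def identify(probe, gallery, threshold=THRESHOLD):
    """One-to-many (facial identification): every gallery id whose template clears
    the threshold, best score first. An empty list means 'no match'."""
    scored = [(cosine_similarity(probe, t), gid) for gid, t in gallery.items()]
    return [gid for score, gid in sorted(scored, reverse=True) if score >= threshold]


def estimate_false_match_rate(rng, gallery_size, threshold=THRESHOLD, trials=400, dim=DIM):
    """Fraction of trials in which a probe from an UNENROLLED person is matched to
    at least one of `gallery_size` unrelated templates. gallery_size=1 is the 1:1
    false-match rate; larger galleries show the 1:N case."""
    hits = 0
    for _ in range(trials):
        gallery = {i: random_unit_vector(rng, dim) for i in range(gallery_size)}
        probe = random_unit_vector(rng, dim)
        if identify(probe, gallery, threshold):
            hits += 1
    return hits / trials


def false_match_bound(per_comparison_rate, gallery_size):
    """If each comparison falsely matches with probability p independently, the
    probability that a 1:N search returns at least one false match is 1-(1-p)^N."""
    return 1.0 - (1.0 - per_comparison_rate) ** gallery_size


if __name__ == "__main__":
    rng = random.Random(1)
    alice = random_unit_vector(rng)
    gallery = {"alice": alice, "bob": random_unit_vector(rng), "carol": random_unit_vector(rng)}
    probe = noisy_copy(rng, alice)
    print("1:1 verify alice:", verify(probe, alice))
    print("1:N identify    :", identify(probe, gallery))

    fmr_1 = estimate_false_match_rate(random.Random(7), 1)
    fmr_50 = estimate_false_match_rate(random.Random(7), 50)
    print(f"false matches, 1:1 : {fmr_1:.3f}")
    print(f"false matches, 1:50: {fmr_50:.3f}  (bound from 1:1 rate: {false_match_bound(fmr_1, 50):.3f})")
```

The same threshold that gives a low false-match rate for verification produces a much higher rate once the probe is searched against a gallery of fifty templates; in a real deployment the gallery is far larger and the threshold, bias across demographic groups and the review process for candidate matches all need to be assessed, which is the substance of the APP 10 point in the guide.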

What are the privacy considerations when using FRT?

The guide recommends that organizations considering using FRT should undertake a Privacy Impact Assessment (PIA) to identify potential privacy impacts at the outset and implement recommendations to manage, minimize, or eliminate them. As part of the privacy-by-design approach, the guide notes that the following principles should be explored to support the appropriate use of sensitive information when using FRT:

  • necessity and proportionality (APP 3) – personal information for use in FRT must only be collected when it is necessary and proportionate in the circumstances and where the purpose cannot reasonably be achieved by less privacy-intrusive means;
  • consent and transparency (APPs 3 and 5) – individuals need to be proactively provided with sufficient notice and information to allow them to provide meaningful consent to the collection of their information;
  • accuracy, bias, and discrimination (APP 10) – organizations need to ensure that the biometric information used in FRT is accurate and steps need to be taken to address any risk of bias; and
  • governance and ongoing assurance (APP 1) – organizations that decide to use FRT need to have clear governance arrangements in place, including privacy risk management practices and policies that are effectively implemented, and ensure that they are regularly reviewed.

You can read the guide here.