With facial recognition technology continuing to advance, the benefits hold immense potential, from streamlining processes, to enhancing security and making workplaces safer. However, its implementation within the workplace naturally raises legal questions related to privacy, data protection, and consent. As a result, it’s important to have a thorough understanding of the legal framework and regulations governing the use of the technology in Australia.
In this guide, we will delve into the key legal considerations that businesses must carefully assess before implementing facial recognition technology. Our aim is to provide an overview of the legal landscape, to help businesses harness the benefits of facial recognition technology while safeguarding the rights and privacy of individuals.
It is essential to note that the information presented here does not, and is not intended to, constitute legal advice; this content is intended to provide general information in summary only. Each business's unique circumstances require tailored advice. Therefore, we strongly encourage businesses to conduct their own due diligence and consult with qualified legal professionals to ensure compliance with all relevant regulations.
Biometric data in general has a long history of being used for identification purposes, most notably in passports. The term *“biometric data”* refers to information obtained from scans or images of an individual's unique physical features or identifiers, which can be employed to identify them. Examples of biometric data include fingerprints, palm prints, voice recordings, or facial images. Once obtained, this data can be compared with previously recorded data to verify the individual's identity.
Automatic facial recognition technology (AFRT) is a method of using modern Deep Learning algorithms to extract “features” from faces using layered neural networks to create abstract representations that can identify and differentiate faces. This can include shape of eyes, distance between eyes, size of jaw and other facial characteristics.
For peace of mind, it’s worth dispelling some myths surrounding facial recognition including the common misconceptions about the technology’s use and functionality. Learn more.
As with any biometric technology, accuracy is an important component and though several factors can impact the precision of AFRT, significant advancements have been made.
In ideal conditions, facial recognition systems can have near-perfect accuracy. Verification algorithms used to match subjects to clear reference images (like a passport photo or mugshot) can achieve accuracy scores as high as 99.97% on standard assessments like NIST’s Facial Recognition Vendor Test. This is comparable to the best results of iris scanners. This kind of face verification has become so reliable that even banks feel comfortable relying on it to log users into their accounts. Source: US Centre for Strategic International Studies
Nirovision’s AI solutions are designed and tested to meet accuracy standards within a specific context, according to industry benchmarks. We measure AI accuracy in two ways: by assessing AI algorithms on a test dataset and by measuring the performance of AI-powered systems in real-world scenarios. Learn more.
While facial recognition technology dates back to the 1960’s, early iterations were limited by computational power and accuracy issues. It wasn’t until the mid-2000s, that algorithms were deemed efficient enough for real-time face detection. The proliferation of social media platforms and digital cameras further accelerated the adoption of facial recognition in various applications, from photo tagging to security surveillance.
As technology advanced and computing costs decreased, solutions like automated boarder control systems (eGates) and facial recognition at airports emerged. In addition to commercial uses, facial recognition is now making its way into consumer products. For example, Apple introduced Face ID with the iPhone in 2017, enabling users to unlock their devices and securely authenticate various functions.
Given the benefits that AI offers, the market for the technology is growing.
According to an Australian study commissioned by the CSIRO’s National Artificial Intelligence Centre (NAIC), respondents reported time savings of 30% across all AI-related initiatives that were implemented. When asked to quantify the revenue benefit of AI, Australian businesses recognised an average of AUD $361,315 from each implemented AI-related initiative. - CSIRO
In Australia, the use of video surveillance and facial recognition software by businesses is governed by three broad categories of regulation:
When it comes to surveillance, some states and territories (ACT and NSW) have specific workplace surveillance laws that require employers to inform employees of any proposed surveillance at least 14 days before it starts and to notify any new employers at the time their employment commences. While other States and Territories (NT, SA, WA, VIC) do not have specific workplace surveillance laws, workplace surveillance is still regulated by that State or Territory’s local surveillance legislation.
In the States and Territories that do not have specific workplace surveillance legislation (NT, SA, WA, VIC), employers do not have an express legal obligation to obtain consent from employees before using cameras to monitor public areas (meaning areas where access is permitted to the public, not just employees) as well as areas in the workplace where what is being observed is not considered a private activity (in other words, areas where employees ought to reasonably expect that they may be observed).
While employers in States and Territories that do not have specific workplace surveillance laws may not be legally required to provide notice of and obtain consent to workplace surveillance, informing employees of the nature and scope of any surveillance and, where appropriate, requesting their agreement to the surveillance can help a business build transparency and trust in the workplace.
In the case of Nirovision, the surveillance footage and the information collected by our facial recognition software (which includes biometric data in the form of facial images) is considered sensitive information under the Privacy Act.
Customers have control over the data our software gathers, with strict retention, deletion and access policies. However, there are still conditions that need to be met to comply with the Privacy Act when gathering and using someone’s sensitive information.
Every time an organisation collects sensitive information from an individual, the organisation needs to inform the individual of the collection and the purpose of collecting the sensitive information.
This notice of collection should happen before or as soon as possible after the information is collected (if informing beforehand is impractical or not feasible).
"For security and safety purposes, your biometric data and email address is being collected and stored by Nirovision, on behalf of [Company]. By entering our premises you are consenting to us collecting and storing this information, and agree to the use of the data for site safety and security purposes."
"By accepting your employment, you are agreeing to adhere to our evolving health, safety, and security policies and protocols. Please note that we may utilise different technologies from time to time to recognise you, log your entry or exit times on our premises, and manage your access to our facilities. This data collection encompasses biometric data that Nirovision collects on our behalf, and we employ. The objective behind gathering this information is to ensure compliance with work health and safety laws, and other relevant laws to maintain attendance records, enhance security measures, and promote a safer work environment.”
It is very important that the collection notice is written in simple language, and that reasonable steps are taken to ensure that the individuals are made aware of:
In addition to the collection notice, organisations need to ensure that the Privacy Policy is clearly-expressed and up to date. The Privacy Policy should include general practices regarding collection, use, disclosure and disposal of sensitive and personal data, and mention the processes and procedures in place to allow for this.
Organisations should also ensure their disclosure of information to any related entity or third party provider is covered by their privacy policy.
The purpose behind notification of collection is to obtain consent. Consent is valid if given freely, informed, recent, and specific, and it should be explicit if it’s the ground for collection.
This means that the individual must not only be fully informed of the purposes for which their biometric information will be collected, but also have the ability to freely choose whether to consent or not.
The power imbalance that can exist between an employer and employee is an important factor to consider when seeking an employee's consent for personal information, including biometric data. Consent is not voluntary where there is duress, coercion or pressure that could overpower the person’s will.
Employers must ensure that their data collection practices are transparent, necessary, and proportionate, and that employees are given a genuine choice about whether to participate. A genuine choice will be more apparent where there are realistic 'opt-out' mechanisms available to employees who do not consent, and it is clear to employees that they are under no threat of discipline or dismissal if they do not consent.
It’s important to note that if an employer did not obtain consent to collect sensitive personal information in the original employment agreement, they may be prevented from adding that as a condition of employment later on unless the employee gives consent.
In addition to notification of collection and obtaining consent, an organisation must have a legitimate reason for collecting and using biometric information. This involves:
It is up to an organisation to determine its usual business operations, and these will vary depending on the nature of the organisation. For example, in the case of a logistics company, its usual business operations might include warehousing and storage, transportation and fulfilment.
Such an organisation may collect biometric information to control access to secure areas or to verify the compliance of individuals entering the logistics site. This may be considered reasonably necessary if the organisation has a legitimate interest in protecting its assets or the safety of its employees and visitors, and the use of biometric information is proportionate to the risk being addressed.
In 2019, an Australian court case served as a powerful reminder of the importance of obtaining consent for the collection of private and sensitive information.
The Fair Work Commission heard a case whereby a worker faced dismissal for declining to use the company's new fingerprint technology to sign in.
The employer's decision to terminate the worker’s employment was deemed wrongful as the worker’s employment contract did not include compliance with the employer’s new site attendance policy (which involved the collection and use of the worker’s sensitive information through the fingerprint scanners), and there were other reasonable means of tracking the worker’s site attendance that did not use fingerprint scanners, and the worker could not be terminated for refusing to provide consent to the collection of his sensitive information.
This ruling highlights the importance of respecting individual privacy rights - you can learn more about this case here.
To help businesses comply with laws surrounding the collection of personal and sensitive information, we have put together a checklist below outlining the essential considerations and best practices.
In this guide we have reviewed the key rules and obligations which companies must comply with when collecting, using, and storing personal information. However we encourage you to check the local surveillance and workplace laws in your state and evaluate your policy against what the Privacy Act requires.
Here are some links for reference:
• Review the Privacy compliance obligations in your state.
• Assess your needs against those obligations.
• Conduct regular reviews and audits to ensure compliance with legal and regulatory requirements, and industry standards and best practices.
A primary purpose refers to the primary reason for which the personal information is collected, while secondary purposes refer to any additional purposes for which the information may be used.
It’s important to carefully deliberate on the primary purpose and ensure that it’s reasonably necessary for one of your business’s functions or activities.
It’s also important to make sure any secondary purposes directly align with your primary objective.
Here are some examples of primary purposes along with related secondary purposes:
• Enforce site-wide security and compliance
• Verify someone’s identity and compliance status
• Grant access if inducted and compliant
• Prevent tailgating, pass sharing and unauthorised access
• Run reports for Border Force checks
• Capture insights for site safety
• Know who is onsite at anytime
• Be alerted if non-compliant or unidentified individuals are onsite
• Run swift evacuations and practice drills
• Be alerted for failed PPE requirements
• Capture precise time and attendance
• Run payroll
• Receive attendance alerts
• Identify fraudulent sign in activity
It’s best practice to mention secondary purposes when obtaining consent unless the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose, and the secondary purpose is directly related to the primary purpose.
• Decide your primary purpose for collecting personal and sensitive data.
• Review any secondary purposes and how they relate to the primary purpose.
• If you have a need for a new primary or secondary purpose, draft a new collection notice.
Make sure individuals are made aware of the collection, use and disposal of their biometric information via a clear and concise collection notice.
Update your Privacy Policy so it details how the business handles personal information: collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have
• Draft a collection notice to give staff, contractors and visitors comfort that appropriate measures are to be taken to ensure their information is secure and will only be used for legitimate purposes.
Nirovision’s Survey feature can be leveraged for this purpose. In addition, every time someone checks in via a Doorkeeper kiosk or QR code, Nirovision displays a helpful “What happens to my data?” modal with information.
• Review your Privacy Policy, and seek legal advice to update it.
• Review third party providers’ Privacy Policies.
You can find Nirovision’s Privacy Policy here.
Make sure individuals are made aware of the collection, use and disposal of their biometric information via a clear and concise collection notice.
Update your Privacy Policy so it details how the business handles personal information: collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have.
• Ensure privacy statements and requests for consent are clearly communicated and reflect the way your organisation collects and actually uses personal information.
• Check if employment contracts include an express consent to the use of biometric identification technology and if not, seek informed consent from employees.
Nirovision surveys can also be leveraged for the above action items. Learn more.
Data minimisation is about keeping information collected to a minimum. This includes deleting information when it’s no longer required. Collecting and maintaining only what is necessary (in relation to the purpose), greatly reduces the risk of any unnecessary or unwanted exposure of private and sensitive information.
• Review your primary and secondary purposes for collecting personal and sensitive information, and decide what information is absolutely necessary for these purposes.
Nirovision allows for different onboarding requirements per personnel type, so you only request the information necessary for each group.
• Consider how long you need to keep personal information for and what can be deleted after a reasonable time.
Nirovision allows for different retention settings per document, so you retain files for the minimum time necessary.
• Establish a periodic review of all the different types of personal and sensitive information being collected and stored.
Check if your business has adequate security measures in place to protect data.
In addition to this, if the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and us when a data breach involving personal information is likely to result in serious harm.
• Evaluate potential threats and vulnerabilities.
• Keep operating systems, applications, and software tools up to date.
• Enforce security policies that address data handling, password management, and acceptable use of technology resources.
Find prevention techniques recommended by Australia’s leading agency on national cybersecurity, the Australian Cyber Security Centre (ACSC), on the OAIC's website.
• Have a clear off boarding process in place to revoke access to data as soon as an employee or contractor is no longer working for the organisation.
• Create a plan to monitor and handle a data breach according to the Notifiable Data Breaches scheme.
UK organisations need to complete a data privacy impact assessment (DPIA), as required under the GDPR. In Australia, government agencies and other public bodies can be directed to complete Australia’s equivalent of a DPIA by the Australian Information Commissioner. However, one of the proposals of the 2023 Privacy Act Review is to require all entities caught by the Privacy Act to conduct a DPIA for activities with high privacy risks.
A DPIA is an important risk management tool that involves detailing the process and purpose of data collection (and where applicable, the legitimate interest for collection), assessing the necessity and proportionality of collection in pursuit of the collection purpose, assessing the rights of and risks to the data subjects whose information is being collected, and setting out the safeguards and security measures being implemented to protect the data and privacy of such data subjects. In addition to the protection of the privacy of data subjects, some of the risks to a business of data being compromised include:
• Stay informed about relevant data protection laws and regulations.
• If required, prepare a DPIA.
Understanding the relevant legislation, such as the Privacy Act and the Australian Privacy Principles, is essential to protect the rights and privacy of individuals whose biometric data may be captured.
Obtaining informed consent from individuals is not only a legal requirement but also a great step in building trust with employees and contractors. Businesses must be transparent about the purposes and methods of using facial recognition technology, assuring individuals that their data is handled responsibly.
While this guide provides valuable insights into the key legal considerations, it is essential to remember that it does not constitute official legal advice. Each business's circumstances are unique, and seeking professional legal advice and conducting due diligence are imperative steps to ensure compliance and mitigate risks effectively.
As more Australian workplaces embrace facial recognition technology, we hope this guide helps businesses enjoy the many benefits of facial recognition while upholding the principles of privacy.
Headquartered in Sydney, Australia, Nirovision is the first AI powered technology to offer access control, compliance checks and monitoring software under one platform. Whether it’s authenticating and verifying a worker’s compliance at the gate, signing in visitors, automating vehicle access or detecting missing PPE, Nirovision is making workplaces safer and more secure.
Today, some of Australia’s biggest businesses across transport, manufacturing, logistics and construction, rely on Nirovision for a safer workplace.
To learn more visit nirovision.com
1. US Centre for Strategic International Studies
2. National Artificial Intelligence Centre study commission by CSIRO
https://www.csiro.au/en/work-with-us/industries/technology/National-AI-Centre/AI-Ecosystem-Report
3. Jeremy Lee vs Superior Wood
https://globalfreedomofexpression.columbia.edu/cases/jeremy-lee-v-superior-wood/
4.Australian Cyber Security Centre