When consumer advocacy body CHOICE last month went public with its investigation into the use of facial recognition by major Australian retailers, the public reaction was swift – and negative. No surprise, given we already knew that the majority of Australians are uncomfortable with the collection of their biometric information to shop in a retail store.
Much of the online chatter, the media coverage and the defensive comms swirled around in circles, sometimes getting lost in the minutiae of topics like the size of the font on the signage at stores, or how long images of customers are held for, or who is recognisable from the images, or arguing about whether customers ‘consent’ by walking into a store, or going through privacy policies with a fine-toothed comb. Another common angle of exploration was facial recognition technology itself, including its questionable accuracy and potential discriminatory impacts.
The OAIC has since launched an investigation into the use of facial recognition technology by Bunnings and Kmart. (By comparison, by pausing its use of the tech in response to the CHOICE investigation, third retailer The Good Guys seems to have turned down the regulatory heat, and has thus far avoided a formal investigation.)
But it’s not only facial recognition technology which might create privacy concerns for customers. Nor are these data management issues and PR headaches limited to the retail sector. I see similar concerns raised in discussions about other forms of data collection and use, such as customer profiling, online tracking and marketing. So there are lessons to be learned for all types of organisations, collecting all sorts of personal information.
In particular, this incident has highlighted a lot of confusion about the rules when collecting personal information, and the roles of notice and consent, including what is needed when, under Australian privacy law.
Happily, we don’t need to wait for the OAIC to conclude its investigation before we can clear up some of that confusion. We already have the Privacy Act 1988, existing OAIC publications and formal determinations to guide us.
So here’s your quick and dirty, 8-point cheat sheet guide to collecting personal information under the Privacy Act.
1. The act of creating new data, such as by drawing inferences, generating insights or producing biometric vectors, is a fresh ‘collection’, which must comply with the Collection principles
Let’s start by looking at what constitutes a ‘collection’ of personal information, for the purposes of compliance with the Collection principles, which are found in Australian Privacy Principles (APPs) 3-5 in the Privacy Act.
Collection isn’t just about when you ask customers to fill out a form. The ‘creation’ of new personal information, such as by way of combining data or inferring information from existing data, will also constitute a ‘collection’ for the purposes of the APPs.
For example, in the Uber case, the OAIC stated that “The concept of ‘collection’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means”, such as via online cookies.
And in the Clearview case, the OAIC found that the vectors used for its facial recognition technology, which were generated from images drawn from photographs scraped from the web, were also ‘collected’, noting that “‘collects’ includes collection by ‘creation’ which may occur when information is created with reference to, or generated from, other information”.
2. You will be ‘collecting’ personal information even if it is only transient
The act of taking a photo of a customer, to be used to generate a faceprint, is a ‘collection’ of personal information, no matter how ephemeral that image is, and even if the image is not going to be stored.
In the 7-Eleven case, the OAIC found that even a transient collection, such as images which were stored on a tablet for around 20 seconds before being uploaded to a server in the cloud, will constitute a ‘collection’ for the purposes of the APPs.
So Electronic Frontiers Australia’s Chair Justin Warren was spot on when he compared the use of facial recognition on retail customers to taking a fingerprint of every customer as they enter the store and checking it against a file of previous fingerprints: “The fact they then throw away that piece of paper isn’t the problem, it’s that they took the customer’s fingerprints in the first place”.
3. All collection must be reasonably necessary, and proportionate to a legitimate business objective
The collection of any type of personal information, no matter how benign, must be reasonably necessary for a legitimate purpose. From the 7-Eleven case we know that under APP 3, collecting personal information because it will be “helpful, desirable or convenient” is not enough; your collection of personal information must be “reasonably necessary” for one of your organisation’s “functions or activities”.
The OAIC has formulated this test as involving consideration as to whether the impact on individuals’ privacy is “proportionate to a legitimate aim sought”. In the case of 7-Eleven, while the OAIC noted that “implementing systems to understand and improve customers’ in-store experience” was a legitimate aim of the business, the collection of biometric templates was not a proportionate way to achieve that aim, and thus was in breach of APP 3.
Plus, all collection of personal information must also be by lawful and fair means (APP 3.5), and collected directly from the individual unless an exception applies (APP 3.6).
4. All collection requires a collection notice to be provided that is specific to that collection
APP 5 requires organisations to take reasonable steps to notify people about the collection of their personal information – the who, what, when, where, how and why. That notice must be provided at or before the time of the collection.
Not to be confused with your Privacy Policy (which talks in general terms about the whole organisation), a collection notice must be specific to the personal information being collected at that point. Privacy regulators stress the need to keep notices concise and in plain language, while also offering enough detail about how you propose to collect, use or disclose the individual’s personal information.
The objective of a collection notice is to prevent anyone getting a nasty surprise later; and it can enable the individual to make an informed choice about whether to provide you with their information (if they even have that much choice).
But remember that a collection notice is not a free pass to collect anything you like. You can still only collect personal information if your reason for asking for the personal information is reasonably necessary – see point #3 above.
Another tip: make sure you don’t confuse collection notices with consent forms. Collection notices are a one-way form of communication. The person does not need to indicate their agreement; they are simply being put ‘on notice’.
5. A Privacy Policy is not a collection notice
The obligation to have a Privacy Policy comes from APP 1. It’s a separate requirement to your APP 5 collection notices.
As described by the OAIC, a Privacy Policy is simply “a transparency mechanism”, which “must include information about an entity’s personal information handling practices including how an individual may complain and how any complaints will be dealt with”.
So your Privacy Policy is not magic. It cannot authorise your organisation to do anything that the APPs don’t already allow you to do.
6. Some acts of collection (or use, or disclosure) also require the prior consent of the individual, unless a public interest exception applies
Asking for a person’s consent is a separate process to either providing a collection notice or publishing a Privacy Policy.
Importantly, you don’t need consent for everything! Seeking consent is only necessary when the APPs say that you need a person’s consent, in order to lawfully collect, use or disclose their personal information.
This is most commonly when you are either:
• collecting information about a person’s health or disability, unless that information is necessary to provide a health service to the individual, or
• collecting other types of ‘sensitive information’ about a person, such as biometrics (hello, facial recognition tech), genetic information, or information about the person’s ethnicity, sexuality, criminal record, religion, religious or philosophical or political beliefs, or membership of a trade union, political association or professional association, or
• proposing to use or disclose personal information for a purpose unrelated to the primary purpose for which you collected it, or
• disclosing personal information overseas
… and no exemption applies.
So check the APPs to find out whether or not any particular activity (whether a collection, use or disclosure of personal information) first requires the person’s consent, in order to be lawfully authorised.
But heads up: a valid consent is hard to get.
7. If you do need consent to authorise your conduct, that consent will only be valid if it is voluntary, informed, specific, current, and given by a person with capacity
The OAIC has said that in order to be valid, a consent must be voluntary, informed, specific, current, and given by a person with the capacity to consent.
I like to describe consent as the ‘Would you like fries with that?’ question. The question must be very specific about what is being proposed, the question must be asked about only one thing at a time, the default position must be ‘no’, and the customer must be completely free to say either yes or no to the fries, and still get their burger.
So notice alone typically does not allow you to infer consent. (For anyone who still thinks that posting a notice outside a store is the same as getting consent from customers who enter the store, please consider this: if providing a notice was enough to infer consent, the Privacy Act would not need to require both.)
‘Opt out’ is not consent either; the OAIC has made clear that an individual’s silence cannot be confidently taken as an indication of consent.
8. Consent cannot be obtained by making your customers ‘agree’ to your Privacy Policy, a collection notice, or your Terms and Conditions
In the Flight Centre case, the OAIC noted that a Privacy Policy is not a tool for obtaining consent. Making your customers ‘agree’ to your Privacy Policy, or to a collection notice, or to Ts&Cs, before they can access a service, download an app, enter a store or buy a product removes the voluntary aspect needed to gain a valid consent.
So, if you want to collect (including create) personal information from or about your customers, make sure that you:
• can demonstrate that your collection is reasonably necessary, for a legitimate aim, and proportionate to that aim (APP 3.1-3.3)
• only use lawful and fair means (APP 3.5)
• collect information directly from each customer unless you are authorised otherwise (APP 3.6)
• provide a collection notice to every customer (APP 5), and
• publish a Privacy Policy, such as on your website (APP 1).
Plus, if the personal information you are collecting / creating is ‘sensitive information’, you will also require each customer’s consent, unless an exemption applies.
Easy, right? Now we’ve got that sorted, you can go and enjoy your fries. Or not. It’s completely up to you.
Love these insights but need something more formal to put in front of your boss or colleagues? Check out our guide: The Privacy Act in a Nutshell – An Executive Briefing Paper.
Or grab our Template Collection Notices and Consent Forms in one of our Compliance Kits.
Want more caselaw insights? Watch our video here.