When consumer advocacy body CHOICE last month went public with its investigation into the use of facial recognition by major Australian retailers, the public reaction was swift – and negative. No surprise, given we already knew that the majority of Australians are uncomfortable with the collection of their biometric information to shop in a retail store.
Much of the online chatter, the media coverage and the defensive comms swirled around in circles, sometimes getting lost in the minutiae of topics like the size of the font on the signage at stores, or how long images of customers are held for, or who is recognisable from the images, or arguing about whether customers ‘consent’ by walking into a store, or going through privacy policies with a fine-toothed comb. Another common angle of exploration was facial recognition technology itself, including its questionable accuracy and potential discriminatory impacts.
The OAIC has since launched an investigation into the use of facial recognition technology by Bunnings and Kmart. (By comparison, by pausing its use of the tech in response to the CHOICE investigation, third retailer The Good Guys seems to have turned down the regulatory heat, and has thus far avoided a formal investigation.)
But it’s not only facial recognition technology which might create privacy concerns for customers. Nor are these data management issues and PR headaches limited to the retail sector. I see similar concerns raised in discussions about other forms of data collection and use, such as customer profiling, online tracking and marketing. So there are lessons to be learned for all types of organisations, collecting all sorts of personal information.
In particular, this incident has highlighted a lot of confusion about the rules when collecting personal information, and the roles of notice and consent, including what is needed when, under Australian privacy law.
Happily, we don’t need to wait for the OAIC to conclude its investigation before we can clear up some of that confusion. We already have the Privacy Act 1988, existing OAIC publications and formal determinations to guide us.
So here’s your quick and dirty, 8-point cheat sheet guide to collecting personal information under the Privacy Act.
1. The act of creating new data, such as by drawing inferences, generating insights or producing biometric vectors, is a fresh ‘collection’, which must comply with the Collection principles
Let’s start by looking at what constitutes a ‘collection’ of personal information, for the purposes of compliance with the Collection principles, which are found in Australian Privacy Principles (APPs) 3-5 in the Privacy Act.
Collection isn’t just about when you ask customers to fill out a form. The ‘creation’ of new personal information, such as by way of combining data or inferring information from existing data, will also constitute a ‘collection’ for the purposes of the APPs.
For example in the Uber case, the OAIC stated that “The concept of ‘collection’ applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means”, such as via online cookies.
And in the Clearview case, the OAIC found that the vectors used for its facial recognition technology, which were generated from images drawn from photographs scraped from the web, were also ‘collected’, noting that “‘collects’ includes collection by ‘creation’ which may occur when information is created with reference to, or generated from, other information”.
2. You will be ‘collecting’ personal information even if it is only transient
The act of taking a photo of a customer, to be used to generate a faceprint, is a ‘collection’ of personal information, no matter how ephemeral that image is, and even if the image is not going to be stored.
In the 7-Eleven case, the OAIC found that even a transient collection, such as images which were stored on a tablet for around 20 seconds before being uploaded to a server in the cloud, will constitute a ‘collection’ for the purposes of the APPs.
So Electronic Frontiers Australia’s Chair Justin Warren was spot on when he compared the use of facial recognition on retail customers to taking a fingerprint of every customer as they enter the store and checking it against a file of previous fingerprints: “The fact they then throw away that piece of paper isn’t the problem, it’s that they took the customer’s fingerprints in the first place”.
3. All collection must be reasonably necessary, and proportionate to a legitimate business objective
The collection of any type of personal information, no matter how benign, must be reasonably necessary for a legitimate purpose. From the 7-Eleven case we know that under APP 3, collecting personal information because it will be “helpful, desirable or convenient” is not enough; your collection of personal information must be “reasonably necessary” for one of your organisation’s “functions or activities”.
The OAIC has formulated this test as involving consideration as to whether the impact on individuals’ privacy is “proportionate to a legitimate aim sought”. In the case of 7-Eleven, while the OAIC noted that “implementing systems to understand and improve customers’ in-store experience” was a legitimate aim of the business, the collection of biometric templates was not a proportionate way to achieve that aim, and thus was in breach of APP 3.
Plus, all collection of personal information must also be by lawful and fair means (APP 3.5), and directly from the individual unless an exception applies (APP 3.6).
4. All collection requires a collection notice to be provided that is specific to that collection
APP 5 requires organisations to take reasonable steps to notify people about the collection of their personal information – the who, what, when, where, how and why. That notice must be provided at or before the time of the collection.
The objective of a collection notice is to prevent anyone getting a nasty surprise later; and it can enable the individual to make an informed choice about whether to provide you with their information (if they even have that much choice).
But remember that a collection notice is not a free pass to collect anything you like. You can still only collect personal information if your reason for asking for the personal information is reasonably necessary – see point #3 above.
Another tip: make sure you don’t confuse collection notices with consent forms. Collection notices are a one-way form of communication. The person does not need to indicate their agreement; they are simply being put ‘on notice’.
6. Some acts of collection (or use, or disclosure) also require the prior consent of the individual, unless a public interest exception applies
Importantly, you don’t need consent for everything! Seeking consent is only necessary when the APPs say that you need a person’s consent, in order to lawfully collect, use or disclose their personal information.
This is most commonly when you are either:
• collecting information about a person’s health or disability, unless that information is necessary to provide a health service to the individual, or
• collecting other types of ‘sensitive information’ about a person, such as biometrics (hello, facial recognition tech), genetic information, or information about the person’s ethnicity, sexuality, criminal record, religion, religious or philosophical or political beliefs, or membership of a trade union, political association or professional association, or
• proposing to use or disclose personal information for a purpose unrelated to the primary purpose for which you collected it, or
• disclosing personal information overseas
… and no exemption applies.
So check the APPs to find out whether or not any particular activity (whether a collection, use or disclosure of personal information) first requires the person’s consent, in order to be lawfully authorised.
But heads up: a valid consent is hard to get.
7. If you do need consent to authorise your conduct, that consent will only be valid if it is voluntary, informed, specific, current, and given by a person with capacity
The OAIC has said that in order to be valid, a consent must be voluntary, informed, specific, current, and given by a person with the capacity to consent.
I like to describe consent as the ‘Would you like fries with that?’ question. The question must be very specific about what is being proposed, the question must be asked about only one thing at a time, the default position must be ‘no’, and the customer must be completely free to say either yes or no to the fries, and still get their burger.
So notice alone typically does not allow you to infer consent. (For anyone who still thinks that posting a notice outside a store is the same as getting consent from customers who enter the store, please consider this: if providing a notice was enough to infer consent, the Privacy Act would not need to require both.)
‘Opt out’ is not consent either; the OAIC has made clear that an individual’s silence cannot be confidently taken as an indication of consent.
So, if you want to collect (including create) personal information from or about your customers, make sure that you:
• can demonstrate that your collection is reasonably necessary, for a legitimate aim, and proportionate to that aim (APP 3.1-3.3)
• only use lawful and fair means (APP 3.5)
• collect information directly from each customer unless you are authorised otherwise (APP 3.6)
• provide a collection notice to every customer (APP 5), and
Plus, if the personal information you are collecting / creating is ‘sensitive information’, you will also require each customer’s consent, unless an exemption applies.
Easy, right? Now we’ve got that sorted, you can go and enjoy your fries. Or not. It’s completely up to you.