Facial recognition technology: a guide to assessing the privacy risks | OAIC
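<!doctype html>
<html lang="en">
<head>
  <!-- Character encoding is declared first so it is seen before any text content. -->
  <meta charset="utf-8">
  <title>Facial recognition technology: a guide to assessing the privacy risks | OAIC</title>

  <!-- Misc Metadata -->
  <meta name="mobile-web-app-capable" content="yes">
  <!-- maximum-scale was removed from the viewport: capping the scale stops users
       from pinch-zooming the page (WCAG 1.4.4, Resize text). -->
  <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

  <!-- Global Default Metadata -->
  <meta name="dcterms.title" content="Facial recognition technology: a guide to assessing the privacy risks">
  <meta name="dcterms.creator" content="OAIC">
  <meta name="dcterms.created" content="2024-11-04T12:07:19+11:00">
  <meta name="dcterms.modified" content="2024-11-19T10:52:16+11:00">
  <meta name="dcterms.issued" content="2024-11-19T10:52:04+11:00">
  <meta name="dcterms.format" content="HTML">
  <meta name="dcterms.identifier" content="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/facial-recognition-technology-a-guide-to-assessing-the-privacy-risks">

  <!-- Custom Metadata -->
  <!-- Page //-->
  <!-- SEO //-->
  <meta name="publishedDate" content="19 November 2024">
  <meta name="publishedDate_ISO" content="2024-11-19T00:00:00+11:00">
  <meta name="description" content="The Office of the Australian Information Commissioner">
  <meta name="pdISO" content="2024-11-19T00:00:00+11:00">
  <meta name="robots" content="">

  <!-- Chapter navigation //-->
  <meta name="chapter-nav" content="no">
  <meta name="chapter-nav-prev" content="">
  <meta name="chapter-nav-next" content="">
  <meta name="chapter-nav-prev-btn-text" content="Previous chapter">
  <meta name="chapter-nav-next-btn-text" content="Next chapter">
  <meta name="background_color" content="chapter-navigation__wrapper--white">

  <!-- Media //-->
  <meta name="show-related-articles" content="no">
  <meta name="topic" content="Privacy">
  <meta name="contentType" content="Guide or guideline">
  <meta name="featuredNews" content="no">
  <meta name="author-name" content="">
  <meta name="author-title" content="">
  <meta name="author-image" content="">

  <!-- Search //-->
  <meta name="type" content="web">

  <!-- Feedback //-->
  <meta name="showFeedbackWidget" content="yes">
  <meta name="showShareWidget" content="yes">

  <!-- Google+ Schema.org Data | https://developers.google.com/+/web/snippet/article-rendering -->
  <meta itemprop="name" content="Facial recognition technology: a guide to assessing the privacy risks">
  <meta itemprop="description" content="The Office of the Australian Information Commissioner">
  <meta itemprop="image" content="">

  <!-- Twitter Card Data | https://dev.twitter.com/cards/types/summary -->
  <meta name="twitter:card" content="summary">
  <meta name="twitter:site" content="@OAICgov">
  <meta name="twitter:title" content="Facial recognition technology: a guide to assessing the privacy risks">
  <meta name="twitter:description" content="The Office of the Australian Information Commissioner">
  <meta name="twitter:image" content="">

  <!-- Open Graph Data | http://ogp.me/ -->
  <meta property="og:title" content="Facial recognition technology: a guide to assessing the privacy risks">
  <meta property="og:type" content="website">
  <meta property="og:url" content="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/facial-recognition-technology-a-guide-to-assessing-the-privacy-risks">
  <meta property="og:image" content="">
  <meta property="og:description" content="The Office of the Australian Information Commissioner">
  <meta property="og:site_name" content="OAIC">
  <meta property="article:published_time" content="2024-11-19T10:52:04+11:00">
  <meta property="article:modified_time" content="2024-11-19T10:52:16+11:00">
  <meta property="article:tag" content="">
  <meta name="theme-color" content="#fafafa">

  <!-- Readspeaker: third-party script that runs with full access to this page.
       The URL is written with an explicit https: scheme instead of the
       protocol-relative form, so it is fetched over TLS however the page
       itself was loaded.
       NOTE(review): no integrity attribute is set. If the vendor offers a
       versioned, immutable URL, pin it and add integrity plus crossorigin;
       otherwise restrict this origin through the Content-Security-Policy
       script-src list. -->
  <script src="https://cdn-oc.readspeaker.com/script/9755/webReader/webReader.js?pids=wr" id="rs_req_Init"></script>

  <!-- Google Tag Manager: inline bootstrap that injects gtm.js for the container
       id passed on the last line.
       NOTE(review): a strict Content-Security-Policy needs a nonce or hash for
       this inline block. The container is configured remotely, so the tags that
       run here can change without any change to this file; confirm who is
       allowed to publish to the container. -->
  <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-PTH9SP3B');</script>
  <!-- End Google Tag Manager -->

  <!-- Google Site Verification -->
  <meta name="google-site-verification" content="sQVHBUKhjuCjBjithPialZYhGQ5SPKwjb1_rY8OqsjA">

  <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/main.css?h=06ed308">
  <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/css_file/0024/240585/custom.css?v=0.1.202">

  <!-- Fonts -->
  <!-- NOTE(review): version-pinned stylesheet from a public CDN, loaded without
       Subresource Integrity. Because the version is fixed, add
       integrity="sha384-<HASH_OF_PUBLISHED_FILE>" (placeholder, the hash is not
       on this page) together with crossorigin="anonymous". -->
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <!-- The ampersand in the query string is escaped as &amp; so the attribute
       value is valid HTML; the URL the browser requests is the same. -->
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Source+Code+Pro:ital,wght@0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&amp;display=swap">

  <!-- Favicons -->
  <link rel="shortcut icon" href="https://www.oaic.gov.au/__data/assets/image/0016/14182/favicon-32x32.png">
  <link rel="apple-touch-icon" href="https://www.oaic.gov.au/__data/assets/image/0015/14181/apple-touch-icon.png">

  <!-- Running Squiz Matrix Developed by Squiz - http://www.squiz.net Squiz, Squiz Matrix, MySource, MySource Matrix and Squiz.net are registered Trademarks of Squiz Pty Ltd Page generated: 24 November 2024 23:56:39 -->
</head>
<body class="inside">
<!-- Cookie banner start -->
<section class="cookie-banner" aria-labelledby="cookie-heading">
<h2 class="visuallyhidden" id="cookie-heading">We use cookies on this site</h2>
<div class="cookie-banner__content"> <div> <p>We use cookies to analyse traffic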
and to improve your browsing experience on our website. To find out more, read our <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/privacy-policy">privacy policy</a>.</p> </div> <button class="cookie-banner__close primary-button" id="close-cookie-banner" aria-label="Close and accept cookie policy">Close</button> </div> </section> <!-- Cookie banner end --> <!-- Skip to content start --> <div class="skip-to-content"> <a href="#main-content-area" class="skip-to-content__link visuallyhidden focusable">Skip to main content</a> </div> <!-- Skip to content end --> <div class="page-wrapper"> <!-- Notification banner start --> <!-- Notification banner end --> <!-- Header start --> <!--noindex--> <header class="site-header"> <div class="utility-nav"> <div class="utility-nav__wrapper"> <a href="/news" class="utility-nav__link ">News</a> <a href="/about-the-OAIC/join-our-team" class="utility-nav__link ">Join our team</a> <a href="/contact-us" class="utility-nav__link ">Contact us</a> </div> </div> <div class="header-content"> <a href="https://www.oaic.gov.au" class="header-logo"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/13664/oaic-header-logo.svg" alt="OAIC - Australian Government - Office of the Australian Information Commissioner"> </a> <button class="mobile-menu" aria-controls="header-nav" aria-expanded="false"> <img class="menu-icon menu-icon--burger" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/hamburger-menu.svg" alt="open menu"> <img class="menu-icon menu-icon--close" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/cancel-icon-white.svg" alt="close menu"> </button> <div class="search-container search-container--header"> <form class="input-form" action="https://www.oaic.gov.au/search" data-action="https://www.oaic.gov.au/search?SQ_ASSET_CONTENTS_RAW"> <input name="query" autocomplete="off" id="autoComplete" placeholder="Search…" 
class="search-box" aria-label="Search input" data-autocomplete-endpoint="https://dxp-au-search.funnelback.squiz.cloud/s/suggest.json?collection=113e9365-ffcc-4320-a995-5c1b98bea3bb~sp-oaic-web-new&profile=auto-completion-global&fmt=json%2B%2B&alpha=0.5&show=10"> <input type="hidden" name="form" value="result"> <button type="button" id="clear-text-btn" class="cancel-logo" aria-label="Clear text"> <img src="https://www.oaic.gov.au/__data/assets/file/0022/13666/cancel-icon.svg" alt="clear text cancel icon"> </button> <button type="submit" aria-label="Submit search"> <img class="search-icon" src="https://www.oaic.gov.au/__data/assets/file/0023/13667/search-outline.svg" alt="search icon thst submits form"> </button> </form> </div> <div id="header-nav" class="header-nav"> <nav class="header-nav__nav"> <div class="header-nav__item"> <a href="https://www.oaic.gov.au" class="header-nav__link " > Home </a> </div> <div class="header-nav__item"> <button class="header-nav__button current" aria-expanded="false" > Privacy <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/privacy" class="header-nav__sub-link"> Privacy </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/privacy/your-privacy-rights" class="header-nav__sub-link"> Your privacy rights </a> <a href="https://www.oaic.gov.au/privacy/privacy-complaints" class="header-nav__sub-link"> Privacy 
complaints </a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles" class="header-nav__sub-link"> Australian Privacy Principles </a> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies" class="header-nav__sub-link"> Privacy guidance for organisations and government agencies </a> <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches" class="header-nav__sub-link"> Notifiable data breaches </a> <a href="https://www.oaic.gov.au/privacy/privacy-legislation" class="header-nav__sub-link"> Privacy legislation </a> <a href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions" class="header-nav__sub-link"> Privacy assessments and decisions </a> <a href="https://www.oaic.gov.au/privacy/privacy-registers" class="header-nav__sub-link"> Privacy registers </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Freedom of information <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/freedom-of-information" class="header-nav__sub-link"> Freedom of information </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/freedom-of-information/your-freedom-of-information-rights" class="header-nav__sub-link"> Your freedom of information rights </a> <a 
href="https://www.oaic.gov.au/freedom-of-information/how-to-access-government-information" class="header-nav__sub-link"> How to access government information </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-guidance-for-government-agencies" class="header-nav__sub-link"> Freedom of information guidance for government agencies </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-legislation-and-determinations" class="header-nav__sub-link"> Freedom of information legislation and determinations </a> <a href="https://www.oaic.gov.au/freedom-of-information/information-commissioner-decisions-and-reports" class="header-nav__sub-link"> Information Commissioner decisions and reports </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-statistics-for-the-oaic" class="header-nav__sub-link"> Freedom of information statistics for the OAIC </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Consumer Data Right <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/consumer-data-right" class="header-nav__sub-link"> Consumer Data Right </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/consumer-data-right/information-for-consumers" class="header-nav__sub-link"> Information for consumers </a> <a 
href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-complaints" class="header-nav__sub-link"> Consumer Data Right complaints </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business" class="header-nav__sub-link"> Consumer Data Right guidance for business </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-legislation,-regulation-and-definitions" class="header-nav__sub-link"> Consumer Data Right legislation, regulation and definitions </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments" class="header-nav__sub-link"> Consumer Data Right assessments </a> </div> </div> </div> </div> <div class="header-nav__item"> <a href="https://www.oaic.gov.au/digital-id" class="header-nav__link " > Digital ID </a> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Engage with us <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/engage-with-us" class="header-nav__sub-link"> Engage with us </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/engage-with-us/consultations" class="header-nav__sub-link"> Consultations </a> <a href="https://www.oaic.gov.au/engage-with-us/submissions" class="header-nav__sub-link"> Submissions </a> <a href="https://www.oaic.gov.au/engage-with-us/translations" 
class="header-nav__sub-link"> Translations </a> <a href="https://www.oaic.gov.au/engage-with-us/events" class="header-nav__sub-link"> Events </a> <a href="https://www.oaic.gov.au/engage-with-us/networks" class="header-nav__sub-link"> Networks </a> <a href="https://www.oaic.gov.au/engage-with-us/research-and-training-resources" class="header-nav__sub-link"> Research and training resources </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > About the OAIC <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/about-the-OAIC" class="header-nav__sub-link"> About the OAIC </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/about-the-OAIC/what-we-do" class="header-nav__sub-link"> What we do </a> <a href="https://www.oaic.gov.au/about-the-OAIC/who-we-are" class="header-nav__sub-link"> Who we are </a> <a href="https://www.oaic.gov.au/about-the-OAIC/join-our-team" class="header-nav__sub-link"> Join our team </a> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information" class="header-nav__sub-link"> Access our information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach" class="header-nav__sub-link"> Our regulatory approach </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information" class="header-nav__sub-link"> Our 
corporate information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/information-policy" class="header-nav__sub-link"> Information policy </a> <a href="https://www.oaic.gov.au/about-the-OAIC/serving-legal-documents-on-the-australian-information-commissioner" class="header-nav__sub-link"> Serving legal documents on the Australian Information Commissioner </a> </div> </div> </div> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/news" class="header-nav__link">News</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/about-the-OAIC/join-our-team" class="header-nav__link">Join our team</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/contact-us" class="header-nav__link">Contact us</a> </div> </nav> </div> </div> </header> <div class="nav-close-overlay"></div> <!--endnoindex--> <!-- Header end --> <main class="main"> <div class="breadcrumb__wrapper"> <div class="section "> <div class="section-item flex-box "> <div class="breadcrumb breadcrumb--separator-chevron"> <nav class="breadcrumb__nav" aria-label="Breadcrumb"> <ul class="breadcrumb__list"> <span class="breadcrumb__list-item"><a href="https://www.oaic.gov.au" class="breadcrumb__list-item-link" aria-label="Go to home page"><svg xmlns="http://www.w3.org/2000/svg" version="1.0" viewBox="0 0 50 50" height="24" width="24"><path d="M25 9.0937 7.281 25.3747h5.563v15.531h24.312v-15.531h5.563L25 9.0937z" fill="currentColor"></path></svg></a></span> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy">Privacy</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies">Privacy guidance for organisations and government agencies</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" 
href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations">Organisations</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/facial-recognition-technology-a-guide-to-assessing-the-privacy-risks">Facial recognition technology: a guide to assessing the privacy risks</a> </li> </ul> </nav> </div> </div> </div> </div> <div class="content-wrapper"> <div class="lhs-wrapper"> <div class="lhs-nav"> <a href="https://www.oaic.gov.au/privacy" class="lhs-nav__level-1"> Privacy </a> <div class="lhs-nav__nav-wrapper"> <div class="lhs-nav__level-2"> <h4> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies"> Privacy guidance for organisations and government agencies </a> </h4> <button class="lhs-nav__level-2-toggle" aria-expanded="false" aria-label="Expand Level 2 submenu: Privacy guidance for organisations and government agencies"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus-white.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-3"> <li class="lhs-nav__level-3-link current has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations"> Organisations </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: Organisations"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" 
class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/credit-reporting" class=""> Credit reporting </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/direct-marketing" class=""> Direct marketing </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/employee-records-exemption" class=""> Employee records exemption </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/id-scanners" class=""> ID scanners </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/opting-in-to-the-privacy-act" class=""> Opting in to the Privacy Act </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/privacy-for-not-for-profits,-including-charities" class=""> Privacy for not-for-profits, including charities </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/privacy-management-plan-template" class=""> Privacy management plan template </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/selling-a-business" class=""> Selling a business </a> </li> <li class="lhs-nav__level-4-link"> <a 
href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/small-business" class=""> Small business </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/sporting-clubs" class=""> Sporting clubs </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/start-ups" class=""> Start-ups </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/tips-for-good-privacy-practice" class=""> Tips for good privacy practice </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/trading-in-personal-information" class=""> Trading in personal information </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/guidance-for-edr-schemes-when-handling-complaints-about-notifiable-data-breaches" class=""> Guidance for EDR schemes when handling complaints about notifiable data breaches </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/tracking-pixels-and-privacy-obligations" class=""> Tracking pixels and privacy obligations </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/facial-recognition-technology-a-guide-to-assessing-the-privacy-risks" class="current"> Facial recognition technology: a guide to assessing the privacy risks </a> </li> </ul> </li> <li class="lhs-nav__level-3-link has-children"> <div 
class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies"> Government agencies </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: Government agencies"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/agency-referee-reports" class=""> Agency referee reports </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/australian-government-agencies-privacy-code" class=""> Australian Government Agencies Privacy Code </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/conducting-surveys" class=""> Conducting surveys </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/guidelines-on-data-matching-in-australian-government-administration" class=""> Guidelines on data matching in Australian Government administration </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/privacy-impact-assessment-register-assessment-program" class=""> Privacy impact assessment register assessment program </a> </li> <li class="lhs-nav__level-4-link"> <a 
href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/government-agencies/privacy-code-checklist" class=""> Privacy Code checklist </a> </li> </ul> </li> <li class="lhs-nav__level-3-link "> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-developing-and-training-generative-ai-models"> Guidance on privacy and developing and training generative AI models </a> </li> <li class="lhs-nav__level-3-link "> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products"> Guidance on privacy and the use of commercially available AI products </a> </li> <li class="lhs-nav__level-3-link has-children"> <div class="lhs-nav__level-3-accordion"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers"> Health service providers </a> <button class="lhs-nav__level-3-toggle" aria-expanded="false" aria-label="Expand Level 3 submenu: Health service providers"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus.svg" class="icon-plus" aria-hidden="true" /> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-minus.svg" class="icon-minus" aria-hidden="true" /> </button> </div> <ul class="lhs-nav__level-4"> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/communications-with-patients" class=""> Communications with patients </a> </li> <li class="lhs-nav__level-4-link"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/data-breach-action-plan-for-health-service-providers" class=""> Data breach action plan for health service providers </a> 
</li> </ul> </li> </ul> </div> </div> </div> <div class="middle-wrapper"> <!-- Body start --> <div id="main-content-area" class="page-content"> <div class="toc"> <ul 
class="toc__list"> <li class="toc__heading"> <h2 class="toc-exclude">On this page</h2> </li> </ul> </div> <section class="banner-grey-newsroom__wrapper"> <div class="banner-grey-newsroom__content"> <h1 class="banner-grey-newsroom__title">Facial recognition technology: a guide to assessing the privacy risks</h1> </div> </section> <!--.banner-grey-newsroom__wrapper --> <script> if(document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content')) { document.querySelector('.breadcrumb__wrapper').insertAdjacentElement('afterend',document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content').closest(' .banner-grey-newsroom__wrapper')) } </script><div class="container-max-width"> <div class="date-component"> <div class="published-date"> <i class="bi bi-calendar3" title="Published date"></i> <span>Published: </span> <time datetime="19 November 2024" class="date-text">19 November 2024</time> </div> </div> <div id="reading-time" class="reading-time" role="status" aria-live="polite" aria-atomic="true"> <i class="bi bi-clock" aria-hidden="true"></i> <span id="reading-time-text" aria-label="Estimated reading time"></span> </div> </div> <div class="container-max-width" id="component_243764"> <div class="panel panel-default download-box"> <div class="panel-body"> <div class="media"> <div class="media-left"> <i class="bi bi-file-earmark-arrow-down download-icon" aria-hidden="true"></i> </div> <div class="media-body"> <h3 class="media-heading">Download the Facial recognition technology and privacy factsheet</h3> <a href="/__data/assets/pdf_file/0026/243935/Facial-recognition-technology-and-privacy.pdf">Facial recognition technology and privacy (PDF, 334 KB)</a><br> <small>Last updated: 11 November 2024</small> </div> </div> </div> </div> </div> <div class="container-max-width" id="component_243758"> <h2>Who is this guidance for?</h2><p>This guidance sets out general considerations for private sector organisations that are considering 
using facial recognition technology (FRT) to undertake facial identification in a commercial or retail setting. It does not cover all privacy issues and obligations in relation to the use of FRT; rather, it provides information about key principles captured under the Australian Privacy Principles (APPs) that are particularly relevant when considering the use of FRT. Organisations should consider this guidance together with the <em><a href="https://www.legislation.gov.au/Series/C2004A03712">Privacy Act 1988</a></em> (Cth) and the <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines">Australian Privacy Principles guidelines</a>.</p><h2>Key points</h2><ul><li>FRT involves the collection of a digital image of an individual’s face and the extraction of their distinct features into a biometric template. The biometric template is then compared against one or more pre-extracted biometric templates for the purpose of facial verification or identification. <ul><li><strong>facial verification</strong> refers to ‘one-to-one’ matching. It involves determining whether a face matches a single biometric template.</li><li><strong>facial identification</strong> refers to ‘one-to-many’ matching. It involves determining whether a face matches any biometric template in a database.</li></ul></li><li>Biometric templates and biometric information, including when used for automated verification or identification purposes, are considered sensitive information under the Privacy Act.<a href="#_ftn1" name="_ftnref1" title="">[1]</a> Sensitive information is generally afforded a higher level of privacy protection under the Privacy Act. 
Organisations must take reasonable steps to protect personal information they hold from misuse, interference and loss, as well as unauthorised access, modification and disclosure.<a href="#_ftn2" name="_ftnref2" title="">[2]</a></li><li>It is best practice for organisations considering using FRT to undertake a privacy impact assessment (PIA) to identify potential privacy impacts at the outset and implement recommendations to manage, minimise or eliminate them. This will help to ensure that a privacy by design approach is embedded from the start in accordance with an organisation’s obligations under APP 1.</li><li>As part of this privacy by design approach, it is expected that key principles will be explored to support the appropriate use of sensitive information when using FRT, including: <ul><li><strong>Necessity and proportionality (APP 3) – </strong>personal information for use in FRT must only be collected when it is necessary and proportionate in the circumstances and where the purpose cannot be reasonably achieved by less privacy intrusive means.</li><li><strong>Consent and transparency (APP 3 and 5) </strong>– individuals need to be proactively provided with sufficient notice and information to allow them to provide meaningful consent to the collection of their information.</li><li><strong>Accuracy, bias and discrimination (APP 10) </strong>– organisations need to ensure that the biometric information used in FRT is accurate and steps need to be taken to address any risk of bias.</li><li><strong>Governance and ongoing assurance</strong> <strong>(APP 1)</strong> – organisations who decide to use FRT need to have clear governance arrangements in place, including privacy risk management practices and policies which are effectively implemented, and ensure that they are regularly reviewed.</li></ul></li></ul><h2>What is facial recognition technology?</h2><p>FRT is the process by which an individual can be identified or verified from a digital image. 
FRT involves the collection and use of biometric information (i.e. face data).</p><p>Biometric templates and biometric information, including when used for biometric verification or identification, are considered sensitive information under the Privacy Act. Sensitive information is a subset of personal information that is generally afforded a higher level of privacy protection.</p><p>Where FRT is used, distinct features of an individual’s face are extracted into a biometric template and compared against one or multiple pre-extracted biometric templates.</p><div class="callout-box-blue"><p><strong>Facial verification and identification</strong></p><p>Generally, FRT can be used to accomplish two tasks: verification or identification.</p><ul><li><strong>facial verification</strong> refers to ‘one-to-one’ matching. It involves determining whether a face matches a single biometric template. An example is iPhone Face ID.</li><li><strong>facial identification</strong> refers to ‘one-to-many’ matching. It involves determining whether a face matches any biometric template in a database. Facial identification is increasingly used by law enforcement to identify an unknown criminal suspect by comparing their face against faces that appear in databases.</li></ul></div><p>An individual does not need to be identified from the specific information being handled to be ‘identifiable’ in a facial identification system. An individual can be identified if their facial image is distinguishable from others in a database.</p><h2>Privacy management – managing and mitigating risks</h2><p>FRT significantly interferes with the privacy of individuals, and live FRT in particular is highly intrusive to an individual’s privacy. 
This means that negative privacy impacts will be identified as part of the privacy impact analysis in a PIA, and an organisation’s compliance check, which will need to be managed or mitigated if the organisation decides to proceed with the use of FRT.</p><p>Organisations should consider the principles below to determine whether the use of FRT is appropriate in the circumstances, including:</p><ul><li>Privacy by design</li><li>Necessity and proportionality</li><li>Consent and transparency</li><li>Accuracy and bias, and</li><li>Governance and ongoing assurance</li></ul><p>This is not an exhaustive list and is not intended to cover every consideration that may be relevant to an organisation’s circumstances.</p><h3>Adopting a privacy by design approach (APP 1)</h3><p>Organisations are encouraged to adopt a ‘<a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/privacy-by-design">privacy by design</a>’ approach to their use of FRT. <a href="#_ftn3" name="_ftnref1">[3]</a> A Privacy Impact Assessment (PIA) will support organisations to instil this approach and comply with their obligations.</p><p>Undertaking a PIA is considered a reasonable step to take under APP 1.2 to ensure an organisation is complying with its privacy obligations.<a href="#_ftn4" name="_ftnref2">[4]</a></p><p>A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. There is very real community concern about the privacy risks associated with FRT. 
A PIA demonstrates commitment to, and respect of, individual’s privacy and other associated human rights.</p><p>This guidance highlights some key privacy considerations for organisations to consider before determining whether to use FRT and when completing a PIA.</p><div class="callout-box-yellow"><p><strong>Undertaking a PIA before using FRT</strong></p><p>Organisations regulated by the Privacy Act should conduct a PIA for projects involving sensitive information such as FRT. The OAIC has identified 10 steps which should be considered when undertaking a PIA in relation to a new, or updated project. Further information on each step is available in the <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/guide-to-undertaking-privacy-impact-assessments">OAIC’s PIA Guide</a>.</p></div><h3>Necessity and proportionality (APP 3)</h3><p>Personal information for use in FRT must only be collected when it is reasonably necessary for one or more of an organisation’s functions or activities.<a href="#_ftn5" name="_ftnref1">[5]</a> What is reasonably necessary is an objective test based on whether a reasonable person who is properly informed would agree that collecting the personal information is necessary.<a href="#_ftn6" name="_ftnref1">[6]</a></p><p>In determining whether the collection of personal information is reasonably necessary for a function or activity, an organisation should consider:</p><ul><li>The primary purpose of collecting the personal information</li><li>How the personal information will be used in undertaking a function or activity of the organisation, and</li><li>Whether the organisation could undertake the function or activity without collecting that personal information, or by collecting a lesser amount of personal information.<a href="#_ftn7" name="_ftnref2">[7]</a></li></ul><p>It is up to an organisation to be able to justify that collection of the information is reasonably 
necessary. The fact that FRT is available, convenient or desirable should not be relied on to establish that it is necessary to collect the information.</p><p>In determining whether the use of FRT is necessary, the following factors will be relevant:</p><ul><li>The suitability of the FRT system in addressing the relevant activity or conduct</li><li>The alternatives available to address the relevant activity or conduct</li><li>Whether the use of the FRT system is proportionate to the outcome achieved. An organisation will need to balance the privacy impacts of the collection of sensitive information, and holding this information, against the benefits of the use of the FRT system.</li></ul><div class="callout-box-blue"><p><strong>Alternatives to FRT </strong></p><p>Alternatives to FRT to monitor for safety and security concerns may include:</p><ul><li>Quality CCTV coverage</li><li>The deployment of security guards, including covert security guards</li><li>Training employees in dealing with safety and security issues, and</li><li>Close engagement with law enforcement.</li></ul></div><p>When assessing whether the use of FRT is proportionate, organisations should carefully consider whether the benefits clearly outweigh the risks posed to individuals’ privacy and other human rights. For example, where an organisation is using FRT to lessen or prevent serious threats to the health, safety and security of customers in a commercial or retail setting, it must be able to demonstrate how its use is proportionate to the risks identified.</p><p>An organisation should regularly consider whether the benefits of using FRT have been realised, and the use of the technology is still needed, including whether any anticipated privacy risks have arisen. 
The use of the technology must be regularly reviewed, and any required steps taken to ensure practices are consistent with the assessment findings.</p><div class="callout-box-yellow"><p><strong>Organisations should consider</strong></p><ul><li>Is the collection of biometric information reasonably necessary to perform a particular function or activity? ‘Reasonably necessary’ depends on whether the interference with privacy is proportionate to a legitimate aim sought to be achieved. Factors to consider include:</li><li>What is the primary purpose of collecting the information?</li><li>How will the biometric information be used, stored and secured in undertaking a function or activity?</li><li>Can you undertake the function or activity without collecting the biometric information?</li><li>Can the purpose be achieved by less intrusive means? Have you considered other alternative means?</li><li>Have you identified and assessed the benefits and privacy risks? Do the benefits to be achieved clearly outweigh the privacy risks, and why?</li><li>Is there a clear public interest in using FRT? Examples may include to lessen or prevent a serious threat to public health or safety.</li><li>Would an individual reasonably expect FRT to be used in the circumstances? Will the use of FRT lead to unjustified adverse effects, such as unjust discrimination?</li></ul></div><h3>Consent and transparency (APP 3 and 5)</h3><h4>Consent</h4><p>Consent is generally required to collect sensitive information such as biometric data used in FRT, subject to some limited exceptions.<a href="#_ftn8" name="_ftnref1">[8]</a></p><p>In order to provide meaningful consent, certain elements will need to be met. 
These include:</p><ul><li>The individual is adequately informed before giving consent</li><li>The individual gives consent voluntarily</li><li>The consent is current and specific, and</li><li>The individual has the capacity to understand and communicate their consent.<a href="#_ftn9" name="_ftnref2">[9]</a></li></ul><p>The nature of FRT means that it is not often practical to obtain true, express consent from individuals whose biometric information might be captured by FRT. Merely having signage or notice about the use of FRT in and of itself, <u>will not</u> generally be sufficient to show that an individual has consented to the use of this technology. This is because the information is sensitive information, and all four elements of consent are unlikely to have been satisfied. Further notice will be required to ensure informed consent can be provided. These are detailed below.</p><div class="callout-box-blue"><h5><strong>Tips for adhering to the four key elements of consent when using FRT</strong></h5><p>A commercial organisation must consider the following matters relating to consent before using FRT.</p><h5><strong>Informed consent</strong></h5><p>Before an individual enters the premises, they must be informed that an image will be taken of their face. The individual must be advised that biometric data will be generated from that image which will be compared against a database of other images to determine whether there is a match. 
You must inform the individual about the actions that may be taken if a match is identified.</p><h5><strong>Voluntary consent</strong></h5><p>You must make sure the individual has a genuine opportunity to provide or withhold consent prior to an image being taken of their face.</p><h5><strong>Current and specific consent</strong></h5><p>You must have obtained consent from the individual to collect, use or disclose their personal information when it is collected.</p><h5><strong>Consent with capacity</strong></h5><p>You may presume that an individual has capacity to consent, unless there is a factor that casts doubt on their capacity. You need to have a system in place to take into account matters such as the age, disabilities and language skills of customers whose face you propose to scan.</p></div><p>Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation. Generally, implied consent should not be relied on when collecting sensitive information, including biometric information, from customers. The mishandling or inappropriate use of biometric information can have adverse consequences for an individual or those associated with the individual. It can also cause humiliation, embarrassment or undermine an individual’s dignity.<a href="#_ftn10" name="_ftnref1">[10]</a></p><p>Opt-out mechanisms are a type of implied consent. It is only appropriate to infer consent from an opt-out mechanism in very limited circumstances.<a href="#_ftn11" name="_ftnref1">[11]</a></p><p>There are some limited exceptions called permitted general situations contained in s 16A of the Privacy Act that would allow an organisation to collect this information without consent. However, these permitted general situations are highly specific and confined to particular circumstances. 
An organisation would need to make a careful assessment about whether they satisfy the criteria for these exceptions, prior to relying on them to utilise FRT, and as a matter of best practice, ensure that they document this consideration.<a href="#_ftn12" name="_ftnref2">[12]</a></p><div class="callout-box-blue"><p><strong>Organisations should consider</strong></p><ul><li>How will you be transparent and provide notice to individuals to ensure they are able to provide informed consent?</li><li>Have you provided individuals with the information required under APP 5.2?</li><li>How will you inform individuals that their facial image may or will be subject to, or included in, a reference database for a FRT system?</li><li>Is there an accessible way for individuals to raise a complaint or question about the collection and use of their biometric information? Your Privacy Policy should explain what individuals need to do to make a complaint.</li><li>Have you considered the four key elements of consent?</li><li>How will consent be obtained from individuals who have particular needs, such as individuals from a non-English speaking background and children?</li><li>If biometric information is sourced from a third party, has the third party collected it lawfully and do they have authority to disclose it to you?</li><li>If an individual does not consent to the collection of their biometric information or withdraws their consent, is an alternative process available which will not result in detriment to the individual?</li></ul></div><h4>Transparency</h4><p>As an important transparency step, APP 5 requires organisations to ensure that an individual is aware of certain matters when they collect their personal information. 
This is important because there are many complexities surrounding FRT that can impact an individual’s ability to understand how their personal information is collected and handled.</p><p>Organisations are required under the Privacy Act to manage personal information in an open and transparent way and to take reasonable steps to provide notice under APP 5.<a href="#_ftn13" name="_ftnref13">[13]</a> This enhances the accountability of organisations for their personal information handling practices, and aids community trust and confidence in those practices.</p><p>Organisations that are collecting personal information must take reasonable steps to either notify the individual of certain matters,<a href="#_ftn14" name="_ftnref14">[14]</a> or ensure the individual is aware of those matters.<a href="#_ftn15" name="_ftnref15">[15]</a> The reasonable steps required will depend on the circumstances, but more rigorous steps may be needed when collecting sensitive information, such as biometric information in FRT, and where the collection can result in detriment to an individual.<a href="#_ftn16" name="_ftnref16">[16]</a></p><p>Organisations need to ensure individuals have knowledge, choice and control over how personal information, especially sensitive information relating to them, is handled. 
This ensures that they can make an informed decision about whether to provide their personal information to organisations.<a href="#_ftn17" name="_ftnref17">[17]</a></p><h3>Accuracy, bias and discrimination (APP 10)</h3><h4>Accuracy</h4><p>Organisations have an obligation to take reasonable steps to ensure the personal information collected, used and disclosed is accurate, up-to-date, complete and relevant.<a href="#_ftn18" name="_ftnref18">[18]</a></p><p>The reasonable steps that an organisation must take will depend on the circumstances including:</p><ul><li>The sensitivity of the personal information</li><li>The nature of the organisation holding the personal information, and</li><li>Possible adverse consequences for an individual if the quality of personal information is not ensured. More rigorous steps are required where the information collected, used or disclosed is ‘sensitive information’, such as biometric data used in FRT.</li></ul><div class="callout-box-blue"><p><strong>Reasonable steps to ensure accuracy</strong></p><p>Organisations should consider the reasonable steps they will need to take to ensure accuracy. These will depend on the circumstances but may require the organisation to:</p><ul><li>Take steps to ensure the referenced database is made up of accurate and up-to-date information</li><li>Run a trial and conduct regular testing of accuracy</li><li>Undertake due diligence in relation to data quality practices, and</li><li>Clearly communicate any limitations in relation to the accuracy of the FRT system.</li></ul></div><p>FRT carries inherent accuracy risks. Organisations must develop processes to check the proportion of predictions the FRT system gets right. 
If a FRT system is not sufficiently accurate, it may lead to:</p><ul><li>False negatives – a failure to identify an individual whose face is part of the reference database, or</li><li>False positives – the matching of faces that belong to two different individuals.</li></ul><h4>Bias and discrimination</h4><p>Another risk in using an FRT system is in-built bias and discrimination of certain demographic groups which may lead to adverse impacts and unfair outcomes. Even if an FRT system is highly accurate, the training data may reflect past bias and discrimination depending on the data used. Organisations must ensure this is accounted for if they are using or designing an FRT system.</p><p>Organisations relying on a third party hosted FRT system must conduct their own due diligence to manage risks associated with inaccuracy, bias and discrimination. For example, organisations should ensure that a third party hosted FRT system has been subject to robust testing and monitored for evidence of inaccuracy, bias and discrimination.</p><div class="callout-box-blue"><p><strong>Organisations should consider</strong></p><ul><li>Do you have appropriate and robust steps in place to check the FRT system is producing accurate results?</li><li>What strategies have been developed to manage and mitigate risks associated with false negatives and false positives?</li><li>What due diligence have you undertaken to assess the accuracy of the FRT? 
For example, if you are relying on a third party FRT system, have you been informed about the technical effectiveness and statistical accuracy?</li><li>Have you implemented measures to mitigate risks of bias, discrimination and unfair treatment of different demographic groups prior to using an FRT system?</li></ul></div><h3>Accountability and ongoing assurance (APP 1)</h3><p>An organisation will need to take reasonable steps to implement practices, procedures and systems relating to its function or activities that will ensure compliance with the APPs and any binding registered APP code.<a href="#_ftn19" name="_ftnref1">[19]</a> In addition to conducting a PIA, this includes:</p><ul><li>Procedures for identifying and managing privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction and de-identification</li><li>Clear and robust governance mechanisms to ensure compliance with the APPs, such as designated privacy officers and regular reporting to the organisation’s governance body</li><li>Regular staff training and information bulletins on how the APPs apply to the organisation, and its practices, procedures and systems developed under APP 1.2</li><li>Appropriate supervision of staff regularly handling personal information, and reinforcement of the organisation’s APP 1.2 practices, procedures and systems, and</li><li>A program of proactive review and audit of the adequacy and currency of the organisation’s Privacy Policy and of the practices, procedures and systems implemented under APP 1.2, including for dealing with inquiries and complaints.<a href="#_ftn20" name="_ftnref2">[20]</a></li></ul><p>An organisation should be able to demonstrate that these steps have been taken and that practices, procedures and systems are regularly reviewed and updated.</p><div class="callout-box-blue"><p><strong>FRT topics in policies and procedures</strong></p><p>In the context of FRT, the topics addressed in policies and 
procedures should include, but are not necessarily limited to:</p><ul><li>How the FRT system collects, uses, holds and discloses personal information</li><li>The circumstances in which the FRT system can be used</li><li>Controls on staff access to the FRT system and the referenced database</li><li>The process for enrolling and reviewing images in the referenced database</li><li>The process for assessing positives and false positives</li><li>A retention and destruction protocol for any biometric information collected</li><li>The process for handling complaints</li><li>Training requirements for relevant staff, and</li><li>Systems to review the efficacy of the FRT system and implement the relevant policies.</li></ul></div><p>Organisations will also need to have a clearly expressed and up to date Privacy Policy about how they manage personal information, such as biometric information collected using FRT.<a href="#_ftn21" name="_ftnref3">[21]</a> This needs to be regularly reviewed and updated to ensure it accurately reflects the organisation’s information handling practices, as well as that it is easy for individuals to understand and navigate.</p><div class="callout-box-yellow"><p><strong>Organisations should consider</strong></p><ul><li>What governance arrangements do you have in place? Some examples include designated privacy officers and regular reporting to the organisation’s governance body.</li><li>How is the effectiveness of privacy risk management practices and policies being assessed?</li><li>Do you have clear processes in place to ensure you are handling personal and sensitive information in accordance with your legislative obligations?</li><li>Are you delivering training on privacy, risk management and other practices and policies to employees? 
Training should be documented and conducted periodically to refresh and update employees’ knowledge on emerging privacy issues.</li><li>Have you clearly outlined how employees are expected to handle personal and sensitive information?</li><li>Do reporting mechanisms exist to ensure that employees are routinely informed about changes to practices and policies?</li><li>Are you regularly reviewing and updating your Privacy Policy to ensure that it reflects your information handling practices?</li><li>Is there an adequate level of human control or oversight over the FRT?</li><li>Are you undertaking periodic audits of the effectiveness and necessity of using the FRT?</li><li>Given the rapid pace of FRT advancements, are privacy risk management practices and policies flexible and adaptable to changes in technology?</li><li>Have you developed a <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response">data breach preparation and response plan</a> that can be relied on in the event of a cyber security incident? If you are relying on a third party hosted FRT system, consider who will be allocated responsibility for meeting legislative requirements. For example, if the biometric information is jointly held, who will be responsible for complying with the Notifiable Data Breaches scheme in the event of a data breach, and for handling complaints?</li><li>Are there processes that allow individuals to easily access and correct their personal information? You must respond to a request for correction within a reasonable period after the request is made. 
In most cases, a reasonable period will not exceed 30 calendar days.</li><li>If you are relying on a third party hosted FRT system, have you obtained sufficient information to inform your privacy risk management practices and policies?</li></ul></div><h2>Additional resources</h2><h3>OAIC resources</h3><ul><li><a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/guide-to-undertaking-privacy-impact-assessments">Guide to undertaking privacy impact assessments</a></li><li><a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments?external-uuid=515b2f7c-3a9a-446d-b0cd-9f7ba12cc5da">PIA e-Learning course</a></li><li><a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/guide-to-securing-personal-information">Guide to securing personal information</a></li><li><a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response">Data breach preparation and response guide</a></li><li><a href="https://www.oaic.gov.au/privacy/your-privacy-rights/surveillance-and-monitoring/biometric-scanning">Biometric scanning</a></li></ul><h3>International resources</h3><ul><li><a href="https://globalprivacyassembly.org/wp-content/uploads/2022/11/15.1.c.Resolution-on-Principles-and-Expectations-for-the-Appropriate-Use-of-Personal-Information-in-Facial-Recognition-Technolog.pdf">Global Privacy Assembly Resolution on Principles and Expectations for the Appropriate Use of Personal Information in Facial Recognition Technology</a></li></ul><hr /><div id="ftn1"><p><a href="#_ftnref1" name="_ftn1" title="">[1]</a> s 6 of the Privacy Act.</p></div><div id="ftn2"><p><a href="#_ftnref2" name="_ftn2" title="">[2]</a> APP 11.</p></div><div id="ftn3"><p><a href="#_ftnref3" name="_ftn3" title="">[3]</a> OAIC, <a 
href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/privacy-by-design">Privacy by design</a>.</p></div><div id="ftn4"><p><a href="#_ftnref4" name="_ftn4" title="">[4]</a> APP 1.2 requires organisations to take reasonable steps to implement practices, procedures and systems to ensure the organisation complies with the APPs and is able to deal with related enquiries and complaints. For more information, see <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-1-app-1-open-and-transparent-management-of-personal-information">Chapter 1: APP 1 Open and transparent management of personal information</a></p></div><div id="ftn5"><p><a href="#_ftnref5" name="_ftn5" title="">[5]</a> APP 3.2.</p></div><div id="ftn6"><p><a href="#_ftnref6" name="_ftn6" title="">[6]</a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines">Australian Privacy Principles guidelines </a>(oaic.gov.au) [3.18].</p></div><div id="ftn7"><p><a href="#_ftnref7" name="_ftn7" title="">[7]</a> <a name="_Hlk176163336" href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines">Australian Privacy Principles guidelines</a> (oaic.gov.au) [3.19].</p></div><div id="ftn8"><p><a href="#_ftnref8" name="_ftn8" title="">[8]</a> APP 3.4 lists five exceptions to the requirements of APP 3.3(a).</p></div><div id="ftn9"><p><a href="#_ftnref9" name="_ftn9" title="">[9]</a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines">Australian Privacy Principles guidelines</a> (oaic.gov.au) [6.17].</p></div><div id="ftn10"><p><a href="#_ftnref10" name="_ftn10" title="">[10]</a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines">Australian Privacy Principles guidelines 
</a>(oaic.gov.au) [B.144].</p></div><div id="ftn11"><p><a href="#_ftnref11" name="_ftn11" title="">[11]</a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines">Australian Privacy Principles guidelines</a> (oaic.gov.au) [B.41] – [B.43].</p></div><div id="ftn12"><p><a href="#_ftnref12" name="_ftn12" title="">[12]</a> For more information, see the <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-b-key-concepts">APP Guidelines</a>.</p></div><div id="ftn13"><p><a href="#_ftnref13" name="_ftn13" title="">[13]</a> APP 1.</p></div><div id="ftn14"><p><a href="#_ftnref14" name="_ftn14" title="">[14]</a> The matters are listed under APP 5.2.</p></div><div id="ftn15"><p><a href="#_ftnref15" name="_ftn15" title="">[15]</a> APP 5.1.</p></div><div id="ftn16"><p><a href="#_ftnref16" name="_ftn16" title="">[16]</a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines">Australian Privacy Principles guidelines</a> (oaic.gov.au) [5.4].</p></div><div id="ftn17"><p><a href="#_ftnref17" name="_ftn17" title="">[17]</a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines">Australian Privacy Principles guidelines</a> (oaic.gov.au) [5.35].</p></div><div id="ftn18"><p><a href="#_ftnref18" name="_ftn18" title="">[18]</a> APP 10.1.</p></div><div id="ftn19"><p><a href="#_ftnref19" name="_ftn19" title="">[19]</a> APP 1.2(b).</p></div><div id="ftn20"><p><a href="#_ftnref20" name="_ftn20" title="">[20]</a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines">Australian Privacy Principles guidelines</a> (oaic.gov.au) [1.7].</p></div><div id="ftn21"><p><a href="#_ftnref21" name="_ftn21" title="">[21]</a> APP 1.3.</p></div> </div> </div> <!-- Body end --> </div> </div> </main> <!-- Footer start 
-->