Bunnings has scored a partial win in a tribunal review after the retailer was found to have breached the Privacy Act when using facial recognition technology (FRT) during the COVID-19 pandemic.
Bunnings’ sister business Kmart – under Wesfarmers – was also slapped with a breach by the Privacy Commissioner for much the same reason. Both entities have claimed they used FRT in a bid to crack down on a surge in refund fraud.
Kmart has also filed for a review in the Administrative Review Tribunal (ART), with that verdict yet to be handed down.
In Bunnings’ case, the Tribunal affirmed the Privacy Commissioner’s finding that it had contravened Australian Privacy Principles (APP) 1 and 5 when rolling out FRT in its stores. These principles cover, respectively, the open and transparent management of personal information and the notification of the collection of personal information.
The Tribunal found that Bunnings failed to provide appropriate notice to individuals of its use of FRT and should have completed a ‘formal, structured and documented’ risk assessment of its FRT system which considered the privacy implications.
The Tribunal also affirmed the Privacy Commissioner’s statement of the relevant factors when considering whether Bunnings was entitled to rely on an exemption to the requirement to obtain consent for the collection of personal information, namely whether the FRT was a suitable and effective response to the problem of repeat offenders, whether less privacy-intrusive alternatives were available, and whether the use of FRT was proportionate.
However, the Tribunal departed from the Privacy Commissioner’s ultimate finding that Bunnings had contravened APP 3.3 – regarding the collection of solicited personal information.
The Tribunal was satisfied that Bunnings was entitled to rely on exemptions to the requirement to obtain consent, for the limited purpose of combatting retail crime and protecting their staff and customers from violence, abuse and intimidation within their stores.
“Today’s decision confirms the Privacy Act contains strong protections for individual privacy that are applicable in the context of emerging technologies,” a spokesperson for the Office of the Australian Information Commissioner (OAIC) said. “It underscored the importance of APP entities maintaining good privacy governance and complying with the Australian Privacy Principles in adopting new tech, and that limited exemptions are subject to robust criteria that must be assessed on a case-by-case basis.
“We particularly welcome that the decision reaffirmed a range of key interpretive positions taken by the OAIC, including that even momentary collection of personal information by advanced digital tools constitutes a collection under the Privacy Act.”
The spokesperson added that the Australian community cares about their privacy and is increasingly worried about the challenges in protecting their personal information. They then cited an Australian Community Attitudes to Privacy Survey in 2023, which found that 62 per cent of Australians see protection of their personal information as a major concern.
“Only 32 per cent believe they are in control of their privacy, while many say they have no choice but to accept the terms of how services and businesses use their data. 84 per cent of Australians also told the OAIC that they want more to be done to protect their privacy, giving them more control and choice over the collection and use of their information,” they said.
The OAIC is carefully considering this decision and its implications. An appeal period applies to the ART’s decision.
In a statement issued to Ragtrader last year following the initial verdict, a Kmart spokesperson said the low-price retailer was “disappointed” with the commissioner’s determinations and was reviewing its options to appeal the verdict.
“Like most other retailers, Kmart is experiencing escalating incidents of theft in stores which are often accompanied by anti-social behaviour or acts of violence against team members and customers,” the spokesperson shared.
“To tackle a growing problem of refund fraud in our stores, we conducted a limited trial of FRT, commencing in one store, and extending to another 27 stores with high levels of refund fraud between June 2020 to July 2022. We implemented controls to protect the privacy of our customers.
“Images were only retained if they matched an image of a person of interest reasonably suspected or known to have engaged in refund fraud. All other images were deleted, and the data was never used for marketing or any other purposes.”
Kmart then ceased the trial when the Privacy Commissioner commenced its investigation.
“From August 2024 to March 2025 alone, refund-related customer threatening incidents increased by 85 per cent,” the spokesperson continued. “Customer threatening incidents unrelated to refund requests increased by 28 per cent over the same period, demonstrating the heightened risk of the refund task for team members.
“At Kmart we believe that all our team members deserve protections that make their workplaces safe, and that customers should also feel safe where and when they shop.
“Kmart remains committed to finding tools to reduce crime in our stores, so we deliver on team member and customer safety, and retain our ability to continue delivering on our low-price credentials for our customers.”
