Facial recognition technology: a guide to assessing the privacy risks

Who is this guidance for?

This guidance sets out general considerations for private sector organisations that are considering using facial recognition technology (FRT) to undertake facial identification in a commercial or retail setting. It does not cover all privacy issues and obligations in relation to the use of FRT, rather it provides information about key principles captured under the Australian Privacy Principles (APPs) that are particularly relevant when considering the use of FRT. Organisations should consider this guidance together with the Privacy Act 1988 (Cth) and the Australian Privacy Principles guidelines.

Key points

• FRT involves the collection of a digital image of an individual’s face and the extraction of their distinct features into a biometric template. The biometric template is then compared against one or more pre-extracted biometric templates for the purpose of facial verification or identification.
  • facial verification refers to ‘one-to-one’ matching. It involves determining whether a face matches a single biometric template.
  • facial identification refers to ‘one-to-many’ matching. It involves determining whether a face matches any biometric template in a database.
• Biometric templates and biometric information, including when used for automated verification or identification purposes is considered sensitive information under the Privacy Act.[1] Sensitive information is generally afforded a higher level of privacy protection under the Privacy Act. Organisations must take reasonable steps to protect personal information they hold from misuse, interference and loss, as well as unauthorised access, modification and disclosure.[2]
• It is best practice for organisations considering using FRT to undertake a privacy impact assessment (PIA) to identify potential privacy impacts at the outset and implement recommendations to manage, minimise or eliminate them. This will assist to ensure that a privacy by design approach is embedded from the start in accordance with an organisation’s obligations under APP 1.
• As part of this privacy by design approach, it is expected that key principles will be explored to support the appropriate use of sensitive information when using FRT, including:
  • Necessity and proportionality (APP 3) – personal information for use inFRT must only be collected when it is necessary and proportionate in the circumstances and where the purpose cannot be reasonably achieved by less privacy intrusive means.
  • Consent and transparency (APP 3 and 5) – individuals need to be proactively provided with sufficient notice and information to allow them to provide meaningful consent to the collection of their information.
  • Accuracy, bias and discrimination (APP 10) – organisations need to ensure that the biometric information used in FRT is accurate and steps need to be taken to address any risk of bias.
  • Governance and ongoing assurance (APP 1) – organisations who decide to use FRT need to have clear governance arrangements in place, including privacy risk management practices and policies which are effectively implemented, and ensure that they are regularly reviewed.

What is facial recognition technology?

FRT is the process by which an individual can be identified or verified from a digital image. FRT involves the collection and use of biometric information (i.e. face data).

Biometric templates and biometric information including when used for biometric verification or identification is considered sensitive information under the Privacy Act. Sensitive information is a subset of personal information that is generally afforded a higher level of privacy protection.

Where FRT is used, distinct features of an individual’s face are extracted into a biometric template and compared against one or multiple pre-extracted biometric templates.

An individual does not need to be identified from the specific information being handled to be ‘identifiable’ in a facial identification system. An individual can be identified if their facial image is distinguishable from others in a database.

Privacy management – managing and mitigating risks

FRT significantly interferes with the privacy of individuals, and live FRT in particular is highly intrusive to an individual’s privacy. This means that negative privacy impacts will be identified as part of the privacy impact analysis in a PIA, and an organisation’s compliance check, which will need to be managed or mitigated if the organisation decides to proceed with the use of FRT.

Organisations should consider the principles below to determine whether the use of FRT is appropriate in the circumstances, including:

• Privacy by design
• Necessity and proportionality
• Consent and transparency
• Accuracy and bias, and
• Governance and ongoing assurance

This is not an exhaustive list and does not intend to cover the entirety of relevant considerations that an organisation should consider relevant to its circumstances.

Adopting a privacy by design approach (APP 1)

Organisations are encouraged to adopt a ‘privacy by design’ approach to their use of FRT. [3] A Privacy Impact Assessment (PIA) will support organisations to instil this approach and comply with its obligations.

Undertaking a PIA is considered a reasonable step to take under APP 1.2 to ensure an organisation is complying with their privacy obligations.[4]

A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. There is very real community concern about the privacy risks associated with FRT. A PIA demonstrates commitment to, and respect of, individual’s privacy and other associated human rights.

This guidance highlights some key privacy considerations for organisations to consider before determining whether to use FRT and when completing a PIA.

Necessity and proportionality (APP 3)

Personal information for use in FRT must only be collected when it is reasonably necessary for one or more of an organisation’s functions or activities.[5] What is reasonably necessary is an objective test based on whether a reasonable person who is properly informed would agree that collecting the personal information is necessary.[6]

In determining whether the collection of personal information is reasonably necessary for a function or activity, an organisation should consider:

• The primary purpose of collecting the personal information
• How the personal information will be used in undertaking a function or activity of the organisation, and
• Whether the organisation could undertake the function or activity without collecting that personal information, or by collecting a lesser amount of personal information.[7]

It is up to an organisation to be able to justify that collection of the information is reasonably necessary. The fact that FRT is available, convenient or desirable should not be relied on to establish that it is necessary to collect the information.

In determining whether the use of FRT is necessary, the following factors will be relevant:

• The suitability of the FRT system in addressing the relevant activity or conduct
• The alternatives available to address the relevant activity or conduct
• Whether the use of the FRT system is proportionate to the outcome achieved. An organisation will need to balance the privacy impacts of the collection of sensitive information, and holding this information, against the benefits of the use of the FRT system.

When assessing whether the use of FRT is proportionate, organisations should carefully consider whether the benefits clearly outweigh the risks posed to individual’s privacy and other human rights. For example, where an organisation is using FRT to lessen or prevent serious threats to the health, safety and security of customers in a commercial or retail setting, it must be able to demonstrate how its use is proportionate to the risks identified.

An organisation should regularly consider whether the benefits of using FRT have been realised, and the use of the technology is still needed, including whether any anticipated privacy risks have arisen. The use of the technology must be regularly reviewed, and any required steps taken to ensure practices are consistent with the assessment findings.

Consent and transparency (APP 3 and 5)

Consent

Consent is generally required to collect sensitive information such as biometric data used in FRT, subject to some limited exceptions.[8]

In order to provide meaningful consent, certain elements will need to be met. These include:

• The individual is adequately informed before giving consent
• The individual gives consent voluntarily
• The consent is current and specific, and
• The individual has the capacity to understand and communicate their consent.[9]

The nature of FRT means that it is not often practical to obtain true, express consent from individuals whose biometric information might be captured by FRT. Merely having signage or notice about the use of FRT in and of itself, will not generally be sufficient to show that an individual has consented to the use of this technology. This is because the information is sensitive information, and all four elements of consent are unlikely to have been satisfied. Further notice will be required to ensure informed consent can be provided. These are detailed below.

Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the organisation. Generally, implied consent should not be relied on when collecting sensitive information, including biometric information, from customers. The mishandling or inappropriate use of biometric information can have adverse consequences for an individual or those associated with the individual. It can also cause humiliation, embarrassment or undermine an individual’s dignity.[10]

Opt-out mechanisms are a type of implied consent. It is only appropriate to infer consent from an opt-out mechanism in very limited circumstances.[11]

There are some limited exceptions called permitted general situations contained in s 16A of the Privacy Act that would allow an organisation to collect this information without consent. However, these permitted general situations are highly specific and confined to particular circumstances. An organisation would need to make a careful assessment about whether they satisfy the criteria for these exceptions, prior to relying on them to utilise FRT, and as a matter of best practice, ensure that they document this consideration.[12]

Transparency

As an important transparency step, APP 5 requires organisations to ensure that an individual is aware of certain matters when they collect their personal information. This is important because there are many complexities surrounding FRT that can impact an individual’s ability to understand how their personal information is collected and handled.

Organisations are required under the Privacy Act to manage personal information in an open and transparent way and to take reasonable steps to provide notice under APP 5.[13] This enhances the accountability of organisations for their personal information handling practices, as well as aids community trust and confidence in those practices.

Organisations that are collecting personal information must take reasonable steps to either notify the individual of certain matters,[14] or ensure the individual is aware of those matters.[15] The reasonable steps required will depend on the circumstances, but more rigorous steps may be needed when collecting sensitive information, such as biometric information in FRT, and where the collection can result in detriment to an individual.[16]

Organisations need to ensure individuals have knowledge choice and control over how personal information, especially sensitive information relating to them, is handled. This ensures that they can make an informed decision about whether to provide their personal information to organisations.[17]

Accuracy, bias and discrimination (APP 10)

Accuracy

Organisations have an obligation to take reasonable steps to ensure the personal information collected, used and disclosed is accurate, up-to-date, complete and relevant.[18]

The reasonable steps that an organisation must take will depend on the circumstances including:

• The sensitivity of the personal information
• The nature of the organisation holding the personal information, and
• Possible adverse consequences for an individual if the quality of personal information is not ensured. More rigorous steps are required where the information collected, used or disclosed is ‘sensitive information’, such as biometric data used in FRT.

FRT carries inherent accuracy risks. Organisations must develop processes to check the proportion of predictions the FRT system gets right. If a FRT system is not sufficiently accurate, it may lead to:

• False negatives – a failure to identify an individual whose face is part of the reference database, or
• False positives – the matching of faces that belong to two different individuals.

Bias and discrimination

Another risk in using an FRT system is in-built bias and discrimination of certain demographic groups which may lead to adverse impacts and unfair outcomes. Even if an FRT system is highly accurate, the training data may reflect past bias and discrimination depending on the data used. Organisations must ensure this is accounted for if they are using or designing an FRT system.

Organisations relying on a third party hosted FRT system must conduct their own due diligence to manage risks associated with inaccuracy, bias and discrimination. For example, organisations should ensure that a third party hosted FRT system has been subject to robust testing and monitored for evidence of inaccuracy, bias and discrimination.

Accountability and ongoing assurance (APP 1)

An organisation will need to take reasonable steps to implement practices, procedures and systems relating to its function or activities that will ensure compliance with the APPs and any binding registered APP code.[19] In addition to conducting a PIA, this includes:

• Procedures for identifying and managing privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction and de-identification
• Clear and robust governance mechanisms to ensure compliance with the APPs, such as designated privacy officers and regular reporting to the organisation’s governance body
• Regular staff training and information bulletins on how the APPs apply to the organisation, and its practices, procedures and systems developed under APP 1.2
• Appropriate supervision of staff regularly handling personal information, and reinforcement of the organisation’s APP 1.2 practices, procedures and systems, and
• A program of proactive review and audit of the adequacy and currency of the organisation’s Privacy Policy and of the practices, procedures and systems implemented under APP 1.2, including for dealing with inquiries and complaints.[20]

An organisation should be able to demonstrate that these steps have been taken and that practices, procedures and systems are regularly reviewed and updated.

Organisations will also need to have a clearly expressed and up to date Privacy Policy about how they manage personal information, such as biometric information collected using FRT.[21] This needs to be regularly reviewed and updated to ensure it accurately reflects the organisation’s information handling practices, as well as that it is easy for individuals to understand and navigate.

Additional resources

OAIC resources

• Guide to undertaking privacy impact assessments
• PIA e-Learning course
• Guide to securing personal information
• Data breach preparation and response guide
• Biometric scanning

International resources

• Global Privacy Assembly Resolution on Principles and Expectations for the Appropriate Use of Personal Information in Facial Recognition Technology