Anna Johnston is a leading privacy expert, former Deputy Privacy Commissioner of NSW and founder and Principal of Salinger Privacy.
When CHOICE went public last month with its investigation into the use of facial recognition by major Australian retailers, the public reaction was swift – and negative. No surprise, given we already knew that the majority of Australians are uncomfortable about their biometric information being collected when they shop in a retail store.
Much of the online chatter, the media coverage and the defensive comms swirled around in circles, sometimes getting lost in the minutiae of topics like the size of the font on the signage at stores, or how long images of customers are held for, or who is recognisable from the images, or arguing about whether customers 'consent' by walking into a store, or by going through privacy policies with a fine-toothed comb. Another common angle of exploration was facial recognition technology itself, including its questionable accuracy and potential discriminatory impacts.
The Office of the Australian Information Commissioner (OAIC) has since launched an investigation into the use of facial recognition technology by Bunnings and Kmart. (By pausing its use of the tech in response to the CHOICE investigation, a third retailer The Good Guys seems to have turned down the regulatory heat, and has thus far avoided a formal investigation.)
By pausing its use of [facial recognition] tech ... The Good Guys seems to have turned down the regulatory heat, and has thus far avoided a formal investigation
But it's not only facial recognition technology which might create privacy concerns for customers. Nor are these data management issues and PR headaches limited to the retail sector. I see similar concerns raised in discussions about other forms of data collection and use, such as customer profiling, online tracking and marketing. So there are lessons to be learned for all types of organisations, collecting all sorts of personal information.
In particular, this incident has highlighted a lot of confusion about the rules when collecting personal information, and the roles of notice and consent, including what is needed, and when, under Australian privacy law.
Happily we don’t need to wait for the OAIC to conclude its investigation before we can clear up some of that confusion. We already have the Privacy Act 1988, existing OAIC publications and formal determinations to guide us.
So here’s your quick and dirty, eight-point cheat-sheet guide to collection of personal information under the Privacy Act.
On this page:
- 1. The act of creating new data, such as by drawing inferences, generating insights or producing biometric vectors, is a fresh 'collection', which must comply with the Collection principles
- 2. An organisation is 'collecting' personal information even if it is only transient
- 3. All collection must be reasonably necessary, and proportionate to a legitimate business objective
- 4. All collection requires a collection notice to be provided that is specific to that collection
- 5. A Privacy Policy is not a collection notice
- 6. Some acts of collection (or use, or disclosure) also require the prior consent of the individual, unless a public interest exception applies
- 7. If a business does need consent to authorise its conduct, that consent will only be valid if it is voluntary, informed, specific, current, and given by a person with capacity
- 8. Consent cannot be obtained by making customers 'agree' to a Privacy Policy, a collection notice, or Terms and Conditions
1. The act of creating new data, such as by drawing inferences, generating insights or producing biometric vectors, is a fresh 'collection', which must comply with the Collection principles
Let's start by looking at what constitutes a 'collection' of personal information, for the purposes of compliance with the Collection principles, which are in found in Australian Privacy Principles (APPs) 3–5 in the Privacy Act.
Collection isn't just about when customers are asked to fill out a form. The 'creation' of new personal information, such as by way of combining data or inferring information from existing data, will also constitute a 'collection' for the purposes of the APPs.
For example in the Uber case, the OAIC stated that "The concept of 'collection' applies broadly, and includes gathering, acquiring or obtaining personal information from any source and by any means", such as via online cookies.
'Collection' ... includes gathering, acquiring or obtaining personal information from any source and by any means
The OAIC response to Uber
And in the Clearview case, the OAIC found that the vectors used for its facial recognition technology, which were generated from images drawn from photographs scraped from the web, were also 'collected', noting that "'collects' includes collection by 'creation' which may occur when information is created with reference to, or generated from, other information".
2. An organisation is 'collecting' personal information even if it is only transient
The act of taking a photo of a customer, to be used to generate a faceprint, is a 'collection' of personal information, no matter how ephemeral that image is, and even if the image is not going to be stored.
In the 7-Eleven case, the OAIC found that even a transient collection, such as images which were stored on a tablet for around 20 seconds before being uploaded to a server in the cloud, will constitute a 'collection' for the purposes of the APPs.
The fact they then throw away that piece of paper isn't the problem, it's that they took the customer's fingerprints in the first place
Justin Warren, Chair Electronic Frontiers Australia
So Electronic Frontiers Australia's Chair Justin Warren was spot on when he compared the use of facial recognition on retail customers to taking a fingerprint of every customer as they enter the store and checking it against a file of previous fingerprints: "The fact they then throw away that piece of paper isn't the problem, it's that they took the customer's fingerprints in the first place".
3. All collection must be reasonably necessary, and proportionate to a legitimate business objective
The collection of any type of personal information, no matter how benign, must be reasonably necessary for a legitimate purpose. From the 7-Eleven case we know that under APP 3, collecting personal information because it will be "helpful, desirable or convenient" is not enough; collection of personal information must be "reasonably necessary" for one of the organisation's "functions or activities".
The OAIC has formulated this test as involving consideration as to whether the impact on individuals' privacy is "proportionate to a legitimate aim sought". In the case of 7-Eleven, while the OAIC noted that "implementing systems to understand and improve customers' in-store experience" was a legitimate aim of the business, the collection of biometric templates was not a proportionate way to achieve that aim, and thus was in breach of APP 3.
Plus, all collection of personal information must also be by lawful and fair means (APP 3.5), and collected directly from the individual unless an exception applies (APP 3.6).
4. All collection requires a collection notice to be provided that is specific to that collection
APP 5 requires organisations to take reasonable steps to notify people about the collection of their personal information – the who, what, when, where, how and why. That notice must be provided at or before the time of the collection.
Reasonable steps must be taken to notify people about the collection of their personal information ... at or before the time of the collection
Not to be confused with a Privacy Policy (which talks in general terms about the whole organisation), a collection notice must be specific to the personal information being collected at that point. Privacy regulators stress the need to keep notices concise and in plain language, while also offering enough detail about how the business proposes to collect, use or disclose the individual's personal information.
The objective of a collection notice is to prevent anyone getting a nasty surprise later; and it can enable the individual to make an informed choice about whether to provide the organisation with their information (if they even have that much choice).
But remember that a collection notice is not a free pass for an organisation or business to collect anything they like. They can still only collect personal information if their reason for asking for the personal information is reasonably necessary – see point #3 above.
Tip: Collection notices shouldn't be confused with consent forms. Collection notices are a one-way form of communication. The person does not need to indicate their agreement; they are simply being put 'on notice'.
5. A Privacy Policy is not a collection notice
The obligation to have a Privacy Policy comes from APP 1. It's a separate requirement to APP 5 collection notices.
As described by the OAIC, a Privacy Policy is simply "a transparency mechanism", which "must include information about an entity's personal information handling practices including how an individual may complain and how any complaints will be dealt with".
So a Privacy Policy is not magic. It cannot authorise an organisation to do anything that the APPs don't already allow it to do.
6. Some acts of collection (or use, or disclosure) also require the prior consent of the individual, unless a public interest exception applies
Asking for a person's consent is a separate process to either providing a collection notice or publishing a Privacy Policy.
Importantly, an organisation or a business doesn't need consent for everything! Seeking consent is only necessary when the APPs say that they need a person's consent, in order to lawfully collect, use or disclose their personal information.
This is most commonly when they are either:
- collecting information about a person's health or disability, unless that information is necessary to provide a health service to the individual, or
- collecting other types of 'sensitive information' about a person, such as biometrics (hello, facial recognition tech), genetic information, or information about the person's ethnicity, sexuality, criminal record, religion, religious or philosophical or political beliefs, or membership of a trade union, political association or professional association, or
- proposing to use or disclose personal information for a purpose unrelated to the primary purpose for which it was collected, or
- disclosing personal information overseas
…and no exemption applies.
So check the APPs to find out whether or not any particular activity (whether a collection, use or disclosure of personal information) first requires the person's consent, in order to be lawfully authorised.
But heads up: a valid consent is hard to get.
7. If a business does need consent to authorise its conduct, that consent will only be valid if it is voluntary, informed, specific, current, and given by a person with capacity
The OAIC has said that in order to be valid, a consent must be voluntary, informed, specific, current, and given by a person with the capacity to consent.
I like to describe consent as the 'Would you like fries with that?' question. The question must be very specific about what is being proposed, the question must be asked about only one thing at a time, the default position must be 'no', and the customer must be completely free to say either yes or no to the fries, and still get their burger.
The customer must be completely free to say either yes or no to the fries, and still get their burger
So notice alone typically does not allow an organisation to infer consent. (For anyone who still thinks that posting a notice outside a store is the same as getting consent from customers who enter the store, please consider this: if providing a notice was enough to infer consent, the Privacy Act would not need to require both.)
'Opt out' is not consent either; the OAIC has made clear that an individual's silence cannot be confidently taken as an indication of consent.
8. Consent cannot be obtained by making customers 'agree' to a Privacy Policy, a collection notice, or Terms and Conditions
In the Flight Centre case, the OAIC noted that a Privacy Policy is not a tool for obtaining consent. Making customers 'agree' to a Privacy Policy, or to a collection notice, or to T&Cs, before they can access a service, download an app, enter a store or buy a product removes the voluntary aspect needed to gain a valid consent.
So, any business wanting to collect (including create) personal information from or about its customers, should make sure they:
- can demonstrate that their collection is reasonably necessary, for a legitimate aim, and proportionate to that aim (APP 3.1- 3.3)
- only use lawful and fair means (APP 3.5)
- collect information directly from each customer unless they are authorised otherwise (APP 3.6)
- provide a collection notice to every customer (APP 5), and
- publish a Privacy Policy, such as on their website (APP 1).
Plus, if the personal information it is collecting/creating is 'sensitive' information, the business will also require each customer's consent, unless an exemption applies.
Easy, right? Now we've got that sorted, you can go and enjoy your fries. Or not. It's completely up to you.
This article has been republished from the Salinger Privacy blog.
Stock images: Getty, unless otherwise stated.
