PRIVACY, PROPORTIONALITY, AND FACE PRINTS: LESSONS FROM THE KMART OAIC RULING

INTRODUCTION

The recent OAIC ruling that found Kmart in breach of the Privacy Act over its use of facial recognition technology (FRT) is a landmark decision.  It underlines how boundaries between security, fraud prevention, and individual privacy are increasingly scrutinised - and rightfully so.  

At QNA Investigations, we believe this case offers crucial lessons for businesses, legal practitioners, and anyone working in investigations that touch on personal data and biometric identifiers.

WHAT WENT WRONG: KEY MISSTEPS BY KMART 

  • No meaningful consent from customers: Consent isn’t a checkbox.  It must be clear, informed, and specific.  Kmart failed to get customers’ consent before collecting biometric data (face prints).  Without that, the collection can’t satisfy the Privacy Act’s legal requirements.

  • Disproportionate use of technology: Even if refund fraud is a valid concern, using biometric FRT on every customer entering stores (or being captured in public-facing areas) is quite invasive.  OAIC emphasised there were less intrusive alternatives.

  • Lack of privacy impact risk balancing: The ruling hinges on whether the privacy intrusion is justified by the benefit.  OAIC determined Kmart could not reasonably believe the benefit outweighed the privacy cost in this case. 

WHY THIS RULING MATTERS FOR BUSINESSES & INVESTIGATORS 

  • Litigation risk: Misuse of biometric data or using face recognition without consent can lead to OAIC investigations, reputational damage, and legal scrutiny.

  • Regulatory clarity: The decision clarifies that companies deploying biometric tech must align with privacy laws - consent, purpose limitation, proportionality, data protection.

  • Forensic relevance: In any investigation where biometric or facial recognition tech is involved, preserving metadata, understanding the systems, and checking for compliance are critical. 

HOW ORGANISATIONS SHOULD RESPOND 

  • Audit existing biometric/face recognition systems: Check for documented consent, proportionate usage, and privacy impact assessments, and whether less invasive alternatives exist.

  • Review policies, vendor contracts, and data retention: How is the data stored?  Who has access?  How long is it kept?  Are there transparency and deletion policies?

  • When planning investigations, include privacy and data experts early: Whether you’re investigating workplace misconduct, refund fraud, or anything involving biometrics, engaging legal and investigative specialists from the start ensures compliance and reduces risk.

  • Train staff & customers: Ensure staff handling or managing biometric tech understand the legal, ethical, and privacy dimensions.  Inform customers appropriately about any biometric collection. 

IMPLICATIONS FOR QNA INVESTIGATIONS’ WORK 

Our work often touches on technologies, data sources, and systems - all of which may raise privacy issues.  From this ruling, we reinforce our internal best practices: 

  • Ensuring any investigative technology used is compliant with privacy law.

  • Maintaining chain of custody and secure handling of biometric or sensitive personal data.

  • Using metadata and technical evidence to verify claims about how biometric systems are operated.

  • Advising our clients (law firms, corporations) on the legal risk of deploying or relying on biometrics. 

CONCLUSION

The OAIC’s decision against Kmart isn’t just a win for privacy advocates - it’s a wake-up call for all organisations and legal teams handling sensitive personal data.  Security and fraud prevention are legitimate objectives - but not at the cost of privacy rights.  Business strategies, investigative methods, and technologies must align with legal standards of consent, proportionality, and fairness. 

We stand ready to help businesses and legal professionals navigate this complex terrain - ensuring that investigations protect both evidence and privacy.

NEED CLARITY IN A COMPLEX MATTER 

At QNA Investigations, we deliver facts, not assumptions - helping a wide range of clients uncover the truth with precision and integrity.  If you’d like to know more, contact us by phone on +61 2 9212 5000 or via email at mail@qnainvestigations.com.au.
