
Regulatory Update - Facial recognition technology: a guide to assessing the privacy risks
On 19 November 2024, the Office of the Australian Information Commissioner (OAIC) released guidance for organisations considering the use of facial recognition technology (FRT). The guidance outlines how the Australian Privacy Principles (APPs) apply to the collection and handling of biometric data, which is classified as sensitive information under the Privacy Act.
Given the heightened privacy risks associated with FRT, the OAIC recommends a structured, privacy-conscious approach to its deployment. Organisations are encouraged to assess the appropriateness of FRT in their operational context by applying the following principles.
Key principles for responsible use of FRT
Privacy by Design (APP 1)
Conduct a privacy impact assessment (PIA) to identify and mitigate privacy risks. This is a reasonable step under APP 1.2 to ensure compliance with privacy obligations.
Necessity and Proportionality (APP 10)
- Collect biometric data only when it is reasonably necessary for a defined organisational function or activity.
- Apply an objective test: would a properly informed reasonable person agree the collection is necessary?
- Consider whether the function could be performed without collecting biometric data or with less intrusive methods.
Accuracy, Bias & Discrimination (APP 10)
- Take reasonable steps to ensure biometric data is accurate, complete, and up-to-date.
- Address risks of in-built algorithmic bias and discrimination, particularly those affecting specific demographic groups.
- Conduct due diligence when using third-party FRT systems to manage risks related to accuracy and fairness.
Governance & Ongoing Assurance (APP 1)
Establish robust governance mechanisms to ensure compliance with the APPs, including:
- conducting a PIA
- designated privacy officers and regular reporting to governance bodies
- regular staff training on privacy obligations and procedures and ongoing supervision of staff to reinforce training
- ongoing review and audit of privacy policies and practices, including handling complaints, and
- proactive procedures for managing privacy risks across all stages of the information lifecycle.
This publication is a summary of the subject matter covered. It is not intended to be, and should not be relied upon as, legal or any other type of professional advice. For further information on this subject matter, please contact the author.


Liability limited by a scheme approved under Professional Standards Legislation. Legal Practitioners employed by and the directors of Gilchrist Connell Pty Ltd are members of the scheme.


