Guideline on using facial recognition technology in a licensed premises

Gaming Machine Regulation 2002 - Section 28A
Liquor Regulation 2002 - Section 27B

Purpose

The purpose of this guideline is to inform licensees authorised to use facial recognition technology (FRT) under the Liquor Act 1992 and the Gaming Machine Act 1991 about:

• the scope of its use
• their obligations when using it
• the application of privacy laws
• best practices for using it
• prohibited uses.

This will help licensees ensure compliance with legal requirements and the protection of individuals' privacy.

The FRT authorisation requirements under sections 28A of the Gaming Machine Regulation and 27B of the Liquor Regulation do not apply to licensees who are already required to use FRT under an existing licence condition or statutory obligation. Those requirements remain unchanged.

Scope of using FRT

Licensees can use FRT to identify individuals who are:

• excluded from gaming areas or premises under a self-exclusion order or exclusion direction as defined in the Gaming Machine Act 1991
• under a banning order under the Liquor Act 1992.

The use of FRT is strictly limited to these purposes.

Using FRT in any other case, such as for marketing, customer profiling or incentivising gambling, is not permitted under the law.

Licensees are authorised to collect and use sensitive biometric information¹without prior consent, but only for enforcing bans and exclusions.

Obligations of licensees using FRT

Licensees using FRT must adhere to the following requirements:

• They must display signage advising FRT is in use at the licensed premises.
• The FRT system must include a function that immediately deletes all biometric information recorded about someone that is not matched to an excluded or banned person.
• They must not keep or disclose any personal information held in an FRT system after the licence for the premises ends.

Signage requirements

Licensees must display clear and prominent signage at each entrance to the premises and gaming areas, and near identification (ID) scanners (if applicable). The signage must state that FRT is in operation and explain its purpose in plain English.

The signage should also include information—for example a QR code or website link—explaining how patrons can access the venue's privacy policy and refer patrons to the Australian Privacy Principles (APPs).

Installation of FRT systems

Licensees should ensure that FRT is installed where it doesn't inadvertently capture the biometric information of members of the public who are not intending to enter the premises.

Application of Australian privacy legislation

Licensees using FRT with annual turnover under $3 million must opt in to the Privacy Act 1988 (Cwlth) by completing the online opt-in application form on the Office of the Australian Information Commissioner (OAIC) website. Once they have opted in, they must comply with the APPs as set out in the Privacy Act.

All licensees with an annual turnover over $3 million must automatically comply with the Privacy Act APPs when handling personal information. This applies regardless of whether the licensee is authorised under Queensland law to use FRT.

Before installing FRT, we recommend completing a privacy impact assessment to identify privacy risks.

Licensees should consult the OAIC website or seek independent legal advice to ensure compliance with the Privacy Act and APPs.

Best practices

To adopt best practices for using FRT, licensees need to:

• regularly review privacy policies and signage to ensure compliance with legal requirements
• train staff in the appropriate use of FRT and their privacy obligations
• seek legal advice if considering any use of FRT that could be beyond the authorised scope.

Prohibited uses

To avoid doubt, FRT must not be used to incentivise gambling or promote liquor consumption, including in association with loyalty programs.

Licensees should ensure that FRT is installed where it doesn't inadvertently capture the biometric information of members of the public.

Disclaimer

This guideline is intended to provide general information and does not constitute legal advice.

Licensees should consult the OAIC or seek independent legal advice for further guidance on compliance with Australian privacy laws.

¹Biometric information is classified as 'sensitive information' under the Privacy Act 1988 (Cwlth), which means it is subject to stricter privacy protections.

Also consider...

• Read the OAIC's Privacy Management Framework.