A simple risk assessment would likely have stopped Bunnings, Kmart and The Good Guys from deploying controversial facial recognition security systems, according to privacy experts, who say that mandating the considerations could create a “seismic” improvement in data practices.
The three retailers are now facing backlash after consumer group Choice revealed their use of facial recognition technology last month and filed a complaint with the federal privacy regulator.
The companies defended the use of the technology as a way to make their stores safer and argued consumers had been informed by signage and privacy policies.
But under mounting pressure, The Good Guys backed away, saying it would “pause” its trial of the technology. The Wesfarmers retailers said they will continue to use it while awaiting a possible investigation.
At the Privacy Enhancing Technologies (PETS) Symposium in Sydney on Monday, experts said the high-profile incident demonstrated a lack of awareness about privacy risks and how to mitigate them.
“If Bunnings and Kmart had actually done a risk assessment on their technology and whether it was suitable to record everybody entering the store and check their facial characteristics, then I don’t think they would have come to the conclusion that it was such a good idea,” New South Wales Privacy Commissioner Samantha Gavel said at the event.
Privacy impact assessments are not required by law but are strongly recommended by the regulator for large businesses and government agencies when dealing with personal information, particularly sensitive information like the biometrics collected by facial recognition technology.
The assessments provide organisations with a systematic method for assessing the privacy impact of projects and then mitigating the risks.
Business consultant and lawyer Peter Leonard wants the risk assessments mandated to force companies to consider likely harms before deploying privacy-invasive technologies or information sharing.
Mr Leonard, a member of the NSW Government’s Artificial Intelligence Review Committee, said requiring the assessment would be the fastest way to shift the needle to better data practices.
“If you’re regulated to require that — like you require environmental impact assessment to be done before somebody builds a new building or puts a new playing field somewhere — that would make a seismic shift, I think, in the level of compliance awareness out there,” he said at the PETS Symposium.
“Sometimes the difficult problems can be started to be solved in simple ways. I think risk assessment is really important.”
The weeklong event is showcasing the cutting edge in privacy enhancing technologies and providing workshops for the developers behind them.
Ms Gavel urged the participants to not think of the technology as a silver bullet.
“PETS can help ensure information is protected and kept secure. But security is only one piece of the privacy puzzle. On its own, it doesn’t ensure protection of privacy rights or compliance with privacy law.
“…Personal information needs to be secured and protected. But it’s equally important that it’s collected, used and shared lawfully as well.”