Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Biometric technology is moving fast in Australia. From fingerprint scanners on warehouse doors to facial recognition for staff access and voiceprints for call centre authentication, biometrics can improve security and convenience.
But because biometric data is uniquely tied to identity, it comes with extra privacy obligations. If you collect, store or use biometric information in your business, it’s important to build privacy and security in from day one. Getting it wrong can lead to regulatory action, complaints, and serious reputational damage.
In this guide, we’ll explain what counts as biometric data, how Australian privacy law treats it, when consent is required (and when it might not be valid), and the practical steps to stay compliant. You’ll also find tips for common scenarios like employee time-and-attendance systems, CCTV with analytics, and using third‑party biometric vendors.
What Counts As Biometric Data In Australia?
Biometric data is information derived from a person’s unique physical or behavioural traits. These identifiers are difficult to fake and, unlike a password, you can’t just “reset” your fingerprint or face template if it’s compromised. Common examples include:
- Fingerprints and palm prints
- Facial images and facial recognition templates
- Iris or retina scans
- Voiceprints and voice recognition templates
- DNA and certain genetic information
- Behavioural patterns such as keystroke dynamics or gait
Under the Privacy Act 1988 (Cth), biometric data used for the purpose of automated biometric verification or biometric identification is treated as “sensitive information”. That classification matters because sensitive information is subject to stricter rules than other kinds of personal data.
Which Privacy Laws Apply To Biometric Data?
Several parts of the Australian privacy framework are relevant when you handle biometrics. Here’s the high‑level picture.
Privacy Act And APP Entities
The Privacy Act 1988 (Cth) sets out the Australian Privacy Principles (APPs), which apply to “APP entities”. Generally, private sector businesses with an annual turnover of more than $3 million are APP entities. Some smaller businesses are also covered, including health service providers, businesses that trade in personal information, and contractors to the Commonwealth.
If you are an APP entity, you must comply with the APPs when collecting, using, disclosing and securing biometric data. That includes having an up‑to‑date, clearly expressed Privacy Policy (this is required for all APP entities, not just those handling sensitive information).
Sensitive Information Rules
Biometric data used for automated verification/identification is sensitive information. As a rule of thumb, APP entities should only collect sensitive information with the individual’s consent, unless a specific exception applies. The bar for consent is higher for sensitive information, and you should assume you need clear, informed permission unless you’ve identified a lawful alternative basis under the Act.
Employee Records Exemption (Important Nuance)
Private sector employers may rely on the Privacy Act’s “employee records” exemption for certain acts or practices directly related to a current or former employment relationship, and directly related to employee records. However, this exemption is narrow and nuanced:
- It generally does not apply to job applicants or contractors.
- It does not cover the period before an employment relationship exists (for example, collecting biometrics at interview stage).
- Even where the exemption applies, other laws, awards, enterprise agreements, workplace surveillance laws and work health and safety obligations may still regulate your conduct.
Many employers choose to meet APP‑level standards anyway (including consent, transparency and security) to reduce risk and build trust with staff.
Notifiable Data Breaches (NDB) Scheme
If you experience an eligible data breach involving biometric data, you may have to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) under the NDB scheme. Having a tested Data Breach Response Plan helps you act quickly and meet your obligations.
State And Territory Laws
Certain state and territory laws may also apply in specific contexts, such as health information legislation or workplace surveillance laws. If you operate in regulated sectors (e.g. health, education, gaming, security) or you deploy surveillance devices on premises, get advice on the additional rules in your state or territory.
Do You Need Consent To Collect Biometric Data?
For APP entities, the starting point is yes: collecting biometric data used for automated identification/verification typically requires consent. But “consent” has to be meaningful, especially in sensitive contexts like employment.
What Counts As Valid Consent?
To be valid for sensitive information under the APPs, consent should be:
- Informed: You explain what you collect, why, how you use it, how long you keep it, and who you share it with (including overseas disclosures if relevant).
- Voluntary: People have a genuine choice. Consent given under pressure, or where refusal leads to unfair detriment, may not be valid.
- Specific and current: It covers the particular use at the time of collection; re‑using data for a new purpose usually needs fresh consent.
- Capable: The person has capacity to understand and decide.
Importantly, signage alone does not equal consent to biometric processing. A notice can help with transparency, but you still need to satisfy the consent criteria, or identify another lawful basis in the limited situations where one applies.
Consent In Employment Settings
Power imbalance in the workplace can undermine “voluntariness”. If employees feel forced to agree to biometric time‑clocks or access control with no reasonable alternative, consent may not be regarded as freely given.
Best practice is to provide a non‑biometric option (for example, an access card) and ensure no adverse treatment for employees who opt out. Update your employment documentation and policies so the purpose and process are clear, and maintain records of consent decisions. If you deploy biometrics for staff, it’s sensible to align with APP‑level standards even if you believe the employee records exemption applies.
Privacy Collection Notices
At the point of collection, present a concise notice that covers identity and contact details, purpose, consequences of not providing information, usual disclosures (including to any cloud providers), and how individuals can access or correct their information. Many businesses address this with a tailored Privacy Collection Notice that sits alongside a full Privacy Policy.
Practical Compliance Steps For Australian Businesses
Here’s a pragmatic roadmap to handle biometrics lawfully and responsibly.
1) Map Your Biometric Use
- What biometric identifiers are you collecting (e.g. face templates, fingerprints)?
- Why do you need them, and is there a less intrusive alternative?
- Where do the data and templates live (on‑device, on‑premises server, or a vendor’s cloud)?
- Who can access them, and in which locations (including overseas)?
A lightweight privacy impact assessment (PIA) helps you identify risks, reduce data collection to what’s necessary, and document decisions.
2) Set The Legal Foundations
- Publish an up‑to‑date Privacy Policy that clearly covers the collection and use of biometric data.
- Use a layered approach with a Privacy Collection Notice at the point of capture.
- Implement a Privacy Complaint Handling Procedure so you can respond quickly to access, correction and complaint requests.
3) Obtain And Record Consent
- Use plain language and capture affirmative consent (no pre‑ticked boxes).
- Offer a reasonable alternative (e.g. access card) wherever possible.
- Log consent, withdrawal and opt‑out choices, and refresh consent if the purpose changes.
4) Strengthen Security
- Prefer template storage (e.g. hashed/encrypted templates) over raw images wherever feasible.
- Encrypt data in transit and at rest; enforce strict role‑based access controls and audit logs.
- Apply data minimisation and short retention: delete biometric data when it’s no longer needed.
- Adopt an Information Security Policy and run regular training for staff.
5) Prepare For Incidents
- Maintain and test a Data Breach Response Plan that aligns with the NDB scheme.
- Define clear internal escalation paths and rehearse them.
- Keep vendor and technical contacts handy to speed up containment and notifications.
6) Manage Third‑Party Vendors
- Conduct due diligence on biometric providers’ security, retention and deletion controls.
- Put appropriate privacy and data protection clauses in place, or a dedicated Data Processing Agreement where relevant.
- Control overseas disclosures and ensure equivalent protection where data leaves Australia.
If your use cases are complex or evolving, consider getting tailored privacy advice before you roll out.
Special Scenarios: Employees, CCTV And Third‑Party Vendors
Biometrics often show up in similar places across different businesses. Here’s how common scenarios typically play out.
Time-And-Attendance And Access Control For Staff
Fingerprints or facial recognition can reduce “buddy punching”, but design the process carefully:
- Explain the purpose (timekeeping or security), what you collect, and how long you retain it.
- Offer a non‑biometric option on request and avoid penalising employees who choose it.
- Restrict use to the original purpose; don’t repurpose time‑clock biometrics for other monitoring without fresh consent.
- Review any interaction with awards/enterprise agreements and local surveillance laws.
Update your internal policies and, where appropriate, your employment documentation to reflect these practices. If your business is an APP entity, aligning with APP standards (even if an employee records exemption might apply) is a prudent, low‑risk approach.
Customer Authentication And Account Security
Financial services, health, and online platforms may use voice or face authentication. Given the sensitivity, set a high bar for transparency, security and opt‑out options. Present a clear collection notice inside the flow and give users control over enabling or disabling biometric sign‑in.
In‑Store CCTV And Facial Recognition
General CCTV for security is one thing; adding facial recognition or analytics to identify individuals is another. If you are using facial recognition for identification or profiling, you’re handling sensitive information. Prominent signage helps with transparency, but by itself it is not consent for biometric identification. Assess whether your use is necessary and proportionate, consider a consent mechanism (or genuine opt‑out with a non‑biometric alternative), and check any state surveillance device laws that apply to your setup.
Vendors, Cloud And Cross‑Border Handling
Many biometric systems rely on third‑party providers. Lock down privacy and security obligations in your contracts (including audit rights, retention/deletion, and breach support), consider a Data Processing Agreement, and control any overseas disclosures with appropriate safeguards. Your public‑facing Privacy Policy should transparently describe these arrangements.
Retention And Deletion By Design
Because biometric identifiers can’t be changed, retaining data for longer than necessary increases risk. Set short retention periods, automate deletion after offboarding or inactivity, and make sure vendors actually delete templates on request. For broader record‑keeping obligations, consider your sector’s specific rules and general data retention laws that may apply to your business.
Key Takeaways
- Biometric data used for automated identification or verification is sensitive information under Australian law, which means stricter rules and higher expectations.
- APP entities must comply with the Australian Privacy Principles and have a clearly expressed Privacy Policy; this is mandatory for all APP entities.
- Consent for biometrics must be informed, specific and voluntary; signage alone doesn’t equal consent, and employment settings require special care due to power imbalance.
- Build privacy by design: minimise what you collect, offer non‑biometric alternatives, secure data strongly, and delete it when it’s no longer needed.
- Prepare for incidents with a tested Data Breach Response Plan and handle requests and complaints via a clear complaints procedure.
- When using vendors, tighten contracts and consider a Data Processing Agreement to govern security, retention and breach support, especially for cross‑border processing.
- If you’re unsure whether the employee records exemption or APP obligations apply to your use case, seek tailored privacy advice before rollout.
If you would like a consultation on how your business can comply with biometric data and privacy requirements, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.