An Australian tribunal decision has confirmed that even momentary or transient processing of personal information can constitute 'collection' under Australian privacy legislation. This is a helpful reminder to New Zealand organisations using facial recognition or other automated data-processing technologies – immediate deletion of personal information can be a helpful safeguard, but there is still a "collection" for the purposes of the Privacy Act 2020 and the Biometric Processing Privacy Code 2025 (Code).
Background: the Bunnings case
In February 2026, Australia's Administrative Review Tribunal (Tribunal) handed down its decision in Bunnings Group Limited v Privacy Commissioner [2026] ARTA 130. The case concerned Bunnings' trial of facial recognition technology (FRT) across 62 of its stores between November 2018 and November 2021. The system captured facial images of all individuals entering their stores, compared those images against a database of known offenders, and sent alerts to staff where a match was identified. Facial data used in the matching process was deleted within milliseconds.
The Office of the Australian Information Commissioner (OAIC) originally found that Bunnings had breached multiple Australian Privacy Principles (APPs) relating to transparency, collection and notification. Bunnings appealed.
What the Tribunal decided
While generally considered to be a 'win' for Bunnings, the Tribunal's decision was mixed. The Tribunal accepted that a 'permitted general situation' exception to the requirement to obtain consent applied as the collection was reasonably necessary to lessen or prevent a serious threat to the safety of staff and customers from retail crime and violence, and obtaining consent was impracticable. Accordingly, it set aside the OAIC finding that Bunnings had unlawfully collected sensitive information without consent.
However, the Tribunal agreed with the OAIC's findings that Bunnings failed to implement adequate privacy governance practices and did not give customers sufficiently specific notice about the collection of their facial images. Generic entry signage about video surveillance and that FRT may be used was found to be insufficient.
Key takeaway for New Zealand: transient processing is still 'collection'
The decision's most significant and broadly applicable finding is on the meaning of 'collection'. Bunnings argued that its system merely 'created' facial vector sets during a real-time matching process, retaining them only briefly before automatic deletion. The Tribunal rejected this argument and confirmed that the threshold for 'collection' under the Australian Privacy Act is a low one: even fleeting or transient handling of personal information (in this case for approximately four milliseconds per image), constitutes 'collection' for the purposes of the Act.
The New Zealand picture
New Zealand's Privacy Act uses similarly broad language in defining and regulating the collection of personal information.
The Tribunal's decision aligns with the New Zealand Privacy Commissioner's earlier inquiry into Foodstuffs' FRT trial, which is also relevant here. The Commissioner found that Foodstuffs' collection and use of FRT complied with the New Zealand Privacy Act because of robust safeguards, including purpose limitation, automatic deletion of non-matched images (99.999% within one minute), strict watchlist controls, and clear in-store signage and ongoing monitoring. Importantly, the Commissioner did not treat rapid deletion as a reason to find that no collection had occurred; rather, deletion was treated as a privacy safeguard going to the proportionality of an acknowledged collection. That approach is consistent with the Bunnings ruling: transient processing is still collection, and the appropriate question is whether the collection is justified, not whether it happened. The Foodstuffs finding was not a blanket endorsement of FRT but rather a demonstration that compliance is achievable with the right architecture.
The New Zealand position is further sharpened by the Biometric Processing Privacy Code 2025, which came into force on 3 November 2025 and now applies alongside the Privacy Act. Organisations already using biometric technologies have until 3 August 2026 to align with the Code. The Code requires organisations to:
- Collect biometric information only for a lawful purpose that is specific and necessary
- Assess proportionality (including any cultural impacts on Māori)
- Implement appropriate privacy safeguards before collection begins
- Notify individuals clearly and conspicuously, before or at the time of collection, that their biometric information is being collected and why.
What organisations should do now
The Bunnings' decision reinforces that privacy obligations are triggered at the point of collection, however brief. For in-house legal teams and privacy officers, the following steps are worth considering:
- Map all data flows end-to-end, including automated and real-time processes, to identify where personal or biometric information is captured, even transiently
- Review collection notices and privacy policies to ensure they describe the specific types of information collected, the technologies used and the precise purposes, rather than relying on general surveillance notices
- Conduct and document a formal privacy risk assessment before deploying any technology that processes personal information at scale, particularly biometric information
- Assess exemption pathways carefully: unlike Australia, New Zealand has no single 'permitted general situation' concept. Applicable carve-outs are embedded within each information privacy principle (IPP) (for example, the serious threat to life or health exception in IPPs 2, 10 and 11) and, where no IPP exception fits, an agency may apply to the Privacy Commissioner for authorisation under section 30 of the Privacy Act. Each pathway is narrow and must be assessed on the specific facts
- Review vendor contracts to include obligations around transient processing, automatic deletion, security controls and audit rights.
Organisations that have not yet reviewed their biometrics practices in light of the Code should treat that as a priority. The grace period for existing users ends on 3 August 2026.
