Proptech: Understanding and Managing Privacy and Surveillance Issues – Insights
The use of surveillance technologies such as CCTV is now common, and new surveillance technologies, such as facial recognition technology, are increasingly being used. This technology inherently relies on a large amount of personal information to be collected and stored. While the innovative capabilities technologies provide are practical and can improve property safety and efficiency, as well as the occupant experience, their use is not without risk. In particular, building owners and users must ensure that any use of surveillance technologies is done in a manner that is transparent, respectful of privacy and complies with the law.
Why are surveillance technologies used?
In the context of an office or retail space, for example, surveillance technologies can be used to:
- improve access controls throughout the property with the aim of replacing more traditional security methods (for example, to replace the need for a concierge or security personnel monitoring ground floor access doors floor of a building);
- monitor and monitor people, including to identify and prevent security risks and potential criminal activity;
- monitor foot traffic to understand and analyze how spaces are used. For example, the technology can be used to help plan shared offices or manage room reservations for visitors;
- detect and monitor dangerous areas in buildings; and
- provide occupants with real-time data on the use of spaces in a building (such as meeting rooms and end-of-trip facilities).
Confidentiality and other legal considerations
The collection of visual images and data through surveillance technologies will include personal information as defined in the Privacy Act 1988 (Cth) (Privacy Act) to the extent that it includes information about an “identified person” or a reasonably identifiable person (for example, a person’s facial features and other identifying information, such as tattoos).
Relevantly, the use of surveillance technologies may involve the collection of certain “sensitive information” as defined in Section 6 of the Privacy Act, including health information, biometric templates and biometric information that is to be used for automated biometric verification or biometric identification purposes. . Sensitive information receives a higher level of protection under the Privacy Act and associated Australian Privacy Principles (Apps).
Organizations that are classified as “APP entities” under the Privacy Act and that use personal information, including sensitive information (including through facial recognition and other surveillance technologies ), must :
- only collect this information by lawful and fair means;
- notify the individual of the collection of personal information in accordance with APP 5; and
- ensure that all collections, uses and disclosures of personal information are carried out in accordance with all other applications.
In particular, under the Privacy Act, APP entities must not collect sensitive information about an individual unless the individual consents to the collection of the information and meets the other conditions of the Privacy Act. APP 3. Certain limited exceptions apply, for example, if the collection of sensitive information is required or permitted by or under any Australian law.
It is important to note that the use of CCTV and facial recognition technology may also be subject to other laws, including privacy legislation and state and territory surveillance devices and, depending on the jurisdiction, specific workplace surveillance laws, such as the Workplace Surveillance Act. 2005 (New South Wales). This law regulates the monitoring of employees in a workplace and states that monitoring of an employee shall not begin without written notice to the employee. Special and additional requirements apply to particular types of workplace surveillance, including camera surveillance.
Be aware of biases and other errors
No technology is completely infallible. In particular, concerns have been raised that facial monitoring may fail due to algorithmic or user error that may be biased by race and gender. It is therefore important that any use and deployment of surveillance technologies is subject to continuous testing and monitoring and complies with anti-discrimination laws. Any use of technology must be properly tested and verified by a human. Technology should be a help and not the only source of truth.
Surveillance technologies collect large amounts of data, which can be invaluable to a hacker or malicious actor, so it is essential that users protect their data and carefully assess and manage cybersecurity and other security risks associated with it. collecting them (you can get some tips on how to manage and mitigate cybersecurity risks in a proptech context here). In addition, data from surveillance technologies must not be used for illegal or illegitimate purposes, such as stalking a current or former partner.
The road ahead
As new technologies such as the use of facial recognition technologies become more widespread and are widely reported in the media, we are likely to see more targeted oversight and regulation of the field.
Major retail giants, including Kmart Australia and Bunnings, have already been the subject of widespread media coverage and concerns from consumer group CHOICE over their use of facial recognition technology. The facial recognition technology was reportedly used by Kmart Australia for the prevention of fraud and criminal activity, and by Bunnings to help identify people who had previously been involved in concerning incidents in their stores. According to reports, Kmart Australia and Bunnings have now stopped using facial recognition technology.
The Australian Information Commissioner’s Office (CATO) is currently conducting an investigation regarding the use of facial recognition technology by these entities. This follows its 2021 determination that 7-Eleven was collecting sensitive biometric information (via facial imaging while surveying customers about their in-store experience), and that it interfered with consumer privacy because it was not reasonably necessary for 7-Eleven’s functions and was conducted without sufficient notice as required by the APPs. The Commissioner concluded that the facial images and facial prints were sensitive information under the Privacy Act since they were biometric information used for automated biometric identification purposes and that the facial prints were biometric templates.
The recently released report by the University of Technology’s Institute of Human Technology, Facial Recognition Technology – Towards a Model Law, offers a risk-based approach to the use and deployment of facial recognition technology. If enacted, the model law would require developers and deployers of facial recognition technologies to assess human rights vulnerabilities both individually and in combination to identify the overall level of risk for the particular application of the law. facial recognition technology. This goes beyond general privacy considerations under existing law and requires users to think more broadly about the use and application of facial recognition technology, including factors such as where technology is deployed, the performance of each application to produce reliable results and whether it is affected. individuals were given the opportunity and ability to give their free and informed consent to the collection of facial data. The outcome of this assessment will determine the risk rating of the relevant facial recognition application and determine whether the technology can be deployed and, if so, the level of restrictions applied to the use of this technology. High-risk apps would be prohibited under the model law, unless there are special circumstances, such as limited law enforcement.
Use of surveillance technologies as part of your proptech
Owners and users of surveillance technologies in a proptech context should:
- carefully evaluate their use of technology, including any potential impact on privacy. Ideally, such an assessment should be undertaken before the technology is used;
- examine the nature and means by which they obtain their consent to the collection of personal information using surveillance technologies;
- ensure that clear and transparent notice is provided regarding the operation of technologies and the collection of personal information and that an appropriate form of such notice is used that meets all requirements of law, including included under APP 5 of the Privacy Act;
- ensure that the technologies, and the systems and procedures associated with their use, comply with all relevant laws and regularly review such laws to ensure that the technology remains compliant with any legislative developments;
- manage and mitigate cybersecurity risks and ensure that all personal information generated through the use of surveillance technologies is protected against loss, unauthorized access, use or disclosure and other misuse; and
- write clear provisions in all relevant contract documents (for example, a lease agreement between a tenant and a landlord for a building that uses surveillance technology), which adequately manages the legal and other risks associated with the deployment of the technology. For example, it may be worth considering the inclusion of confidentiality terms, as well as contractual provisions that clearly indicate which party is responsible for maintaining and monitoring the technology.
Thanks to Hareesh Makam for his help in writing this article.