Data sharing, biometrics and the price of convenience

Reflections on data sharing, biometric privacy and facial recognition governance, drawing on practical experience across policing, secure identity, retail security and privacy impact assessment work.

There is a question I keep coming back to when discussing data sharing and biometric technology:

What is the price we are willing to place on our privacy?

Not in a theoretical sense. In a practical sense.

People regularly give up data for convenience, discounts, safety, access or speed. We use a Google account to sign into services because it is easy. We scan loyalty cards to save a few dollars at the supermarket, knowing that our purchases are being profiled. We scan our driver licence to enter licensed venues because that has become normalised. We walk past cameras in public and private spaces without always knowing what they are doing, how long information is retained, or whether it is being matched against another source.

None of this necessarily starts with bad intent. In many cases, the intent is sensible. Improve safety. Reduce fraud. Stop violent behaviour. Prevent banned people from re-entering a venue. Help find a missing person. Support police where there is a lawful basis to do so.

The problem is not simply whether the technology works.

The problem is whether the organisation deploying it has properly answered the harder questions before it goes live.

Biometrics are different

I have worked around biometric identity, facial recognition and secure identity systems for many years, including in law enforcement, corrections, public safety, commercial identity management and public-facing environments.

That experience has left me with a clear view: biometrics should never be treated as just another data field.

A password can be changed. A card can be cancelled. An email address can be replaced. A face, fingerprint or biometric template is different. It is connected to the person in a much deeper way, both technically and socially.

That does not mean biometric technology should never be used. I do not hold that view. In some environments, biometrics can provide real operational value. They can support safety, identity assurance, fraud prevention, public protection and operational integrity. I have seen that value directly.

However, the sensitivity of the data means the governance threshold must be higher.

The organisation needs to be clear about why the technology is necessary, what problem it is solving, whether there are less intrusive alternatives, who is affected, what is collected, what is retained, who has access, how decisions are made, what happens when the system gets it wrong, and how people are told in plain language what is happening.

From capability to accountability

Over the years, I have seen biometric projects succeed when they are treated as governance projects, not just technology projects.

The technology itself is only one component. The more important questions are usually operational and ethical:

Who decides that a person is added to a watchlist?

What evidence is required?

Who reviews that decision?

How long does the record remain active?

What happens when circumstances change?

Who can remove a person?

How are false positives managed?

What is the human review process?

Can the technology be used for anything beyond the original purpose?

What safeguards stop future expansion into profiling, marketing, or general surveillance?

These questions matter because facial recognition can shift very quickly from a targeted security control to a broad surveillance mechanism if it is not tightly governed.

The difference is not always in the camera or the algorithm. Often, it is in the operating model.

The lesson from retail facial recognition

Recent Australian debate about facial recognition in retail has been useful because it has moved the conversation beyond simplistic positions.

It is too easy to say, “facial recognition is bad”. It is also too easy to say, “safety justifies it”.

Neither statement is sufficient.

Retailers and shopping centres can face real safety issues. Staff can be threatened. Customers can be assaulted. Repeat offenders can cause serious harm. In some environments, banning notices and manual security processes may not be enough.

At the same time, scanning every person who enters a store or centre is a serious privacy intervention. It is not made harmless simply because the organisation says the images of non-matches are deleted quickly. It still involves the collection and processing of sensitive biometric information, at scale, from people going about ordinary life.

That is why necessity and proportionality are so important.

The right question is not, “Can we use this technology?”

The right question is, “Can we justify this specific use of this technology, in this specific environment, for this specific purpose, with these specific safeguards?”

Privacy impact assessment as a governance tool

I recently delivered a privacy impact assessment for a client considering facial recognition in a public retail environment. I will not name the client, but the work reinforced my view that a Privacy Impact Assessment is not a box-ticking exercise.

A good PIA should tell the full story of the project from a privacy, operational, legal, ethical and governance perspective. It should map how information flows through the system, from cameras, to matching engines, to alerts, to operators, to incident records, to retention and destruction. It should document who is accountable, who has access, what third parties can see, and what controls apply.

For a facial recognition deployment, I would expect a serious PIA to address at least the following:

Purpose and use case definition: The organisation must distinguish between security, trespass enforcement, lost-person response, police collaboration, fraud prevention and any other proposed use. Each use case has different privacy implications and may require separate justification.

Information flow mapping: It must be clear what is collected, where it is processed, where it is stored, what is matched, what is discarded, what is retained, and what is logged.

Watchlist governance: The PIA must define who can add or remove people from a watchlist, what approval process applies, what evidence is required, how long entries remain active, and how decisions are reviewed.

Necessity and proportionality: The organisation must assess whether facial recognition is genuinely necessary and whether less intrusive controls could reasonably achieve the same outcome.

Transparency and notice: People need to be told what is happening in plain language. Signage, website content, privacy policies, FAQs, customer service scripts and complaints handling all matter.

Access and third-party controls: If security providers, vendors or public agencies are involved, their access must be clearly defined and controlled.

Human review: The system should not become an unquestioned authority. Matches, alerts and operational responses require human oversight, auditability and escalation rules.

Bias, error and fairness: The organisation must consider demographic performance, false positives, accessibility, discrimination risk and the real-world consequences of getting a match wrong.

Retention and deletion: Biometric templates, images, alerts and related incident records need clear retention and destruction rules.

Public confidence: A technically lawful deployment may still fail if the public reasonably sees it as excessive, covert or poorly explained.

For me, that is the real purpose of a PIA. It forces the organisation to move from enthusiasm or fear into structured decision-making.
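The watchlist questions under "From capability to accountability" and the watchlist governance, human review and retention points in the PIA list above can be enforced in the operating model rather than left to procedure. The following is an added illustration, not code from this post or from any client system; the purposes, identifiers, evidence references and matching threshold are constructed, and the "subject" is an internal reference rather than a person.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

class GovernanceError(Exception):
    """Raised when a watchlist change would breach the operating model."""

@dataclass
class WatchlistEntry:
    subject_id: str      # constructed internal reference, not a real person
    purpose: str         # the single use case the entry was approved for
    evidence_ref: str    # e.g. a banning-notice or incident record number
    requested_by: str
    approved_by: str
    expires_at: datetime
    active: bool = True

class Watchlist:
    def __init__(self, allowed_purposes, max_active_days):
        self.allowed_purposes = set(allowed_purposes)
        self.max_active_days = max_active_days
        self.entries, self.audit = {}, []  # audit is append-only and records every decision

    def add(self, subject_id, purpose, evidence_ref, requested_by, approved_by, days, now):
        if purpose not in self.allowed_purposes:
            raise GovernanceError(f"purpose {purpose!r} is outside the approved use cases")
        if not evidence_ref:
            raise GovernanceError("an evidence reference is required")
        if requested_by == approved_by:
            raise GovernanceError("requester cannot approve their own entry")  # separation of duties
        if days > self.max_active_days:
            raise GovernanceError(f"entries may not stay active beyond {self.max_active_days} days")
        self.entries[subject_id] = WatchlistEntry(subject_id, purpose, evidence_ref, requested_by,
                                                  approved_by, now + timedelta(days=days))
        self.audit.append(("add", subject_id, requested_by, approved_by, evidence_ref, now))

    def remove(self, subject_id, actor, reason, now):
        self.entries[subject_id].active = False
        self.audit.append(("remove", subject_id, actor, reason, now))

    def assess_alert(self, subject_id, purpose, score, threshold, now):
        entry = self.entries.get(subject_id)
        if entry is None or not entry.active or entry.expires_at <= now:
            outcome = "discard: no active entry"    # removed or expired entries cannot raise alerts
        elif entry.purpose != purpose:
            outcome = "discard: purpose mismatch"   # purpose limitation
        elif score < threshold:
            outcome = "discard: below threshold"    # weak matches are dropped, not escalated
        else:
            outcome = "refer_to_human_review"       # the system never acts on its own
        self.audit.append(("alert", subject_id, purpose, score, outcome, now))
        return outcome
```

The point of the structure is that an alert can only ever end in a human review queue, and every add, remove and alert decision leaves an audit record that a regulator, auditor or complainant can later inspect.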

The public has become used to trading privacy

One of the issues I raised in an ACS Data Sharing Frameworks discussion was that public concern about privacy has changed.

There was a time when Australians reacted strongly against the idea of a single national identity card. The Australia Card debate reflected a community concern that a centralised identifier could be used for surveillance or excessive government control.

Today, many people effectively live with linked identifiers across government, banking, telecommunications, platforms, loyalty schemes, digital identity systems and private services. The difference is that it has arrived gradually, often under the banner of convenience.

That slow normalisation matters.

If a person scans a loyalty card every week to save money, signs into services with a platform account, uses a smart speaker at home, hands over a licence to enter a venue, and carries a mobile phone that constantly produces location and behavioural signals, privacy becomes less visible.

The risk is not that people do not care.

The risk is that the exchange is unclear.

People are often not given a meaningful explanation of what is collected, how it is used, how it is linked, how long it is retained, and what the downstream consequences may be.

That is where data sharing becomes a public trust issue.

Consent is often presented as the answer, but in many real-world environments it is more complicated than that.

If a person wants to enter a major shopping centre, licensed venue, transport hub or public event, is their consent meaningful if the practical alternative is exclusion?

If a notice is buried in a privacy policy, is that genuine transparency?

If signage says “CCTV in use”, but the system is actually performing facial recognition, has the person really been informed?

If the technology is used for one purpose today, what prevents it being used for a broader purpose tomorrow?

In biometric environments, consent should not be treated as a magic phrase that cures all risk. It needs to sit within a broader governance framework that includes necessity, proportionality, transparency, purpose limitation, access control, review rights, auditability and accountability.

Safety and privacy are not opposites

I do not accept the idea that safety and privacy are mutually exclusive.

This is particularly important in environments where there are genuine threats to staff, customers or the public. It is legitimate for organisations to look for better tools to manage real risks.

However, safety cannot be used as a blanket justification for poor governance.

A well-designed biometric system should be able to articulate the safety problem it is solving, limit itself to that purpose, minimise unnecessary collection, restrict access, provide meaningful notice, maintain records of decision-making, and ensure that people are not unfairly affected by error or misuse.

In other words, the safer system is not always the system with the most surveillance.

The safer system is the one with the clearest controls.

The role of the technology profession

This is where I think the technology profession has a larger role to play.

As technologists, we cannot stand at a distance and say, “That is a legal issue”, or “That is a business decision”. Technology professionals are often the people who understand what systems are actually doing, what data is actually being collected, what vendors are actually capable of, and where the risks are hidden.

We should be helping organisations ask better questions before systems are deployed.

That includes questions such as:

Is the proposed data collection genuinely necessary?

Has the organisation mapped the information flow?

Is there a clear lawful basis?

Is the use case narrow and well defined?

Has the organisation considered less intrusive alternatives?

Does the public-facing explanation match the technical reality?

Are vendors contractually limited?

Are staff trained?

Is there an audit trail?

Can the system be tested?

Can the decision be reviewed?

Can the organisation explain its position to a regulator, a journalist, a customer, a board, and the community?

These are not abstract governance questions. They are practical implementation questions.

My own view

My view on biometrics is neither blindly supportive nor reflexively opposed.

I have spent too long working with this technology to pretend it has no value. I have also spent too long around real operational environments to pretend governance can be left until later.

Facial recognition and biometric identity systems can be useful. In some cases, they can be important. But they must be designed, implemented and governed with a level of care that reflects the sensitivity of the data and the potential impact on individuals.

The starting point should not be, “We bought a system, how do we justify it?”

The starting point should be, “What problem are we solving, and what is the least intrusive, most defensible way to solve it?”

That is the discipline a good Privacy Impact Assessment brings.

It slows the conversation down just enough to ask the questions that should have been asked before the purchase order, before the installation, before the signage, before the public concern, and before the regulator becomes involved.

Biometric technology is not going away. Data sharing is not going away. AI, digital identity, surveillance analytics and automated decision-making will only make these issues more complex.

The organisations that will be trusted are not necessarily the ones that avoid these technologies altogether.

They will be the ones that can explain, plainly and defensibly, why they are using them, how they are limiting them, how they are protecting people, and how they are holding themselves accountable.