Skip to content
Insights
Governance

Biometrics, privacy and the audit trail: access control under the Privacy Act

3 July 2026 · 6 min read · James Park

Facial recognition at the door and a fingerprint at the gym are convenient. Under Australian law they are also sensitive information, and the regulator has spent the last two years making clear how seriously it takes that.

Biometric data is sensitive information

Under the Privacy Act, biometric information used for automated verification or identification, and biometric templates, are classified as sensitive information. That classification does real work: collection generally requires consent, and the Australian Privacy Principles apply higher standards to how it is collected, stored, used and disclosed than they do to ordinary personal information.

For a building operator, that means the enrolment photo, the face template on the reader, and the record of who walked through which door are not just operational data. They sit in the most protected category Australian privacy law has.

What the OAIC has signalled

The OAIC has published guidance on facial recognition, and its determinations against major retailers, most prominently the Bunnings matter and the scrutiny of Kmart's trial, set a high bar. Convenience and loss prevention did not justify collection without adequate notice, genuine consideration of less intrusive alternatives, and privacy impact assessment done before deployment rather than after.

The lesson for anyone deploying biometric access is that "we told people in a policy" is not the standard.

The standard is closer to: demonstrate why you need it, show what else you considered, give people a real choice, and be able to prove all of it later.

Why build-to-rent is squarely in scope

BTR operators run residential buildings where smart access is part of the product. That cuts both ways. A resident can choose not to shop at a store that uses facial recognition; they cannot meaningfully opt out of their own front door. The power imbalance that concerned the regulator in retail is sharper at home.

That makes consent design, genuine non-biometric alternatives, and proportionality assessments live obligations for operators, not paperwork. A building that offers biometric entry needs to offer a mobile credential or card path that is just as good, and needs to be able to show its reasoning.

Governance as a design property

A privacy policy describes intentions. A platform either enforces them or it does not. Role-scoped permissions mean a concierge cannot browse biometric enrolments. An immutable audit trail means every access to resident data is itself recorded. Australian data residency means the question of where templates live has one answer.

None of these can be added by a policy document after deployment. They are either properties of the system or absent from it, and the difference is exactly what a regulator, an auditor or a class-action discovery process will ask about.

Questions to ask any access vendor

  • Where is biometric data stored, in what form, and in which country?
  • Who can see enrolments, and is that access itself logged?
  • What is the non-biometric alternative, and is it a first-class experience?
  • Can you produce a complete access history for one person in one building with one query?

If a vendor cannot answer these quickly, the governance is probably a policy, not a property.

BTR OS was built with these as design properties, which is the perspective this piece is written from. This article is general information, not legal advice; operators deploying biometric access should take their own advice and run their own privacy impact assessment.

Built on these convictions.

BTR OS is the platform this thinking produced. See it running on a live building.

Prefer email? hello@ark360.com.au