Briefing body
What happened
On 5 February 2026, ABC News reported that the Administrative Review Tribunal found Bunnings was entitled to use AI-based facial recognition in a limited retail safety context, while also saying the company should have done more on customer notice, signage, and privacy information.
That combination matters. The ruling was not a simple “privacy loses” outcome. It recognised a legitimate safety purpose while still reinforcing that collection, notice, and governance standards apply even when data is retained only briefly.
Why it matters for operators
Childcare operators should not read this as a green light for aggressive surveillance. They should read it as a sharper test for design discipline.
If a provider wants to use CCTV, analytics, or real-time detection, the questions become clearer:
- What is the exact purpose?
- What data is collected?
- Who is notified, and how?
- Who can access footage or outputs?
- How long is information retained?
- What evidence exists that the system is proportionate to the risk it addresses?
Those are the questions that will matter with families, regulators, and boards.
Operational impact
The ruling raises the standard on notice and explainability. If a system is deployed in a sensitive environment, it is not enough to say that safety is the goal. Operators need plain-language disclosure, clean policy language, and operational controls that match what they tell families and staff.
It also raises the standard on data minimisation. The more advanced the tooling, the more important it is to prove that unnecessary collection, broad retention, and casual access have been designed out.
Finally, it raises the standard on vendor governance. If a provider uses a third-party system for CCTV analytics or identity-related processing, the provider still owns the governance risk.
What to review now
- Define the narrowest safety purpose for each CCTV or AI workflow you use or are considering.
- Review signage, family notices, staff notices, and privacy language for plain-English clarity.
- Confirm retention periods, deletion rules, and access permissions for footage and derived outputs.
- Check whether vendor contracts clearly allocate security, breach, audit, and deletion obligations.
- Test whether the system can be explained credibly to a family, a regulator, and a board without hand-waving.
Lunero perspective
This ruling supports a more disciplined market, not a looser one.
Operators who want technology to help them respond faster should avoid over-collection, vague purpose statements, and opaque vendor setups. The strongest position is a tightly bounded system with visible notice, on-prem or controlled processing where appropriate, role-based access, and auditable exports.
In childcare settings, trust depends on more than technical accuracy. It depends on whether the system is proportionate, intelligible, and governable.