New Code for Facial Recognition Technology in New South Wales ups operator responsibility
Summary
New South Wales has published a new Code of Practice for the use of facial recognition technology (FRT) in hotels and clubs to strengthen self-exclusion systems that have historically relied on staff ‘eyesight and memory’. The code links FRT to existing ClubSafe and BetSafe registers and sets standards to support ethical application, privacy protections and operational requirements for venues using FRT.
The code permits one-to-any matching (comparing captured images against large databases) — a method noted as having higher error rates and greater privacy implications than one-to-one matching. It also requires venues to comply with the Australian Privacy Principles (APPs) where applicable, perform Privacy Impact Assessments, store biometric data within Australia, restrict use of data to regulatory purposes (not marketing), and implement technical and procedural safeguards including signage, credentialled installation and minimum internet speeds.
Key Points
- NSW Liquor & Gaming published a voluntary Code of Practice for FRT in hotels and clubs to improve self-exclusion enforcement.
- The code encourages compliance but is not itself a legislative instrument; breaches of the Privacy Act and APPs can still trigger enforcement.
- FRT use will typically be one-to-any matching, which increases error and privacy risks compared with one-to-one systems.
- Venues must perform and retain a Privacy Impact Assessment before installing FRT and update privacy policies accordingly.
- Biometric and exclusion data must be stored exclusively in Australia and separated from other venue data; only minimum necessary information may be kept.
- FRT systems cannot be linked to other venue systems holding biographical or payment data, and must not be used for commercial or marketing purposes.
- Signage provided by Liquor & Gaming NSW must be displayed where FRT is used; displays must meet size and visibility requirements.
- Operational controls include credentialled installation, authorised-staff-only displays, documented access controls and retaining staff training records for five years.
- FRT may also be used for other regulatory obligations such as liquor banning orders or financial-crime related exclusions.
- The code complements wider NSW harm-reduction reforms (eg six-hour daily pokie shutdowns, moves toward cashless gaming and carded play).
Content summary
The NSW code sets out practical steps venues must take when deploying facial recognition to detect self-excluded patrons. Although the code is not a law, it ties FRT use to the Privacy Act and the 13 Australian Privacy Principles, making APP compliance critical for larger organisations and strongly recommended for smaller ones. Venues must conduct Privacy Impact Assessments, store data domestically, separate excluded-patron data, and ensure systems are installed and run by appropriately credentialled personnel.
There are strict limits on data linking and secondary use: biometric information cannot be used for marketing, commercial tracking, or to entice previously excluded patrons back. The code also mandates specific signage and internet-speed requirements, and allows short offline operation during disruptions. Liquor & Gaming NSW can request PIAs and other records, while the Australian Information and Privacy Commissioner retains investigative and enforcement powers under the Privacy Act.
Context and relevance
This code arrives amid broader NSW efforts to reduce gambling harm. For venue operators, compliance changes are substantial: tech providers and legal teams need to be involved early, privacy processes tightened, and staff trained. For vendors of FRT solutions, the code signals demand for systems that limit false positives, store data locally in Australia, and provide auditable privacy controls. Regulators and advocates will watch how FRT deployment balances efficacy in self-exclusion with privacy and accuracy concerns.
Why should I read this?
Short version: if you run a pub or club, or supply tech to them, this affects you now. It tells you what you need to do (PIA, keep data in Australia, no linking to payments, visible signage, credentialled installs) and what you absolutely can’t do (use biometric data for marketing). Read it so you don’t get blindsided by privacy breaches or regulator attention.
Author style
Punchy: this is practical, immediate and matters for operators and suppliers. If you’re involved in venue operations, compliance or FRT provision, the details here change processes and contracts — so treat it as operational guidance, not optional reading.