These scenarios are examples of how an agency might apply rule 2 in context.
Topics covered: direct collection would be prejudicial to the individual’s interests, not reasonably practicable to collect the information directly from the individual.
The Gambling Act places a duty on venue managers to assist problem gamblers, including by issuing an exclusion order under the Gambling Act in some circumstances. A gaming venue plans to use FRT to help enforce exclusion orders under the Gambling Act. It will use stills from the video footage captured by the venue’s existing CCTV system if the quality is high enough (direct collection).
If the venue does not have an existing sample that is high enough quality to use, it may ask the individual for a photo to include (direct collection).
The venue considers any indirect collection on a case-by-case basis. Some situations that could justify indirect collection are:
Fingerprint scan for Multi Factor Authentication (MFA)
Topics covered: Using a third-party provider.
A business has access to highly sensitive information. It wants to ensure only the correct staff members have access to a limited, highly restricted database. It decides to implement a multi-factor authentication system using employee fingerprints.
Most employees are based in the business’s main office. The employer decides to collect employee fingerprints directly in the main office on certain days.
A few employees work remotely. The business gives its remote employees the option between travelling to the main office or having their fingerprint samples taken by a third-party provider. Using a third-party provider in this way is still considered direct collection by the business.
Collection of voice sample and behavioural biometric information
Topics covered: Direct collection, fraud prevention.
A bank uses a voice recognition system for customer phone calls and also collects behavioural information based on how the customer interacts with the mobile app and website, e.g. keystroke logging and mouse and finger movements. This information is used to create a customer profile and generate an alert if there is a noticeable change in voice or behaviour that could indicate fraud. This information is collected directly from customers when they interact with the bank.