Liquor & Gaming NSW has developed a voluntary Code of Practice: Facial Recognition Technology in Hotels & Clubs (the Code) to set out expectations and provide guidance for hotel and clubs with gaming machines on the responsible and appropriate use of FRT to identify patrons that have excluded themselves.
The requirements in the Code are intended to apply to venues that already use FRT voluntarily, or those considering installing FRT for exclusion purposes.
The Code sets out robust requirements on system operation, privacy, data handling and security, as well as staff responses to FRT matches, to ensure the protection of patrons’ privacy and personal information.
The Code does not apply to FRT for anti-money laundering purposes, or for use of FRT for non-exclusion purposes, such as for venue security or staff sign-in systems.
Although the Code is voluntary, compliance with the Code is encouraged. As noted in the Code, venues should also seek independent legal advice to ensure their FRT use complies with their legal obligations as it relates to their individual circumstances.
The Code sets out best practice requirements that venues are expected to meet in relation to:
The Code also includes a separate checklist of technical specifications and statutory declaration form for venues to give to their FRT provider.
The Code was developed with consideration to aligning with requirements under Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs). Further, the Code was subject to several rounds of public and targeted consultation with key stakeholders, including with cybersecurity and privacy experts, such as Office of the Australian Information and Privacy Commissioner (OAIC) and Cyber Security NSW.
Facial recognition technology is a computer system or device capable of matching the features of a human face based on a live image against an existing image from a digital database.
Facial recognition technology (FRT) uses proprietary algorithms to analyse facial image scans by measuring unique facial features and the distances between them. These measurements are encoded into a biometric template, which compares the image on the digital database and identifies a potential match.
FRT enables the automatic identification of patrons on an exclusion database when they enter a venue or a gaming area, supporting staff in busy or crowded venues where manual identification can be difficult.
Importantly, FRT does not replace staff responsibilities; it supplements existing processes for identifying and managing excluded patrons.
No, it is voluntary. The NSW Government has committed to mandating FRT in all hotels and clubs with gaming machines to support broader gaming reform initiatives, including a statewide exclusion register (under development) and third‑party exclusions.
The voluntary Code has been developed in consultation with stakeholders and is an interim step toward meeting the NSW Government’s commitment for mandatory facial recognition to support the statewide exclusion register.
Regulatory approval to voluntarily install and operate FRT in venues is not currently required. Accordingly, as a voluntary scheme Liquor & Gaming NSW does not keep a list of suitable FRT providers.
Installation of an FRT system should follow the requirements set out under Section 2 Installation and Controls of the Code. Attachment A of the Code contains the technical installation requirements.
Liquor & Gaming are currently considering signage options for use by venues and will notify licensees when this becomes available.
Venues that follow the Code should display FRT signage provided by Liquor & Gaming NSW (when available) where:
Venues that use FRT must have a privacy policy that complies with the Privacy Act 1988 (Commonwealth). Under the Australian Privacy Principles (APPs), entities that collect personal information must disclose what personal information it collects, such as biometric data.
Venues should refer to the OAIC’s Guide to developing an APP privacy policy for further information.
Under the Code authorised staff should be trained on the Code requirements before accessing the FRT system or related devices, with FRT providers responsible for training staff on system operation.
While the Code does not mandate specific training content, training should ensure staff understand their roles, privacy obligations and how to operate FRT, supported by practical exercises such as responding to alerts, verifying patron identity, managing incidents and escalating issues.
Venues must retain staff training records for at least five years, including attendance and course details, and are encouraged to keep versioned copies of training materials.
Although refresher training is not mandatory, venues should consider it where breaches or complaints occur, new legal requirements are introduced, or the FRT system is significantly modified.
While every effort has been made to list the requirements in plain English, in some instances, the technical nature of FRT systems makes this a challenge.
The separate checklist at Attachment A is designed to shift some of the responsibility for more technical specifications from venues to FRT providers.
If uncertain of any requirements, venues should liaise with their own IT or FRT provider to confirm they are compliant, or otherwise seek clarification by contacting the Liquor & Gaming NSW Hospitality Concierge. For privacy related matters venues should contact the Office of the Australian Information Commissioner.
While the Code is in effect from 18 March 2026, as a voluntary code, it is recognised that it may take some time for venues to comply with the requirements. As the Code is an interim step towards mandatory FRT, it provides industry with requirements to work towards.
Venues that currently use FRT voluntarily should take steps, as soon as possible, to ensure their existing system is compliant with the Code or develop an implementation plan to reach compliance in the future.
The Code sets out minimum standards that the NSW Government expects venues to meet when operating FRT. The code is not mandatory, and it is not an offence if a venue breaches the Code. However, the Government strongly encourages all venues to ensure they are compliant with the Code and best practice use of FRT.
However, venues need to meet their obligations under the Privacy Act 1988 (Cth). Where there are breaches of the Privacy Act this could be subject to potential investigation and enforcement action by the Office of the Australian Information Commissioner. Compliance with the Code will help venues to meet their obligations under Commonwealth privacy legislation.
Following the Code provides clear benefits for hotels and clubs using FRT by helping them manage ethical and privacy risks, navigate complex public concerns, and build trust with patrons and the broader community, even though compliance is not mandatory.
If you have any accessibility feedback or concerns related to this resource, please contact us.
