What you need to know

The increasing use of biometric processing, such as facial recognition software, raises important issues about the privacy implications of the technology. In an effort to address those issues, the Office of the Privacy Commissioner (OPC) has issued an exposure draft of a biometric code of practice, which is open for public consultation until 8 May 2024.

In this article we identify the key features of the draft Code and their potential implications.

What are ‘Biometrics’?

Under the Code, the term ‘biometric information’ encompasses a broad range of information about an individual’s biological or behavioural characteristics. This includes a person’s face, fingerprints, palmprints, voice, eyes (iris or retina) and eye movements, vein patterns, signature, handwriting style, hand geometry, pattern of using any digital device, or gait.

The Code specifically excludes information obtained or inferred from a person’s biological material, genetic material, brain activity or nervous system.

Who does the Code apply to?

The draft Code has a wide application, extending to a range of agencies (eg businesses, organisations and government agencies) that carry out automated biometric processing to recognise or classify people using their biometric information. There are limited exceptions, for example in relation to health agencies and intelligence services.

Key issues for consideration

The OPC has asked that submitters consider three key issues:

  • Proportionality: how to strike a balance between the benefits of biometrics and the risks to privacy they entail;
  • Transparency: the extent to which people should be told when their biometric information is being collected; and
  • Limitations: what biometric technologies should not be used for.

Proportionality

Under the Code, agencies cannot embark upon the use of biometric processing lightly. Before they collect biometric information for processing, they must:

  • have in place reasonable and relevant privacy safeguards, for example measures such as obtaining consent, training staff and carrying out regular audits; and
  • believe on reasonable grounds that biometric processing is proportionate (ie the benefits must outweigh the privacy risks). This involves consideration of six factors, including the degree of privacy risk, whether there are less invasive alternatives and cultural impacts or effects of the biometric processing.

Transparency

The Code would modify the current requirements of the Privacy Act by requiring agencies to ensure that they are transparent about their use of biometric processing. Importantly, agencies using biometrics would need to provide, in addition to a privacy notice:

  • a conspicuous notice, being a clearly visible written or verbal notice given before the information is collected, that makes it obvious that the agency is collecting biometric information for processing and tells people the reason why it is using biometrics; and
  • an accessible notice, being a readily available notice that tells people certain matters about the biometric processing that will be undertaken.

Limitations

Rule 4 of the Code is intended to address concerns about high risk and intrusive use of biometrics. With limited exceptions, it restricts agencies from using biometric classification (a kind of biometric processing) to:

  • collect health information;
  • collect information about a person’s inner state (eg emotional or mental) or physical state (eg tiredness or alertness); or
  • collect information to categorise individuals according to age or restricted categories (eg sex, race, ethnicity, disability and sexual orientation).

What's next?

Compared to other jurisdictions, New Zealand is late to specifically regulate biometrics. Under the GDPR and the Australian Privacy Act 1988, biometric data has special status, meaning that an individual’s explicit consent is generally required before collection.

The OPC’s consultation document rightly reflects that while biometric information is inherently and particularly sensitive, its use is not necessarily inconsistent with privacy and can even enhance it in certain circumstances (for instance the use of facial recognition to access online banking). Striking the balance between the risks and benefits, while keeping compliance costs proportionate, is critical. The consultation is an important opportunity for businesses to have their say.

The cut-off date for consultation is 8 May 2024. As yet, there is no indication from the OPC of expected timing for a final biometrics code.

Get in touch

Please get in touch with our contacts if you would like to know more about how the Code may impact your business or you would like advice or assistance with preparing a submission.

Special thanks to Harrison Brown and Priya Prakash for their assistance in writing this article.
