03.05.2024

Privacy Commissioner releases draft biometrics privacy code

Biometrics is a trending issue and with the development of technology there are consistently more ways biometric data can be used, from replacing a password to identifying repeat shoplifters in a shop. With these developments, issues have started to be identified from a privacy perspective.

In our update late last year, we discussed the Privacy Commissioner’s (Commissioner) intention to release an exposure draft for a privacy code that will govern the collection and use of biometric information in biometric processing in New Zealand.  The exposure draft of the Biometric Processing Privacy Code (Code) and an associated consultation document have now been released.

Biometric information – what is it?

Biometric information relates to a person’s physical and behavioural characteristics.  For example, a person’s facial features, voice, fingerprints, signatures, keystroke patterns, and more.  Biometric information is personal information and is already regulated by the Privacy Act 2020 (Act).  However, the Commissioner considers biometric information to be a special type of personal information that requires specific protection in certain circumstances.

What are the concerns?

The use of biometric information can have great benefits, including convenience and security.  But there are risks too.  The Commissioner has identified risks such as lack of transparency and control, accuracy, bias, and risks relating to surveillance and profiling.  The Code is intended to give some guidance as to how this type of information can be processed and used.  

The Commissioner is seeking feedback on the Code and is asking three main questions:

  • How should organisations have to balance the benefits and disadvantages of biometrics before using them?
  • How and what should people be told when their biometrics are being collected?
  • What are some things that biometrics should not be used for?

So, what exactly does the Code cover?

The new Code is intended to apply to the activity of biometric processing and biometric information (as a class of information for the purpose of that activity).  The Code applies to the use of biometric information to recognise or classify people by way of biometric processing. 

The Code sets out thirteen rules that must be complied with when undertaking biometric processing and collecting, using and disclosing biometric information.  Overall, there are general similarities with the thirteen Information Privacy Principles (IPP) in the Act.  However, some key changes have been suggested.  These include:

Rule 1 of the Code

Rule 1 of the Code places responsibility on organisations to demonstrate that their biometric processing is proportionate.  In the Code, in addition to only collecting biometric information for a lawful purpose, organisations must not collect biometric information for biometric processing unless (1) they believe on reasonable grounds that their biometric processing is proportionate in the circumstances and (2) they have put in place any privacy safeguards that are reasonable in the circumstances. 

Rule 3 of the Code

The proposed Rule 3 would, amongst other things, require organisations to have a clear and obvious notice advising individuals that biometric information is being collected, the specific purposes the biometric information is being collected for and whether there is an alternative option to biometric processing available.  Agencies will also need to have an easily accessible notice that advises individuals of additional information such as the agency’s retention policies, complaints processes, policies, procedures and protocols for the collection and disclosure of biometric information. 

Rule 4 of the Code

The Commissioner wishes to restrict certain unfair and intrusive uses of biometric processing.  Accordingly, Rule 4 of the Code prohibits an agency from collecting information about an individual’s health by way of biometric classification (a type of biometric processing), using biometrics to obtain information about a person’s emotional or physical state or to place individuals into restricted biometric categories e.g., age, race, sex, ethnicity, etc.   

The default position under the Code is that these types of biometric activity are prohibited unless an exception applies.  The intent is that these types of biometric processing will only be used where there are clear benefits.

Find out more

You can find copies of the draft privacy code and consultation document here and any feedback must be emailed to biometrics@privacy.org.nz by 8 May 2024.

If you have any questions or concerns about the changes to come, or about your current privacy practices, feel free to get in touch with our team, to see how we can help.

 

Disclaimer:  The information contained in this article is current at the date of publishing and is of a general nature.  It should be used as a guide only and not as a substitute for obtaining legal advice.  Specific legal advice should be sought where required.

 

 

Do you need expert legal advice?
Contact the expert team at Hesketh Henry.
Kerry
Media contact - Kerry Browne
Please contact Kerry with any media enquiries and with any questions related to marketing or sponsorships on +64 9 375 8747 or via email.

Related Articles / Insights & Opinion

Property
Make Your Premises Good Again
With all the time, effort and cost that goes into taking on a new lease of commercial premises, what happens when it comes time to move on can seem unimportant. It is not surprising, then that make-go...
25.06.2025 Posted in Property
Flooded car
Flooding due to overland flow paths and damaged drainage
Persistent heavy rainfall across the country often results in damage to property due to flooding caused by overland flow paths and defective drainage.  But who is responsible for the cost of the dama...
17.06.2025 Posted in Climate Change & Property
Understanding Indirect Privacy Notification: What you need to know
The Privacy Amendment Bill (the Bill), if passed into law, will require agencies to notify individuals when their personal information is collected from a source other than the individual themselves, ...
16.06.2025 Posted in Corporate & Commercial & Employment
iStock  Succession Plan medium
Family Ties: Intra-Family Succession and Exit Planning
As the second instalment in a series of articles looking at the generational wealth transition and its impacts on business succession in New Zealand, Ben Hickson (partner, Corporate & Commercial...
16.06.2025 Posted in Corporate & Commercial & Private Wealth
Employment law at a glance – June 2025
If you are anything like us, you will be shocked to realise that we are halfway into 2025. As time has been marching on, so too have employment law developments – and there have certainly been quite...
05.06.2025 Posted in Employment
HH Pg  Forrest uncropped
ETS Update: Climate Change Commission recommends minor tweaks to ETS Settings
Last month, He Pou a Rangi Climate Change Commission (the Commission) released its annual advice to the Government on the Emissions Trading Scheme (ETS) settings for the period 2026 to 2030 (Advice)....
HS Scrabble Med Crop Vignette
Health and safety learnings for landowners following latest Whakaari decision
The leasing and subleasing of land, buildings and infrastructure is commonplace in New Zealand business and commerce, but what happens when something goes wrong? Do landowners have health and safety o...
08.05.2025 Posted in Health & Safety
SEND AN ENQUIRY
Send us an enquiry

For expert legal advice, please complete the form below or call us on (09) 375 8700.