03.05.2024

Privacy Commissioner releases draft biometrics privacy code

Biometrics is a trending issue and with the development of technology there are consistently more ways biometric data can be used, from replacing a password to identifying repeat shoplifters in a shop. With these developments, issues have started to be identified from a privacy perspective.

In our update late last year, we discussed the Privacy Commissioner’s (Commissioner) intention to release an exposure draft for a privacy code that will govern the collection and use of biometric information in biometric processing in New Zealand.  The exposure draft of the Biometric Processing Privacy Code (Code) and an associated consultation document have now been released.

Biometric information – what is it?

Biometric information relates to a person’s physical and behavioural characteristics.  For example, a person’s facial features, voice, fingerprints, signatures, keystroke patterns, and more.  Biometric information is personal information and is already regulated by the Privacy Act 2020 (Act).  However, the Commissioner considers biometric information to be a special type of personal information that requires specific protection in certain circumstances.

What are the concerns?

The use of biometric information can have great benefits, including convenience and security.  But there are risks too.  The Commissioner has identified risks such as lack of transparency and control, accuracy, bias, and risks relating to surveillance and profiling.  The Code is intended to give some guidance as to how this type of information can be processed and used.  

The Commissioner is seeking feedback on the Code and is asking three main questions:

  • How should organisations have to balance the benefits and disadvantages of biometrics before using them?
  • How and what should people be told when their biometrics are being collected?
  • What are some things that biometrics should not be used for?

So, what exactly does the Code cover?

The new Code is intended to apply to the activity of biometric processing and biometric information (as a class of information for the purpose of that activity).  The Code applies to the use of biometric information to recognise or classify people by way of biometric processing. 

The Code sets out thirteen rules that must be complied with when undertaking biometric processing and collecting, using and disclosing biometric information.  Overall, there are general similarities with the thirteen Information Privacy Principles (IPP) in the Act.  However, some key changes have been suggested.  These include:

Rule 1 of the Code

Rule 1 of the Code places responsibility on organisations to demonstrate that their biometric processing is proportionate.  In the Code, in addition to only collecting biometric information for a lawful purpose, organisations must not collect biometric information for biometric processing unless (1) they believe on reasonable grounds that their biometric processing is proportionate in the circumstances and (2) they have put in place any privacy safeguards that are reasonable in the circumstances. 

Rule 3 of the Code

The proposed Rule 3 would, amongst other things, require organisations to have a clear and obvious notice advising individuals that biometric information is being collected, the specific purposes the biometric information is being collected for and whether there is an alternative option to biometric processing available.  Agencies will also need to have an easily accessible notice that advises individuals of additional information such as the agency’s retention policies, complaints processes, policies, procedures and protocols for the collection and disclosure of biometric information. 

Rule 4 of the Code

The Commissioner wishes to restrict certain unfair and intrusive uses of biometric processing.  Accordingly, Rule 4 of the Code prohibits an agency from collecting information about an individual’s health by way of biometric classification (a type of biometric processing), using biometrics to obtain information about a person’s emotional or physical state or to place individuals into restricted biometric categories e.g., age, race, sex, ethnicity, etc.   

The default position under the Code is that these types of biometric activity are prohibited unless an exception applies.  The intent is that these types of biometric processing will only be used where there are clear benefits.

Find out more

You can find copies of the draft privacy code and consultation document here and any feedback must be emailed to biometrics@privacy.org.nz by 8 May 2024.

If you have any questions or concerns about the changes to come, or about your current privacy practices, feel free to get in touch with our team, to see how we can help.

 

Disclaimer:  The information contained in this article is current at the date of publishing and is of a general nature.  It should be used as a guide only and not as a substitute for obtaining legal advice.  Specific legal advice should be sought where required.

 

 

Do you need expert legal advice?
Contact the expert team at Hesketh Henry.
Kerry
Media contact - Kerry Browne
Please contact Kerry with any media enquiries and with any questions related to marketing or sponsorships on +64 9 375 8747 or via email.

Related Articles / Insights & Opinion

aviation
Sky’s the Limit: ICAO Announces Increase of Airlines’ Limitation of Liability under the Montreal Convention
On 18 October 2024, the International Civil Aviation Organisation (ICAO) announced the liability limits for death, injury, delays, baggage and cargo claims will increase from 28 December 2024 under th...
04.12.2024 Posted in Trade and Transport
Christmas Merry Xmas
Checking it Twice – Health and Safety Considerations for the End of Year Work Function
As the year draws to a close both employees and employers alike are looking forward to the end of the year, and some well-deserved rest and relaxation. Many are also looking to celebrate the year that...
22.11.2024 Posted in Employment & Health & Safety
Duty of care owed by manufacturers of cladding products: Cridge v Studorp Ltd [2024] NZCA 483
The Court of Appeal’s recent decision in Cridge v Studorp Ltd [2024] NZCA 483 confirms that a manufacturer of cladding products owes a non-delegable duty of care to building owners (commercial and...
20.11.2024 Posted in Construction
Contracts of Insurance Act – what’s in store for you?
For our previous articles concerning the Bill, please click here and here. The Contracts of Insurance Act passed into law on 15 November 2024.  Although the Act will come into force over a period of ...
20.11.2024 Posted in Insurance
Will Wide BW
Left out of the will?
The Family Protection Act 1955 (FPA) is a significant piece of legislation in New Zealand that allows certain family members to challenge a will if they believe adequate provision has not been made fo...
19.11.2024 Posted in Private Wealth
Plan fail results in health and safety conviction
Deliver the health and safety work you promise, or there may be legal consequences – as a health and safety consultancy recently learnt! Earlier this year, WorkSafe prosecuted Safe Business Solution...
25.10.2024 Posted in Employment & Health & Safety
Contract stock edit e
Rent reviews
As a tenant or landlord under a commercial lease, your business will be affected by rent reviews during the life of your lease.  Therefore, it is essential that you understand the most common types o...
24.10.2024 Posted in Property
SEND AN ENQUIRY
Send us an enquiry

For expert legal advice, please complete the form below or call us on (09) 375 8700.