The Office of the Privacy Commissioner (OPC) has released an exposure draft of a biometrics code (exposure draft) for consultation. The exposure draft proposes new rules for agencies that collect or use biometric information for biometric processing.
Biometric information and biometric processing
The OPC refers to "biometric information" as "information about people's physical or behavioural characteristics (such as a person's face, fingerprints, voice or how they walk)". The OPC views biometric information as sensitive information because it is based on the human body and is intrinsically connected to who a person is.
"Biometric Processing" is defined in the exposure draft as including "the identification, verification and classification of biometric information".
Applicability of the biometrics code
The biometrics code would apply to all agencies regulated by the Privacy Act 2020 that collect and use biometric information to verify, identify or categorise individuals using automated processing. Such agencies will only have to comply with the code (rather than the information privacy principles (IPPs) under the Privacy Act 2020) in relation to Biometric Processing.
Agencies that process biometric information in a manner not covered by the code (eg through manual processing) will remain subject to the IPPs.
The code would not apply to health agencies that are covered by the Health Information Privacy Code. However, non-patient biometric information collected by a health agency is not considered health information and would be covered by the biometrics code.
Differences between the IPPs and the exposure draft
In the exposure draft, the OPC has focussed on three main modifications to the IPPs:
- Rule 1 of the exposure draft goes beyond IPP 1 (the requirement to only collect personal information where necessary for a lawful purpose) by only permitting an agency to collect biometric information if it is "proportionate" (i.e., if the benefits outweigh the "privacy risks" (as defined in the biometrics code)). That agency must also have reasonable and relevant privacy safeguards in place.
- Rule 3 of the exposure draft goes beyond IPP 3 (the requirement for agencies to take reasonable steps to tell individuals why their personal information is being collected) by requiring:
  - a "conspicuous notice" to ensure the relevant individual is aware: (a) that biometric information is being collected; (b) the purpose for which it is being collected; and (c) whether there is an alternative option to Biometric Processing that is available to the individual; and
  - an "accessible notice" to make the relevant individual aware of other matters such as rights of access to, and correction of, biometric information and the individual's right to complain to the Privacy Commissioner.
- Rule 4 of the exposure draft goes beyond IPP 4 (the requirement to collect personal information in a lawful, fair and not unreasonably intrusive manner) by restricting an agency from using biometric classification (being the use of biometric information to infer other information about a person or categorise them into groups) to collect information about (for example) an individual's health, inner state or physical state (subject to certain exceptions).
Biometrics and Māori data
The OPC acknowledges in its consultation paper that biometric information holds cultural significance to Māori, that it relates to whakapapa, and that it carries the mauri of the person it was taken from.
The OPC considers that the best way to protect Māori interests is to strengthen the protections overall in respect of biometric data. However, it has also built in specific requirements in the exposure draft to address specific concerns of Māori, for example:
- requiring agencies to take into account the cultural impacts and effects of biometric processing on Māori (Rule 1(2)(e));
- requiring agencies not to use or disclose biometric information without taking reasonable steps to ensure such information is accurate and not misleading (Rule 8);
- including, as an example of a privacy safeguard (which must be implemented pursuant to Rule 1), that where relevant and practicable an individual may have to provide informed consent to authorise the biometric processing (Paragraph 3(a) of Part 1); and
- putting limits on intrusive uses of biometric classification under Rule 4 (as explained above).
Next steps
After consultation on the exposure draft (which ends on 8 May 2024), the OPC will consider the feedback and may make some changes to the draft biometrics code. There will then be another period of consultation before the code is issued under the Privacy Act 2020. The date of commencement of the code has not yet been set.
You can view a full copy of the exposure draft and the consultation document here:
Submissions on the exposure draft should be emailed to the OPC at [email protected].
If you have any questions about the exposure draft or how a biometrics code may affect your organisation, please do not hesitate to contact us.