Privacy Commissioner Michael Webster is currently exploring whether a privacy Code of Practice is required to regulate the use of biometric information in New Zealand.
Biometric recognition is the automatic recognition of people by technology. This recognition is based on a person’s biological features and can include analysing their face, eyes, fingerprints, voice, signatures, keystroke patterns, odours, and mannerisms, including how they walk. For example, Immigration New Zealand, uses photographs, fingerprints and iris scans to authentic identities and to counter identity fraud.
Biometric information is “personal information” under the Privacy Act 2020 (Act) and therefore its collection, use, security, and disclosure is subject to the protections set out in the Act. The use of biometrics in New Zealand is diversifying. As a result, there is an increased focus on ensuring that New Zealanders and New Zealand businesses can harness the benefits of the technology, but also be protected from potential harm.
In October 2021 the Office of the Privacy Commissioner launched a position paper on how the Act regulates biometrics. In August 2022 the Office conducted a period of broad public engagement with a consultation paper, ‘Privacy Regulations of Biometrics in Aotearoa New Zealand’.
In the 100 submissions, many broadly agreed with the Office’s concerns about biometrics. The key concerns were that biometric information is sensitive information which is unique to the individual and difficult to change, so it needs careful protection. Other concerns focused on the risks of discriminatory impacts from the use of biometrics, particularly on Māori. While there were mixed views on the most appropriate type of intervention, Privacy Commissioner Michael Webster concluded that “what was clear is that something more needs to be done”.
The Act allows the Privacy Commissioner to issue a code of practice in relation to the Information Privacy Principles (IPP) at any time. These codes modify the Information Privacy Principles (IPP) under the Act and set rules for specific industries, organisations, or types of personal information. There are currently six codes of practice, including the Civil Defence National Emergencies (Information Sharing) Code 2020 and the Health Information Privacy Code 2020.
Arguably, New Zealand is a bit late to the party as overseas in the USA, Illinois, Texas and Washington each have a biometric-specific privacy law. In February 2023 the Illinois Supreme Court issued two rulings involving the Illinois Biometric Information Privacy Act 2008. Following these decisions there has been a legislative push in the USA, resulting in nine proposed bills in other states, including New York and Tennessee as of 15 March 2023.
What happens next in New Zealand is that there will be a round of targeted engagement with agencies and people who are interested in this field about what might be in a code. The Commissioner will then decide whether to progress with a Code of Practice. If that happens, then the Commissioner has said that “We will be actively encouraging the public to take part in the consultation period because the use of biometric information will affect us all”. “Advances in technology can offer great benefits, but it’s important the benefits are enabled for all and the public are safe-guarded against risk.”
Please get in touch if you would like to discuss any privacy related queries, including workplace privacy policies and the protection of employee’s personal information.