The Office of the Privacy Commissioner has been looking at the regulation of biometrics for a couple of years now. In July it published a discussion document on a potential biometrics code of practice and is seeking feedback by 27 August 2023. The current discussion document can be found here.
The discussion document sets out specific proposals being considered by the Privacy Commissioner, and asks targeted questions on them. The Privacy Commissioner is particularly keen to hear views on the workability of its proposals. The discussion document is also useful for some broad notes on what is being done in Europe and Australia in relation to privacy and biometrics.
The discussion document sets out proposed changes to the information privacy principles in the Privacy Act and asks submitters a range of questions. It goes into a lot of detail on each proposal, including explaining the rationale and also giving examples of what would be covered. How the proposals would apply to some existing use cases (eg using biometric IT verification technology for meeting anti-money laundering obligations) is also outlined in the discussion document. For organisations contemplating or already using biometric information, the examples and use cases are useful for determining how that organisation’s use of such information may be impacted.
Some of the key proposals that are being considered for a code are:
- A code would only apply to the use of biometric information (being personal information about an individual’s physiological or behavioural characteristics) in automated processes to confirm or determine identity or learn something else about them, eg facial recognition.
- Collecting biometric information for those automated processes would only be permitted where it is necessary, effective and proportionate, and collection would be prohibited in certain circumstances, eg for targeted marketing.
- Requiring an organisation to provide information on how biometric information is handled by the organisation as part of its notification requirements (and removing some exceptions to those requirements) and also requiring certain information to be made public, such as in relation to privacy impact assessments for the proposed use of biometric information.
- Requiring express consent to the collection of the biometric information and permitting consent to be withdrawn, although certain situations would be exempted (eg to protect health and safety).
- Requiring organisations to have more stringent security safeguards to protect biometric information (eg storing it separately, using strong encryption, regular vulnerability testing, limited access to staff, and auditing of safeguards), to delete raw biometric information once it has been templated, and to take reasonable steps to protect the underlying individual’s information from access by fake or modified biometric information.
- Having organisations undertake initial due diligence on, and ongoing testing and auditing of, the accuracy of any biometric system.
- Only sending biometric information overseas if the organisation is sure the overseas country has similar protections for biometric information.
Following this consultation process, the Privacy Commissioner will consider whether or not to proceed with a code of practice. If it does proceed, a draft code will be released for public comment, meaning there will be a further opportunity to provide comments on proposals. Existing guidance would also be revised.
In the meantime, please get in touch with our corporate team if you would like us to discuss any of these proposals or would like assistance to make a submission on the discussion document.