Last week the Office of the Privacy Commissioner (OPC) announced that it will issue a Biometrics Code. This is a topic that the OPC has been consulting on for some time, with the last round of consultation on a discussion document taking place in July and August this year. You can view our commentary on the earlier discussion document here.
In making this announcement, the OPC issued a media release outlining the process from here and setting out what the Biometrics Code will likely cover. OPC’s media release can be found here. In this article we discuss the process from here, what to expect from a Biometrics Code and actions that organisations that collect biometrics information can take now.
Consultation steps
OPC has signaled a number of steps that it will follow before a final Biometrics Code is issued under the Privacy Act 2020. The first is for OPC to issue a draft Biometrics Code for consultation. OPC have indicated that this will be early in the New Year. After that a formal version of the Biometrics Code is issued, with a further period of consultation. Then the final Biometrics Code is issued.
Once the final Biometrics Code is issued, it will have the same force as the Privacy Act, so anyone whose collection of biometrics information involves automated processes will need to comply with it.
What can be expected in the Biometrics Code?
The Biometrics Code will cover the collection and use of biometric information to verify, identify or categorise individuals using automated processes. This is an important limitation – the Biometrics Code would not apply to manual processes involving biometric information. This has not changed from the consultation earlier in the year.
However, the areas of focus have reduced. The earlier consultation had canvassed numerous topics. OPC have now said it will focus on just three key areas:
- Collection only in appropriate circumstances
- Transparency of collection
- Limiting the use of biometrics information
Under the first element, a proportionality assessment is being considered. This will require organisations to undertake such an assessment to determine whether or not they should collect and use biometric information. This goes beyond the current requirement under the Privacy Act that information is collected for a lawful purpose connected with a function or an activity of the organisation and that collection is necessary for that purpose. The OPC indicates that the Biometrics Code will set out situations when biometrics information should not be collected. Based on information to date, that is likely to be where collection is too risky, intrusive or for a trifling matter.
The transparency requirement is likely to expand on the current notification requirements in the Privacy Act by requiring specific types of notification, so that individuals are aware that biometrics information is being collected and the purpose for its collection is clear to them. The OPC indicates that this could include the use of signage (eg where cameras collect biometrics information).
Finally, the Biometrics Code is likely to rule out the use of biometrics information in certain circumstances. OPC have indicated that this would cover using biometrics for direct marketing or to infer someone’s health information or mood, subject to exceptions (eg where health services are being provided). More on this can be found in the earlier discussion document, which can be accessed here.
Actions for organisations
If you collect or have future plans to collect biometrics information (eg physiological or behavioural characteristics) and use automated processes (ie using an algorithm to compare or analyse biometric information, such as facial recognition, finger scanning or voice recognition technologies), then you need to review your practices as follows:
- Is the automated process appropriate for what the organisation wishes to achieve?
- Does your privacy policy/statement separately explain the collection and use of biometrics information, and do you have processes in place that make it clear that collection of biometrics information is going to occur?
- Would your use of biometrics information fall into any of the areas that OPC are considering prohibiting (eg using facial analysis to automate the collection of data about the age, gender and ethnicity of people entering an organisation’s premises)?
If you would like help updating your privacy policy/statement or considering if or how the proposed Biometrics Code will apply to you, please get in touch with our privacy law expert, Graeme Crombie.