The Office of the Privacy Commissioner (OPC) published a biometrics position paper in October 2021 stating that it did not need any additional regulatory measures in relation to biometric technology. However, in the context of a number of recent news stories about agencies using, or contemplating use of, biometric technology, eg to allow for easier identification of clients and customers and to enable detection of crime, the OPC now believes that there is a strong case for further work in this area. It is now asking for public and stakeholder feedback on how biometrics (in particular, automated recognition of individuals) should be regulated to protect privacy in Aotearoa.
What is biometric technology?
Biometric technology involves the automatic recognition of individuals based on their biological or behavioural features (for example, by analysing faces, eyes, fingerprints or voices). Biometric information collected using such technology is personal information - and so its collection, storage, use and disclosure is governed by the Privacy Act. While there can be significant benefits to using biometric technology, it involves the collection of information that is based on the human body and, as a result, is considered to be particularly sensitive (especially given that it is very difficult to change). There is, therefore, a higher risk of harm if it is misused or compromised (as the individual can't simply change their biometric data in the same way that they could update a compromised password).
Biometrics and the Privacy Act 2020
The OPC's consultation paper highlights a number of potential concerns in relation to how the Privacy Act addresses the collection, storage, use and disclosure of biometric information, including relating to:
- The sensitivity of the information collected. While the Privacy Act does effectively require consideration of the sensitivity of information (eg agencies must consider whether the relevant protections in place for information are reasonable in the context of the information being collected), unlike other territories (such as the EU and UK) it does not make an express distinction between personal information generally (eg names) and information that is particularly sensitive (eg information about health or ethnicities)
- The implications of biometric technology for Māori. The OPC particularly notes the OPC's Te Tiriti o Waitangi obligations and issues with biometric technology relating to accuracy, bias and discrimination (although, interestingly, the consultation excludes profiling and human rights concerns from its scope)
- Lack of transparency. While the access and disclosure principles in the Privacy Act apply to biometric information, there continues to be a lack of transparency and control for individuals that are subject to biometric recognition (eg practical difficulties in notifying individuals of the collection of such information and disclosing biometric information), which in turn makes it difficult for individuals to challenge decisions based on biometric information (and that may be a critical issue for individuals who are subject to discrimination or bias as a result of the use of biometrics)
- The risk of function creep. As with most information that agencies hold, there is always a risk that information collected for one purpose may, inadvertently or intentionally, be used for another purpose - and where that happens the relevant individual may not be aware of that additional purpose and the necessary safeguards and protections may not be in place.
Consultation
The OPC's preliminary view is that the Privacy Act is not on its own enough to address the risks posed by biometric technology (as summarised above) and is seeking feedback on options that will assist it to protect individuals' privacy without adding any undue compliance burden or overly restricting regulated organisations.
The consultation proposes a number of legislative and non-legislative options, including:
- Further OPC guidance clarifying how it sees the Privacy Act applying in specific contexts or to certain technologies
- Specific technical standards/principles for the use of biometrics. The OPC has proposed that these could be mandatory, but only for those in the public sector
- Introducing a biometrics code of practice under the Privacy Act. This would effectively modify the application of the information privacy principles under the Privacy Act or specify how they apply in a particular context (for example, how the Privacy Act applies to biometric information generally or in a particular context, like facial recognition technology)
- Legislative change, although, as the consultation notes, this is outside of the OPC's remit and would be ultimately in the hands of policy makers.
Next steps
Submissions on the consultation paper are due by 30 September 2022, with the OPC indicating that it will share its findings and a proposed approach by the end of 2022.
We encourage all agencies using or contemplating the use of biometrics technology to engage with this consultation to seek to ensure that its outcomes result in a Privacy Act that contemplates how technology and information are used in practice.
This article was co-written by Alex Chapman (senior associate), Keri Johansson (senior associate) and Lucy Washington Emerson (solicitor).
