Exposure draft of Biometric Processing Privacy Code released
Last week, the Office of the Privacy Commissioner (OPC) released an exposure draft code of practice for the use of biometrics (Code).
The OPC is seeking feedback on the draft Code prior to 8 May 2024.
How does the Code apply?
The Privacy Act 2020 (Act) regulates the collection and use of personal information generally; however, New Zealand doesn’t currently have specific rules governing biometrics.
Codes of practice made under the Act modify the Act’s existing information privacy principles (IPPs) to set more specific, and often more stringent, rules for specific industries or types of personal information.
In this case, the Code would apply to businesses and organisations that collect biometric information for biometric processing (i.e. to recognise or classify people using their biometric information).
The Code will not apply to health agencies that are covered by the existing Health Information Privacy Code 2020.
What is biometric information?
Biometric information refers generally to people’s physical or behavioural features like their face, fingerprints, or voice. The Code’s definition of biometric information currently includes:
- information about physiological biometrics (e.g. face, fingerprint);
- information about behavioural biometrics (e.g. voice, gait);
- biometric samples or templates;
- biometric results.
Key changes
Feedback received during the OPC’s first public consultation on biometrics was heavily weighted in favour of keeping the IPPs flexible and technology neutral. Accordingly, the Code has focused on limited changes to specific IPPs.
The key changes are in rules 1, 3 and 4 of the Code:
- Rule 1: In addition to the existing requirements of IPP 1:
  - an agency must only collect biometric information if it is proportionate – the benefits outweigh the privacy risks; and
  - agencies collecting biometric information for processing must put in place reasonable privacy safeguards.
- Rule 3: Agencies using biometrics are subject to additional transparency obligations, including prescribed requirements for conspicuous and accessible notices. Such notices must be presented independently of any general privacy statement.
- Rule 4: To help prevent unfair or intrusive uses of biometric information, additional restrictions have been placed on certain types of biometric processing. Agencies must not use biometrics to collect information about an individual’s health, mood or emotions, physical state and other restricted categories.
How can we help?
The Code will place significant additional compliance obligations on any organisation looking to implement biometric technologies.
If you are seeking guidance on the application of the Code to your business, or have any queries about the OPC’s feedback process, please get in touch with our specialist Technology & Digital team.