Busting Myths - Biometric Privacy in New Zealand

Monday 13 May, 2024

To celebrate Privacy Week 2024 and the theme of Busting Privacy Myths, we willl be spotlighting some current privacy issues of interest and busting some myths! Today we will look at biometrics and the draft Biometric Processing Privacy Code (the Code) recently released by the Office of the Privacy Commissioner (OPC).

The proposed Code will apply to all organisations that collect biometric information for biometric processing (i.e. to recognise or classify people using their biometric information). The OPC defines biometrics as “physical and behavioural characteristics (face scans, fingerprint scans, voice recordings) that can be used to identify individuals”.

Let’s bust some myths about biometrics and the proposed Code.

Myth One: The Privacy Act 2020 does not cover biometric information

Reality: The Privacy Act 2020 comprehensively covers personal information, which includes biometric data often used in biometric technology. The Act applies to any form of personal information, whether collected digitally or physically. However, the Privacy Commissioner considers biometric information to be a special type of personal information requiring additional protection in the form of a standalone code of practice.

Myth Two: Once the Code comes into force, organisations will be able to collect my biometric information without my knowledge.

Reality: Organisations will be required to notify individuals conspicuously, either in writing or verbally, before any information is collected. Such notice has to make it obvious that the organisation is collecting your biometric information for processing and the reasons for the collection of your biometric data.

Myth Three: The Code will allow every organisation to collect biometric information for processing.

Reality: Before collecting biometric information, an organisation will have to believe on reasonable grounds that biometric processing is “proportionate” and that the benefits outweigh the privacy risks. Six specific factors need to be considered in considering proportionality. An organisation cannot merely decide to start collecting biometric information.

Myth Four: Under the Code, informed consent is required before biometric information is collected, as is required in Australia and the EU.

Reality: No. The current version of the Code removed the requirement of informed consent as it was considered that obtaining informed consent would be too difficult in practice.

Myth Five: Once the Code is in force, there will be a transition period for compliance.

Reality: If the Code comes into effect in its current form, organisations that want to start processing biometric information will have to comply with the Code immediately. Organisations that already conduct biometric processing will have 6 months to comply.

The proposed Code represents a proactive step by New Zealand to address the complex privacy issues surrounding the use of biometric technologies.

If you are unsure whether the Code will be relevant to your organisation, or how it may affect your business, please contact one of our experts listed below.