New Zealand's Office of the Privacy Commissioner (OPC) has recently released a draft Biometric Processing Privacy Code (Code) for public consultation. The consultation period closes on 8 May 2024. The Code proposes legal obligations on agencies that carry out automated processing of biometric information. With biometric processing rapidly becoming commonplace, this is an important opportunity for agencies to engage with the proposed change.
What is biometrics?
Biometrics is generally understood to cover a wide range of measurable details about a person that can be used to identify, assess or make an inference or prediction about them. Under the Code, biometrics includes both physiological biometrics (eg a person's fingerprints, facial structure or retina) and behavioural biometrics (eg gestures, voice, eye movements or a person's pattern of using a digital device).
What does the Code cover?
The Code would regulate any agency that carries out automated biometric processing, subject to certain exceptions (eg the Code would not apply to processing of health information under the Health Information Privacy Code). Like other codes of practice issued under the Privacy Act, it would modify and supplement the standard information privacy principles, so that agencies processing biometric information would apply the Code's rules in place of those principles (while the rest of the Privacy Act would continue to apply).
The focus of the Code is a set of new, significant obligations on agencies collecting and using biometric information, including:
- An agency must, before collecting biometric information, have adopted such privacy safeguards as are reasonable in the circumstances, and must also believe the biometric processing is "not disproportionate" in the circumstances. This will require the agency to consider certain matters, including whether the agency's purpose could be achieved by alternative means, the cultural impacts and effects of the biometric processing, and whether the benefits outweigh the associated "privacy risks" (as defined in the Code).
- An agency collecting biometric information from an individual must provide that individual with both a "conspicuous notice" (eg a notice readily displayed before or at the point of collection) and an "accessible notice" (eg an online notice that provides more detail about the processing - this is conceptually similar to the existing notice obligations in the Privacy Act).
- An agency is prohibited from using biometric classification to infer or detect an individual's health information, their "inner state" or physical state, or any "restricted biometric category" (eg age, race, ethnicity or gender) they belong to, unless one of a few, limited exceptions applies.
As the Privacy Act is principles-based, it is generally considered to be relatively permissive. In comparison, the Code would introduce a relatively prescriptive regime. While more prescriptive privacy legislation mirrors international privacy trends, this could signal a significant change in approach for privacy law in New Zealand. Agencies that use biometric information, or may use it in future, should consider making a submission and keep a close eye on how the Code develops.
If you have any questions about the Code, or if you would like any assistance with preparing a submission on it, please get in touch with one of our team.
This article was co-written by Alex Chapman (senior associate) and Michael Finucane (senior solicitor).