Research undertaken by CHOICE in Australia indicates that major Australian retailers (including Kmart and Bunnings) have been using facial recognition technology in their stores with the intent of preventing theft and anti-social behaviour. While many might be sympathetic to those goals, in New Zealand the use of CCTV and/or facial recognition does present potential compliance issues with the New Zealand Privacy Act 2020. In particular:
- Personal information can only be collected for a lawful purpose and the collection of personal information must be necessary for that purpose. This is particularly important with facial recognition which collects sensitive biometric information. This means that agencies need to think carefully about what problem they are seeking to address by using CCTV and/or facial recognition and whether CCTV and/or facial recognition is in fact the best answer to that problem. For example, are there other, less invasive options that could be used instead? In addition, and as we have written about before, facial recognition technology is far from perfect and relies heavily on the quantity and quality of the data fed into it. The potential for misidentification and error rates due to gender and racial biases in algorithms are known to be high, even with the best facial recognition software, with disproportionately higher error rates among certain ethnic and racial groups - which may lead to unintended but potentially catastrophic consequences. These issues can make it difficult for agencies to ensure that the personal information that they are using is accurate, up to date, complete, relevant and not misleading (as required by the Privacy Act). In this context, and as the Office of the Privacy Commissioner has recommended, privacy impact assessments can be a useful tool to help agencies assess the problem at hand and the appropriateness of the proposed solutions (both at the outset and on an ongoing basis).
- When an agency collects personal information, it needs to make sure that the relevant individuals are aware of that collection. In addition, personal information must be collected by means that are fair in the circumstances and do not intrude to an unreasonable extent upon the personal affairs of the individual concerned. This also applies to the use of CCTV/facial recognition. The research in Australia indicates that the stores using facial recognition had physical signs at the entrance of the stores to inform customers about the use of this technology, but the signs would likely have been missed by most customers. In the New Zealand context, agencies will need to be careful about how they communicate the use of CCTV/facial recognition to individuals - limited or small signs at an entrance way may not be sufficient to address the requirements of the Privacy Act. Further, depending on the circumstances in which CCTV/facial recognition technology is used, even if there is clear signage, that may not be enough to make the collection justifiable (eg the Office of the Privacy Commissioner has previously held that a camera placed in the toilet area of a pub collected information in an unreasonably intrusive way, and that signage would not have remedied this).
- If an agency has collected personal information via CCTV and/or facial technology, it will need to ensure that the information is kept secure, that it is accurate and that it is not held for any longer than is necessary. In practice, this means restricting who can see and use the information (including by keeping logs of who accesses it) and then destroying the information once it is no longer necessary for the purpose for which it was originally collected. Agencies will also need to consider how they can respond to access requests for this information.
- Finally, the context in which CCTV/facial recognition is used is important. For example, agencies should also consider their obligations from an employment law perspective in relation to their employees. Similarly, in the law enforcement context, agencies need to consider the regulatory framework within which they operate and social licence that they may have (if any) to use such technology.
Why is this important?
While an offence under the Privacy Act has a relatively limited fine (of NZ$10,000), there is a considerable public relations risk to poor privacy practices. In this context, it is of note that the Office of the Privacy Commissioner's Privacy Concerns and Sharing Data 2020 survey found that 41 per cent of people over 18 years old were concerned about the use of surveillance cameras (and the CHOICE research in Australia found that 78% of survey respondents were concerned about the storage of faceprint data).
If you would like to know more about this topic, the Office of the Privacy Commissioner has recently collated its guidance on its website regarding CCTV or you can get in touch with a member of our team.
