OPC releases position on biometrics regulation

On 7 October 2021, the Office of the Privacy Commissioner (OPC) released its paper Office of the Privacy Commissioner position on the regulation of biometrics (Paper). The Paper was written following feedback from a range of sources, such as Digital Identity New Zealand, representatives on the Cross-Government Biometrics Group, and various university researchers. The Paper discusses biometrics in the context of the Privacy Act 2020 (Privacy Act). The Paper can be accessed here.

In this article we summarise the areas discussed in the Paper, including defining biometrics, and outline key takeaways from the Paper.

What are ‘biometrics’?

The Paper defines ‘biometric recognition’ (shortened to just ‘biometrics’) as the ‘automated recognition of individuals based on biological or behavioural characteristics’. To assess this in a privacy context, biometric information then needs to be defined. The Paper defines biometric information as ‘information about an individual’s biological or behavioural characteristics: for example, a fingerprint pattern or a digital template of that pattern’.

Considering this definition, it is easy to recall examples of biometrics in action: facial recognition to unlock your phone, Google Home voice recognition, and (while international travel is less prominent than it once was) the use of Smartgates at airports. Last year there were various articles in relation to the trialling of biometrics by the New Zealand Police and reported use in various retail outlets in New Zealand.

Given this definition, the Paper naturally concludes that biometric information is personal information and so is covered by the Privacy Act.

What does the Paper consider?

The Paper is a good read for organisations wanting to know more about the interface of biometrics and privacy.  The Paper does this by discussing the following key areas:

  • the importance of considering perspectives from Te Ao Māori, in respect of which OPC notes it will “partner with Māori to identify, understand, and address these issues through the development of a kaupapa Māori framework”;
  • how biometrics are used for verification, identification and profiling, including examples of biometrics in action;
  • how biometrics technology works;
  • outlining concerns about the use of biometrics, particularly given the sensitivity of the information and a general lack of transparency, and potential uses for surveillance/profiling, using information for new functions, and risks around bias and discrimination;
  • listing various legal and ethical frameworks for the use of biometrics, including outlining guidelines, treaties, legislation and other principles that are relevant;
  • how the Privacy Act applies to biometric information, including analysing this in the context of each of the 13 information privacy principles (IPPs); and
  • how OPC will approach the regulation of biometrics in relation to privacy.

The Paper’s analysis of the IPPs is particularly useful for any organisation wanting guidance on how OPC will assess each IPP where biometrics are concerned, eg noting the importance of choice around collecting biometric information. This section also includes some suggestions on how organisations may comply with IPP requirements, eg the use of signs where there is an area that uses facial recognition technology.

The section on other relevant legal and ethical frameworks is also useful for organisations wanting to understand what else needs to be considered or where further guidance can be sought when contemplating biometrics.

We also note that OPC concludes that, at this time, the IPPs and other tools OPC can use in the Privacy Act are sufficient protection for biometric information and further privacy regulation is not required.

Key takeaways

The final section of the Paper (together with commentary from the IPP analysis) provides an insight into OPC’s expectations for organisations contemplating the use of biometrics.

The first is that any organisation intending to utilise biometrics is expected to undertake a Privacy Impact Assessment (PIA) to aid in the identification of any potential risks arising from the proposed collection, use or handling of personal information and to find out if they are meeting their legal obligations. In particular, the PIA should:

  • consider whether the use of biometrics is justified;
  • explain how the system will meet that agency’s needs and how any privacy impacts may be mitigated;
  • consider all legal and ethical frameworks relevant to the proposed use, and not just the Privacy Act (eg New Zealand Bill of Rights Act 1990).

The Paper notes that any PIA in favour of using biometrics should articulate a ‘strong business case’ for this. Given the ever-developing nature of biometrics, the PIA must also be updated for any changes in relation to the biometrics use case.

In addition to the standard PIA process, OPC expects organisations to consider the following questions as well:

  • Has the sensitivity of biometric information been considered?
  • Is the proposed use of biometrics targeted and proportionate?
  • Have perspectives from Te Ao Māori been taken into account?
  • Have relevant stakeholders been consulted?
  • Will alternatives to biometrics be provided?
  • How will transparency about the use of biometrics be provided?
  • What forms of human oversight are required?

Where an organisation implements a vendor’s biometrics system, OPC expects due diligence to be undertaken, such as ensuring accuracy claims made by vendors are subject to independent validation.

OPC also expects organisations to have a plan detailing how they will appropriately safeguard the biometric information they hold. The plan should be developed from the PIA and an information security risk assessment and be regularly audited.

Steps moving forward

Biometrics is a fast-moving area. Accordingly, OPC intends to review the Paper in April 2022.

We also note that the newly introduced Digital Identity Trust Framework (reported on here), and EU limits on artificial intelligence (as they extend to AI using biometrics, reported on here) are also likely to impact the development of how biometrics are regulated.

We will look to provide an update as this area of privacy law develops.

In the meantime, if you are considering biometrics and would like assistance considering how the Paper’s guidance impacts on your privacy obligations, please contact a member of Lane Neave’s Privacy Law Team.


Graeme Crombie