Code will affect Privacy Act's governance of using employees’ biometric information
The Office of the Privacy Commissioner (OPC) announced on 23 November 2023 that they will be seeking consultation on an exposure draft of a privacy code for the collection of biometric information. It is expected that a draft biometrics privacy code will be released in early 2024, with submissions opening at the same time. The OPC’s announcement can be read here.
Biometric information is information about a person’s physical or behavioural features. This includes a person’s voice, fingerprints, face, or how they walk. Biometric information is used to identify a person based on these features using biometric technology. As these features are unique to each person, they form a very sensitive category of personal information which can be exploited to impersonate someone online.
The OPC is particularly concerned about unnecessary or high-risk collection, biometric information being collected for one purpose and then used for another, and a lack of control or knowledge on how individual biometric information is being collected and used.
What will the biometrics privacy code include?
The draft privacy code will change how some of the principles in the Privacy Act apply when agencies use technology to analyse biometric information. The code will focus on three requirements to address the key privacy risks associated with biometric information. The requirements are:
- A proportionality assessment: Agencies collecting biometric information would be required to consider whether the purpose of their collection of biometric information outweighs the invasion of privacy and disclosure risks. If there is a high amount of risk, or the use is intrusive, the biometric information should not be collected.
- Transparency and notification requirements: Agencies collecting biometric information would be required to clearly and openly notify individuals, as well as the general public, about the collection of biometric information. Suggestions from the OPC include using plain English and having clear signage where biometric information will be collected.
- Purpose limitations: The code would create limits on the purposes for collecting and using biometric information. The OPC’s earlier guidance document gave examples of such limits, including limits on using biometric information for direct marketing purposes or to gather information about someone’s mood or health.
The biometrics privacy code would apply to all agencies regulated by the Privacy Act 2020 who collect and use biometric information using automated processes (for example, facial recognition) to identify or classify individuals. Health information under the Health Information Privacy Code 2020 would not be covered, nor would genetic information, neurodata (relating to the brain) and information that is not about an identifiable individual – i.e. data that falls outside the definition of personal information.
When will the code take effect?
The OPC has indicated that an exposure draft of the code will be released in early 2024, with submissions opening at the same time. Following public submissions, the OPC will consider the views and make any changes to the code before submitting it for formal consultation. The final code will then be issued once formal consultation is concluded.
The biometrics privacy code will have a significant impact on any agency that collects or uses biometric information. We will closely watch the development of the biometrics code of practice and will continue to provide guidance on the proposed obligations and requirements of the code once the initial exposure draft has been released in 2024.
Suzy McMillan is a senior associate and Thomas Anderson is a law clerk, both at MinterEllison RuddWatts in Auckland.