The Office of the Privacy Commissioner (OPC) has announced that an exposure draft of a biometrics code (exposure draft) will be released for consultation in early 2024. The exposure draft will propose new rules for agencies that collect or use biometric information using biometric technology.
This follows the OPC's announcement in December 2022 that it would explore the option of a code to regulate biometrics, and its targeted engagement with key stakeholders earlier in 2023.
Biometric information and technologies
The OPC refers to biometric information as "information about people’s physical or behavioural characteristics (such as a person’s face, fingerprints, voice or how they walk)". Biometric information is considered sensitive personal information and is currently regulated by the Privacy Act 2020.
The OPC refers to "biometric technologies" (such as facial recognition, retinal scans, and voice analysis) as technologies that "analyse biometric information to recognise who someone is, or to work out other things about them (such as their gender or mood)".
What will the exposure draft cover?
The OPC has identified three key proposals that will be effective and workable rules for biometric information:
-
A "proportionality assessment", which would require agencies to carefully consider whether they should collect and use biometric information.
-
"Additional transparency and notification requirements" to place clear obligations on agencies to be transparent and open when collecting and using biometric information.
-
"Purpose limitations" to rule out some reasons for collecting and using biometric information.
These proposals will target the key privacy risks that the OPC views as associated with biometric information, which are unnecessary/high risk collection and use; function and scope creep (where biometrics are collected for one purpose and used for another); and a lack of control or knowledge about the collection and use of biometric information.
The code would apply to all agencies regulated by the Privacy Act 2020 that collect and use biometric information to verify, identify or categorise individuals using automated processing.
Next steps
The OPC will be releasing the biometric code exposure draft in early 2024 and will be seeking submissions on the proposed code. If you would like to be notified when the exposure draft is open for consultation, you can email the OPC (as explained here).
We will also be monitoring developments and will provide a further update when the exposure draft has been released. In the meantime, if you have any questions about how a biometrics code may affect your organisation, please do not hesitate to contact us.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.