While many would not think twice about using finger scanning and facial recognition technology to unlock their smart phones, the increasing use of the same technology to enter a workplace or gym, for example, has led to calls for greater regulation of biometrics in New Zealand.

Biometrics can have convenience, efficiency and security benefits for an organisation or individual, however they can also create significant risks. The Privacy Commissioner, Michael Webster, explains these risks could include “surveillance and profiling, lack of transparency and control, and accuracy, bias and discrimination.”

The Office of the Privacy Commissioner (OPC) recently announced it was seeking public feedback on whether biometrics should be further regulated in New Zealand. In addition to consulting with the public, the OPC will also engage with key stakeholders, including Māori experts and organisations using biometric information. The consultation is open until 30 September 2022

What you need to know

• The OPC’s preliminary view is that the current approach to regulating the treatment of biometric information in New Zealand is no longer sufficient amidst concerns such as when sensitive biometric information collected for one purpose is used for another (function creep).
• Potential further regulation of biometrics comes as no surprise in light of calls that the treatment of biometric information in New Zealand needs to be consistent with our international partners. Privacy advocates argue that the law on treatment of biometric information should be robust and require a higher degree of scrutiny and compliance.
• Employers currently using or seeking to introduce biometric technologies will need to consider how any further regulation of biometric information may impact their overlapping employment obligations.

What are Biometrics?

The OPC defines biometrics (or biometric recognition) as the fully or partially automated recognition of individuals based on biological or behavioural characteristics. These characteristics can include a person’s face, fingerprints, voice, eyes (iris or retina), signature, hand geometry, gait, keystroke pattern or odour. Biometric information can also include a facial image, a fingerprint pattern or a digital template of that image or pattern.

How are Biometrics currently regulated?

Biometric information falls within the scope of personal information and regulated as such under the Privacy Act 2020 (Act). Organisations who are collecting biometric information need to comply with Information Privacy Principles (IPPs) under the Act in respect of that information. However, there are no specific provisions within the Act regulating the collection, use and disclosure of biometric information.

In 2021, the OPC released a position paper outlining how it considers the Act regulates biometrics. In that paper, the OPC recognises that biometric information is sensitive information, which needs to be treated with extra care. This is because biometric information is directly connected to an individual’s sense of identity and personhood and biometric characteristics are very difficult to change.  

At the time, the OPC’s position was that the Act provides adequate protection for biometric information from a privacy perspective, because the Act is principles-based and technology-neutral allowing it to adapt to regulate new technologies and address novel privacy risks as they emerge. However, in light of the increasing and diversifying use of biometric technologies in New Zealand, and the tighter controls on biometrics imposed or to be introduced by other comparable jurisdictions, the OPC is now considering whether further regulation may be needed. .

Consultation paper

The OPC’s consultation paper comprises two parts. The first part of the paper seeks feedback on:

• the purpose and scope of the OPC’s biometric review;
• the OPC’s key assumptions about biometrics and objectives for the review;
• how biometrics are used and concerns and risks relating to their use; and
• Māori perspectives and other cultural perspectives on biometrics.

The second part of the paper concerns the future regulation of biometrics. Specifically, it seeks feedback on the position paper on biometrics published by the OPC in 2021 and whether further regulation is required. The OPC considers that, in light of the risks presented by biometric technology, there is a strong case for further regulation to ensure that the use of biometrics is subject to appropriate privacy protections. One of the risks highlighted by the OPC is function creep - when biometric information collected for one purpose is used for another. This risk, if realised, means sensitive personal information would be used without appropriate safeguards and without the knowledge of the individual concerned.

The OPC proposes three options for further regulatory action:

• Non-legislative options (which would not be legally binding). This could include further guidance from the OPC, creation of standards and principles on biometrics and specific directives for government agencies.
• A biometrics code of practice under the Act. Codes under the Act have legal effect and can modify the operation of the Act, for example by setting standards that are tighter or more flexible than under the Act.
• Legislative change – the OPC can advocate for changes to the law, if there is a strong call from submitters, but it does not directly advise Ministers on legislative change.

Is further regulation likely?

The possibility of further regulation is not surprise, and is likely inevitable. Many overseas jurisdictions have already introduced more stringent requirements or guidelines specifically targeting biometrics, some even going so far as to ban the use of certain technologies that gather biometric information (such as live automated facial recognition technology in public spaces or for predictive policing purposes). Privacy advocates have been arguing that the treatment of biometric information under New Zealand law should be robust, with a higher degree of scrutiny and compliance required, to keep pace with our international partners.

There have also been several high-profile case overseas that have brought the potential harms of biometric information to the attention of the public (and regulators), including for example the Clearview AI litigation taking place in several jurisdictions^[1], and the regulatory investigations by the Australian Information Commissioner into the use of facial recognition in retail outlets in Australia.^[2]

Employment considerations

Many employers are currently using or considering introducing biometrics into the operation of their organisation for a range of purposes, including health and safety, security and efficiency.

Employers must ensure that they meet their obligations under the Employment Relations Act 2000 and the Privacy Act. In particular, employers seeking to introduce biometric technologies need to undertake genuine consultation with any potentially affected employees prior to making a decision to introduce biometric technology. Currently, part of the consultation process requires an employer to notify the affected employees (or contractors or other third parties’ whose information is being collected) of the specific details specified in principle 3 of the Privacy Act, including why the employer is proposing to collect biometric information. Employers may have further obligations in respect of biometric information in the near future depending on the OPC’s decision following its public consultation process.

Next steps

As further regulation will impact any organisation developing or using biometric information, it is an opportune time for organisations to provide feedback on whether further regulation is needed from a privacy perspective and help shape the future direction of that regulation.

Submissions are due by 30 September 2022 and can be made to biometrics@privacy.org.nz or by mail to Biometrics submission, Office of the Privacy Commissioner, PO Box 10 094, Wellington 6143.

The OPC will consider the feedback received through the consultation process and report back on their regulatory approach by the end of 2022. If the Privacy Commissioner decides to develop a code of practice under the Act, the OPC will consult on a draft code in 2023.

Get in touch

Please get in touch with any of our contacts listed on this page if you would like assistance with making submissions on the OPC’s consultation paper or if you have any questions about this topic.

Special thanks to Phillip Leaupepe-Nickel for his assistance in writing this article.