What are 'Biometrics'?
The OPC’s paper defines biometrics as “the fully or partially automated recognition of individuals based on biological or behavioural characteristics”. The paper notes that the relevant characteristics are wide-ranging, from more obvious biometric data such as a person’s face, fingerprints, voice, or eyes, through to very specific features such as their hand geometry, gait, or even their odour.
‘Biometric information’ is correspondingly defined in the paper as information about an individual’s biological or behavioural characteristics (for example, a facial image or a fingerprint pattern). The focus of the OPC’s consultation is on the use of such biometric information for the purposes of automated recognition (rather than seeking to limit the use of any specific technology).
How are Biometrics currently regulated?
Biometric information falls within the broad definition of 'personal information' under the Privacy Act 2020 (Act), which covers all “information about an identifiable individual”. The collection, use, storage, and disclosure of biometric information is therefore regulated under the Act, and agencies must comply with the Act’s thirteen privacy principles in respect of that information. Those principles apply with particular weight in this context given that, as the OPC notes in the consultation paper, biometric information is sensitive personal information (as it is “directly connected to an individual’s sense of identity and personhood” and is “very difficult to change”).
'Biometric information' is dealt with very briefly under the current Act, as part of provisions dealing with the transfer of information between certain specified government departments. There are no specific provisions relating to biometric data which apply to non-governmental agencies.
In a position paper issued in October last year, the OPC initially observed that the privacy principles and the regulatory tools in the Act are currently sufficient to regulate the use of biometrics from a privacy perspective, although it recommended that agencies carry out careful Privacy Impact Assessments for all projects in which the use of biometrics was being considered. However, after continued monitoring of the use of biometrics (and in recognition of increased regulatory scrutiny of biometric technology overseas), the OPC is now exploring whether further regulatory measures are needed.
What changes are the OPC considering?
The OPC’s consultation paper notes the growth of biometrics and questions the suitability of the current regulatory framework in light of various risks, including:
- Technical challenges, including accuracy (e.g. wrongly identifying someone) and security (e.g. biometric data being stolen or otherwise compromised);
- Risks of mass surveillance and profiling, particularly when biometric information is collected without people’s knowledge or consent, is combined with other information or is used in ways that could have significant adverse impacts on people;
- Function creep, when biometric information collected for one purpose is used for another; and
- Bias and discrimination in the operation of biometric systems, including risks of inaccuracy for some groups or entrenchment of biases. (In that regard, the OPC specifically acknowledges the need to consider Te Tiriti o Waitangi and perspectives from Te Ao Māori, noting concerns about bias, profiling and accuracy).
The OPC’s consultation paper proposes three broad options for further regulation as follows:
- Non-legislative options (i.e. non-binding recommendations). This could take the form of further guidance from the OPC, new biometrics standards and principles, and directives for government agencies.
- A biometrics code of practice under the Act. Unlike guidance, codes issued under the Act have legal effect and can modify the operation of the Act. A code under the Act could apply to biometric information generally, or in a particular context (such as facial recognition).
- Legislative change, i.e. changes to the Act to introduce new laws to specifically deal with biometrics (beyond the limited existing provisions noted above).
The consultation paper hints at a preference for the second option. It notes that the OPC is “giving serious consideration to the creation of a code.” The paper also observes that the Law Commission and the Privacy Foundation have both previously recommended the adoption of a biometrics code, and refers to various advantages (including that the OPC could develop and amend a code on its own initiative).
The deadline for submissions is 30 September 2022. The OPC then intends to issue its findings, and its proposed approach to regulation, by the end of the year.
We expect that businesses involved in the development or use of biometric technology will have a real interest in which of the various regulatory options is adopted, and how the chosen option is formulated in due course. That will be the case both for New Zealand organisations and also for overseas organisations that carry on business in New Zealand (to whom the Act also applies).
Bell Gully’s Consumer, Regulatory and Compliance Team are closely monitoring these developments. If you would like further details on the proposed changes, or assistance in making submissions, please get in touch with the authors or your usual Bell Gully adviser.