Kia ora koutou,

In my 2 Sept. 2022 notes, I reported New Zealand's Office of the Privacy Commissioner released a consultation paper on the regulation of facial recognition and other types of biometric technologies. The OPC noted regulatory action in this space may be needed due to the increasing use of biometric technology in New Zealand along with growing concern about the adequacy of current regulation, implications of biometric technology for Māori, potential for greater clarity to support safe innovation, the need for greater public assurance about the use of biometrics and tighter controls on biometrics being implemented in other countries. Regulatory action might include the development of a code of practice issued under the Privacy Act.

The OPC's efforts in this area have now progressed further with the release of a second discussion document exploring the potential for a biometrics code of practice. The office is also setting out proposals for such a code.

The decision to explore a code of practice reflects 100 submissions the OPC received on the initial consultation paper, as well as further stakeholder engagement. Many submissions supported clarification of regulatory requirements for biometrics. The OPC has also been mindful of overseas practice in this space, noting that Aotearoa is not alone in specifically regulating biometrics.

The key proposals the OPC has for a new biometric code of practice include the following:

  • The code would apply when organizations use biometric information in automated processes to recognize or categorize people.
  • An organization that wants to collect biometric information would need to show the information will be used in a way that is effective and justified.
  • Organizations would not be allowed to collect biometric information for the purposes of marketing, classifying individuals by personal characteristics, or trying to learn about their emotions or state of health.
  • Organizations that collect biometric information would need to make sure people can understand how and for what purpose their information will be used, handled and retained.
  • Before collecting biometric information, an organization would need to get consent from the person whose information it is. People would need to be given an alternative that doesn’t involve collecting biometric information.
  • Organizations would need to have strong safeguards to keep biometric information secure and would need to regularly check the accuracy of their biometric systems.
  • There would be exceptions to code requirements to allow for appropriate uses, including existing uses that are required by law.

The OPC is now seeking stakeholder feedback on whether the proposals seem workable and are likely to be effective, and is looking for comment particularly from organizations that use or sell biometrics, Māori data specialists, privacy and human rights advocates, and independent experts. Feedback on the proposals is sought by the close of 27 Aug. I would certainly encourage all members with any interest or expertise in this space to engage and comment.

The OPC's efforts in this space are welcomed and timely, and will be a specific topic of discussion at the upcoming IAPP ANZ Summit in Sydney in November. Deputy Privacy Commissioner Liz MacPherson will join a panel of experts to discuss "Navigating Biometrics and Privacy," including providing an update on regulatory developments in Aotearoa New Zealand.

The IAPP events team is currently working to finalize keynote speakers and sessions — including several sessions with a focus on AI — which will be of significant interest to privacy professionals in New Zealand, Australia and further afield. Registration for the event is now open, with early bird rates closing on 18 Aug., so make sure you secure your spot at the region's premier privacy event.

In the meantime, enjoy the digest, stay safe and be kind.