In August 2022 the Privacy Commissioner released a consultation paper about the Privacy Regulations of Biometrics in Aotearoa New Zealand, asking a range of 17 questions, and inviting feedback and submissions/responses.
The Privacy Commissioner has indicated an option they are considering is the development of a code of practice for biometrics under the Privacy Act. If the Privacy Commissioner decides to develop a code, another consultation paper will be released in 2023. Any code of practice on biometrics could modify the operation of the Privacy Act and could be issued by the Privacy Commissioner without needing to be approved by the Government.
What is biometric information?
Biometric information is information about an individual’s biological or behavioural characteristics and can include a person’s face, fingerprints, voice, eyes, signature, hand geometry, gait, keystroke pattern, etc.
Employer's Considerations for Submissions on proposed New Biometric Privacy Act Code:
Large employers or agencies such as Police, and Immigration NZ may consider that the establishment of a Biometric Code in the Privacy Act is beneficial to clarify and detail obligations in collection, use, disposal etc of biometric information to ensure they know their obligations.
The case of Fenson v KME Services NZ Pty Ltd in the Employment Relations Authority in December 2019 showed that employers do not only have obligations towards their collection, use etc of biometrics, but also obligations about the proper process and consultation with employees around implementation or introduction of using biometrics. This case is an example of where employers may benefit or want to have a Biometrics Code to better understand their obligations.
However New Zealand employers, businesses and agencies have already recently had to undergo reviews of their privacy systems, policies and processes when the Privacy Act was updated on 1 December 2020, regardless of whether they were big or small businesses.
If the Privacy Act is updated again by the introduction or imposition of a Biometrics Code inputting further obligations or regulations on employer's collection and use of biometric information, there is likely going to be on flowing significant additional cost to employers, including small businesses that may not be using biometric information yet, to update their policies, join or pay regulation authorities, or to meet compliance notices. Additionally, organisations and businesses might need help to navigate and understand the requirements under the main Privacy Act and under the Code.
Businesses in New Zealand are still struggling from the COVID-19 costs and the impacts that staff shortages and new public holidays have had. This could be a setback or concern for small businesses in New Zealand.
Employee's Considerations for Submissions on proposed New Biometric Privacy Act Code
Mishandling or misuse of biometric information, regardless of whether malicious or through misunderstanding, could have huge potential impacts and implications for people’s rights – criminal or police vetting records, immigration status etc. In assessing the risk, the impact on an individual if the Privacy Act principles are not adequately followed is huge.
Employees and the average New Zealander may consider that the establishment of a Biometrics Code in the Privacy Act is necessary to ensure better enforceability and regulation of agencies to ensure businesses and agencies know their obligations, are checked and regulated to ensure compliance, and for individuals to know they have greater protections for their biometric information.
Does the current Privacy Act do enough?
The Privacy Commissioner had previously released a paper about biometrics on 7 October 2021 and appeared to consider that the Privacy Act 2020 provided adequate and sufficient protection.
However the recent 8 September 2022 Joint IPCA and OPC investigation report of Police practices with biometric information (see here), and the Privacy Commissioners different view in their August 2022 consultation paper, appears to indicate that potentially the Privacy Act 2020 does not. Mistakes and mishandling of biometric information can and do happen.
Though the Privacy Commissioner issued a compliance notice to the Police relating to their collection of photographs and biometric prints and to delete material, it is unclear what was enforced or done to resolve the individual harm, and what costs compliance caused to Police.
The question becomes is there either a lack of regulation, a lack of understanding of privacy obligations, or inadequate enforceability actions when privacy rights are breached and who should bear the costs.
The concerns that the Privacy Commissioner detailed of function creep, lack of transparency and control and accuracy, have become real problems.
Further action or amendments to the Privacy Act 2020 may be needed to ensure these privacy complaints about misuse or mishandling of biometric information are regulated and adequately resolved reflecting the harms that can result. This would also seem to bring New Zealand in line with the tighter controls that exist in other comparable countries. But given there were amendments made so recently – who should pay for these updates?
Currently, several agencies can and are collecting, using, and keeping biometric material of New Zealanders and our visitors – Police, Immigration NZ (MBIE), DIA etc. New Zealanders should be submitting their response or feedback to ensure their voices are heard.
Submissions on the Privacy Commissioner’s Consultation Paper are due by Friday 30 September.
If you are unsure of your rights and responsibilities with biometric information, whether as an employer or employee, do not hesitate to contact BuckettLaw (04 472 8600 or at www.buckettlaw.co.nz). We offer a free 15-minute phone enquiry.