How does privacy law protect my biometric information?

Simply speaking “biometric information” is things like body measurements and calculations related to human characteristics. This can involve both physical and behavioural characteristics. Every human being has some biological characteristics that are unique to them, such as fingerprints, body movement and even typing habits. A biometric system essentially allows those biological characteristics to be used as a key or form of identification.

In recent years the use of biometric information has become increasingly common in everyday life. The use of this technology has several benefits and practical uses, however lack of oversight and regulation can lead to some significant privacy (and human rights) breaches.

In New Zealand a person’s biometric information is considered to be personal information, therefore its collection, storage and use is primarily governed by the Privacy Act 2020. 

There are many ways in which biometric information may be used, including the following:

• When you use your fingerprint or face to secure your phone, the phone will keep a copy of that data in its system. When you unlock your phone, it will make sure that the data held on the phone is the same as the person who is trying to access it.
• Some banks use voice recognition technology to prevent other people from impersonating you. They may keep a record of your voice in their database, and when you call them to perform banking functions, they will use the technology to ensure that they are talking to you. This adds an extra layer of protection of your bank accounts and funds.

• Automated gates at airports use your biometric data to confirm your identity. The system will scan your passport and your face when you are at the gate, if they match then the system will know that it is you. This prevents people from using false passports. This technology has been used at New Zealand airports since 2015.
• Law enforcement agencies can use biometric data to make it easier for them to identify and locate people. Most people convicted of an offence will have their fingerprints and a photo taken and stored on a database. This will allow law enforcement agencies to locate them more easily if they are involved in further offending.  The technology can also be used to find missing persons.
• Stores or businesses may be able to use biometric technology to identify when a shoplifter or trespassed person has entered the premises and alert security staff.  This adds to existing concerns about the personal information obtained from CCTV and other camera technology. 

Privacy concerns with this technology

As an emerging technology, the use of biometric information raises a number of considerations and concerns in relation to privacy of personal information, many of which have not yet come into play in New Zealand but are already being seen elsewhere in the world.

• Personal information is information which can be used to identify an individual.  It is vital that the privacy of personal information is protected, to prevent against it being lost, improperly used or disclosed, or otherwise misused in a way that could harm an individual.  Harms can include identity theft, financial loss, and emotional harm.
• A person’s biometric information is strongly connected with their individual identity. If biometric information is compromised it can have serious impacts on the person concerned.  Unlike other forms of personal information, if someone’s biometric information is compromised it cannot be replaced.  For example, if your fingerprint data is stolen, you cannot change your fingerprint.
• Biometric data has been shown to be less accurate when identifying people of some ethnicities. This may lead to ethnic profiling or bias in certain situations.
• The biometric information held by an organisation or agency may be shared with other parties without the person it concerns being aware of it, for example under an information sharing agreement.  It may even be transferred overseas.  Offshore disclosure of personal information raises concerns about whether the recipient country has adequate privacy laws.
• Biometric technology has the potential to result in mass surveillance. If businesses start to share this data with other businesses through a shared database, then it has the potential to cause significant harm, especially because this technology has proven to be less accurate with non-Caucasian faces.

Privacy law and biometrics

The Privacy Act is based on 13 Information Privacy Principles that set out how agencies must handle personal information (which includes biometric information). The Act is technology neutral meaning that it does not have a special set of rules for biometric information, however the principles are broad enough to apply to it. The Act applies to government agencies, private companies, as well as individuals – essentially anyone who collects and holds personal information about other people. 

Biometric information is currently being treated the same as any other personal information under New Zealand’s privacy law.  That may change over time as the technology becomes more widespread.  It is important to remember that the Information Privacy Principles are subject to certain limitations. If another piece of legislation directly covers biometric information now or in the future, then it may be able to override the provisions of the Privacy Act. 

Interference with privacy

If you have concerns around biometric information being held about you, a starting point would be to make a request to access your personal information from the relevant agency.  Once you have this information, you will be better equipped to consider further options.  Given the technical nature of biometric data, you may face complications with receiving the information or understanding what implications it may have.  If you are not familiar with this technology, you should talk with a privacy expert.

According to Information Privacy Principle 6, where an agency holds your personal information, you have a right to ask for access to it. The agency may refuse to grant you access to the information if there is a lawful reason for doing so, however they must provide you with the reason for refusing your request. Failure to comply with these requirements will likely constitute an interference with your privacy. If the agency refuses your request, you may appeal their decision to the Privacy Commissioner.

If you are an agency using, or considering using, biometric information as part of your business practices you should take advice from experienced advisors working in this area.

If you believe that an agency or organisation has breached its obligations to you under the Privacy Act, then you are able to make a complaint to the Privacy Commissioner.  You should also consider speaking with a privacy expert to understand your rights.

Leading law firms committed to helping clients cost-effectively will have a range of fixed-price Initial Consultations to suit most people’s needs in quickly learning what their options are.  At Rainey Collins we have an experienced team who can answer your questions and put you on the right track.