Source: New Zealand Privacy Commissioner – Blog
If you’re reading this on your phone, you may have unlocked your device using your face or fingerprint. If so, you’re one of a growing number of people who regularly interact with biometric technologies.
What are biometrics?
Biometrics (or biometric recognition) is the automated recognition of individuals from their biological or behavioural characteristics. There are many different types of biometric systems, based on characteristics as diverse as a person’s face, fingerprints, eyes, voice, or even the way a person walks or smells. These technologies can be used to verify people’s identities or to identify unknown people, and sometimes to determine things like a person’s gender, ethnicity, or mood.
Biometrics and privacy
Biometric technology can be convenient because our individual characteristics are unique and always with us. But the very factors that make the technology so convenient also raise significant privacy concerns. That’s why the Office of the Privacy Commissioner has released a position paper setting out our approach to regulating biometrics under the Privacy Act.
This paper is partly a response to concerns that have been raised about the use of facial recognition technology (FRT) in Aotearoa New Zealand, in both the public and the private sectors. Māori data sovereignty advocates have expressed concern about the impacts of FRT on Māori, and a 2020 report funded by the Law Foundation argued that greater regulation of FRT is needed.
We’ve developed this paper so that we can contribute to public discussion and make our position clear to agencies that are using, or considering using, biometrics. We’re not technical experts, but we’ve consulted with people who have technical, legal, and policy expertise in this area.
The Office of the Privacy Commissioner believes that careful regulation of the use of FRT and other biometric technologies is important. Biometric information is especially sensitive because it’s connected to our sense of personhood and identity. Using this technology with insufficient transparency and oversight can result in harms such as surveillance, profiling, and bias and discrimination. Its regulation needs to address the risks and potential harms of biometrics, while maintaining the benefits of its use.
In our view, because biometric information is personal information, the Privacy Act already regulates the use of biometrics to a significant extent. The position paper sets out how the Act applies to biometrics, and how we’ll exercise our role as regulator. There’s also a summary resource available that highlights some important issues agencies and organisations should consider before using biometric technology. Read the full paper and resource here.
Where to from here?
Biometrics is a complex issue and the technology is changing fast, so this paper is just the beginning of an ongoing conversation. We also recognise that there are issues which don’t fit within the Privacy Act framework, such as hapū and iwi rights to biometric information and the potential for bias and discrimination resulting from the use of biometrics.
We’ll continue to monitor the use of biometrics in Aotearoa New Zealand and overseas to see if stronger action is needed. We’ll also review our position in six months, so there will be more opportunities to participate in this discussion. If you’re keen to be involved, subscribe to our monthly Privacy News email to be the first to hear about new developments.