Source: Privacy Commissioner
New Zealand doesn’t yet have specific privacy rules for biometrics. We’ve outlined our proposal in an exposure draft biometrics code of practice under the Privacy Act 2020. Between 10 April – 8 May 2024 we asked New Zealanders to have their say on how that might work by reviewing our exposure draft and giving us feedback.There was generally strong support for the three fair processing limits, which would restrict some uses of biometric classification. Some agencies helpfully gave constructive comments about exceptions and definitions.Allowing for the fact that biometric processing is a technical topic, some submitters still thought the draft code it seemed overly complex. They thought it could be simplified and that we could revise the technical terms. This would make it clearer and more easily understood.There was support for somewhat stronger notification and transparency obligations, but agencies weren’t quite clear about the notice obligations as drafted. They also said that how we’d explained it seemed repetitive.Another major theme was that agencies want guidance so that they can understand how to apply and comply with the rules. They want to be super clear about:The private sector flagged risks around compliance burden and costs.
|
A note about guidance If the Commissioner decides to proceed with a code of practice, we’ll provide draft guidance with the proposed code when we next go out for consultation. Our intent will be to help people understand the proposed code and get people’s feedback on that and the accompanying guidance material. |
We also need to reconsider some of our policy decisions
Your feedback told us where we need to review the policy proposals. We’ll do that alongside our other work. That will include:
- The broad exclusion for health agencies.
- The exclusion of heartbeat biometrics (and how wearable devices are treated).
- How long agencies are given to bring their activities into compliance with any new code.
- Whether the components in the proportionality assessment will work well in real life.
- Clearing up how notice requirements will work, what the benefit of them is, and a few other small matters.
- Checking whether more exceptions may be necessary to make sure that any rules would be targeted at the high risk uses of biometrics, rather than the low risk beneficial uses of biometrics.
Thanks to everyone’s feedback, we will continue working on the proposals informed by the we’ve got clear direction about what may need to be changed or reworked, which is what we’ll do now.
Next steps
- We will consider the detailed feedback in the submissions
- We’ll do further work on the proposals based on the constructive comments we received. This will include technical definitions and drafting points..
- We’ll develop draft guidance to help explain the technical nature of biometrics and the proposed privacy rules.
Read the full report on submissions we received about an exposure draft of a biometrics code.
The Privacy Commissioner expects to announce his decision on whether he will go ahead with issuing a biometrics code of practice for statutory consultation, later this year.
If you want to contact us about this work please email biometrics@privacy.org.nz
