Reflecting growing pressure from public and private sector agencies to utilise new technologies, the Office of the Privacy Commissioner released a timely position paper on the regulation of biometrics. The paper puts some stakes in the ground with respect to biometrics. It outlines how the Privacy Act applies to the collection and use of biometrics, comments on complementary frameworks that can assist to ensure biometrics are used ethically and lawfully, and clearly articulates the risks associated with such technologies. The OPC conveyed some interesting expectations on agencies considering the use of biometrics, including:
- Ensuring they consider the sensitivity of biometric information — it is based on inherent biological or behavioural characteristics of an individual that cannot readily be changed in the event of a breach (unlike, for example, a password).
- Ensuring the use of biometrics is targeted and proportionate — do the benefits outweigh the risks, particularly in relation to vulnerable groups?
- Ensuring Te Ao Māori perspectives have been taken into account — the paper is a promising example of the OPC’s increasing interweaving of Te Ao Māori into its regulatory approach.
- Ensuring an appropriate level of human oversight — the paper recognises biometrics are increasingly used to inform automated decision-making, often with significant consequences for people. As with conversations around the broader use of algorithms, the need for meaningful human oversight and governance is critical.