Can we collect biometric information?
If you want to collect any kind of biometric information (for instance, fingerprints or facial scans), you need to make sure that you have a lawful purpose for collecting this information and that the collection is necessary for that purpose.
Collecting biometrics from people should be done directly, and transparently. You shouldn’t collect a biometric from somebody without them knowing.
In particular, you will need to make sure that you let individuals know what you are collecting and why, including what you will be using the information for, who will have access to it, whether collection is voluntary or mandatory, and the consequences if the person doesn’t want to provide you with this information, along with their rights to access and correct the information.
Biometric information is also inherently sensitive personal information, so you need to take care that your collection or use of this information isn’t unreasonably intrusive – in other words, you need to be able to justify why this method of collection is necessary, instead of collecting information in another less invasive way.
You should also keep in mind that, once you collect biometric information, a range of other obligations under the Privacy Act will apply (including obligations about security, accuracy, retention, use and disclosure, and in terms of providing individuals with their rights to access and request correction of the information). You should do a Privacy Impact Assessment(external link) to make sure you have addressed the risks before depoying this technology.
This position paper(external link) sets out the position of the Office of the Privacy Commissioner (OPC) on how the Privacy Act regulates biometrics.
Security of biometric information is particularly important, given that, if there is some kind of data breach and the information is lost or stolen, there is very little the individual can do to change things. For a real life example of this problem, check out this blog post.
Note the Privacy Commissioner can investigate whether the collection of personal information complies with the Privacy Act. This could include systemic issues, such as overcollection of unnecessary information, or unreasonably intrusive collection of biometric information, or inadequate security measures for protecting sensitive personal information.
(Updated October 2021)