AskUs

Can I use facial recognition technology?

There are a number of factors you need to consider carefully before deciding to use facial recognition technology or any other biometric-collection technology.

Biometric information is personal information and is regulated by the Privacy Act. Biometric information is particularly sensitive and requires careful assessment before use. OPC believes that the privacy principles and the regulatory tools in the Privacy Act are currently sufficient to regulate the use of biometrics from a privacy perspective, but may review this position in future. This position paper(external link) sets out the position of the Office of the Privacy Commissioner (OPC) on how the Privacy Act regulates biometrics.

Like CCTV, security cameras and other recording technologies that can intrude on the privacy of individuals, it is important to make sure that your use of the technology is proportionate to your need for it.

Even if facial recognition software is highly accurate, there will still be times when it can get things wrong. Therefore any organisation or business using facial recognition technology needs to undertake a high level of scrutiny over how accurate it is and how thoroughly it has been tested for use in New Zealand. 

One of the risks of facial recognition technology is that it may misidentify individuals. In cases of preventing shoplifting, if a person is misidentified, they may continue to be branded an offender by your business or organisation, when the information is wrong as happened in this case(external link).

An organisation needs to take the risk of misidentification seriously, and ask itself what controls and processes can it put in place to minimise that risk. When it comes to identifying people accused of a crime, getting it wrong can have a severe impact on the person affected. 

The Office's position is that any organisation considering the use of facial recognition or other biometric technology conduct a privacy impact assessment before using the technology. 

Here are some factors you need to consider carefully about facial recognition technology:

  • What is the lawful purpose for using the technology? (principle one of the Privacy Act)
  • How will you notify people that you are using the technology? (principle three)
  • Will the technology be used in a way that might be unfair or unreasonably intrusive? (principle four)
  • Will the personal information be stored securely? (principle 5)
  • How will you accommodate an individual’s right to access the information about them? (principle 6)
  • How will you accommodate an individual’s right to correct information about them, if it is wrong? (principle 7)
  • How will you make sure the information collected is up-to-date and accurate? (principle 8)
  • How long will you keep the information for? (principle 9)
  • What will be your reasons for disclosing the information? (principle 11)

Finally, if individuals feel their privacy has been interfered with by the use of this technology, they should raise their concerns with the organisation first. If they are not satisfied with the outcome of that complaint, they can make a complaint to us.

Updated December 2022