Biometrics are the unique physical characteristics that can be used for automatic recognition of a person’s identity. Examples of biometrics include fingerprints, iris scans, voiceprints, facial features and even behavioral patterns. Biometrics are increasingly used for authentication and security purposes, such as unlocking smartphones, accessing bank accounts, boarding planes and entering workplaces.
However, biometrics also raise significant privacy concerns. Biometric information is personal information and is regulated by the Privacy Act in New Zealand. It is particularly sensitive and requires careful assessment before use. Biometric information is uniquely precious to each of us, and there is growing concern about the level of regulation covering its use.
Some of the privacy issues and challenges posed by biometrics are:
Consent: Biometric information should only be collected with the informed consent of the individuals whose information is being collected. Consent should be voluntary, specific and current. Individuals should also have the right to withdraw their consent at any time and request the deletion of their biometric data.
Purpose limitation: Biometric information should only be collected for a lawful and necessary purpose that is directly related to the function or activity of the organisation collecting it. Biometric information should not be used or disclosed for any other purpose without the consent of the individual or as required by law.
Data minimisation: Biometric information should only be collected to the extent that it is relevant and adequate for the purpose for which it is collected. Biometric information should not be retained for longer than necessary and should be securely destroyed when no longer needed.
Data security: Biometric information should be protected from unauthorised access, use, modification, disclosure or loss. Appropriate technical and organisational measures should be implemented to ensure the confidentiality, integrity and availability of biometric data. Biometric data should also be encrypted during transmission and storage.
Data quality: Biometric information should be accurate, complete and up-to-date. Biometric systems should have mechanisms to verify and update biometric data as needed. Biometric systems should also have error rates that are acceptable for the intended purpose and context of use.
Data access and correction: Individuals should have the right to access their biometric information and request its correction if it is inaccurate, incomplete or out-of-date. Individuals should also have the right to request a copy of their biometric data in a portable format.
Data accountability: Organisations that collect, use or disclose biometric information should be accountable for their data practices. They should have clear policies and procedures regarding biometric data collection, use, disclosure, retention and destruction. They should also conduct regular audits and reviews of their biometric systems to ensure compliance with privacy laws and principles.
Biometrics can offer many benefits for convenience and security, but they also pose significant risks for privacy. Organisations that use biometrics should be aware of their legal obligations and ethical responsibilities to protect the privacy rights of individuals whose biometric data they collect. Individuals who provide their biometric data should also be informed of their rights and choices regarding their biometric data.