Resources and learning

A woman works at her laptop while sitting at an office desk. The first part of rule 1 is ensuring you have a lawful purpose to collect biometric information.

You need to identify a clear purpose that explains why you are collecting biometric information. Identifying a clear purpose will ensure you can properly walk through the rest of the rule 1 assessment: whether the collection is necessary and proportionate, what privacy safeguards are reasonable, and what the privacy risk is. It will also help ensure you can comply with the other rules in the Code.

Your purpose needs to be lawful – meaning it must comply with all laws, not just the Code or the Privacy Act.

Your purpose for collecting information should be specific – a purpose like “for business use” or “for security” is too broad. But the purpose can allow for multiple related uses – provided that the purpose is still specific enough to allow people to clearly understand what the information is actually being collected for.

Your purpose for collection needs to be relevant at the time you are collecting information. You cannot collect biometric information just in case you may want to use it later.

The purpose needs to be connected to a function or activity of your organisation.

If your lawful purpose does not require the collection of a person’s identifying information, you must not require that identifying information.

What if you delete the biometric information quickly?

“Collect” means to take any step to seek or obtain the information. Even if you delete the information quickly, you are collecting the information if you hold the information even for only a fraction of a second. But deleting the information quickly can be an important safeguard that helps you comply with the Code.

The next step of rule 1 is assessing the necessity of the collection.