
The third part of rule 1 is implementing appropriate privacy safeguards. If a privacy safeguard is reasonable in the circumstances for you to adopt and implement, rule 1 requires you to do so before you start collecting biometric information.

What are privacy safeguards?

Privacy safeguards are measures that reduce privacy risk, increase the transparency and accountability of the biometric system, and increase the control individuals have over their information.

There are some examples of privacy safeguards below, but the list is not exhaustive. You can and should implement privacy safeguards that are not listed if they are relevant to your use of biometrics. You should also continue to assess safeguards throughout your use of biometrics to ensure your safeguards remain effective and appropriate – for example through regular audits, or whenever you make a material change to how your system works.

How do I decide which safeguards are “reasonable” to implement?

You need to consider the overall context and privacy risk of your biometric processing. Consider the kind of biometric system you will use, the relationship you have with affected individuals, the consequences if biometric information is lost, misused, inappropriately accessed or disclosed etc., and the likelihood of and consequences from errors in the biometric system.

A safeguard can still be reasonable in the circumstances to implement even if it is difficult, expensive or takes time to implement. You need to factor in the costs of relevant safeguards to your overall planning. But, a wholly disproportionate cost or difficulty to implement could make a safeguard no longer reasonable.

The more severe the consequences for individuals from misuse of their biometric information, or errors in the biometric system, then the more likely it is that a safeguard will be appropriate, even at a high cost or difficulty to implement.

Rule 1 requires you to ensure that the relevant safeguards are adopted or implemented before you collect information. You should continue to assess your safeguards for as long as you are collecting biometric information and make any changes that are necessary to ensure your safeguards are appropriate and effective.

Examples of specific safeguards

Authorisation and/or providing an alternative

Giving individuals the choice to authorise the biometric processing or use an alternative to biometric processing is an important safeguard to mitigate privacy risk because you give them control and agency over the collection of their personal information. It won’t always be appropriate – for example, in some contexts like fraud prevention, requiring or even offering authorisation may undermine your lawful purpose. However, if it will not undermine your lawful purpose, organisations should consider whether individual authorisation and/or providing an alternative is reasonable in the circumstances, particularly if you have a direct interaction with the individual you are collecting information from.

If you are implementing individual authorisation as a safeguard, you should consider:

  • Has the individual been specifically and meaningfully informed about all the relevant factors involved in the biometric processing – e.g. what information is being collected, why, who has access, how it will be stored and used, and how it will be protected?

  • Is there a genuine non-biometric alternative available? It should be a genuine choice for the individual as to whether to authorise the processing or whether to use the alternative. This does not mean that the individual gets to choose the consequences of not authorising the processing – but the option to authorise should not be coerced or presented in a way that leaves the individual with no effective choice. Remember that if you can reasonably achieve your lawful purpose as effectively by an alternative means with less privacy risk, then your biometric processing will not be necessary. But there may still be less effective non-biometric alternatives that are reasonable to offer individuals as an alternative.

  • Is there an easily accessible way for the individual to withdraw their authorisation at any point without being penalised?

  • Is there an imbalance in power between you and the individuals who are being asked to authorise the biometric processing? For example, employers, public agencies or any agency where people may depend on the services provided by that agency for basic needs. If so, you need to take special care when relying on authorisation. People may have no other viable option, and could be worried about negative consequences if they do not authorise the biometric processing, which may make the authorisation not freely given.

You should not make unnecessary obstacles that would prevent individuals choosing the alternative to biometric processing, such as by requiring additional information, unnecessarily delaying access to services, hiding or de-prioritising the alternative option, or penalising the individual for choosing an alternative. You should also consider accessibility for people with disabilities to ensure your alternative does not exclude anyone.

If you are using authorisation as a safeguard, then the authorisation must be explicit. You cannot rely on assumed or implied authorisation – for example, continuing to use a service, or entering a space where biometric information is collected (e.g. a store using a FRT system) would not be sufficient evidence of authorisation. You should also seek fresh authorisation for any material changes in how you collect, use, hold or disclose information.

Example:

A fitness gym plans to use FRT for members to access its facilities. Individual authorisation and a non-biometric alternative could be used as a useful safeguard to reduce privacy risk by having a specific entry gate where the FRT would not operate, and individuals could instead use a swipe card. 

However, if members were told that if they do not authorise the biometric processing, they can no longer access the gym but still have to pay membership fees for the rest of their contract, then this would not be reasonable implementation of authorisation as a safeguard because the individuals were not given a genuine choice.

Safeguards for biometric watchlists 

A watchlist is where you have a list of specific individuals whose information is enrolled in your biometric system and who you want to identify to take some kind of adverse action against them – for example, removing them from your premises, monitoring their behaviour or imposing a fine on them. If you are using a biometric system to operate a watchlist, there are some key safeguards you should implement to help mitigate the privacy risks.

It is not necessary for you to know the names or any other details of people on your watchlist.

First, when deciding whether to add someone to a watchlist, we expect:

  • Adding each specific person must be clearly linked to achieving the lawful purpose of the biometric processing.
  • Only collect information for the watchlist in a fair and reasonable way.
  • There are objective and consistent enrolment criteria. This helps mitigate the risk of subjective decision making that could perpetuate unfairness, bias or discrimination.
  • Manage decisions about enrolment with a small and well-trained group of people.
  • Do not add children and young people or other vulnerable people to a watchlist unless there are special circumstances that justify their inclusion.
  • You should generally only use objectively verifiable facts to make enrolment decisions (e.g. a conviction, clear evidence of relevant behaviour, or a trespass notice). If you add someone to a watchlist based on opinion or speculation, this has more risk – both for the person concerned and for the agency – than verified information.

The minimum accuracy match threshold should be carefully considered and appropriate to your circumstances.

In addition, if you are operating a biometric watchlist, in general you should inform an individual on the watchlist of the following matters (unless doing so is not practical in the circumstances):

  • When they are enrolled in the biometric system.
  • How they may challenge their enrolment. 
  • If an adverse action is taken or is to be taken, and what the consequences of that action are.
  • How the individual may challenge a decision to take an adverse action.

You should also delete any biometric information of individuals not on the watchlist as soon as it is determined that they are not a match to an individual on the watchlist. For example, if you are using an FRT system to identify specific individuals, you should immediately delete the biometric information of anyone not on the watchlist.

In some situations, informing individuals about their inclusion on the watchlist will not be appropriate or feasible, for example if you do not have the individual’s contact details, if it is not safe to approach the individual or if informing the individual would undermine the purpose of the biometric watchlist. However, if you can’t notify individuals directly, you should still consider whether you can provide general information about the watchlist e.g. on your website.

Examples:

  • A store is using FRT to identify individuals on a watchlist. Individuals are enrolled on the watchlist if they are trespassed from the site because of violent or aggressive behaviour or high-value shoplifting. At the time that individuals are trespassed they are verbally informed that they are being enrolled in the store’s watchlist and they are given a notice explaining the store’s process and the consequences for the individual. Informing the person of these matters does not undermine the purpose of the watchlist, so it is reasonable to implement this safeguard and inform people of their inclusion on the watchlist. Biometric information of people not on the watchlist is immediately deleted once it is determined the individual is not on the watchlist.

  • FRT is being used at a train station to manage a watchlist of people who have made violent threats. Informing the people directly could endanger staff, so information about the existence of the watchlist is included on a website instead.

Testing and/or assurance of the biometric system

The biometric system should be subjected to testing and/or assurance processes before you collect any biometric information. This could involve:

  • Reviewing any external evaluation of a biometric system’s performance.
  • Testing the biometric system with test data.
  • Testing the impact of different matching thresholds to assess false positive and false negative rates.
  • Establishing a process for dealing with false matches and false non-matches.
  • Testing for and mitigating any identified bias in the system (for example, lower accuracy rates for certain demographic groups). If the bias could lead to discrimination, you should not use the system unless the bias can be sufficiently mitigated to a level that no longer carries a significant risk of discrimination.
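The threshold testing and bias check described in the list above, worked through as an added example. This is illustrative code written for this page, not code from the Office of the Privacy Commissioner or from any biometric vendor's system. It assumes the matcher produces a similarity score per comparison (higher means more similar) and that you have labelled genuine (same person) and impostor (different people) comparisons with a demographic group label; the scores below are constructed, not measurements of any real system. The comparison data, group labels and function names are all assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Comparison:
    score: float    # similarity score from the matcher; higher = more similar
    genuine: bool   # True when both samples come from the same person
    group: str      # demographic group label used for the bias check


# Constructed test comparisons (hypothetical values, not real matcher output).
# Group B genuine scores are deliberately lower to simulate a biased system.
COMPARISONS: List[Comparison] = [
    Comparison(0.92, True, "A"), Comparison(0.88, True, "A"), Comparison(0.81, True, "A"),
    Comparison(0.77, True, "A"), Comparison(0.69, True, "A"),
    Comparison(0.84, True, "B"), Comparison(0.74, True, "B"), Comparison(0.66, True, "B"),
    Comparison(0.61, True, "B"), Comparison(0.55, True, "B"),
    Comparison(0.12, False, "A"), Comparison(0.25, False, "A"), Comparison(0.33, False, "A"),
    Comparison(0.48, False, "A"), Comparison(0.63, False, "A"),
    Comparison(0.18, False, "B"), Comparison(0.29, False, "B"), Comparison(0.41, False, "B"),
    Comparison(0.57, False, "B"), Comparison(0.72, False, "B"),
]


def error_rates(comparisons: Sequence[Comparison], threshold: float) -> Tuple[float, float]:
    """Return (FMR, FNMR) at a given match threshold.

    FMR  (false match rate)     = impostor comparisons scoring at or above the threshold.
    FNMR (false non-match rate) = genuine comparisons scoring below the threshold.
    """
    genuine = [c for c in comparisons if c.genuine]
    impostor = [c for c in comparisons if not c.genuine]
    false_non_matches = sum(1 for c in genuine if c.score < threshold)
    false_matches = sum(1 for c in impostor if c.score >= threshold)
    fmr = false_matches / len(impostor) if impostor else 0.0
    fnmr = false_non_matches / len(genuine) if genuine else 0.0
    return fmr, fnmr


def sweep(comparisons: Sequence[Comparison],
          thresholds: Sequence[float]) -> Dict[float, Tuple[float, float]]:
    """Error rates at each candidate threshold, so the trade-off is visible."""
    return {t: error_rates(comparisons, t) for t in thresholds}


def per_group_rates(comparisons: Sequence[Comparison],
                    threshold: float) -> Dict[str, Tuple[float, float]]:
    """Error rates broken down by demographic group at one threshold."""
    groups = sorted({c.group for c in comparisons})
    return {g: error_rates([c for c in comparisons if c.group == g], threshold)
            for g in groups}


def bias_gap(comparisons: Sequence[Comparison], threshold: float) -> float:
    """Largest FNMR difference between any two groups at this threshold.

    A large gap means some groups are falsely rejected far more often than
    others, which is the kind of bias the guidance says must be mitigated.
    """
    fnmrs = [fnmr for _, fnmr in per_group_rates(comparisons, threshold).values()]
    return max(fnmrs) - min(fnmrs)


def choose_threshold(comparisons: Sequence[Comparison], thresholds: Sequence[float],
                     max_fmr: float) -> Optional[float]:
    """Lowest candidate threshold whose FMR is within the acceptable limit.

    Picking the lowest such threshold keeps FNMR (and the inconvenience of
    false non-matches) as small as the FMR budget allows. Returns None if no
    candidate meets the limit.
    """
    for t in sorted(thresholds):
        fmr, _ = error_rates(comparisons, t)
        if fmr <= max_fmr:
            return t
    return None


if __name__ == "__main__":
    candidates = [0.5, 0.6, 0.7, 0.8]
    for t, (fmr, fnmr) in sweep(COMPARISONS, candidates).items():
        print(f"threshold {t:.2f}: FMR={fmr:.2f} FNMR={fnmr:.2f} "
              f"by group={per_group_rates(COMPARISONS, t)} gap={bias_gap(COMPARISONS, t):.2f}")
    print("chosen threshold for FMR <= 0.10:", choose_threshold(COMPARISONS, candidates, 0.10))
```

With the constructed scores, raising the threshold from 0.5 to 0.8 drives the false match rate from 0.3 down to 0.0 while the false non-match rate climbs from 0.0 to 0.6, and at the threshold that first meets a 10% FMR budget (0.7) group B is falsely rejected three times as often as group A. That per-group gap is exactly the kind of finding that should feed into the decision whether the system can be used at all, and into the process for dealing with false non-matches listed above.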

You may be able to rely on the testing done by a provider of the biometric system – particularly if the overall risk of your use of biometrics is low. However, you still need to ensure you have sufficient confidence that the testing was sufficient for your purposes – for example, by seeking evidence of the testing and assessing whether you need to do additional independent testing. Additional testing or assurance may be particularly relevant if you are using FRT, given the lack of existing testing on New Zealand faces.

Your testing process should also help you identify what other safeguards are necessary to have in place to reduce the risk that individuals may suffer real detriment or harm because of errors or false matches or non-matches by the system.

Protect biometric information with security safeguards

You need to have a plan for how you are going to keep information secure before you collect it, including by considering any security issues with using a third-party provider.

Some security safeguards which will generally be relevant for organisations to implement are:

  • Use multi-factor authentication to protect access to biometric information.
  • Encrypt biometric data that you store.
  • Process biometric samples into biometric templates as soon as possible and destroy the original sample.
  • Use Privacy Enhancing Technologies (PETs). Read more guidance about using PETs from the Information Commissioner’s Office in the UK.
  • Store biometric information separately from other personal information you hold about an individual.
  • If you are using a third-party provider of a biometric system, ensure your contract contains privacy-protective obligations on the provider. Also ensure you have reviewed the provider’s own privacy policies and practices. See our guidance on working with third-party providers for more information.
  • If it is necessary to give biometric information to a person or other agency in connection with the provision of a service to your organisation, ensure that there are sufficient security safeguards in place to receive and access the information.
  • Engage a subject matter expert to review your security controls.

Read more guidance on Security and Access controls in Poupou Matatapu, or our guidance on rule 5 of this Code.

Human oversight and staff training

Having human oversight of your biometric system is an important safeguard. However, it is not enough to simply have human involvement – it is how people are involved that matters.

The human oversight or monitoring needs to be by individuals who have sufficient training to understand how the system works and what a match by the system means. They also need to have the confidence to overrule the system if there is a mistake. They need to be providing genuine scrutiny, not merely confirming results without proper assessment (e.g. due to “automation bias”, which is the tendency for people to over-rely on automated systems when making human decisions). 

Having effective oversight requires agencies to have processes in place to:

  • Provide sufficient training for people who will be establishing, overseeing and operating biometric systems, including regular refresher training.
  • Support people to challenge results of the biometric system where necessary.
  • Address issues of bias and discrimination. In some contexts, particularly for high-risk use cases with a high risk of harm to individuals, it will also be appropriate to consider training on internal/unconscious bias of the overseer that could be reinforced by the system.
  • Make changes to the system to respond to errors or flaws.
  • You should keep a record of all staff training. You should update your training any time there is a material change in the biometric system and any time you identify any issues with how the staff are monitoring the system.
  • Staff should have general privacy training in addition to biometric-specific training.

Review and audit the biometric system

You should regularly review and audit any biometric system and the safeguards that are in place. This can be done by your organisation, but you should consider whether to use an external party to review and audit the system. Where the overall privacy risk is higher, it will be more appropriate to have external review and audit.

The review and audit could cover the overall performance of the system, security safeguards, staff training, any adverse actions taken, how information has been used and disclosed, performance of third-party vendors, compliance with policies, protocols and procedures etc.

We expect organisations to continue to review and audit throughout the whole life of a biometric system. It will often be appropriate to conduct the reviews and audits at a higher frequency when the system is first being used, and again following any significant changes.

Maintain appropriate policies and procedures

You should have appropriate policies and procedures that govern the use of any biometric system. But it is not enough just to have the policies and procedures in place – they must be fit for purpose and followed by staff. These documents should be regularly reviewed and updated as necessary.

Policies and procedures should address:

  • Overall compliance with the Code and the Privacy Act.
  • Thresholds for matches and the process for reporting and addressing errors with the system.
  • Training obligations.
  • If operating a biometric watchlist, the process for adding or removing people from the watchlist and taking adverse action.
  • Review and audit of the system, including user access. 
  • Governance of the system.

The final step of rule 1 is assessing the proportionality of the collection.