These scenarios are examples of how an agency might apply rule 1 in context.

Note: All the examples in this guidance are simplified and are for illustrative purposes only. They are not an endorsement of any particular biometric system or a comment on any particular purpose or use case. Agencies must conduct their own assessment based on their own circumstances for each use of biometrics. Agencies will require more detail for their assessment than is included in the examples.

Facial recognition in a retail store – necessary and proportionate

A store wants to use facial recognition technology (FRT) to identify individuals on a watchlist to help improve staff and customer safety and prevent shoplifting.

Assessment against rule 1

Lawful purpose

The store has two lawful purposes: 

  1. To improve staff and customer safety. 
  2. To reduce shoplifting, particularly shoplifting of high-value items.

How the system will operate

Cameras will be mounted at key areas within the store. All people entering the store will be scanned. Non-match information and images will be deleted immediately. If there is a positive match with an individual on the watchlist, two staff members will confirm whether the positive match is correct (i.e. it has correctly identified a person on the watchlist) and then decide whether and what action to take.

When establishing the watchlist, the store will only enrol people based on clear evidence of harmful behaviour such as previous aggressive or threatening actions towards staff members, other customers or store property, or having engaged in repeated, high-value shoplifting.

Necessary

The store determines the biometric processing is necessary because:

  • Effectiveness: The store assesses that the processing will be effective in achieving its stated purposes:
    • Evidence from comparable retail stores domestically and overseas that have used FRT to improve staff and customer safety and prevent high-value shoplifting.
    • Performance metrics, including accuracy rates, from the provider of the biometric system.
    • Information about the training or evaluation data that the provider used, compared with the demographics of customers of the store.
  • Alternative means: The store considers what alternatives there could be for achieving its purpose(s), including:
    • Employing security guards.
    • Additional obvious security cameras (CCTV).
    • Physical measures to reduce shoplifting such as security tags on high-value items.

After assessing the alternatives, the store determines that its lawful purpose cannot reasonably be achieved as effectively by an alternative with less privacy risk. That is because the store has already invested in some additional security measures like security tags and additional CCTV, but these measures have not had a sufficient impact on the rate of harmful behaviour or repeated, high-value shoplifting.

Safeguards

The safeguards the store adopts to reduce privacy risk include:

  • Thorough testing of the FRT system before deployment.
  • Deleting images and non-match information immediately.
  • Using best practice security measures (see rule 5).
  • Ensuring there is appropriate and adequate staff training for all staff involved in watchlist enrolment decisions and any responses to FRT alerts.

Proportionate

The store believes on reasonable grounds that the biometric processing is proportionate.

Risk assessment

  • High level of inherent intrusiveness: the FRT system is operating live, in a semi/quasi-public space. All people entering the store have their faces scanned, sometimes multiple times as they move through the store.
    • Mitigation: automatic and immediate deletion of non-match images means that most images are not retained and cannot be reused for another purpose.
  • An element of surveillance risk. Use of live FRT in a semi/quasi-public space reduces the ability of individuals to avoid being monitored. However, this store is not considered an essential service (operating FRT in an essential service would increase the overall level of privacy risk as people have a reduced ability to choose not to visit that store).
  • Potential risk that individuals will be misidentified and could suffer harm as a result.
  • Risk around lack of awareness. Although there will be signs, it is likely some customers will not notice or understand these and be unaware of the operation of FRT.
  • Possible chilling effect. Some individuals may also be deterred from exercising their freedom of movement because of the FRT (notwithstanding that images of people not on the watchlist will be deleted immediately).
  • Some risks around accuracy. The watchlist will need to be carefully managed to ensure that enrolment images are good quality and that the criteria for adding and removing people from the watchlist are followed. A poorly managed watchlist may also exacerbate the risks of over-surveillance and chilling effects, and lead to other breaches such as scope creep (for example, including children’s information on the watchlist).
  • Possible storage and security risks: There’s a low risk the watchlist or biometric system may be accessed by unauthorised staff and misused. Immediate deletion of non-match images reduces the information stored and therefore meaningfully reduces this risk.

Outcome of risk assessment: Substantial risk mitigated by appropriate safeguards. 

Benefits weighed against risks

  • Benefit of using FRT for safety: reduction in violence, aggression and threats made against staff and customers, and a safer workplace for staff (public benefit). Based on similar case studies and its assessment of effectiveness, the store expects a statistically significant and meaningful reduction.
  • Benefit of using FRT to reduce shoplifting: reduction in stock loss by the store, better use of staff time, and increased revenue (private benefit). Although there may also be some general public benefit from lower shoplifting in the sense of reduced crime, the primary benefit from reduced shoplifting is the private benefit to the store.

Weighing benefit against risks

  • Using FRT for safety (public benefit): In accordance with rule 1(4)(a), the store considers that, with the identified safeguards reducing the level of risk, the benefit of using FRT outweighs the residual privacy risk. 
  • Using FRT to address shoplifting (private benefit): After weighing the benefit and risk in line with rule 1(3)(c), the store considers that the benefit to the organisation from using FRT to address high-value shoplifting events and prolific shoplifters outweighs the privacy risk by a substantial degree.
    • However, the store considers that the advantages of using FRT to address low-value or one-off shoplifting events do not outweigh the associated privacy risk by a significant margin and would not meet the test in rule 1(3)(c).
    • Accordingly, the watchlist criteria would need to be focused on safety concerns and high-value or repeated shoplifting only.

Impacts on Māori

  • One possible impact on Māori that the retail store considers is the possibility of lower accuracy for Māori customers, or bias (unconscious or conscious) in staff members responsible for the watchlist. This could lead to discrimination against Māori customers either through misidentification or unwarranted enrolment on the watchlist.
  • The retail store plans to mitigate this impact by choosing an FRT system with high accuracy across all relevant demographic groups, requiring clear and objective criteria to be met before enrolling someone on the watchlist, ensuring staff members receive training on bias and discrimination, and actively monitoring the system for unexpected results once in place.

Overall conclusion

Overall, the collection is necessary for a lawful purpose and proportionate, and reasonable safeguards will be implemented.

Facial recognition to facilitate payment in school cafeteria – not necessary and not proportionate

A school plans to install an FRT system to allow for cash- and card-free payment at the school cafeteria.

Note: this scenario is similar to case reports from the UK Information Commissioner’s Office. Read about facial recognition in schools on the ICO website.

Assessment against rule 1

Lawful purpose

The purpose is to facilitate cashless payments at the cafeteria.

How the system will operate

The school will install cameras at the payment point in the school cafeteria, where live FRT will be used to identify the child purchasing food at the point of sale and deduct the meal price from their prepaid school lunch account.

Necessary

After assessing the effectiveness and available alternatives, the school thinks that the biometric processing is probably not necessary to achieve its purpose.

  • Effectiveness: After assessing the data from the FRT provider and considering a case study in the setting of a workplace cafeteria, the school determines that FRT could be an effective way to offer a cashless payment method. However, there could be some accuracy issues as the children at the school grow and their faces change.
  • Alternative means: There are many alternative ways of meeting the lawful purpose of facilitating a cashless payment system that would be significantly less privacy intrusive and likely just as effective. For example, by having physical tokens, a swipe card or entering the student’s ID number at point of sale. This is particularly the case given the privacy risks associated with the collection of children’s biometric information (see the risk section below).

Overall, it is not clear that the biometric processing is necessary. Because it is not necessary, collection would not be permitted under rule 1. However, the school also considered the proportionality of the collection.

Safeguards

  • Images from the FRT system would be deleted after one billing cycle (to enable parents to challenge any possible misidentifications leading to incorrect charges).
  • There would be a governance committee to oversee the FRT system.
  • The school would choose a system that has a high degree of accuracy for young people.
  • The school would engage a technical expert to assist with establishing security safeguards for the biometric information stored, such as encryption and other technical protections.
  • The school considers seeking parental authorisation, but determines that in its setting it would be practically difficult to prevent the cameras from capturing information about people who have not authorised the collection. This means that authorisation cannot be relied on as an effective safeguard in this context if all people who enter the cafeteria have their biometric information collected, whether or not they have authorised it.

Proportionate

The school determines that the biometric processing would not be proportionate.

Risk assessment

  • Children are a more vulnerable population. Children generally have a lower ability to appreciate the risks or envisage the consequences associated with the processing of their biometric information. They also may not be as aware of their privacy rights and may have more difficulty exercising them.
  • There is a significant power imbalance between the children and the school and some power imbalance between the children’s parents and the school. If no genuine alternative is offered, the potential negative impact of the power imbalance is heightened.
  • There is a risk of misidentification or errors which could lead to financial consequences for individuals (incorrect billing of food items) or embarrassment for a child that cannot pay.
  • The school would likely need to retain images from the FRT for a set period to enable parents or students to challenge any suspected incorrect bills. Storing information increases privacy risk.
  • There may be particular psychological harms for children from the normalisation of surveillance in their everyday lives. For example, children are more vulnerable to the negative impacts of surveillance, including lack of trust, changing the nature of interactions with others and authority, denying children experiences, and incentivising secrecy and subversion.
  • A review of the school’s own privacy and security maturity shows that it does not have sufficient expertise internally to manage the system safely on an ongoing basis.

Outcome of risk assessment: Significant risk that is not sufficiently mitigated by safeguards.

Benefits weighed against risks

Increased efficiency of payment in the cafeteria and a reduction in the need for cash to be carried at school. This is a benefit to the school so would need to substantially outweigh the privacy risk.

Weighing benefit against risks

  • The increased convenience does not substantially outweigh the privacy risk.

Impacts on Māori

  • Possibility of lower accuracy for Māori students, leading to higher rates of misidentification.
  • School needs to consider tikanga of collecting information of tamariki.

Overall conclusion

Overall, the biometric processing is not proportionate. There is insufficient benefit to justify the high privacy risk.

Fingerprint scan for multi-factor authentication (MFA) – necessary and proportionate

An organisation has highly sensitive information that only a limited number of employees need access to, currently protected by multi-factor authentication (MFA) using a combination of password and mobile-based factors. Because of the highly sensitive nature of the information, the organisation plans to enhance security by moving to a biometric authenticator (fingerprint recognition) in place of the mobile-based factor.

Assessment against rule 1

Lawful purpose

To protect a database of sensitive information.

How the system will operate

The organisation will consult with its employees about the need for increased security and a possible biometric authenticator, allowing employees to raise concerns and/or ask questions. If it decides to go ahead with fingerprint MFA, employees will be required to enrol a fingerprint sample using the fingerprint reader on their work laptops and subsequently scan their fingerprint to access the information. If an employee chooses not to provide a sample, they will no longer be permitted to access the information, which could require redeployment into another role.

Necessary

The organisation believes the biometric authentication factor is necessary:

  • Effectiveness: the employer believes the fingerprint verification system will be effective based on:
    • Performance metrics from the provider of the biometric system (false acceptance and rejection rates, equal error rates, presentation attack detection, time taken to verify).
    • Evidence about the technical validity of the overall process to enhance security.
  • Alternative means: There are other authentication factors that the employer could use, including both different biometric factors (e.g. iris scanning) and non-biometric factors (e.g. SMS code, smart cards). The organisation considers that, for its context, the fingerprint authenticator has advantages over the other non-biometric options, including being resistant to phishing attacks, unable to be lost or forgotten and unlikely to be stolen. It is also more practical to implement than other biometric options like iris scanning or facial recognition and doesn’t present accuracy differentials across demographic groups. Overall, there is no reasonable alternative that would enhance security as effectively and also poses less privacy risk.
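The effectiveness assessments above (and the "accuracy rates" the retail store asks its provider for) turn on a few performance metrics that a reviewer should be able to check rather than take on trust. The following is an added worked example, not code from the guidance or from any provider: it computes false acceptance rate (FAR), false rejection rate (FRR) and the equal error rate (EER) from a verifier's comparison scores, finds the most convenient threshold that still meets a FAR target, and, going beyond the fingerprint scenario, shows how a per-comparison FAR compounds when every shopper is searched against a watchlist of N people. The score lists are constructed toy data; the threshold rule (accept when score ≥ threshold) and the independence assumption in the watchlist calculation are assumptions of the example.

```python
"""Biometric verifier performance metrics from comparison scores.

Added worked example, not code from the guidance. The score lists below are
constructed toy data, not measurements from any real fingerprint or FRT system.
"""
from dataclasses import dataclass


# Constructed sample data: a verifier emits a similarity score in [0, 1].
# Genuine scores come from comparing a probe against the enrolled template of
# the same person; impostor scores from comparing against someone else's.
# Two low genuine scores (e.g. a worn or wet finger) and two high impostor
# scores were included deliberately so the distributions overlap.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.82, 0.79, 0.93, 0.87, 0.90, 0.62, 0.55]
IMPOSTOR_SCORES = [0.12, 0.33, 0.25, 0.41, 0.18, 0.66, 0.29, 0.37, 0.58, 0.48]


@dataclass(frozen=True)
class OperatingPoint:
    """FAR and FRR of the verifier at one decision threshold."""
    threshold: float
    far: float  # false acceptance rate: share of impostor comparisons accepted
    frr: float  # false rejection rate: share of genuine comparisons rejected


def rates_at(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept a comparison when score >= threshold, then count the errors."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return OperatingPoint(threshold, far, frr)


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every observed score as a candidate threshold and return the
    operating point where FAR and FRR are closest (the EER point).
    Ties are broken towards the lower FAR."""
    candidates = sorted(set(genuine) | set(impostor))
    return min((rates_at(t, genuine, impostor) for t in candidates),
               key=lambda op: (abs(op.far - op.frr), op.far))


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Most convenient setting that still meets a security target: among
    thresholds whose FAR is at most max_far, pick the one with the lowest FRR
    (lowest threshold on a tie). Returns None if no threshold meets the target."""
    candidates = sorted(set(genuine) | set(impostor))
    acceptable = [rates_at(t, genuine, impostor) for t in candidates]
    acceptable = [op for op in acceptable if op.far <= max_far]
    if not acceptable:
        return None
    return min(acceptable, key=lambda op: (op.frr, op.threshold))


def watchlist_false_alert_probability(far_per_comparison, watchlist_size):
    """Probability that a person who is NOT on the watchlist triggers at least
    one false match when compared against every enrolled entry (1:N search),
    assuming the comparisons are independent. Shows why a per-comparison FAR
    that looks small becomes material when every shopper is searched against
    a watchlist of hundreds of people."""
    return 1.0 - (1.0 - far_per_comparison) ** watchlist_size


if __name__ == "__main__":
    eer = equal_error_rate()
    print(f"EER point: threshold={eer.threshold} FAR={eer.far:.2f} FRR={eer.frr:.2f}")
    strict = threshold_for_max_far(0.0)
    print(f"Zero-FAR setting: threshold={strict.threshold} FRR={strict.frr:.2f}")
    print(f"P(false alert), FAR=0.001, N=200: "
          f"{watchlist_false_alert_probability(0.001, 200):.3f}")
```

A vendor's headline "accuracy" figure is one point on this trade-off curve; asking for the FAR and FRR at the threshold that will actually be deployed, measured on a population resembling the one in the scenario (the guidance's point about training and evaluation data versus customer demographics), is what makes the effectiveness assessment verifiable. The watchlist calculation also explains why the retail store's two-person confirmation step matters: with a few hundred enrolled people, even a low per-comparison FAR produces regular false alerts against shoppers who are not on the list.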

Safeguards

  • Consultation with affected employees and commitment to work with employees to resolve or mitigate any concerns raised by employees.
  • Only retain a template of the fingerprint scan, not the actual sample, to reduce risks of spoofing and presentation attacks.
  • Best practice security measures to protect the biometric information in the context, including storing the template locally on the device.

Proportionate

The organisation believes on reasonable grounds that the biometric processing is proportionate.

Risk assessment

Factors contributing to lower risk:

  • Limited scope: targeted and minimal biometric information collection measure, from only those who need to access the sensitive information.
  • Strong technical safeguards to protect the biometric information.

Factors contributing to higher risk:

Power imbalance: The inherent power dynamic of the employment relationship increases the intrusiveness of the measure, as employees may feel they have a lack of choice in giving their biometric information. This is particularly the case if they cannot do their job without accessing the sensitive information and will have to change roles.

Mitigation: Consulting with employees and offering the choice to opt out (a limited opt-out, given the consequence of redeployment) provides some degree of mitigation against the power imbalance.

Outcome of risk assessment: Overall low risk.

Benefits weighed against risks

  • Benefit: The increased level of security benefits the organisation (private benefit) by preventing data breaches and unauthorised access, ensuring compliance with any legal requirements around security, protecting the organisation’s reputation, ensuring client trust, and reducing financial and operational risks.

This benefit substantially outweighs the risk.

Impacts on Māori

  • As part of the consultation with employees, the employer will specifically seek feedback on cultural impacts from Māori employees and consider how to address any impacts raised.
  • The fingerprint recognition technology used has high accuracy metrics that do not differ across demographic groups.
  • The fingerprint templates will be stored locally on each individual’s laptop, so no biometric information will leave New Zealand (better reflecting Māori data sovereignty principles).

Overall conclusion

Overall, the collection is necessary for a lawful purpose and proportionate, and reasonable safeguards will be implemented.

Voice sample and behavioural biometrics – necessary and proportionate

A bank plans to use biometric systems to verify customers for fraud detection and prevention purposes.

Assessment against rule 1

Lawful purpose

Ensuring customer accounts are only being accessed by the correct customer to detect and prevent fraud.

How the system will operate

The bank will set up a voice verification system that collects voice samples to verify customers over the phone when they call the bank. The bank will also collect behavioural information based on how the customer interacts with the mobile app and website such as keystroke logging and mouse and finger movements. This information will be used to create a profile of the customer’s use patterns, continuously authenticate them as they access their account and generate an alert if there is a noticeable change in behaviour that could indicate fraud.

Necessary

The bank assesses that the voice and behavioural verification systems are necessary:

  • Effectiveness:
    • Performance metrics from the providers of the voice and behavioural verification systems.
    • Evidence about the technical validity of the overall process and any weaknesses or disadvantages.
    • Review of comparable use domestically or in overseas jurisdictions.
    • Results from testing the systems before live rollout.
  • Alternative means: The bank considers other over-the-phone verification methods, such as security questions, are insufficiently effective to verify customers. They are vulnerable to social engineering attacks and, in fact, pose greater privacy risk than voice verification due to relying on more easily accessible personal information.

Safeguards

Some of the safeguards which are relevant and could help reduce privacy risk are:

  • High level of transparency with bank customers about what information is collected.
  • Thorough testing of the systems before deployment.
  • Using best practice security measures to protect stored biometric information.
  • Robust operational safeguards including access limits and retention policies.

Proportionate

The bank assesses that the biometric verification systems are overall proportionate.

Risk assessment

Factors contributing to increased risk:

  • Lack of control / choice: customers can’t opt out of the collection of their biometric information (because that would be detrimental to the purpose of preventing fraud).
  • Lack of transparency: behavioural and voice biometrics can be collected passively without the customers’ awareness of what information is being collected, why, and how it is being used.
  • Profiling / scope creep: continuous collection of behavioural biometrics enables a profile of the customer to be created which can reveal other sensitive traits like cognitive or physical impairments. Voice samples can also reveal other sensitive information about the individual.

Factors contributing to lower risk:

  • Minimal to no risk of impact on other protected rights.

Outcome of risk assessment: Some risk, largely mitigated by safeguards.

Benefits weighed against risks

  • Benefit: increase in the security of customers’ bank accounts and reduction in fraud and misuse. This has a clear benefit to the individual, as well as benefiting the bank. The clear benefit to the customer – enhanced account protection and reduced risk of fraud – justifies customers’ lack of ability to avoid the collection of their biometric information and the minimal risk of scope creep.

Impacts on Māori

  • The bank ensures the voice biometrics will be accurate for Māori, including if Māori customers are speaking te reo Māori.
  • The verification systems require approval and oversight by a governance board that has Māori representation.

Overall conclusion

Overall, the collection is necessary for a lawful purpose and proportionate, and reasonable safeguards will be implemented.