These scenarios are examples of how an agency might apply rule 12 in context.
A bank plans to use a range of biometric information for fraud detection and prevention purposes. It will collect a voice sample when customers ring the bank call centre. It will also collect a range of behavioural biometric information based on how customers physically interact with the bank’s digital services such as internet banking and mobile app (e.g. keystroke logging, mouse and device use).
If the bank is investigating suspected fraud, it may need to send biometric information to its overseas head office. The bank assesses the laws of the other country that its overseas agency is subject to and receives legal advice that, overall, the overseas head office is subject to laws that provide comparable protection to the Code. In addition, the bank has a contract with its head office that requires the overseas agency to protect biometric information in a comparable way to the Code. Either the fact that the overseas head office is subject to comparable laws or the contract with comparable protections would be enough to meet the rule 12 requirements.
Facial recognition to control access to restricted site
A company is using FRT to control access to a restricted site. The provider of the FRT system they choose is overseas and the images and templates will be processed overseas. The New Zealand company ensures that the FRT provider will not use any biometric information that the New Zealand company collects via the FRT system for the FRT provider’s own purposes, e.g. to train their proprietary algorithm.
Because the FRT provider will not hold or use the information for its own purposes, the New Zealand company is not treated as “disclosing” the information overseas and so rule 12 does not apply. The New Zealand company ensures that their relationship with the overseas provider is managed in a way that is consistent with our guidance on third party providers.