Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Resources and learning

Print | Email this page

Rule 2: Source of biometric information

A close up of a person's brown eye with four corners of a white square surrounding the iris, as though it's being scanned. The person has light skin and freckles. Rule 2 of the Code is about where you collect biometric samples from (image of face, voice recording, fingerprint scan etc.). Unless an exception applies, you must only collect biometric samples directly from the person whose information it is.

Collect biometric information directly from the individual

Collecting biometric samples directly means that the source of the sample is the person whose information it is. Direct collection helps improve transparency, gives the individual more control over their information, and will often mean that the information you collect is most accurate and up to date.

The individual does not need to be aware of the collection for it to be direct (but see rule 3 for notice requirements). 

Using a third-party to collect biometric samples directly from the individual on your behalf will still be direct collection. Read our guidance on working with third-party providers for more information.

Direct collection could look like:

  • The individual sends you a photograph of themself to enrol in your facial recognition system.
  • You take a fingerprint scan from someone to use in a security access system.
  • You collect a voice recording from a customer when they call your call centre for fraud detection and prevention purposes.
  • You collect stills of people’s faces from your CCTV system to use in a facial recognition system.
  • You use a hidden facial recognition camera to collect biometric samples for law enforcement purposes. Even though the individual may not be aware that their biometric sample is being collected, you are still collecting it directly from the individual.

Collection that is not direct could look like:

  • Another business shares their database of facial images of customers and you use the database for your facial recognition system.
  • You obtain a biometric sample of your employee from their former employer.

What if you delete the biometric information quickly?

“Collect” means to take any step to seek or obtain the information. Even if you delete the information quickly, you are collecting the information if you hold the information even for only a fraction of a second. But deleting the information quickly can be an important safeguard that helps you comply with other rules in the Code.

Exceptions: When you can collect biometric information from other sources

You can collect a biometric sample from someone other than the individual if you believe, on reasonable grounds, that one of the below exceptions applies. 

What does 'believe on reasonable grounds' mean?

A reasonable belief requires more than just suspecting something might be the case – you must have some evidence for why you think an exception applies. You should keep a written record of why you believe the exception applies. 

You must consider whether the exception applies each time you collect biometric samples and whether it applies to everyone whose information you are collecting.

If you aren’t sure whether an exception applies, you must not rely on that exception. If no exception applies, you must either collect the information directly from the individual or not collect the information at all. Sometimes, more than one exception may apply to your situation. You should still record the reasons for relying on each exception.

Some of the rule 2 exceptions (for example, avoiding prejudice to the maintenance of the law), are also exceptions in other rules. The same general guidance for those exceptions applies to the exception in each rule.

Exception Note on when the exception applies

Collecting the information directly from the individual would be prejudicial to the individual’s interests.

Note: This exception in the Code has a higher standard than the similar exception in IPP 2. In the Code, this exception only applies if collecting the information directly from the individual would be actively prejudicial to their interests.

Exception may apply when:

  • You know that someone would be harmed if you collected the biometric sample directly from them. For example, someone has a health condition that means it would be harmful to collect the biometric sample directly from them. 
  • The individual cannot provide the sample directly or authorise the collection, but the individual could be adversely affected if the sample is not collected and processed for their benefit.

Exception would not apply when:

  • You assume it would be prejudicial to the individual’s interests, but you don’t have any good evidence about why. 

Note: You should consider asking the individual for their view about whether collecting information directly from them would be prejudicial to their interests. Asking the individual will not always be appropriate – for example, if it would be detrimental to their mental health. But, particularly where it would be more costly or inconvenient for them, you should generally seek individual authorisation to collect the information from another source, rather than rely on the “prejudicial to the individual’s interests” exception. Some individuals may prefer to provide information directly, even if it is more inconvenient for them. 

You would not be able to achieve the purpose for collecting the biometric information if you collected the information directly from the individual.

Exception may apply when:

  • You are collecting biometric samples for fraud investigation and collecting the information directly from the individual would undermine your investigation.

Exception would not apply when:

  • It is less convenient for you to collect the information directly from the individual, so you don’t want to.

The individual authorises the collection from someone else.

Exception may apply when:

  • You’ve given the individual all the information they need to understand the collection of their biometric sample in the specific circumstances, and they authorise you to collect the biometric sample from someone else.

Exception would not apply when:

  • You haven’t explained all the information the individual needs to know – for example, you didn’t explain who you will collect the biometric sample from, or what kind of biometric sample you will collect.
  • You pressure, coerce or threaten the individual into authorising the collection.

The information is publicly available.

Exception may apply when:

  • You are collecting a biometric sample from a publication such as a book, newspaper, or public register.
  • You are collecting a biometric sample from a website or public social media page e.g. a public profile picture.

Exception would not apply when:

  • You are collecting a biometric sample from photos on social media that require you to have additional permission to view the photos (such as being a friend or a follower of the social media account).
  • The information is only public because of a privacy breach (and you know, ought to know or reasonably suspect that this is the case).

It is necessary to avoid prejudice to maintaining the law (including in relation to court proceedings), enforce specific laws, or protect public revenue.

Exception may apply when:

  • A public sector agency is investigating an offence and needs to collect a biometric sample from someone else to adequately investigate the offence, and the agency has followed all other relevant laws that apply to obtaining evidence.
  • You are not a law enforcement agency, but you have an urgent or exceptional situation, where it is necessary to collect a biometric sample from another source for biometric processing to avoid a likely risk that a relevant law enforcement agency function would be prejudiced (e.g. to be able investigate serious offending). (Note – this will be rare because there are likely other rule 2 exceptions that you can use when you set up the purpose for your biometric processing.)

Exception would not apply when:

  • You are not a law enforcement agency, but you want to obtain a biometric sample from someone else to do your own investigation of a suspected offence. (Note – if investigating suspected offending is the purpose of your biometric processing that meets rule 1, then you can likely use other exceptions under rule 2). 

It is necessary to prevent or lessen a serious threat to someone’s life or health

Exception may apply when:

  • There is a real and serious threat to any person’s life or health, and collecting a biometric sample from someone other than the individual concerned for the purpose of biometric processing will help you prevent or lessen that threat.

Exception would not apply when:

  • There is a serious threat to a person’s life or health, but collecting the biometric sample will not help prevent or lessen that threat.

Read more guidance on this exception.

The overall circumstances mean you cannot comply with rule 2 for the particular case.

Exception may apply when:

  • There is a legitimate and unavoidable reason why you cannot comply with rule 2 in the particular circumstances, and no other exception applies (for example, you cannot seek individual authorisation).

Exception would not apply when:

  • You could reasonably change the circumstances to make it possible to comply with rule 2 in the particular case.

The individual will not be identified when the information is used, or the biometric information will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

Exception may apply when:

  • You are using biometric information as part of a research study and only aggregated information that will not identify anyone will be published.

Exception would not apply when:

  • You have removed someone’s name or their face from their biometric information, but they can still be identified in other ways.
  • The audience of a publication may have additional knowledge to help them identify an individual in the research.

Read more guidance on what makes a personal identifiable.

While you can rely on an exception to rule 2 in these circumstances, if you are using biometric information for statistical or research purposes, it will usually be good practice to still collect information directly from the individual where possible.

Read our example scenarios of how an organisation might apply rule 2 in context.

Back to top