
Rule 4 is about how you collect information – your manner of collection. You must collect biometric information in a way that is lawful, fair and not unreasonably intrusive in the circumstances.

What does “manner of collection” mean?

Your manner of collection is any steps that you take to collect the biometric information. For example:

  • the device or technology used to obtain the information (e.g. FRT system),
  • the method of recording the information (e.g. remotely via camera or recording device or directly via a sensor), 
  • the timing and context of collection (e.g. when offering a service), and 
  • how you act or represent yourself (e.g. how and what you tell people about the collection. See rule 3 for more information about notification requirements).

Collect biometric information in a lawful way  

You must not breach the law or contravene regulations when obtaining or collecting biometric information. 

Think about what other laws apply to the situation. For example, there are laws setting out expectations for how employers should conduct themselves in the employment relationship, including processes they must follow. Breaching these during an employment process may mean personal information collected during that time is unlawfully collected.

If you break any law when collecting information, that will make the collection not lawful under the Code, and there may be other consequences under the law you broke or the Privacy Act.

Don’t collect biometric information in an unfair or unreasonably intrusive way 

What is fair and not unreasonably intrusive will depend on the specific circumstances and context in which you are collecting the information. Take steps to ensure that people have as much control and agency over the collection and use of their information as possible, especially if there may be adverse consequences for them. 

Relevant factors include:

The age and capacity of the individual whose biometric information you are collecting.

  • For example, particular care needs to be taken when collecting biometric information from children and young people. It may not be fair to collect information from children in the same manner as you would from an adult. You may need to take special care with the information of young people to address any power imbalance, and to obtain their genuine consent for the collection (or consent from their family/whānau, if appropriate).
  • You should also consider other factors which may make an individual vulnerable, such as health conditions or disabilities.

The purpose of collection and the consequences for the individual stemming from the collection and the use of their information.

  • For instance, if there are likely to be adverse consequences for the individual, this affects what would be a fair way to collect the information, e.g. ensuring they are notified, can opt out of the processing, or have time to address any issues with the processing.

What the individual has been told about all aspects of the collection.

  • For example, was the individual informed about the collection under rule 3? Do you think they are aware of the collection? Are you collecting their biometric information from another source? Covert collection of biometric information runs a serious risk of being unfair.

The type and amount of information collected.

  • For example, if your facial recognition camera captures people that you don’t want or need to identify.

When and where the biometric information is collected.

  • For example, are you using covert surveillance without reasonable justification? What does the individual need to do for the information to be collected? Is there a less intrusive means to collect the same information?
  • It may not be fair to collect the information in one particular context and intend to use it in a completely different context.

Your relationship with and conduct toward the individual.

  • Threatening, coercive or misleading behaviour when collecting information is likely to make the collection unfair or unreasonably intrusive.

Would people reasonably expect that their biometric information would be collected by you in the way you intend to collect it?

  • Fairness is about handling information in ways that people would reasonably expect. If people would likely be surprised or upset by the way you collect their biometric information, this could indicate that the way you are collecting information is not fair.

Using web scraping to collect biometric information

What is web scraping?

Web scraping means using automated tools to extract information from online sources including websites and social media platforms. While it can be done manually by a human user, the term usually refers to automated processes. It typically involves a software program or bot that is designed to visit web pages, retrieve their content, and process it to collect specific data, like text or images.

Web scraping can have significant privacy impacts. It enables large amounts of biometric information like facial images or voice recordings to be indiscriminately captured from websites and used without the individual’s knowledge or consent. Web scraping also enables huge databases of biometric information to be created, which can be used for large-scale surveillance.

While the information obtained through web scraping may be publicly available online, individuals may not reasonably expect their information to be used in this way. Web scraping is a form of invisible processing: where an organisation uses web scraping to collect information, the individual will not know that their information has been collected, and they cannot easily exercise their Privacy Act rights of access to and correction of their information.

Is web scraping to obtain biometric information allowed under the Code? 

Using web scraping tools to collect biometric information could be a breach of the collection rules, particularly rule 4, depending on how and what is scraped and why.

You should be cautious about using web scraping as a means of collection because in some circumstances it could breach rule 4. You should consider:

  • Is the scraping targeted or indiscriminate?
  • How much biometric information are you collecting?
  • Does the scraping circumvent online privacy controls?
  • Is the scraping tool collecting information which has been shared in a specific context? (e.g. on a chat forum with restricted membership).
  • What will the scraped information be used for (e.g. to train biometric recognition or classification models/algorithms? To create watchlists?)
  • Is the information being scraped sensitive, or are the individuals concerned vulnerable in any way?
  • Did the individual make the information publicly available themselves? Or has it been shared by someone else?
  • What are the intended downstream uses of the biometric information? Is it likely that there will be adverse effects on people, and if so, are these warranted?
  • Are you transparent about your use of web scraping tools and which online sites they scrape data from?

Overseas example:

The Australian privacy regulator found that Clearview AI breached Australians’ privacy by scraping biometric information from the web and disclosing it through a facial recognition tool. They found that the covert collection of sensitive information through web scraping was unreasonably intrusive and unfair. There was a lack of transparency around the collection practice, people’s data was monetised by Clearview AI for a purpose entirely outside reasonable expectations, and there was a risk of adverse impacts to people whose images were included in their database. These factors contributed to the finding that the web scraping was unreasonably intrusive and unfair.

Although there are differences between the Code and Australian privacy law, this example provides helpful insight into the kind of situation when web scraping could be unfair.

Read our example scenarios of how an organisation might apply rule 4 in context.