Rule 5 is about protecting biometric information. You need to ensure that you protect the biometric information that you hold with security safeguards that are reasonable for the sensitivity of biometric information. The biometric information must be protected against loss, misuse, and any unauthorised access, use, modification or disclosure.
Note: Security considerations may be relevant to your use of biometrics in two ways:
- You have an obligation to protect biometric information you hold under rule 5 in the Code.
- You may also use biometrics as a security measure itself, as a way of meeting your obligations under IPP5 to protect other personal information, including using biometric verification or identification systems to restrict access to devices or spaces.
These two obligations are connected – protecting the biometric information you hold from misuse will help it be an effective security protection for other personal information.
See our Rule 5 example scenarios for how your obligations could work in practice.
What are reasonable security safeguards?
You need to consider what is appropriate for the specific biometric information that you hold. Te ao Māori perspectives, such as protecting the tapu, mana and mauri of the data, can also inform what is reasonable for your circumstances.
Your security safeguards need to reflect the sensitivity of biometric information and the overall context and risk of the biometric information that you hold. The more sensitive the information, the more robust the safeguards need to be to limit the risk of the information being compromised. A safeguard can still be reasonable even if it is difficult, expensive or time-consuming to implement. You need to factor the costs of relevant safeguards into your overall planning. However, a wholly disproportionate cost or difficulty could mean a security safeguard is no longer reasonable to implement.
The more severe the consequences for individuals from loss, misuse or unauthorised access to their biometric information, the more likely it is that a security safeguard will be appropriate, even at a high cost or difficulty to implement.
Security safeguards must be layered, meaning you have multiple safeguards in place at the same time. No safeguard is complete on its own, and layering safeguards will limit the impact of one safeguard failing or being breached.
In general, you need to consider:
- How will you protect the biometric information within your system?
  - Protecting information means protecting it from loss and unauthorised modifications. Protecting information includes technical controls (e.g. encryption), physical controls (e.g. locked rooms) and organisational controls (e.g. policies governing how biometric information is stored – such as storing biometric information locally if appropriate).
- How will you ensure devices and software are kept up to date by applying the latest updates and patches?
- Where and how is information stored?
  - Will the biometric information be kept separate from (e.g. not linked or connected to) other information in your system?
  - If it is necessary to link it to other information, what other protections can be put in place?
  - Do you need to store the information on a central system, or can you store it across local devices, i.e. on-device verification?
- What is your plan for information backups?
- How will you restrict access to biometric information?
  - How will you ensure only authorised people have access (e.g. individual user logins and regular and random audits)?
  - Who is responsible for controlling access?
  - How will you limit and identify employee browsing?
- How will you restrict the use and disclosure of biometric information?
  - Can you build in technical restrictions as well as having organisational policies about the use and disclosure?
  - Who is responsible for making these decisions?
- How will you assess whether your safeguards are operating effectively?
  - What is your vulnerability management process?
- How are you minimising data collected, stored and retained? The less information you hold, the less information you have to protect. If you do not need to retain biometric information, you should delete it – for example, if you only need to retain biometric templates and not samples, you should delete the biometric samples as soon as they are processed into templates.
- How will you safely dispose of biometric information when it is no longer needed for your lawful purpose?
  - Are your disposal methods appropriate for the type of information concerned? When will you dispose of biometric information?
- What staff training will be in place for staff involved in your biometric system?
- What is your organisation’s capability in this area? While the size and resources of your organisation are a factor in what is reasonable, you must still ensure you have enough capability to securely deploy and manage a biometric system. This is an important consideration as off-the-shelf biometric systems become more widely available.
- If you are using a third-party provider to hold biometric information on your behalf, what are your rights and ability to monitor and audit that provider’s security practices?
  - What are your residual responsibilities? See our guidance on working with third parties for more information. Remember that if the third-party provider is holding the information on your behalf and not using the information for their own purposes, you are still responsible under the Privacy Act.
- What is your plan if something goes wrong? Security breaches can lead to privacy breaches, but even a security breach that does not directly cause a privacy breach could weaken the biometric system and needs to be promptly addressed. Remember that if you have a privacy breach that either has caused or is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able. See our privacy breach guidance for more information.
- Does the biometric data involve content sensitive for Māori, e.g. moko kanohi or moko kauae, and how will you address it?
  - What mitigations are available to you to avoid breaches of relevant tikanga? Have you consulted experts if appropriate?
- Can you meet technical guidance from relevant international bodies or experts? E.g. can you meet relevant ISO/IEC standards for protecting biometric information?
You should consider engaging a subject matter expert to review your planned security controls, both at the outset and at regular intervals.
Using biometric information as one of your security safeguards
Sometimes you may want to use biometric information to protect other information – for example, using biometric information as part of multi-factor authentication (MFA) to protect other information. That is, you may be using biometric information as part of your security safeguards. If you are doing so, you still need to ensure you are protecting the biometric information appropriately, for example by taking steps to protect the biometric information and the wider system from presentation attacks.
You need to carefully design your biometric system for your context. Different kinds of biometric systems have different strengths and weaknesses, and addressing these relative strengths/weaknesses needs to be a core part of designing the safeguards for your system. For example, a facial recognition system may have more accuracy issues in an environment with poor lighting, and so the design of the system would need to take that into account.
You will need a plan for responding to any errors in the system (e.g. false positives or false negatives). How will you mitigate any impacts on individuals (e.g. not being able to access a space or use a device)?
Security obligations when using third party providers
If you are using a third-party service provider, then you still have the responsibility of ensuring the security of the information. You will need to do everything reasonably within your power to prevent unauthorised use or disclosure of the biometric information by making sure that the provider has their own security safeguards in place.
Read our example scenarios of how an organisation might apply rule 5 in context.