Rule 6 is about an individual’s right to access their information. In general, an individual has the right to receive on request:
If you give an individual access to their biometric information, you must also tell them that they have a right to request that their biometric information be corrected (see rule 7).
Rule 6 is subject to Part 4 of the Privacy Act, which explains the process for requesting access, the process for charging for access, and outlines the exceptions for when you may refuse access to personal information.
Read our general guidance on access requests and the grounds that allow agencies to refuse access to personal information. The same grounds also apply to the biometrics Code.
An individual may request other personal information in addition to their biometric information from you. For example, they might want access to both biometric information and results (outputs) from the biometric process, such as confirmation of a match (output of a verification process) or an age range estimate (output from age estimation).
Although results are not biometric information, they are still personal information about the individual and depending on the context might be sensitive information. Individuals are entitled to ask for this information under IPP6 of the Privacy Act rather than rule 6 of the Code. The process for responding to both requests is the same and in most cases you will be able to provide them to the individual at the same time.
Organisations must give reasonable assistance to anyone requesting access to their information (section 42 of the Privacy Act). If you don’t know what information the individual is seeking, ask the individual to clarify. If an individual asks for the information to be provided in a specific way, you should give it to them in that way unless there is a good reason not to. These reasons are listed at section 56 of the Privacy Act.
If an individual requests access to their biometric information, unless a ground for refusing access applies, you must also confirm the type of biometric information you hold about them. For example, you must confirm if you hold a biometric sample (e.g. a facial image or fingerprint scan) or a biometric template or model (e.g. numerical representation of their facial features or fingerprint ridges).
An individual only needs to request access to their biometric information for the obligation to confirm the type of biometric information held to apply. The individual does not need to specifically request access to the type of biometric information separately.
The requirement to confirm the type of biometric information you hold is in the Code to support people’s privacy rights in a context where it may be difficult to provide someone with meaningful or actual access to their biometric information. Biometric information may not be readable or understandable by people, or even by other biometric systems. It may also not be possible to extract the biometric information and provide the individual with their biometric information in hard copy or a common electronic form (see below for more information about when the information is not readily retrievable).
When you confirm what types of biometric information you hold, consider also providing a description of the information to help the individual understand what biometric information you hold about them and, if relevant, why you cannot provide a copy of the information. Although providing a description is not required by the Code, it may be frustrating for individuals to not be able to receive access to their biometric information in a meaningful way. Providing information about the form of information you hold and how it’s used in the system may be helpful to individuals. Remember that individuals are entitled to complain to OPC about an organisation’s failure to provide them with access to their information.
Providing someone with access to the biometric information you hold about them could mean:
Read our guidance on when you can refuse access requests that explains the permitted grounds for refusing access to personal information in the Privacy Act that also apply to providing access to biometric information.
You need to provide access to readily retrievable biometric information. Read our general guidance on what is considered readily retrievable information. This will apply to biometrics too.
If the biometric information cannot be easily isolated or extracted from the biometric system, then the information will not be considered readily retrievable. But, when you are designing a new biometric system, being able to respond efficiently to an access request should be part of the system design.
Another ground for refusing access to biometric information could be if the information contains information about more than one individual – e.g. if you hold a similarity score comparing two faces or a list of potential matches generated in an identification process.
If the information is about more than one person, you need to consider whether providing access to the requestor would be an unwarranted disclosure of the affairs of another person. Read our guidance on responding to requests for access for information about more than one person.
An important security measure for biometric information can be deleting original biometric samples once they have been processed into a biometric template. If it is appropriate in your overall circumstances to delete biometric samples, you can do so, and this is not a breach of rule 6 (and it may even be part of complying with rule 9).
Read our example scenarios of how an organisation might apply rule 6 in context.