Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Resources and learning

Print | Email this page

Rule 7: Correction of biometric information

Three people do paperwork on a desk with documents and laptops all over it. Only their hands are visible, and they are gesturing at one set of papers in particular. Rule 7 provides that a person has a right to ask you to correct information about them if they think it is wrong. Upon this request, or on your own initiative, you must take steps to ensure that the information is accurate, up to date and complete and not misleading for the purpose you are using it for.

Failing to respond to a correction request could also breach the rule 8 requirement to take steps to ensure the accuracy of the information you hold.

Part 4 of the Privacy Act outlines the process for handling correction requests

The rules for how an organisation must respond to a correction request are set out in Part 4, Subpart 2 of the Privacy Act 2020. We have general guidance on correction requests that could help you to respond.

What if an individual asks us to correct other personal information?

An individual may ask you to correct other personal information in addition to their biometric information that you hold. For example, they might want you to correct both their biometric information and results (outputs) from an identification or verification process. The process for responding to requests under the Privacy Act and the Code is the same and you can do both at the same time. 

If you don’t know what information the individual is seeking to correct you should ask the individual to clarify.  

What if you don’t agree with the correction request? 

If you do not agree that the information needs correcting, for example, because you have taken reasonable steps to ensure the information is accurate and you believe it is accurate, the individual can ask you to attach a statement of correction to their records, and you must take reasonable steps to do so. You also need to take reasonable steps to ensure the statement of correction will always be read alongside the person’s information.

If you correct the individual’s biometric information (or attach a statement of correction to it), as far as reasonably practical, you must also inform every other person to whom you disclosed that biometric information to (note also that any disclosure of biometric information needs to comply with rule 11 and rule 12).

What correcting biometric information could look like 

If you receive a request to correct a person’s biometric information, you must take reasonable steps to satisfy yourself about whether the information you hold is correct. See also the rule 8 accuracy requirements.

Depending on the individual’s information and reason for requesting a correction, you could correct someone’s biometric information by:

  • Completely removing the individual’s information from your system and re-enrolling them with new information e.g. a new image or other biometric sample. If you do this, consider whether it is appropriate to keep a record of the fact that you have removed/replaced the person’s information. In general, you don’t need to retain a copy of the original information that you removed (unless other legal requirements apply).
  • Removing or deleting someone’s biometric information entirely from the system if they have been incorrectly enrolled, misidentified, or have asked to be deleted.
  • Adding a person’s statement of correction alongside their biometric information within your system so it always read alongside that information (this may be the right step where you are confident the information is accurate and have taken reasonable steps to verify the accuracy of the information, but the individual disagrees).
  • Regenerating a biometric template based on an existing biometric sample (this could be appropriate if there have been updates to the biometric system).

Read our example scenarios of how an organisation might apply rule 7 in context.

Back to top