
Rule 9 is about how long you can hold (keep) information for. You must not hold biometric information for longer than is required for the purpose you are using the information for.

Limiting how much information you hold, and how long you hold it for, is a key way to lower the privacy risk of your processing. For example, immediately deleting biometric information that does not return a match in an FRT system means you hold much less biometric information overall, which reduces privacy risks such as over-collection, surveillance, scope creep, and security breaches.

Reminder: under rule 3, you must notify individuals about your retention policy for biometric information. This could include a timeframe or summary of your policy that tells individuals how long you intend to retain their information for. 

How long can I retain biometric information?

In most cases, if you do not have an active and lawful reason to use the biometric information, it will no longer be appropriate to hold it.

You also need to consider what you told the relevant individual when you first collected the biometric information.

For Māori biometric information, consideration should be given to the tapu and mana of the owner over their biometric information in regard to retention given its potential cultural significance.

What about other legal requirements?

There are some laws that may allow or require an organisation to retain or delete biometric information in certain situations or in a certain way. For example:

How to manage retention as an organisation

We recommend setting up retention and disposal systems. These may look like: 

  • Automated deletion: If possible, set up your systems to action your retention and disposal decisions in an automated way. Not doing so is a common cause of over-retention issues in organisations.
  • Manual deletion: If there is no ability to automatically dispose of biometric information, you will need to consider other ways, such as regular audits or manual review of the biometric information you hold.
  • Different retention periods for different information: You also need to ensure that retention periods can be tailored for different circumstances. For example, if you are collecting different types of biometric information for different uses, some biometric information may need to be disposed of sooner than others.
  • Have a clear process outlined in a policy: Your organisation should have a clear process to support the lawful retention and disposal of biometric information. 
  • Regular review: Retention and disposal policies should be regularly reviewed to ensure that they are fit for purpose and being appropriately followed in practice. 
  • Effective disposal: You need to consider how to effectively dispose of biometric information so that it is irretrievable.
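As an added illustration (not code from the Office of the Privacy Commissioner or from the Code itself), the following Python sketch shows what the points above look like when automated: a retention period per collection purpose, immediate deletion of FRT probes that returned no match, fail-closed handling of records with no recorded retention decision, and overwrite-on-disposal. The purposes, periods and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Retention period per collection purpose. Values are constructed for this example, not
# taken from the Code; timedelta(0) means "delete as soon as the purpose is served",
# e.g. an FRT probe image that returned no match goes immediately.
RETENTION_BY_PURPOSE = {
    "frt_probe_no_match": timedelta(0),
    "frt_probe_match": timedelta(days=30),
    "staff_access_enrolment": timedelta(days=365),
}

@dataclass
class BiometricRecord:
    record_id: str
    purpose: str            # the purpose the individual was told about at collection
    collected_at: datetime
    template: bytearray     # biometric template bytes (constructed placeholder)
    disposed: bool = False

def is_expired(record: BiometricRecord, now: datetime) -> bool:
    period = RETENTION_BY_PURPOSE.get(record.purpose)
    if period is None:
        return True  # no retention decision recorded: fail closed, treat as expired
    return now >= record.collected_at + period

def dispose(record: BiometricRecord) -> None:
    # Overwrite before dropping so the copy this process held is not recoverable;
    # a persistent store needs the equivalent (crypto-shredding or secure erase).
    for i in range(len(record.template)):
        record.template[i] = 0
    record.template = bytearray()
    record.disposed = True

def enforce_retention(records, now: datetime) -> list:
    """Dispose of every expired record; return their ids so the run can be audit-logged."""
    disposed = []
    for rec in records:
        if not rec.disposed and is_expired(rec, now):
            dispose(rec)
            disposed.append(rec.record_id)
    return disposed

SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def sample_run(now: datetime = SAMPLE_NOW) -> list:
    # Constructed records covering each retention case described above.
    records = [
        BiometricRecord("probe-1", "frt_probe_no_match", now, bytearray(b"\x01\x02")),
        BiometricRecord("probe-2", "frt_probe_match", now - timedelta(days=10), bytearray(b"\x03")),
        BiometricRecord("staff-9", "staff_access_enrolment", now - timedelta(days=400), bytearray(b"\x04")),
        BiometricRecord("orphan-5", "unknown_purpose", now, bytearray(b"\x05")),
    ]
    return enforce_retention(records, now)
```

Running the job on a schedule and logging the returned ids gives the audit trail that the "regular review" point asks for.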

Read our example scenarios of how an organisation might apply rule 9 in context.