
Scenario

Secret Information Limited (SIL) holds highly sensitive personal information about clients that some members of staff must access as part of their job.

SIL decides to implement a biometric-based multi-factor authentication (MFA) process to protect the information.

Staff who need to access the information must present their username and password and scan their fingerprint before they can access this personal information.


Does the Code apply?

Yes, SIL is collecting fingerprints (biometric information) to use in biometric verification.

Rule 1: Purpose for collection

SIL’s lawful purpose is to protect highly sensitive personal information (organisations are required under the Privacy Act to use reasonable security safeguards to protect personal information).

SIL determines that the biometric processing is necessary to achieve their purpose.

  • It’s effective: There is a clear link between the biometric processing and SIL’s lawful purpose. MFA is a widely used way to protect personal information, and there is an evidential basis that fingerprint scanning offers a highly effective form of protection. SIL confirms the effectiveness of the specific MFA system they intend to use, as well as considering the effectiveness of fingerprint scanning for MFA more generally.
  • Alternative: SIL researched different MFA options and the differing levels of security each provides. There are other authentication factors that SIL could use, including both different biometric factors (e.g. iris scanning) and non-biometric factors (e.g. SMS code, smart cards). SIL considers that, for its context, the fingerprint authenticator has advantages over the other non-biometric options, including being resistant to phishing attacks, unable to be lost or forgotten and unlikely to be stolen. It is also more practical to implement than other biometric options like iris scanning or facial recognition and doesn’t present accuracy differentials across demographic groups. Overall, there is no reasonable alternative that would enhance security as effectively and also poses less privacy risk.

SIL will adopt reasonable privacy safeguards, including:

  • SIL will consult with employees before introducing the system and offer the ability to opt-out of providing biometric information (but then the employee would lose access to the sensitive information). If the consultation reveals significant employee concerns, the organisation will work with employees to resolve or mitigate the concerns before continuing with the fingerprint MFA system.
  • SIL will only retain a template of the fingerprint scan, not the actual scan, to reduce risks of spoofing and presentation attacks.
  • SIL will use best practice security measures to protect the biometric information, including having a process in place to audit any access to the fingerprint templates so that inappropriate browsing by employees can be identified.
  • SIL will not link the fingerprint information with any other personal information of the employee.

SIL assesses proportionality:

SIL assesses the privacy risk as low to medium based on:

  • The MFA measure is targeted so fingerprint data will be collected only from those who need to access the sensitive information.
  • The context of the employment relationship increases the intrusiveness of the measure as the power imbalance may mean employees feel coerced into giving their biometric data. To help mitigate this risk, SIL will consult with employees on whether it is practical to allow employees to opt-out of giving their biometric information (but in that case the employee would lose access to the sensitive information and may require changes to their job following the normal employment process).

SIL considers there is a medium to high benefit that outweighs the privacy risk based on:

  • The increased level of security benefits SIL (private benefit) by preventing data breaches and unauthorised access, ensures compliance with any legal requirements around security, protects the organisation’s reputation, ensures client trust, and reduces financial and operational risks. There is also a benefit to the people whose information is being protected.
  • This benefit substantially outweighs the risk.

SIL considers cultural impacts on Māori:

  • As part of SIL’s consultation with employees, it will specifically seek feedback on cultural impacts from Māori employees and consider how to address any impacts raised.
  • The biometric system used has a high accuracy rating regardless of skin tone.
  • The fingerprints will be stored locally on each individual’s device so no biometric information will leave New Zealand.

Overall proportionality: Despite some level of intrusiveness, overall the measure is proportionate due to the heightened need for robust security measures to protect the sensitive personal information. The privacy and employment impact on employees is further mitigated by the safeguards (see above).

Rule 2: Source of biometric information

SIL is collecting biometric information directly from the individual.

Rule 3: Collection of information from individual

SIL will comply with rule 3 by informing employees, as part of the consultation before the system is used, of the purpose of collection, the alternative option, the consequences of not providing a fingerprint, and so on. It will also give employees a plain language, written statement at the time they provide a fingerprint sample, and add the information to the employee intranet.

Rule 4: Manner of collection

SIL is collecting information in a lawful way. It will not collect any biometric information of children or young people. Consulting with employees and offering an opt-out of biometric processing is one of the ways SIL ensures the manner of collection is lawful, fair and not unreasonably intrusive.

Rule 5: Storage and security of biometric information

SIL is using biometric information to protect other personal information, but it still needs to ensure the biometric information itself is appropriately protected by security safeguards.

Examples of steps SIL takes to protect the employee fingerprint information:

  • Deleting the original samples and only storing the biometric template.
  • Storing the template locally on the device.
  • Not linking the fingerprint template with any other personal information of the employee.

Rule 6: Access to biometric information


If an employee requests access to their biometric information, SIL will confirm whether it holds a template of their fingerprint (it does not hold a scan of the fingerprint, because the scan is deleted after the individual is enrolled in the system and the template is generated). The template may not be extractable (not readily retrievable); in that case SIL decides it will explain that it holds a template and what that means, so that the employee better understands what information SIL holds about them.

Rule 7: Correction of biometric information

SIL will comply with requests to correct biometric information.

For example, an employee consistently has to make multiple attempts at scanning their fingerprint before gaining access and requests that their biometric information be updated. SIL arranges for the employee to re-enrol and update their fingerprint template.

Rule 8: Accuracy, etc., of biometric information to be checked before use or disclosure

The way in which biometric information is being collected and used by SIL is unlikely to raise issues under rule 8. Collecting the fingerprint samples directly from the employees helps ensure the information is accurate before it is used. SIL will have processes in place to update the information if needed, e.g. if an employee injures their finger and their fingerprint changes as a result.

Rule 9: Retention of biometric information

SIL does not need the fingerprint scan to operate the recognition system after enrolling the employee, so SIL will delete it after enrolment.

SIL will only store the fingerprint template for as long as an employee requires access to the sensitive information.

Rule 10: Limits on use of information

SIL will ensure it only uses the biometric information for the purpose of MFA and no other purpose, unless an exception applies.

The limits on biometric categorisation in rule 10 are not applicable as SIL is carrying out verification not categorisation.

Rule 11: Limits on disclosure of biometric information

SIL will not share any biometric information with any other organisation (unless an exception applies).

Rule 12: Disclosure of biometric information outside New Zealand

SIL will not disclose any biometric information outside New Zealand.

Rule 13: Unique identifiers

SIL is not assigning a biometric template to customers as a unique identifier, so rule 13 is not engaged.