Privacy Commissioner of Canada issues guidelines for the use of biometric information following New Zealand Privacy Commissioner issuing biometrics code
August 29, 2025 |
Regulators are increasing their focus on the proper use of biometrics. Advances in technology have made the collection and mandatory use of biometrics more prevalent, and even common in some industries. That has drawn more attention from regulators, because compliance is an issue at every stage: collection, storage, use and disposal of this sort of personal information. On 11 August 2025 the Privacy Commissioner of Canada issued its guidance on the use of biometrics. This follows the New Zealand Privacy Commissioner publishing a biometrics code earlier this month. The UK Information Commissioner has probably issued the most comprehensive biometric data guidance. While it is framed around UK legislation, its general advice is very good. The Australian Information Commissioner has not published guidelines on biometrics, but has advised that biometric information is sensitive information for the purposes of the Privacy Act 1988.
The key issues from the Canadian guidelines are:
- Collection, use and disclosure: appropriate use
- At the outset the organisation must have lawful authority for the collection, use and disclosure of biometric information. The issue is slightly different between sectors:
- Public sector: for a federal institution to have lawful authority to collect biometric information, the information must directly relate to a government program or activity.
- Private sector: organisations must identify a legitimate need for using biometrics. The collection and use must be effective, minimally intrusive and proportionate to the purpose.
- Consent
- As with all privacy legislation, consent is important. As the guidance states, it must be valid, informed and meaningful. That includes advising people what biometric information will be collected, why it is needed, who it may be shared with and any risks of harm.
- Biometrics should not be the only option. Where biometrics are not integral to the service, alternatives must be offered.
- Privacy impacts: necessity and proportionality
As is good practice generally, prior to implementing a biometrics program there should be a privacy impact assessment. That means showing that biometrics are:
- Necessary for a specific, legitimate and defensible objective;
- Effective and reliable in achieving that purpose;
- Minimally intrusive, with no less invasive alternatives available; and
- Proportional, ensuring that privacy impacts are commensurate to the benefits gained.
- Limiting Collection, Use and Retention
Organisations must collect and use only the biometric characteristics strictly necessary for the stated purpose. In practice that involves:
- Favouring verification (one-to-one) systems over identification (one-to-many), where feasible;
- Avoiding large, centralised biometric databases;
- Avoiding the extraction of secondary information from biometric samples;
- Limiting disclosure; and
- Retaining biometric information only as long as necessary and destroying it once no longer required.
- Security/Safeguards
This encompasses having measures to protect personal information against loss, theft or unauthorised access. Biometric information must be secured with physical, administrative and technical measures proportionate to its sensitivity. Best practices include:
- Encryption during storage and transmission;
- Regular penetration testing and vulnerability assessments;
- Control of employee access; and
- Breach reporting.
- Accuracy
It is important to have accurate information, and the consequences of inaccuracy can be even greater with biometric recognition. Erroneous information can lead to wrongful denial of services or misidentification. Best practice includes:
- Adopting technologies with appropriate accuracy rates;
- Testing systems in real-world conditions and across demographic groups to minimise bias and discrimination;
- Monitoring accuracy on an ongoing basis, as system updates can affect performance; and
- Developing procedures for false positives and negatives, ensuring timely resolution and human review where decisions have significant consequences.
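The accuracy points above (testing across demographic groups, monitoring on an ongoing basis, handling false positives and negatives) and the earlier preference for one-to-one verification over one-to-many identification can both be made concrete with numbers. The following is an added example, not code or data from the Privacy Commissioner's guidance: it takes a constructed set of comparison trials, computes the false match rate (FMR, impostors wrongly accepted) and false non-match rate (FNMR, genuine users wrongly rejected) per demographic group at a chosen threshold, flags groups whose error rates diverge, and projects how a one-to-one FMR grows when the same matcher is used to search a gallery. The group labels, scores, threshold and the 0.10 gap tolerance are all assumptions chosen for illustration.

```python
"""Per-group biometric error rates and one-to-many scaling.

Added example; not from the Privacy Commissioner's guidance.
All trial data below is constructed for illustration only.
"""
from collections import defaultdict

# Constructed comparison trials: (demographic group, genuine?, similarity score).
# genuine=True means both samples came from the same person (a "mated" pair);
# genuine=False means two different people (a "non-mated" pair).
TRIALS = [
    ("A", True, 0.92), ("A", True, 0.88), ("A", True, 0.81), ("A", True, 0.64),
    ("A", False, 0.31), ("A", False, 0.44), ("A", False, 0.52), ("A", False, 0.27),
    ("B", True, 0.90), ("B", True, 0.75), ("B", True, 0.66), ("B", True, 0.58),
    ("B", False, 0.49), ("B", False, 0.72), ("B", False, 0.36), ("B", False, 0.41),
]

# Assumed decision threshold: scores at or above it are treated as a match.
THRESHOLD = 0.70


def error_rates(trials, threshold):
    """Return {group: (FMR, FNMR)} for the given decision threshold.

    FMR  = impostor trials accepted / impostor trials   (false positives)
    FNMR = genuine trials rejected  / genuine trials    (false negatives)
    """
    genuine = defaultdict(lambda: [0, 0])   # group -> [rejected, total]
    impostor = defaultdict(lambda: [0, 0])  # group -> [accepted, total]
    for group, is_genuine, score in trials:
        accepted = score >= threshold
        if is_genuine:
            genuine[group][1] += 1
            if not accepted:
                genuine[group][0] += 1
        else:
            impostor[group][1] += 1
            if accepted:
                impostor[group][0] += 1
    rates = {}
    for g in sorted(set(genuine) | set(impostor)):
        fnmr = genuine[g][0] / genuine[g][1] if genuine[g][1] else 0.0
        fmr = impostor[g][0] / impostor[g][1] if impostor[g][1] else 0.0
        rates[g] = (fmr, fnmr)
    return rates


def disparities(rates, max_gap=0.10):
    """Flag each metric whose best-to-worst group gap exceeds max_gap.

    Returns a list of (metric, worst_group, best_group, gap). An empty list
    means no group is disadvantaged beyond the assumed tolerance.
    """
    flagged = []
    for idx, name in ((0, "FMR"), (1, "FNMR")):
        worst = max(rates, key=lambda g: rates[g][idx])
        best = min(rates, key=lambda g: rates[g][idx])
        gap = rates[worst][idx] - rates[best][idx]
        if gap > max_gap:
            flagged.append((name, worst, best, round(gap, 4)))
    return flagged


def identification_fmr(fmr_one_to_one, gallery_size):
    """Probability that a one-to-many search returns at least one false match.

    Assumes each of the gallery_size comparisons is an independent trial with
    the one-to-one FMR; real galleries are correlated, so treat as a lower bound
    on why the guidance prefers verification over identification.
    """
    return 1.0 - (1.0 - fmr_one_to_one) ** gallery_size


if __name__ == "__main__":
    rates = error_rates(TRIALS, THRESHOLD)
    for group, (fmr, fnmr) in rates.items():
        print(f"group {group}: FMR={fmr:.2f} FNMR={fnmr:.2f}")
    for metric, worst, best, gap in disparities(rates):
        print(f"disparity in {metric}: group {worst} is {gap:.2f} worse than {best}")
    # A matcher with a 0.1% one-to-one FMR searched against 1,000 enrolees.
    print(f"1:N false-match probability: {identification_fmr(0.001, 1000):.3f}")
```

Re-running `error_rates` on each new batch of trials after a model or firmware update is the "ongoing monitoring" the guidance asks for; a non-empty result from `disparities` is the trigger for the human review and remediation procedures the last point above requires. The `identification_fmr` figure is why a threshold that looks safe for one-to-one verification can become almost useless once the same matcher is pointed at a large centralised database.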
- Accountability
Organisations remain responsible for the biometric information they hold even when using third-party service providers. In that respect, an organisation's obligations include:
- due diligence on service providers’ practices;
- having contracts and information-sharing agreements that embed privacy protections;
- establishing clear governance structures, audit rights and breach response plans; and
- ensuring there is adequate employee training and oversight.
- Openness and Transparency
The guidelines stress that transparency is important in ensuring accountability for biometric systems. To that end organisations should:
- provide privacy notices that explain the purpose, authority, risks and the right to submit a complaint to the Privacy Commissioner;
- report consistently on biometric holdings;
- be transparent about transfers to service providers, especially if data crosses borders; and
- explain automated decisions made using biometrics.
What is clear from the guidance is that biometric data is sensitive and, if compromised, cannot be changed. The guidance therefore recommends that biometric programs be narrow in scope, legally authorised and subject to continuous oversight.
Many of the issues raised in the guidance are equally applicable in the Australian context. Implementing these processes and following the recommendations will reduce the poor practices that give rise to data breaches. As importantly, if there is a data breach and the Privacy Commissioner investigates, an organisation that has followed these guidelines, or at least their outline, will minimise the impact of that investigation. A regulator may investigate a specific breach or other event but often expands its enquiries to compliance generally. The Privacy Commissioner has broad powers, and as a matter of practicality it is not difficult to justify lines of enquiry as being linked to the initial reason for the investigation. Often those enquiries cause more problems than the initial breach.