Think about it, have you….

• Unlocked your smartphone with just a glance?
• Departed or entered New Zealand through an eGate?
• Been asked by Facebook “is that you” in a friend’s recent photo?

It should come as no surprise that the age of automated facial recognition technology (FRT) is already among us, rampantly becoming commonplace globally and here in Aotearoa.

In a Victoria University of Wellington report commissioned by the New Zealand Law Foundation, FRT is defined simply as involving “the use of an algorithm to match a facial image to one already stored in a system”. As FRT becomes more accessible, and arguably more efficient in identity management – its use is increasingly being considered and implemented across the private and public sectors and is equally being scrutinised by the public and in academic institutions.

Police, airports, banks, and retail and hospitality outlets are increasingly deploying FRT for security and identity verification purposes. In New Zealand, there have even been adaptations of FRT for use in the agricultural sector for the identification of livestock.

While advancements in FRT may offer accuracy, speed and convenience, it is important to remember that there are legal obligations associated with the implementation of FRT.  You should take steps to ensure you are aware of, and can meet, these obligations before you and your business decide to embrace the use of FRT.

The use of FRT is primarily based on the collection and analysis of facial images, a particularly sensitive category of personal information, and as such, the Privacy Act 2020 governs all things applicable to the collection and subsequent use of this personal information.

We explore below what you need to know as a business or consumer when considering the implementation of FRT:

What to consider as a business?

The Privacy Commissioner has released helpful guidance on what to consider when collecting biometric information, such as facial scans and fingerprints. In summary, key questions to consider include:

1. Do you have a lawful purpose for collecting this information?
2. Is the collection necessary for that lawful purpose?
3. Is collection unreasonably intrusive or unfair?
4. Have you obtained informed consent from the affected individual?
5. How do you ensure accuracy of personal information?
6. Are your security safeguards to protect the information reasonable?

The Privacy Act 2020 also governs how personal information can be processed, retained, and transferred.

The Privacy Commissioner strongly recommends that all businesses complete a Privacy Impact Assessment before implementing any kind of FRT. A privacy impact assessment (PIA) is a tool used by agencies to help them identify and assess the privacy risks arising from their collection, use or handling of personal information. A PIA will also propose ways to mitigate or minimise these risks.

Part 1: Whether to do a Privacy Impact Assessment

Part 2: How to do a Privacy Impact Assessment

Bonus tip: If you are contracting with a FRT Supplier, it is important to remember that you still have obligations towards the individuals you are collecting personal information from.

‍What are my rights as a consumer?

As a consumer you have rights. If an agency wants to collect your personal information, it must obtain your informed consent. This means it needs to make available the following information:‍

1. What personal information is being collected;
2. How will it be used‍
3. Who will have access to it;
4. Is collection voluntary or mandatory;‍
5. What are the consequences, if any, of opting out;‍
6. How can you access and correct your personal information?

Bonus tip: There are limited instances where an agency does not need to seek your consent to collect your personal information (information privacy principle 2).

The Privacy Commissioner can investigate complaints about an agency’s compliance with the Privacy Act, click here for more information if you are concerned with the use, collection, or disclosure of your personal information by an agency.

Partner, Anchali Anandanayagam says, "From a business perspective, it is important to be transparent about the reasons for which you are implementing the technology and the precautions you are taking to address the privacy concerns. Ensuring privacy is the foundation for trust – if your customers and other stakeholders are concerned about privacy, this will affect the trust they have in your business or the services you provide".

If you are a business or individual looking to understand if the use of facial recognition technology is aligned with the Privacy Act and best practice, please get in touch.