(20 July 2015) The Office of the Privacy Commissioner for Personal Data (“PCPD”) published today “Guidance on Collection and Use of Biometric Data (the “Guidance Note”) to provide data users who intend to collect biometric data with practical guidance on complying with the requirements under the Personal Data (Privacy) Ordinance (the “Ordinance”).
Biometrics are the physiological traits with which individuals are born with. Biometric data could be sensitive data as it may be unique and immutable, or it may contain an individual’s intimate information relating to health, mental condition or racial origin.
The Privacy Commissioner for Personal Data, Mr Allan Chiang said, “Collection and use of biometric data for consumer applications have been on the increase. For example, with advancement in technology leading to improved effectiveness and lowered cost, the use of fingerprint recognition systems is now commonplace, and this trend is gradually extended to other forms of biometric data such as palm shape, facial image, iris, retina or even DNA. Organisations using biometric technology must understand the privacy risks associated with the uniqueness, immutability and the inference ability of biometric data. They should only use biometric data where justified and put in place appropriate procedural and technological safeguards to prevent unauthorised access to and wrongful use of biometric data which could lead to identity theft, impersonation or discrimination.”
“Organisations have to consider whether it is feasible to collect less sensitive biometric data or use other less privacy intrusive means to achieve the same organisational purpose. Organisations are encouraged to conduct a Privacy Impact Assessment to evaluate the impact upon personal data privacy before embarking on the use of biometric technology. Employers who wish to collect employees’ biometric data must ensure that the data collection is “necessary and not excessive”, and that it is conducted by means that are fair in the circumstances.” Mr Chiang stressed.
The Guidance Note is prepared based on the knowledge and experience gained from relevant complaints/enquiries that the PCPD have handled. It replaces the previous “Guidance Note on the Collection of Fingerprint Data” issued in May 2012. It covers the following six main topics:
- Need for caution to handle sensitive biometric data
- Justifications for collecting and using biometric data
- Risk minimisation techniques in biometric data collection
- The need for a privacy impact assessment
- Free and informed choice to allow collection of one’s biometric data
- Privacy requirements for dealing with the biometric data collected
The Guidance Note can be downloaded from the website of the PCPD at www.pcpd.org.hk/english/resources_centre/publications/files/GN_biometric_e.pdf; or obtained from the PCPD office (12/F, Sunlight Tower, 248 Queen’s Road East, Wan Chai, Hong Kong).